Thanks. The RBL checking in Apache (via mod security) can happen in very specific manner. I could specify that they check only specific arguments (the very precise "input" field in the html) in a very specific page ("postcommentform.php").
Similarly, sure, the application needs to be smartly coded to prevent against injections. But mod_security enables blocking this at a much earlier phase in the web transaction. And it's easy to control this a bit better at the hosting level.
Clearly, I am looking at nginx not only as a "speed option", but as a replacement for Apache. Several blogs online say that they have moved to nginx. I am trying to see how. Apache is sadly bloated but thanks to mod_security etc it's a very, very practical modern solution.
Anyway, my setup above is not working either. Even just to use nginx as merely a static server.