Apache _and_ nginx?

Why does Open OnDemand install apache but then reference nginx in its packages?



The front end that provides authentication and user mapping is Apache. Once the user is authenticated, a per-user NGINX process is started, which is configured with the Passenger application server, which serves the individual apps. The separate NGINX server per user is what ensures user separation, and then authorization is handled using the OS (the server can only do what the user can do). In this regard, the NGINX server acts like a web version of an ssh session on a login node.

The reason we use NGINX for the per-user web server instead of Apache is that NGINX can listen on Unix domain sockets. This makes the proxy code that starts the per-user web servers or decides which per-user web server to proxy to much simpler and more secure.
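The routing decision described in the answer above, as an added sketch that is not part of the original posts and is not Open OnDemand's own code: a front end maps an authenticated username to a per-user Unix domain socket and forwards only if that socket is owned by the mapped account. The directory layout, function names and the user name `alice` are assumptions made for illustration.

```python
import os, re, socket, stat, tempfile, threading

# Hypothetical layout: <base>/<user>/passenger.sock (not Open OnDemand's real paths).
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def socket_path_for(user, base):
    """Map an authenticated username to its per-user socket path."""
    if not USER_RE.fullmatch(user):        # rejects "../", "/", empty names
        raise ValueError("invalid username")
    return os.path.join(base, user, "passenger.sock")

def start_backend(user, base):
    """Stand-in for the per-user web server: listens on a Unix domain socket."""
    path = socket_path_for(user, base)
    os.makedirs(os.path.dirname(path), mode=0o700)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)
            # The reply shows whose OS identity handled the request.
            conn.sendall(f"served by uid {os.getuid()}".encode())
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return path

def proxy(user, expected_uid, base, request=b"GET /"):
    """Front-end side: forward only to a socket owned by the mapped user."""
    path = socket_path_for(user, base)
    st = os.lstat(path)                    # lstat: never follow a symlink
    if not stat.S_ISSOCK(st.st_mode) or st.st_uid != expected_uid:
        raise PermissionError("socket missing or not owned by mapped user")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(request)
        return c.recv(1024).decode()

if __name__ == "__main__":
    base = tempfile.mkdtemp()
    start_backend("alice", base)           # constructed user name
    print(proxy("alice", os.getuid(), base))
```

Because the backend is addressed by a filesystem path rather than a TCP port, ownership and mode bits on the socket and its directory decide who can reach it, and no per-user port allocation table is needed.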

Why not use nginx for the front-end proxy though?

At OSC we trust it more than other web servers, and since we know how to configure it well with Puppet, we typically always put Apache in front of any web service we use.

As for the OnDemand project, it has provided the benefit of having various well-tested and used federated authentication methods available, such as mod_auth_shib, mod_auth_openidc, and mod_auth_cas, allowing centers to hook front-end authentication into their campus auth.