
NGINX Release Targets Application Security

by James Chesters on Aug 30, 2016. Estimated reading time: 2 minutes

NGINX Plus R10 has been released, with a focus on improving application security and network integration.

Faisal Memon, technical product marketing for NGINX, describes the initial release of the ModSecurity web application firewall (WAF) as "a long time ask" of customers. R10 also adds API authentication by validating JSON Web Tokens (JWT), and improves SSL/TLS performance in production with support for elliptic curve cryptography (ECC) certificates.

Explaining the technical aspects of web application firewalls, NGINX's head of products, Owen Garrett, said:

A WAF operates on a database of “rules” that define malicious behaviors to be blocked and/or logged. The OWASP ModSecurity core rule set (CRS) is one of the most widely used rule sets with ModSecurity. NGINX Plus with ModSecurity WAF uses the OWASP CRS to identify and block a broad range of application attacks.

These attacks include, but are not limited to, HTTP violations, SQL injection, XSS, RFI, and LFI attacks. NGINX's WAF also includes DDoS mitigation, PCI-DSS 6.6 compliance, and sensitive data protection.

Memon said NGINX was motivated to make the security improvements by a rough security climate, telling InfoQ that in the past year web application attacks went up 50% and DDoS attacks have more than doubled.

"Every application is now at risk of being attacked," Memon said.

To enable the ModSecurity WAF for NGINX Plus, developers should include the modsecurity directive along with the modsecurity_rules_file directive to specify the rule set:

# Backend pool that the WAF-protected server proxies to
upstream backend {
    server server-hostname;
}

server {
    listen 80;
    status_zone backend;

    # Enable the ModSecurity WAF for this server
    modsecurity on;

    location / {
        proxy_pass http://backend;
        # Rule set (e.g. the OWASP CRS) that ModSecurity evaluates for this location
        modsecurity_rules_file rule-set-file;
    }
}

Important in the NGINX Plus R10 release is its native support for the JSON Web Token (JWT) authentication standard.

Memon told InfoQ:

With this release, NGINX Plus can now authenticate clients by validating the JSON Web Tokens (JWT) they present. This presents a more secure and consolidated architecture than other options, such as having each API endpoint handle authentication themselves.

NGINX Plus R10 allows developers to publish SSL/TLS services using both RSA and ECC certificates. ECC certificates are up to three times faster than equivalent-strength RSA certificates, giving more SSL/TLS connections per server and faster SSL/TLS handshakes, while serving both certificate types lets developers maintain backwards compatibility with older devices that accept only RSA certificates.
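As an added illustration (not configuration from the article or from NGINX's own documentation), the following NGINX Plus server block combines the two features just described: JWT validation on an API location and a dual RSA/ECC certificate deployment. The upstream name, file paths, realm string and the JWK key shown in the comment are assumptions for this example.

```nginx
# Added example: JWT-protected API behind NGINX Plus R10 with RSA + ECC certificates.
# All names and paths below are assumed for illustration.
upstream api_backend {
    server api1.example.internal:8080;   # assumed backend host
}

server {
    listen 443 ssl;
    server_name api.example.com;         # assumed hostname

    # Two certificate chains: NGINX picks the one the client can negotiate,
    # so modern clients get the faster ECC handshake and legacy clients still
    # get RSA.
    ssl_certificate     /etc/ssl/certs/api.example.com.rsa.crt;
    ssl_certificate_key /etc/ssl/private/api.example.com.rsa.key;
    ssl_certificate     /etc/ssl/certs/api.example.com.ecc.crt;
    ssl_certificate_key /etc/ssl/private/api.example.com.ecc.key;

    location /api/ {
        # Reject requests whose JWT is missing, malformed, expired or not signed
        # by a key in the JWK file; the string is the realm reported in the
        # WWW-Authenticate header of the 401 response.
        auth_jwt "API zone";
        auth_jwt_key_file /etc/nginx/api_keys.jwk;

        # Only validated requests reach the backend, so endpoints do not each
        # need their own authentication logic.
        proxy_pass http://api_backend;
    }
}

# /etc/nginx/api_keys.jwk (assumed, constructed example content): a JSON Web Key
# set holding one symmetric HMAC key identified by "kid" 0001. The "k" value is
# base64url and must match the secret used to sign the tokens.
# {
#   "keys": [
#     { "kty": "oct", "kid": "0001", "k": "ZXhhbXBsZS1zZWNyZXQta2V5" }
#   ]
# }
```

A JWK with `"kty": "RSA"` and the public modulus/exponent works the same way for RS256-signed tokens, which keeps the signing key off the proxy entirely.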

Previewed in R10 is the new nginScript configuration language, which enables developers to use JavaScript to implement more complex routing and caching configurations, and to create serverless functions that run directly on NGINX Plus.

The nginScript preview is available in the NGINX dynamic modules repository.

NGINX Plus R10 deprecates the NGINX Plus Extras package. Developers are advised to modify their installation and configuration procedures to use the nginx-plus package and dynamically load the modules in the nginx-plus-extras package that are actively used. From NGINX Plus R11, this will be the only way to use modules not built into the nginx-plus package.
