NGINX Release Targets Application Security

NGINX Plus R10 has been released, with a focus on improving application security and network integration.

Faisal Memon, technical product marketing for NGINX, describes the initial release of the ModSecurity web application firewall (WAF) as "a long time ask" of customers. R10 also supports API authentication by validating JSON web tokens (JWT), and improves SSL/TLS performance in production with support for elliptic curve crypto (ECC) certificates.

Explaining the technical aspects of web application firewalls, NGINX's head of products, Owen Garrett, said:

A WAF operates on a database of “rules” that define malicious behaviors to be blocked and/or logged. The OWASP ModSecurity core rule set (CRS) is one of the most widely used rule sets with ModSecurity. NGINX Plus with ModSecurity WAF uses the OWASP CRS to identify and block a broad range of application attacks.

These attacks include, but are not limited to, HTTP violations, SQL injection, XSS, RFI, and LFI attacks. NGINX's WAF also includes DDoS mitigation, PCI-DSS 6.6 compliance, and sensitive data protection.

Memon said NGINX's security improvements were motivated by a rough security climate, telling InfoQ that in the past year web application attacks went up 50% and DDoS attacks have more than doubled.

"Every application is now at risk of being attacked," Memon said.

To enable the ModSecurity WAF for NGINX Plus, developers should include the modsecurity directive along with the modsecurity_rules_file directive to specify the rule set:

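upstream backend {
    server server-hostname;
}

server {
    listen 80;
    status_zone backend;

    # Turn on the ModSecurity WAF for this virtual server
    modsecurity on;
    location / {
        proxy_pass http://backend;
        # Rule set applied to requests for this location
        modsecurity_rules_file rule-set-file;
    }
}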

Important in the NGINX Plus R10 release is its native support for the JSON Web Token (JWT) authentication standard.

Memon told InfoQ:

With this release, NGINX Plus can now authenticate clients by validating the JSON Web Tokens (JWT) they present. This presents a more secure and consolidated architecture than other options, such as having each API endpoint handle authentication themselves.

NGINX Plus R10 allows developers to publish SSL/TLS services using both RSA and ECC certificates. ECC certificates are up to three times faster than equivalent‑strength RSA certificates, giving more SSL/TLS connections per server and faster SSL/TLS handshakes. Publishing both certificate types allows developers to maintain backwards compatibility for older devices accepting only RSA certificates.
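The JWT validation and dual RSA/ECC certificate support described above can sit together in one gateway configuration. The following is an added example, not taken from the article or from NGINX; the hostnames, upstream names, header name and file paths are placeholders chosen for illustration.

```nginx
# Constructed example: all hostnames, upstream names and paths are placeholders.
upstream orders_api  { server orders.internal.example:8080; }
upstream billing_api { server billing.internal.example:8080; }

server {
    listen 443 ssl;
    server_name api.example.com;

    # Dual certificates: ECC for clients that support it, RSA as the fallback
    # for older clients.
    ssl_certificate     /etc/nginx/tls/api.example.com.ecc.crt;
    ssl_certificate_key /etc/nginx/tls/api.example.com.ecc.key;
    ssl_certificate     /etc/nginx/tls/api.example.com.rsa.crt;
    ssl_certificate_key /etc/nginx/tls/api.example.com.rsa.key;

    # Validate the JWT once, at the edge, for every location in this server.
    # Requests without a valid token are rejected with 401 before they are proxied.
    auth_jwt          "API";
    auth_jwt_key_file /etc/nginx/jwt/api_keys.jwk;

    # Forward the verified subject claim to the backends. Setting the header
    # here replaces any value of the same name sent by the client.
    proxy_set_header X-Authenticated-User $jwt_claim_sub;

    location /orders/  { proxy_pass http://orders_api; }
    location /billing/ { proxy_pass http://billing_api; }

    # Unauthenticated health check: validation is switched off explicitly
    # for this one location only.
    location = /healthz {
        auth_jwt off;
        return 200;
    }
}
```

Because the backends trust `X-Authenticated-User`, they should only be reachable through the gateway, not directly from clients.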

Previewed in R10 is the new nginScript configuration language, which enables developers to use JavaScript to implement more complex routing and caching configurations, and create serverless functions that run directly on NGINX Plus.

The nginScript preview is available in the NGINX dynamic modules repository.

NGINX Plus R10 deprecates the NGINX Plus Extras package. Developers are advised to modify their installation and configuration procedures to use the nginx‑plus package and dynamically load the modules in the nginx‑plus‑extras package that are actively used. From NGINX Plus R11, this will be the only way to use modules not built into the nginx‑plus package.
