On-demand recording: https://nginx.webex.com/nginx/lsr.php?RCID=419169e2cde399547cdbcf947fa1b590
NGINX Plus Release 10 (R10) is one of the biggest releases of NGINX Plus in years. NGINX Plus extends open source NGINX with advanced functionality and award-winning support, providing customers with a complete application delivery solution. NGINX Plus R10 features cutting-edge capabilities in security, reverse proxying, and scriptability. The new features in R10 will help you take your NGINX Plus deployments to the next level.
The native JavaScript-like scripting language, nginScript, has been enhanced. You can now use sophisticated policies to manage, shape, and transform application traffic.
In addition, in this webinar with Owen Garrett, Head of Products at NGINX, you will learn about these great new features:
* ModSecurity WAF – The ModSecurity web application firewall (WAF), the Swiss Army® knife of security, has been ported to NGINX Plus. The ModSecurity WAF is now available as an option in our dynamic modules repository.
* JWT support – You can now offload authentication to NGINX Plus using the open JSON Web Tokens (JWT) standard.
* Dual ECC and RSA certificate support – Improve SSL/TLS performance with ECC certificates while maintaining backwards compatibility with RSA standards.
* Transparent proxy support – With IP transparency, backend servers can now "see" the client's IP address, enabling fast, direct server-client communications.
2. NGINX Plus R9 Recap
MORE INFORMATION AT NGINX.COM
● Dynamic modules
○ Load rich modules into NGINX Plus at runtime
● UDP load balancing
○ Load balancing for DNS, RADIUS, and other UDP services
○ Complements existing TCP/HTTP load balancing
● On-the-fly reconfiguration using DNS SRV records
○ Reduce microservices complexity
● NGINX Plus App Pricing
○ “All you can eat” pricing for NGINX Plus
Released: Tuesday April 12, 2016
3. NGINX Plus R10 New Features
Key new features for improved security, network integration, and scripting
Security:
● ModSecurity Web Application Firewall (WAF)
● Native JWT support for OAuth 2.0 and OpenID Connect
● “Dual-stack” RSA-ECC certificates
Network integration:
● IP transparency
● Direct Server Return (DSR) for UDP apps
Scripting:
● nginScript
Released: Tuesday August 23, 2016
5. Why a Web Application Firewall?
“...even when you understand web security, it is difficult to produce secure code, especially when
working under the pressure so common in today's software development projects.”
– Ivan Ristic, ModSecurity creator
● 50% increase in web application attacks from 2015 to 2016
● 125% increase in DDoS attacks from 2015 to 2016
● Security breaches can be devastating
• Code Spaces – Went out of business after attacker deleted all of its data
• DNC email scandal – Head of DNC, 3 others forced to resign
• iCloud, PlayStation Network, many more
● A WAF is a necessary tool for protecting applications
6. Why ModSecurity?
● Open source (curated by TrustWave)
● Battle tested for over 14 years
● Used by tens of thousands of websites
● 3,000 downloads/month
● Large, enthusiastic community backing
● Easy to find help
7. ModSecurity 101
● Two basic components
• Rules that define malicious behavior
• WAF software that enforces the rules
● Pluggable rule set
• OWASP Core Rule Set (free)
• GotRoot Commercial Rules ($199/year)
• TrustWave Commercial Rules ($495/year)
● Anomaly-based scoring
• Each rule that “fires” contributes to the anomaly score
• Based on the score different actions can happen
■ Log as notice, warning, critical, etc.
■ Drop the request
8. Comprehensive Protection for Critical Apps and Data
● Layer 7 attack protection
● DDoS mitigation
● Real-time blacklists (1)
● Sensitive data protection
● Honeypots
● Virtual patching
● Detailed audit logs
● PCI-DSS 6.6 compliance
(1) Additional costs may apply
9. NGINX Plus with ModSecurity WAF Details
● R10 release is a ‘preview’ – test, evaluate, feedback, deploy
● Easily installable as a dynamic module
● Fully maintained, built, tested, and packaged per release by our core engineering team
● One number to call for 24x7 support with setup and configuration help
• Includes OWASP Core Rule Set configuration
● Cost: $2,000/year per instance for NGINX Plus Professional and Enterprise customers
10. Why NGINX Plus with ModSecurity WAF?
● Significantly reduce costs
• Over 66% savings in 5-year TCO vs. Imperva
● Combined solution increases operational efficiency
• Application delivery and security in one place
• Imperva is WAF only – no load balancing, caching, etc.
● Gain software flexibility and elasticity
• Deploy in any environment, public or private
• Limited deployment options with Imperva, F5, etc.
● Eliminate vendor lock-in
• Standards-based rules language vs. proprietary rules with Imperva, F5, etc.
13. Use Case 1: Single Sign-On (SSO)
● Easily add single sign-on to new or existing applications
● OpenID Connect provider issues JWTs
● Consumer/external – Google, Yahoo!, etc.
• No Facebook
● Enterprise/internal – Okta, OneLogin, Ping Identity, etc.
14. Use Case 2: API Gateway
● Centralized authentication for APIs
● Client-side application requests JWT
• iPhone/Android-native app
• Browser-based app
● Typically homegrown entity that issues JWTs
• Does not involve OpenID, Google, etc.
● Workflow is identical to SSO
15. Why NGINX Plus for OpenID?
● Improve security by consolidating keys to one location
● Simplify application logic by offloading authentication
● Rate limit and track per user rather than per IP address
● Eliminate vendor lock-in
17. RSA vs. ECC
● Certificates are used for:
○ Users know they are talking to the right website and not a man-in-the-middle
○ Securely exchange information to establish secure communications
● RSA certificates have been industry standard for a long time
● ECC (Elliptic Curve Cryptography) provides same functionality as RSA with over 3x better performance
● “Dual-stack” means backward compatibility for older devices
○ Configure a server with both RSA and ECC certificates
○ Modern clients automatically use higher-performance, lower-impact ECC certificate
○ Legacy clients are not locked out because NGINX provides them with an RSA cert
19. Transparent Proxy Enables IP Transparency and Direct Server Return
● Support for a broader range of application types and deployment models
● IP transparency – Send original client IP address to backend server
● Direct Server Return (DSR) – Server responds directly to client
○ DSR is supported for UDP-based applications
21. What Is nginScript?
● Next-generation configuration language for NGINX
● Makes NGINX more powerful and accessible
● Customers can use JavaScript to perform more complex and custom actions than can be performed with standard NGINX configuration
● JavaScript is a well-known and widely used programming language, especially in the frontend
22. nginScript in NGINX Plus R10
js_include /etc/nginx/functions.js;

# upstream {} groups named "old" and "new" are defined elsewhere in the configuration (not shown on the slide)

server {
    listen 80;

    location / {
        set $transition_window_start 1471971600;   # 23-Aug-2016 17:00:00 UTC
        set $transition_window_end   1471978800;   # 23-Aug-2016 19:00:00 UTC
        js_set $upstream transitionStatus;         # Returns "old|new" based on window pos
        proxy_pass http://$upstream;
        error_log /var/log/nginx/transition.log info;   # Enable nginScript logging
    }
}
23. nginScript in NGINX Plus R10
// /etc/nginx/functions.js
// Note: fnv32a() is a 32-bit FNV-1a hash helper defined elsewhere in functions.js;
// the slide does not show it.
function transitionStatus(req) {
    var vars, window_start, window_end, time_now, timepos, numhash, hashpos;

    // Get the transition window from NGINX configuration
    vars = req.variables;
    window_start = vars.transition_window_start;
    window_end = vars.transition_window_end;

    // Are we in the transition time window?
    time_now = Math.floor(Date.now() / 1000); // Convert from milliseconds
    if ( time_now < window_start ) {
        return "old";
    } else if ( time_now > window_end ) {
        return "new";
    } else { // We are in the transition window
        // Calculate our relative position in the window (0-1)
        timepos = (time_now - window_start) / (window_end - window_start);
        // Get numeric hash for this client's IP address
        numhash = fnv32a(vars.binary_remote_addr);
        // Calculate the hash's position in the output range (0-1)
        hashpos = numhash / 4294967295; // Upper bound is 32 bits
        req.log("timepos = " + timepos + ", hashpos = " + hashpos); // error_log [info]
        // Should we transition this client?
        if ( timepos > hashpos ) {
            return "new";
        } else {
            return "old";
        }
    }
}
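The slide's gradual old-to-new migration, rewritten here as a stand-alone JavaScript example (added for this page; not the deck's or NGINX's own code) that also supplies the 32-bit FNV-1a helper the slide calls but never shows. It assumes plain arguments in place of the njs request object: transitionStatus(vars, timeNow) takes the NGINX variables and the time in seconds, and shareOnNew() is a hypothetical helper that runs it over constructed client addresses to show the ramp.

```javascript
// Added example, not the slide's code. Gradual old->new migration keyed on a hash of
// the client address, written as pure functions so it runs outside NGINX (node) too.

// 32-bit FNV-1a over a byte string; $binary_remote_addr supplies 4 raw bytes for IPv4.
// (Assumed implementation of the fnv32a helper the slide calls but does not show.)
function fnv32a(bytes) {
    var hash = 0x811c9dc5;                        // FNV offset basis
    for (var i = 0; i < bytes.length; i++) {
        hash ^= bytes.charCodeAt(i) & 0xff;
        hash = Math.imul(hash, 0x01000193) >>> 0; // FNV prime, truncated to 32 bits
    }
    return hash;
}

// Return "old" or "new" for one client at timeNow (seconds since the epoch).
// vars mimics req.variables: the two window bounds (strings, as NGINX passes them)
// and binary_remote_addr. Before the window everyone is "old", after it everyone is
// "new"; inside it the share on "new" grows linearly with time, and a client never
// flips back because its hash position is fixed.
function transitionStatus(vars, timeNow) {
    var windowStart = Number(vars.transition_window_start);
    var windowEnd = Number(vars.transition_window_end);
    if (timeNow < windowStart) return "old";
    if (timeNow > windowEnd) return "new";
    var timepos = (timeNow - windowStart) / (windowEnd - windowStart); // 0..1
    var hashpos = fnv32a(vars.binary_remote_addr) / 4294967295;         // 0..1
    return timepos > hashpos ? "new" : "old";
}

// Constructed sample input: the slide's window (23-Aug-2016 17:00-19:00 UTC) and three
// client addresses in $binary_remote_addr form (10.0.0.1, 10.0.0.2, 192.168.1.100).
var WINDOW_START = "1471971600";
var WINDOW_END = "1471978800";
var CLIENTS = ["\x0a\x00\x00\x01", "\x0a\x00\x00\x02", "\xc0\xa8\x01\x64"];

// Hypothetical helper: fraction of the sample clients routed to "new" at timeNow.
function shareOnNew(clients, timeNow) {
    var onNew = 0;
    for (var i = 0; i < clients.length; i++) {
        var vars = { transition_window_start: WINDOW_START,
                     transition_window_end: WINDOW_END,
                     binary_remote_addr: clients[i] };
        if (transitionStatus(vars, timeNow) === "new") onNew++;
    }
    return onNew / clients.length;
}

// Walk through the window in 30-minute steps to watch the ramp.
for (var t = 1471971600; t <= 1471978800; t += 1800) {
    console.log(new Date(t * 1000).toISOString() + "  share on new = " + shareOnNew(CLIENTS, t));
}
```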
24. nginScript in NGINX Plus R10
● nginScript is a work in progress
• Implements a growing subset of ECMAScript 5.1
• Implements a growing set of global functions and built-in objects and functions
● Still seeking optimal way to integrate nginScript and NGINX configuration language
26. Additional Features
● Closer parity between TCP/UDP load balancing and HTTP load balancing. TCP/UDP load balancing now includes:
• split_clients for A/B testing
• geoip to take actions based on the geographical location of clients
• geo to define variables based on IP address
• map module
• Additional NGINX variables
● NGINX Plus uses the IP_BIND_ADDRESS_NO_PORT socket option when available
• Reuses port numbers to help prevent ephemeral port exhaustion
• Enables greater scalability by allowing for more simultaneous TCP connections
• Requires Linux kernel 4.2 (Ubuntu 15.10 or later)
27. Additional Features
● A unique transaction ID ($request_id) is autogenerated for each new HTTP request
• Facilitates application tracing and brings APM capabilities to log-analysis tools
• The transaction ID can be proxied to backend servers so that all parts of the system can log a consistent identifier for each transaction
● The proxy_request_buffering, fastcgi_request_buffering, scgi_request_buffering, and uwsgi_request_buffering directives now work with HTTP/2 and can be used to toggle request buffering
● HTTP/2 clients can now start sending the request body immediately using the new http2_body_preread_size directive, which controls the size of the buffer used before NGINX Plus starts reading the client request body
28. Summary
NGINX Plus R10 has key new features for improved security, network integration, and scripting
● NGINX Plus with ModSecurity WAF helps defend and secure applications
● JWT authentication consolidated with NGINX Plus simplifies operations
● “Dual-stack” RSA-ECC certificates more than double SSL/TLS TPS while maintaining backward compatibility
● Transparent proxy enables IP transparency and Direct Server Return
● nginScript is the next-generation extension language for NGINX
Released: Tuesday August 23, 2016