What's New in NGINX Plus R10?

Page 1: What's New in NGINX Plus R10?

Page 2: What's New in NGINX Plus R10?

MORE INFORMATION AT NGINX.COM

NGINX Plus R9 Recap

● Dynamic modules
  ○ Load rich modules into NGINX Plus at runtime

● UDP load balancing
  ○ Load balancing for DNS, RADIUS, and other UDP services
  ○ Complements existing TCP/HTTP load balancing

● On-the-fly reconfiguration using DNS SRV records
  ○ Reduce microservices complexity

● NGINX Plus App Pricing
  ○ “All you can eat” pricing for NGINX Plus

Released: Tuesday April 12, 2016

Page 3: What's New in NGINX Plus R10?

NGINX Plus R10 New Features

Key new features for improved security, network integration, and scripting

Security:

● ModSecurity Web Application Firewall (WAF)
● Native JWT support for OAuth 2.0 and OpenID Connect
● “Dual-stack” RSA-ECC certificates

Network integration:

● IP transparency
● Direct Server Return (DSR) for UDP apps

Scripting:

● nginScript

Released: Tuesday August 23, 2016

Page 4: What's New in NGINX Plus R10?

ModSecurity WAF

Page 5: What's New in NGINX Plus R10?

Why a Web Application Firewall?

“...even when you understand web security, it is difficult to produce secure code, especially when working under the pressure so common in today's software development projects.”

– Ivan Ristic, ModSecurity creator

● 50% increase in web application attacks from 2015 to 2016
● 125% increase in DDoS attacks from 2015 to 2016

● Security breaches can be devastating
  • Code Spaces – Went out of business after attacker deleted all of its data
  • DNC email scandal – Head of DNC, 3 others forced to resign
  • iCloud, PlayStation Network, many more

● A WAF is a necessary tool for protecting applications

Page 6: What's New in NGINX Plus R10?

Why ModSecurity?

● Open source (curated by TrustWave)

● Battle tested for over 14 years

● Used by tens of thousands of websites

● 3,000 downloads/month

● Large, enthusiastic community backing

● Easy to find help

Page 7: What's New in NGINX Plus R10?

ModSecurity 101

● Two basic components
  • Rules that define malicious behavior
  • WAF software that enforces the rules

● Pluggable rule set
  • OWASP Core Rule Set (free)
  • GotRoot Commercial Rules ($199/year)
  • TrustWave Commercial Rules ($495/year)

● Anomaly-based scoring
  • Each rule that “fires” contributes to the anomaly score
  • Based on the score, different actions can happen
    ■ Log as notice, warning, critical, etc.
    ■ Drop the request
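
The anomaly-scoring model on this slide, as an added example that is not ModSecurity's own code: a small Node.js simulation in which every matching rule adds its severity weight to a per-request score, and the total selects the action. The severity weights and the threshold of 5 follow the OWASP Core Rule Set defaults; the rule ids, the simplified patterns, the sample requests and the log-level cut-offs are constructed for the illustration.

```javascript
// Added example, not ModSecurity's code: a toy model of anomaly-based scoring.
// Every rule that matches a request contributes its severity weight; the total
// score picks the action. Severity weights and the threshold of 5 follow the
// OWASP Core Rule Set defaults; the rules and sample requests are constructed.
const SEVERITY = { CRITICAL: 5, ERROR: 4, WARNING: 3, NOTICE: 2 };

// Hypothetical rules: which request field to inspect and a simplified pattern.
const RULES = [
  { id: 1001, severity: "CRITICAL", target: "uri",    test: /\.\.\//,                 msg: "Path traversal sequence" },
  { id: 1002, severity: "CRITICAL", target: "args",   test: /<script\b/i,              msg: "Script tag in arguments" },
  { id: 1003, severity: "WARNING",  target: "host",   test: /^\d{1,3}(\.\d{1,3}){3}$/, msg: "Host header is a numeric IP" },
  { id: 1004, severity: "NOTICE",   target: "accept", test: /^$/,                      msg: "Missing Accept header" },
];

// Run every rule against one request; returns the matched rule ids and the score.
function scoreRequest(req, rules = RULES) {
  const matched = rules.filter(r => r.test.test(req[r.target] || ""));
  const score = matched.reduce((sum, r) => sum + SEVERITY[r.severity], 0);
  return { score, matched: matched.map(r => r.id) };
}

// Map the score to an action as the slide describes: log at a level that
// reflects the score, and drop the request once the threshold is reached.
// The log-level cut-off (3 for warning) is this example's own choice.
function decide(score, threshold = 5) {
  if (score >= threshold) return "drop";
  if (score >= 3) return "log:warning";
  if (score > 0) return "log:notice";
  return "allow";
}

function evaluate(req, threshold = 5) {
  const { score, matched } = scoreRequest(req);
  return { score, matched, action: decide(score, threshold) };
}

// Constructed sample requests. "accumulated" shows the point of anomaly
// scoring: two rules that are individually below the threshold add up to it.
const SAMPLES = {
  clean:       { uri: "/index.html",            args: "", host: "www.example.com", accept: "text/html" },
  traversal:   { uri: "/static/../../app.conf", args: "", host: "www.example.com", accept: "*/*" },
  numericHost: { uri: "/",                      args: "", host: "192.0.2.10",      accept: "*/*" },
  accumulated: { uri: "/",                      args: "", host: "192.0.2.10",      accept: "" },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(12), JSON.stringify(evaluate(req)));
}
```

Raising the threshold (the second argument of evaluate) is the knob that trades false positives for coverage; in the sample above, a threshold of 6 turns the "accumulated" request from a drop into a warning-level log entry.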

Page 8: What's New in NGINX Plus R10?

Comprehensive Protection for Critical Apps and Data

Application Servers

● Layer 7 attack protection

● DDoS mitigation

● Real-time blacklists [1]

● Sensitive data protection

● Honeypots

● Virtual patching

● Detailed audit logs

● PCI-DSS 6.6 compliance

[1] Additional costs may apply

Page 9: What's New in NGINX Plus R10?

NGINX Plus with ModSecurity WAF Details

● R10 release is a ‘preview’ – test, evaluate, feedback, deploy

● Easily installable as a dynamic module

● Fully maintained, built, tested, and packaged per release by our core engineering team

● One number to call for 24x7 support with setup and configuration help
  • Includes OWASP Core Rule Set configuration

● Cost: $2,000/year per instance for NGINX Plus Professional and Enterprise customers

Page 10: What's New in NGINX Plus R10?

Why NGINX Plus with ModSecurity WAF?

● Significantly reduce costs
  • Over 66% savings in 5-year TCO vs. Imperva

● Combined solution increases operational efficiency
  • Application delivery and security in one place
  • Imperva is WAF only – no load balancing, caching, etc.

● Gain software flexibility and elasticity
  • Deploy in any environment, public or private
  • Limited deployment options with Imperva, F5, etc.

● Eliminate vendor lock-in
  • Standards-based rules language vs. proprietary rules with Imperva, F5, etc.

Page 11: What's New in NGINX Plus R10?

Native JWT Support

Page 12: What's New in NGINX Plus R10?

NGINX Plus for Authentication

Page 13: What's New in NGINX Plus R10?

Use Case 1: Single Sign-On (SSO)

● Easily add single sign-on to new or existing applications

● OpenID Connect provider issues JWTs

● Consumer/external – Google, Yahoo!, etc.
  • No Facebook

● Enterprise/internal – Okta, OneLogin, Ping Identity, etc.

Page 14: What's New in NGINX Plus R10?

Use Case 2: API Gateway

● Centralized authentication for APIs

● Client-side application requests JWT
  • iPhone/Android-native app
  • Browser-based app

● Typically homegrown entity that issues JWTs
  • Does not involve OpenID, Google, etc.

● Workflow is identical to SSO

Page 15: What's New in NGINX Plus R10?

Why NGINX Plus for OpenID?

● Improve security by consolidating keys to one location

● Simplify application logic by offloading authentication

● Rate limit and track per user rather than per IP address

● Eliminate vendor lock-in

Page 16: What's New in NGINX Plus R10?

“Dual-Stack” RSA-ECC Certificates

Page 17: What's New in NGINX Plus R10?

RSA vs. ECC

● Certificates are used for:
  ○ Users know they are talking to the right website and not a man-in-the-middle
  ○ Securely exchange information to establish secure communications

● RSA certificates have been industry standard for a long time

● ECC (Elliptic Curve Cryptography) provides the same functionality as RSA with over 3x better performance

● “Dual-stack” means backward compatibility for older devices
  ○ Configure a server with both RSA and ECC certificates
  ○ Modern clients automatically use the higher-performance, lower-impact ECC certificate
  ○ Legacy clients are not locked out because NGINX provides them with an RSA cert

Page 18: What's New in NGINX Plus R10?

Network Features

Page 19: What's New in NGINX Plus R10?

Transparent Proxy Enables IP Transparency and Direct Server Return

● Support for a broader range of application types and deployment models
● IP transparency – Send original client IP address to backend server
● Direct Server Return (DSR) – Server responds directly to client
  ○ DSR is supported for UDP-based applications

Page 20: What's New in NGINX Plus R10?

nginScript

Page 21: What's New in NGINX Plus R10?

What Is nginScript?

● Next-generation configuration language for NGINX

● Makes NGINX more powerful and accessible

● Customers can use JavaScript to perform more complex and custom actions than can be performed with standard NGINX configuration

● JavaScript is a well-known and widely used programming language, especially in the frontend

Page 22: What's New in NGINX Plus R10?

nginScript in NGINX Plus R10

    js_include /etc/nginx/functions.js;

    server {
        listen 80;

        location / {
            set $transition_window_start 1471971600; # 23-Aug-2016 17:00:00 UTC
            set $transition_window_end   1471978800; # 23-Aug-2016 19:00:00 UTC

            js_set $upstream transitionStatus; # Returns "old|new" based on window pos
            # upstream blocks named "old" and "new" are defined elsewhere (not shown on the slide)
            proxy_pass http://$upstream;
            error_log /var/log/nginx/transition.log info; # Enable nginScript logging
        }
    }

Page 23: What's New in NGINX Plus R10?

nginScript in NGINX Plus R10

    function transitionStatus(req) {
        var vars, window_start, window_end, time_now, timepos, numhash, hashpos;

        // Get the transition window from NGINX configuration
        vars = req.variables;
        window_start = vars.transition_window_start;
        window_end = vars.transition_window_end;

        // Are we in the transition time window?
        time_now = Math.floor(Date.now() / 1000); // Convert from milliseconds
        if ( time_now < window_start ) {
            return "old";
        } else if ( time_now > window_end ) {
            return "new";
        } else { // We are in the transition window
            // Calculate our relative position in the window (0-1)
            timepos = (time_now - window_start) / (window_end - window_start);

            // Get numeric hash for this client's IP address
            // (fnv32a() is defined elsewhere in functions.js; not shown on the slide)
            numhash = fnv32a(vars.binary_remote_addr);

            // Calculate the hash's position in the output range (0-1)
            hashpos = numhash / 4294967295; // Upper bound is 32 bits
            req.log("timepos = " + timepos + ", hashpos = " + hashpos); // error_log [info]

            // Should we transition this client?
            if ( timepos > hashpos ) {
                return "new";
            } else {
                return "old";
            }
        }
    }
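
The same ramp as a stand-alone Node.js program, added here as an example (it is not the slide's functions.js): it supplies the fnv32a() helper the slide calls but does not show, replaces req.variables with a plain object, and takes the clock as a parameter so the decision can be checked offline and the share of clients on "new" can be watched across the window. The window boundaries are the slide's; the client addresses are constructed.

```javascript
// Added example, not the slide's functions.js: the transition ramp as plain
// Node.js so it can be run offline. Window boundaries match the slide; the
// client addresses below are constructed.

// 32-bit FNV-1a over the bytes of a Buffer or a binary string (what the slide
// applies to $binary_remote_addr). Standard algorithm: offset basis 0x811c9dc5,
// prime 0x01000193, XOR then multiply per byte.
function fnv32a(input) {
  const bytes = typeof input === "string" ? Buffer.from(input, "latin1") : input;
  let hash = 0x811c9dc5;
  for (let i = 0; i < bytes.length; i++) {
    hash ^= bytes[i];
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return hash >>> 0;
}

// Four-byte form of an IPv4 address, like NGINX's $binary_remote_addr.
function binaryAddr(ipv4) {
  return Buffer.from(ipv4.split(".").map(Number));
}

// Same decision as the slide's transitionStatus(): "old" before the window,
// "new" after it; inside it, "new" once the elapsed fraction of the window
// (timepos) exceeds this client's fixed hash position (hashpos). Because
// hashpos is constant per address and timepos only grows, a client that has
// moved to "new" never flips back to "old".
function transitionStatus(vars, timeNow) {
  const windowStart = Number(vars.transition_window_start); // NGINX variables are strings
  const windowEnd = Number(vars.transition_window_end);
  if (timeNow < windowStart) return "old";
  if (timeNow > windowEnd) return "new";
  const timepos = (timeNow - windowStart) / (windowEnd - windowStart);
  const hashpos = fnv32a(vars.binary_remote_addr) / 4294967295;
  return timepos > hashpos ? "new" : "old";
}

// Fraction of a client population routed to "new" at a given moment.
function shareOnNew(clients, timeNow, vars) {
  const onNew = clients.filter(ip =>
    transitionStatus({ ...vars, binary_remote_addr: binaryAddr(ip) }, timeNow) === "new");
  return onNew.length / clients.length;
}

// Window from the slide (23-Aug-2016 17:00 to 19:00 UTC) and 1024 constructed clients.
const WINDOW = { transition_window_start: "1471971600", transition_window_end: "1471978800" };
const CLIENTS = Array.from({ length: 1024 }, (_, i) => `10.0.${i >> 8}.${i & 255}`);

for (const t of [1471971600, 1471973400, 1471975200, 1471977000, 1471978800]) {
  console.log(new Date(t * 1000).toISOString(), "share on new =", shareOnNew(CLIENTS, t, WINDOW).toFixed(3));
}
```

The share on "new" climbs from 0 at the start of the window to about 1 at its end, and each client crosses over exactly once, which is what makes the hash-based ramp safer than a random per-request coin flip for applications that keep server-side session state.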

Page 24: What's New in NGINX Plus R10?

nginScript in NGINX Plus R10

● nginScript is a work in progress
  • Implements a growing subset of ECMAScript 5.1
  • Implements a growing set of global functions and built-in objects and functions

● Still seeking optimal way to integrate nginScript and NGINX configuration language

Page 25: What's New in NGINX Plus R10?

Additional Features

Page 26: What's New in NGINX Plus R10?

Additional Features

● Closer parity between TCP/UDP load balancing and HTTP load balancing. TCP/UDP load balancing now includes:
  • split_clients for A/B testing
  • geoip to take actions based on the geographical location of clients
  • geo to define variables based on IP address
  • map module
  • Additional NGINX variables

● NGINX Plus uses the IP_BIND_ADDRESS_NO_PORT socket option when available
  • Reuses port numbers to help prevent ephemeral port exhaustion
  • Enables greater scalability by allowing for more simultaneous TCP connections
  • Requires Linux kernel 4.2 (Ubuntu 15.10 or later)

Page 27: What's New in NGINX Plus R10?

Additional Features

● A unique transaction ID ($request_id) is autogenerated for each new HTTP request
  • Facilitates application tracing and brings APM capabilities to log-analysis tools
  • The transaction ID can be proxied to backend servers so that all parts of the system can log a consistent identifier for each transaction

● The proxy_request_buffering, fastcgi_request_buffering, scgi_request_buffering, and uwsgi_request_buffering directives now work with HTTP/2 and can be used to toggle request buffering

● HTTP/2 clients can now start sending the request body immediately using the new http2_body_preread_size directive, which controls the size of the buffer used before NGINX Plus starts reading the client request body

Page 28: What's New in NGINX Plus R10?

Summary

NGINX Plus R10 has key new features for improved security, network integration, and scripting

● NGINX Plus with ModSecurity WAF helps defend and secure applications

● JWT authentication consolidated with NGINX Plus simplifies operations

● “Dual-stack” RSA-ECC certificates more than double SSL/TLS TPS while maintaining backward compatibility

● Transparent proxy enables IP transparency and Direct Server Return

● nginScript is the next-generation extension language for NGINX

Released: Tuesday August 23, 2016

29