What’s New in NGINX Plus R10?
MORE INFORMATION AT NGINX.COM
NGINX Plus R9 Recap
● Dynamic modules
  ○ Load rich modules into NGINX Plus at runtime
● UDP load balancing
  ○ Load balancing for DNS, RADIUS, and other UDP services
  ○ Complements existing TCP/HTTP load balancing
● On-the-fly reconfiguration using DNS SRV records
  ○ Reduce microservices complexity
● NGINX Plus App Pricing
  ○ "All you can eat" pricing for NGINX Plus
Released: Tuesday April 12, 2016
NGINX Plus R10 New Features
Key new features for improved security, network integration, and scripting
Security:
● ModSecurity Web Application Firewall (WAF)
● Native JWT support for OAuth 2.0 and OpenID Connect
● "Dual-stack" RSA-ECC certificates
Network integration:
● IP transparency
● Direct Server Return (DSR) for UDP apps
Scripting:
● nginScript
Released: Tuesday August 23, 2016
ModSecurity WAF
Why a Web Application Firewall?
“...even when you understand web security, it is difficult to produce secure code, especially when working under the pressure so common in today's software development projects.”
– Ivan Ristic, ModSecurity creator
● 50% increase in web application attacks from 2015 to 2016
● 125% increase in DDoS attacks from 2015 to 2016
● Security breaches can be devastating
  • Code Spaces – went out of business after an attacker deleted all of its data
  • DNC email scandal – head of the DNC and 3 others forced to resign
  • iCloud, PlayStation Network, many more
● A WAF is a necessary layer of protection for applications (it complements fixing the code; it does not replace it)
Why ModSecurity?
● Open source (curated by TrustWave)
● Battle tested for over 14 years
● Used by tens of thousands of websites
● 3,000 downloads/month
● Large, enthusiastic community backing
● Easy to find help
ModSecurity 101
● Two basic components
  • Rules that define malicious behavior
  • WAF software that enforces the rules
● Pluggable rule set
  • OWASP Core Rule Set (free)
  • GotRoot Commercial Rules ($199/year)
  • TrustWave Commercial Rules ($495/year)
● Anomaly-based scoring
  • Each rule that "fires" adds its weight to a per-request anomaly score; no single rule blocks on its own
  • The total score is compared against a threshold, and different actions follow
    ■ Log as notice, warning, critical, etc.
    ■ Drop the request
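The scoring model above, as an added example that is not from the slides or from the OWASP Core Rule Set: a minimal rule file in ModSecurity's SecRule language followed by the NGINX Plus location that enables it. File paths, rule IDs, score weights and the threshold are assumptions; in production you would Include the OWASP Core Rule Set instead of hand-writing detection rules. The ModSecurityEnabled/ModSecurityConfig directive names are those of the ModSecurity 2.9 connector shipped in the R10 preview (later NGINX ModSecurity 3.x releases use modsecurity/modsecurity_rules_file instead).

```nginx
# ---- /etc/nginx/modsec/modsecurity.conf (ModSecurity rule language, assumed path) ----
SecRuleEngine On                       # use DetectionOnly while tuning for false positives
SecRequestBodyAccess On
SecAuditEngine RelevantOnly            # audit-log only transactions that matched a rule
SecAuditLog /var/log/nginx/modsec_audit.log

# Start every transaction at score 0 and set the blocking threshold (assumed values)
SecAction "id:10001,phase:1,pass,nolog,\
    setvar:tx.anomaly_score=0,\
    setvar:tx.inbound_threshold=5"

# Detection rules only add to the score ('pass'); none of them blocks by itself
SecRule ARGS "@detectSQLi" \
    "id:10002,phase:2,pass,log,t:none,t:urlDecodeUni,\
    msg:'SQL injection pattern in argument %{MATCHED_VAR_NAME}',\
    setvar:tx.anomaly_score=+5"

SecRule ARGS "@detectXSS" \
    "id:10003,phase:2,pass,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'XSS pattern in argument %{MATCHED_VAR_NAME}',\
    setvar:tx.anomaly_score=+5"

# A weak signal on its own (score 2 < threshold 5): logged, never blocked alone
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:10004,phase:1,pass,log,msg:'Missing User-Agent',\
    setvar:tx.anomaly_score=+2"

# The only blocking rule: act once the accumulated score reaches the threshold
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_threshold}" \
    "id:10005,phase:2,deny,status:403,log,\
    msg:'Inbound anomaly score %{tx.anomaly_score} reached threshold'"

# ---- /etc/nginx/nginx.conf ----
load_module modules/ngx_http_modsecurity.so;   # the WAF ships as a dynamic module in R10

http {
    upstream app_backend {
        server 10.0.0.10:8080;                 # assumed backend
    }

    server {
        listen 80;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig /etc/nginx/modsec/modsecurity.conf;
            proxy_pass http://app_backend;
        }
    }
}
```

With these weights a single SQLi or XSS match (5) is enough to reach the threshold and return 403, while a missing User-Agent (2) is only logged; two weak signals together still fall short, which is the point of scoring over per-rule blocking. Keep SecRuleEngine at DetectionOnly and read the audit log for a while before switching to On, because every blocking decision here is only as good as the threshold you chose.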
Comprehensive Protection for Critical Apps and Data
Application Servers
● Layer 7 attack protection
● DDoS mitigation
● Real-time blacklists 1
● Sensitive data protection
● Honeypots
● Virtual patching
● Detailed audit logs
● PCI-DSS 6.6 compliance
1 Additional costs may apply
NGINX Plus with ModSecurity WAF Details
● R10 release is a ‘preview’ – test, evaluate, feedback, deploy
● Easily installable as a dynamic module
● Fully maintained, built, tested, and packaged per release by our core engineering team
● One number to call for 24x7 support with setup and configuration help
  • Includes OWASP Core Rule Set configuration
● Cost: $2,000/year per instance for NGINX Plus Professional and Enterprise customers
Why NGINX Plus with ModSecurity WAF?
● Significantly reduce costs
  • Over 66% savings in 5-year TCO vs. Imperva
● Combined solution increases operational efficiency
  • Application delivery and security in one place
  • Imperva is WAF only – no load balancing, caching, etc.
● Gain software flexibility and elasticity
  • Deploy in any environment, public or private
  • Limited deployment options with Imperva, F5, etc.
● Eliminate vendor lock-in
  • Standards-based rules language vs. proprietary rules with Imperva, F5, etc.
Native JWT Support
NGINX Plus for Authentication
Use Case 1: Single Sign-On (SSO)
● Easily add single sign-on to new or existing applications
● OpenID Connect provider issues JWTs
● Consumer/external – Google, Yahoo!, etc.
  • Not Facebook (Facebook Login does not issue OpenID Connect ID tokens)
● Enterprise/internal – Okta, OneLogin, Ping Identity, etc.
Use Case 2: API Gateway
● Centralized authentication for APIs
● Client-side application requests JWT
  • iPhone/Android-native app
  • Browser-based app
● Typically a homegrown entity that issues JWTs
  • Does not involve OpenID, Google, etc.
● Workflow is identical to SSO
Why NGINX Plus for OpenID?
● Improve security by keeping the token verification keys in one place (NGINX Plus) instead of in every application
● Simplify application logic by offloading authentication
● Rate limit and track per user rather than per IP address
● Eliminate vendor lock-in
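Both use cases above (SSO with an OpenID Connect provider, and a homegrown JWT issuer in front of an API) use the same NGINX Plus configuration; only the contents of the key file differ. The following is an added example for this page, not configuration from NGINX or from any identity provider: hostnames, file paths, the issuer URL, zone names and rates are assumptions.

```nginx
# Added example; all names, paths, rates and the IdP URL are assumptions.

http {
    # Verification keys in JWK format, held only on NGINX Plus ("one location").
    # - SSO (use case 1): the OpenID Connect provider's public JWK set (RS256),
    #   copied from its jwks_uri into /etc/nginx/jwk/idp.jwk
    # - API gateway (use case 2): a shared HS256 secret, for example
    #     {"keys":[{"kty":"oct","kid":"0001","k":"<base64url-encoded secret>"}]}
    # Make the file readable by the nginx worker user only.

    # auth_jwt checks the signature plus exp/nbf; it does not check who issued
    # the token, so pin the expected "iss" claim with a map (assumed IdP URL).
    map $jwt_claim_iss $jwt_iss_ok {
        default                    0;
        "https://idp.example.com"  1;
    }

    # Rate-limit per authenticated subject (user), not per source IP. Requests
    # without a token have an empty $jwt_claim_sub and are not counted in that
    # zone, so keep a per-IP zone as well to stop token guessing.
    limit_req_zone $jwt_claim_sub      zone=per_user:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=per_ip:10m   rate=20r/s;

    # Track requests per user in the access log
    log_format jwt '$remote_addr $jwt_claim_sub [$time_local] "$request" $status $request_time';

    upstream api_backend {
        server 10.0.0.10:8080;          # assumed backend
    }

    server {
        listen 443 ssl http2;
        server_name api.example.com;
        ssl_certificate     /etc/nginx/ssl/api.example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/api.example.com.key;
        access_log /var/log/nginx/api.log jwt;

        location /api/ {
            # The issuer check runs in the rewrite phase, before auth_jwt (access
            # phase); a request must pass both to reach the backend.
            if ($jwt_iss_ok = 0) {
                return 401;
            }

            # Realm string is returned in WWW-Authenticate on 401. The token is
            # read from "Authorization: Bearer <jwt>" by default.
            auth_jwt          "API";
            auth_jwt_key_file /etc/nginx/jwk/idp.jwk;

            limit_req zone=per_ip   burst=40;
            limit_req zone=per_user burst=20 nodelay;

            # Hand the verified identity to the app as a header. Setting it here
            # overwrites any copy the client sent, so the app can trust it only
            # because NGINX is the sole path to the app.
            proxy_set_header X-User-Sub    $jwt_claim_sub;
            proxy_set_header Authorization "";     # optional: app never sees the raw token
            proxy_pass http://api_backend;
        }
    }
}
```

Two things the slide's "consolidate keys" point depends on: the app must be reachable only through NGINX Plus (otherwise X-User-Sub is attacker-controlled), and key rotation is a change to one JWK file rather than a redeploy of every service. Because $jwt_claim_sub is evaluated on demand, it is available to limit_req (preaccess phase) before auth_jwt runs, which is why the per-user zone works at all.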
“Dual-Stack” RSA-ECC Certificates
RSA vs. ECC
● Certificates are used for:
  ○ Users know they are talking to the right website and not a man-in-the-middle
  ○ Authenticating the server's public key so that session keys can be established securely
● RSA certificates have been the industry standard for a long time
● ECC (Elliptic Curve Cryptography) provides the same functionality as RSA with much smaller keys (a 256-bit EC key is comparable in strength to 3072-bit RSA) and over 3x better performance
● "Dual-stack" means backward compatibility for older devices
  ○ Configure a server with both RSA and ECC certificates
  ○ Modern clients automatically use the higher-performance, lower-impact ECC certificate (selected by the ECDHE-ECDSA cipher suite they negotiate)
  ○ Legacy clients are not locked out because NGINX provides them with an RSA cert
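The dual-stack setup described above, as an added example that is not from the slides: one server block carrying both chains. Hostnames, file paths and the cipher list are assumptions. It needs NGINX Plus R10 (NGINX 1.11.0 or later) built against OpenSSL 1.0.2 or later, which is what allows several certificates of different key types in one server.

```nginx
# Added example; names, paths and the cipher list are assumptions.

server {
    listen 443 ssl http2;
    server_name www.example.com;

    # Both chains cover the same names. NGINX serves the ECDSA chain when the
    # negotiated cipher suite is an ECDHE-ECDSA one and the RSA chain otherwise;
    # nothing else in the config chooses which client gets which certificate.
    ssl_certificate     /etc/nginx/ssl/www.example.com.rsa.crt;
    ssl_certificate_key /etc/nginx/ssl/www.example.com.rsa.key;
    ssl_certificate     /etc/nginx/ssl/www.example.com.ecdsa.crt;   # P-256 key
    ssl_certificate_key /etc/nginx/ssl/www.example.com.ecdsa.key;

    # TLS 1.0/1.1 are here only for the legacy clients the RSA chain exists for;
    # drop them as soon as those clients are gone.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Server-ordered list: ECDSA suites first, so every client able to use them
    # lands on the ECC chain; RSA suites remain at the end for legacy clients.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling is performed for whichever chain is served
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/ca-chain.pem;   # issuing CAs of both chains
    resolver 10.0.0.2;                                     # assumed internal resolver
}
```

To confirm which chain a client receives, connect twice with openssl s_client, once with -cipher ECDHE-ECDSA-AES128-GCM-SHA256 and once with -cipher ECDHE-RSA-AES128-GCM-SHA256, and inspect the presented certificate with openssl x509 -noout -text: the Public Key Algorithm should read id-ecPublicKey in the first case and rsaEncryption in the second. If the ECDSA connection fails, the usual causes are a cipher list that omits the ECDSA suites or an ECDSA chain whose intermediate is not in the file.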
Network Features
Transparent Proxy Enables IP Transparency and Direct Server Return
● Support for a broader range of application types and deployment models
● IP transparency – Send the original client IP address to the backend server
● Direct Server Return (DSR) – Server responds directly to the client
  ○ DSR is supported for UDP-based applications
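Both network features come from the same directive, proxy_bind with the transparent parameter, which makes NGINX Plus open the upstream connection from the client's own source address. The following stream configuration is an added example, not from the slides; addresses, ports and upstream names are assumptions.

```nginx
# Added example; addresses, ports and names are assumptions.

# With NGINX 1.11.x (R10) the worker processes need root to bind a non-local
# address (IP_TRANSPARENT); from NGINX 1.13.8 workers inherit CAP_NET_RAW
# from the master instead and 'user nginx;' is enough.
user root;

stream {
    upstream dns_servers {
        server 10.0.1.11:53;
        server 10.0.1.12:53;
    }

    # UDP Direct Server Return: datagrams leave NGINX with the client's own
    # source address AND port, so the DNS server answers the client directly.
    server {
        listen 53 udp;
        proxy_bind $remote_addr:$remote_port transparent;
        proxy_responses 0;      # NGINX never sees the reply, so do not wait for one
        proxy_pass dns_servers;
    }

    # IP transparency for TCP: the backend sees the real client address, but
    # its replies must be routed back through this host, not straight to the
    # client (TCP cannot do DSR through a proxy).
    server {
        listen 3306;
        proxy_bind $remote_addr transparent;
        proxy_pass 10.0.1.21:3306;
    }
}
```

The config is the easy half. For the TCP case the backend's route to client addresses must point at the NGINX host (typically its default gateway), and on the NGINX host the returning packets must be delivered locally rather than forwarded: mark them in the iptables mangle PREROUTING chain by source network and port, then add an ip rule for that fwmark that looks up a table containing a local route for 0.0.0.0/0 on lo. For UDP DSR the backend must source its replies from the address the client sent to, for example by SNAT-ing outbound port-53 replies to the virtual IP on the backend. Because NGINX never observes DSR replies, active health checks that depend on a response cannot tell a dead backend from a live one; monitor the backends some other way.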
nginScript
What Is nginScript?
● Next-generation configuration language for NGINX
● Makes NGINX more powerful and accessible
● Customers can use JavaScript to perform more complex and custom actions than can be performed with standard NGINX configuration
● JavaScript is a well-known and widely used programming language, especially in the frontend
nginScript in NGINX Plus R10

js_include /etc/nginx/functions.js;

server {
    listen 80;

    location / {
        set $transition_window_start 1471971600;   # 23-Aug-2016 17:00:00 UTC
        set $transition_window_end   1471978800;   # 23-Aug-2016 19:00:00 UTC
        js_set $upstream transitionStatus;          # Returns "old|new" based on window position
        proxy_pass http://$upstream;                # upstreams "old" and "new" are defined elsewhere
        error_log /var/log/nginx/transition.log info;   # Enable nginScript logging
    }
}
nginScript in NGINX Plus R10

// Gradually move clients from the "old" to the "new" upstream over the
// configured window. Each client's IP is hashed once, so a given client is
// switched at a fixed point in the window and never flips back and forth.
function transitionStatus(req) {
    var vars, window_start, window_end, time_now, timepos, numhash, hashpos;

    // Get the transition window from NGINX configuration
    // (set $... values arrive as strings; JavaScript coerces them to numbers below)
    vars = req.variables;
    window_start = vars.transition_window_start;
    window_end = vars.transition_window_end;

    // Are we in the transition time window?
    time_now = Math.floor(Date.now() / 1000);   // Convert from milliseconds
    if ( time_now < window_start ) {
        return "old";
    } else if ( time_now > window_end ) {
        return "new";
    } else {
        // We are in the transition window
        // Calculate our relative position in the window (0-1)
        timepos = (time_now - window_start) / (window_end - window_start);

        // Get numeric hash for this client's IP address
        // (fnv32a() is a 32-bit FNV-1a hash defined elsewhere in functions.js; not shown on the slide)
        numhash = fnv32a(vars.binary_remote_addr);

        // Calculate the hash's position in the output range (0-1)
        hashpos = numhash / 4294967295;   // Upper bound is 32 bits
        req.log("timepos = " + timepos + ", hashpos = " + hashpos);   // error_log [info]

        // Should we transition this client?
        if ( timepos > hashpos ) {
            return "new";
        } else {
            return "old";
        }
    }
}
nginScript in NGINX Plus R10
● nginScript is a work in progress
  • Implements a growing subset of ECMAScript 5.1
  • Implements a growing set of global functions and built-in objects and functions
● Still seeking the optimal way to integrate nginScript and the NGINX configuration language
Additional Features
● Closer parity between TCP/UDP load balancing and HTTP load balancing. TCP/UDP load balancing now includes:
  • split_clients for A/B testing
  • geoip to take actions based on the geographical location of clients
  • geo to define variables based on IP address
  • map module
  • Additional NGINX variables
● NGINX Plus uses the IP_BIND_ADDRESS_NO_PORT socket option when available
  • Lets the kernel defer choosing the source port from bind() to connect(), so a source port can be reused for connections to different destinations and ephemeral port exhaustion is less likely
  • Enables greater scalability by allowing more simultaneous TCP connections
  • Requires Linux kernel 4.2 (Ubuntu 15.10 or later)
Additional Features
● A unique transaction ID ($request_id) is autogenerated for each new HTTP request
• Facilitates application tracing and brings APM capabilities to log-analysis tools
• The transaction ID can be proxied to backend servers so that all parts of the system can log a consistent identifier for each transaction
● The proxy_request_buffering, fastcgi_request_buffering, scgi_request_buffering, and uwsgi_request_buffering directives now work with HTTP/2 and can be used to toggle request buffering
● HTTP/2 clients can now start sending the request body immediately using the new http2_body_preread_size directive, which controls the size of the buffer used before NGINX Plus starts reading the client request body
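The $request_id tracing described above, together with the request-buffering and HTTP/2 body-preread settings, in one server block. This is an added example for this page, not from the slides; hostnames, paths and the header name are assumptions.

```nginx
# Added example; names, paths and the header name are assumptions.

http {
    # Log the per-request ID at the edge, next to the upstream that served it
    log_format traced '$remote_addr - [$time_local] "$request" $status '
                      'rid=$request_id upstream=$upstream_addr rt=$request_time';
    access_log /var/log/nginx/access.log traced;

    upstream app_backend {
        server 10.0.0.10:8080;          # assumed backend
    }

    server {
        listen 443 ssl http2;
        server_name www.example.com;
        ssl_certificate     /etc/nginx/ssl/www.example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/www.example.com.key;

        # Buffer that lets an HTTP/2 client start sending its request body before
        # NGINX begins reading it (default 64k)
        http2_body_preread_size 64k;

        location / {
            # Hand the same ID to the backend. Setting the header here overwrites
            # any value the client sent, so a caller cannot choose or forge the
            # identifier that ends up in every tier's logs.
            proxy_set_header X-Request-ID $request_id;

            # Return it to the client so that an error report can quote it
            add_header X-Request-ID $request_id always;

            # Stream large uploads straight to the backend instead of spooling
            # them to disk first. Note that with buffering off NGINX cannot
            # replay the body to the next upstream on failure.
            proxy_request_buffering off;

            proxy_pass http://app_backend;
        }
    }
}
```

On the backend, log the X-Request-ID header with every line and pass it along on any further internal calls; a single grep for the ID then reconstructs the whole transaction across tiers. Only NGINX should mint the ID: if a service behind NGINX also accepts the header from arbitrary callers, keep that path unreachable from outside.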
Summary
NGINX Plus R10 has key new features for improved security, network integration, and scripting
● NGINX Plus with ModSecurity WAF helps defend and secure applications
● JWT authentication consolidated with NGINX Plus simplifies operations
● "Dual-stack” RSA-ECC certificates more than double SSL/TLS TPS while maintaining backward compatibility
● Transparent proxy enables IP transparency and Direct Server Return
● nginScript is the next-generation extension language for NGINX
Released: Tuesday August 23, 2016