Using a reverse proxy server like NGINX can be an effective approach when securing web applications. However, web apps can still be vulnerable to attacks, even with a reverse proxy. That's where a Web Application Firewall (WAF) comes in.
Adding a WAF to your NGINX reverse proxy setup can provide an additional layer of protection against common web application attacks such as SQL injection, cross-site scripting (XSS), and Cross-Site Request Forgery (CSRF).
Keeping this in view, in the article, we will explore why you should use a WAF in NGINX reverse proxy and how to install the open-appsec WAF in NGINX reverse proxy.
What Is NGINX, and What Is Its Function in Kubernetes?
NGINX is an open-source web server and application delivery platform widely used to serve static and dynamic content over ports 80 (HTTP) and 443 (HTTPS).
In Kubernetes, NGINX is often used as an Ingress controller to manage external access to the Kubernetes services within a cluster. It acts as a reverse proxy to route incoming requests to the appropriate backend services based on the requested hostname, path, or other criteria. This allows clients to access the Kubernetes services using a single, stable IP address or DNS name rather than having to know the IP addresses or ports of individual pods or services.
In addition to this, NGINX Ingress Controller can perform other functions such as the following:
Load Balancing
SSL Termination
Rate Limiting
URL-Based Routing
It can also be configured using Kubernetes manifests for declarative configuration and version control. It also integrates seamlessly with Kubernetes features such as service discovery, autoscaling, and rolling updates, making it a flexible tool for managing traffic and delivering applications in Kubernetes.
Overall, the NGINX reverse proxy in Kubernetes provides a centralized and scalable way to manage all external access to services in a Kubernetes cluster.
Why Should You Use a WAF in NGINX?
While NGINX reverse proxy can provide some basic security features, such as rate limiting and SSL termination, it is not designed to provide advanced security features like those offered by a WAF.
Admittedly, people feel reluctant to add a WAF to NGINX reverse proxy to prevent a hike in false positives that leads to user frustration, decreased trust in the app, and potential loss of users. However, this can be avoided by integrating a low latency WAF with a good track record and effective security against known and unknown web attacks – without worrying about increased false positives.
Given below are the advantages you will get by using open-appsec WAF in NGINX reverse proxy.
It can lead to improved security against known and unknown attacks using two machine learning algorithms.
It has simplified deployment and maintenance due to the absence of signatures.
It can be easily installed and integrated using an interactive CLI tool.
It has a faster threat response and reduced false positives.
It can prove cost-effective because it is an open-source WAF.
Are you looking for a way to block attacks on your web application before they happen? Look no further, as open-appsec uses machine learning to continuously detect and preemptively block threats before they can do any damage. Our code has also been published on GitHub, and the effectiveness of our WAF has been successfully proven in numerous tests by third parties. Try open-appsec in the Playground today.
How to Install open-appsec WAF in an NGINX Environment (on a Linux Machine)?
You can deploy open-appsec as an add-on for NGINX to protect all client requests and API calls passing through the NGINX reverse proxy server.
For simplicity and speed, we’ll use an interactive CLI tool to configure and deploy open-appsec.
Requirements
A Linux machine (physical or virtual system running the Linux OS) will be necessary.
Install the supported NGINX attachments for the Linux version. Click here to view the supported NGINX attachment for your Linux version.
wget command line tool installed on your Linux machine.
Installation
Download the installer for Linux using these commands:
wget https://downloads.openappsec.io/open-appsec-install && chmod +x open-appsec-install
You can show the installer version and available options by running the following command to show the help info:
./open-appsec-install -h
This interactive installer provides two alternative modes for automatic versus manual installation.
Mode 1: Automatic installation of open-appsec and adding attachment (plugin) to NGINX.
In this mode, open-appsec will automatically install with all required components, and the attachment will be added and activated in the existing configuration for NGINX.
./open-appsec-install --auto
The steps shown below for Mode 2 are the exact steps also performed when running the automatic installation.
(Adding --prevent will set the default rule in the default policy file prevent-learn instead of detect-learn, but the recommendation is to keep detect-learn)
Mode 2: Downloading software components and presenting manual installation instructions
In this mode, all required components based on your NGINX/Kong version, OS version, and Platform will be downloaded to your machine. Additionally, instructions will be presented for manual installation.
./open-appsec-install --download
Optionally you can add a --tmpdir <path> option to specify an alternative path for the downloaded software components (default path is /tmp/openappsec/).
Once the download has finished, follow these steps for manual installation:
Step 1: Deploying the attachment on an existing alpine NGINX/Kong server
Copy the associated libraries as shown in the output for Step 1 with commands similar to this:
cp /tmp/open-appsec/[version specific dir]/libshmem_ipc /usr/lib/ cp /tmp/open-appsec/[version specific dir]/libcompression_utils /usr/lib/ cp /tmp/open-appsec/[version specific dir]/libnginx_attachment_util /usr/lib/
Copy the nginx attachment file as shown in the output for Step 1 with a command similar to this:
cp /tmp/open-appsec/[version specific dir]/libngx_module.so /usr/lib/nginx/modules/
Load the attachment on your NGINX by adding the following line to your nginx.conf, usually located here: /etc/nginx/ load_module /usr/lib/nginx/modules/libngx_module.so;
Step 2: Installing the open-appsec agent
Run the following commands:
/tmp/open-appsec/openappsec/install-cp-nano-agent.sh --install --hybrid_mode /tmp/open-appsec/openappsec/install-cp-nano-service-http-transaction-handler.sh --install /tmp/open-appsec/openappsec/install-cp-nano-attachment-registration-manager.sh --install
Step 3: Validate the configuration
Run the following command to validate the Nginx configuration:
nginx -t
You should see an output confirming that the syntax is "ok" similar to this:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart the NGINX service so that the updated nginx configuration is applied and the open-appsec attachment module is loaded:
service nginx restart
Congratulations, you successfully installed and activated open-appsec to your existing NGINX/Kong installation.
Note: For Production usage, you might want to switch from using the Basic to the more accurate Advanced Machine Learning model.
Finally
Adding a WAF to your NGINX reverse proxy setup is a crucial step in securing your application's safety, and using a WAF like open-appsec can be a reliable and powerful option.
With its intuitive configuration options and robust security features, open-appsec can protect your web applications from SQL injection, XSS, and other attacks. Follow the installation steps outlined in this article to easily set up open-appsec WAF with NGINX reverse proxy. For more details, check the open-appsec documentation or try open-appsec in the Playground today.
Frequently Asked Questions
Is NGINX free?
NGINX is a free, open-source, high-performance HTTP server and reverse proxy. It is free for both personal and commercial use. NGINX Plus is sold as a software subscription, which has a lot more added features compared to the open-source version.
Why is NGINX called a reverse proxy?
NGINX is a reverse proxy because it acts as an intermediary between clients and servers, forwarding client requests to backend servers. It distributes client requests across multiple backend servers, improving performance and increasing reliability by ensuring that the other servers can continue to handle requests if one server goes down. It also handles load balancing, caching, SSL termination, and other tasks to improve web application performance, security, and scalability.
Why use a reverse proxy?
Apart from its overall advantage of improving the performance, security, and scalability of web applications, here are several reasons for using a reverse proxy. It can assign incoming requests to several backend servers in a way that prevents any individual server from becoming overloaded. It also acts as an extra security layer between the internet and the backend servers.
Is NGINX a web server or reverse proxy?
NGINX serves as a web server and a reverse proxy. It was originally developed as a high-performance web server, but over time it has evolved into a versatile application delivery platform that includes reverse proxy capabilities.