cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.
Srikanth7
F5 Employee
F5 Employee

Solution Overview

NGINX App Protect combines the proven effectiveness of F5's Advanced WAF technology with the agility and performance of NGINX Plus. It runs natively on NGINX Plus and addresses some of the most difficult challenges facing modern DevOps environments.

NGINX App Protect, when deployed as an overlay security solution to complement your third-party API Management platforms such as MuleSoft, Kong, Google’s Apigee, and others, provides:

  •  Seamlessly integrates with NGINX Plus and NGINX Ingress Controller
  • Strong security controls to protect against malicious attacks
  • Reduces complexity and tool sprawl while delivering modern apps
  • Enforces security and regulatory requirements.

With NGINX App Protect, you can detect and defend against OWASP App Security's Top Ten attack types like data exfiltration, malicious infections inputs, and many others.

0EM1T000002bofV.png

Figure: NGINX App Protect as an overlay security protection solution for your existing API Management Platform


Solution Deployment

This solution deployment procedure assumes that you have an understanding of the NGINX+ platform. If you like to learn more about NGINX, click this link.

Install NGINX App Protect

Install the most recent version of the NGINX Plus App Protect package (which includes NGINX Plus): 

sudo yum install -y app-protect

Edit the NGINX configuration file and enable the NGINX App Protect module.

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

load_module modules/ngx_http_app_protect_module.so;

events {
    worker_connections 1024;
}

http {
    include          /etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    server {
    listen       80;
        server_name  localhost;
        proxy_http_version 1.1;

        app_protect_enable on;
        app_protect_policy_file "/etc/nginx/NginxDefaultPolicy.json";
        app_protect_security_log_enable on;
        app_protect_security_log "/etc/nginx/log-default.json" syslog:server=10.1.20.6:5144;

        location / {
            resolver 10.1.1.9;
            resolver_timeout 5s;
            client_max_body_size 0;
            default_type text/html;
            proxy_pass http://k8s.arcadia-finance.io:30274$request_uri;
        }
    }
}

Create a Log Configuration

Create a log configuration file log_default.json

sudo vi log-default.json
{
    "filter": {
        "request_type": "all"
    },
    "content": {
        "format": "default",
        "max_request_size": "any",
        "max_message_size": "5k"
    }
}

Restart the NGINX Service

Restart the NGINX service and check the logs.

sudo systemctl start nginx
less /var/log/nginx/error.log

Update Signatures

To add NGINX Plus App Protect signatures repository, download and update the signature package.

sudo yum install -y app-protect-attack-signatures
sudo yum --showduplicates list app-protect-attack-signatures
sudo yum install -y app-protect-attack-signatures-2020.04.30

Reload NGINX process to apply the new signatures.

sudo nginx -s reload

Advanced features

NGINX App Protect supports various advanced security features like Bot Protection, Cryptonice integration, API Security with OpenAPI file import. Let's look at how to deploy Bot Protection in this example.

Create a new NAP policy JSON file with Bot

sudo vi /etc/nginx/policy_bots.json
{
    "policy": {
        "name": "bot_defense_policy",
        "template": {
            "name": "POLICY_TEMPLATE_NGINX_BASE"
        },
        "applicationLanguage": "utf-8",
        "enforcementMode": "blocking",
        "bot-defense": {
            "settings": {
                "isEnabled": true
            },
            "mitigations": {
                "classes": [
                    {
                        "name": "trusted-bot",
                        "action": "alarm"
                    },
                    {
                        "name": "untrusted-bot",
                        "action": "block"
                    },
                    {
                        "name": "malicious-bot",
                        "action": "block"
                    }
                ]
            }
        }
    }

Modify the nginx.conf file to reference this new policy JSON file.

sudo vi /etc/nginx/nginx.conf
user nginx;

worker_processes 1;
load_module modules/ngx_http_app_protect_module.so;

error_log /var/log/nginx/error.log debug;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       80;
        server_name  localhost;
        proxy_http_version 1.1;

        app_protect_enable on;
        app_protect_policy_file "/etc/nginx/policy_bots.json";
        app_protect_security_log_enable on;
        app_protect_security_log "/etc/nginx/app-protect-log-policy.json" syslog:server=10.1.20.6:5144;

        location / {
            resolver 10.1.1.9;
            resolver_timeout 5s;
            client_max_body_size 0;
            default_type text/html;
            proxy_pass http://k8s.arcadia-finance.io:30274$request_uri;
        }
    }
}

Verification

We will verify the NGINX App Protect deployment for illegal requests in the below example.

Test with curl and with the browser using both the correct URL and the illegal URL:

	curl http://localhost
	curl http://localhost/?a=%3Cscript%3E

 Simultaneously open a second terminal window to see there are three types of violations noted in the log.

 tail -f /var/log/app_protect/class_illegal_security.log
 Request ID 1035880152621768133: GET / received on 2021-06-14 16:09:55 from IP 127.0.01 had the following violations: Illegal meta character in value, Attack Signature detected, Violation Rating Thereat detected.

 Note: NGINX App Protect logs all violations that occur. Therefore, we see not only the illegal character noted but also that it detected an attack signature and there is a rating threat also detected.


Additional Resources

NGINX App Protect: Configuration Guide

NGINX: Installation and Deployment Guides

Try NGINX App Protect: 30 days free trial

Version history
Last update:
‎08-Apr-2021 08:44
Updated by:
Contributors