This is the second blog post in our series on deploying NGINX Plus as an API gateway. Part 1 provides detailed configuration instructions for several use cases. This post extends those use cases and looks at a range of safeguards that can be applied to protect and secure backend API services in production: Rate Limiting Enforcing Specific…
Continue reading ›PCI DSS Best Practices with NGINX Plus
The Payment Card Industry (PCI) Data Security Standard (DSS), or PCI DSS, is a certification standard for protecting consumer's credit card numbers and other personal data. It's easy to implement PCI DSS best practices with NGINX Plus. This blog post tells you how. Moving from SSL to the Latest Version of TLS Secure Sockets Layer (SSL) is dead,…
Continue reading ›Trust No One: The Perils of Trusting User Input
Occasionally, we like to highlight interesting or significant security issues that users of NGINX Open Source and NGINX Plus might encounter. Application stacks are complex and it’s very easy to overlook obscure or unexpected ways that common features can be exploited. NGINX and NGINX Plus are a powerful way to both provide access to these features and…
Continue reading ›NGINX Response to the Meltdown and Spectre Vulnerabilities
This week, some details about security flaws in several microprocessors were publicly shared; a full disclosure is expected to follow. The flaws take several forms, and have been named Meltdown and Spectre. You can find more information about the scope of both Meltdown and Spectre at https://meltdownattack.com. A process (application) running on a server can…
Continue reading ›Top 5 NGINX Blog Posts for 2017 – R12, Microservices, & More
neophile (n): an enthusiast for what is new or novel What was most popular in the NGINX blog this year? Looking at our top blog posts, we see that new NGINX Plus releases, microservices, security, and load balancing are all big hits, along with the NGINX Application Platform. 1. NGINX Plus R12 The NGINX Plus R12 release was…
Continue reading ›ModSecurity: Logging and Debugging
[ngx_snippet name='table-style-blog'] "ModSecurity will help you sleep better at night because, above all, it solves the visibility problem: it lets you see your web traffic." — Ivan Ristić, creator of ModSecurity When something is not working as you expect it to, logs are always the first place to look. Good logs can provide valuable insights to…
Continue reading ›Dynamic IP Blacklisting with NGINX Plus and fail2ban
Photo: Arnold Reinhold – Own work, CC BY‑SA 3.0 You may not realize it, but your website is under constant threat. If it’s running Wordpress, there will be bots trying to spam you. If it has a login page, there will be brute‑force password attacks. You may also consider search engine spiders…
Continue reading ›Announcing NGINX Plus R13
We’re pleased to announce that NGINX Plus Release 13 (R13) is now available as a free upgrade to all NGINX Plus subscribers. NGINX Plus is a combined web server, load balancer, and content cache built on top of the open source NGINX software. NGINX Plus R13 includes new features focused on dynamic deployments, enhanced debugging capabilities, and improved security…
Continue reading ›Compiling and Installing ModSecurity for NGINX Open Source
[blockquote author="Ivan Ristić, creator of ModSecurity"]Web applications – yours, mine, everyone’s – are terribly insecure on average. We struggle to keep up with the security issues and need any help we can get to secure them. We all want to create secure applications that will never be breached. But the almost weekly news of a high‑profile…
Continue reading ›Web Application Security
This post is adapted from a presentation delivered at nginx.conf 2016 by Tyler Shields of Signal Sciences. You can view a recording of the presentation on the NGINX, Inc. channel on YouTube. Table of Contents 0:00 Introduction 0:17 Acronym Soup A 1:00 Acronym Soup: WAF, SAST, DAST, IAST, RASP 1:48 Annual Pedants Conference 2:13 Definition of Terms: WAF 3:14…
Continue reading ›