Web Server Load Balancing with NGINX Plus

[Editor – The NGINX ModSecurity WAF module for NGINX Plus officially went End-of-Sale as of April 1, 2022 and is transitioning to End-of-Life effective March 31, 2024. For more details, see F5 NGINX ModSecurity WAF Is Transitioning to End-of-Life on our blog.]

Overview

m.a.x. Informationstechnologie AG (m.a.x. IT) is a well‑established IT solution partner and managed service provider based in Munich, Germany. Since 1989, m.a.x. IT has supported medium‑sized and large companies with solutions for IT infrastructure and software development. These solutions enable their clients to maintain competitiveness as well as optimize their IT spend.

Challenge

As a managed service provider hosting critical applications for many enterprises, m.a.x. IT cannot compromise on reliability, availability, and security. They were using Apache HTTP Server as a reverse proxy, but it had limited security capabilities. Upgrading security became the topmost priority in order to address their clients’ concerns. m.a.x. IT wanted to implement virtual patching – a rapid way to address newly discovered vulnerabilities – and needed a more stable solution that handled upstream server failures gracefully. Last but not least, m.a.x. IT wanted a nimble solution that enabled it to perform operational tasks, such as making configuration changes and troubleshooting, faster. In sum, m.a.x. IT wanted to undertake a complete overhaul of its existing infrastructure to improve reliability and operational agility and achieve high security.

Solution

m.a.x. IT considered many other vendors and settled on NGINX Plus. The reason? NGINX Plus is the only solution that met all its needs. Simplicity and ease of use during the installation and configuration phases were very beneficial. m.a.x. IT achieved robust security with NGINX ModSecurity WAF, which can use ModSecurity commercial rules. m.a.x. IT was also able to apply password and IP range restrictions on specific web paths.

To improve performance on the backend, m.a.x. IT uses NGINX Plus to offload SSL/TLS processing in both directions.

From an operational standpoint, m.a.x. IT has implemented NGINX Plus' active health checks, resulting in improved availability as any upstream server failure is automatically detected and load is spread out across the remaining servers by NGINX Plus. m.a.x. IT also takes advantage of the Least Time load‑balancing algorithm exclusive to NGINX Plus. With this method, NGINX Plus selects the upstream server with the lowest average latency and lowest number of active connections, thereby maximizing performance of web applications. Dynamic reconfiguration using the NGINX Plus API allows m.a.x. IT to update upstream configuration without causing any downtime for their customers. NGINX Plus’ live activity monitoring provides critical insights into the health and performance of applications.

We tried to honestly consider other solutions. They all lost because of NGINX’s ease of use, its simplicity and cleanliness of installation and configuration, on‑the‑fly reconfiguration of upstream nodes via a web GUI, and overall stable and professional feel of the complete setup.
– Patrick Bestek, IT Security Manager at m.a.x. IT

Results

Comprehensive Security with NGINX ModSecurity WAF

With NGINX ModSecurity WAF, m.a.x. IT can detect and prevent a wide range of Layer 7 attacks including SQL injection (SQLi), cross‑site scripting (XSS), and Local File Include (LFI), which together account for over 90% of known Layer 7 attacks. It can also maintain detailed logs about all transactions, including requests, responses, and visibility into which rules were activated. These capabilities helped the m.a.x. IT team to meet customer requirements and thereby retain their business.

Improved Reliability and Availability

m.a.x. IT achieves higher reliability with live activity monitoring. It is easier and faster to detect and resolve issues than with Apache HTTP Server.

According to Patrick, “Apache 2 needed more restarts than NGINX Plus when making changes to the configuration or loading new modules. The live activity monitoring capability available from the web GUI [NGINX Plus dashboard] monitors the health of any upstream server. It allows us to quickly remove any unhealthy servers. We are able to spot problems sooner compared to Apache 2.”

Active health checks and the ability to execute configuration changes without any downtime help improve availability. Furthermore, it is very easy to make configuration changes using NGINX Plus’ dynamic reconfiguration capability – there’s no steep learning curve.

“Due to the clear and simple setup of NGINX Plus with [NGINX ModSecurity] WAF, configuration changes and maintenance, such as exceptions to specific rules of ModSecurity or rewriting of URLs, can take place in a faster manner compared to Apache 2. This is especially beneficial if the system administrator maintaining the configuration does so only infrequently – it’s very easy to get back into it and find one’s way again,” says Patrick.

Improved Operational Agility

Ease of use as well as the ability to make rapid configuration changes using the NGINX Plus API helps m.a.x. IT to reduce time, effort, and costs. They are able to deploy new applications faster – and this keeps their customers happy and helps them to attract new customers and stand out from the competition.

About m.a.x. IT

m.a.x. Informationstechnologie AG (m.a.x. IT) is an interdisciplinary IT solution partner based in Munich, Germany. Founded in 1989, m.a.x. IT supports medium‑sized and large companies with solutions for IT infrastructure, software development and partial or complete outsourcing of corporate IT. As a managed services provider, m.a.x. IT provides support for clients, servers, networks, platforms and security in the context of individual service contracts.

Challenges

Needed a reliable load balancer with robust security capabilities.


Overview

m.a.x. IT is an IT service provider.


Headquarters
Munich, Germany
Founded in 1989