How to deploy NGINX App Protect as an Overlay Security Protection Solution for Your Existing API Management Platform
Solution Overview
NGINX App Protect combines the proven effectiveness of F5's Advanced WAF technology with the agility and performance of NGINX Plus. It runs natively on NGINX Plus and addresses some of the most difficult challenges facing modern DevOps environments.
NGINX App Protect, when deployed as an overlay security solution to complement your third-party API Management platforms such as MuleSoft, Kong, Google’s Apigee, and others, provides:
- Seamlessly integrates with NGINX Plus and NGINX Ingress Controller
- Strong security controls to protect against malicious attacks
- Reduces complexity and tool sprawl while delivering modern apps
- Enforces security and regulatory requirements.
With NGINX App Protect, you can detect and defend against OWASP App Security's Top Ten attack types like data exfiltration, malicious infections inputs, and many others.
Figure: NGINX App Protect as an overlay security protection solution for your existing API Management Platform
Solution Deployment
This solution deployment procedure assumes that you have an understanding of the NGINX+ platform. If you like to learn more about NGINX, click this link.
Install NGINX App Protect
Install the most recent version of the NGINX Plus App Protect package (which includes NGINX Plus):
sudo yum install -y app-protect
Edit the NGINX configuration file and enable the NGINX App Protect module.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
load_module modules/ngx_http_app_protect_module.so;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
server {
listen 80;
server_name localhost;
proxy_http_version 1.1;
app_protect_enable on;
app_protect_policy_file "/etc/nginx/NginxDefaultPolicy.json";
app_protect_security_log_enable on;
app_protect_security_log "/etc/nginx/log-default.json" syslog:server=10.1.20.6:5144;
location / {
resolver 10.1.1.9;
resolver_timeout 5s;
client_max_body_size 0;
default_type text/html;
proxy_pass http://k8s.arcadia-finance.io:30274$request_uri;
}
}
}
Create a Log Configuration
Create a log configuration file log_default.json
sudo vi log-default.json
{
"filter": {
"request_type": "all"
},
"content": {
"format": "default",
"max_request_size": "any",
"max_message_size": "5k"
}
}
Restart the NGINX Service
Restart the NGINX service and check the logs.
sudo systemctl start nginx less /var/log/nginx/error.log
Update Signatures
To add NGINX Plus App Protect signatures repository, download and update the signature package.
sudo yum install -y app-protect-attack-signatures sudo yum --showduplicates list app-protect-attack-signatures sudo yum install -y app-protect-attack-signatures-2020.04.30
Reload NGINX process to apply the new signatures.
sudo nginx -s reload
Advanced features
NGINX App Protect supports various advanced security features like Bot Protection, Cryptonice integration, API Security with OpenAPI file import. Let's look at how to deploy Bot Protection in this example.
Create a new NAP policy JSON file with Bot
sudo vi /etc/nginx/policy_bots.json
{
"policy": {
"name": "bot_defense_policy",
"template": {
"name": "POLICY_TEMPLATE_NGINX_BASE"
},
"applicationLanguage": "utf-8",
"enforcementMode": "blocking",
"bot-defense": {
"settings": {
"isEnabled": true
},
"mitigations": {
"classes": [
{
"name": "trusted-bot",
"action": "alarm"
},
{
"name": "untrusted-bot",
"action": "block"
},
{
"name": "malicious-bot",
"action": "block"
}
]
}
}
}
Modify the nginx.conf file to reference this new policy JSON file.
sudo vi /etc/nginx/nginx.conf
user nginx;
worker_processes 1;
load_module modules/ngx_http_app_protect_module.so;
error_log /var/log/nginx/error.log debug;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
proxy_http_version 1.1;
app_protect_enable on;
app_protect_policy_file "/etc/nginx/policy_bots.json";
app_protect_security_log_enable on;
app_protect_security_log "/etc/nginx/app-protect-log-policy.json" syslog:server=10.1.20.6:5144;
location / {
resolver 10.1.1.9;
resolver_timeout 5s;
client_max_body_size 0;
default_type text/html;
proxy_pass http://k8s.arcadia-finance.io:30274$request_uri;
}
}
}
Verification
We will verify the NGINX App Protect deployment for illegal requests in the below example.
Test with curl and with the browser using both the correct URL and the illegal URL:
curl http://localhost curl http://localhost/?a=%3Cscript%3E
Simultaneously open a second terminal window to see there are three types of violations noted in the log.
tail -f /var/log/app_protect/class_illegal_security.log Request ID 1035880152621768133: GET / received on 2021-06-14 16:09:55 from IP 127.0.01 had the following violations: Illegal meta character in value, Attack Signature detected, Violation Rating Thereat detected.
Note: NGINX App Protect logs all violations that occur. Therefore, we see not only the illegal character noted but also that it detected an attack signature and there is a rating threat also detected.
Additional Resources
NGINX App Protect: Configuration Guide
NGINX: Installation and Deployment Guides
Try NGINX App Protect: 30 days free trial