

Modern applications require modern app security solutions. With the ever‑increasing pace of framework‑based app development, the growth of microservices topologies, and the ever‑changing security landscape, app security is becoming increasingly challenging for developer teams. This is where modern web application firewall (WAF) solutions step in.

F5 Essential App Protect, launched earlier this year, and NGINX App Protect both provide WAF capabilities for NGINX and NGINX Plus by focusing on signature‑based app protection and are built with DevOps and CI/CD in mind. However, they are architected, configured, and deployed in different ways, and serve different purposes depending on your organization’s needs:

  • NGINX App Protect runs on NGINX Plus and is deployed as a lightweight software package within your app infrastructure to provide advanced security protection for your apps.
  • F5 Essential App Protect is consumed as-a-Service and provisioned in the cloud regions of your choice to provide checkbox simplicity and pre‑configured protection across a number of attack vectors.

In a nutshell, NGINX App Protect runs on NGINX Plus in your app infrastructure, while Essential App Protect is a cloud service that you provision to sit between the users and your app infrastructure. Your particular application requirements dictate which is more appropriate, but a general rule of thumb is that API‑ and Kubernetes‑intensive applications that require high performance benefit from the close proximity of NGINX App Protect running on premises. Long‑tail applications and those without strict performance requirements benefit from the ease and simplicity of F5 Essential App Protect.

The focus of this post is on setting up F5 Essential App Protect as a quick and easy “bolt‑on” app security solution for teams using NGINX and NGINX Plus. Here are some of the unique benefits that make F5 Essential App Protect so powerful:

  1. Out-of-the-gate security protecting against malicious IP addresses and known bad actors, using intelligent probability‑based rating systems for detecting and mitigating malicious traffic
  2. Support for hybrid and multi‑cloud deployments across multiple app server platforms with consistent config via UI, APIs, or Ansible playbooks
  3. Traffic scrubbing, obfuscation of services and endpoints from bad actors, bandwidth reduction, and built‑in DDoS mitigation
  4. Increased agility from a SaaS delivery model and flexible pricing options offered in the AWS Marketplace or F5 Cloud Services portal
  5. Real‑time app security insights from advanced analytics and visualizations

Setting Up F5 Essential App Protect

As an example, here we use F5 Essential App Protect to protect a web app running on NGINX Plus, with no application code changes and a few minimal updates to the NGINX configuration.

Configuring F5 Essential App Protect

After subscribing to F5 Essential App Protect through the AWS Marketplace or F5 Cloud Services portal, you create an Essential App Protect instance by performing these steps, which are detailed in our documentation:

  1. Provide your application details (FQDN and name)
  2. Confirm app endpoints and region (Essential App Protect auto‑discovers app instances and suggests the AWS region closest to each deployment location)
  3. Set up SSL/TLS (add a certificate and choose to redirect traffic from HTTP to HTTPS if appropriate)
  4. Confirm the mode (blocking or monitoring) and the protection features desired (various methods of protection are offered by default, and can easily be customized once baseline protection is deployed)
  5. Update application DNS settings with a CNAME record provided by the service (to direct app traffic to the configured instance)

As soon as the DNS changes propagate, the Essential App Protect instance begins protecting the app, with any security events captured on the main Essential App Protect dashboard:

You can further analyze individual events or aggregated stats for deep insights into the types of attacks and the resources they are targeting:

Updating the NGINX Configuration

We also configure NGINX or NGINX Plus to ensure that only traffic processed by Essential App Protect reaches the application. We create an allowlist of the IP addresses used by Essential App Protect in each region from which we accept traffic, and block all other addresses.

Following best practices, we also extract the actual client IP address for each request, enable TLSv1.2, and enable keepalive connections between Essential App Protect and NGINX.

Note: To extract client IP addresses, the Real IP module must be enabled. It is enabled by default in NGINX Plus. For NGINX Open Source, you must build it into the binary by including the --with-http_realip_module parameter to the configure command.

server {
    listen 443 ssl;
    server_name www.example.com;

    # Allow traffic from eu-central-1 region
    allow 3.126.252.37;
    allow 3.127.90.102;
    allow 52.58.211.135;
    # Allow traffic from other regions, as listed in the documentation
    #...
    # Deny all other traffic
    deny all;

    # Extract real source IP address from XFF header; trust only EAP addresses
    set_real_ip_from  3.126.252.37;
    set_real_ip_from  3.127.90.102;
    set_real_ip_from  52.58.211.135;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    # Enable TLSv1.2 only (if using TLS encryption); TLSv1.2 is EAP's default
    ssl_protocols TLSv1.2;

    ssl_certificate     /etc/nginx/certs/example.com.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    location / {
        # Enable keepalive connection from EAP to NGINX
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Upstream application instance (sample address)
        set $sample_app 192.168.100.2:443;
        proxy_pass https://$sample_app;
    }
}
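As an added illustration (not code from the post or from F5), the following Python models how the Real IP directives above pick the client address from X-Forwarded-For, and checks that the allow and set_real_ip_from lists in a configuration agree. The trusted addresses are the eu-central-1 entries from the configuration; the header values and config text are constructed.

```python
import ipaddress
import re

# Essential App Protect addresses for eu-central-1, copied from the post's
# NGINX configuration (the set_real_ip_from entries).
TRUSTED_PROXIES = ["3.126.252.37", "3.127.90.102", "52.58.211.135"]


def _parse(addr):
    """Return an ip_address object, or None if addr is not a valid IP literal."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    ip = _parse(addr)
    return ip is not None and any(ip == ipaddress.ip_address(t) for t in trusted)


def resolve_real_ip(remote_addr, xff, recursive=True, trusted=TRUSTED_PROXIES):
    """Pick the client address the way the Real IP module does for X-Forwarded-For.

    The header is only consulted when the TCP peer (remote_addr) is in the
    set_real_ip_from list; otherwise the peer itself is the client. With
    real_ip_recursive off the last header address wins. With it on, nginx walks
    the header right-to-left, skipping trusted addresses, and stops at the first
    untrusted one, so a client-supplied leftmost entry is never chosen while a
    real proxy hop sits to its right. An unparseable entry leaves remote_addr.
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",")] if xff else []
    if not hops:
        return remote_addr
    chosen = remote_addr
    for hop in reversed(hops):
        if _parse(hop) is None:
            return remote_addr
        chosen = hop
        if not recursive or not is_trusted(hop, trusted):
            break
    return chosen


def allowlist_matches_trusted(config_text):
    """True when the 'allow' and 'set_real_ip_from' IPv4 lists are identical and
    non-empty; a mismatch means a proxy address is either blocked or accepted
    without its X-Forwarded-For header being trusted."""
    allowed = set(re.findall(r"^\s*allow\s+([\d.]+);", config_text, re.M))
    trusted = set(re.findall(r"^\s*set_real_ip_from\s+([\d.]+);", config_text, re.M))
    return bool(allowed) and allowed == trusted
```

The allow/deny block in the configuration is what makes this trust model hold: because only Essential App Protect addresses can connect, X-Forwarded-For is only ever consulted on connections from those proxies.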

Configuring Firewalls

You might have a number of firewalls that also filter traffic based on IP address, at various layers of your app infrastructure – app server, VM instance, cloud or hosting‑provider networking, and even hardware firewalls or routers. You also need to update these firewalls to accept traffic from F5 Essential App Protect in the relevant regions.

Conclusion

F5 Essential App Protect is the perfect solution for teams who need to move fast, are already leveraging NGINX for performance, scalability, and availability, and want to use a simple, pay-as-you-go, SaaS‑based security service to protect their apps. By packaging F5’s 20+ years of app security expertise into a DevOps‑ready service, F5 Essential App Protect gives your development teams the tools they need to stay ahead of the security threats faced by modern apps, without requiring specialized knowledge.

As a next step, why not dip your toe in the water with the F5 Essential App Protect lab, and register for a free trial to experience for yourself how quick and easy it is to secure your NGINX apps with F5 Essential App Protect?
