Mitigating the HTTPoxy Vulnerability with NGINX

2016-07-19 KENNETH

On July 18th, a vulnerability named ‘HTTPoxy’ was announced, affecting some server-side web applications that run in CGI or CGI-like environments, such as some FastCGI configurations. Languages known to be affected so far include PHP, Python, and Go. The vulnerability was mentioned on the NGINX mailing list in July 2013 by Jonathan Matthews. This month, it was found in the wild. A number of CVEs have been assigned, covering specific languages and CGI implementations:

CVE-2016-5385: PHP
CVE-2016-5386: Go
CVE-2016-5387: Apache HTTP Server
CVE-2016-5388: Apache Tomcat
CVE-2016-1000109: HHVM
CVE-2016-1000110: Python

There is a new website describing the vulnerability, a CERT vulnerability note, and a description of the discovery of the vulnerability. There is additional information on the personal website of Dominic Scheirlinck, an open source web developer at Vend. This post describes the vulnerability and [ more… ]

Let’s Encrypt: TLS for NGINX

2016-07-15 KENNETH

The following is adapted from a presentation given by Yan Zhu and Peter Eckersley from the Electronic Frontier Foundation (EFF) at nginx.conf 2015, held in San Francisco in September. You can watch the video of the complete talk on YouTube.

Table of Contents

0:00 Introduction
00:29 Problem #1 – TLS is Not Ubiquitous
2:10 Problem #2 – Setting up TLS
2:52 How Long Does it Take to Setup TLS?
6:30 Problem #3 – TLS Configuration is Confusing
7:01 RC4
7:58 SHA‑1
8:28 Logjam
8:48 SSL Test
9:06 Problem #4 – Mixed Content Blocking
11:06 W3C
11:45 Problem #5 – Too Many CAs
13:30 The Let’s Encrypt Mission
14:14 Let’s Encrypt
24:01 TLS and HTTPS Problem
25:30 Default Client Functionality
34:19 Let’s Encrypt NGINX
35:20 Parse Configs
35:47 Authenticator
36:28 Installer
37:28 Write Out the Config and Reload NGINX!
37:37 Let’s Encrypt NGINX Demo
39:33 Get Involved
40:13 Get in Touch

0:00 Introduction

Yan: Today, [ more… ]

NGINX + HTTPS 101: SSL Basics & Getting Started

2016-07-14 KENNETH

This post is adapted from a webinar hosted at NGINX.conf from September 22-24th by Nick Sullivan.

Table of Contents

NGINX + HTTPS 101 Overview
HTTPS
What is HTTPS?
SSL Handshake
Why Set Up HTTPS?
What Are the Downsides?
What You Need to Set Up HTTPS
Protocol Versions
Protocol Versions
A Bit of History
Client Compatibility for TLS 1.2
Client Compatibility for TLS 1.0
Configuration Options
Cipher Suites
Cipher Suites
Cipher Suites Breakdown
Server Cipher Suites
Cipher Suite Negotiation
Recommended Cipher Suites
Certificates
What is a Certificate?
What is a Trusted Certificate?
How Do I Get a Certificate?
How do I Create a CSR and Private Key?
How to Get a Free Certificate
Certificate Chain
Configuring NGINX
Configuring NGINX
NGINX Configurations Parameters
NGINX Configurations Parameters (OpenSSL)
Certificate Chain and Private key with [ more… ]

Bluestem Brands Migrates from Monolith to Microservices Efficiently with NGINX Plus

2016-07-14 KENNETH

Enabling Improved Performance and Continuous Delivery

Situation

Bluestem Brands, Inc. is the parent to 16 fast-growing e-commerce retail brands. The company offers a unique mix of retail and payment options for a diverse set of customers with a wide range of financial needs. Bluestem Brands runs a separate site for each of its brands where customers shop for apparel, shoes, gifts, home accessories, and more. Three of the Bluestem Brands sites – Fingerhut, Gettington, and Paycheck Direct – extend credit to shoppers, letting them pay for purchases over time. Shoppers log in, check the balances on their accounts, and shop. Until recently, Bluestem operated these three sites on a legacy architecture with a monolithic application for each brand. The machines that handled production traffic for the sites hosted [ more… ]

Get the Hands‑On Guide to CI/CD with Docker in this Free O’Reilly Ebook

2016-07-14 KENNETH

It’s no secret that the use of Docker and container technologies is on the rise. We recently surveyed the broad community of NGINX and NGINX Plus users and found that a full two‑thirds of organizations are investigating or already using containers in some way. Whether you’re already running contained applications in production or are still thinking about putting them on your roadmap, if you’re using the modern DevOps approach to software delivery you need to know the best practices for continuous integration and delivery (CI/CD) in Docker‑based environments. The O’Reilly book Using Docker by Adrian Mouat provides a wealth of practical guidance on incorporating Docker into your full software development lifecycle. The final stages of the lifecycle – integrating Docker into your CI/CD workflows and ultimately into your production environment – [ more… ]