Using ModSecurity to Virtual Patch Apache Struts CVE-2017-5638

2018-01-23 KENNETH 0

Many security vulnerabilities are found in libraries used by application code. When it's impractical to quickly deploy a fix to code in a library, you may be able to use ModSecurity to intercept an exploit, "virtually patching" the affected code until you can upgrade the affected libraries. The Apache Struts application library vulnerability (CVE-2017-5638), which led to the breach of 143 million accounts at Equifax, is an example of an exploit that can be virtually patched. The signature of the vulnerability is the presence of #cmd= or #cmds= strings in the Content-Type, Content-Disposition, or Content-Length HTTP headers. (A more detailed explanation follows below.) Using ModSecurity, we can create a virtual patch with a simple rule that searches for the malicious strings in the affected HTTP headers:

SecRule REQUEST_HEADERS:Content-Type|REQUEST_HEADERS:Content-Length|REQUEST_HEADERS:Content-Disposition "@rx #cmds?=" "id:5638,auditlog,log,deny,status:403"

Using SecRule we specify [ more… ]

More Fun with NGINX Plus Health Checks and Docker Containers

2018-01-16 KENNETH 0

At nginx.conf 2017, I gave a presentation on this topic, which you can access as a YouTube video or a blog post that includes the PowerPoint slides and a transcription of my talk. In this blog post, I'll describe an improved version of the basic approach, then give specific, working configuration code you can use to implement it yourself.

Introduction

When running containers in a microservices environment, your service instances may be susceptible to becoming overloaded due to resource limitations, such as memory or CPU utilization. A number of strategies can be employed to address this issue; this blog post addresses using NGINX Plus active health checks as one strategy. We'll focus on three different use cases: Request-count-based. Use this method when requests to a service are so heavyweight that [ more… ]

Monitoring NGINX

2018-01-09 KENNETH 0

Setting up a monitoring tool for NGINX is an important part of maintaining website operations. Proper NGINX monitoring can reveal a lot of useful information about the underlying application performance. There are quite a few monitoring systems out there suitable for the task; the first step, however, is to enable metric collection in NGINX.

Using the stub_status Module

There's a module for NGINX called ngx_http_stub_status_module (or simply stub_status) that exposes a few important metrics about NGINX activity. To check if your NGINX build has the stub_status module, use nginx -V:

nginx -V 2>&1 | grep --color -- --with-http_stub_status_module

Our NGINX builds already include the stub_status module. Check this page for the available Linux packages. Otherwise, you have to rebuild NGINX from source, adding the parameter --with-http_stub_status_module to the configure script. As the next step, enable the stub_status module [ more… ]

NGINX Response to the Meltdown and Spectre Vulnerabilities

2018-01-06 KENNETH 0

This week, some details about security flaws in several microprocessors were publicly shared; a full disclosure is expected to follow. The flaws take several forms, and have been named Meltdown and Spectre. You can find more information about the scope of both Meltdown and Spectre here: https://meltdownattack.com/ A process (application) running on a server can use these flaws to access the protected memory used by other processes. The bugs can be exploited between processes and across containers, and even in some cloud and virtual environments. Like all other processes, NGINX memory is vulnerable to snooping from another process running on the same host. For servers you control, NGINX strongly recommends that you apply the appropriate OS patches to protect against this. For cloud providers, and other platform providers that you use, we [ more… ]

Unit 0.3 Beta Release Available Now

2018-01-02 KENNETH 0

On Dec 28th, we released the third beta version of NGINX Unit, the new dynamic web and application server. In this blog post, we will review and discuss the latest changes in detail. If you have Unit 0.2 installed from our package repositories, upgrade using your package manager. If you are performing a fresh installation, see the installation documentation for details: https://unit.nginx.org/installation/. (We now provide pre-built packages for more operating systems.)

HTTP Keep-Alive

HTTP persistent connections, or HTTP keep-alive, is the technology used to keep TCP connections open between requests. This reduces latency and improves the performance of the website. NGINX Unit now uses keep-alive connections by default. You don't have to configure anything on the Unit side to have this enabled. Keep-alive functionality is managed by the HTTP headers Connection and Keep-Alive. [ more… ]