Announcing NGINX Plus R24
©2021 F5
Today’s hosts
Liam Crilly 🇬🇧
• Sr Director, Product Management, NGINX
• @liamcrilly
Timo Stark 🇩🇪
• Product Management Engineer, NGINX
• @linux_lenny
Agenda
1. Understanding the application landscape—challenges and trends
2. The solutions can help you face these challenges head on
3. Diving deep into the new release—features and functionality
4. Demo time!
5. Q & A
Every organization is in the application business
APPLICATIONS ARE ESSENTIAL FOR JUST ABOUT EVERY ORGANIZATION—INCLUDING YOURS
98%: Organizations report applications are essential or critical to their business
Digital transformation is changing app & IT processes
LARGEST Y/Y GROWTH IN MODERNIZING APPLICATIONS
[Chart: How digital transformation is influencing application decisions, 2020 vs. 2021. Categories: Modernizing applications; Implementing automation and orchestration; Changing how we develop applications.]
Q: How is digital transformation influencing your application decisions? Select all that apply
Source: F5 2021 State of Application Strategy Report [n=1948]
More information and insights available in the 2021 State of Application Strategy Report
Get your free copy of the 2021 State of Application Strategy Report by heading to https://www.f5.com/state-of-application-strategy-report#report
You can also look back on six years of research in the archive!
Most Secure Proxy
Secure | Resilient | Scale
• FIPS-Compliance: Verifiable FIPS mode for audit-friendly TLS
• WAF Options: Stop SQL injection, LFI, RFI, and many L7 attacks
• Active Health Checks: Detect and work around a much wider variety of problems
• Supported High Availability: Avoid single points of failure on-prem and in clouds
• Real-Time Monitoring: Create live dashboards and connect to NGINX/3rd-party tools
• DNS-Based Service Discovery: Automate discovery and load balancing of new servers
• Key-Value Store: Dynamically control traffic flow through RESTful API
• Clustering: Share runtime state across multiple instances
• Encrypted JWT Authentication: OpenID Connect and OAuth token validation
Ensure resiliency
Secure | Resilient | Scale
• FIPS-Compliance: Verifiable FIPS mode for audit-friendly TLS
• WAF Options: Stop SQL injection, LFI, RFI, and almost any L7 attack
• Active Health Checks: Improve reliability by routing traffic away from failed servers to operational ones
• Supported High Availability: Eliminate single points of failure on-prem and in clouds
• Real-Time Monitoring: Create live dashboards and connect to NGINX/3rd-party tools
• DNS-Based Service Discovery: Automate discovery and load balancing of new servers
• Key-Value Store: Dynamically control traffic flow through RESTful API
• Clustering: Share runtime state across multiple instances
• JWT Authentication: OpenID Connect and OAuth token validation
Achieve scale
Secure | Strengthen | Scale
• JWT Authentication: OpenID Connect and OAuth token validation
• FIPS-Compliance: Verifiable FIPS mode for audit-friendly TLS
• WAF Options: Stop SQL injection, LFI, RFI, and almost any L7 attack
• Active Health Checks: Detect and work around a much wider variety of problems
• Supported High Availability: Avoid single points of failure on-prem and in clouds
• Real-Time Monitoring: Create live dashboards and connect to NGINX/3rd-party tools
• DNS-Based Service Discovery: Automate discovery and load balancing of new servers
• Key-Value Store: Dynamically control traffic flow through RESTful API
• Clustering: Share runtime state across multiple instances
NGINX Plus R24 – Released 27-Apr-2021
WHAT’S IN THE RELEASE
NGINX Plus R24 extends the NGINX Plus product and opens additional use cases. The release can be categorized in two main ways:
• Introduces new features and functionality
• Matures and improves NGINX JavaScript module
New features and functionality
Encrypted JSON Web Token support
• Builds on JSON Web Tokens for transaction authentication
• Provides confidentiality and data integrity of sensitive info
• Solves challenges associated with signed tokens (JWS)
• Encrypted tokens (JWE) encode PII contained in the JWT claim set without risk of data leak
F5 Device ID+ integration
• Strengthens security via accurate device identification
• Facilitates understanding customer behavior and identifying anomalies
• Enhances security by sending device identifiers to SIEM systems
• Improves UX and reduces friction for returning visitors
• Free for NGINX Plus customers
Health check status persistence
• Solves the issue of NGINX Plus rejecting client requests until passing a health check upon reload
• Extremely valuable for highly dynamic environments
• Builds on mandatory health checks
• Enables marking mandatory health checks as “persistent”
The challenges with signed-only JWT (JWS)
SENSITIVE DATA CROSSING TRUST BOUNDARIES
[Diagram: User / Browser, NGINX Plus Proxy, Key-Value Store, Identity Provider, Backend]
Cookie: auth_token=requestID httpOnly Secure
Callout: Do not share sensitive data from the Token or the whole token with the Frontend! Leave the sensitive data with me! Will take care of it in my key-value store and send it just to the backend!
Introducing encrypted JWT (JWE)
PROTECTING SENSITIVE DATA AT THE CLIENT
[Diagram: User / App, NGINX Plus Proxy, Identity Provider / Auth-Service, Backend; "AES-Key" is labelled at two points]
• Authenticates against an internal Auth-Service!
• Encrypted JWE sent to the device!
• Decrypt with symmetric key (shared with the Auth-Service) and validate the token.
• Share the JWE with Backend-Services for further investigation.
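What the two slides above contrast, as an added example that is not from the webinar: a signed JWT (JWS) leaves its claims readable by anyone holding the token, while a JWE can only be opened with the shared AES key. The `dir`/`A256GCM` algorithm choice, the claim values and all function names are assumptions of this example; it runs under Node.js.

```javascript
const crypto = require('crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');
const claims = { sub: 'user-1001', email: 'alice@example.test' }; // constructed sample

// JWS (HS256): the payload is only base64url-encoded, so the client,
// browser storage and any log that captures the token can read it.
function signJws(payload, key) {
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', key).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64u(sig)}`;
}

// JWE compact form (RFC 7516) with alg=dir, enc=A256GCM:
// header . (empty encrypted key) . iv . ciphertext . tag
function encryptJwe(payload, key) {
  const head = b64u(JSON.stringify({ alg: 'dir', enc: 'A256GCM' }));
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(head, 'ascii')); // the header is authenticated, not encrypted
  const ct = Buffer.concat([c.update(JSON.stringify(payload), 'utf8'), c.final()]);
  return [head, '', b64u(iv), b64u(ct), b64u(c.getAuthTag())].join('.');
}

// The proxy side: decrypt with the key shared with the auth service.
function decryptJwe(token, key) {
  const parts = token.split('.');
  if (parts.length !== 5) throw new Error('not a compact JWE');
  const [head, ek, iv, ct, tag] = parts;
  const hdr = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
  if (hdr.alg !== 'dir' || hdr.enc !== 'A256GCM' || ek !== '') {
    throw new Error('unsupported JWE header');
  }
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64url'));
  d.setAAD(Buffer.from(head, 'ascii'));
  d.setAuthTag(Buffer.from(tag, 'base64url'));
  const pt = Buffer.concat([d.update(Buffer.from(ct, 'base64url')), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Everything a token holder can decode without any key.
function clientVisible(token) {
  return token.split('.')
    .map((p) => Buffer.from(p, 'base64url').toString('latin1'))
    .join('|');
}
```

`d.final()` throws when the key is wrong or any part of the token was modified, which is the "validate the token" half of the step on the slide.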
What is the NGINX JavaScript Module (njs)?
EXTEND NGINX FOR HIGHLY CUSTOMIZED AND SOPHISTICATED IMPLEMENTATIONS
• Leverages a unique JavaScript implementation for NGINX and NGINX Plus
• Fits within NGINX request processing architecture
• Helps with server-side use cases and per-request processing
• Designed for quick initialization and disposal (no GC)
• Offers freedom to prioritize language support for server-side use cases and ignore what’s not needed
• Works with both HTTP and TCP/UDP app-layer protocols
• Supports many powerful use cases including:
o Generating custom log formats not available with standard NGINX variables
o Modifying responses from proxied servers
o Building custom authentication schemes (like OAuth 2.0 introspection on client requests)
o Parsing TCP/UDP protocols for app-level sticky sessions
For more information on njs—including how to get started—head to the NGINX blog
Maturation of NGINX JavaScript module (njs)
TWO IMPORTANT R24 ENHANCEMENTS THAT MAKE IT POSSIBLE TO FURTHER EXTEND NGINX PLUS:
Response filtering for API GWs and reverse proxies
• Intercepts responses from upstream servers and replaces strings in response body and headers
• Uses JS to inspect and modify body of response and can scan for complex patterns, transform data formats, and insert dynamic content into responses
• Uses JS to examine (and intercept and modify) contents of response header
• Introduces a separate implementation of response filtering with two new directives: js_body_filter and js_header_filter
HTTP services for TCP/UDP via embedded HTTP client
• Answers authentication challenges associated with modern APIs that use TCP/UDP as underlying protocol
• Enables use of HTTP-based authentication for access control in the stream context
• Leverages built-in njs ngx.fetch function to instantiate simple HTTP client within TCP/UDP connection
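A response filter of the kind described above, as an added example rather than code from NGINX or the webinar: it masks SSN-shaped values in proxied response bodies, including values split across two chunks. The pattern, mask, module path and function names are assumptions; `simulate` is an offline stand-in for NGINX so the logic can be run under Node.js.

```javascript
// Filters written to the njs calling convention for js_header_filter and
// js_body_filter. Assumed wiring (file path, module name, location are hypothetical):
//   js_import redact from conf.d/redact.js;  # file ends: export default {dropLength, maskBody};
//   location /api/ {
//       proxy_pass http://backend;
//       js_header_filter redact.dropLength;
//       js_body_filter   redact.maskBody;
//   }
var SSN = /\d{3}-\d{2}-\d{4}/g; // constructed pattern: SSN-shaped digit groups
var MASK = '[REDACTED]';
var HOLD = 10;                  // a match is 11 chars, so an unfinished one fits in 10
var tail = '';                  // assumes njs's per-request VM, making this per-request state

// Header filter: the body length will change, so the upstream
// Content-Length must not be forwarded.
function dropLength(r) {
  delete r.headersOut['Content-Length'];
}

// Body filter: called once per chunk. The last HOLD characters are held
// back so a value split across two chunks is still matched as a whole.
function maskBody(r, data, flags) {
  var buf = (tail + data).replace(SSN, MASK);
  var keep = flags.last ? 0 : Math.min(HOLD, buf.length);
  tail = buf.slice(buf.length - keep);
  var out = buf.slice(0, buf.length - keep);
  if (out.length > 0 || flags.last) {
    r.sendBuffer(out, flags);
  }
}

// Offline stand-in for NGINX: feeds chunks to the filters, returns what was sent.
function simulate(chunks) {
  var sent = [];
  var r = {
    headersOut: { 'Content-Length': '41' },
    sendBuffer: function (d) { sent.push(d); }
  };
  dropLength(r);
  chunks.forEach(function (c, i) {
    maskBody(r, c, { last: i === chunks.length - 1 });
  });
  return { body: sent.join(''), headers: r.headersOut };
}
```

The pattern has no word-boundary anchors, so it also masks SSN-shaped runs inside longer digit strings; for a redaction filter that errs on the side of masking.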
Next steps
CHECK OUT THESE NGINX PLUS RESOURCES!
R24 release blog
https://www.nginx.com/blog/nginx-plus-r24-released/
NGINX Plus product page
https://www.nginx.com/products/nginx/
Free trial of NGINX Plus
https://www.nginx.com/free-trial-request/