Using Nginx and Naxsi for Security and High Availability


July 30, 2013

Nginx is a lightweight and powerful HTTP server, reverse proxy, and mail proxy for UNIX-like systems that also works well as a High Availability (HA) front end and load balancer for a cluster of backends. Naxsi is a Web Application Firewall (WAF) module for Nginx that mitigates common web application attacks (SQL injection, XSS, RFI, directory traversal and evasion attempts) with a core set of pattern rules, and whose learning mode lets you generate whitelist rules from legitimate traffic so the application keeps working under enforcement.


This article covers a basic Nginx HA/load-balancing configuration and shows how to improve web security by putting the Naxsi Web Application Firewall (WAF) in front of the applications. Nginx, written by Igor Sysoev, is primarily a web server and reverse HTTP proxy, can also forward-proxy, and can work as a mail proxy. You can learn more about Nginx and its features at the Nginx wiki page: http://wiki.nginx.org.

Before the applications are installed, update the FreeBSD ports tree so that the latest Nginx version is built. Update Ports:
#cd /usr/ports
#portsnap fetch update

Install Nginx and Naxsi (Naxsi is built as an Nginx module; when the port's options dialog appears, enable the NAXSI option so the module is compiled in):
#cd /usr/ports/www/nginx
#make install clean

Clustering
Enabling the cluster/load-balancer feature is as simple as declaring an upstream block in the http context and referencing it from the virtual host.  Listing 1 shows a cluster configuration.

The acme upstream is referenced by the proxy_pass parameter (Listing 2), and the hosts listed in the upstream block answer requests in round-robin order.  To keep a client on the same backend, use the ip_hash parameter (Listing 3); this matters when the application stores session state locally on the backend (for example, authenticated sessions). Note that ip_hash keys on the client IP address, so clients behind a shared NAT or proxy all land on the same backend.

Priority and failover

The weight parameter defines the share of traffic each backend receives. In Listing 4, out of every six requests, three go to 192.168.0.2, two to 192.168.0.3, and one to 192.168.0.4 (depending on the Nginx version, these may be interleaved rather than sent as consecutive runs, but the proportions hold).

Failover is enabled with the max_fails and fail_timeout parameters. max_fails is the number of failed attempts to communicate with a backend, within the fail_timeout interval, after which Nginx marks that backend unavailable for the next fail_timeout period and sends requests to the remaining backends instead. To take a server out of the cluster deliberately, mark it with the down parameter (Figure 5) rather than deleting it; with ip_hash this keeps the hash distribution of the other servers stable.
So far we have configured a basic cluster/load-balancing system using Nginx. Now we will add a security layer to protect the web applications against common web attacks.
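The listings referenced above are not reproduced on this page, so here is an added example (not the author's own nginx.conf) that combines the clustering, priority and failover settings just described in one http fragment. The backend addresses follow the article; the server name, the 192.168.0.5 host marked down, the max_fails/fail_timeout values and the proxy_set_header lines are assumptions for illustration.

```nginx
# Added example: an http-context fragment (events {} and the rest of nginx.conf omitted).
http {
    upstream acme {
        # ip_hash;   # uncomment to pin each client IP to one backend (sticky sessions)

        # weight: proportional share of requests (3:2:1).
        # max_fails/fail_timeout: after 3 failures within 30s the backend is
        # considered unavailable for 30s and traffic goes to the others.
        server 192.168.0.2 weight=3 max_fails=3 fail_timeout=30s;
        server 192.168.0.3 weight=2 max_fails=3 fail_timeout=30s;
        server 192.168.0.4 weight=1 max_fails=3 fail_timeout=30s;

        # Assumed extra host, removed from rotation for maintenance while
        # keeping the upstream definition (and any ip_hash mapping) stable.
        server 192.168.0.5 down;
    }

    server {
        listen 80;
        server_name acme.example;   # assumed name

        location / {
            proxy_pass http://acme;   # references the upstream above

            # Pass the original host and client address to the backends so
            # their logs and access controls see the real client, not the proxy.
            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Reload with the configuration test first (nginx -t, then nginx -s reload); a syntax error in the upstream block would otherwise take the whole front end down, which defeats the purpose of an HA setup.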

behavior of the application to create new rules. The nx_util tool is another useful helper: it parses the Naxsi entries in the web site's error log, updates a SQLite database, generates new whitelist rules, and exports the results to the screen or to an HTML report (Listings 8-10 and Figure 2).
tail /var/log/nginx-error.log | ./nx_util.py -c /usr/local/etc/nginx/nx_util-0.3/nx_util.conf -l -i -o -H acme.html
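Since the Naxsi listings are not reproduced here, the following is an added example (not the author's configuration) of the Naxsi directives that the learning-mode workflow above revolves around: enabling the core rules, the scoring thresholds, where blocked requests are sent, and what a whitelist generated from the learning phase looks like. The core rules path, the /RequestDenied location and the whitelisted parameter name q are assumptions.

```nginx
# Added example: Naxsi wiring inside the proxy's http/server context.
http {
    # Naxsi's core signature rules (assumed install path on FreeBSD).
    include /usr/local/etc/nginx/naxsi_core.rules;

    server {
        listen 80;
        server_name acme.example;   # assumed name

        location / {
            SecRulesEnabled;            # turn Naxsi on for this location
            # LearningMode;             # uncomment while collecting whitelists:
                                        # requests are logged as if blocked, but
                                        # still forwarded to the backend.

            DeniedUrl "/RequestDenied"; # blocked requests are internally redirected here

            # Each matching core rule adds to a named score; a request is
            # blocked once a score reaches its threshold.
            CheckRule "$SQL >= 8"       BLOCK;
            CheckRule "$RFI >= 8"       BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4"     BLOCK;
            CheckRule "$XSS >= 8"       BLOCK;

            # Whitelist of the kind nx_util emits after learning: core rule 1000
            # (SQL keywords) is ignored for the GET/POST parameter "q" only,
            # because a search box legitimately receives words like "select".
            # Keep whitelists this narrow; whitelisting a rule globally
            # reopens the hole for every other parameter.
            BasicRule wl:1000 "mz:$ARGS_VAR:q";

            proxy_pass http://acme;     # the upstream from the clustering section
        }

        location /RequestDenied {
            internal;                   # not reachable directly from clients
            return 403;
        }
    }
}
```

Run in LearningMode against real traffic first, feed the resulting NAXSI_FMT lines from the error log to nx_util as shown above, review each generated whitelist before adding it, then comment out LearningMode to start blocking.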

An example of nginx.conf can be downloaded here:
http://alexos.org/files/nginx.conf.

Conclusion
Now we have a complete cluster/load-balancing system, and we have protected our web applications with Nginx and the Naxsi WAF. Remember that the proxy only balances requests: for a fully fault-tolerant system you still need to replicate the application files and databases between the backends. As this is my first article in BSD Magazine, many thanks to all for reading it!

About the Author
Alexandro Silva aka Alexos lives in Salvador, Bahia, Brasil. He is an Information Security Consultant at iBliss Segurança & Inteligência.  He has been using FreeBSD since the 4.11 release and can be reached online at http://alexos.org.

This article was re-published with the permission of BSD Magazine.  To Learn More about iXsystem’s commitment to open source check us out here:   https://www.ixsystems.com/about-ix/
