The document summarizes Kevin Jones' presentation on securing containerized applications with NGINX. It discusses the benefits of using a reverse proxy for security, NGINX best practices for TLS configuration, and deploying NGINX in Docker containers. It also provides code examples and configurations for setting up NGINX as a reverse proxy, optimizing TLS, and using NGINX as a sidecar proxy.
5. A Reverse Proxy can…
● Restrict Access to Specific URLs
● Intercept Response Headers from Upstream Servers
● Control Request Methods
● Control Domain Level Access
● Provide a Layer of Façade URLs for Routing to Microservices
● Rewrite URLs for Backwards Compatibility
● API Version Control / Testing (A/B)
6. [Diagram: a Reverse Proxy / Gateway in front of three services. Service A is the Login Service (/login, :32706), Service B the Inventory Service (/inventory, :32717) and Service C the Partner API (/api/beta, :32724). api.example.com (*:80) exposes /api/v2/login, /api/v1/inventory and /admin/; partner.example.com (*:80) exposes /api/v1, with the request methods GET, PUT and PATCH shown arriving at the gateway.]
7. [Same diagram as slide 6, annotated with the NGINX directives that implement each part of the gateway.]
NGINX Directives: server_name, listen, location, limit_except, proxy_pass, upstream, map, if
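An added example (not from the talk) showing how the directives just listed build the gateway on the slide: the service ports come from the diagram, while the internal admin network and the X-API-Version header used for A/B routing are assumptions.

```nginx
# Added example (not from the talk): the gateway on the slide built with the
# directives listed above. Ports are from the diagram; the admin network and
# the X-API-Version header are assumptions.
upstream login     { server 127.0.0.1:32706; }
upstream inventory { server 127.0.0.1:32717; }
upstream partner   { server 127.0.0.1:32724; }

# API version control / A/B: pick the login backend from a request header
# (map evaluates once per request and avoids the pitfalls of "if")
map $http_x_api_version $login_backend {
    default login;
    beta    partner;
}

# Domain level access: requests for hostnames we don't serve are dropped
server {
    listen 80 default_server;
    return 444;
}

server {
    listen 80;
    server_name api.example.com;
    proxy_hide_header X-Powered-By;   # don't leak the upstream stack
    # Facade URL: /api/v2/login is really the Login Service's /login
    location /api/v2/login {
        proxy_pass http://$login_backend/login;
    }
    # Backwards compatibility: keep the old public path, route to the service
    location /api/v1/inventory {
        proxy_pass http://inventory/inventory;
    }
    # Restrict a specific URL to the internal network
    location /admin/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://inventory;
    }
}

server {
    listen 80;
    server_name partner.example.com;
    # Control request methods: partners get read-only access (GET/HEAD)
    location /api/v1 {
        limit_except GET { deny all; }
        proxy_pass http://partner/api/beta;
    }
}
```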
9. Complexities of TLS
● SSL/TLS Protocols
● Ciphers
● Sessions
● Certificate and Key Management
● OCSP
● Performance Degradation
● Security Vulnerabilities and Patching
RSA, DH, ECDH, SRP, PSK??!
10. Let's Encrypt
[Diagram: Cron (Certbot) → NGINX API]
● A Cron process can update certificates and keys
● The certificates and keys can be stored on disk or in memory depending on security requirements
● If you are using NGINX, certificates and keys can be loaded from disk on demand (lazy load)
● If using NGINX Plus, your certificates and keys can be stored in the NGINX Plus key-value database
12. Authentication and Authorization
● Offload credential validation
● Intercept unauthenticated requests
● Support integration with an IDP or other authentication flows
● Support multi factor requirements
● Once that client is validated, authorization provides policy enforcement on specific HTTP access
13. GET w/ JSON Web Token
[Diagram: the client sends a GET carrying a JSON Web Token; the proxy validates it against a JSON Web Key]
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload (decoded from the token below)
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.N3Hb-h4CdvYDpm6iT-kQVAXt_q2vBnnZ-BDLfOPrd18
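An added example (not from the talk) of offloading the token check shown above to the proxy with the NGINX Plus auth_jwt module; the JWK file path, its contents and the upstream names are assumptions.

```nginx
# Added example (not from the talk): validating the Bearer JWT at the proxy
# with NGINX Plus auth_jwt. For HS256 the JWK file holds the base64url form
# of the same shared secret the Login Service signs with (assumed path):
#   /etc/nginx/api_secret.jwk
#   {"keys":[{"kty":"oct","kid":"0001","k":"<base64url HMAC secret>"}]}
server {
    listen 80;
    server_name api.example.com;

    # Public: this is where clients obtain a token in the first place
    location /api/v2/login {
        proxy_pass http://login:80/login;
    }

    location /api/ {
        # Intercept unauthenticated requests: the token is read from the
        # Authorization: Bearer header, its signature checked against the
        # JWK set, and exp/nbf enforced. Failures get a 401 from NGINX and
        # never reach the application.
        auth_jwt "API";
        auth_jwt_key_file /etc/nginx/api_secret.jwk;

        # Authorization: hand the validated subject to the service as a
        # header and strip the raw token, so the app never parses a JWT
        proxy_set_header X-Subject $jwt_claim_sub;
        proxy_set_header Authorization "";
        proxy_pass http://inventory:80;
    }
}
```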
18. Generate stronger DH parameters
• This will take a while, be patient
• For highest security, it is recommended to use a bit length of 4096
CODE EDITOR
$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
20. Enable HTTP Strict Transport Security
• Informs browsers to always interact with your site over HTTPS
• This will protect your site against various attacks such as downgrade attacks and possible cookie hijacking
CODE EDITOR
server {
    # HTTP STS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
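An added example (not from the talk) that ties together the "Complexities of TLS" items, the DH parameters generated on slide 18 and the HSTS header above in one server block; the Let's Encrypt certificate paths, the public resolvers and the "login" upstream are assumptions.

```nginx
# Added example (not from the talk): a hardened TLS server block for
# api.example.com. Certificate paths are Let's Encrypt defaults (assumed).
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;

    # Protocols and ciphers: TLS 1.2+ only, forward-secret AEAD suites only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # DH parameters for the DHE suites (the file from the dhparam slide).
    # 4096-bit DHE handshakes are CPU heavy, which is the "performance
    # degradation" trade-off; the ECDHE suites are listed first for that reason.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Sessions: shared server-side cache; tickets stay off unless the ticket
    # key is rotated, since a leaked ticket key undoes forward secrecy
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: NGINX fetches and caches the responder's answer so
    # clients don't make their own OCSP call (resolver needed for the fetch)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/api.example.com/chain.pem;
    resolver 1.1.1.1 8.8.8.8 valid=300s;   # assumed public resolvers
    resolver_timeout 5s;

    # HSTS (from the slide above)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        proxy_pass http://login:80;
    }
}

# Plain HTTP only redirects, so the first visit is upgraded and HSTS sticks
server {
    listen 80;
    server_name api.example.com;
    return 301 https://$host$request_uri;
}
```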
23. [Diagram: the gateway from slide 6 after enabling TLS. api.example.com now listens on *:80 / *:443 and still routes /api/v2/login, /api/v1/inventory and /admin/; partner.example.com listens on :443 only and exposes /api/v1. The Login Service (:32706), Inventory Service (:32717) and Partner API (:32724) are unchanged behind the Reverse Proxy / Gateway.]
24. Configure NGINX with Docker Compose
• Configure services you want to communicate through NGINX using "expose"
• Link your services together with the "links" option
• Then publish your NGINX service using the "ports" mapping
CODE EDITOR
nginx:
  build: ./nginx
  container_name: nginx
  restart: always
  links:
    - login
  ports:
    - "80:80"
  volumes:
    - ./etc/nginx/conf.d/server.conf:/etc/nginx/conf.d/server.conf
login:
  build: ./login
  container_name: login
  restart: always
  expose:
    - "80"
25. NGINX Configuration
CODE EDITOR
user nginx;
events {
    worker_connections 1024;
}
http {
    server {
        listen 80;
        location /login {
            proxy_pass http://login:80;
        }
    }
}
Use the proxy_pass directive to configure NGINX to resolve the embedded Docker DNS server; this will support any scaling of your services while using Docker Compose
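An added example (not from the talk) of the practitioner's caveat to the point above: with a literal hostname in proxy_pass NGINX resolves "login" once at startup, so scaled replicas are only picked up if the name is re-resolved at runtime through Docker's embedded DNS. The service name "login" is from the Compose file; the 10 s TTL override is an assumption.

```nginx
# Added example (not from the talk): make proxy_pass re-resolve the Compose
# service name through Docker's embedded DNS (127.0.0.11), so
# "docker-compose up --scale login=3" is used without an NGINX reload.
user nginx;
events { worker_connections 1024; }

http {
    # Docker's embedded DNS server; valid= overrides the record TTL (assumed 10s)
    resolver 127.0.0.11 valid=10s ipv6=off;

    server {
        listen 80;

        location /login {
            # A variable in proxy_pass forces a runtime lookup (cached for
            # valid=10s) instead of a one-time resolution at startup, so the
            # A records of newly scaled replicas are included
            set $login_upstream login;
            proxy_pass http://$login_upstream:80;

            # Forward the client facts the service loses behind a proxy
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```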
26. Sidecar Proxy
[Diagram: left, one Reverse Proxy per hostname in front of the Login Service (login.example.com), Inventory Service (inventory.example.com) and Partner API (partner.example.com); right, the same services each with an NGINX Sidecar Proxy inside the container and the application listening on localhost: Login Service 127.0.0.1:9001 (login.example.com), Inventory Service 127.0.0.1:7001 (inventory.example.com), Partner API 127.0.0.1:5001 (partner.example.com).]
Deploying NGINX as a Sidecar Proxy provides the ability to optimize TLS, standardize on HTTP protocol behavior and offload functionality that is already designed into NGINX without the need of developing it as code, such as authentication and authorization
27. Sidecar Proxy
• Using proxy_pass you can route requests to your application listening on localhost within the container
CODE EDITOR
http {
    server {
        listen 80;
        server_name partner.example.com;
        location /api/v2 {
            proxy_pass http://127.0.0.1:5001;
        }
    }
}
[Diagram: Partner API at 127.0.0.1:5001 behind the partner.example.com Sidecar Proxy]
28. Thank you for watching!
Visit https://swag-nginx.com
Use code: DOCKERCON30
For 30% off!
Questions?
kevin@nginx.com