
Securing Your Containerized Applications with NGINX

Kevin Jones, NGINX -
NGINX is one of the most popular images on Docker Hub and has been at the forefront of the web since the early 2000s. In this talk we discuss how and why NGINX's lightweight and powerful architecture makes it a popular choice for securing containerized applications as a sidecar reverse proxy inside the container. We highlight the aspects of application security that NGINX can take off the application's hands: TLS, HTTP hygiene, AuthN, AuthZ and traffic control.

1. Securing Your Containerized Applications with NGINX
   Kevin Jones, Sr Product Manager, NGINX (now part of F5), @webopsx
2. Today's talk
   • Benefits of a Reverse Proxy for Security
   • NGINX Best Practices for TLS
   • Running NGINX in Docker
   • Q&A
3. Benefits of a Reverse Proxy
   ● HTTP Security and Façade Routing
   ● TLS Offload
   ● Authentication / Authorization Offload
4. HTTP Security & Façade Routing
5. A Reverse Proxy can…
   ● Restrict Access to Specific URLs
   ● Intercept Response Headers from Upstream Servers
   ● Control Request Methods
   ● Control Domain Level Access
   ● Provide a Layer of Façade URLs for Routing to Microservices
   ● Rewrite URLs for Backwards Compatibility
   ● API Version Control / Testing (A/B)
6. Diagram: Reverse Proxy / Gateway in front of three services
   Service A: Login Service, /login, :32706
   Service B: Inventory Service, /inventory, :32717
   Service C: Partner API, /api/beta, :32724
   api.example.com *:80 publishes /api/v2/login, /api/v1/inventory and /admin/
   partner.example.com *:80 publishes /api/v1
   Request methods shown on the routes: GET, PUT, PATCH
7. The same diagram annotated with the NGINX directives that implement it: server_name, listen, location, limit_except, proxy_pass, upstream, map, if
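As an added example (not configuration from the talk), here is a gateway that implements the routing diagram above with the directives slide 7 lists. Hostnames, ports and paths are the ones in the diagram; the 10.0.0.0/8 admin network, the service that serves /admin/, and the "partner_beta" canary upstream used for A/B testing are assumptions made for the example.

```nginx
# Added example: API gateway for the diagram on slide 6.
# Assumptions: upstream hostnames equal the service names, /admin/ is served
# by the inventory service, 10.0.0.0/8 is the internal network, and a second
# "partner-beta" deployment exists for A/B testing.

upstream login        { server login:32706; }
upstream inventory    { server inventory:32717; }
upstream partner      { server partner:32724; }
upstream partner_beta { server partner-beta:32724; }   # assumed canary

# A/B testing without code changes: requests carrying the cookie "beta=1"
# go to the canary, everything else to the stable upstream.
map $cookie_beta $partner_backend {
    default partner;
    "1"     partner_beta;
}

server {
    listen 80;
    server_name api.example.com;

    server_tokens off;                # no nginx version in the Server header
    proxy_hide_header X-Powered-By;   # strip fingerprinting headers from upstreams

    # Login accepts POST only; other methods get 403 from the proxy
    location = /api/v2/login {
        limit_except POST { deny all; }
        proxy_pass http://login/login;
    }

    # Inventory is read-only from the outside (GET also allows HEAD)
    location /api/v1/inventory {
        limit_except GET { deny all; }
        proxy_pass http://inventory/inventory;
    }

    # Domain-level access: /admin/ only from the internal network
    location /admin/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://inventory;
    }

    # Anything not routed explicitly is not exposed at all
    location / { return 404; }
}

server {
    listen 80;
    server_name partner.example.com;

    # Facade URL: partners call /api/v1/..., the service still serves /api/beta/...
    location /api/v1/ {
        limit_except GET POST { deny all; }
        rewrite ^/api/v1/(.*)$ /api/beta/$1 break;
        proxy_pass http://$partner_backend;
    }
    location / { return 404; }
}

# Requests for any other Host header: close the connection without a response
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

Validate with `nginx -t` before reloading. The catch-all `default_server` matters: without it, NGINX serves requests with an unknown or missing Host header from the first server block, which would quietly expose api.example.com's routes under any name.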
8. SSL/TLS
9. Complexities of TLS
   ● SSL/TLS Protocols
   ● Ciphers
   ● Sessions
   ● Certificate and Key Management
   ● OCSP
   ● Performance Degradation
   ● Security Vulnerabilities and Patching
   RSA, DH, ECDH, SRP, PSK??!
10. Let's Encrypt (diagram: Cron (Certbot) → NGINX API)
   ● A cron process can update certificates and keys
   ● The certificates and keys can be stored on disk or in memory depending on security requirements
   ● If you are using NGINX, certificates and keys can be loaded from disk on demand (lazy load)
   ● If using NGINX Plus, your certificates and keys can be stored in the NGINX Plus key-value database
11. Authentication & Authorization
12. Authentication and Authorization
   ● Offload credential validation
   ● Intercept unauthenticated requests
   ● Support integration with an IDP or other authentication flows
   ● Support multi-factor requirements
   ● Once the client is validated, authorization provides policy enforcement on specific HTTP access
13. GET w/ JSON Web Token
   Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.N3Hb-h4CdvYDpm6iT-kQVAXt_q2vBnnZ-BDLfOPrd18
   Header (first segment, base64url): { "alg": "HS256", "typ": "JWT" }
   Payload (second segment, base64url): { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
   Signature (third segment): HMAC-SHA256 over "header.payload", keyed with the JSON Web Key held by the proxy. The proxy recomputes the MAC and rejects the request on mismatch, and must also pin the expected "alg" (never trust the one in the header) and check the claims (iat here, plus exp, iss and aud when present) before forwarding the request.
14. Raffle Time! Check the chat to see if you've won!
15. NGINX Best Practices For Configuring TLS
16. Test the current configuration: https://www.ssllabs.com/ssltest/
17. Baseline TLS server block
   server {
       listen 443 ssl default_server;
       server_name example.com;
       ssl_certificate /path/to/cert.pem;
       ssl_certificate_key /path/to/key.pem;
       # SSL protocols
       ssl_protocols TLSv1.3 TLSv1.2;
       # SSL ciphers (TLS 1.2 only; the TLS 1.3 suites are fixed by the crypto library)
       ssl_prefer_server_ciphers on;
       ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
       # DH parameters and curves
       ssl_dhparam /path/to/dhparam.pem;
       ssl_ecdh_curve X25519:secp384r1;
   }
   Check any cipher list with "openssl ciphers -v '<list>'" before deploying it: OpenSSL silently drops names it does not know (ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512 are not real suites; the AES-256-GCM suites end in SHA384), and the CBC suite ECDHE-RSA-AES256-SHA384 is not an AEAD cipher. Pinning ssl_ecdh_curve to a single curve such as secp384r1 also removes X25519, which most modern clients prefer.
18. Generate stronger DH parameters
   • This will take a while, be patient
   • For highest security, it is recommended to use a bit length of 4096
   $ openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
   Generating DH parameters, 4096 bit long safe prime, generator 2
   This is going to take a long time
   ............+.......................+..... (progress output continues until a safe prime is found)
   The parameters are only used by the DHE-* suites. With the ECDHE suites listed first and ssl_prefer_server_ciphers on, modern clients negotiate ECDHE and the 4096-bit group never comes into play, so its handshake cost only hits older clients.
19. Re-test: https://www.ssllabs.com/ssltest/
20. Enable HTTP Strict Transport Security
   server {
       # HTTP STS
       add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
   }
   • Informs browsers to always interact with your site over HTTPS
   • Protects your site against downgrade attacks and cookie hijacking
   Set the header only in the server block that listens with ssl, and remember that an add_header inside a location replaces every add_header inherited from the server block, so the STS header must be repeated there. "preload" submits the domain to the browsers' built-in HSTS lists once registered, which is hard to undo, and "includeSubDomains" breaks any subdomain that is still served over plain HTTP.
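As an added example (not configuration from the talk), the settings from slides 17 to 20 assembled into one server, together with the session and OCSP items from slide 9 and an HTTP-to-HTTPS redirect. Hostname and file paths are placeholders; the resolver address is an assumption and must point at a DNS server reachable from the container.

```nginx
# Added example: one hardened TLS server for example.com.
# Assumptions: fullchain.pem holds leaf + intermediates, chain.pem holds the
# intermediates + root for stapling verification, and 127.0.0.53 is a
# reachable DNS resolver (replace with your own).

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;   # never serve content on :80
}

server {
    listen 443 ssl default_server;
    server_name example.com;

    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/key.pem;

    # Protocols and TLS 1.2 suites: forward secrecy and AEAD only
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_dhparam /path/to/dhparam.pem;
    ssl_ecdh_curve X25519:secp384r1:prime256v1;

    # Session resumption: a cache shared across workers; tickets off, because
    # one long-lived ticket key would let a later key compromise decrypt
    # recorded sessions and undo forward secrecy.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: nginx fetches and verifies the OCSP response itself,
    # so clients do not contact the CA and do not leak which site they visit.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/chain.pem;
    resolver 127.0.0.53 valid=300s;   # assumed resolver address
    resolver_timeout 5s;

    # HSTS only on the TLS server; "always" also covers error responses
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed application port
    }
}
```

Run `nginx -t`, then re-scan with the SSL Labs test. To see stapling working from the command line use `openssl s_client -connect example.com:443 -status` and look for "OCSP Response Status: successful"; if the resolver is unreachable the handshake still succeeds but no staple is sent, which shows up as a lower score rather than an error.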
21. Re-test: https://www.ssllabs.com/ssltest/
22. Deploying NGINX on Docker
23. Diagram: Reverse Proxy / Gateway in front of the three services, now terminating TLS
   Service A: Login Service :32706; Service B: Inventory Service :32717; Service C: Partner API :32724
   api.example.com *:80 / *:443 publishes /api/v2/login, /api/v1/inventory and /admin/
   partner.example.com :443 publishes /api/v1
24. Configure NGINX with Docker Compose
   • Configure the services you want to reach through NGINX using "expose"
   • Link your services together with the "links" option
   • Then publish your NGINX service using the "ports" mapping
   nginx:
     build: ./nginx
     container_name: nginx
     restart: always
     links:
       - login
     ports:
       - "80:80"
     volumes:
       - ./etc/nginx/conf.d/server.conf:/etc/nginx/conf.d/server.conf
   login:
     build: ./login
     container_name: login
     restart: always
     expose:
       - "80"
   The security point is the difference between "expose" and "ports": "expose" only documents that the login container listens on 80 on the Compose network, where every service can already reach it by name, while "ports" publishes NGINX on the host. The application therefore has no host-published port at all, and "links" is a legacy option that the default Compose network makes unnecessary.
25. NGINX Configuration
   user nginx;
   events {
       worker_connections 1024;
   }
   http {
       server {
           listen 80;
           location /login {
               proxy_pass http://login:80;
           }
       }
   }
   The hostname in proxy_pass ("login", the Compose service name) is resolved through Docker's embedded DNS server. Caveat: with a literal hostname NGINX resolves the name once, when the configuration is loaded, and refuses to start if the name does not resolve; replicas added later with "docker compose up --scale" are only seen after a reload. Request-time resolution needs a "resolver" directive pointing at Docker's DNS plus a variable in proxy_pass.
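As an added example (not the talk's configuration), the same proxy changed so that it asks Docker's embedded DNS for "login" at request time, which is what actually makes scaling work without a reload. The service name "login" is the one from the Compose file above; 127.0.0.11 is the address at which Docker's DNS answers inside every container on a user-defined or Compose network.

```nginx
# Added example: request-time service discovery through Docker's DNS.
# Assumes the "login" service from the compose file and a Compose network
# (Docker's embedded DNS is not available on the legacy default bridge).

user nginx;
events { worker_connections 1024; }

http {
    # Docker's embedded DNS; re-resolve at most every 10 s, A records only
    resolver 127.0.0.11 valid=10s ipv6=off;

    server {
        listen 80;

        location /login {
            # A variable in proxy_pass defers name resolution to request time.
            # With a literal hostname nginx resolves once at startup and keeps
            # that address until reload.
            set $login_upstream "login";
            proxy_pass http://$login_upstream:80;

            # Docker DNS returns one A record per replica; nginx rotates
            # through all returned addresses round-robin.
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Scale the backend with `docker compose up -d --scale login=3` and watch the upstream address in the access log (`$upstream_addr`) change between requests; with the literal `proxy_pass http://login:80;` from the slide it stays fixed on the first replica until `nginx -s reload`.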
26. Sidecar Proxy
   Diagram, before: login.example.com, inventory.example.com and partner.example.com each sit behind a shared Reverse Proxy.
   Diagram, after: each service gets its own Sidecar Proxy in the same container: Login Service on 127.0.0.1:9001, Inventory Service on 127.0.0.1:7001, Partner API on 127.0.0.1:5001.
   Deploying NGINX as a Sidecar Proxy provides the ability to optimize TLS, standardize HTTP protocol behavior and offload functionality that is already built into NGINX, such as authentication and authorization, without developing it as application code.
27. Sidecar Proxy
   • Using proxy_pass you can route requests to your application listening on localhost within the container
   http {
       server {
           listen 80;
           server_name partner.example.com;
           location /api/v2 {
               proxy_pass http://127.0.0.1:5001;
           }
       }
   }
   (Diagram: partner.example.com → Sidecar Proxy → Partner API on 127.0.0.1:5001)
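As an added example (not configuration from the talk), the sidecar above extended with the offloads slides 12, 13 and 26 describe: TLS termination and bearer-token validation before anything reaches the Partner API on 127.0.0.1:5001. Open-source NGINX has no auth_jwt directive (that is NGINX Plus), so token validation is delegated with auth_request to a small verifier assumed to listen on 127.0.0.1:5002/verify and to return 2xx with an X-Auth-User header, or 401. The certificate paths and that header name are assumptions as well.

```nginx
# Added example: sidecar with TLS termination and authentication offload.
# Assumptions: a token verifier at 127.0.0.1:5002/verify that answers 2xx and
# X-Auth-User for a valid bearer token (401 otherwise), and certs under
# /etc/nginx/tls/. Needs the http_auth_request module, which the official
# nginx image includes.

server {
    listen 443 ssl;
    server_name partner.example.com;
    ssl_certificate     /etc/nginx/tls/partner.crt;
    ssl_certificate_key /etc/nginx/tls/partner.key;
    ssl_protocols TLSv1.3 TLSv1.2;

    # Internal subrequest to the verifier: forward only the Authorization
    # header and the original URI, never the request body.
    location = /_auth {
        internal;
        proxy_pass http://127.0.0.1:5002/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Authorization $http_authorization;
        proxy_set_header X-Original-URI $request_uri;
    }

    location /api/v2 {
        auth_request /_auth;

        # Identity reaches the app in a header the proxy sets from the
        # verifier's response, so a client-supplied X-Auth-User is overwritten
        # rather than trusted.
        auth_request_set $auth_user $upstream_http_x_auth_user;
        proxy_set_header X-Auth-User $auth_user;
        # Empty value removes the header: the app never sees the raw token
        # (drop this line if the app needs it).
        proxy_set_header Authorization "";

        limit_except GET POST { deny all; }
        proxy_hide_header X-Powered-By;
        proxy_pass http://127.0.0.1:5001;
    }

    # Verifier said no: answer with a proper challenge, not the verifier's body
    error_page 401 = @unauthorized;
    location @unauthorized {
        add_header WWW-Authenticate 'Bearer realm="partner"' always;
        return 401;
    }

    location / { return 404; }
}
```

The application itself keeps listening on 127.0.0.1:5001 only, so the sidecar is the single entry point: a request with a bad or missing token is answered with 401 by NGINX and never creates load on, or an attack surface in, the application process. If the verifier is down, auth_request turns its 5xx into a 500 for the client, which fails closed rather than open.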
28. Thank you for watching! Visit https://swag-nginx.com and use code DOCKERCON30 for 30% off. Questions? kevin@nginx.com