Nginx web server upgrade focuses on web security, JavaScript configuration

Nginx Plus Release 10 adds a web app firewall, IP transparency, and support for the nginScript configuration and control language

Nginx Web server upgrade focuses on Web security, JavaScript configuration

Security rules the day in version 10 of Nginx's enterprise-level web server, which features enhancements, including a web application firewall.

Nginx Plus Release 10, available Tuesday, also introduces JavaScript-based scripting for configuration, IP transparency, and DSR (Direct Server Return) load-balancing.

For application security, version 10 features an Nginx-native version of the ModSecurity WAF module, which Nginx co-developed with Trustwave. The firewall, which is the first Nginx-supported WAF for the web server, uses heuristics and signatures to identify bad traffic for users to either drop or log for inspection.

A preview version of the WAF module ships with the version 10 release. "We will offer full support for users who want to evaluate and ultimately deploy that module," said Owen Garrett, Nginx head of products. The company also will keep working with Trustwave to add Nginx-specific features and improve performance. Nginx has tested the module to ensure it works correctly with the Nginx core, but the company recommends users test it thoroughly before putting it into production.

Version 10 also backs Oauth 2 and OpenID authentication standards, via JSON Web Tokens. "[This support] allows Nginx to verify the traffic that's been authenticated and to extract information about the user who sends the requests from the authentication token," Garrett said. Dual-stack ECC-RSA (Elyptic Curve Cryptography) traffic encryption, meanwhile, improves performance over legacy RSA certificates while maintaining backward compatibility. website owners can handle more SSL transactions, and Garrett noted that "ECC certificates are up to five times faster than RSA certificates."

Also getting a nod in release 10 is nginScript, a JavaScript-based configuration and control language for Nginx that provides fine-grained control over application delivery and security. An nginScript plugin module can control HTTP, TCP, and UDP (User Datagram Protocol) traffic. "It will allow you to build much more sophisticated and intelligent rules for load-balancing and managing traffic," Garrett said.

Until now, a Lua module or Perl were used to configure Nginx. "We're not seeking to compete [with Lua or Perl], but we know that JavaScript is an extremely popular and well-known language," said Garrett. The company is supporting nginScript as an easier-to-use alternative and looks to fit nginScript with a wider range of language features from the ECMAScript 6 specification underlying JavaScript.

IP transparency and DSR load-balancing in release 10 help support a broader range of applications, Nginx said. IP transparency has the original client IP address passed to the back-end service, which is now required for many applications. DSR load balancing, meanwhile, suits latency-sensitive and real-time applications. In DSR load balancing, the web server makes the first decision on load balancing, with the server responding directly to the client afterward. With DSR, UDP traffic can bypass the load balancer to improve performance.

Nginx has been a rising star among web servers. Introduced in 2002, it used at nearly 31 percent of the top 10 million websites known by researcher W3Techs, behind only the Apache web server, which is used at 52 percent of sites and debuted in 1995.

Copyright © 2016 IDG Communications, Inc.

InfoWorld Technology of the Year Awards 2023. Now open for entries!