SlideShare a Scribd company logo

NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX

N
NGINX, Inc.

On-Demand Link: https://www.nginx.com/resources/webinars/nginx-101-web-traffic-encryption-ssl-tls/ 85% of all web traffic is encrypted. This now standard practice helps ensure that data (sensitive or not) sent over the Internet remains private and out of the hands of eavesdroppers and hackers. But how do you encrypt traffic? The answer is with SSL/TLS, an encryption protocol that protects Internet communication. Join this NGINX 101 foundational webinar to learn more about the importance of and best practices for encrypting your web, application, and API traffic. Our presenters show you how to create or procure a certificate to ensure transactions are authenticated, as well as demo how straightforward it is to encrypt and secure your web traffic using NGINX. We also answer attendee questions about NGINX and encryption. Robert Haynes Technical Marketing Manager F5

Software
1 of 36
Download to read offline
NGINX 101: Managing SSL/TLS ROBERT HAYNES
| ©2021 F5 2 Agenda TLS/SSL Overview Introduction TLS Protocols Cyphers Key Exchange Encryption Certificates Basic NGINX Config Demo NGINX SSL Configuration Extras Next Redirecting HTTP to HTTPS Recommended SSL settings Additional NGINX security offers
| ©2021 F5 3 >70% 10,000 busiest websites 440M+ websites and apps OPEN SOURCE FOOTPRINT NGINX powers the Internet . . . and most enterprises! PROVEN = 1 Million
| ©2021 F5 4 NGINX Plus Enterprise-Class Data Plane NGINX Open Source Fast, Flexible, Portable
| ©2021 F5 5 TLS/SSL Overview CONFIDENTIAL
| ©2021 F5 6 CONFIDENTIAL Clarifying some terms HTTPS SSL TLS Encrypting Web Traffic
| ©2021 F5 7 10000 Ft (3048m) View THIS IS WHAT WE ARE TRYING TO ACHIEVE Client Server Key Algorithm Key Algorithm Matching key and encryption algorithm Identity confirmed, connection established, encryption of traffic between client and server.
| ©2021 F5 8 CONFIDENTIAL Establishing an encrypted connection TCP Connection Identity and capabilities Key ‘exchange’ Bulk encryption Server Client
| ©2021 F5 9 CONFIDENTIAL Establishing Capabilities and Identity Identity and capabilities Server Client Supported Cypher Suites
| ©2021 F5 10 CONFIDENTIAL Establishing Capabilities and Identity Identity and capabilities Server Client Supported Cypher Suites Identity ECDHE-RSA-AES256-GCM-SHA384 RSA
| ©2021 F5 11 CONFIDENTIAL Creating a Shared Key Identity and capabilities Key ‘exchange’ Server Client ECDHE-RSA-AES256-GCM-SHA384 Public Value Public Value Random Secret Random Secret Public Value Public Value Public Value Public Value Intermediate Intermediate
| ©2021 F5 12 CONFIDENTIAL Creating a Shared Key Identity and capabilities Key ‘exchange’ Server Client ECDHE-RSA-AES256-GCM-SHA384 Random Secret Random Secret Intermediate Intermediate
| ©2021 F5 13 CONFIDENTIAL Bulk Encryption Identity and capabilities Key ‘exchange’ Bulk encryption Server Client ECDHE-RSA-AES256-GCM-SHA384
| ©2021 F5 14 CONFIDENTIAL Protocol == Control of Operations THE SSL/TLS PROTOCOL SETTING IS THE CONTROL STREAM Identity and capabilities Key ‘exchange’ Bulk encryption Server Client SSL1 SSL2 SSL3 TLS1 TLS1.1 TLS1.2 TLS1.3
| ©2021 F5 15 Eliminates known insecure key ciphers Mandates forward secrecy Mandates more secure bulk encryption Signs whole handshake CONFIDENTIAL Why Use TLS 1.3? LATEST AND GREATEST SAFER Reduced handshakes in TLS session setup 0-RTT connections for session resumption Simpler cipher suites, fewer possible combinations FASTER 63% of Servers prefer TLS 1.3* *F5 TLS Telemetry report 2021
| ©2021 F5 16 SSL Certificates CONFIDENTIAL
| ©2021 F5 17 CONFIDENTIAL What is an SSL Certificate used for? Establish Identity Certificate contains identity information and is signed by a trusted Certificate Authority Signing Communications A client can verify that data was sent from the server by using the public key in the SSL certificate to decrypt it
| ©2021 F5 18 CONFIDENTIAL SSL for Identity Verification Certificate from NGINX.com Root Certificate Authority (Balitmore Cybertrust) Intermediate Certificate (Cloudflare.com) Signs Signs Certificate Chain
| ©2021 F5 19 CONFIDENTIAL Certificates Self Signed CA Signed Self CA Signed Generate your own Obtain from a CA Create your CA Create your cert Certificate Warnings No warnings No warnings on browsers with your root CA Dev/Test Production Internal prod/QA
| ©2021 F5 20 NGINX SSL Configuration CONFIDENTIAL
| ©2021 F5 21 CONFIDENTIAL NGINX Config Overview http{ # HTTP block sets global http values server { # server block defines an individual config } upstream { # upstream block defines backend servers } } Server and upstream blocks are usually contained in separate files and incorporated using the include directive
| ©2021 F5 22 CONFIDENTIAL NGINX SSL Configuration server { listen 443 ssl; server_name www.example.com; ssl_certificate ssl/www.example.com.crt; ssl_certificate_key ssl/www.example.com.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256; … Server Name – needs to match certificate* SSL Certificate and key name Allowable protocols Cipher string for for TLS 1.2 Port to listen on and protocol Cipher string for TLS 1.3
| ©2021 F5 23 CONFIDENTIAL ssl_ciphers Explained HIGH:!aNULL:!MD5; Use the high strength set of ciphers Explicitly exclude (!) any cipher suite offering no authentication Explicitly exclude (!) any cipher suite using MD5 for hashing See what cipher strings will be listed: openssl ciphers -V 'HIGH:!aNULL:!MD5'
| ©2021 F5 24 CONFIDENTIAL ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256 Protocol Bulk Encryption Key Derivation TLS 1.3 has 5 recommended cipher suites (37 in TLS1.2),(319 for backward compatibility!)
| ©2021 F5 25 Demo Time CONFIDENTIAL
| ©2021 F5 26 CONFIDENTIAL Environment Me NGINX Proxy NGINX Webserver HTTPS 443 HTTPS 443 HTTP 8080
| ©2021 F5 27 Other Settings: CONFIDENTIAL
| ©2021 F5 28 CONFIDENTIAL Redirect HTTP to HTTPS server { listen 80; listen [::]:80; server_name example.com www.example.com; return 301 https://example.com$request_uri; } Add an additional server block listening on port 80, and return a HTTP redirect response to any request:
| ©2021 F5 29 CONFIDENTIAL Improving SSL Security - Key Exchange Parameters Increase the size of one of the known parameters to 4096 bytes: Generate the key: SSL_Demo> sudo openssl dhparam -out /etc/nginx/ssl/dhkey4096.pem 4096 Add the value to the NGINX config: ssl_certificate www.example.com.crt; ssl_certificate_key www.example.com.key; ssl_dhparam /etc/ssl/dhkey4096.pem;
| ©2021 F5 30 Add Strict Transport Security headers: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; This informs a browser that a site should ONLY be accessed over HTTPS. Increase the timeout and set a session cache ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; CONFIDENTIAL Additional Security and Performance Settings
| ©2021 F5 31 NGINX Security Products CONFIDENTIAL
| ©2021 F5 32 NGINX App Protect DoS Protection against a range of DoS attacks, including hard-to-spot low and slow attacks NGINX App Protect WAF Powerful defense against layer 7 attacks Based on F5’s leading application layer firewall NGINX Kubernetes Ingress Controller Ingress control for Kubernetes, with added encryption, authentication and WAF. CONFIDENTIAL NGINX Security Products BUILT ON NGINX PLUS
| ©2021 F5 33 Summary CONFIDENTIAL
| ©2021 F5 34 CONFIDENTIAL Useful Resources Private Keys https://www.nginx.com/blog/secure-distribution-ssl-private-keys-nginx/ Cipher Suites https://www.youtube.com/watch?v=ZM3tXhPV8v0 Key Exchange https://www.youtube.com/watch?v=pa4osob1XOk TLS 1.3 https://www.nginx.com/blog/nginx-plus-r17-released/#r17-tls13
| ©2020 F5 35 Questions? CONFIDENTIAL
NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX

Recommended

NGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEANGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEANGINX, Inc.
 
Cilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPThomas Graf
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX, Inc.
 
Backup and Restore VMs Based on KVM
Backup and Restore VMs Based on KVMBackup and Restore VMs Based on KVM
Backup and Restore VMs Based on KVMShapeBlue
 
Kafka’s New Control Plane: The Quorum Controller | Colin McCabe, Confluent
Kafka’s New Control Plane: The Quorum Controller | Colin McCabe, ConfluentKafka’s New Control Plane: The Quorum Controller | Colin McCabe, Confluent
Kafka’s New Control Plane: The Quorum Controller | Colin McCabe, ConfluentHostedbyConfluent
 
Get Hands-On with NGINX and QUIC+HTTP/3
Get Hands-On with NGINX and QUIC+HTTP/3Get Hands-On with NGINX and QUIC+HTTP/3
Get Hands-On with NGINX and QUIC+HTTP/3NGINX, Inc.
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityThomas Graf
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes BasicsAntonin Stoklasek
 

Recommended

NGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEANGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEANGINX, Inc.
 
Cilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPThomas Graf
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX, Inc.
 
Backup and Restore VMs Based on KVM
Backup and Restore VMs Based on KVMBackup and Restore VMs Based on KVM
Backup and Restore VMs Based on KVMShapeBlue
 
Kafka’s New Control Plane: The Quorum Controller | Colin McCabe, Confluent
Kafka’s New Control Plane: The Quorum Controller | Colin McCabe, ConfluentKafka’s New Control Plane: The Quorum Controller | Colin McCabe, Confluent
Kafka’s New Control Plane: The Quorum Controller | Colin McCabe, ConfluentHostedbyConfluent
 
Get Hands-On with NGINX and QUIC+HTTP/3
Get Hands-On with NGINX and QUIC+HTTP/3Get Hands-On with NGINX and QUIC+HTTP/3
Get Hands-On with NGINX and QUIC+HTTP/3NGINX, Inc.
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityThomas Graf
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes BasicsAntonin Stoklasek
 
Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservicesThomas Graf
 
How to Avoid the Top 5 NGINX Configuration Mistakes
How to Avoid the Top 5 NGINX Configuration MistakesHow to Avoid the Top 5 NGINX Configuration Mistakes
How to Avoid the Top 5 NGINX Configuration MistakesNGINX, Inc.
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumMichal Rostecki
 
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...LINE Corporation
 
5 things you didn't know nginx could do
5 things you didn't know nginx could do5 things you didn't know nginx could do
5 things you didn't know nginx could dosarahnovotny
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX, Inc.
 
Shift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXNGINX, Inc.
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityThomas Graf
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safeconfluent
 
Learn nginx in 90mins
Learn nginx in 90minsLearn nginx in 90mins
Learn nginx in 90minsLarry Cai
 
Everything as Code with Terraform
Everything as Code with TerraformEverything as Code with Terraform
Everything as Code with TerraformAll Things Open
 
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewOpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewMaría Angélica Bracho
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...Akihiro Suda
 
Best Practices for Getting Started with NGINX Open Source
Best Practices for Getting Started with NGINX Open SourceBest Practices for Getting Started with NGINX Open Source
Best Practices for Getting Started with NGINX Open SourceNGINX, Inc.
 
Introduction to CNI (Container Network Interface)
Introduction to CNI (Container Network Interface)Introduction to CNI (Container Network Interface)
Introduction to CNI (Container Network Interface)HungWei Chiu
 
cLoki: Like Loki but for ClickHouse
cLoki: Like Loki but for ClickHousecLoki: Like Loki but for ClickHouse
cLoki: Like Loki but for ClickHouseAltinity Ltd
 
Kubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveKubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveMichal Rostecki
 
OpenStack and MySQL
OpenStack and MySQLOpenStack and MySQL
OpenStack and MySQLMatt Lord
 
Exactly-Once Financial Data Processing at Scale with Flink and Pinot
Exactly-Once Financial Data Processing at Scale with Flink and PinotExactly-Once Financial Data Processing at Scale with Flink and Pinot
Exactly-Once Financial Data Processing at Scale with Flink and PinotFlink Forward
 
RabbitMQ + OpenLDAP
RabbitMQ + OpenLDAPRabbitMQ + OpenLDAP
RabbitMQ + OpenLDAPCheng Hsien Chen
 
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud Cohesive Networks
 
Learn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdfLearn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdfReliqusConsulting
 

More Related Content

What's hot

Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservicesThomas Graf
 
How to Avoid the Top 5 NGINX Configuration Mistakes
How to Avoid the Top 5 NGINX Configuration MistakesHow to Avoid the Top 5 NGINX Configuration Mistakes
How to Avoid the Top 5 NGINX Configuration MistakesNGINX, Inc.
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumMichal Rostecki
 
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...LINE Corporation
 
5 things you didn't know nginx could do
5 things you didn't know nginx could do5 things you didn't know nginx could do
5 things you didn't know nginx could dosarahnovotny
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX, Inc.
 
Shift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXNGINX, Inc.
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityThomas Graf
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safeconfluent
 
Learn nginx in 90mins
Learn nginx in 90minsLearn nginx in 90mins
Learn nginx in 90minsLarry Cai
 
Everything as Code with Terraform
Everything as Code with TerraformEverything as Code with Terraform
Everything as Code with TerraformAll Things Open
 
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewOpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewMaría Angélica Bracho
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...Akihiro Suda
 
Best Practices for Getting Started with NGINX Open Source
Best Practices for Getting Started with NGINX Open SourceBest Practices for Getting Started with NGINX Open Source
Best Practices for Getting Started with NGINX Open SourceNGINX, Inc.
 
Introduction to CNI (Container Network Interface)
Introduction to CNI (Container Network Interface)Introduction to CNI (Container Network Interface)
Introduction to CNI (Container Network Interface)HungWei Chiu
 
cLoki: Like Loki but for ClickHouse
cLoki: Like Loki but for ClickHousecLoki: Like Loki but for ClickHouse
cLoki: Like Loki but for ClickHouseAltinity Ltd
 
Kubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveKubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveMichal Rostecki
 
OpenStack and MySQL
OpenStack and MySQLOpenStack and MySQL
OpenStack and MySQLMatt Lord
 
Exactly-Once Financial Data Processing at Scale with Flink and Pinot
Exactly-Once Financial Data Processing at Scale with Flink and PinotExactly-Once Financial Data Processing at Scale with Flink and Pinot
Exactly-Once Financial Data Processing at Scale with Flink and PinotFlink Forward
 

What's hot (20)

Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservices
 
How to Avoid the Top 5 NGINX Configuration Mistakes
How to Avoid the Top 5 NGINX Configuration MistakesHow to Avoid the Top 5 NGINX Configuration Mistakes
How to Avoid the Top 5 NGINX Configuration Mistakes
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
 
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
 
5 things you didn't know nginx could do
5 things you didn't know nginx could do5 things you didn't know nginx could do
5 things you didn't know nginx could do
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
 
Shift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINX
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safe
 
Learn nginx in 90mins
Learn nginx in 90minsLearn nginx in 90mins
Learn nginx in 90mins
 
Everything as Code with Terraform
Everything as Code with TerraformEverything as Code with Terraform
Everything as Code with Terraform
 
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewOpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
 
Best Practices for Getting Started with NGINX Open Source
Best Practices for Getting Started with NGINX Open SourceBest Practices for Getting Started with NGINX Open Source
Best Practices for Getting Started with NGINX Open Source
 
Introduction to CNI (Container Network Interface)
Introduction to CNI (Container Network Interface)Introduction to CNI (Container Network Interface)
Introduction to CNI (Container Network Interface)
 
cLoki: Like Loki but for ClickHouse
cLoki: Like Loki but for ClickHousecLoki: Like Loki but for ClickHouse
cLoki: Like Loki but for ClickHouse
 
Kubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveKubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep Dive
 
OpenStack and MySQL
OpenStack and MySQLOpenStack and MySQL
OpenStack and MySQL
 
Exactly-Once Financial Data Processing at Scale with Flink and Pinot
Exactly-Once Financial Data Processing at Scale with Flink and PinotExactly-Once Financial Data Processing at Scale with Flink and Pinot
Exactly-Once Financial Data Processing at Scale with Flink and Pinot
 
RabbitMQ + OpenLDAP
RabbitMQ + OpenLDAPRabbitMQ + OpenLDAP
RabbitMQ + OpenLDAP
 

Similar to NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX

Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud Cohesive Networks
 
Learn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdfLearn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdfReliqusConsulting
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXNGINX, Inc.
 
HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview hemantnaik
 
presentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfpresentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfssuserf0e32f
 
Securing Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the CloudSecuring Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the CloudOlivia LaMar
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficShain Singh
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXNGINX, Inc.
 
Citrix Day 2014: XenMobile Enterprise Edition
Citrix Day 2014: XenMobile Enterprise EditionCitrix Day 2014: XenMobile Enterprise Edition
Citrix Day 2014: XenMobile Enterprise EditionDigicomp Academy AG
 
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...David McGeough
 
Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues ...
Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues ...Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues ...
Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues ...David McGeough
 
Adobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideAdobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideRapidSSLOnline.com
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )Monodip Singha Roy
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYMonodip Singha Roy
 
VMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSXVMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSXVMworld
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets LayerNascenia IT
 
ESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdfESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdfProtect724v2
 
Poodle sha2 open mic
Poodle sha2 open micPoodle sha2 open mic
Poodle sha2 open micRahul Kumar
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...DATA SECURITY SOLUTIONS
 

Similar to NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX (20)

Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
 
Learn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdfLearn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdf
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINX
 
HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview
 
presentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfpresentation_4102_1493726768.pdf
presentation_4102_1493726768.pdf
 
Securing Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the CloudSecuring Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the Cloud
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern Traffic
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINX
 
Citrix Day 2014: XenMobile Enterprise Edition
Citrix Day 2014: XenMobile Enterprise EditionCitrix Day 2014: XenMobile Enterprise Edition
Citrix Day 2014: XenMobile Enterprise Edition
 
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...
Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetS...
 
Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues ...
Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues ...Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues ...
Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues ...
 
Adobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideAdobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL Guide
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
 
The last picks
The last picksThe last picks
The last picks
 
VMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSXVMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSX
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
 
ESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdfESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdf
 
Poodle sha2 open mic
Poodle sha2 open micPoodle sha2 open mic
Poodle sha2 open mic
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
 

More from NGINX, Inc.

【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法NGINX, Inc.
 
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナーNGINX, Inc.
 
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法NGINX, Inc.
 
Managing Kubernetes Cost and Performance with NGINX & Kubecost
Managing Kubernetes Cost and Performance with NGINX & KubecostManaging Kubernetes Cost and Performance with NGINX & Kubecost
Managing Kubernetes Cost and Performance with NGINX & KubecostNGINX, Inc.
 
Manage Microservices Chaos and Complexity with Observability
Manage Microservices Chaos and Complexity with ObservabilityManage Microservices Chaos and Complexity with Observability
Manage Microservices Chaos and Complexity with ObservabilityNGINX, Inc.
 
Accelerate Microservices Deployments with Automation
Accelerate Microservices Deployments with AutomationAccelerate Microservices Deployments with Automation
Accelerate Microservices Deployments with AutomationNGINX, Inc.
 
Unit 2: Microservices Secrets Management 101
Unit 2: Microservices Secrets Management 101Unit 2: Microservices Secrets Management 101
Unit 2: Microservices Secrets Management 101NGINX, Inc.
 
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
Unit 1: Apply the Twelve-Factor App to Microservices ArchitecturesUnit 1: Apply the Twelve-Factor App to Microservices Architectures
Unit 1: Apply the Twelve-Factor App to Microservices ArchitecturesNGINX, Inc.
 
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!NGINX, Inc.
 
Easily View, Manage, and Scale Your App Security with F5 NGINX
Easily View, Manage, and Scale Your App Security with F5 NGINXEasily View, Manage, and Scale Your App Security with F5 NGINX
Easily View, Manage, and Scale Your App Security with F5 NGINXNGINX, Inc.
 
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!NGINX, Inc.
 
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINXKeep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINXNGINX, Inc.
 
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...NGINX, Inc.
 
Protecting Apps from Hacks in Kubernetes with NGINX
Protecting Apps from Hacks in Kubernetes with NGINXProtecting Apps from Hacks in Kubernetes with NGINX
Protecting Apps from Hacks in Kubernetes with NGINXNGINX, Inc.
 
NGINX Kubernetes API
NGINX Kubernetes APINGINX Kubernetes API
NGINX Kubernetes APINGINX, Inc.
 
Successfully Implement Your API Strategy with NGINX
Successfully Implement Your API Strategy with NGINXSuccessfully Implement Your API Strategy with NGINX
Successfully Implement Your API Strategy with NGINXNGINX, Inc.
 
Installing and Configuring NGINX Open Source
Installing and Configuring NGINX Open SourceInstalling and Configuring NGINX Open Source
Installing and Configuring NGINX Open SourceNGINX, Inc.
 
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
How to Avoid the Top 5 NGINX Configuration Mistakes.pptxHow to Avoid the Top 5 NGINX Configuration Mistakes.pptx
How to Avoid the Top 5 NGINX Configuration Mistakes.pptxNGINX, Inc.
 
Kubernetes環境で実現するWebアプリケーションセキュリティ
Kubernetes環境で実現するWebアプリケーションセキュリティKubernetes環境で実現するWebアプリケーションセキュリティ
Kubernetes環境で実現するWebアプリケーションセキュリティNGINX, Inc.
 
Software Delivery and the Rube Goldberg Machine: What Is the Problem We Are T...
Software Delivery and the Rube Goldberg Machine: What Is the Problem We Are T...Software Delivery and the Rube Goldberg Machine: What Is the Problem We Are T...
Software Delivery and the Rube Goldberg Machine: What Is the Problem We Are T...NGINX, Inc.
 

More from NGINX, Inc. (20)

【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
 
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
 
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
 
Managing Kubernetes Cost and Performance with NGINX & Kubecost
Managing Kubernetes Cost and Performance with NGINX & KubecostManaging Kubernetes Cost and Performance with NGINX & Kubecost
Managing Kubernetes Cost and Performance with NGINX & Kubecost
 
Manage Microservices Chaos and Complexity with Observability
Manage Microservices Chaos and Complexity with ObservabilityManage Microservices Chaos and Complexity with Observability
Manage Microservices Chaos and Complexity with Observability
 
Accelerate Microservices Deployments with Automation
Accelerate Microservices Deployments with AutomationAccelerate Microservices Deployments with Automation
Accelerate Microservices Deployments with Automation
 
Unit 2: Microservices Secrets Management 101
Unit 2: Microservices Secrets Management 101Unit 2: Microservices Secrets Management 101
Unit 2: Microservices Secrets Management 101
 
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
Unit 1: Apply the Twelve-Factor App to Microservices ArchitecturesUnit 1: Apply the Twelve-Factor App to Microservices Architectures
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
 
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
 
Easily View, Manage, and Scale Your App Security with F5 NGINX
Easily View, Manage, and Scale Your App Security with F5 NGINXEasily View, Manage, and Scale Your App Security with F5 NGINX
Easily View, Manage, and Scale Your App Security with F5 NGINX
 
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
 
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINXKeep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
 
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
 
Protecting Apps from Hacks in Kubernetes with NGINX
Protecting Apps from Hacks in Kubernetes with NGINXProtecting Apps from Hacks in Kubernetes with NGINX
Protecting Apps from Hacks in Kubernetes with NGINX
 
NGINX Kubernetes API
NGINX Kubernetes APINGINX Kubernetes API
NGINX Kubernetes API
 
Successfully Implement Your API Strategy with NGINX
Successfully Implement Your API Strategy with NGINXSuccessfully Implement Your API Strategy with NGINX
Successfully Implement Your API Strategy with NGINX
 
Installing and Configuring NGINX Open Source
Installing and Configuring NGINX Open SourceInstalling and Configuring NGINX Open Source
Installing and Configuring NGINX Open Source
 
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
How to Avoid the Top 5 NGINX Configuration Mistakes.pptxHow to Avoid the Top 5 NGINX Configuration Mistakes.pptx
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
 
Kubernetes環境で実現するWebアプリケーションセキュリティ
Kubernetes環境で実現するWebアプリケーションセキュリティKubernetes環境で実現するWebアプリケーションセキュリティ
Kubernetes環境で実現するWebアプリケーションセキュリティ
 
Software Delivery and the Rube Goldberg Machine: What Is the Problem We Are T...
Software Delivery and the Rube Goldberg Machine: What Is the Problem We Are T...Software Delivery and the Rube Goldberg Machine: What Is the Problem We Are T...
Software Delivery and the Rube Goldberg Machine: What Is the Problem We Are T...
 

Recently uploaded

How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 

Recently uploaded (20)

How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 

NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX

  • 2. | ©2021 F5 2 Agenda TLS/SSL Overview Introduction TLS Protocols Cyphers Key Exchange Encryption Certificates Basic NGINX Config Demo NGINX SSL Configuration Extras Next Redirecting HTTP to HTTPS Recommended SSL settings Additional NGINX security offers
  • 3. | ©2021 F5 3 >70% 10,000 busiest websites 440M+ websites and apps OPEN SOURCE FOOTPRINT NGINX powers the Internet . . . and most enterprises! PROVEN = 1 Million
  • 4. | ©2021 F5 4 NGINX Plus Enterprise-Class Data Plane NGINX Open Source Fast, Flexible, Portable
  • 5. | ©2021 F5 5 TLS/SSL Overview CONFIDENTIAL
  • 6. | ©2021 F5 6 CONFIDENTIAL Clarifying some terms HTTPS SSL TLS Encrypting Web Traffic
  • 7. | ©2021 F5 7 10000 Ft (3048m) View THIS IS WHAT WE ARE TRYING TO ACHIEVE Client Server Key Algorithm Key Algorithm Matching key and encryption algorithm Identity confirmed, connection established, encryption of traffic between client and server.
  • 8. | ©2021 F5 8 CONFIDENTIAL Establishing an encrypted connection TCP Connection Identity and capabilities Key ‘exchange’ Bulk encryption Server Client
  • 9. | ©2021 F5 9 CONFIDENTIAL Establishing Capabilities and Identity Identity and capabilities Server Client Supported Cypher Suites
  • 10. | ©2021 F5 10 CONFIDENTIAL Establishing Capabilities and Identity Identity and capabilities Server Client Supported Cypher Suites Identity ECDHE-RSA-AES256-GCM-SHA384 RSA
  • 11. | ©2021 F5 11 CONFIDENTIAL Creating a Shared Key Identity and capabilities Key ‘exchange’ Server Client ECDHE-RSA-AES256-GCM-SHA384 Public Value Public Value Random Secret Random Secret Public Value Public Value Public Value Public Value Intermediate Intermediate
  • 12. | ©2021 F5 12 CONFIDENTIAL Creating a Shared Key Identity and capabilities Key ‘exchange’ Server Client ECDHE-RSA-AES256-GCM-SHA384 Random Secret Random Secret Intermediate Intermediate
  • 13. | ©2021 F5 13 CONFIDENTIAL Bulk Encryption Identity and capabilities Key ‘exchange’ Bulk encryption Server Client ECDHE-RSA-AES256-GCM-SHA384
  • 14. | ©2021 F5 14 CONFIDENTIAL Protocol == Control of Operations THE SSL/TLS PROTOCOL SETTING IS THE CONTROL STREAM Identity and capabilities Key ‘exchange’ Bulk encryption Server Client SSL1 SSL2 SSL3 TLS1 TLS1.1 TLS1.2 TLS1.3
  • 15. | ©2021 F5 15 Eliminates known insecure key ciphers Mandates forward secrecy Mandates more secure bulk encryption Signs whole handshake CONFIDENTIAL Why Use TLS 1.3? LATEST AND GREATEST SAFER Reduced handshakes in TLS session setup 0-RTT connections for session resumption Simpler cipher suites, fewer possible combinations FASTER 63% of Servers prefer TLS 1.3* *F5 TLS Telemetry report 2021
  • 16. | ©2021 F5 16 SSL Certificates CONFIDENTIAL
  • 17. | ©2021 F5 17 CONFIDENTIAL What is an SSL Certificate used for? Establish Identity Certificate contains identity information and is signed by a trusted Certificate Authority Signing Communications A client can verify that data was sent from the server by using the public key in the SSL certificate to decrypt it
  • 18. | ©2021 F5 18 CONFIDENTIAL SSL for Identity Verification Certificate from NGINX.com Root Certificate Authority (Balitmore Cybertrust) Intermediate Certificate (Cloudflare.com) Signs Signs Certificate Chain
  • 19. | ©2021 F5 19 CONFIDENTIAL Certificates Self Signed CA Signed Self CA Signed Generate your own Obtain from a CA Create your CA Create your cert Certificate Warnings No warnings No warnings on browsers with your root CA Dev/Test Production Internal prod/QA
  • 20. | ©2021 F5 20 NGINX SSL Configuration CONFIDENTIAL
  • 21. | ©2021 F5 21 CONFIDENTIAL NGINX Config Overview http{ # HTTP block sets global http values server { # server block defines an individual config } upstream { # upstream block defines backend servers } } Server and upstream blocks are usually contained in separate files and incorporated using the include directive
  • 22. | ©2021 F5 22 CONFIDENTIAL NGINX SSL Configuration server { listen 443 ssl; server_name www.example.com; ssl_certificate ssl/www.example.com.crt; ssl_certificate_key ssl/www.example.com.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256; … Server Name – needs to match certificate* SSL Certificate and key name Allowable protocols Cipher string for for TLS 1.2 Port to listen on and protocol Cipher string for TLS 1.3
  • 23. | ©2021 F5 23 CONFIDENTIAL ssl_ciphers Explained HIGH:!aNULL:!MD5; Use the high strength set of ciphers Explicitly exclude (!) any cipher suite offering no authentication Explicitly exclude (!) any cipher suite using MD5 for hashing See what cipher strings will be listed: openssl ciphers -V 'HIGH:!aNULL:!MD5'
  • 24. | ©2021 F5 24 CONFIDENTIAL ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256 Protocol Bulk Encryption Key Derivation TLS 1.3 has 5 recommended cipher suites (37 in TLS1.2),(319 for backward compatibility!)
  • 25. | ©2021 F5 25 Demo Time CONFIDENTIAL
  • 26. | ©2021 F5 26 CONFIDENTIAL Environment Me NGINX Proxy NGINX Webserver HTTPS 443 HTTPS 443 HTTP 8080
  • 27. | ©2021 F5 27 Other Settings: CONFIDENTIAL
  • 28. | ©2021 F5 28 CONFIDENTIAL Redirect HTTP to HTTPS server { listen 80; listen [::]:80; server_name example.com www.example.com; return 301 https://example.com$request_uri; } Add an additional server block listening on port 80, and return a HTTP redirect response to any request:
  • 29. | ©2021 F5 29 CONFIDENTIAL Improving SSL Security - Key Exchange Parameters Increase the size of one of the known parameters to 4096 bytes: Generate the key: SSL_Demo> sudo openssl dhparam -out /etc/nginx/ssl/dhkey4096.pem 4096 Add the value to the NGINX config: ssl_certificate www.example.com.crt; ssl_certificate_key www.example.com.key; ssl_dhparam /etc/ssl/dhkey4096.pem;
  • 30. | ©2021 F5 30 Add Strict Transport Security headers: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; This informs a browser that a site should ONLY be accessed over HTTPS. Increase the timeout and set a session cache ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; CONFIDENTIAL Additional Security and Performance Settings
  • 31. | ©2021 F5 31 NGINX Security Products CONFIDENTIAL
  • 32. | ©2021 F5 32 NGINX App Protect DoS Protection against a range of DoS attacks, including hard-to-spot low and slow attacks NGINX App Protect WAF Powerful defense against layer 7 attacks Based on F5’s leading application layer firewall NGINX Kubernetes Ingress Controller Ingress control for Kubernetes, with added encryption, authentication and WAF. CONFIDENTIAL NGINX Security Products BUILT ON NGINX PLUS
  • 34. | ©2021 F5 34 CONFIDENTIAL Useful Resources Private Keys https://www.nginx.com/blog/secure-distribution-ssl-private-keys-nginx/ Cipher Suites https://www.youtube.com/watch?v=ZM3tXhPV8v0 Key Exchange https://www.youtube.com/watch?v=pa4osob1XOk TLS 1.3 https://www.nginx.com/blog/nginx-plus-r17-released/#r17-tls13