NGINX is one of the most popular images on Docker Hub and has been at the forefront of the web since the early 2000's. In this talk we will discuss how and why NGINX's lightweight and powerful architecture makes it a very popular choice for securing containerized applications as a sidecar reverse proxy within containers. We will highlight important aspects of application security that NGINX can help with, such as TLS, HTTP, AuthN, AuthZ and traffic control.Additional Sponsor InformationDuring our session we will be Raffling off a swag pack to live attendees. We'll also be offering 30% off our swag store that can be shared via social. Details below:URL: swag-nginx.com Code: DOCKERCON30 Value: 30% off

1. Securing Your Containerized
Applications with NGINX
Kevin Jones
Sr Product Manager
NGINX, now part of F5
@webopsx

2. • Benefits of a Reverse Proxy for Security
• NGINX Best Practices for TLS
• Running NGINX in Docker
• Q&A
Todays talk!

3. Benefits of a Reverse
Proxy
● HTTP Security and Façade Routing
● TLS Offload
● Authentication / Authorization Offload

4. HTTP Security & Façade Routing

5. ● Restrict Access to Specific URLs
● Intercept Response Headers from Upstream Servers
● Control Request Methods
● Control Domain Level Access
● Provide a Layer of Façade URLs for Routing to
Microservices
● Rewrite URLs for Backwards Compatibility
● API Version Control / Testing (A/B)
A Reverse Proxy can…

6. Service C
Service B
Service AService A
Login
Service
/login
:32706
Service B
Inventory
Service
/inventory
:32717
Service C
Partner
API
/api/beta
:32724
api.example.com
*:80
/api/v2/login
/api/v1/inventory
/admin/
partner.example.com
*:80
/api/v1
GET
Reverse Proxy /
Gateway
PUT
PATCH

7. Service C
Service B
Service AService A
Login
Service
/login
:32706
Service B
Inventory
Service
/inventory
:32717
Service C
Partner
API
/api/beta
:32724
api.example.com
*:80
/api/v2/login
/api/v1/inventory
/admin/
partner.example.com
*:80
/api/v1
Reverse Proxy /
GatewayNGINX Directive
server_name
listen
location
limit_except
proxy_pass
upstream
map
if
PUT
PATCH
GET

8. SSL/TLS

9. ● SSL/TLS Protocols
● Ciphers
● Sessions
● Certificate and Key Management
● OCSP
● Performance Degradation
● Security Vulnerabilities and Patching
Complexities of TLSComplexities of TLS RSA, DH, ECDH,
SRP, PSK??!

10. Let's Encrypt
● A Cron process can update
certificates and keys
NGINX
API
Cron (Certbot)
● The certificates and keys can be
stored on disk or in memory
depending on security
requirements
● If you are using NGINX,
certificates and keys can be
loaded from disk on demand
(lazy load)
● If using NGINX Plus, your
certificates and keys can be
stored in the NGINX Plus key-
value database

11. Authentication &
Authorization

12. ● Offload credential validation
● Intercept unauthenticated requests
● Support integration with an IDP or other
authentication flows
● Support multi factor requirements
● Once that client is validated, authorization provides
policy enforcement on specific HTTP access
Authentication and
Authorization

13. GET w/ JSON Web
Token
JSON Web Key
Payload
{
"alg": "HS256",
"typ": "JWT"
}
Header
{
"alg": "HS256",
"typ": "JWT"
}
Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzd
WIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gR
G9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.N3Hb-
h4CdvYDpm6iT-kQVAXt_q2vBnnZ-BDLfOPrd18

14. Raffle Time! Check the chat to
see if you've won!

15. NGINX Best Practices
For Configuring TLS

16. https://www.ssllabs.com/ssltest/

17. server {
listen 443 ssl default_server;
server_name example.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
# SSL protocols
ssl_protocols TLSv1.3 TLSv1.2;
# SSL ciphers
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-
SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
# DH parameters and curve
ssl_dhparam /path/to/dhparam.pem;
ssl_ecdh_curve secp384r1;
}
CODE EDITOR

18. Generate
stronger DH
parameters
• This will take a while, be
patient
• For highest security, It is
recommended to use a bit
length of 4096
CODE EDITOR
$ openssl dhparam -out /etc/ssl/certsdhparam.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
............+.......................+..................................................................
.........................................................................................................
...........................+............................................................................
............................................................+...........................................
.........................................................................................................
..................................................................................................+.....
.........+...........................+.................................................................

19. https://www.ssllabs.com/ssltest/

20. CODE EDITOR
server {
# HTTP STS
add_header Strict-Transport-Security "max-
age=31536000; includeSubDomains; preload" always;
}
Enable HTTP
Strict
Transport
Security
• Informs browsers to always
interact with your site over
HTTPS
• This will protect your site
against various attacks such as
downgrade attacks and
possible cookie hijacking

21. https://www.ssllabs.com/ssltest/

22. Deploying NGINX on
Docker

23. Service C
Service B
Service AService A
Login
Service
:32706
Service B
Inventory
Service
:32717
Service C
Partner
API
:32724
api.example.com
*:80 / *:443
/api/v2/login
/api/v1/inventory
/admin/
partner.example.com
:443
/api/v1
Reverse Proxy /
Gateway
api.example.com
*:80 / *:443
/api/v2/login
/api/v1/inventory
/admin
partner.example.com
:443
/api/v1

24. Configure
NGINX with
Docker Compose
• Configure services you want
to communicate thru NGINX
using "expose"
• Link your services together
with the "links" option
• Then publish your NGINX
service using the "ports"
mapping
CODE EDITOR
nginx:
build: ./nginx
container_name: nginx
restart: always
links:
- login
ports:
- "80:80"
volumes:
- ./etc/nginx/conf.d/server.conf:/etc/nginx/conf.d/server.conf
login:
build: ./login
container_name: login
restart: always
expose:
- "80"

25. NGINX
Configuration
CODE EDITOR
user nginx;
events {
worker_connections 1024;
}
http {
server {
listen 80;
location /login {
proxy_pass http://login:80;
}
}
}
Use the proxy_pass
directive to configure
NGINX to resolve the
embedded Docker DNS
server; this will support
any scaling of your
services while using
Docker Compose

26. Login
Servicelogin.example.com
Reverse Proxy
Inventory
Serviceinventory.example.com
Reverse Proxy
Partner
APIpartner.example.com
Reverse Proxy
Login
Service
127.0.0.1:9001login.example.com
Sidecar Proxy
Inventory
Service
127.0.0.1:7001inventory.example.com
Sidecar Proxy
Partner
API
127.0.0.1:5001partner.example.com
Sidecar Proxy
Sidecar
Proxy
Deploying NGINX as a
Sidecar Proxy provides
the ability to optimize
TLS, standardize on
HTTP protocol behavior
and offload functionality
that is already designed
into NGINX without the
need of developing it as
code, such as
authentication and
authorization

27. Sidecar Proxy
• Using proxy_pass you can
route requests to your
application listening on
localhost within the
container
CODE EDITOR
http {
server {
listen 80;
server_name partner.example.com;
location /api/v2 {
proxy_pass http://127.0.0.1:5001;
}
}
}
Partner
API
127.0.0.1:5001partner.example.com
Sidecar Proxy

28. Thank you for watching!
Visit https://swag-nginx.com
Use code: DOCKERCON30
For 30% off!
Questions?
kevin@nginx.com