TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA

TLS 1.3 and Other New
Features in NGINX Plus R17
and NGINX Open Source

What is NGINX?
Internet
Web Server
Serve content from disk
Reverse Proxy
FastCGI, uWSGI, gRPC…
Load Balancer
Caching, SSL termination…
HTTP traffic
- Basic load balancer
- Content Cache
- Web Server
- Reverse Proxy
- SSL termination
- Rate limiting
- Basic authentication
- 7 metrics
NGINX Open Source NGINX Plus
+ Advanced load balancer
+ Health checks
+ Session persistence
+ Least time alg
+ Cache purging
+ HA/Clustering
+ JWT Authentication
+ OpenID Connect SSO
+ NGINX Plus API
+ Dynamic modules
+ 90+ metrics

Previously on…
• Global rate limiting *
• Cluster-aware key-value store *
• Random with Two Choices algorithm
• Enhanced UDP load balancing
• PROXY Protocol v2
• AWS PrivateLink Support *
* NGINX Plus Exclusive feature
3

Agenda
• TLS 1.3
• Two Stage Rate Limiting
• Easier OpenID Connect Configuration
• 2x Faster ModSecurity Performance
• NGINX Ingress Controller for Kubernetes 1.4.0
• Demo
• Summary and Q&A

TLS 1.3 Overview
• Ratified in October 2018, RFC 8446
• Ten years since TLS 1.2. Numerous vulnerabilities:
◦ FREAK
◦ Heartbleed
◦ Poodle
◦ ROBOT
◦ SLOTH
• TLS 1.3 is faster and more secure than TLS 1.2
• Not supported by F5 BIG-IP
5

FREAK
• With FREAK, a man-in-the-middle could downgrade the cipher to something weaker
• TLS 1.3 removes all the weaker Export ciphers and signs the entire key exchange6

TLS 1.3: Addition by Subtraction
Removed in TLS 1.3:
• AES-CBC
• Arbitrary Diffie-Hellman groups
• Export ciphers
• DES/3DES
• MD5
• PKCS#1 v1.5 padding
• RC4
• RSA key transport (DH mandatory)
• SHA-1
7
5 supported ciphers in TLS 1.3:
• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256
• TLS_AES_128_GCM_SHA256
• TLS_AES_128_CCM_8_SHA256
• TLS_AES_128_CCM_SHA256

TLS 1.3: Improved Handshake
TLS 1.3 improves performance by reducing the number of round trips to set up a secure connection
8

TLS 1.3: 0-RTT Mode
TLS 1.3 enables fast resumption of TLS sessions
9

TLS 1.3: 0-RTT Mode
TLS 1.3 Potential replay attack
10

TLS 1.3 Support
• Requires Open SSL 1.1.1
• Supported OS: Ubuntu 18.10, FreeBSD 12.0, Alpine 3.9
◦ Debian 10 will have OpenSSL 1.1.1 when released later this year
• Supported browsers: Chrome 70, Firefox 63
◦ Not supported by Safari yet
◦ Latest status info: caniuse.com/#feat=tls1-3
11

TLS 1.3 NGINX Config
• We recommend to include
TLSv1.2 because not all
browsers support TLS 1.3
• NGINX uses TLS 1.3 if client
supports it, and TLS 1.2 if
not.
• ssl_early_data enables 0-
RTT mode
• Use $ssl_early_data to
have backend server drop
potential replay packets
12
server {
listen 443 ssl;
ssl_certificate /etc/ssl/my_site_cert.pem;
ssl_certificate_key /etc/ssl/my_site_key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_early_data on; # Enable 0-RTT (TLS 1.3)
location / {
proxy_pass http://my_backend;
proxy_set_header Early-Data $ssl_early_data;
}
}

Rate Limiting in NGINX
• Follows the leaky bucket algorithm
• If the rate at which water is poured
in exceeds the rate at which it leaks,
the bucket overflows
• What to do with excessive requests?
• More info:
nginx.com/blog/rate-limiting-
nginx/
14

Rate Limiting in NGINX
• Choices:
◦ Drop them immediately
◦ Queue and service them later
◦ Queue but service immediately
◦ Queue, service immediately up to a
point, then delay and service later
15

Two Stage Rate Limiting
16
limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;
server {
listen 80;
location / {
limit_req zone=ip burst=12 delay=8;
proxy_pass http://website;
}
}

NGINX Plus JWT Authentication
Support timeline:
• R10 -- Initial support for native JWT
authentication added
• R12 -- Support for custom fields
• R14 -- Support for nested claims
• R15 -- Support for OpenID Connect SSO.
Link to Okta, OneLogin, PingIdentity, etc.
• R17 -- Support for fetching JWK from URL
JWT Authentication and OpenID Connect
SSO are exclusive to NGINX Plus

NGINX Plus JWT Config
• auth_jwt_key_request
initiates a subrequest to
fetch the JWKs from the
server.
• Responses are cached.
• You can use NGINX cache
tuning tricks such as
proxy_cache_use_stale,
overring expiration
headers, etc.
19
# Create directory to cache keys from IdP
proxy_cache_path /var/cache/nginx/jwk levels=1
keys_zone=jwk:1m max_size=10m;
server {
listen 80; # Use SSL/TLS in production
location / {
auth_jwt "closed site";
auth_jwt_key_request /_jwks_uri;
proxy_pass http://my_backend;
}
location = /_jwks_uri {
internal;
proxy_cache jwk; # Cache responses
proxy_pass https://idp.example.com/oauth2/keys;
}
}

NGINX WAF and ModSecurity 3.0
Layer 7 attack protection:
• SQL Injection
• Remote Code Execution
• Local File Include
• Remote File Include
• Cross—Site Scripting
• Cross Site Request Forgery
NGINX WAF and ModSecurity 3.0 are now 2x faster

NGINX Ingress Controller for Kubernetes 1.4.0
New features:
• TCP/UDP load balancing
• Extended Prometheus support
• Easy development of custom
annotations
• Random with Two Choices load
balancing algorithm Enterprise-grade application delivery for Kubernetes

Additional features
• TCP Keepalives to Upstreams -- New proxy_socket_keepalive directive toggles
TCP keepalives between NGINX and proxied server.
• Upstream HTTP Keepalive Timeout and Request Cap --
New keepalive_timeout directive sets max idle time for keepalive connection
between NGINX and proxied server.
• Finite Upstream UDP Session Size -- New proxy_requests directive sets max
number of UDP packets sent from NGINX to proxied server before new UDP “session”
created.
• Enhancement to Cluster State Sharing -- When using state sharing in cluster, can
now do server name verification, using SNI to pass the server name when
connecting to cluster nodes. (NGINX Plus exclusive)
24

Summary
• New support for TLS 1.3 improves security and performance
• TLS 1.3 currently supported in Ubuntu 18.10, FreeBSD 12.0, Alpine 3.9.
• New two-stage rate limiting allows burst packets to be serviced with no
delay up to a point, then delayed, then dropped.
• NGINX Plus can now fetch JSON Web Keys from iDP making for easier
OpenID Connect configuration.
• NGINX WAF and ModSecurity 3.0 2x faster performance
• NGINX Ingress Controller for Kubernetes 1.4.0 adds TCP/UDP load
balancing, extended Prometheus support and additional new features.

Q & ATry NGINX Plus and NGINX WAF free for 30 days: nginx.com/free-trial-request

TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA

Similar to TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA (20)

More from NGINX, Inc.

More from NGINX, Inc. (20)

Recently uploaded

Recently uploaded (20)

TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA