Security rules the day in version 10 of Nginx's enterprise-level web server, which features enhancements, including a web application firewall.
For application security, version 10 features an Nginx-native version of the ModSecurity WAF module, which Nginx co-developed with Trustwave. The firewall, which is the first Nginx-supported WAF for the web server, uses heuristics and signatures to identify bad traffic for users to either drop or log for inspection.
A preview version of the WAF module ships with the version 10 release. "We will offer full support for users who want to evaluate and ultimately deploy that module," said Owen Garrett, Nginx head of products. The company also will keep working with Trustwave to add Nginx-specific features and improve performance. Nginx has tested the module to ensure it works correctly with the Nginx core, but the company recommends users test it thoroughly before putting it into production.
Version 10 also backs Oauth 2 and OpenID authentication standards, via JSON Web Tokens. "[This support] allows Nginx to verify the traffic that's been authenticated and to extract information about the user who sends the requests from the authentication token," Garrett said. Dual-stack ECC-RSA (Elyptic Curve Cryptography) traffic encryption, meanwhile, improves performance over legacy RSA certificates while maintaining backward compatibility. website owners can handle more SSL transactions, and Garrett noted that "ECC certificates are up to five times faster than RSA certificates."
IP transparency and DSR load-balancing in release 10 help support a broader range of applications, Nginx said. IP transparency has the original client IP address passed to the back-end service, which is now required for many applications. DSR load balancing, meanwhile, suits latency-sensitive and real-time applications. In DSR load balancing, the web server makes the first decision on load balancing, with the server responding directly to the client afterward. With DSR, UDP traffic can bypass the load balancer to improve performance.
Nginx has been a rising star among web servers. Introduced in 2002, it used at nearly 31 percent of the top 10 million websites known by researcher W3Techs, behind only the Apache web server, which is used at 52 percent of sites and debuted in 1995.
This story, "Nginx web server upgrade focuses on web security, JS configuration" was originally published by InfoWorld.