TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source

TLS 1.3 and Other New Features in
NGINX Plus R17 and NGINX Open
Source

Faisal Memon
Product Marketing Manager, NGINX
Formerly:
• Sr. Technical Marketing Engineer, Riverbed
• Technical Marketing Engineer, Cisco
• Software Engineer, Cisco
Who am I?

What is NGINX?
Internet
Web Server
Serve content from disk
Reverse Proxy
FastCGI, uWSGI, gRPC…
Load Balancer
Caching, SSL termination…
HTTP traffic
- Basic load balancer
- Content Cache
- Web Server
- Reverse Proxy
- SSL termination
- Rate limiting
- Basic authentication
- 7 metrics
NGINX Open Source NGINX Plus
+ Advanced load balancer
+ Health checks
+ Session persistence
+ Least time alg
+ Cache purging
+ HA/Clustering
+ JWT Authentication
+ OpenID Connect SSO
+ NGINX Plus API
+ Dynamic modules
+ 90+ metrics

Previously on…
• Global rate limiting *
• Cluster-aware key-value store *
• Random with Two Choices algorithm
• Enhanced UDP load balancing
• PROXY Protocol v2
• AWS PrivateLink Support *
* NGINX Plus Exclusive feature
4

Agenda
• TLS 1.3
• Two Stage Rate Limiting
• Easier OpenID Connect Configuration
• 2x Faster ModSecurity Performance
• NGINX Ingress Controller for Kubernetes 1.4.0
• Demo
• Summary and Q&A

TLS 1.3 Overview
• Ratified in October 2018, RFC 8446
• Ten years since TLS 1.2. Numerous vulnerabilities:
◦ FREAK
◦ Heartbleed
◦ Poodle
◦ ROBOT
◦ SLOTH
• TLS 1.3 is faster and more secure than TLS 1.2
• Not supported by F5 BIG-IP
6

FREAK
• With FREAK, a man-in-the-middle could downgrade the cipher to something weaker
• TLS 1.3 removes all the weaker Export ciphers and signs the entire key exchange7

TLS 1.3: Addition by Subtraction
Removed in TLS 1.3:
• AES-CBC
• Arbitrary Diffie-Hellman groups
• Export ciphers
• DES/3DES
• MD5
• PKCS#1 v1.5 padding
• RC4
• RSA key transport (DH mandatory)
• SHA-1
8
5 supported ciphers in TLS 1.3:
• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256
• TLS_AES_128_GCM_SHA256
• TLS_AES_128_CCM_8_SHA256
• TLS_AES_128_CCM_SHA256

TLS 1.3: Improved Handshake
TLS 1.3 improves performance by reducing the number of round trips to set up a secure connection
9

TLS 1.3: 0-RTT Mode
TLS 1.3 enables fast resumption of TLS sessions
10

TLS 1.3: 0-RTT Mode
TLS 1.3 Potential replay attack
11

TLS 1.3 Support
• Requires Open SSL 1.1.1
• Supported OS: Ubuntu 18.10, FreeBSD 12.0, Alpine 3.9
◦ Debian 10 will have OpenSSL 1.1.1 when released later this year
• Supported browsers: Chrome 70, Firefox 63
◦ Not supported by Safari yet
◦ Latest status info: caniuse.com/#feat=tls1-3
12

TLS 1.3 NGINX Config
• We recommend to include
TLSv1.2 because not all
browsers support TLS 1.3
• NGINX uses TLS 1.3 if client
supports it, and TLS 1.2 if
not.
• ssl_early_data enables 0-
RTT mode
• Use $ssl_early_data to
have backend server drop potential
replay packets
13
server {
listen 443 ssl;
ssl_certificate /etc/ssl/my_site_cert.pem;
ssl_certificate_key /etc/ssl/my_site_key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_early_data on; # Enable 0-RTT (TLS 1.3)
location / {
proxy_pass http://my_backend;
proxy_set_header Early-Data $ssl_early_data;
}
}

Rate Limiting in NGINX
• Follows the leaky bucket algorithm
• If the rate at which water is poured in
exceeds the rate at which it leaks, the
bucket overflows
• What to do with excessive requests?
• More info: nginx.com/blog/rate-
limiting-nginx/
15

Rate Limiting in NGINX
• Choices:
◦ Drop them immediately
◦ Queue and service them later
◦ Queue but service immediately
◦ Queue, service immediately up to a
point, then delay and service later
16

Two Stage Rate Limiting
17
limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;
server {
listen 80;
location / {
limit_req zone=ip burst=12 delay=8;
proxy_pass http://website;
}
}

NGINX Plus JWT Authentication
Support timeline:
• R10 -- Initial support for native JWT authentication
added
• R12 -- Support for custom fields
• R14 -- Support for nested claims
• R15 -- Support for OpenID Connect SSO. Link to
Okta, OneLogin, PingIdentity, etc.
• R17 -- Support for fetching JWK from URL
JWTAuthentication and OpenID Connect SSO are
exclusive to NGINX Plus

NGINX Plus JWT Config
• auth_jwt_key_request
initiates a subrequest to fetch
the JWKs from the server.
• Responses are cached.
• You can use NGINX cache
tuning tricks such as
proxy_cache_use_stale,
overring expiration headers, etc.
20
# Create directory to cache keys from IdP
proxy_cache_path /var/cache/nginx/jwk levels=1
keys_zone=jwk:1m max_size=10m;
server {
listen 80; # Use SSL/TLS in production
location / {
auth_jwt "closed site";
auth_jwt_key_request /_jwks_uri;
proxy_pass http://my_backend;
}
location = /_jwks_uri {
internal;
proxy_cache jwk; # Cache responses
proxy_pass https://idp.example.com/oauth2/keys;
}
}

NGINX WAF and ModSecurity 3.0
Layer 7 attack protection:
• SQL Injection
• Remote Code Execution
• Local File Include
• Remote File Include
• Cross—Site Scripting
• Cross Site Request Forgery
NGINX WAF and ModSecurity 3.0 are now 2x faster

NGINX Ingress Controller for Kubernetes 1.4.0
New features:
• TCP/UDP load balancing
• Extended Prometheus support
• Easy development of custom annotations
• Random with Two Choices load balancing
algorithm
Enterprise-grade application delivery for Kubernetes

Additional features
• TCP Keepalives to Upstreams -- New proxy_socket_keepalive directive toggles
TCP keepalives between NGINX and proxied server.
• Upstream HTTP Keepalive Timeout and Request Cap -- New keepalive_timeout directive sets
max idle time for keepalive connection between NGINX and proxied server.
• Finite Upstream UDP Session Size -- New proxy_requests directive sets max number of UDP
packets sent from NGINX to proxied server before new UDP “session” created.
• Enhancement to Cluster State Sharing -- When using state sharing in cluster, can
now do server name verification, using SNI to pass the server name when connecting
to cluster nodes. (NGINX Plus exclusive)
25

Summary
• New support for TLS 1.3 improves security and performance
• TLS 1.3 currently supported in Ubuntu 18.10, FreeBSD 12.0, Alpine 3.9.
• New two-stage rate limiting allows burst packets to be serviced with no delay up to a
point, then delayed, then dropped.
• NGINX Plus can now fetch JSON Web Keys from iDP making for easier OpenID
Connect configuration.
• NGINX WAF and ModSecurity 3.0 2x faster performance
• NGINX Ingress Controller for Kubernetes 1.4.0 adds TCP/UDP load balancing,
extended Prometheus support and additional new features.

Q & ATry NGINX Plus and NGINX WAF free for 30 days: nginx.com/free-trial-request

TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source

Ähnlich wie TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source (20)

Mehr von NGINX, Inc.

Mehr von NGINX, Inc. (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source

Hinweis der Redaktion