Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX Open Source

Dynamic SSL Certificates and Other
New Features in NGINX Plus R18
and NGINX Open Source

Faisal Memon
Software Engineer, NGINX
Formerly:
• Product Marketing Manager, NGINX
• Sr. Technical Marketing Engineer, Riverbed
• Software Engineer, Cisco
Interests:
• Surfing
• Yoga
• Raspberry Pi tinkering
• Trying to figure out the real estate market
Who am I?

NGINX + F5: Complementary Approaches
Open Source-Driven
375M websites powered worldwide
66% of the 10,000 busiest sites
90M downloads per year
Enterprise-Driven
25,000 customers worldwide
49 of the Fortune 50
10 of the world’s top 10 brands

What is NGINX?
Internet
Web Server
Serve content from disk
Reverse Proxy
FastCGI, uWSGI, gRPC…
Load Balancer
Caching, SSL termination…
HTTP traffic
- Basic load balancer
- Content Cache
- Web Server
- Reverse Proxy
- SSL termination
- Rate limiting
- Basic authentication
- 7 metrics
NGINX Open Source NGINX Plus
+ Advanced load balancer
+ Health checks
+ Session persistence
+ Least time alg
+ Cache purging
+ HA/Clustering
+ JWT Authentication
+ OpenID Connect SSO
+ NGINX Plus API
+ Dynamic modules
+ 90+ metrics

Previously on…
• TLS 1.3 support
• Two Stage Rate Limiting
• Easier OpenID Connect Configuration *
• 2x faster ModSecurity Performance
• NGINX Ingress Controller for Kubernetes 1.4.0
* NGINX Plus Exclusive feature
7
Watch On Demand:
nginx.com/resources/webinars/tls-1-3-new-features-nginx-plus-r17-nginx-open-source/

Agenda
• Dynamic SSL Certificates
• OpenID Connect Enhancements
• Listen Port Ranges, FTP Proxy Support
• Key-Value Definition in the Configuration
• Greater Flexibility for Active Health Checks
• NGINX JavaScript Module and other updates
• Demo
• Summary and Q&A

Standard SSL Configuration
server {
listen 443 ssl;
ssl_certificate cert.crt;
ssl_certificate_key cert.key;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
• Manually specify each certificate and key to be
loaded from disk
• If you have a 1,000+ certificates:
• Need to specify 1,000+ cert/key pairs
• Long load and reload times
• High memory consumption during reload
• Adding new site means updating config and reload

SSL Configuration using SNI
server {
listen 443 ssl;
ssl_certificate $ssl_server_name.crt;
ssl_certificate_key $ssl_server_name.key;
location / {
}
}
• $ssl_server_name holds hostname
requested through SNI
• Files will be loaded on demand
• Single configuration for all SSL-enabled sites
• To create a new site, simply upload the
appropriately named cert/key pair, no reloads
• Up to 30% performance penalty to load
certificate from disk. Uses OS file cache to
improve performance.

SSL Configuration using Key-Value Store
keyval_zone zone=ssl_crt:10m;
keyval $ssl_server_name $crt_pem zone=ssl_crt;
keyval_zone zone=ssl_key:10m;
keyval $ssl_server_name $key_pem zone=ssl_key;
server {
listen 443 ssl;
ssl_certificate data:$crt_pem;
ssl_certificate_key data:$key_pem;
location / {
}
}
• data: means the following variable holds the
certificate or key in memory.
• $crt_pem and $key_pem are looked up
from the Key-Value Store using
$ssl_server_name
• Key-Value Store can be programmed through
the NGINX Plus API for automated provisioning
• Ideal for short-lived certificates or integrations
with issuers such as Let’s Encrypt and
Hashicorp Vault.
* NGINX Plus exclusive

NGINX Plus JWT Authentication
Support timeline:
• R10 -- Initial support for native JWT authentication
added
• R12 -- Support for custom fields
• R14 -- Support for nested claims
• R15 -- Support for OpenID Connect SSO. Link to
Okta, OneLogin, PingIdentity, etc.
• R17 -- Support for fetching JWK from URL
• R18 – Support for opaque session tokens, refresh
tokens, and a logout URL for OpenID ConnectJWTAuthentication and OpenID Connect SSO are
exclusive to NGINX Plus

New OpenID Connect Features
• Opaque Session Tokens – Can now authenticate clients with opaque session tokens in the
form of a browser cookie. Opaque tokens contain no personally identifiable information about
the user.
• Refresh Tokens – New support for refresh tokens so that expired ID tokens are seamlessly
refreshed. NGINX Plus stores the refresh token in the key-value store and associates it with
the opaque session token. When the ID token expires, NGINX Plus sends the refresh token to
the authorization server. If the session is still valid, the authorization server issues a new ID
token.
• Logout URL -- When logged-in users visit the /logout URI, their ID and refresh tokens
are deleted from the key-value store, and they must reauthenticate when making a future
request.

Listen Port Ranges and FTP Proxying
server {
listen 21; # FTP control port
listen 40000-45000; # Data port range
proxy_pass <FTP-server>:$server_port;
}
• Previously could only specific a single port per
listen directive
• Multiple ports required multiple listen
directives
• Now can specify a range of ports
• Passive FTP opens up data port amongst a
large range of ports

Key-Value Definition in Configuration
keyval_zone zone=recents:10m timeout=2m;
keyval $remote_addr $last_uri zone=recents;
server {
listen 80;
location / {
set $last_uri $uri;
proxy_pass http://my_backend;
}
}
• Previously only way to update the Key-Value
Store was with NGINX Plus API
• Now can be updated by using the set directive
• $last_uri holds key-value entry with last
URI accesses by IP address
• set over writes with last URI. If no entry
present, it creates it
$ curl http://localhost:8080/api/4/http/keyvals/recents
{
"10.19.245.68": "/blog/nginx-plus-r18-released/",
"172.16.80.227": "/products/nginx/",
"10.219.110.168": "/blog/nginx-unit-1-8-0-now-available”
}

New require Directive
map $upstream_http_cache_control $has_cache_control {
"" 0;
default 1;
}
map $upstream_http_expires $is_cacheable {
"" $has_cache_control;
default $upstream_http_expires;
}
match cacheable {
require $is_cacheable;
status 200;
}
server {
listen 80;
location / {
health_check uri=/ match=cacheable;
proxy_pass http://my_backend;
}
}
• New require directive requires all specified
variables to be non-zero for health check to
pass
• In this example we look for the presence of
Cache-Control headers
• Passed server has Cache-Control header
OR non-zero Expires header

New proxy_session_drop Directive
server {
listen 12345;
proxy_pass my_tcp_backend;
health_check;
proxy_session_drop on;
}
• Previously when using NGINX to reverse proxy
TCP/UDP, backend server’s health status is
considered only for new connections.
• With new proxy_session_drop directive
enabled you can immediately close the
connection when the next packet is received
from, or sent to, the offline server.

NGINX JavaScript updates
export default {maskIp}; // Only expose maskIp()
function maskIp(addr) { // Public (exported) function
return i2ipv4(fnv32a(addr));
}
• Previously, all JavaScript code had to reside in a
single file.
• With new import and export JavaScript
modules, code can be organized into multiple
function-specific files.
• New js_path directive sets additional
directories to search
import masker from 'mask_ip_module.js';
function maskRemoteAddress(r) {
return(masker.maskIp(r.remoteAddress));
}
js_include main.js;
js_path /etc/nginx/njs_modules;
js_set $remote_addr_masked maskRemoteAddress;
log_format masked '$remote_addr_masked ...

Additional features
• Clustering Enhancement – A single zone_sync configuration can now be used for all instances in a
cluster with the help of wildcard support in the listen directive. (NGINX Plus exclusive)
• New Variable -- $upstream_bytes_sent, contains number of bytes sent to an upstream server.
• NGINX Ingress Controller for Kubernetes – Can now be installed directly from our new Helm
repository, without having to download Helm chart source files.
• New/Updated Dynamic Modules –
◦ Brotli (New): A general-purpose, lossless data compression algorithm.
◦ OpenTracing (New): Ability to instrument NGINX Plus with OpenTracing-compliant requests for a range of distributed
tracing services, such as Datadog, Jaeger, and Zipkin.
◦ Lua (Updated): A scripting language for NGINX Plus, updated to use LuaJIT 2.1.
24

Summary
• SSL certificates can be dynamically loaded using SNI hostname
• SSL certificates can be added dynamically using the NGINX Plus API
• The listen directive now accepts port ranges, enabling FTP proxy support
• Key-Value pairs can now be set directly in NGINX Plus configuration
• New require directive for health checks can test the value of NGINX Plus variables
to fail/pass servers
• NGINX JavaScript module supports import and export for better code organization

Q & ATry NGINX Plus and NGINX WAF free for 30 days: nginx.com/free-trial-request

Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX Open Source

Recommended

More Related Content

What's hot (20)

Similar to Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX Open Source (20)

More from NGINX, Inc. (20)

Recently uploaded (20)

Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX Open Source