Basic Security for Your Application with NGINX Balancer

January 20, 2015 | DevOps PaaS

As the amount of information shared over the Internet grows year after year, and as the Web is increasingly adopted as a means of doing business, protecting websites and web applications has become one of the major Internet security concerns. Threats come from different sources; the most common ones are cross-site scripting (an attack on the web application itself), SQL injection (an attack on the data inside a database) and phishing (an attempt to acquire sensitive information such as usernames, passwords or credit card details by masquerading as a trustworthy entity).
The obvious response is to deploy a variety of prevention tools, of varying complexity and cost, each intended to protect your application in one way or another. But before rushing to choose one, consider a few common security measures, because sometimes the most basic protection turns out to be the most effective.
In this article we’ll show you how to set up a couple of simple protection mechanisms that are available to any application using an NGINX balancer as its frontend, and whose implementation doesn’t require any additional cost. Remember that spending some time on your application’s security now can save you a lot of time and money later and, in any case, won’t do any harm.

Nginx Load Balancer

The protection methods described below are applied on the NGINX-balancer server, so let us say a few words about it before proceeding.
Load balancing is commonly used for optimizing resource utilization, maximizing throughput, reducing latency and ensuring fault-tolerant configurations. The NGINX balancer achieves this by distributing requests intelligently among the application server nodes, which improves the availability and reliability of the whole system. This server can be used for both HTTP and TCP traffic. For more information, visit the corresponding pages in our documentation:

An NGINX-balancer node is added to an environment automatically if you select more than one application server node, and it can also be added manually, even for a single server. To do this, just select the Balancing wizard block above the chosen application server in the Environment Topology window.

Security Methods

Now that the environment is ready, it’s time to reveal our methods:

  • Authentication protects application access with a password
  • IP Address Deny forbids application access from a particular IP address

We’ll also show how to combine the two methods so that they are used simultaneously. So, let’s find out how to implement this in your environment. Here we go!

Authentication

Authentication is a simple but powerful way to restrict application access and ensure that an unauthorised party can’t cause any harm to it. In this example, we’ll show you how to set up username/password protection.
1. Obviously, the password cannot be stored in plain text, so it needs to be protected itself. For that, generate a hash from the desired username and password using any htpasswd tool or one of the similar online services (for example, http://www.htpasswdgenerator.net/).
2. Save the character sequence you received and switch back to the Jelastic dashboard with your environment listed. There, click the Config button for the NGINX-balancer node.
3. The Configuration Manager tab opens; there you need to create a New file (using the button of the same name in the tools panel) inside the conf.d folder. Give it any name you like, but it must have the .htpasswd extension (e.g. password.htpasswd).
4. Paste the hash you received in the first step into the file’s content. You can add as many accounts as you need (just put each one on a new line).
Save the changes when all the settings are done.
5. Then open the nginx-jelastic.conf file inside the conf folder and find the location block in the first server section. Paste the following lines there to enable authentication and apply the appropriate access rules:
auth_basic           "closed site";
auth_basic_user_file /etc/nginx/conf.d/{htpasswd_file};
where {htpasswd_file} is the name of the file you put the password hash(es) into (in our case, password.htpasswd).

Note that we usually recommend making modifications in the nginx.conf file and keeping the contents of nginx-jelastic.conf as the default/backup settings. But in this case, since the required changes are rather simple and we know exactly what we are doing, it is easier to work directly with the nginx-jelastic file.

6. Save the changes once more and Restart the NGINX-balancer node.
7. Now, when you Open your application in a browser, you (and any other client) will have to pass the authentication prompt before reaching the application.
Once the appropriate credentials (i.e. the ones you generated the hash from) are entered, your application opens.

IP Address Deny

If you notice that a particular user is causing harm to your application, you can stop them by blocking all requests sent from that user’s IP address, thereby denying them access to your application. This is easily done by following the steps below.
1. Open the Jelastic dashboard with your environment and click the Config button for the NGINX-balancer node.
2. In the opened Configuration Manager tab, click the nginx-jelastic.conf file in the conf folder. Then find the location block inside the first server section and paste the following line there:
deny {IP_ADDRESS};
where {IP_ADDRESS} is the address you want to block from opening your application.

Note: You can also set this parameter to all, which means that no one will be able to access your application. In this case, it is useful to add an allow directive as well, which defines the IP address (or address range) you’d like to grant access to (place it before deny all, since NGINX applies the first matching address rule).

3. Save the changes and Restart your NGINX node using the appropriate buttons.
4. As a result, a user with a denied IP address will get a 403 Forbidden error when trying to access your application.

Methods Combination

To combine restriction by IP address with authentication, you’ll need to use the satisfy directive. By default (i.e. if not explicitly declared in the configuration) it is set to all, which means that a user must meet both conditions to be granted access.
If you add this directive to your configuration file and set its value to any, a user will be able to open the application if at least one of the conditions is satisfied. Here is an example of such a configuration:
(screenshot: protection methods combination)
Thus, an unauthenticated user is granted access if their IP address is among the allowed ones, and users with denied IP addresses can still access the website if they enter a valid username and password.
So now you know a few basic ways to protect your app by granting access permissions only to trusted users and denying them to untrusted, potentially dangerous ones. We hope this article is helpful for you (and you can easily test these security methods free of charge with our two-week trial period).
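The combined configuration described in the IP Address Deny and Methods Combination sections, written out as an added example (not the post’s own screenshot or file): it goes into the location block of the first server section of nginx-jelastic.conf. The 203.0.113.0/24 and 198.51.100.7 addresses are constructed placeholders, and the location’s existing proxy settings are assumed to stay in place below the added lines.

```nginx
# Added example: IP restriction combined with basic authentication
# inside the first server section of nginx-jelastic.conf.
server {
    listen 80;

    location / {
        # "any": a client gets in when EITHER the address rules OR the
        # password check passes. The default "all" requires both, so with
        # "all" a client on a denied address is refused even with valid
        # credentials, and a client on an allowed address is still asked
        # for a password.
        satisfy any;

        # Address rules are evaluated top to bottom; the first match wins,
        # so the allow lines must come before "deny all".
        allow 203.0.113.0/24;   # trusted office network (constructed)
        allow 198.51.100.7;     # a single trusted host (constructed)
        deny  all;              # everyone else falls through to auth_basic

        # Password check. Each line of the file is user:hash; the hash can
        # be generated locally with e.g. "openssl passwd -apr1" instead of
        # an online generator.
        auth_basic           "closed site";
        auth_basic_user_file /etc/nginx/conf.d/password.htpasswd;

        # ... the location's existing proxy_pass / upstream settings from
        # nginx-jelastic.conf remain here unchanged (assumed).
    }
}
```

A client that matches neither an allow rule nor supplies valid credentials receives 401 from auth_basic, while with the default satisfy all the address rules alone return 403 Forbidden as in the IP Address Deny section.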
Stay tuned for even more Jelastic awesome guides and news.