Manage App Security

Overview

You can use the App Security add-on for NGINX Controller ADC to enable Web Application Firewall (WAF) capabilities to protect your applications. WAF lets you flag or block suspicious requests or attacks. WAF can be added to individual app components.

Important:
App Security is an add-on for the NGINX Controller Application Delivery Module. It is not included with the NGINX Controller API Management Module and cannot be added to API Components.

Before You Begin

Before proceeding with this guide, complete the following tasks.

Note:
These steps may need to be completed by a user with admin permissions.

  1. Add an NGINX App Protect instance to NGINX Controller.

In addition, the following resources must exist in order to complete the steps in this topic:

Enable WAF for a Component

To enable WAF for an app component, send a POST or PUT request to the Components endpoint and include the following `security` block inside the component's `desiredState`:

        "security": {
            "waf": {
                "isEnabled": true
            }
        }

Placed in a complete component definition, the block sits alongside `ingress` and `backend`, as in the following example:

{
    "metadata": {
        "name": "secure",
        "displayName": "protected web server",
        "description": "ProtectedWeb Server",
        "tags": [
            "dev",
            "protected"
        ]
    },
    "desiredState": {
        "ingress": {
            "gatewayRefs": [
                {
                    "ref": "/services/environments/dev/gateways/dev-gw"
                }
            ],
            "uris": {
                "/secure": {
                    "matchMethod": "PREFIX"
                }
            }
        },
        "security": {
            "waf": {
                "isEnabled": true
            }
        },
        "backend": {
            "ntlmAuthentication": "DISABLED",
            "preserveHostHeader": "DISABLED",
            "workloadGroups": {
                "farm": {
                    "locationRefs": [
                        {
                            "ref": "/infrastructure/locations/unspecified"
                        }
                    ],
                    "loadBalancingMethod": {
                        "type": "ROUND_ROBIN"
                    },
                    "uris": {
                        "http://{{workload-1}}:8080": {
                            "isBackup": false,
                            "isDown": false,
                            "isDrain": false,
                            "resolve": "DISABLED"
                        },
                        "http://{{workload-2}}:8080": {
                            "isBackup": false,
                            "isDown": false,
                            "isDrain": false,
                            "resolve": "DISABLED"
                        },
                        "http://{{workload-3}}:8080": {
                            "isBackup": false,
                            "isDown": false,
                            "isDrain": false,
                            "resolve": "DISABLED"
                        },
                        "http://{{workload-4}}:8080": {
                            "isBackup": false,
                            "isDown": false,
                            "isDrain": false,
                            "resolve": "DISABLED"
                        }
                    }
                }
            }
        },
        "logging": {
            "errorLog": "ENABLED",
            "accessLog": {
                "state": "DISABLED",
                "format": ""
            }
        }
    }
}

Verify that WAF is Enabled

Complete the tasks in this section to verify that the Web Application Firewall is active and processing traffic.

To verify that WAF has been enabled by NGINX Controller App Security for your app component, send a GET request that carries an obviously malicious payload (a script tag in a query parameter) to the component through its gateway.

Example: GET https://[gateway FQDN]<app component path>/?a=<script>

Note:
The WAF does not begin to emit security events immediately upon activation. We recommend that you wait a minute or two after enabling WAF for your Component to query the REST API for security events.

The request should be blocked. You can then view the Security Violation event for the request using the Analytics Events API or the Security Events view in the web interface. Both procedures are described below.

Note:
The [gateway FQDN] is the URI specified in the ingress block of the Gateway referenced by the app component. The <app component path> is the URI specified in the ingress block of the app component.

Take the steps below to review the WAF Security Events that correspond to the simulated malicious request.

  1. Open the NGINX Controller user interface and log in.
  2. Select the NGINX Controller menu icon, then select Services.
  3. On the Services menu, select Apps.
  4. On the Analytics sub-menu, select Security Events.
  5. If the list shows a security violation for your test request, together with its outcome (for example, blocked), App Protect and WAF are running.

To view all events:

  1. Open the NGINX Controller user interface and log in.
  2. Select the NGINX Controller menu icon, then select Analytics.
  3. On the Analytics menu, select Events.
  4. Select All Events to see the security violations and their status. A status of Flagged or Rejected confirms that App Protect and WAF are running.

Note:
If NGINX Controller isn't logging any Security Violation Events for your app component, see Security Events Not Available for troubleshooting instructions.

Disable WAF for Component

To disable WAF for an app component, send a POST or PUT request to the Components endpoint with `isEnabled` set to `false` in the same `security` block:

        "security": {
            "waf": {
                "isEnabled": false
            }
        }

You can also disable WAF by removing the `waf` block from the component definition and submitting the updated definition to the Components endpoint. Note that a component with no `waf` block is unprotected, so treat an absent block the same as `isEnabled: false` when auditing component definitions.
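The following script ties the three procedures on this page together: it toggles the `security.waf.isEnabled` flag on a component definition, sends the `?a=<script>` probe through the gateway, and classifies the answer. It is an added example written for this page, not code from the NGINX Controller documentation or from F5. The login path `/api/v1/platform/login`, the component path `/api/v1/services/environments/{env}/apps/{app}/components/{name}`, and the assumption that the default App Protect block page contains the text "The requested URL was rejected" plus a Support ID (a custom policy may return 403 instead) are assumptions; check them against your Controller's API reference before relying on the script.

```python
"""Enable WAF on an NGINX Controller app component, probe it, disable it.

Added example for this page; not the product's own code. Assumed (verify
against your Controller API reference):
  - POST /api/v1/platform/login with BASIC credentials sets a session cookie;
  - components live at /api/v1/services/environments/{env}/apps/{app}/components/{name};
  - the default App Protect block page carries "The requested URL was rejected"
    and a Support ID; a custom policy may answer 403 instead.
"""
import copy
import http.cookiejar
import json
import os
import re
import ssl
import sys
import time
import urllib.error
import urllib.request

LOGIN_PATH = "/api/v1/platform/login"                       # assumption
COMPONENT_TMPL = "/api/v1/services/environments/{env}/apps/{app}/components/{name}"  # assumption


def set_waf(component: dict, enabled: bool) -> dict:
    """Return a copy with desiredState.security.waf.isEnabled set; input untouched."""
    updated = copy.deepcopy(component)
    desired = updated.setdefault("desiredState", {})
    desired.setdefault("security", {}).setdefault("waf", {})["isEnabled"] = enabled
    return updated


def remove_waf(component: dict) -> dict:
    """Return a copy without the waf block (the page's second way to disable WAF)."""
    updated = copy.deepcopy(component)
    updated.get("desiredState", {}).get("security", {}).pop("waf", None)
    return updated


def waf_enabled(component: dict) -> bool:
    """A missing or malformed block counts as disabled; absence is never protection."""
    waf = component.get("desiredState", {}).get("security", {}).get("waf", {})
    return waf.get("isEnabled") is True


def probe_url(gateway_fqdn: str, component_path: str) -> str:
    """The page's smoke test: <gateway FQDN><app component path>/?a=<script>."""
    return f"https://{gateway_fqdn}{component_path.rstrip('/')}/?a=<script>"


def classify_probe(status: int, body: str) -> str:
    """'blocked' for the default block page or a 403, otherwise 'passed'."""
    if status == 403 or "requested URL was rejected" in body:
        return "blocked"
    return "passed"


def support_id(body: str):
    """Support ID from the block page; it matches support_id in the security event."""
    m = re.search(r"support ID is:\s*(\d+)", body, re.IGNORECASE)
    return m.group(1) if m else None


def probe(url: str, ctx: ssl.SSLContext):
    """Send the probe and return (status, body); 403 arrives as an HTTPError."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-probe"})
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


class Controller:
    def __init__(self, base_url: str, verify_tls: bool = True):
        self.base = base_url.rstrip("/")
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab only: Controller or gateway with a self-signed cert
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),
            urllib.request.HTTPSHandler(context=self.ctx))

    def call(self, method: str, path: str, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with self.opener.open(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def login(self, user: str, password: str):
        self.call("POST", LOGIN_PATH, {"credentials": {
            "type": "BASIC", "username": user, "password": password}})


def main():
    base, user, pw = (os.environ[k] for k in ("CTLR_URL", "CTLR_USER", "CTLR_PASS"))
    env, app, name, gateway_fqdn = sys.argv[1:5]   # e.g. dev myapp secure gw.example.com
    ctlr = Controller(base, verify_tls=os.environ.get("CTLR_INSECURE") != "1")
    ctlr.login(user, pw)
    path = COMPONENT_TMPL.format(env=env, app=app, name=name)
    _, comp = ctlr.call("GET", path)
    # Resend only user-owned metadata plus desiredState; server-managed fields stay out.
    body = {"metadata": {k: v for k, v in comp["metadata"].items()
                         if k in ("name", "displayName", "description", "tags")},
            "desiredState": comp["desiredState"]}
    ctlr.call("PUT", path, set_waf(body, True))
    time.sleep(90)  # the page says events lag activation by a minute or two
    url = probe_url(gateway_fqdn, next(iter(body["desiredState"]["ingress"]["uris"])))
    status, text = probe(url, ctlr.ctx)
    print(classify_probe(status, text), "support id:", support_id(text))
    if "--disable" in sys.argv:
        ctlr.call("PUT", path, set_waf(body, False))


if __name__ == "__main__":
    main()
```

Run it as `CTLR_URL=https://controller.example CTLR_USER=... CTLR_PASS=... python waf_toggle.py dev myapp secure gw.example.com`. The Support ID printed by the block page is the value to search for in Security Events when correlating the probe with its event, and `waf_enabled` deliberately returns `False` for a component that has no `waf` block at all, so an audit over many component definitions never mistakes an omitted block for protection.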


This documentation applies to the following versions of NGINX Controller Documentation: 3.11, 3.12, 3.13, 3.14, 3.15 and 3.16.