
NGINX Open-Source, NGINX Plus, and open-appsec WAF – Which Is Better?

NGINX is known for doing double duty as a web server and a load balancer while helping to keep customer workloads and applications available and intact. So it is no surprise that Bernardo Castro, a back-end developer and founder of Bybrand (a cloud-based software company), put it this way: "NGINX provides SME startups with excellent web server security solutions that are one-piece outfits – especially when they're counting their pennies."


This article is therefore aimed at DevOps, DevSecOps, and application security engineers in startups who are looking for low-cost, free, or open-source web security solutions that can serve as an effective one-piece web security outfit.


Here we'll talk about the features and benefits that make NGINX open-source and the open-appsec WAF (two open-source solutions) stand out. We will also compare these features with NGINX Plus to get the perspective of a paid tool.


We'll start by comparing the three software solutions.


What Is the Difference Between NGINX, NGINX Plus, and open-appsec WAF: A Tabular Comparison

Differentiating factor | NGINX open-source | NGINX Plus | open-appsec WAF
---|---|---|---
Primary function | Web server, load balancer, and reverse proxy | Web server, load balancer, and reverse proxy with commercial extensions | Web application firewall (WAF)
Machine-learning application security | Not available | Not available | Two machine learning models (one trained offline, one learning online) protect web apps and APIs
Intrusion prevention system | Not available | Not available | Snort 3.0 engine
Configuration method | Text configuration files (nginx.conf) | Text configuration files, plus a REST API and live dashboard | Declarative configuration files, or a web UI (SaaS)
Maintenance effort | New versions must be installed (via package manager or manually); there are no attack rules to maintain because there is no attack detection | Same as open-source; NGINX App Protect, if used, brings its own rule and signature updates | No threat signatures, rules, or exception lists to maintain; only the software itself is upgraded
Web application protection | Rate limiting and IP access control lists | Same as open-source; attack detection requires the separately licensed NGINX App Protect add-on | A standalone web application and API protection service that can be deployed wherever the application is hosted
Free version | Free | Free trial only | Free edition alongside a paid premium edition
Pricing | Free | From $3,675 per instance per year on an annual subscription; NGINX App Protect is charged separately | Free edition, a premium edition, and a pay-as-you-go model
Malicious bot prevention | Not available | Available only with the NGINX App Protect add-on | Machine learning models compare incoming requests with the characteristics of known malicious bots and of legitimate user behavior
Open source | Yes | No | Yes; the software has also been tested by independent third parties
Web latency | No measurable increase as a proxy | No measurable increase as a proxy | No increase in web latency reported
False positives | Not applicable (no attack detection engine) | Not applicable without App Protect | Strongly reduced by the two-model design
Zero-day detection | Not available | Not available | Machine learning models detect previously unseen attack payloads; the Snort 3.0 IPS adds signature-based coverage for known CVEs
Community and support | Large community and plentiful resources | Large user community plus vendor support | Medium-sized user community


What Is NGINX Open-Source?

This is an open-source software solution developed by the NGINX team and is best known as a web (HTTP) server, load balancer, and reverse proxy. Out of the box it offers rate limiting, IP-based access control lists, integration with many third-party modules, and dynamic module loading, and it is backed by a large community.


Features of NGINX


Load Balancer

In general, this feature improves the efficiency, performance, and reliability of your web app. NGINX distributes incoming traffic across a group of backend servers (an upstream) using load-balancing methods such as weighted round-robin (the default), least-connected, and hash-based selection. Adding servers to the upstream scales capacity horizontally and keeps the service available when an individual backend fails.

Session persistence (sticky sessions), where subsequent requests from a particular client are routed to the same backend, is available in the open-source edition through the ip_hash method (keyed on the client address) and the generic hash method (keyed on any variable, such as a session cookie). Cookie-based persistence with the sticky directive is an NGINX Plus feature.
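The upstream definitions below are an added example written for this article, not configuration taken from the NGINX project; the backend addresses, host name, and paths are assumptions. They show the three load-balancing methods named above, passive health parameters, and the two open-source ways of pinning a client to one backend.

```nginx
# Added example (not from the article): open-source NGINX load balancing.
# Backend addresses and hostnames are assumptions.
http {
    # Default method: weighted round-robin. max_fails/fail_timeout are the
    # passive health checks available in open-source NGINX.
    upstream app_rr {
        server 10.0.0.11:8080 weight=3 max_fails=3 fail_timeout=30s;
        server 10.0.0.12:8080 max_fails=3 fail_timeout=30s;
        server 10.0.0.13:8080 backup;     # used only when all others are down
    }

    # least_conn: new requests go to the backend with the fewest active
    # connections (better for long-running or uneven requests).
    upstream app_least_conn {
        least_conn;
        server 10.0.0.11:8080;
        server 10.0.0.12:8080;
    }

    # ip_hash: persistence keyed on the client address (first three octets
    # of an IPv4 address). Caveat: behind a CDN or another proxy every client
    # may share one source address, collapsing all traffic onto one backend.
    upstream app_ip_sticky {
        ip_hash;
        server 10.0.0.11:8080;
        server 10.0.0.12:8080;
    }

    # Generic hash: persistence keyed on a variable, here a session cookie;
    # "consistent" (ketama) minimises remapping when a backend is added.
    upstream app_cookie_sticky {
        hash $cookie_session consistent;
        server 10.0.0.11:8080;
        server 10.0.0.12:8080;
    }

    server {
        listen 80;
        server_name app.example.com;

        location / {
            proxy_pass http://app_least_conn;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Retry the next backend on connection errors or gateway 5xx
            proxy_next_upstream error timeout http_502 http_503;
        }

        location /account/ {
            proxy_pass http://app_cookie_sticky;
            proxy_set_header Host $host;
        }
    }
}
```

Validate with `nginx -t` before `nginx -s reload`; a syntax error in an upstream block is refused at test time rather than at traffic time.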


Reverse Proxy

NGINX can cache responses from your application, both static assets and cacheable dynamic pages, so that repeated requests are answered from the proxy and the backend sees less load and shorter response times. Separately, it can gzip outgoing HTML, CSS, and JavaScript to reduce the amount of data sent over the network.

It also terminates SSL/TLS on behalf of your servers and speaks HTTP/2 to clients as an HTTP/2 gateway, proxies gRPC traffic, and (in releases before 1.25.1) supports HTTP/2 server push, which has since been removed from NGINX.


HTTP/2 Gateway

In this role NGINX sits between clients and backend servers and translates between protocol versions: it accepts HTTP/2 (and HTTP/1.1) from clients and forwards requests to backends over HTTP/1.1, or passes gRPC (which runs over HTTP/2) straight through to a gRPC service. Because every request crosses the gateway, the same hop is where TLS termination, load balancing, caching, and access logging are applied, so older backends benefit from newer client protocols without changes.
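The configuration below is an added example for the reverse-proxy, caching, TLS, HTTP/2, and gRPC points above; it is not configuration from the NGINX project or the article. Certificate paths, backend addresses, and the gRPC service name are assumptions.

```nginx
# Added example (not from the article): reverse proxy with response caching,
# gzip, TLS 1.2/1.3 termination, HTTP/2 to clients, and gRPC pass-through.
# Paths, hostnames and backend addresses are assumptions.
http {
    # On-disk cache; keys_zone keeps cache metadata in shared memory.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=app_cache:10m
                     max_size=1g inactive=60m use_temp_path=off;

    # Compress text assets before they leave the proxy.
    gzip on;
    gzip_types text/css application/javascript application/json image/svg+xml;
    gzip_min_length 1024;

    upstream app_http { server 127.0.0.1:8080; }
    upstream app_grpc { server 127.0.0.1:50051; }

    server {
        listen 443 ssl;
        http2 on;                       # NGINX >= 1.25.1; older: "listen 443 ssl http2;"
        server_name app.example.com;

        ssl_certificate     /etc/nginx/certs/app.example.com.crt;
        ssl_certificate_key /etc/nginx/certs/app.example.com.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_cache   shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Static assets: cache 10 minutes; serve stale copies if the backend fails.
        location /static/ {
            proxy_cache app_cache;
            proxy_cache_valid 200 301 10m;
            proxy_cache_use_stale error timeout updating http_502 http_503;
            proxy_cache_lock on;        # one fetch per key on a cache miss
            add_header X-Cache-Status $upstream_cache_status;
            proxy_pass http://app_http;
        }

        # Dynamic pages: short cache, but never cache for authenticated users,
        # otherwise one user's page could be served to another.
        location / {
            proxy_cache app_cache;
            proxy_cache_valid 200 1m;
            proxy_cache_bypass $cookie_session;   # skip the cache when a session cookie is present
            proxy_no_cache    $cookie_session;    # and do not store such responses
            proxy_pass http://app_http;           # HTTP/1.1 to the backend; HTTP/2 ends here
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
        }

        # gRPC (HTTP/2) forwarded to a gRPC backend; the path is the service name.
        location /helloworld.Greeter/ {
            grpc_pass grpc://app_grpc;
        }
    }
}
```

The `proxy_cache_bypass`/`proxy_no_cache` pair is the part worth copying: caching in front of an application that personalises responses is a classic way to leak one user's data to another.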


Pros and Cons of Using NGINX

Pros | Cons
---|---
Dynamic module support allows functionality to be extended | No built-in application-layer attack detection (no WAF)
Basic web security controls (rate limiting, IP access control lists) at no cost | Dynamic content caching is limited and may need a dedicated cache such as Varnish Cache or Memcached
Fast page loads and high performance |
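The basic controls the article credits to open-source NGINX, rate limiting and IP access control lists, look like this in practice. This is an added example written for this article, not NGINX project configuration; the address ranges, paths, and backend are assumptions.

```nginx
# Added example (not from the article): rate limiting and IP access lists in
# open-source NGINX, applied to a login endpoint and an admin path.
# Address ranges, paths and the backend are assumptions.
http {
    # Per-client limit: 10 req/s average. Key on $binary_remote_addr (4 bytes)
    # rather than $remote_addr so the 10 MB zone holds ~160k addresses.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;
    # Tighter limit for a credential-guessing target.
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
    # Cap concurrent connections per client.
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    # Return 429 instead of the default 503 so clients and dashboards can
    # tell throttling apart from backend failure.
    limit_req_status 429;
    limit_conn_status 429;

    # If a load balancer sits in front, restore the real client address from
    # X-Forwarded-For, but only trust that header from the balancer's range.
    # Without this every request keys on the balancer's IP and the limit
    # becomes global; trusting it from anywhere lets clients spoof their key.
    set_real_ip_from 10.0.0.0/8;
    real_ip_header   X-Forwarded-For;
    real_ip_recursive on;

    server {
        listen 80;
        server_name app.example.com;

        location / {
            # burst=20 queues short spikes; nodelay serves them immediately
            limit_req zone=per_ip burst=20 nodelay;
            limit_conn conn_per_ip 20;
            proxy_pass http://127.0.0.1:8080;
        }

        location = /login {
            limit_req zone=login burst=5;     # excess requests are delayed, then rejected
            limit_req_log_level warn;         # rejected attempts show up in the error log
            proxy_pass http://127.0.0.1:8080;
        }

        location /admin/ {
            allow 10.1.2.0/24;                # office/VPN range (assumption)
            allow 127.0.0.1;
            deny  all;                        # everything else gets 403
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Two caveats a practitioner should keep in mind: per-IP keys are coarse (a whole office or carrier NAT shares one key), and none of this inspects request content, which is exactly the gap the WAF sections below are about.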

What Is NGINX Plus?



"I found the ability to implement advanced load balancing algorithms in NGINX Plus particularly useful."


NGINX Plus has all the basic features of NGINX open-source plus additional advanced features, as Daniel Chabert, founder of PurpleFire, a web development agency, notes in the quote above.


It is the paid version of NGINX open-source, though a free trial is available. It can be combined with NGINX App Protect, which is licensed separately. It shares the basic security controls of the open-source edition, such as rate limiting and TLS 1.3 support, and adds JSON Web Token (JWT) validation and OpenID Connect single sign-on (SSO), which handle authentication, authorization, and token verification at the proxy rather than in the application.

Features of NGINX Plus


Advanced Load Balancing Features

As Chabert mentioned, this is NGINX Plus' most outstanding feature. It offers TCP and UDP load balancing, cookie-based session persistence, active health checks, additional balancing methods such as least-time, and a RESTful configuration API. It also integrates with DNS service discovery (including SRV records) so that backends can be added or removed without reloading the configuration.


Live Monitoring and Logging

Simon Bacher, the CEO of Simya Solutions (an app development agency), insists that NGINX Plus's live monitoring feature is by far its best. According to him, NGINX Plus provides an "intuitive activity-monitoring user interface", providing critical insights into your app’s real-time performance metrics and key load stats.

This is to say that NGINX Plus has a built-in dashboard and a JSON metrics API that let you see what is going on inside the proxy in real time. Because the same data is exposed through the API, it can be pulled into external monitoring tools such as AppDynamics, Splunk, New Relic, Datadog, and others.
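The snippet below is an added example for the NGINX Plus features described above (JWT validation, active health checks, cookie-based persistence, DNS SRV discovery, and the metrics API and dashboard); it is not configuration from the NGINX product documentation or the article. The hostnames, the JWKS file path, and the resolver address are assumptions, and none of these directives load in open-source NGINX.

```nginx
# Added example (not from the article): NGINX Plus-only directives.
# Hostnames, the JWKS file and the DNS resolver address are assumptions.
http {
    resolver 10.0.0.2 valid=10s;            # needed by "resolve" below

    # Only accept tokens whose audience is this API.
    map $jwt_claim_aud $jwt_aud_ok {
        "api.example.com" 1;
        default           0;
    }

    upstream api_backend {
        zone api_backend 64k;               # shared memory: required for health checks and the API
        least_time header;                  # Plus-only method: fastest first-byte wins
        # DNS SRV discovery: _http._tcp.api.internal.example.com is re-resolved
        # every 10 s, so backends come and go without a reload.
        server api.internal.example.com service=http resolve;
        # Cookie-based persistence (beyond ip_hash), cookie hardened.
        sticky cookie srv_id expires=1h httponly secure path=/;
    }

    # Active health check: backend must return 200 and {"status":"ok"}.
    match healthy {
        status 200;
        body ~ '"status":"ok"';
    }

    server {
        listen 443 ssl;
        http2 on;
        server_name api.example.com;
        ssl_certificate     /etc/nginx/certs/api.example.com.crt;
        ssl_certificate_key /etc/nginx/certs/api.example.com.key;

        location /v1/ {
            auth_jwt "api";                            # reads the Bearer token from Authorization
            auth_jwt_key_file /etc/nginx/jwks.json;    # identity provider's signing keys (JWKS)
            auth_jwt_require $jwt_aud_ok error=403;    # valid signature but wrong audience: 403
            proxy_set_header X-User $jwt_claim_sub;    # verified subject; never trust a client-sent copy

            proxy_pass http://api_backend;
            health_check interval=5s fails=3 passes=2 uri=/healthz match=healthy;
        }
    }

    # Live metrics API and dashboard: loopback only, read-only API.
    server {
        listen 127.0.0.1:8080;
        location /api {
            api write=off;
            allow 127.0.0.1;
            deny all;
        }
        location = /dashboard.html {
            root /usr/share/nginx/html;
        }
    }
}
```

Note the deliberate split between `auth_jwt` (signature and expiry) and `auth_jwt_require` (claims): a token signed by the right issuer for a different audience is still rejected, and the backend only ever sees the subject NGINX verified.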


High Availability (HA)

NGINX Plus offers HA functionality, allowing it to be set up as either an active-passive or active-active cluster (on Linux this is implemented with keepalived and VRRP through the nginx-ha-keepalived package). In an active-passive setup, there are two NGINX Plus servers: a primary server that actively handles traffic and a backup one that monitors the primary's health and automatically takes over a shared virtual IP if it fails. In an active-active setup, both servers handle traffic simultaneously.


Pros and Cons of NGINX Plus

Pros | Cons
---|---
Better and faster traffic distribution across multiple servers | Costly
Provides detailed live monitoring and logging analytics |
Offers constant customer support |

What Is open-appsec WAF?


Are you looking for a way to block attacks on your web application before they reach it? open-appsec uses machine learning to detect and preemptively block threats before they can do any damage. Its code is published on GitHub, and the effectiveness of its WAF has been demonstrated in tests by third parties. Try open-appsec in the Playground today.

This open-source WAF uses machine learning models to detect malicious requests with a low rate of false positives. It is simple to manage and scale, and can be deployed as an add-on module for NGINX reverse proxies, as a Kubernetes Ingress controller, with Envoy, or with API gateways. It also integrates with GraphQL, Terraform, and Helm.

It protects applications against the OWASP Top 10, other web app and API attacks, and zero-day attacks. WAF maintenance is simpler than with traditional WAFs because there are no signatures to update and no exception lists to manage.


Features of open-appsec WAF


Machine-Learning Threat Prevention

This feature is what differentiates open-appsec WAF from other solutions. Unlike traditional WAFs, which rely on rules and exceptions as the threshold for flagging malicious activity in incoming requests, open-appsec uses two machine learning models to protect web applications preemptively.

The engine analyzes HTTP and HTTPS requests and protects apps from zero-day attacks such as Log4Shell and Spring4Shell without application updates, signatures, or patching. It consists of two models: one supervised and one unsupervised.

The supervised model is trained offline on millions of malicious and benign requests. It scores each incoming request for the attack indicators it learned during training and assigns it a threat score. A request scored as legitimate is passed to the web server; a request scored as potentially malicious is handed to the second model.

open-appsec's second model is unsupervised, learns online, and works in real time. It uses contextual analysis, a reputation score, user behavior, and the payload score to verify whether the requests flagged by the supervised model are indeed malicious. Its main aim is to drive false positives down as far as possible: requests it judges legitimate are allowed through to the web app, while harmful requests are blocked.


API Discovery and Security

open-appsec also discovers the APIs your application actually exposes, including ones the team has lost track of, which narrows the attack surface. It keeps API traffic within safe limits through machine learning-based blocking of malicious content and validation against an OpenAPI schema. Knowing the full inventory lets the security team focus its effort on a defined set of APIs instead of leaving forgotten endpoints unattended as easy targets.


Intrusion Prevention System (IPS)

open-appsec also monitors and filters web traffic with an NSS-certified Intrusion Prevention System (IPS) built on the open-source Snort 3.0 engine. This signature-based layer complements the machine learning models and is reported to cover more than 2,800 web CVEs.


Pros and Cons of open-appsec WAF

Pros | Cons
---|---
Simplifies maintenance by removing the need for constant management of exceptions, rules, and threat signatures | A fairly new WAF
Has a free version | Medium-sized open-source community
Open-sourced |
Offers preemptive protection against attacks |

Conclusion


These three solutions provide different levels of protection against web attacks. NGINX open-source is a good option for smaller teams looking for a free solution that improves the availability and stability of their web applications. NGINX Plus is a good commercial choice for teams that need additional availability features and proxy-level authentication. Finally, open-appsec WAF is the best option if you want a free, reliable solution to secure your web app against known and zero-day attacks. Try open-appsec in the Playground today.


Frequently Asked Questions


What are the different types of NGINX?

The different types of NGINX include the following:

NGINX open-source: this is a free version of NGINX. It works as a web server, reverse proxy, and load balancer.

NGINX Plus: this is the commercial version of NGINX. It offers all the features of NGINX open-source plus additional features like advanced load balancing, active server health checks, live monitoring, etc.

NGINX App Protect: this is a web application security module for NGINX Plus that provides application-layer and API-layer protection.


Why use Traefik over NGINX?

Traefik and NGINX are both popular reverse proxy and load-balancing solutions, and choosing one over the other depends on your requirements and use case. Traefik is best known for its dynamic configuration, built-in service discovery for container orchestrators like Docker and Kubernetes, and automatic certificate issuance via ACME (Let's Encrypt). NGINX is best known for its performance, maturity, and large module ecosystem, with NGINX Plus adding a real-time dashboard and metrics API.


What language is NGINX open-source?

NGINX open-source is written in C. It can be extended with modules written in other languages, notably Lua through the ngx_lua module (OpenResty) and JavaScript through the njs module.


What type of license is NGINX open-source?

NGINX open-source is released under the 2-clause BSD (Berkeley Software Distribution) license, a permissive open-source license that allows users to use, modify, and distribute the software freely. It grants users the right to modify and redistribute the NGINX source code and derived versions without strict requirements, including incorporating it into proprietary products.



Experiment with open-appsec for Linux, Kubernetes or Kong using a free virtual lab
