NGINX software solutions are known to multi-function as web servers and load balancers while ensuring the security and integrity of customer workloads and applications. Hence, it doesn't come as a surprise when Bernardo Castro, a back-end developer and founder of Bybrand (a cloud-based software company), testified the following: "NGINX provides SME startups with excellent web server security solutions that are one-piece outfits – especially when they’re counting their pennies."
Therefore, this article is for DevOps, DevSecOps, and Application Security Engineers working in startups looking for low-pricing, free, or open-source web security solutions to serve as an effective one-piece web security outfit.
Here we’ll talk about the features and benefits that make NGINX and open-appsec WAFs (two open-source solutions) stand out. We will also compare these features with NGINX Plus to get perspective from a paid tool.
We'll start by comparing the three software solutions.
What Is the Difference Between NGINX, NGINX Plus, and open-appsec WAF: A Tabular Comparison
| Differentiating Factors | NGINX open-source | NGINX Plus | open-appsec WAF |
| --- | --- | --- | --- |
| Primary Function | Web server, load balancer, and reverse proxy | Advanced web server, load balancer, and reverse proxy | WAF |
| Machine Learning App Security Approach | Not available | Not available | Uses two machine learning models (offline and online) to secure your web apps and APIs |
| Intrusion Prevention System Used | Not available | Not available | Uses the Snort 3.0 engine |
| Type of System Configuration Used | Command line interface | Command line interface | Declarative configuration and WebUI (SaaS) |
| System Maintenance Complexity | Requires manually downloading and installing each new version | Requires manually downloading and installing each new version | Eliminates the need to manage threat signatures, rules, and exceptions to safeguard your web application |
| Web Application Protection Features | Offers rate limiting and IP access control lists as web app security features | Requires the additional NGINX App Protect service to protect your web app from attacks | Is an independent web application and API security service that safeguards web applications regardless of where they are hosted |
| Free version | Free | Has a free trial | Offers a free version and a paid premium version |
| Pricing | Free | Starts at $3,675 per instance on an annual subscription, with additional costs when used with the NGINX App Protect service | Offers a free version, a premium edition, and a pay-as-you-go pricing model |
| Malicious Bot Prevention | Not available | Can detect and mitigate malicious bot traffic when used with the NGINX App Protect service | Uses machine learning models to analyze incoming requests and compare them with the characteristics of known malicious bots and legitimate user behavior |
| Open-Source | Open-source | Not open-source | Open-source; the software has also been verified by an independent group to ensure it is safe and reliable |
| Web Latency | Doesn't increase web latency | Doesn't increase web latency | No instances of increased web latency |
| False Positives | Unable to identify false positives | Unable to identify false positives | Strongly reduced cases of false positives thanks to its two machine learning models |
| Zero-Day Detection | Not available | Not available | Uses machine learning models, advanced threat prevention techniques, and the Snort 3.0 Intrusion Prevention System to detect and prevent zero-day attacks |
| WAF Community and Customer Service | Has a large community and readily available resources | Has a large community of users | Has a medium-sized user community |
What Is NGINX Open-Source?
This is an open-source software solution developed by the NGINX team and is best known for being a web (HTTP) server, load balancer, and reverse proxy. It offers rate limiting, IP-based access control lists, integrations with many third-party modules, and dynamic module support, and is backed by an active community.
Features of NGINX
● Load Balancer
In general, this feature helps to improve the efficiency, performance, and reliability of your web app. NGINX evenly distributes incoming traffic across your backend servers using different load balancing methods such as round-robin and least-connected. It also enables horizontal scaling to increase the capacity of your web service and keep it constantly available.
Furthermore, it supports session persistence (sticky sessions) through IP-hash load balancing, so subsequent requests from a given client are directed to the same backend server and resource.
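The following configuration is an added example (not from the article) that puts the features just described together in NGINX open-source: a least-connected pool, an ip_hash pool for sticky sessions, per-client rate limiting, and an IP access control list. All hostnames and addresses are placeholders.

```nginx
events { worker_connections 1024; }
http {
    # Rate-limit key is the client IP: 10 requests/second, 10 MB of counter state.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;
    limit_req_status 429;

    # Least-connected pool for stateless app servers; the third is a hot spare.
    upstream app_pool {
        least_conn;
        server 10.0.1.11:8080;
        server 10.0.1.12:8080;
        server 10.0.1.13:8080 backup;
    }

    # ip_hash pool: requests from one client IP keep landing on the same server.
    upstream session_pool {
        ip_hash;
        server 10.0.2.11:8080;
        server 10.0.2.12:8080;
    }

    server {
        listen 80;
        server_name app.example.internal;   # placeholder hostname

        location / {
            # Absorb bursts of up to 20 requests, reject the rest with 429 immediately.
            limit_req zone=per_ip burst=20 nodelay;
            proxy_pass http://app_pool;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Session-bound paths go to the sticky pool.
        location /account/ {
            limit_req zone=per_ip burst=20 nodelay;
            proxy_pass http://session_pool;
            proxy_set_header Host $host;
        }

        # IP access control list: only the admin networks may reach /admin/.
        location /admin/ {
            allow 10.0.0.0/8;
            allow 192.168.10.0/24;
            deny all;
            proxy_pass http://app_pool;
        }
    }
}
```

Both `$binary_remote_addr` and `ip_hash` key on the TCP peer address, so when NGINX sits behind another proxy or CDN the real_ip module must be configured first, otherwise every client shares one rate-limit bucket and one sticky server.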
● Reverse Proxy
NGINX caches your web app's static and dynamic content to reduce the load on your server and shorten response times. It also compresses and optimizes outgoing HTML, CSS, and JavaScript files to reduce the amount of data transmitted over your network.
It also terminates SSL/TLS on behalf of your servers and uses its HTTP/2 gateway, HTTP/2 server push, and gRPC proxy to streamline server-client communication in your network.
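As an added example (not from the article), this NGINX open-source configuration shows the reverse-proxy side described above: TLS termination with HTTP/2, response compression, a disk cache for static and dynamic content, and a gRPC location. Hostnames, certificate paths and the gRPC service path are placeholders.

```nginx
events { worker_connections 1024; }
http {
    # Disk cache: 100 MB of keys in shared memory, 1 GB on disk, evict after 60 min idle.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=edge_cache:100m
                     max_size=1g inactive=60m use_temp_path=off;

    # Compress text responses before they leave the proxy.
    gzip on;
    gzip_min_length 1024;
    gzip_types text/css application/javascript application/json;

    upstream origin {
        server 10.0.1.11:8080;
    }

    server {
        # TLS is terminated here; the origin only ever sees plain HTTP.
        listen 443 ssl http2;
        server_name www.example.internal;              # placeholder hostname
        ssl_certificate     /etc/nginx/tls/www.crt;    # placeholder paths
        ssl_certificate_key /etc/nginx/tls/www.key;
        ssl_protocols TLSv1.2 TLSv1.3;

        # Static assets: serve cached copies for 10 minutes, stale ones if the origin fails.
        location /static/ {
            proxy_cache edge_cache;
            proxy_cache_valid 200 301 302 10m;
            proxy_cache_use_stale error timeout updating;
            add_header X-Cache-Status $upstream_cache_status;
            proxy_pass http://origin;
        }

        # Dynamic pages: short-lived cache, and never cache a logged-in user's
        # response (otherwise one user's page could be served to another).
        location / {
            proxy_cache edge_cache;
            proxy_cache_valid 200 10s;
            proxy_cache_bypass $cookie_sessionid;
            proxy_no_cache $cookie_sessionid;
            proxy_pass http://origin;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
        }

        # gRPC calls are proxied over the same HTTP/2 listener (placeholder service path).
        location /example.Service/ {
            grpc_pass grpc://10.0.1.20:50051;
        }
    }
}
```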
● HTTP/2 Gateway
This open-source NGINX feature acts as an intermediary between clients and servers. It enables communication between different protocols, optimizes performance, ensures security, handles load balancing, caching, and provides traffic monitoring and logging capabilities. It bridges the gap between older and newer protocols, facilitating seamless communication in a mixed protocol environment.
Pros and Cons of Using NGINX
| Pros | Cons |
| --- | --- |
| Dynamic module support allows for functionality extension | Doesn't offer sufficient, advanced web application security |
| Offers basic web app security functionalities at no cost | Dynamic content caching support is limited and may need additional tools such as Varnish Cache or Memcached |
| Fast loading time and performance | |
What Is NGINX Plus?
"I found the ability to implement advanced load balancing algorithms in NGINX Plus particularly useful."
NGINX Plus has all the basic features of NGINX open-source plus additional advanced features, such as the load balancing algorithms praised in the quote above by Daniel Chabert, founder of PurpleFire, a web development agency.
It is the paid version of NGINX open-source, but it still has a free trial. You can also use it with NGINX App Protect, but it comes with an additional cost. It offers basic security controls like rate-limiting, TLS 1.3 support, etc. Additionally, it offers JSON Web Token (JWT) authentication and OpenID Connect Single Sign-on (SSO) for authentication, authorization, token storage, and verification, as well as other app security processes.
Features of NGINX Plus
● Advanced Load Balancing Features
As Chabert mentioned, this is NGINX Plus' most outstanding feature. It offers TCP and UDP load balancing, session persistence, active health checks, RESTful API, etc. Furthermore, NGINX Plus offers Domain Name System (DNS) service-discovery integration to securely discover and integrate services and components within your app’s architecture.
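As an added example (not from the article or from F5's documentation), this NGINX Plus configuration ties together the features mentioned in the last two sections: JWT authentication in front of an API, active health checks against a shared-memory upstream zone, and the REST API and dashboard used for live monitoring. Hostnames, certificate paths and the JWK set file are placeholders.

```nginx
events { worker_connections 1024; }
http {
    # The shared-memory zone is what lets NGINX Plus run active health checks
    # and expose per-upstream state to the dashboard.
    upstream api_backend {
        zone api_backend 64k;
        server 10.0.1.11:8080;
        server 10.0.1.12:8080;
    }

    # A backend counts as healthy only if /healthz answers 2xx/3xx with JSON.
    match api_healthy {
        status 200-399;
        header Content-Type ~ "application/json";
    }

    server {
        listen 443 ssl http2;
        server_name api.example.internal;             # placeholder hostname
        ssl_certificate     /etc/nginx/tls/api.crt;   # placeholder paths
        ssl_certificate_key /etc/nginx/tls/api.key;
        status_zone api_frontend;   # per-virtual-server metrics for the dashboard

        location /api/ {
            # Reject requests without a valid signed JWT (Authorization: Bearer ...)
            # before they reach the application; keys come from a JWK set file.
            auth_jwt "API";
            auth_jwt_key_file /etc/nginx/jwks.json;   # placeholder key file
            proxy_pass http://api_backend;
            proxy_set_header Host $host;
            # Probe every 5 s; 3 failures take a server out, 2 passes bring it back.
            health_check interval=5s fails=3 passes=2 uri=/healthz match=api_healthy;
        }
    }

    # Live monitoring: read-only REST API and dashboard, admin network only.
    server {
        listen 8080;
        allow 192.168.10.0/24;
        deny all;

        location /api/ {
            api;
        }
        location = /dashboard.html {
            root /usr/share/nginx/html;
        }
    }
}
```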
● Live Monitoring and Logging
Simon Bacher, the CEO of Simya Solutions (an app development agency), insists that NGINX Plus's live monitoring feature is by far its best. According to him, NGINX Plus provides an "intuitive activity-monitoring user interface", providing critical insights into your app’s real-time performance metrics and key load stats.
In other words, NGINX Plus has a built-in dashboard and log analysis tool that lets you monitor everything going on within your app. At an additional cost, this feature also allows you to export data to external monitoring tools such as AppDynamics, Splunk, New Relic, and Datadog.
● High Availability (HA)
NGINX Plus offers HA functionality, allowing it to be set up as either an active-passive or active-active cluster. In an active-passive setup, there are two NGINX Plus servers: a primary server that actively handles traffic and a backup one that monitors the primary's health and automatically takes over if it fails. In an active-active setup, both servers actively handle traffic simultaneously.
Pros and Cons of NGINX Plus
| Pros | Cons |
| --- | --- |
| Better and faster traffic distribution across multiple servers | Costly |
| Provides detailed live monitoring and logging analytics | |
| Offers constant customer support | |
open-appsec WAF
Are you looking for a way to block attacks on your web application before they happen? Look no further, as open-appsec uses machine learning to continuously detect and preemptively block threats before they can do any damage. Its code has also been published on GitHub, and the effectiveness of its WAF has been successfully proven in numerous tests by third parties. Try open-appsec in the Playground today.
This open-source WAF uses machine learning models to accurately detect malicious requests with a low number of false positives. It is simple to manage and expand and can be deployed as an add-on to an NGINX reverse proxy, a K8s Ingress controller, Envoy, or API gateways. It can also be integrated with GraphQL, Terraform, and Helm.
It protects apps against OWASP Top 10 attacks, web app and API attacks, and zero-day attacks. It also simplifies WAF maintenance because it does not need the signatures and exception handling that traditional WAFs require.
Features of open-appsec WAF
● Machine-Learning Threat Prevention
This feature is what differentiates open-appsec WAF from other solutions. Unlike traditional WAFs that use rules and exceptions as a security threshold to detect malicious activities in incoming requests, open-appsec uses two machine learning models to protect web applications preemptively.
This feature analyzes HTTP/S requests and protects apps from zero-day attacks like Log4Shell and Spring4Shell without app updates, signatures, or patching. Moreover, open-appsec's machine learning engine consists of two models, a supervised and a non-supervised model.
The supervised model is offline and has been trained with millions of malicious and benign requests. Its job is to separate legitimate traffic from hostile traffic by comparing attack vectors with those in its database, after which it assigns threat scores to requests. This model allows a request to reach the web server if it is considered legitimate; if it is deemed malicious, the request is pushed to the second model.
open-appsec's second machine learning algorithm is unsupervised, online, and works in real-time. It uses contextual analysis, reputation score, user behavior, and payload score to verify if requests sent over by the supervised model are indeed malicious. Its main aim is to reduce false positives as much as possible, after which it either allows legitimate requests to access a web app or completely blocks dangerous and harmful requests.
● API Discovery and Security
The WAF by open-appsec helps discover all your hidden APIs and narrows your attack surface. It keeps API activity within safe limits using machine learning-based malicious content blocking and OpenAPI schema validation. This lets you focus your security team's efforts and resources on a known set of APIs without leaving any unattended as an easy target for web attacks.
● Intrusion Prevention System (IPS)
open-appsec monitors and filters web traffic using an NSS-certified Intrusion Prevention System (IPS) and open-source Snort 3.0. This feature is known to have protected against over 2,800 web CVEs.
Pros and Cons of open-appsec WAF
| Pros | Cons |
| --- | --- |
| Simplifies system maintenance by removing the need for constant management of exceptions, rules, and threat signatures | A fairly new WAF |
| Has a free version | Has a medium-sized open-source community |
| Open-source | |
| Offers preemptive protection against attacks | |
Conclusion
These three solutions provide various levels of security against web attacks. NGINX open-source is a good option for smaller teams looking for a free solution to help with the availability and stability of their web applications. In contrast, NGINX Plus is a good commercial internet application security tool for teams looking for additional security and availability capabilities. Finally, open-appsec WAF is the best option if you want a free, reliable solution to secure your web app against known and zero-day attacks. Try open-appsec in the Playground today.
Frequently Asked Questions
What are the different types of NGINX?
The different types of NGINX include the following:
● NGINX open-source: this is a free version of NGINX. It works as a web server, reverse proxy, and load balancer.
● NGINX Plus: this is the commercial version of NGINX. It offers all features of NGINX open-source plus additional features like advanced load balancing, server health checks, live monitoring, etc.
● NGINX App Protect: this is a web app security module that provides application-layer and API-layer security.
Why use Traefik over NGINX?
Traefik and NGINX are popular reverse proxy and load-balancing solutions, and choosing one over the other depends on your specific requirements and use case. Traefik is best known for its ease of configuration and integrated service discovery with container orchestrators like Docker and Kubernetes. On the other hand, NGINX is best known for its detailed real-time dashboard/metrics and automated SSL/TLS certificate management.
What language is NGINX open-source?
NGINX open-source is primarily written in the C programming language, but it also includes modules and extensions that can be written in other languages, such as Lua or JavaScript, using the NGINX API.
What type of license is NGINX open-source?
NGINX open-source is released under the 2-clause BSD (Berkeley Software Distribution) license, a permissive open-source license that allows users to use, modify, and distribute the software freely. It grants users the right to modify and distribute the NGINX source code and its modified versions without imposing strict requirements or limitations, including incorporating it into proprietary software.