The document summarizes Kevin Jones' presentation on securing containerized applications with NGINX. It discusses the benefits of using a reverse proxy for security, NGINX best practices for TLS configuration, and deploying NGINX in Docker containers. It also provides code examples and configurations for setting up NGINX as a reverse proxy, optimizing TLS, and using NGINX as a sidecar proxy.

1. Securing Your Containerized
Applications with NGINX
Kevin Jones
Sr Product Manager
NGINX, now part of F5
@webopsx

2. • Benefits of a Reverse Proxy for Security
• NGINX Best Practices for TLS
• Running NGINX in Docker
• Q&A
Todays talk!

3. Benefits of a Reverse
Proxy
● HTTP Security and Façade Routing
● TLS Offload
● Authentication / Authorization Offload

4. HTTP Security & Façade Routing

5. ● Restrict Access to Specific URLs
● Intercept Response Headers from Upstream Servers
● Control Request Methods
● Control Domain Level Access
● Provide a Layer of Façade URLs for Routing to
Microservices
● Rewrite URLs for Backwards Compatibility
● API Version Control / Testing (A/B)
A Reverse Proxy can…

6. Service C
Service B
Service AService A
Login
Service
/login
:32706
Service B
Inventory
Service
/inventory
:32717
Service C
Partner
API
/api/beta
:32724
api.example.com
*:80
/api/v2/login
/api/v1/inventory
/admin/
partner.example.com
*:80
/api/v1
GET
Reverse Proxy /
Gateway
PUT
PATCH

7. Service C
Service B
Service AService A
Login
Service
/login
:32706
Service B
Inventory
Service
/inventory
:32717
Service C
Partner
API
/api/beta
:32724
api.example.com
*:80
/api/v2/login
/api/v1/inventory
/admin/
partner.example.com
*:80
/api/v1
Reverse Proxy /
GatewayNGINX Directive
server_name
listen
location
limit_except
proxy_pass
upstream
map
if
PUT
PATCH
GET

8. SSL/TLS

9. ● SSL/TLS Protocols
● Ciphers
● Sessions
● Certificate and Key Management
● OCSP
● Performance Degradation
● Security Vulnerabilities and Patching
Complexities of TLSComplexities of TLS RSA, DH, ECDH,
SRP, PSK??!

10. Let's Encrypt
● A Cron process can update
certificates and keys
NGINX
API
Cron (Certbot)
● The certificates and keys can be
stored on disk or in memory
depending on security
requirements
● If you are using NGINX,
certificates and keys can be
loaded from disk on demand
(lazy load)
● If using NGINX Plus, your
certificates and keys can be
stored in the NGINX Plus key-
value database

11. Authentication &
Authorization

12. ● Offload credential validation
● Intercept unauthenticated requests
● Support integration with an IDP or other
authentication flows
● Support multi factor requirements
● Once that client is validated, authorization provides
policy enforcement on specific HTTP access
Authentication and
Authorization

13. GET w/ JSON Web
Token
JSON Web Key
Payload
{
"alg": "HS256",
"typ": "JWT"
}
Header
{
"alg": "HS256",
"typ": "JWT"
}
Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzd
WIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gR
G9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.N3Hb-
h4CdvYDpm6iT-kQVAXt_q2vBnnZ-BDLfOPrd18

14. Raffle Time! Check the chat to
see if you've won!

15. NGINX Best Practices
For Configuring TLS

16. https://www.ssllabs.com/ssltest/

17. server {
listen 443 ssl default_server;
server_name example.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
# SSL protocols
ssl_protocols TLSv1.3 TLSv1.2;
# SSL ciphers
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-
SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
# DH parameters and curve
ssl_dhparam /path/to/dhparam.pem;
ssl_ecdh_curve secp384r1;
}
CODE EDITOR

18. Generate
stronger DH
parameters
• This will take a while, be
patient
• For highest security, It is
recommended to use a bit
length of 4096
CODE EDITOR
$ openssl dhparam -out /etc/ssl/certsdhparam.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
............+.......................+..................................................................
.........................................................................................................
...........................+............................................................................
............................................................+...........................................
.........................................................................................................
..................................................................................................+.....
.........+...........................+.................................................................

19. https://www.ssllabs.com/ssltest/

20. CODE EDITOR
server {
# HTTP STS
add_header Strict-Transport-Security "max-
age=31536000; includeSubDomains; preload" always;
}
Enable HTTP
Strict
Transport
Security
• Informs browsers to always
interact with your site over
HTTPS
• This will protect your site
against various attacks such as
downgrade attacks and
possible cookie hijacking

21. https://www.ssllabs.com/ssltest/

22. Deploying NGINX on
Docker

23. Service C
Service B
Service AService A
Login
Service
:32706
Service B
Inventory
Service
:32717
Service C
Partner
API
:32724
api.example.com
*:80 / *:443
/api/v2/login
/api/v1/inventory
/admin/
partner.example.com
:443
/api/v1
Reverse Proxy /
Gateway
api.example.com
*:80 / *:443
/api/v2/login
/api/v1/inventory
/admin
partner.example.com
:443
/api/v1

24. Configure
NGINX with
Docker Compose
• Configure services you want
to communicate thru NGINX
using "expose"
• Link your services together
with the "links" option
• Then publish your NGINX
service using the "ports"
mapping
CODE EDITOR
nginx:
build: ./nginx
container_name: nginx
restart: always
links:
- login
ports:
- "80:80"
volumes:
- ./etc/nginx/conf.d/server.conf:/etc/nginx/conf.d/server.conf
login:
build: ./login
container_name: login
restart: always
expose:
- "80"

25. NGINX
Configuration
CODE EDITOR
user nginx;
events {
worker_connections 1024;
}
http {
server {
listen 80;
location /login {
proxy_pass http://login:80;
}
}
}
Use the proxy_pass
directive to configure
NGINX to resolve the
embedded Docker DNS
server; this will support
any scaling of your
services while using
Docker Compose

26. Login
Servicelogin.example.com
Reverse Proxy
Inventory
Serviceinventory.example.com
Reverse Proxy
Partner
APIpartner.example.com
Reverse Proxy
Login
Service
127.0.0.1:9001login.example.com
Sidecar Proxy
Inventory
Service
127.0.0.1:7001inventory.example.com
Sidecar Proxy
Partner
API
127.0.0.1:5001partner.example.com
Sidecar Proxy
Sidecar
Proxy
Deploying NGINX as a
Sidecar Proxy provides
the ability to optimize
TLS, standardize on
HTTP protocol behavior
and offload functionality
that is already designed
into NGINX without the
need of developing it as
code, such as
authentication and
authorization

27. Sidecar Proxy
• Using proxy_pass you can
route requests to your
application listening on
localhost within the
container
CODE EDITOR
http {
server {
listen 80;
server_name partner.example.com;
location /api/v2 {
proxy_pass http://127.0.0.1:5001;
}
}
}
Partner
API
127.0.0.1:5001partner.example.com
Sidecar Proxy

28. Thank you for watching!
Visit https://swag-nginx.com
Use code: DOCKERCON30
For 30% off!
Questions?
kevin@nginx.com

29. Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt
CODE EDITOR
{
“Lorem”: “ipsum”,
“laudantium”: 42
}

30. Side title
Secondary
headline
CODE EDITOR
{
“Lorem”: “ipsum”,
“laudantium”: 42
}Sed ut perspiciatis unde
omnis iste natus error sit
voluptatem accusantium
dolor laudantium, totam
rem aperiam, eaque ipsa
quae ab illo inventore
veritatis et quasi
architecto beatae vitae.

31. Side title
Secondary
headline
CODE EDITOR
{
“Lorem”: “ipsum”,
“laudantium”: 42
} Sed ut perspiciatis unde
omnis iste natus error sit
voluptatem accusantium
dolor laudantium, totam
rem aperiam, eaque ipsa
quae ab illo inventore
veritatis et quasi
architecto beatae vitae.

32. At vero eos et accusamus et
iusto odio dignissimos ducimus
qui blanditiis praesentium
voluptatum deleniti atque
corrupti.
Headline here

33. Slide title / 2 line max.
Secondary headline / 1 line max. Delete if slide title is
2 lines.
Sed ut perspiciatis unde omnis iste natus error sit
voluptatem accusantium doloremque laudantium, totam
rem aperiam, eaque ipsa quae ab illo inventore veritatis et
quasi architecto beatae vitae dicta sunt explicabo.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur
aut odit aut fugit, sed quia consequuntur.

34. Slide title / 2 line max.
Secondary headline / 1 line max. Delete if slide title is
2 lines.
Sed ut perspiciatis unde omnis iste natus error sit
voluptatem accusantium doloremque laudantium, totam
rem aperiam, eaque ipsa quae ab illo inventore veritatis et
quasi architecto beatae vitae dicta sunt explicabo.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur
aut odit aut fugit, sed quia consequuntur.

35. Paragraph font Open Sans 18pt.
Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt

36. Paragraph font Open Sans 18pt.
Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt

37. Section title.
Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium
doloremque laudantium, totam rem aperiam.
Section title.
Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium
doloremque laudantium, totam rem aperiam.
Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt

38. Section title.
Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium
doloremque laudantium, totam rem aperiam.
Section title.
Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium
doloremque laudantium, totam rem aperiam.
Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt

39. Section title.
Nemo enim ipsam voluptatem quia voluptas
sit aspernatur aut odit aut fugit, sed quia
consequuntur. Sed ut perspiciatis unde
omnis iste natus error sit voluptatem
accusantium doloremque laudantium, totam
rem aperiam.
Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt
Section title.
Nemo enim ipsam voluptatem quia voluptas
sit aspernatur aut odit aut fugit, sed quia
consequuntur. Sed ut perspiciatis unde
omnis iste natus error sit voluptatem
accusantium doloremque laudantium, totam
rem aperiam.

40. Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt
Section title.
Nemo enim ipsam voluptatem quia voluptas
sit aspernatur aut odit aut fugit, sed quia
consequuntur. Sed ut perspiciatis unde
omnis iste natus error sit voluptatem
accusantium doloremque laudantium, totam
rem aperiam.
Section title.
Nemo enim ipsam voluptatem quia voluptas
sit aspernatur aut odit aut fugit, sed quia
consequuntur. Sed ut perspiciatis unde
omnis iste natus error sit voluptatem
accusantium doloremque laudantium, totam
rem aperiam.

41. Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt
Section title.
Nemo enim ipsam voluptatem
quia voluptas sit aspernatur
aut odit aut fugit, sed quia
consequuntur. Sed ut
perspiciatis unde omnis.
Section title.
Nemo enim ipsam voluptatem
quia voluptas sit aspernatur
aut odit aut fugit, sed quia
consequuntur. Sed ut
perspiciatis unde omnis.
Section title.
Nemo enim ipsam voluptatem
quia voluptas sit aspernatur
aut odit aut fugit, sed quia
consequuntur. Sed ut
perspiciatis unde omnis.

42. ● Bullet One
● Bullet Two
● Bullet Three
● Bullet Four
● Bullet Five
● Bullet Six
Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt

43. 1. Bullet One
2. Bullet Two
3. Bullet Three
4. Bullet Four
5. Bullet Five
6. Bullet Six
Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt

44. Side title
Secondary
headline 1,000+
Paragraph title bold 14pt
Body copy open sans 14pt
1,000+
Paragraph title bold 14pt
Body copy open sans 14pt
1,000+
Paragraph title bold 14pt
Body copy open sans 14pt
1,000+
Paragraph title bold 14pt
Body copy open sans 14pt

45. Title here
Sed ut perspiciatis unde omnis iste natus error
sit voluptatem accusantium doloremque
laudantium, totam rem aperiam, eaque ipsa quae
ab illo inventore veritatis et quasi architecto
beatae vitae dicta sunt explicabo.
Nemo enim ipsam voluptatem quia voluptas sit
aspernatur aut odit aut fugit, sed quia
consequuntur magni dolores eos qui ratione
voluptatem sequi nesciunt.
● Lorem ipsum
● Lorem ipsum
● Lorem ipsum
● Lorem ipsum
● Lorem ipsum
● Lorem ipsum

46. Image &
diagram Slides

47. Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt
Section title.
Nemo enim ipsam voluptatem quia voluptas
sit aspernatur aut odit aut fugit, sed quia
consequuntur. Sed ut perspiciatis unde
omnis.
Nemo enim ipsam voluptatem quia voluptas
sit aspernatur aut odit aut fugit.

48. Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt
Section title.
Nemo enim ipsam voluptatem quia voluptas
sit aspernatur aut odit aut fugit, sed quia
consequuntur. Sed ut perspiciatis unde
omnis.
Nemo enim ipsam voluptatem quia voluptas
sit aspernatur aut odit aut fugit.

49. Title font Monserrat bold 30pt

50. Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt

51. Title here
Sed ut perspiciatis unde omnis iste natus
error sit voluptatem accusantium
doloremque laudantium, totam rem
aperiam, eaque ipsa quae ab illo inventore
veritatis et quasi architecto beatae vitae
dicta sunt explicabo.
Nemo enim ipsam voluptatem quia
voluptas sit aspernatur aut odit aut fugit,
sed quia consequuntur magni dolores eos
qui ratione voluptatem.

52. Title here
● Bullet One
● Bullet Two
● Bullet Three
● Bullet Four
● Bullet Five
● Bullet Six

53. Title font Monserrat

54. Title font Monserrat

55. Screenshot Slides

56. Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt

57. Side title
Secondary
headline

58. Side title
Secondary headline

60. Code block Slides

61. Title font Monserrat bold 30pt
Secondary headline font Monserrat 18pt
CODE EDITOR
{
“Lorem”: “ipsum”,
“laudantium”: 42
}

62. Side title
Secondary
headline
CODE EDITOR
{
“Lorem”: “ipsum”,
“laudantium”: 42
}Sed ut perspiciatis unde
omnis iste natus error sit
voluptatem accusantium
dolor laudantium, totam
rem aperiam, eaque ipsa
quae ab illo inventore
veritatis et quasi
architecto beatae vitae.

63. Side title
Secondary
headline
CODE EDITOR
{
“Lorem”: “ipsum”,
“laudantium”: 42
} Sed ut perspiciatis unde
omnis iste natus error sit
voluptatem accusantium
dolor laudantium, totam
rem aperiam, eaque ipsa
quae ab illo inventore
veritatis et quasi
architecto beatae vitae.

64. Callout Slides

65. Callout or quote text
Monserrat bold 36pt
Body copy font Monserrat 18pt

71. Logos on dark

72. Docker Logos

73. Docker Logos

74. Logos on white

75. Text styles
Display
Slide Title
Section Title
BodyParagraph Title
Caption
Small BodySmall Paragraph Title
Large Body
LABEL

76. Color Palette
Primary
Color Palette
Secondary
Color Palette

77. Icons

78. Icons

79. Icons