NGINX Application Platform

High Performance Application Delivery for Microservices

Simplify the journey to microservices.

Many organizations today would like to move to microservices but are held back by complex application infrastructures. They use a mix of open source, proprietary solutions, and custom code that has become a nightmare for these companies to manage. These fragile application stacks ultimately limit the agility that businesses need to stay competitive in today’s market.

The NGINX Application Platform helps reduce complexity by consolidating common functions down to far fewer components – in many cases, down to a single piece of software. Using the NGINX Application Platform, our customers are able to reduce complexity in their application stack and begin migrating to a modern, microservices-based architecture.

The NGINX Application Platform is a modern, open source software-based tool set for delivering applications with performance, reliability, security, and scale. It includes NGINX Plus for load balancing and application delivery, NGINX WAF for security, and NGINX Unit to run the application code, all monitored and managed by NGINX Controller.

Figure: NGINX Application Platform overview. Labels: NGINX Controller (centralized monitoring and management: Analytics, Control, Policy); Load Balancer, Content Cache, API Gateway, WAF; Monolith, Microservices; NGINX Plus (application delivery); NGINX Unit (web and application server); Infrastructure with multi-cloud versatility (Cloud, Virtual Machine, Container, Bare Metal).

NGINX Plus

The only all-in-one load balancer, content cache, and

Ask anyone in IT and they’ll tell you complexity is the enemy. By combining multiple tools into one, NGINX Plus reduces complexity. With a simpler infrastructure to manage, application teams can achieve greater agility and feature velocity. Whether you’re modernizing legacy apps or building new, microservices-based apps, NGINX Plus helps you reliably scale digital services.

Many organizations today are dependent on legacy hardware application delivery controllers (ADCs). Hardware ADCs are a roadblock to creating scalable applications. NGINX Plus can be used to replace hardware ADCs, to give you significant cost savings combined with the agility of open source software.

“The amount of traffic that NGINX Plus can handle is unreal – even beyond our needs.” – James Ridle, IT Operations Manager at Montana Interactive

Why NGINX Plus?

Cost savings – Save 80% over hardware ADCs while exceeding performance and functionality.

Flexibility – You can run NGINX Plus software in bare metal, virtual machines, container-based environments, and any cloud environment with no vendor lock-in.

Community – NGINX Plus is built on NGINX Open Source and backed by an enthusiastic community of over 400 million users, with thousands of community-contributed articles available to help you in your journey.

How NGINX Plus works

NGINX Plus installs on x86, ARM, and Power8 servers running a Unix-like system, such as Linux or FreeBSD. It’s installed using standard package management tools (apt, yum). NGINX Plus typically runs one worker process per CPU core for maximum performance.

NGINX Plus functions as a reverse proxy, accepting TCP connections and making new TCP connections to upstream servers. As a web server it serves static content directly and reverse proxies to PHP-FPM, uwsgi, and other application servers. As a cache, NGINX Plus handles both static and dynamic content. In addition, NGINX Plus can be used to stream media.

NGINX Plus Features:

• HTTP/TCP/UDP load balancer
• Content cache
• Web server
• SSL/TLS offload with dual-stack RSA/ECC
• Content compression
• Rate limiting
• JWT authentication
• High availability
• Reverse proxy for HTTP, FastCGI, memcached, SCGI, and uwsgi
• 20+ dynamic modules
• OpenID Connect SSO

Figure: Cache, load balance, and serve static content with a single tool, NGINX Plus.

NGINX WAF module

Protect your applications

Even when you understand security, it is difficult to create secure applications given the pressures on today’s companies. The NGINX Web Application Firewall (WAF module) protects applications against sophisticated Layer 7 attacks that might otherwise lead to loss of sensitive data, downtime, and reputation damage. The NGINX WAF module is based on the widely used ModSecurity open source software.

ModSecurity is one of the most trusted names in application security, protecting over a million websites today. As open source software, ModSecurity is backed by a large, enthusiastic community of security experts. Community backing extends beyond ModSecurity itself to the OWASP Core Rule Set (CRS), which protects against the most common and devastating attacks.

Like ADCs, WAFs have typically been in the realm of hardware appliances, within the enterprise. And like ADCs, hardware WAFs suffer from the same shortcomings. They are costly and inflexible.

“Web applications – yours, mine, everyone’s – are terribly insecure on average. We struggle to keep up with the security issues and need any help we can get to secure them.” – Ivan Ristić, creator of ModSecurity

Why NGINX WAF?

Cost savings – PCI compliance at a fraction of the cost of hardware WAFs.

Battle tested – Used by more than a million websites, ModSecurity is the most trusted name in application security.

Agility – Respond quickly to emerging security threats with virtual patching.

How NGINX WAF module works

NGINX WAF is a dynamic module for NGINX Plus. It plugs into a running NGINX Plus instance. NGINX Plus still terminates connections and performs redirects and rate limiting as usual, but requests are sent to the NGINX WAF module before being forwarded to the backend server.

After doing initial processing, NGINX Plus passes the traffic to the NGINX WAF module, which inspects all parts of the request for malicious content or other anomalies. If the request is deemed malicious it can be blocked, logged, or both, depending on configuration.

If the request is determined to be acceptable, it is returned to NGINX Plus, which then satisfies the request.

The NGINX WAF module provides the following protections:

• Layer 7 attack protection: SQL injection (SQLi), cross-site scripting (XSS), Local File Inclusion (LFI), Cross-site request forgery (CSRF), Remote File Inclusion (RFI), and more.
• IP reputation: Block known bad IP addresses in real time using Project Honey Pot.
• Scanner and bot detection: The NGINX WAF module can detect and block most scanners in use today.
• Virtual patching: Respond to emerging threats in real time with a flexible PCRE-regex based rules language.
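How the "blocked, logged, or both" choice and a regex-based virtual patch can be expressed with the ModSecurity directives the WAF module is built on, as an added example that is not taken from the brochure or from NGINX's own material. The log path, upstream address, rule id, and the /report endpoint with its id parameter are assumptions made for illustration.

```nginx
# Added example. Paths, the backend address, rule id 100001 and the
# /report endpoint are assumptions, not values from the brochure.
load_module modules/ngx_http_modsecurity_module.so;

events {}

http {
    upstream app_backend {
        server 127.0.0.1:8080;          # constructed backend address
    }

    server {
        listen 80;

        # Hand every request to the WAF module before it is proxied.
        modsecurity on;
        modsecurity_rules '
            SecRuleEngine On
            SecRequestBodyAccess On
            SecAuditEngine RelevantOnly
            SecAuditLog /var/log/nginx/modsec_audit.log
            SecRule REQUEST_FILENAME "@streq /report" "id:100001,phase:2,deny,status:403,log,chain"
                SecRule ARGS:id "!@rx ^[0-9]{1,10}$"
        ';
        # SecRuleEngine On            -> matching requests are blocked and logged.
        # SecRuleEngine DetectionOnly -> matching requests are logged only,
        #                                useful while trialling a new rule.
        #
        # The chained SecRule is the virtual patch: a request to /report is
        # denied with 403 when an "id" argument is present and is not 1 to 10
        # digits, without touching the application code behind the proxy.

        location / {
            # Requests the WAF module accepts continue to the backend.
            proxy_pass http://app_backend;
        }
    }
}
```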

Figure: The NGINX WAF module protects against a broad range of Layer 7 attacks.

NGINX Unit

Dynamic web and application server

Most application servers we use in production environments today were written for static, monolithic architectures. Most have been retrofitted with sidecars and other add-ons for the dynamic functionality and consistent behavior needed in today’s application environments. Unfortunately these add-ons increase complexity, decrease performance, and create a greater surface for failure.

NGINX Unit is a new dynamic web and application server built to meet the demands of both monolithic and distributed applications. NGINX Unit combines the functions of a web and application server into a single binary. NGINX Unit is dynamic by design and configured via a RESTful JSON API. All configuration changes are handled in memory, so there are no process reloads, no service disruptions, and no downtime.

Many organizations today have applications written in multiple languages. With NGINX Unit you can run multiple languages on the same server, enabling you to consolidate application servers and reduce complexity. Go, Perl, PHP, Python, and Ruby are supported, with more language support to come.

“Modern web applications are more complex than before. I see the lack of a simple and flexible base that is easy to use and reduces the complexity of modern web stacks. I created NGINX Unit to be this base.” – Igor Sysoev, creator of NGINX and Unit

Why NGINX Unit?

Reduce complexity – No need to tangle with multiple application servers and software stacks. Run your apps written in Go, Perl, PHP, Python, and Ruby using the same consistent and powerful application server.

Dynamic by design – NGINX Unit was created to adapt in real time to the demands of distributed applications, with a RESTful JSON API, and immediate in-memory changes without process reloads or service disruptions.

Deploy with confidence – NGINX Unit is developed by the team behind NGINX, the most reliable and trusted name in application delivery.

How NGINX Unit works

NGINX Unit is software installed on a Unix-like system, such as Linux or FreeBSD. NGINX Unit creates a group of separate processes on one system. For security purposes only the Main process is run as root. Client connections, application processes, and code are run in separate isolated processes with limited rights.

The Controller process is responsible for configuration. NGINX Unit is dynamically configured using a RESTful JSON API. You can upload the whole configuration at once, or just a part of it. NGINX Unit does not reload the whole configuration for every change, instead performing relevant changes directly in memory and reloading only the necessary parts. NGINX Unit configuration can be updated as frequently as needed without worrying about taking up additional system resources.

The Router process interacts with clients. It accepts client requests and passes them to the application processes. It then gets responses back from the applications, and forwards them to the clients. Each worker thread in the Router process can simultaneously handle thousands of connections.

The Application processes run the application code. New application processes are created on demand by the Main process.

Supported languages:

• Go
• Perl
• PHP
• Python
• Ruby

Figure: NGINX Unit architecture. Labels: Client; Controller process (config); Router process (multiple threads: auxiliary thread, worker threads); Main process; Application processes. Requests and responses are transferred via shared memory. Main process creates application processes.

NGINX Controller

Centralized monitoring and management for NGINX Plus

Enterprises managing large production deployments need a centralized point of control and visibility. NGINX Controller helps the most demanding enterprises scale by providing a centralized monitoring and management platform for NGINX Plus. NGINX Controller makes managing large NGINX Plus clusters easy.

With NGINX Controller, you can manage hundreds of NGINX Plus servers from a single location. Using an intuitive graphical user interface you can create new instances of NGINX Plus and centrally configure features like load balancing, URL routing, and SSL termination. Controller has rich monitoring capabilities to help you monitor application health and performance.

NGINX Controller helps enterprises move beyond the manual processes that stifle innovation. With NGINX Controller, IT provisions virtual load balancers for application teams, and then allows them to manage the load balancers themselves. This self-service capability enables application teams to adopt agile development practices, while freeing IT to focus on maintaining a stable infrastructure, without disruptions.

“Our vision is for NGINX Controller to be the intelligent brain within the infrastructure, absorbing information and making decisions in real time without human intervention.” – Gus Robertson, CEO of NGINX, Inc.

NGINX Controller gives businesses the following benefits:

Ease of use – Easily manage and monitor large NGINX Plus clusters from a single location.

Agility – Give application teams self-service capabilities to deploy new applications faster.

Compliance – Gain granular control over every process with role-based access control – putting the right tools in the right hands.

How NGINX Controller works

NGINX Controller works by way of a small agent that is installed on NGINX Plus servers. Once installed and registered, the target server will appear in the NGINX Controller inventory on the left side panel of the UI and is ready to have a virtual load balancer configuration assigned to it.

The middle panel of the NGINX Controller UI is where you create instance groups, virtual load balancers, routes, and backend pools of microservices. This is the heart of your network; it’s where all of the data flows.

Once the configuration has been defined, you assign it to a server in the inventory. To do this, you simply drag and drop the desired server to the policy you want to deploy on it. You can drop in multiple servers for heavily trafficked applications and NGINX Controller ensures the configuration is in sync.

Configurable with NGINX Controller:

• Virtual servers
• Pools
• SSL/TLS offload
• Let’s Encrypt integration
• HTTP/2
• Request routing
• Load-balancing algorithm

Figure: NGINX Controller provides a UI to centrally manage and monitor NGINX Plus.

For more information, visit nginx.com or send us an email at [email protected]

NGINX and NGINX Plus are registered trademarks of NGINX, Inc.