M.A.X. IT secures all its applications with NGINX
October 2018 by Marc Jacob
Achieving enhanced security and saving time & effort with effortless installation, configuration and ongoing management.
m.a.x. Informationstechnologie AG (m.a.x. IT) is a well-established IT solution partner and managed service provider from Munich. Since 1989, m.a.x. IT has supported medium-sized and large companies with solutions for IT infrastructure and software development. These solutions enable their clients to maintain competitiveness as well as optimize their IT spend.
As a managed service provider hosting critical applications for many enterprises, m.a.x. IT cannot compromise on reliability, availability, and security. They were using Apache as a reverse proxy, but it had limited security capabilities. Upgrading security became the topmost priority in order to address their clients’ concerns. They wanted to implement virtual patching – a rapid way to address public vulnerabilities – and needed a more stable solution that handled upstream server failures gracefully. Last but not least, they wanted a nimble solution that enabled them to perform operational tasks, such as making configuration changes and troubleshooting, faster. In sum, they wanted to undertake a complete overhaul of their existing infrastructure to improve their reliability and operational agility and achieve high security.
m.a.x. IT considered many other vendors and settled on NGINX Plus. Reasons? NGINX Plus is the only solution that met all their needs. Simplicity and ease of use during the installation and configuration phases were very beneficial. They were able to achieve robust security with the NGINX WAF capability, which enables them to apply ModSecurity commercial rules. They were also able to apply password and IP range restrictions on specific web paths.
To improve performance on the backend, they were able to use NGINX Plus to offload SSL/TLS processing in both directions.
From an operational standpoint, m.a.x. IT has implemented active health checks with NGINX Plus, resulting in improved availability: any upstream server failure is automatically detected and NGINX Plus spreads the load across the remaining servers. Load balancing is now based on the Least Time algorithm. With this method, NGINX Plus selects the upstream server with the lowest average latency and lowest number of active connections, thereby maximizing performance of web applications. Dynamic reconfiguration using the NGINX Plus API allows them to update upstream configurations such as rewriting of URLs without resulting in any downtime for their customers. NGINX Plus’ live activity monitoring provides critical insights into the health and performance of their applications.
“We tried to honestly consider other solutions. They all lost because of NGINX’s ease of use, its simplicity and cleanliness of installation and configuration, on the fly reconfiguration of upstream nodes via a web GUI, and overall stable and professional feel of the complete setup.”
– Patrick Bestek, IT Security Manager
Comprehensive Security with NGINX WAF
With NGINX WAF, they are able to detect and prevent a wide range of Layer 7 attacks including SQL injection (SQLi), cross-site scripting (XSS), and Local File Include (LFI), which together account for over 90% of known Layer 7 attacks. They were also able to maintain detailed logs about all transactions including requests, responses, and visibility into which rules were activated. These capabilities helped the team to meet their customers’ requirements and thereby retain their business.
Improved Reliability and Availability
m.a.x. IT was able to achieve higher reliability with live activity monitoring. They were able to detect and resolve issues faster.
According to Patrick, “Apache 2 needed more restarts than NGINX Plus when making changes to the configuration or loading new modules. The live activity monitoring capability available from the web GUI monitors the health of any upstream server. It allows us to quickly remove any unhealthy servers. We are able to spot problems sooner compared to Apache 2.”
Active health checks and executing configuration changes without any downtime helped improve availability. Furthermore, it is very easy to make configuration changes using NGINX Plus’ dynamic reconfiguration capability – there’s no steep learning curve.
“Due to the clear and simple setup of NGINX Plus with WAF, configuration changes and maintenance, such as exceptions to specific rules of ModSecurity or rewriting of URLs, can take place in a faster manner compared to Apache 2. This is especially beneficial if the system administrator maintaining the configuration does so only infrequently – it’s very easy to get back into it and find one’s way again,” says Patrick.
Improved Operational Agility
Ease of use as well as the ability to make rapid configuration changes using the NGINX Plus API helps m.a.x. IT to reduce time, effort, and costs. They are able to deploy new applications faster – and this keeps their customers happy and helps them to attract new customers and stand out from the competition.