Approov Integration With NGINX Plus

NGINX first gained popularity as a fast and efficient web server with caching, load balancing and reverse proxy capabilities. With the evolution to NGINX Plus it gained additional capabilities, such as acting as an API gateway with built-in security controls. These security controls can be further extended via dynamic modules, and we will use them to integrate Approov into the platform without changing any API code.

The history of NGINX goes back to 1999, when Igor Sysoev originally wrote code to solve the problem of getting a web server to handle more than 10K concurrent connections, known as the C10K problem. NGINX solved the C10K problem by adopting an event-driven, asynchronous architecture, an approach that made it the fastest web server available and that revolutionized how web servers work under high-throughput load. It was not until 2004 that Igor decided to open source it and co-founded NGINX, Inc. to offer commercial support and to market NGINX Plus with its additional features for enterprise customers. The company was acquired by F5, Inc. in 2019.

To prevent data breaches and fraudulent activity via your APIs, it is vital to ensure that scripts which impersonate traffic from your mobile app are unable to access your backend assets and services. For such use cases, you need something purpose-built to protect mobile businesses. The Approov integration with NGINX Plus will ensure that your API can only be accessed by genuine instances of your mobile app. Scripts and bots will be blocked. This is achieved by adding the Approov SDK to your mobile app and does not require you to change a single line of code in the API itself. Implementing the Approov Token check in NGINX Plus couldn’t be easier because the token is a regular signed JWT. All you need is to use the native NGINX JWT module to check the expiry time and verify the signature with the secret known only to the Approov cloud service and your NGINX Plus instance.

To enhance the protection of each transaction further, you can secure each request by checking the Approov Token Binding with the Approov dynamic module specially built for NGINX Plus; you can find its source code in this repo on GitHub. Token binding is an advanced Approov feature that binds a header in your request, for example the user authentication header, to the Approov token itself.
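The two checks described above (JWT signature and expiry, then token binding), written out as an added example that is not part of the original post and is not Approov's or NGINX's code. It assumes an HS256 token and that the binding travels in a `pay` claim as base64(SHA-256(bound header value)); the secret, header value and `mint_token` helper are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def binding_hash(header_value: str) -> str:
    # Assumption: binding = base64(SHA-256(bound header value)), in a "pay" claim.
    return base64.b64encode(hashlib.sha256(header_value.encode()).digest()).decode()

def mint_token(secret: bytes, claims: dict) -> str:
    """Constructed demo helper standing in for the token issuer."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def check_request(token: str, secret: bytes, bound_header: str, now=None) -> str:
    """Return "ok", or the reason the gateway should reject the request."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        given_sig = b64url_decode(sig)
    except (ValueError, TypeError):
        return "malformed"
    # Pin the algorithm: the token must not be able to select "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "bad-alg"
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):  # constant-time comparison
        return "bad-signature"
    try:
        claims = json.loads(b64url_decode(body))  # parsed only after the MAC verifies
    except ValueError:
        return "malformed"
    if not isinstance(claims, dict):
        return "malformed"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return "expired"
    # A valid token replayed with a different bound header fails here.
    want = binding_hash(bound_header).encode()
    if not hmac.compare_digest(str(claims.get("pay", "")).encode(), want):
        return "binding-mismatch"
    return "ok"
```

The order matters: the signature is verified before any claim is trusted, and the binding check is what stops a valid token from being reused alongside a different authentication header.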

Please follow this Quickstart guide to learn how to add Approov into your current NGINX Plus instance.

If you have any questions around why or how to use the Approov Integration with NGINX Plus, don’t hesitate to contact us.

Paulo Renato

Paulo Renato is known more often than not as paranoid about security. He strongly believes that all software should be secure by default. He thinks security should always be opt-out instead of opt-in and be treated as a first-class citizen in the software development cycle, instead of an afterthought when the product is about to be finished or released.