This integration enables users of the NGINX Proxy Manager (NPM) to protect their web applications and web APIs by easily activating and configuring open-appsec protection for each of the configured Proxy Host objects in NPM directly from the NPM Web UI and monitor security events. Alternatively open-appsec, when integrated with NPM, can also be managed by central WebUI (SaaS).

About NGINX Proxy Manager:

Nginx Proxy Manager is a popular open-source project that simplifies the management of NGINX reverse proxy configurations, offering a user-friendly web-based interface for easy setup and maintenance. It was created by “jc21” (https://www.jc21.com/). This project is particularly useful for individuals and organizations looking to streamline the deployment of web applications and services by efficiently managing multiple domains and subdomains through a centralized interface. With NGINX Proxy Manager, users can effortlessly create and manage SSL certificates, enabling secure HTTPS connections for their applications, while also providing advanced features such as Let's Encrypt integration for automated certificate renewal. NGINX Proxy Manager (NPM) is based on NGINX and provided as a container image that can be easily deployed in containerized environments like Docker (typically using Docker Compose) or others. NPM itself does not include any WAF solution for effective Threat Prevention against modern attacks or Zero day attacks. Website and Docs: nginxproxymanager.com Github: www.github.com/NginxProxyManager

Integration of open-appsec WAF with NGINX Proxy Manager:

With this integration, we are focusing on maximum simplicity for the user to maintain the low entry barrier as a key design principle of the NGINX proxy manager (NPM) project, which we want in the same way to apply also to the addition of open-appsec.

The actual deployment of NPM with open-appsec is performed using a slightly enhanced docker-compose file (see below) which also adds the open-appsec agent container to it, which will perform the actual security inspection. The NGINX proxy manager container deployed as part of the docker-compose is using the “nginx-proxy-manager-attachment” or the "nginx-proxy-manager-centrally-managed-attachment" images, provided by the open-appsec team, which are based on the regular NPM code but also add the open-appsec attachment to it as an NGINX module. This attachment enables the connection between the NGINX and the open-appsec agent and provides the HTTP data for inspection to the agent. The “nginx-proxy-manager-attachment” image also contains various NPM WebUI enhancements and the integration logic allowing the configuration, administration and monitoring of open-appsec directly from the NPM WebUI. You can read more about open-appsec’s technology here: https://www.openappsec.io/tech

The resulting architecture with the open-appsec Agent container and the NGINX Proxy Manager container then looks like this:

How does this integration work?

open-appsec was developed from the start in a way that would allow two alternative main ways of managing the open-appsec configuration:

• a user-friendly WebUI for central management (available at my.openappsec.io as a SaaS service)

• a local declarative configuration which is especially suitable for GitOps CD processes, Dev(Sec)Ops flows, etc.

With the new open-appsec NGINX Proxy Manager (NPM) integration now it is possible to manage open-appsec directly from within the NPM WebUI (in addition to the option to manage open-appsec from central open-appsec WebUI (SaaS) or locally with declarative configuration).

When managing open-appsec from the NGINX Proxy Manager UI, any changes to the open-appsec configuration are saved in the /ext/appsec folder in the local_policy.yaml file. This configuration file is volume-mounted (see docker compose) to both, the open-appsec agent container “appsec-agent” as well as the NPM container “appsec-npm”. This allows the open-appsec agent to automatically apply any changes observed in that file within a short time.

In order to allow the open-appsec agent to inspect traffic arriving at the NPM (NGINX) container an open-appsec “attachment” was added to the original NPM container, which technically is an NGINX module which is loaded based on a load_module directive added to the nginx.conf. This “attachment” is responsible for sending the content of incoming http as well as https requests to the open-appsec “agent” container, which will perform the inspection using machine learning and then notify the attachment about the decision, if traffic should be blocked or if it can pass.

Contribution

We are looking forward to receiving your contributions via the project’s GitHub repo. Please also let us know via info@openappsec.io if you intend to contribute in some way so we can provide you some initial feedback and perhaps align with some improvements we might be already working on on our side.