NGINX Plus’s latest release puts the focus on security

NGINX, the company behind the popular open-source NGINX server, launched the latest version (R10) of its NGINX Plus commercial offering today. Like similar open-source companies, NGINX offers its core product for free, but then charges for more advanced features and services.

Today marks the tenth major update to NGINX Plus and, as the company’s CMO Peter Guagenti and technical product marketer Faisal Memon told me, the focus of this release is squarely on adding new security features to the product. “This is the culmination of some work we’ve been putting in over the last year based on feedback from our larger enterprise customers,” Guagenti told me. He noted how NGINX has long offered some security features are part of its existing solution to, for example, help mitigate DDoS attacks.

Now, however, NGINX has integrated ModSecurity, a popular open-source web application firewall (WAF) that will also allow it to offer its paying users more advanced security tools like IP blacklisting and the ability to create application-specific rules for protecting applications.

Memon tells me that the team looked at other solutions but settled on ModSecurity because it’s actively maintained and because many of the enterprises the team talked to were already familiar with it.

Adding support for ModSecurity to an existing NGINX Plus subscription isn’t free, though, and will cost an additional $2,000 per year on top of the base fee.

Other new features in this release include support for JSON Web Tokens and dual-stack ECC-RSA certificates. Both of these features may not sound all that exciting, but the support for tokens will make adding support for single-sign-on solutions easier, for example, while ECC certificates essentially represent the next generation of the RSA standard for public-key cryptography. To provide support for legacy applications, though, these kind of dual-stack solutions remain necessary.

NGINX Plus R10 is also the first release to offer the company’s commercial users a preview of nginScript, the company’s new JavaScript-based configuration and control service. Because it allows admins to use JavaScript, admins can not just create static configurations, for example, but also can create them programmatically.