Ask NGINX | May 2019

Every month, we take a moment to share the expertise of our team, and answer a number of great questions we’ve received from both our customers and open source users. These questions range from how to use our products in a variety of use cases to how to effectively integrate third?party tools and platforms with NGINX.

These answers come from our experts including technical architects, systems engineers, and our award?winning customer support specialists.

How do I perform health checks for UDP servers in a load?balanced upstream server group?

Both NGINX Open Source and NGINX Plus perform passive UDP health checks by default: if a UDP server generates an error or times out in response to just one request, it is marked unavailable and removed from the load?balancing rotation for ten seconds. You can change the defaults for number of failures and time on a per?server basis, with the max_fails and fail_time parameters to the server directive in the upstream block.

NGINX Plus can also perform active health checks by sending separate “out-of-band” requests that test for correct server responses. Keep in mind that health checks for TCP and UDP servers are configured in the stream{} context, whereas health checks for HTTP servers are configured in the http{} context. Also, the parameters to the health_check directives in the two contexts (Stream, HTTP) vary slightly because of differences between the protocols themselves. For complete instructions, see the NGINX Plus Admin Guide.

Can NGINX Plus handle authentication with Microsoft Active Directory?

Yes. In Microsoft Azure, for example, when clients authenticate with the Microsoft identity platform they receive an OpenID Connect token in JSON Web Token (JWT) format as proof of authentication. NGINX Plus can validate JWTs and optionally perform role?based access control (RBAC) using group membership information recorded in the JWT. Offloading these tasks from backend applications and APIs not only frees up backend capacity for actual request processing, it also ensures that only properly authenticated requests ever reach the backend. For details, see Conditional Access Control with Microsoft Azure Active Directory on our blog.

You can also use NGINX Plus to configure high availability of Active Directory Federation Services (AD FS), a feature that enables single sign-on (SSO) for employees of trusted partner organizations who are accessing one another’s assets. See High Availability for Microsoft Active Directory Federation Services with NGINX Plus on our blog.

Does NGINX gather metrics about the number of website visitors or page views?

Not directly, but you can feed the NGINX access log to a log?analysis tool to derive these types of metrics. For instructions on configuring the access log, see the NGINX Plus Admin Guide. For information about the types of information you can record in the access log, see the list of NGINX variables.

Can NGINX perform certificate-based client authentication for IIS web servers?

Yes. When NGINX is reverse proxying or load balancing for IIS servers (or other servers, for that matter), it can authenticate the SSL/TLS certificates presented by clients who are requesting access to protected content hosted by the servers.

Enable authentication of client certificates with the ssl_verify_client directive, either globally (in the http context) or for particular domains (in the server context corresponding to each domain). The ssl_client_certificate directive names the file containing the trusted certificates (or use ssl_trusted_certificate if you do not want NGINX to share the list of certificates with clients).

Note that the IIS server cannot also directly inspect or validate the client certificate in this scenario, because NGINX cannot establish an HTTPS connection to the IIS server and authenticate it using the certificate. Instead, NGINX can pass the certificate to the IIS server in an HTTP header, which the IIS server inspects to extract the relevant data. The client certificate data is captured in the $ssl_client_escaped_cert variable.

Ask Us!

Got a question for our Ask NGINX series? Leave a comment below or get in touch with our team, and we’ll be happy to help!

Posted by Web Monkey