NGINX is a high performance webserver designed to handle thousands of simultaneous requests and has become one of the most deployed web server platforms on the Internet. Kemp LoadMaster can provide Single Sign-On across multiple applications including those hosted on NGNIX. LoadMaster offers a number of authentication options including Active Directory, Kerberos Constrained Delegation (KCS), LDAP, RADIUS and SAML and provides a single point of control for user access to applications. Two factor authentication schemes are also supported.
- SSL Offload - Remove the security processing and administration overhead from NGNIX servers to the reverse proxy
- Web Acceleration - Caching and compression of content on the Reverse Proxy along with optimizations such as HTTP/2 provide a better user experience
- Security - A Reverse Proxy can protect NGNIX and other resources by offering features such as single sign-on (SSO) and IPS/IDS
- Web Application Protection - A web application firewall (WAF) deployed on the Reverse Proxy can protect applications from well known and emerging threats
- Load Balancing - a Reverse Proxy can load balance user traffic between NGNIX and other servers based on multiple criteria such as server availability, load, request type and even geographic location.
Kemp LoadMaster ticks all the boxes for an easily deployed reverse proxy that secures and enhances the application delivery infrastructure. It is available as a virtual appliance that may be deployed on a local hypervisor, as a virtual appliance on major cloud platforms and as a physical device. Regardless of the deployment model, Loadmaster is a proven, easily managed, supported and fully featured Reverse Proxy for NGNIX and other web server environments.
Fig 1. LoadMaster SSO topology for NGNIX and AD
IIn fig 1. above, users are presented with a custom authentication form where the credentials provided are authenticated via LoadMaster. LoadMaster supports multiple SSO domains for different groups (e.g. Staff or Partners) on different security domains. Once authenticated, the remote user can seamlessly access the SSO enabled applications – in this case NGNIX, Exchange OWA and Sharepoint.
Getting your SSO Enabled Load Balancer for NGINX
LoadMaster is available as a 30 day trial or if you have traffic requirements of less than 20Mbit/s then you can have a LoadMaster for free. The trials are delivered as pre-built appliances for the major hypervisor platforms or if you wish, you can select the trial and free versions from the Azure and Amazon Web Services (AWS) marketplaces.
Configuring Load Balancing and SSO for NGINX
The LoadMaster documentation set provides guidelines on how to deploy and configure a LoadMaster appliance to load balance application workloads on NGINX and how to configure advanced features such as single sign-on and reverse proxy for NGINX. The following documents will assist with getting started with SSO for NGNIX.
- Configuring Kerberos (KCD) authentication and SSO
- Authentication & SSO configuration with Kemp ESP (Edge Security Pack)
- Setting up RADIUS SSO and Authentication
- Authentication and SSO using SAML
Custom images for user authentication dialogs can be downloaded here
Load Balancing Features for NGINX
As well as offering SSO services, LoadMaster delivers a wide range of features to enhance the performance, availability and manageability of application delivery infrastructure.
- SSL Offload – LoadMaster can offload the SSL processing workload from the NGINX servers and also provide a single point of administration for SSL certificates and security.
- Context Switching – Redirection of requests to back end servers based on the content of the request
- DDOS Protection – LoadMaster includes a snort compatible engine to offer DDOS protection for NGNIX servers
- Authentication – The Edge Security Pack in LoadMaster provides comprehensive authentication and single sign-on services for NGNIX
- Reverse Proxy ‐ LoadMaster can act as a reverse proxy for NGNIX environments
- Caching and Compression – LoadMaster uses caching and compression as a way to improve NGNIX performance
- SSL Redirect – Redirection of all non-HTTPS requests to HTTPS
- Intelligent Session Persistence – Multiple options available to ensure clients are load balanced to the same server for the session lifetime
- Web Application Firewall (WAF) – The LoadMaster WAF for NGNIX provides application level protection from common and day-zero vulnerabilities
- Global Load Balancing (GSLB) – Load balance NGNIX across multiple physical locations including cloud to provide disaster recovery failover and geo-aware traffic distribution.