Securing access to the agent API
Just a quick couple of questions, we have a number of Load balancers that we frequently add/remove customers from, and thus this looks great for us as we can just generate an NGINX conf and upload it via the agent tool!
Could you outline the steps to secure the Agent? Or is it simply install the agent on an instance that already has SSH keys associated with it, clone the repo and point the config at my local SSH keys to connect?
I couldn't quite see anywhere that detailed this in the docs so wanted to double-check that the agent is secure by default before we started testing it out!
Hi @marcfielding1, thanks for your question!
We have docs on securing the REST API: https://docs.nginx.com/nginx-agent/getting-started/#enable-the-rest-interface
The configuration would look similar to this:
```yaml
api:
  # Set API address to allow remote management
  host: 127.0.0.1
  # Set this value to a secure port number to prevent information leaks
  port: 8038
  # REST TLS parameters
  cert: "<TLS-CERTIFICATE>.crt"
  key: "<PRIVATE-KEY>.key"
```
You can provide your cert/key here to allow TLS/mTLS on the API endpoint.
I'm not sure what context you mean in relation to your SSH keys? Is it repository access to the Agent binary or keys in your NGINX configuration? Or did I cover it by the API configuration I mentioned above?
Heya, thanks for your reply!
When I look at the Swagger documentation there's a PUT method for the NGINX config, but the only parameter is the file. What I was trying to figure out is how I prevent just anything from calling that endpoint.
No problem, @marcfielding1.
If you configure the appropriate TLS certs you can hit the endpoint only using the client certificate. An example configuration of this would be:
```shell
make certs
```
Add the following entry to your hosts file:
```
127.0.0.1 localhost tls.example.com
```
Configure the Agent API using the certs and host:
```yaml
api:
  host: tls.example.com
  port: 8038
  cert: "build/certs/server.crt"
  key: "build/certs/server.key"
```
Run the appropriate request to hit the appropriate endpoint:
```shell
curl -X PUT --cacert "./build/certs/ca.pem" -F 'file=@/nginx.conf' https://tls.example.com:8038/metrics/
```
Then the API is hidden behind the usage of a cert. We have no RBAC on the endpoint or Authorization header today.
Note: the above is for illustration purposes only and is not recommended for production use
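Added example, not the agent project's own code, building on the steps above: it creates a small CA with separate server and client certificates (the part `make certs` hides) and runs a read-only check that the agent API refuses requests carrying no client certificate. It assumes tls.example.com:8038 from the reply and an agent configured to require client certificates; note that curl only presents a client certificate when given --cert/--key, while --cacert alone just verifies the server.

```shell
#!/bin/sh
# Added example, not nginx-agent project code. Builds a CA, a server cert for the
# agent API host and a separate client cert, then checks from outside that the API
# refuses requests with no client cert. Assumed: host tls.example.com, port 8038.
set -eu
# make_mtls_certs DIR HOST: writes ca.pem, server.crt/.key and client.crt/.key into DIR
make_mtls_certs() {
  dir=$1; host=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=agent-api-test-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # Server cert: SAN must match the host the agent API is bound to; serverAuth only
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # Client cert: clientAuth only, so a leaked client key cannot impersonate the API
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=lb-automation-client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
  chmod 600 "$dir"/*.key
}
# check_client_cert_required URL DIR: succeeds only if a GET with no client cert gets
# no HTTP answer at all (handshake refused) while the same GET with client.crt does.
# GET, never PUT, so the check cannot change the running NGINX configuration.
check_client_cert_required() {
  url=$1; dir=$2
  code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$dir/ca.pem" "$url" || true)
  if [ "${code:-000}" != "000" ]; then
    echo "NOT PROTECTED: $url answered HTTP $code to a request with no client cert" >&2
    return 1
  fi
  code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$dir/ca.pem" \
    --cert "$dir/client.crt" --key "$dir/client.key" "$url" || true)
  if [ "${code:-000}" = "000" ]; then
    echo "UNREACHABLE: $url gave no answer even with the client certificate" >&2
    return 1
  fi
  echo "OK: anonymous request refused, client-cert request answered HTTP $code"
}
# Usage: sh check_agent_api.sh run   (the guard keeps sourcing for tests side-effect free)
if [ "${1:-}" = "run" ]; then
  make_mtls_certs ./build/certs tls.example.com
  check_client_cert_required https://tls.example.com:8038/metrics/ ./build/certs
fi
```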
Hey, sorry, I've been away on business and neglected to reply. I'll run through this today and come back with some sensible questions if they occur. Thanks a lot for your help.
Hi @marcfielding1
As there hasn't been any further response, I'm going to close this issue. If you have any other questions or need further assistance, please feel free to reopen this issue or create a new one.
Thank you!
Best regards, @oCHRISo