You can install PingIntelligence sideband policy on NGINX Plus R22 or R23 systems with PingAccess agent.
- API Security Enforcer (ASE) is installed, and the pre-conditions listed under prerequisites for PingIntelligence are met.
- PingAccess and PingFederate are installed.
- PingAccess agent is installed and configured on NGINX. For more information, see PingAccess Agent for NGINX.
- PingAccess is configured to use PingFederate as a token provider and token introspection is enabled on PingAccess. For more information, see Configure PingFederate as the token provider for PingAccess.
Configure the nginx.conf file to set up NGINX Plus and the PingIntelligence sideband policy. Complete the following steps to integrate the sideband policy:
- Verify that NGINX has restarted by entering the following command:
# netstat -tulpn | grep <NGINX port number>
For example: # netstat -tulpn | grep 4443
- Configure API JSON file as explained in Configuring API JSON to extract user information.
Sample nginx.conf file: the following is a sample nginx.conf file.
# Sample nginx.conf for NGINX Plus with the PingAccess agent (paa) and the
# PingIntelligence ASE sideband integration modules loaded.
# Addresses, ports, hostnames and the ASE token below are sample values and
# must be replaced for a real deployment.
user nginx;
worker_processes auto;
# "debug" is the most verbose error_log level; it records request details and
# should normally be lowered (e.g. warn/error) outside of troubleshooting.
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
# ASE sideband modules (request/response hooks) and the PingAccess agent module.
load_module modules/ngx_ase_integration_module.so;
load_module modules/ngx_http_ase_integration_request_module.so;
load_module modules/ngx_http_ase_integration_response_module.so;
load_module modules/ngx_http_paa_module.so;
events {
    worker_connections 1024;
}
http {
    # PingAccess agent http-level configuration. NOTE(review): $oauth_url used
    # by the /introspect location below is not defined in this file; it is
    # presumably defined here — confirm.
    include /etc/nginx/paa/http.conf;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    # Upstream group for ASE; its name matches the ase_integration URL host,
    # the Host header and the SNI value set further down. Both entries point to
    # the same sample address, the second as a backup.
    upstream test.ase.pi {
        server 127.1.1.1:8443 max_fails=1 max_conns=100 fail_timeout=10;
        server 127.1.1.1:8443 max_fails=1 max_conns=100 fail_timeout=10 backup;
        keepalive 32;
        # keepalive_timeout 3600s; # NOT allowed < 1.15.3
    }
    server {
        # TLS listener for API clients.
        listen 44444 ssl bind;
        server_name localhost;
        ssl_certificate /etc/nginx/ssl/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/key.pem;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        add_header Allow "GET, POST, HEAD" always;
        # Protected API: ase_integration_request runs the ASE sideband check
        # before proxying, ase_integration_response reports the response back.
        location /todo/api-only {
            ase_integration_request;
            proxy_pass https://172.16.40.38:8443/todo/api-only;
            # Backend certificate is not validated with this setting; the sample
            # backend is addressed by IP, so verification would need a trust
            # store and name to check against.
            proxy_ssl_verify off;
            ase_integration_response;
        }
        # Second API proxied without the ASE sideband directives.
        location /shopapi {
            proxy_pass https://172.16.40.70:4100/shopapi;
            # Backend certificate is not validated (see note above).
            proxy_ssl_verify off;
        }
        #DO NOT EDIT BELOW VARIABLE
        # Correlation ID sent with both the request and response sideband
        # calls so ASE can pair them.
        set $correlationid $pid-$request_id-$server_addr-$remote_addr-$remote_port-$request_length-$connection;
        #Certificate location of ASE
        set $certificate /etc/ssl/nginx/test.ase.pi;
        #ASE Token for sideband authentication
        # This is a shared secret stored in clear text in nginx.conf; the value
        # here is a sample. Restrict read access to this file accordingly.
        set $ase_token 76748f33353940efab31e9fbe15d930a;
        #Host header which should be sent to ASE
        set $ase_host test.ase.pi;
        #SNI value to use for ASE
        set $ase_ssl_host test.ase.pi;
        #ASE Request Proxy Configuration
        location = /ase/request {
            internal;
            ase_integration https://test.ase.pi;
            ase_integration_method "POST";
            ase_integration_http_version 1.1;
            ase_integration_ase_token $ase_token;
            ase_integration_correlation_id $correlationid;
            ase_integration_host $ase_host;
            # set token key here.
            ase_integration_token_key access_token;
            # A trust store is configured but verification is switched off
            # below, so the ASE certificate is not actually checked; turning
            # ase_integration_ssl_verify on makes $certificate effective.
            ase_integration_ssl_trusted_certificate $certificate;
            ase_integration_ssl_verify off;
            ase_integration_ssl_verify_depth 1;
            # SNI is disabled here even though $ase_ssl_host is set on the
            # next line; enable ase_integration_ssl_server_name for the SNI
            # value to be sent.
            ase_integration_ssl_server_name off;
            ase_integration_ssl_name $ase_ssl_host;
            ase_integration_next_upstream error timeout non_idempotent;
        }
        #ASE Response Proxy Configuration
        # Mirrors /ase/request, minus the token key; same TLS notes apply.
        location = /ase/response {
            internal;
            ase_integration https://test.ase.pi;
            ase_integration_method "POST";
            ase_integration_http_version 1.1;
            ase_integration_ase_token $ase_token;
            ase_integration_correlation_id $correlationid;
            ase_integration_host $ase_host;
            ase_integration_ssl_trusted_certificate $certificate;
            ase_integration_ssl_verify off;
            ase_integration_ssl_verify_depth 1;
            ase_integration_ssl_server_name off;
            ase_integration_ssl_name $ase_ssl_host;
            ase_integration_next_upstream error timeout non_idempotent;
        }
        # Internal-only subrequest target for token introspection; not
        # reachable directly from clients.
        location /introspect {
            internal;
            proxy_method POST;
            # Token is taken from the auth_token query argument if present...
            if ($arg_auth_token) {
                set $auth_token $arg_auth_token;
            }
            # ...and overridden by a Bearer token from the Authorization header
            # when one matches; $3 is the third capture group (the token).
            if ($http_authorization ~* .*?(bearer)(\s+)([-a-zA-Z0-9._~+/]+)(,|\s|$)) {
                set $auth_token $3;
            }
            #proxy_set_header Content-Type "application/x-www-form-urlencoded";
            # The client request body is not forwarded to the introspection endpoint.
            proxy_pass_request_body off;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            # $oauth_url is not defined in this file (see include above).
            proxy_pass $oauth_url;
            proxy_read_timeout 60;
            # The inbound Authorization header is cleared before forwarding.
            proxy_set_header authorization "";
        }
    }
    include /etc/nginx/conf.d/*.conf;
}