Four ways to boost your NGINX web server

Intro­duc­ing NGINX — SGX web server

NGINX is an open-source web serv­er, designed for max­i­mum per­for­mance and stability.

If you are devel­op­ing a web appli­ca­tion and you want to host this appli­ca­tion, you might have a tough time han­dling all incom­ing requests. There­fore you might expe­ri­ence many down­times of your serv­er while han­dling a hand­ful of requests. NGINX is a web serv­er that solves such effi­cien­cy issues because it pro­vides you with the tools to opti­mal­ly han­dle thou­sands of requests at the same time. This is why NGINX is one of the most reli­able servers out there.

With enclaive NGINX – Con­fi­den­tial Com­pute Enter­prise Enclave 4 SGX you can now boost your “old” NGINX web serv­er with the encryp­tion func­tion­al­i­ties of Intel® Soft­ware Guard Exten­sions (SGX).

What does this mean? Our NGINX-SGX can now pro­tect all your data from insid­er and out­sider attacks. NGINX-SGX com­bines the con­fi­den­tial com­put­ing tech­nol­o­gy used with­in Intel® SGX with the NGINX web serv­er. The appli­ca­tion code is now exe­cut­ed with­in this secure enclave while being sent back to the requester of the spe­cif­ic URL con­tent. NGINX-SGX pro­vides this “black box” that now holds the entire con­tent request­ed, mak­ing sure there will be no leaks of sen­si­tive data. There­fore, it deliv­ers a fast and effec­tive way to pro­tect NGINX-served data against unau­tho­rized use.

How we boost your NGINX web server

Tai­lor-made for con­fi­den­tial computing

By lever­ag­ing Intel® SGX-enabled CPUs and enclaive’s Enter­prise Enclaves soft­ware, we pro­vide you with a ful­ly encrypt­ed NGINX web serv­er. With a sin­gle com­mand, enclaive auto­mat­i­cal­ly cre­ates a secure enclave that iso­lates and encrypts all appli­ca­tion resources in run­time, at rest, and on the net­work to achieve the strongest end-to-end data pro­tec­tion available. 

The focus of SGX is to pro­tect sen­si­tive data against untrust­ed users, even on already com­pro­mised sys­tems. How is this acchieved? With the help of hard imple­ment­ed secu­ri­ty and cryp­to mech­a­nism inside the CPU itself. These enclaves are only acces­si­ble from inside them­selves and plain text is only vis­i­ble dur­ing the pro­cess­ing inside the CPU. There­fore, keep­ing the stored infor­ma­tion safe at any giv­en moment.

Great per­for­mance com­bined with great confidentiality

NGINX is a free and wide­ly used open-source web serv­er, reverse proxy, load bal­ancer, mail proxy, and cache. How­ev­er, NGINX has a vul­ner­a­bil­i­ty com­mon to vir­tu­al­ly all appli­ca­tions. It stores data in plain text in mem­o­ry and an insid­er can eas­i­ly scan mem­o­ry using pub­lic scan­ning tools to gain unfet­tered access to any sen­si­tive infor­ma­tion stored in mem­o­ry. But this will not hap­pen with our enclaive NGINX–SGX. Our con­tain­ers pro­tect that data and the appli­ca­tion itself from any insid­er attacks, even when the host is com­plete­ly com­pro­mised. And if some­one stops or inter­rupts a run­ning enclave, any con­text infor­ma­tion like reg­is­ters is removed from the CPU. There­fore by inter­rupt­ing the enclave an attack­er can­not gain any infor­ma­tion from the enclave.

Easy deploy­ment

Fur­ther­more, enclaive NGINX-SGX con­tain­ers are high­ly secure and built to work right out of the box. You don’t need to change the appli­ca­tion code or SDKs. Because our intu­itive and self-con­tained dock­er con­tain­ers make infra­struc­ture con­fig­u­ra­tion easier.

Remote­ly attestable

By lever­ag­ing NGINX-SGX you are auto­mat­i­cal­ly pro­tect­ing every sin­gle per­son­al­ly iden­ti­fi­able infor­ma­tion on your web­site. Our con­tain­ers sat­is­fy every pri­va­cy leg­is­la­tion: we keep your data always encrypt­ed, in every part of the data life­cy­cle, mak­ing sure your busi­ness stays GDPR-com­pli­ant. Any user or legal audi­tor may attest at any moment to the integri­ty and con­fi­den­tial­i­ty of both code and data. Any pri­vate or per­son­al data shared through the web serv­er will now be com­plete­ly encrypt­ed with­in this “black box”. There­fore, no data leak­age can occur dur­ing the data pro­cess­ing time span.

Are you curi­ous about try­ing SGX pow­ered NGINX web server?

This sounds inter­est­ing to you, but you don’t want to use the entire next week to com­plete­ly change your imple­men­ta­tion? No wor­ries: NGINX–CCEE4SGX pro­vides a pre-con­fig­ured instance and step-by-step instruc­tions that help you to quick­ly get a ful­ly secure NGINX run­ning in an enclave on all instances.

So why are you still read­ing? Try it out now here. Free of charge, of course!