Unrestricted access to NGINX+ API interface (read only)
Description
NGINX Plus includes the ngx_http_api_module module that provides a REST API for monitoring status information, managing upstream server groups, and controlling key-value pairs without restarting the service. This API interface has been detected as publicly accessible without any authentication requirements. While the API is currently configured in read-only mode (preventing configuration changes), it still exposes internal system information that should be restricted to authorized administrators only. Unrestricted access to this interface violates the principle of least privilege and may expose sensitive operational data.
Remediation
Restrict access to the NGINX Plus API interface by implementing IP-based access controls and authentication. Apply the following configuration changes:
1. Limit access by IP address:

    location /api {
        api write=off;          # keep read-only if write access is not needed
        allow 10.0.0.0/8;       # allow internal network
        allow 192.168.1.100;    # allow specific admin IP
        deny all;               # deny all other access
    }

2. Add HTTP Basic Authentication:
    location /api {
        api write=off;
        auth_basic "NGINX Plus API";
        auth_basic_user_file /etc/nginx/.htpasswd;   # generated with htpasswd; readable by the nginx worker user only
        allow 10.0.0.0/8;
        deny all;               # with the default "satisfy all", both the IP check and the credentials must pass
    }

3. Consider using client certificate authentication for enhanced security:
    # ssl_client_certificate and ssl_verify_client are server-level directives (not valid inside a
    # location), so they belong in the TLS-enabled server block that serves /api; the per-location
    # check on $ssl_client_verify then enforces the certificate only for the API.
    server {
        ssl_client_certificate /etc/nginx/ca.crt;   # CA that issued the administrators' client certificates
        ssl_verify_client optional;                 # request a certificate on every handshake, enforce below
        location /api {
            if ($ssl_client_verify != SUCCESS) { return 403; }
            api write=off;
        }
    }

After implementing these controls, verify that unauthorized access is properly blocked and monitor access logs for any suspicious activity.
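To support the verification step, the following audit script is an added example (not part of the original finding and not NGINX's own tooling). It reads NGINX access log lines in the default "combined" format, mirrors the allow/deny rules above, and separates /api requests from non-allowlisted clients that were still served (the control is not effective) from those that were correctly rejected. The log lines, the allowlist contents and the API paths are constructed for illustration.

```python
import ipaddress
import re
from typing import Iterable

# Default NGINX "combined" log format (assumed; adjust the pattern if log_format was customised).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Allowlist mirroring the remediation's allow/deny rules (constructed for this example).
ALLOWED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.100/32")]


def is_allowed(ip: str, networks=ALLOWED) -> bool:
    """True if the client address falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed address in the log: treat as not allowed
        return False
    return any(addr in net for net in networks)


def audit_api_access(lines: Iterable[str], networks=ALLOWED, api_prefix="/api"):
    """Return (leaks, blocked): /api requests from non-allowlisted clients that received a
    2xx response versus those rejected with 401/403, the expected outcome after the fix."""
    leaks, blocked = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(api_prefix):
            continue                                  # unparseable or not an API request
        ip, status = m.group("ip"), int(m.group("status"))
        if is_allowed(ip, networks):
            continue                                  # authorised admin network, nothing to flag
        entry = {"ip": ip, "path": m.group("path"), "status": status, "time": m.group("time")}
        if 200 <= status < 300:
            leaks.append(entry)                       # outsider was served API data
        elif status in (401, 403):
            blocked.append(entry)                     # access control worked as intended
    return leaks, blocked


# Constructed sample log lines (not real traffic; documentation-range IPs).
SAMPLE_LOG = """\
10.0.5.7 - - [12/Mar/2024:10:00:01 +0000] "GET /api/9/nginx HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [12/Mar/2024:10:00:02 +0000] "GET /api/9/http/upstreams HTTP/1.1" 403 153 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2024:10:00:03 +0000] "GET /api/9/connections HTTP/1.1" 200 301 "-" "python-requests/2.31"
198.51.100.4 - - [12/Mar/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    leaks, blocked = audit_api_access(SAMPLE_LOG.splitlines())
    print(f"{len(leaks)} unauthorised API responses served, {len(blocked)} correctly blocked")
    for e in leaks:
        print("LEAK", e)
```

If NGINX sits behind a load balancer or proxy, both the allow/deny rules and this parser see the proxy's address unless the real client IP is restored (for example with the realip module), so check that first if every request appears to come from one internal host.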