Unrestricted access to NGINX+ API interface (read/write)
Description
NGINX Plus includes the ngx_http_api_module module, which provides a REST API for real-time monitoring and configuration management, including the ability to view status information, modify upstream server groups, and manage key-value pairs without reloading the server.
This vulnerability occurs when the NGINX Plus API is exposed without authentication controls and configured with read-write permissions. This allows any network-accessible user to interact with the API and modify the NGINX Plus configuration dynamically. The lack of access restrictions on this sensitive management interface creates a significant security risk.
Remediation
Implement access controls to restrict the NGINX Plus API interface to authorized users and networks only. Follow these steps:
1. Restrict API access by IP address:
Configure the API location block to allow access only from trusted IP addresses or networks. NGINX evaluates allow/deny rules in the order they appear, so the final deny all must come last:
location /api {
    api write=on;
    allow 10.0.0.0/8;        # Allow internal network
    allow 192.168.1.100;     # Allow specific admin IP
    deny all;                # Deny all other access
}
2. Implement authentication:
Add HTTP Basic Authentication to the API endpoint:
location /api {
    api write=on;
    auth_basic "NGINX Plus API";
    auth_basic_user_file /etc/nginx/.htpasswd;
    allow 10.0.0.0/8;
    deny all;
}
3. Consider setting the API to read-only mode if write access is not required:
location /api {
    api write=off;           # Read-only mode
    # ... access controls ...
}
4. Use HTTPS:
Ensure the API is only accessible over encrypted connections to protect credentials and sensitive data in transit.
5. Monitor API access:
Enable logging for the API endpoint to detect unauthorized access attempts.