Unrestricted access to NGINX+ Upstream HTTP interface
Description
NGINX Plus is a commercial web server, load balancer, and content cache built on open source NGINX with additional enterprise features. The ngx_http_upstream_conf_module module provides a REST API interface for dynamically modifying upstream server groups without restarting NGINX Plus. This vulnerability occurs when the upstream configuration API endpoint is accessible without authentication, allowing unauthorized users to view and modify load balancing configurations. Unrestricted access to this interface exposes sensitive infrastructure details and enables configuration tampering.
Remediation
Restrict access to the NGINX Plus upstream configuration API using one or more of the following methods:
1. Limit access by IP address using the allow/deny directives:

   location /api {
       allow 192.168.1.0/24;   # Allow only trusted network
       deny all;               # Deny all other access
       api write=on;
   }

2. Implement HTTP Basic Authentication:

   location /api {
       auth_basic "Restricted API Access";
       auth_basic_user_file /etc/nginx/.htpasswd;
       api write=on;
   }

3. Bind the API to localhost only and use SSH tunneling or a reverse proxy for remote access:

   server {
       listen 127.0.0.1:8080;
       location /api {
           api write=on;
       }
   }

4. Combine multiple security layers for defense in depth by implementing both IP restrictions and authentication.
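The following server block is an added example (not part of the original advisory or NGINX's documentation) that combines steps 1 through 4: the management port is bound to loopback, both an IP allow-list and Basic Authentication must pass, and write access is limited to a dedicated credentials file. The port, address range, file paths and log location are placeholders to adapt to your environment.

```nginx
# Added example: hardened NGINX Plus API server block (placeholder values).
server {
    # Step 3: bind the management interface to loopback only, so it is never
    # reachable on a public interface; use an SSH tunnel or an authenticated
    # reverse proxy for remote operators.
    listen 127.0.0.1:8080;
    server_name localhost;

    # Keep a separate audit trail for every API call (placeholder path).
    access_log /var/log/nginx/api_access.log;

    location /api/ {
        # Step 1: source IP restriction. Loopback covers local tooling;
        # 192.168.1.0/24 stands in for the trusted management network.
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny  all;

        # Step 4: 'satisfy all' (the default, stated explicitly here) means a
        # request must pass BOTH the allow/deny check AND Basic Auth.
        # 'satisfy any' would let a trusted IP bypass the credential check.
        satisfy all;

        # Step 2: HTTP Basic Authentication. Create the file with
        # htpasswd and keep it readable only by the nginx user (placeholder path).
        auth_basic           "NGINX Plus API";
        auth_basic_user_file /etc/nginx/api.htpasswd;

        # Only enable writes if upstream changes are really made through the
        # API; 'api write=off' keeps the endpoint read-only otherwise.
        api write=on;
    }

    # Anything outside /api/ on this management port is refused outright.
    location / {
        return 404;
    }
}
```

After reloading, a request to /api/ from outside 192.168.1.0/24 should be denied at the IP layer (403), and a request from the trusted range without credentials should be challenged (401); only a trusted source presenting valid credentials should receive the JSON response.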
After implementing restrictions, verify that unauthorized access is properly blocked by testing from an untrusted network location.