As organizations adopt API strategies to allow for faster innovation, it has become increasingly important to gather API traffic insights, which help to ensure customer satisfaction and maximize business value. These insights are made available by leveraging data science and applying machine learning to data derived from API traffic. But analyzing API traffic requires either tapping into the network or being fed metadata indirectly by a participant that has visibility into this API traffic, such as a gateway or load balancer. This is not always an easy task, and today many organizations complain about a lack of visibility into the entirety of their API traffic.
The reasons for this limited visibility are manifold. APIs are published to different environments, often using different stacks with different technologies, and the visibility each provides is disjointed and has gaps. In some cases, rogue APIs bypass API governance systems and practices altogether. In still other cases, APIs evolve and leave behind old versions that are still running but have fallen off the organization’s radar.
We at Ping believe that API security is paramount, and PingIntelligence for APIs is able to monitor all your API traffic, from all your environments, to enhance that security. We are constantly working on maximizing this reach by integrating with technologies that are most likely to be processing API traffic in the first place. One such integration is with NGINX, one of the two dominant web server technologies in use today.
API Management with NGINX
NGINX is privy to an impressive chunk of web traffic. The best web technologists reuse the same core tools they trust from project to project, and NGINX built a reputation for being fast, powerful and stable. It’s not surprising, then, that when web APIs became a popular technology pattern, NGINX became one of the common tools on top of which many core API management requirements came to be implemented, such as routing, rate limiting, authentication and more. Not only does NGINX see a lot of web traffic, it sees a lot of API traffic specifically.
The mechanism for extending NGINX is an important contributor to its enduring success. There is a rich list of open-source and third-party modules built for NGINX, and entire systems and platforms are built around this core technology. We see NGINX as a strategic point of data collection when it comes to feeding API traffic metadata into our specialized AI solution for API security: PingIntelligence for APIs.
Here’s how PingIntelligence for APIs integrates with NGINX. It receives API traffic metadata via a component named the API Security Enforcer (ASE). The ASE receives this information as a sidecar to NGINX; it does not inject itself into the API path. It is also through ASE that PingIntelligence for APIs communicates back to the API traffic node whether an API client should be blocked. All interactions between NGINX and PingIntelligence for APIs go through this ASE. The NGINX integration is composed of three separate modules:
The first module provides a communication channel to the sideband ASE and is used by the other two modules. The request module installs an event handler in the ngx_http_access_phase; the handler collects the relevant metadata about the incoming API call and sends it to the ASE, which returns a blacklist status for the API client in play. The actual analysis of the API metadata happens out-of-band. The response module installs a response filter that correlates the API response metadata with the preceding request, again for out-of-band analysis. You can download these libraries here. A provided script captures the ASE configuration in nginx.conf, and the modules can be built and started in static or dynamic mode.
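The flow just described, modelled as an added example that is not the PingIntelligence or NGINX module code: AseStub, access_phase, response_filter and the fail_open switch are hypothetical names standing in for the sidecar, the access-phase handler and the response filter, and the traffic in demo() is constructed.

```python
import itertools
class AseStub:
    """Hypothetical stand-in for the API Security Enforcer sidecar: holds the
    blocklist of tokens and client IPs and keeps request metadata until the
    matching response arrives for out-of-band analysis."""
    def __init__(self, blocked_tokens=(), blocked_ips=()):
        self.blocked_tokens = set(blocked_tokens)
        self.blocked_ips = set(blocked_ips)
        self.pending = {}   # correlation id -> request metadata
        self.records = []   # correlated request/response pairs

    def check_request(self, corr_id, meta):
        """Store the request metadata; return True if the client is blacklisted."""
        self.pending[corr_id] = meta
        return meta["token"] in self.blocked_tokens or meta["client_ip"] in self.blocked_ips

    def record_response(self, corr_id, status, latency_ms):
        """Join response metadata to its request; False if nothing is pending under corr_id."""
        req = self.pending.pop(corr_id, None)
        if req is None:
            return False
        self.records.append({**req, "status": status, "latency_ms": latency_ms})
        return True

_corr_ids = itertools.count(1)

def access_phase(ase, request, fail_open=True):
    """Models the request module: collect metadata at the access phase, consult the
    sidecar, and return (corr_id, 403) for a blacklisted client, else (corr_id, None).
    fail_open is an assumption for when the sidecar is unreachable, not product behaviour."""
    corr_id = next(_corr_ids)
    meta = {k: request.get(k) for k in ("method", "path", "client_ip", "token")}
    try:
        blocked = ase.check_request(corr_id, meta)
    except ConnectionError:
        blocked = not fail_open
    return corr_id, (403 if blocked else None)

def response_filter(ase, corr_id, status, latency_ms):
    """Models the response module: hand the response metadata back to the sidecar."""
    return ase.record_response(corr_id, status, latency_ms)

def demo():
    """Constructed traffic: one clean call, then one carrying a blocked token."""
    ase = AseStub(blocked_tokens={"tok-bad"})
    cid, verdict = access_phase(ase, {"method": "GET", "path": "/v1/accounts", "client_ip": "203.0.113.7", "token": "tok-ok"})
    response_filter(ase, cid, 200, 12)
    _, blocked = access_phase(ase, {"method": "GET", "path": "/v1/accounts", "client_ip": "203.0.113.8", "token": "tok-bad"})
    return verdict, blocked, ase.records
```

The point to take from the model is that the blocking decision is the only thing on the request path; the request/response join and the analysis behind the blocklist sit beside it.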
For its part, PingIntelligence for APIs itself requires little to no configuration. Once the connection is established, it receives API traffic metadata from the NGINX server. Your APIs are discovered and the history of your API traffic is preserved for later analysis. Dashboards and reports provide insights into your APIs, how your users are calling them, and detailed forensics for each token and key used to access your APIs.
In addition, the AI engine starts a machine-learning process to model API and user behaviors for each of the APIs. This modeling allows for the detection of anomalies and, when configured for it, PingIntelligence for APIs will instruct NGINX, via the ASE, to block a token or an IP address that is predicted to be associated with an API attack or abuse.
Unlocking Protection against API Attacks
Whether you use NGINX as a web server, an API gateway or a load-balancer, adding PingIntelligence for APIs to existing and new NGINX deployments lets you unlock advanced API insights and attack protection.