Jun 20, 2018

Nginx lands $43 million Series C to fuel expansion

Nginx, the commercial company behind the open source web server, announced a $43 million Series C investment today led by Goldman Sachs Growth Equity.

NEA, which has been on board as an early investor, is also participating. As part of the deal, David Campbell, managing director at Goldman Sachs’ Merchant Banking Division, will join the Nginx board. Today’s investment brings the total raised to $103 million, according to the company.

The company was not willing to discuss valuation for this round.

Nginx’s open source approach is already well established, running 400 million websites including some of the biggest in the world. Meanwhile, the commercial side of the business has 1,500 paying customers, giving those customers not just support but additional functionality such as load balancing, an API gateway and analytics.

Nginx CEO Gus Robertson was pleased to get the backing of such prestigious investors. “NEA is one of the largest venture capitalists in Silicon Valley and Goldman Sachs is one of the largest investment banks in the world. And so to have both of those parceled together to lead this round is a great testament to the company and the technology and the team,” he said.

The company already has plans to expand its core commercial product, Nginx Plus, in the coming weeks. “We need to continue to innovate and build products that help our customers alleviate the complexity of delivery of distributed or micro service based applications. So you’ll see us release a new product in the coming weeks called Controller. Controller is the control plane on top of Nginx Plus,” Robertson explained. (Controller was launched in beta last fall.)

But with $43 million in the bank, the company wants to build out Nginx Plus even further in the next 12-18 months. It will also be opening new offices globally to add to its international presence, while expanding its partner ecosystem. All of this means an ambitious goal of increasing the current staff of 220 to 300 by the end of the year.

The open source product was originally created by Igor Sysoev back in 2002. He introduced the commercial company on top of the open source project in 2011. Robertson came on board as CEO a year later. The company has been growing 100 percent year over year since 2013 and expects to continue that trajectory through 2019.

Sep 06, 2017

Nginx goes beyond its server roots and launches its application platform

Nginx, in its commercial and open source forms, is one of the most popular load balancers, proxies, web and application servers on the internet today. But Nginx Inc, the company behind the project, wants to cast a wider net, especially now that the way developers are writing and deploying their applications is quickly changing. As the company announced at its developer conference in…

Aug 23, 2016

NGINX Plus’s latest release puts the focus on security

NGINX, the company behind the popular open-source NGINX server, launched the latest version (R10) of its NGINX Plus commercial offering today. Like similar open-source companies, NGINX offers its core product for free, but then charges for more advanced features and services. Today marks the tenth major update to NGINX Plus and, as the company’s CMO Peter Guagenti and technical…

Jun 22, 2016

NGINX’s Amplify monitoring tool is now in public beta

NGINX today launched Amplify, its new application monitoring tool, out of private beta. While the cloud-based tool is still officially in beta, it’s now available to all NGINX users, both those who run the paid NGINX Plus edition and those on the free open-source version. As NGINX CEO Gus Robertson and CMO Peter Guagenti told me, the company’s users told the team that they wanted to…

Sep 16, 2015

NGINX Brings HTTP/2 Support To Its Commercial Release

NGINX, the well-funded and increasingly popular web and application server company, today announced that it now supports HTTP/2, the next generation of the HTTP standard, in its latest commercial release. The company, which already offered some HTTP/2 support in its free open source product, today released NGINX Plus R7 to its customers. While HTTP/2 support is definitely the highlight of…

Oct 15, 2014

How to close POODLE SSLv3 security flaw (CVE-2014-3566)

Padding Oracle On Downgraded Legacy Encryption

POODLE security flaw disables SSLv3 secure browsing (CVE-2014-3566)

First off, the naming “convention” as of late for security issues has been terrible. The newest vulnerability (CVE-2014-3566) is nicknamed POODLE, which at least is an acronym and, as per the header above, has some meaning.

In summary, this issue is much the same as the earlier B.E.A.S.T. (Browser Exploit Against SSL/TLS); however, in this case there is no known mitigation other than entirely disabling SSLv3 support. In short, an attacker has a vector by which they can retrieve the plaintext from your encrypted streams.

So let’s talk mitigation. The Mozilla Security Wiki’s Server Side TLS page has for some time made strict recommendations on ciphers and protocols, and is certainly worth your attention.

Apache

Disable SSLv2 and SSLv3 in your Apache SSL configuration by setting:
SSLProtocol all -SSLv2 -SSLv3

Nginx

Allow support only for TLS in Nginx with the following:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

MySQL

This is where things get far more interesting: unlike Apache and Nginx, MySQL has no way to allow or disallow entire protocols of the SSL/TLS spec; it does, however, let you specify the cipher suites to be used for SSL communication.

As such, to remove SSLv3 support from MySQL you need only ensure that none of the SSLv3 ciphers are in use within your configuration.

As per information in this bug, you can find a list of SSLv3 ciphers by simply running:
openssl ciphers -v 'DEFAULT' | awk '/SSLv3 Kx=(RSA|DH|DH(512))/ { print $1 }'
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
AES256-SHA
CAMELLIA256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Removing the above from your ssl-cipher configuration should disable SSLv3 support; of course, ensuring your MySQL service is NOT generally accessible is by far one of the most important steps you can take in securing your MySQL deployment against CVE-2014-3566.

You can read more about POODLE here.

The following script will help to identify support for any non-SSLv3 ciphers; unfortunately, in my limited testing I have yet to have found a supported non-SSLv3 cipher.

Formatting is an issue for the script, so please see the GitHub gist.
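The filtering the post does with awk, and the audit of an existing ssl-cipher value, as an added example (not code from the original post or from the MySQL Performance Blog). It parses the verbose `openssl ciphers -v` format, splits suites by the protocol column, emits a MySQL `ssl-cipher` value with every SSLv3 suite removed, and reports which entries of an existing value would still let SSLv3 be negotiated. It matches on the protocol column alone rather than on `Kx=`, which is the property that actually matters for POODLE. The embedded listing is constructed, modelled on OpenSSL 1.0.1 output; run the real command to see what your own build offers.

```python
"""Filter SSLv3 cipher suites out of an `openssl ciphers -v` listing.

Added example, not code from the original post. The sample listing is
constructed (modelled on OpenSSL 1.0.1 output), not captured from a host.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `openssl ciphers -v 'DEFAULT'` output.
SAMPLE_OPENSSL_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
"""


@dataclass(frozen=True)
class CipherSuite:
    name: str
    protocol: str   # lowest protocol version OpenSSL reports (SSLv3, TLSv1, TLSv1.2)
    kx: str         # key exchange
    au: str         # authentication
    enc: str        # bulk cipher
    mac: str        # MAC, or AEAD
    export: bool    # export-grade (deliberately weakened key size)


# One line of `openssl ciphers -v`: NAME PROTO Kx=.. Au=.. Enc=.. Mac=.. [export]
_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)


def parse_openssl_ciphers(text: str) -> List[CipherSuite]:
    """Parse the verbose listing into records; refuse lines we do not recognise."""
    suites = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        suites.append(CipherSuite(
            name=m["name"], protocol=m["proto"], kx=m["kx"], au=m["au"],
            enc=m["enc"], mac=m["mac"], export=m["export"] is not None,
        ))
    return suites


def sslv3_cipher_names(suites: List[CipherSuite]) -> List[str]:
    """Suites OpenSSL reports as usable under SSLv3: the ones to drop."""
    return [s.name for s in suites if s.protocol == "SSLv3"]


def mysql_ssl_cipher_value(suites: List[CipherSuite]) -> str:
    """Colon-separated value for MySQL's ssl-cipher option, SSLv3 suites removed."""
    return ":".join(s.name for s in suites if s.protocol != "SSLv3")


def audit_ssl_cipher_value(configured: str, suites: List[CipherSuite]) -> List[str]:
    """Entries of an existing ssl-cipher value that are SSLv3 suites, in config order."""
    sslv3 = set(sslv3_cipher_names(suites))
    return [name for name in configured.split(":") if name in sslv3]


if __name__ == "__main__":
    parsed = parse_openssl_ciphers(SAMPLE_OPENSSL_OUTPUT)
    print("SSLv3 suites to remove:", ", ".join(sslv3_cipher_names(parsed)))
    print("ssl-cipher =", mysql_ssl_cipher_value(parsed))
    # Hypothetical existing my.cnf value, constructed for the demo.
    print("offending:", audit_ssl_cipher_value("AES256-SHA:DHE-RSA-AES256-GCM-SHA384:RC4-MD5", parsed))
```

On a 2014-era MySQL build linked against an OpenSSL without TLS 1.2 suites, `mysql_ssl_cipher_value` can come back empty, which is exactly the situation the post describes; an empty result means the only remaining mitigation is restricting network access to the service.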


UPDATE 2014-10-16: openssl updates are now becoming available with patches against this issue:

AMI Linux: openssl-1.0.1j-1.80.amzn1 “add patch for CVE-2014-3566 (Padding Oracle On Downgraded Legacy Encryption attack)”

RedHat: no update is yet available


The post How to close POODLE SSLv3 security flaw (CVE-2014-3566) appeared first on MySQL Performance Blog.
