Imperva Cyber Community

  • 1.  Replace NGINX (without load balancing) with Imperva's on-prem WAF

    Posted 21 days ago

    Hello Imperva Community,

    I am exploring the possibility of replacing our current NGINX setup with an on-premises WAF solution and would appreciate your insights on this matter. Below is a summary of our current NGINX configuration:

    # Configuration Highlights
    - SSL configuration with TLSv1.3 and specific ciphers.
    - Client certificate validation.
    - Detailed proxy settings and header manipulations.
    - Access and error logging configurations.
    - Specific location block for /payments with custom proxy settings.
    - Security directives like hiding server tokens and limiting methods.

    Given this setup, my question is: Can an on-premises WAF from Imperva fully replace this NGINX configuration, particularly with respect to SSL/TLS handling, client certificate validation, and the detailed proxy and header settings we currently have in place?

    Additionally, how would the Imperva WAF handle the following aspects:

    • Complex SSL/TLS setups and client authentication.
    • Detailed access control and logging.
    • Proxying requests with specific header modifications.
    • Security measures like method restriction and server information obfuscation.

    I am particularly interested in understanding any limitations or additional considerations that may be relevant in transitioning to an on-prem WAF solution.

    Thank you in advance!


    Lasha Lomjaria
    Cybersecurity engineer
    Green Systems LLC
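
As an added illustration (not the poster's actual configuration), an NGINX server block that implements the highlights listed in the post, so each bullet can be matched to a concrete directive. Hostnames, file paths, upstream addresses, timeouts and the cipher list are assumptions.

```nginx
# Added example reconstructing the described setup; values are assumed.
server {
    listen      443 ssl;
    server_name app.example.com;          # assumed hostname

    # SSL configuration: TLS 1.3 only with an explicit suite list.
    # ssl_ciphers does not govern TLS 1.3 suites; ssl_conf_command does
    # (nginx >= 1.19.4 built against OpenSSL).
    ssl_certificate     /etc/nginx/tls/app.crt;
    ssl_certificate_key /etc/nginx/tls/app.key;
    ssl_protocols       TLSv1.3;
    ssl_conf_command    Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;

    # Client certificate validation against a private CA (mutual TLS).
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Access and error logging.
    access_log /var/log/nginx/app.access.log combined;
    error_log  /var/log/nginx/app.error.log warn;

    # "Hiding server tokens": drops the version from the Server header and
    # from built-in error pages (the bare "nginx" product name still remains).
    server_tokens off;

    # Default proxy path with header manipulation: add forwarding headers,
    # pass the client certificate subject, strip an upstream disclosure header.
    location / {
        limit_except GET POST { deny all; }   # method restriction (GET implies HEAD)
        proxy_pass         http://127.0.0.1:8080;      # assumed upstream
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Client-Cert-DN  $ssl_client_s_dn;
        proxy_hide_header  X-Powered-By;
    }

    # Dedicated /payments block with its own proxy settings.
    location /payments {
        limit_except POST { deny all; }
        proxy_pass            http://127.0.0.1:8081;   # assumed upstream
        proxy_read_timeout    60s;
        proxy_connect_timeout 5s;
        proxy_set_header      Host             $host;
        proxy_set_header      X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header      X-Client-Cert-DN $ssl_client_s_dn;
    }
}
```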

  • 2.  RE: Replace NGINX (without load balancing) with Imperva's on-prem WAF

    Posted 7 days ago
    Edited by Dimitar Georgiev 7 days ago

    Hi Lasha,

    A significant chunk of the functionalities you requested could be replaced by Imperva WAF (on-premises), but not all, I am afraid. Specifically, some advanced proxy settings and header manipulations are something that WAF doesn't do - you simply can't strip, modify or add headers apart from adding the IP of the original request origin in reverse proxy mode. Furthermore, you can't use WAF as a load balancer if that's what your current reverse proxy does.

    Could you also please elaborate more on the concept of "hiding server tokens"?

    Everything else seems to be something that you can easily do with WAF.