Time to Rethink Nginx?

  • Received a bit of a perplexing email recently from Nginx:

    We always strive to be transparent with you, our valued customers, and we are committed to keeping you updated on relevant business developments. While this is a developing situation, and we are currently trying to ascertain what prompted it, we wanted to share with you the facts we have.

    On December 12, law enforcement officials came to the Moscow office of NGINX (acquired by F5 Networks earlier this year) apparently seeking evidence related to an intellectual property dispute, to which F5 is currently not a party. The officers had a warrant, and we are still working to confirm the full nature of the investigation. NGINX cofounders Igor Sysoev and Maxim Konovalov were interviewed by law enforcement officials, but no employees have been arrested or are currently detained. F5 fully supports our employees and we believe these claims against them do not have merit.

    Promptly following the event we took measures to ensure the security of our master software builds for NGINX, NGINX Plus, NGINX WAF and NGINX Unit—all of which are stored on servers outside of Russia. No other products are developed within Russia. F5 remains committed to innovating with NGINX, NGINX Plus, NGINX WAF and NGINX Unit, and we will continue to provide the best-in-class support you’ve come to expect.

    We will keep you updated on developments, as appropriate, and please reach out if you have further questions.

    We deeply appreciate your continued support of F5.

    After my initial WTF? I did a bit of digging and found a ZDnet article here:

    Russian police raid NGINX Moscow office

    tl;dr- This seems to ultimately be a patent/intellectual property lawsuit wherein new owners claim they own all of Nginx code.

    I have used Apache alternatives for decades now and embraced Nginx early on. Dual licensed FOSS projects have always been cause for concern for me, as they all too often result in somewhat sordid histories resulting from losing control to the bean counters and various sociopath CEO types bending others to their will.

    Rather than speculate on just what is really going on from a less than forthcoming commercial operation I am thinking maybe it is time to switch back to a real FOSS, no strings attached webserver like Apache.

    Interested in hearing others' thoughts, particularly those who are presently using Apache.

  • @gotwf said in Time to Rethink Nginx?:

    tl;dr- This seems to ultimately be a patent/intellectual property lawsuit wherein new owners claim they own all of Nginx code.

    Just to correct this: new owners of a company the creator of Nginx worked at close to 20 years ago as a sysadmin claim that they own all of Nginx code despite the fact that he started development before he was employed there, it wasn't within the scope of his position there and the company wasn't even the first one to use the product.

    If Russian courts have any respect for Russian law this won't fly imo.
    Unless they can prove they asked a sysadmin to develop a webserver - it's not theirs. And I think even if they could this isn't a some case as it might not have been within his job description.

  • I've been passively following this story as well, and at the moment, my opinion of nginx is unchanged, if only because I don't want to go back to writing Apache config files 😝

    What I imagine would happen is if the code was ruled to be owned by some other company, then there would be an immediate hard fork of the web server software.

    I actually was not aware that nginx had a dual license structure.

    @gotwf it is important to note that NodeBB itself is also dual licensed, but only in the sense that we offer a proprietary license for clients that require it. Acceptance of that license is completely optional, of course, and the core of NodeBB will always be open source, so if we start acting badly, someone could always fork NodeBB away from us haha...

    ... 😬

  • @julian Yeah, I was thinking more of the Nginx Plus vs. Nginx Open Source duality. Too often such results in major split personality disorders which end up essentially forcing extortion to even get access to any reasonable docs or support.

    Nginx woes are still unclear. My concern is that if the bad actors succeed in their claims, then the license itself may be declared null and void. I can imagine this then leading to a scenario where "might makes right" and any forks then become their next targets. Crazy stuff happens in the US Federal Courts these days, particularly a certain district court in Texas, which has a well-earned reputation for being very pro-corporation in its rulings. Some towns thrive on industry, others eco tourism, etc. That TX town's niche is rich corporate lawyers dumping buckets of cash into the local economy.

    Anyways, I am still curious as to community reports regarding Apache deployments, as I have not used it in many years now.

    NodeBB rocks and is one of the best pieces of FOSS this ol' dinosaur had the pleasure of using. Keep up the great work.
