Integrate NTA with NGINX in Docker

This document is for:
Invicti Enterprise On-Demand

This feature is available with Invicti API Security Standalone or Bundle.

To collect access logs from NGINX, configure it to forward logs using the Syslog protocol.

In this setup, NGINX acts as a reverse proxy. When users send their requests through NGINX, these requests can be logged externally to the Network Traffic Analyzer (NTA).

The NTA, combined with the Traffic Signal Aggregator (TSA), reconstructs users' activity for analysis.

When customers install this solution in their environment, they configure the NTA installation as a Syslog server, with minimal configuration changes.

This document describes how to configure NGINX to forward access logs to an external application using Syslog.

The configuration is a 4-step process:

Step 1: Install NTA

Follow the installation instructions in the linked document to install NTA.

Step 2: Configure NGINX to forward logs

  1. Locate the NGINX configuration file
  • Typically found at /etc/nginx/nginx.conf or inside /etc/nginx/conf.d/.
  2. Add a custom log format under the http block:

log_format tsalogformat '@@@http_x_request_id=$http_x_request_id'
                        '@@@request_scheme=$scheme'
                        '@@@request_host=$host'
                        '@@@remote_addr=$remote_addr'
                        '@@@request_method=$request_method'
                        '@@@request_uri=$request_uri'
                        '@@@server_protocol=$server_protocol'
                        '@@@response_status=$status'
                        '@@@request_body=$request_body'
                        '@@@header_referer=$http_referer'
                        '@@@header_accept=$http_accept'
                        '@@@header_content_type=$http_content_type'
                        '@@@server_port=$server_port';

  3. Configure NGINX to send logs to the Syslog server
  • Locate the access_log directive and paste the following line in its place:

access_log syslog:server={{TSA_ADDRESS}}:15140,facility=local7,tag=nginx,severity=info tsalogformat;

  • Replace {{TSA_ADDRESS}} with the IP address or hostname of the server running the Network Traffic Analyzer and Traffic Signal Aggregator.
  • The port number should match the port configured in the NTA.

  4. Validate the NGINX configuration

nginx -t

  5. Reload NGINX to apply the changes

nginx -s reload
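
To check what NGINX sends before pointing it at the TSA, the following added example (not Invicti code) decodes one syslog datagram carrying a tsalogformat line as defined above. The syslog header layout, the sample datagram and the name parse_datagram are assumptions made for illustration; the parser rejects any line whose fields do not appear exactly once in the configured order.

```python
import re

# Field names, in order, from the tsalogformat directive on this page.
FIELDS = [
    "http_x_request_id", "request_scheme", "request_host", "remote_addr",
    "request_method", "request_uri", "server_protocol", "response_status",
    "request_body", "header_referer", "header_accept",
    "header_content_type", "server_port",
]
MARKER = re.compile(r"@@@(" + "|".join(FIELDS) + r")=")
# Assumed header layout: <PRI>timestamp(15 chars) hostname tag: message
HEADER = re.compile(r"^<(\d{1,3})>(.{15}) (\S+) (\S+): ", re.DOTALL)

# Constructed sample datagram (not captured traffic); "-" marks an empty variable.
SAMPLE = (b"<190>Jan  5 10:00:00 web01 nginx: "
          b"@@@http_x_request_id=-@@@request_scheme=https"
          b"@@@request_host=shop.example.test@@@remote_addr=203.0.113.7"
          b"@@@request_method=GET@@@request_uri=/api/v1/items?id=42"
          b"@@@server_protocol=HTTP/1.1@@@response_status=200"
          b"@@@request_body=-@@@header_referer=-"
          b"@@@header_accept=application/json@@@header_content_type=-"
          b"@@@server_port=443")


def parse_datagram(data: bytes) -> dict:
    """Decode one syslog datagram; return header info and the log fields."""
    text = data.decode("utf-8", errors="replace")
    m = HEADER.match(text)
    if not m:
        raise ValueError("not a syslog message with the expected header")
    pri = int(m.group(1))  # PRI = facility * 8 + severity
    parts = MARKER.split(text[m.end():])  # ['', key1, val1, key2, val2, ...]
    if parts[0] != "":
        raise ValueError("unexpected text before the first field")
    keys, values = parts[1::2], parts[2::2]
    if keys != FIELDS:
        # A missing, repeated or reordered key means the line is ambiguous,
        # e.g. a logged value that itself contains a '@@@key=' marker.
        raise ValueError(f"fields do not match tsalogformat: {keys}")
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": m.group(3), "tag": m.group(4),
            "fields": dict(zip(keys, values))}


if __name__ == "__main__":
    for key, value in parse_datagram(SAMPLE)["fields"].items():
        print(f"{key:22} {value}")
```

With facility=local7 and severity=info, as in the access_log line above, the decoded values are facility 23 and severity 6.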

Step 3: Deploy the application with Docker Compose

Create a docker-compose.yml file with the following content:

name: nta
services:
 reconstructor:
   image: registry.invicti.com/api-discovery/reconstructor:latest
   container_name: reconst
   restart: always
   expose:
     - 8090
   ports:
     - 8090:8090
   environment:
     APIHUB_CONFIG: {{APIHUB_TOKEN_FROM_APIHUB}}
 traffic-signal-aggregator:
   depends_on:
     reconstructor:
       condition: service_started
   image: registry.invicti.com/api-discovery/tsa:latest
   container_name: tsa
   restart: always
   expose:
     - 15140/udp
   ports:
     - 15140:15140/udp
   environment:
     - TSA_SOURCE_SYSLOG_ENABLED=true
     - TSA_SOURCE_SYSLOG_ADDR=:15140
     - TSA_SINK_RECONSTRUCTOR_ENABLED=true
     - TSA_SINK_RECONSTRUCTOR_URL=http://reconstructor:8090

Replace {{APIHUB_TOKEN_FROM_APIHUB}} with the appropriate APIHub token.

Step 4: Start the application

Navigate to the directory containing the docker-compose.yml file and run:

docker-compose up -d

This starts the NTA and TSA services in detached mode.