Developers are increasingly embracing GraphQL as a preferred method to build APIs. GraphQL simplifies retrieving data from multiple sources, streamlining data access and aggregation. By querying multiple data sources with one POST request from a single endpoint, developers using GraphQL can precisely request the data they need from various sources. This approach helps solve limitations encountered in REST API architectures, where problems like under-querying (requests lacking all the necessary data) or over-querying (requests going to multiple endpoints and gathering excessive data) can occur.
GraphQL is the optimal choice for microservices architectures, as it grants clients the ability to retrieve only the essential data from each service or data source. This fosters heightened flexibility and agility, which are critical components to thrive in a modern business environment.
Security Is Critical for GraphQL APIs
With a greater degree of access and flexibility, GraphQL APIs also present a more extensive attack surface that’s enticing to bad actors. Although GraphQL is relatively new, it is prone to many of the same vulnerabilities found in other API architectures. Fortunately, you can protect GraphQL APIs from these common threats by leveraging some of your existing infrastructure and tools.
Tutorial Overview
This tutorial helps build an understanding of how to deliver and secure GraphQL APIs. We illustrate how to deploy an Apollo GraphQL server on F5 NGINX Unit with F5 NGINX Plus as the API gateway. In addition, we show how to deploy F5 NGINX App Protect WAF at the API gateway for advanced security and use F5 NGINX Management Suite to configure your WAF and monitor for potential threats. This setup also allows you to use NGINX App Protect WAF to detect attacks like SQL injection.
Follow the steps in these sections to complete the tutorial:
- Check the Prerequisites
- Install and Configure NGINX Management Suite Security Monitoring
- Deploy NGINX Unit and Install the Apollo GraphQL Server
- Deploy NGINX Plus as an API Gateway and Install NGINX App Protect WAF
- Test the Configuration
Figure 1: Architecture with NGINX Plus and NGINX App Protect WAF providing security and authentication for GraphQL APIs, NGINX Management Suite monitoring for attacks, and the Apollo GraphQL server running on NGINX Unit
Prerequisites
Before you begin this tutorial, you need the following:
- The API Connectivity Stack 30-day free trial to access NGINX Plus, NGINX App Protect, and NGINX Management Suite
- Linux/Unix or another compatible environment
- Basic familiarity with the Linux command line
- A text editor (Vi or Vim)
- Curl
Install and Configure NGINX Management Suite Security Monitoring
NGINX Management Suite integrates several advanced features into a unified platform to simplify the process of configuring, monitoring, and troubleshooting NGINX instances. It also facilitates the management and governance of APIs, optimizes application load balancing, and enhances overall security for organizations.
Follow these steps to install and configure NGINX Management Suite:
- Follow the instructions on the Virtual Machine or Bare Metal page of the installation guide. This page covers the Security Monitoring module (used in this tutorial) and other modules you may install at your discretion.
- Add the license for each installed module.
- Install the NGINX Agent package from the NGINX Management Suite host and set up Security Monitoring for NGINX App Protect instances by following the instructions here.
Deploy NGINX Unit and Install the Apollo GraphQL Server
NGINX Unit is an efficient and streamlined runtime application with a lightweight design, making it an ideal choice for organizations seeking high performance without compromising speed or agility. It’s an open-source server that can handle TLS, request routing, and run application code. You can learn more about NGINX Unit on its Key Features page.
In this tutorial, we use Express as a Node.js web application framework on NGINX Unit that offers extensive capabilities for constructing an Apollo GraphQL server. At the time of this writing, the current version is Apollo Server 4.
Follow these steps to deploy NGINX Unit and install the Apollo GraphQL server:
- Install NGINX Unit on a supported operating system.
- Follow the GitHub repo to build an Apollo GraphQL server and create your Apollo GraphQL hello app.
Deploy NGINX Plus as an API Gateway and Install NGINX App Protect WAF
Select a suitable environment to deploy an NGINX Plus instance. In this tutorial, we use an AWS Ubuntu instance and set up an API gateway reverse proxy using NGINX Plus. We then deploy NGINX App Protect WAF in front of our API gateway for added security.
Follow these instructions to install NGINX Plus and NGINX App Protect WAF:
- Install NGINX Plus on a supported operating system.
- Install the NGINX JavaScript module (njs).
- Add the load_module directives to the nginx.conf file.
- Install NGINX App Protect WAF on a supported operating system.
- Add the NGINX App Protect WAF module to the main context in the nginx.conf file:
- Enable NGINX App Protect WAF on an http/server/location context in the nginx.conf file:
- Create a GraphQL policy configuration in the directory /etc/app_protect/conf. For further information on how to create an NGINX App Protect WAF policy, please refer to the relevant guidelines. Here is an example GraphQL policy configuration:
- To enforce the GraphQL settings, update the app_protect_policy_file field in the nginx.conf file with the GraphQL policy name. Once you have updated the file, reload NGINX to enforce the GraphQL settings. Here is an example of the nginx.conf file that includes an NGINX App Protect policy:
- Restart NGINX Plus by running this command:
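The following nginx.conf is an added example that pulls the steps above together; it is not the post’s own file. The load_module paths and app_protect directives are the real NGINX Plus and NGINX App Protect WAF names, while the upstream address, port, and policy file name are assumptions for this example.

```nginx
# Added example API gateway config: NGINX Plus + NGINX App Protect WAF in front
# of the Apollo GraphQL server on NGINX Unit. Upstream address, port and policy
# file name are assumed values; replace them with your own.
user nginx;

load_module modules/ngx_http_js_module.so;           # njs, installed above
load_module modules/ngx_http_app_protect_module.so;  # NGINX App Protect WAF (main context)

events {}

http {
    # The Apollo GraphQL hello app listening on NGINX Unit (assumed address)
    upstream apollo_graphql {
        server 10.0.0.10:4003;
    }

    server {
        listen 80;

        # Expose only the GraphQL endpoint; everything else is refused below.
        location = /graphql {
            # Enable the WAF and apply the GraphQL policy from /etc/app_protect/conf
            app_protect_enable on;
            app_protect_policy_file "/etc/app_protect/conf/NginxGraphQLPolicy.json";

            # Write violation records (including the support ID) to the log file
            # that the "Test the Configuration" section inspects
            app_protect_security_log_enable on;
            app_protect_security_log "/etc/app_protect/conf/log_default.json" /var/log/app_protect/security.log;

            proxy_pass http://apollo_graphql;
            proxy_set_header Host $host;
        }

        location / {
            return 404;
        }
    }
}
```

After editing, validate with `nginx -t` and apply with `nginx -s reload`, so the GraphQL policy is enforced without dropping live connections.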
Test the Configuration
Now you can test your configuration by following these steps:
- Start the Apollo GraphQL application by navigating to the NGINX Unit server and typing in this command:
- After a successful update, you should see that the app is available on the listener’s IP address and port:
- To access the Apollo GraphQL server, open your web browser and paste the public IP address of your server. For example: http://3..X.X.X:4003/graphql (this example uses port 4003).
- To test the application, enter the correct GraphQL query and run the query.
Figure 2: Apollo GraphQL UI playground
- Consider a situation where an individual inputs an SQL injection into a query. In this case, NGINX App Protect WAF safeguards the Apollo GraphQL server and returns a support ID that identifies the blocked request so you can look up the nature of the attack.
- To check the attack’s details, refer to the NGINX Plus instance’s logs, which are located in /var/log/app_protect/security.log.
- In the NGINX Management Security Monitoring module, you can monitor the data of your instances and review potential threats, as well as adjust policies as needed for optimal protection.
Figure 3: Overview of the NGINX Management Suite Security Monitoring module
Figure 4: Comprehensive summary of security violations in the Security Monitoring module
Conclusion
In this tutorial, you learned how to set up an Apollo GraphQL Server on NGINX Unit, deploy NGINX Plus as an API gateway, and secure your GraphQL APIs with NGINX App Protect WAF in front of your API gateway.
You can also use NGINX Management Suite Security Monitoring to identify and block common advanced threats before they compromise your GraphQL APIs. This simple architecture defends GraphQL APIs from some of the most common API vulnerabilities, including missing authentication and authorization, injection attacks, unrestricted resource consumption, and more.
Test drive NGINX today with a 30-day free trial of the API Connectivity Stack, which includes NGINX Plus, NGINX App Protect, and NGINX Management Suite.
Additional Resources
- Blog: Secure Your API Gateway with NGINX App Protect WAF
- Blog: Secure Your GraphQL and gRPC Bidirectional Streaming APIs with F5 NGINX App Protect WAF