Finding Out Nginx Instances Running In An Environment

Assuming the environment is a container based environment. Other kinds of environments - Virtual Machines, Physical Machines, etc

Blind Basic Checks for checking if nginx is running or not and how many nginx are running:

• Check if the names of all the containers in all the pods have nginx in the name. Also check if the names of all the pods have nginx in the name

  • Why? This is based on the idea that if nginx is running in a container / pod, its container or pod name probably has the name nginx in it

  • Problems with this approach

    • It misses out containers where the container name may not mention nginx but maybe nginx is running in them. You never know

    • It misses out pods where the pod name may not mention nginx but maybe nginx is running in them. You never know

    • Maybe some containers may have nginx in the container name but may not be running nginx in them. You never know

    • Maybe some pods may have nginx in the pod name but may not be running nginx in them. You never know

• Check if the image names of all the containers in all the pods have nginx in the name

  • Why? This is based on the idea that if nginx is running in a container, its image name probably has the name nginx in it

  • Problems with this approach

    • It misses out containers where the image name may not mention nginx but maybe nginx is running in them. You never know

    • Maybe some containers may have nginx in the image name but may not be running nginx in them. You never know

• Check if the command names and/ entry points of all the container images (the build and runtime specification of the container image - for example Dockerfile ) of all containers in all the pods have nginx in the command name / entry point. You can check the source code of the command and/ entry points - for example, if it’s a script - say shell script (sh, bash etc) or Python script, or JavaScript, or Perl Script etc and see if it runs a nginx by checking for nginx in the command name of the command that’s being executed

  • Why? This is based on the idea that if nginx is running in a container, its command name / entry point name probably has the name nginx in it

  • Problems with this approach

    • It misses out containers where the command name / entry point may not mention nginx but maybe nginx is running in them. You never know

    • Maybe some containers may have nginx in the command name / entry point name but may not be running nginx in them. You never know

• Check if the command names of all the containers (container specification) in all the pods have nginx in the name. This refers to - the container’s command field (not the args field)

  • Why? This is based on the idea that if nginx is running in a container, its command name probably has the name nginx in it

  • Problems with this approach

    • It misses out containers where the command name may not mention nginx but maybe nginx is running in them. You never know

    • Maybe some containers may have nginx in the command name but may not be running nginx in them. You never know

• Check if nginx command works in all the containers in all the pods. Maybe run nginx --version

  • Why? This is based on the idea that if nginx is running in a container, it has nginx command installed in it

  • Problems with this approach

    • Maybe nginx is installed in the container (in the container image), but it’s not running

    • Maybe some other command (and not nginx server) is named as nginx

    • Maybe nginx command is renamed as something else which doesn’t refer to nginx in the name

• Check if nginx process is running in all the containers in all the pods

  • Why? This is based on the idea that if nginx is running in a container, then, it’s running in the container?

  • Problems with this approach

    • It’s not easy to check if nginx is running in a container. For example, one thing that one could do is - check if the nginx process is running by checking ps aux command output and checking if there’s any process running the nginx command. But then, a command can be named anything else too and still be running nginx. You never know. ps aux just looks at the command name. Also, just because the commandname in px aux output has nginx in it or the name itself is nginx, doesn’t mean nginx server is running in it

• Hit all container ports and check if the port serves HTTP and/ HTTPS assuming you are looking for an nginx serving web traffic and hit some non existent URL(s) and check if it returns a response with response body or response headers containing nginx in it

  • Usually non-existent HTTP/HTTPS URL(s) are served by nginx with a 404 mentioning the response came from a nginx - usually in the response body

  • nginx by default sends almost any response with the response header Server: nginx/<version>. For example, Server: nginx/1.29.0

  • Problems with this approach

    • It’s not necessary that our nginx is serving HTTP/HTTPS traffic - so, this violates any assumptions around that. So, if we are looking for an nginx server serving TCP traffic as a TCP proxy (for example), for a protocol other than Web Protocols (like HTTP, HTTPS), for example, PostgreSQL Proxy, MySQL Proxy or any Proxy for any custom protocol on top of TCP, or it can be a TCP server for something else.

    • Maybe the nginx server is configured in such a way that it will not return anything about the nginx server - for security reasons - for example, if one knows that we use nginx and the specific version of nginx we use, then, they can try to attack us by using the existing vulnerabilities for that version of nginx and cause harm to us

• Maybe a mix of the above approaches can be used

• Look at base container images (recursively) and understand what’s installed in it and how it’s installed - for example, nginx command being installed (through binaries, package managers, or compiled source code etc). Even then, it’s not easy and even then, nginx may not be running it and just because a command or software is named nginx , it may not refer to the nginx web server that we think of