availability

Package: Invicti AppSec Core (on-demand)

NTA with NGINX

The Invicti Network Traffic Analyzer (NTA) integrates with NGINX by forwarding access logs to the NTA Traffic Signal Aggregator (TSA) via Syslog. The TSA receives these logs over UDP and passes them to the Reconstructor service, which analyzes the data to reconstruct API activity for API discovery.

This document explains how to deploy the NTA with NGINX in Docker or Kubernetes.

Why this matters

NGINX handles a large share of web traffic in many environments, but teams often haven't formally cataloged the APIs behind it. By forwarding NGINX access logs to the NTA, you get continuous API discovery from real traffic without modifying your application code or deploying additional agents.

Step 1: Generate a registration token

1. Select Discovery > API sources from the left-side menu.
2. Click Add source.
3. Select the Invicti Network Traffic Analyzer source type card.
4. Click Continue.
5. Click Generate token and copy the token. You'll need it when configuring the NTA services.

Step 2: Install and configure NTA

Select the tab for your environment:

Docker

Prerequisites

Before you begin, ensure the following:

• NGINX v1.9.11 or later installed (either natively or via Docker)
• Docker and Docker Compose installed
• UDP port 15400 open between the NGINX host and the TSA container

Install NTA via Docker Compose

Create a project folder and create a docker-compose.yml file with the following content, replacing <TOKEN> with the token you generated:

services:
  reconstructor:
    image: registry.invicti.com/invicti-api-discovery/reconstructor:latest
    container_name: reconst
    restart: always
    expose:
      - 8090
    ports:
      - 8090:8090
    environment:
      APIHUB_CONFIG: <TOKEN>

  traffic-signal-aggregator:
    depends_on:
      reconstructor:
        condition: service_started
    image: registry.invicti.com/invicti-api-discovery/tsa:latest
    container_name: tsa
    restart: always
    expose:
      - 15400/udp
    ports:
      - 15400:15400/udp
    environment:
      - TSA_SOURCE_SYSLOG_ENABLED=true
      - TSA_SOURCE_SYSLOG_ADDR=:15400
      - TSA_SINK_RECONSTRUCTOR_ENABLED=true
      - TSA_SINK_RECONSTRUCTOR_ADDR=reconstructor:8090

Start the services:

docker-compose up -d

Verify both containers are running:

docker ps

TSA must start before NGINX logging begins

NGINX drops Syslog messages if the TSA isn't reachable. Make sure the TSA container is running before NGINX starts sending access logs.

Configure NGINX

1. Locate or create your NGINX configuration file (typically at /etc/nginx/nginx.conf or inside /etc/nginx/conf.d/).

2. Add the following custom log format under the http block. Replace {{TSA_ADDRESS}} with the IP address or hostname of the TSA container:

log_format tsalogformat
'@@@http_x_request_id=$http_x_request_id'
'@@@request_scheme=$scheme'
'@@@request_host=$host'
'@@@remote_addr=$remote_addr'
'@@@request_method=$request_method'
'@@@request_uri=$request_uri'
'@@@server_protocol=$server_protocol'
'@@@response_status=$status'
'@@@request_body=$request_body'
'@@@header_referer=$http_referer'
'@@@header_accept=$http_accept'
'@@@header_content_type=$http_content_type'
'@@@server_port=$server_port';

access_log syslog:server={{TSA_ADDRESS}}:15400,facility=local7,tag=nginx,severity=info tsalogformat;

Starting from scratch?

If you're creating a new nginx.conf from scratch, use this complete example:

events {}

http {
    log_format tsalogformat
    '@@@http_x_request_id=$http_x_request_id'
    '@@@request_scheme=$scheme'
    '@@@request_host=$host'
    '@@@remote_addr=$remote_addr'
    '@@@request_method=$request_method'
    '@@@request_uri=$request_uri'
    '@@@server_protocol=$server_protocol'
    '@@@response_status=$status'
    '@@@request_body=$request_body'
    '@@@header_referer=$http_referer'
    '@@@header_accept=$http_accept'
    '@@@header_content_type=$http_content_type'
    '@@@server_port=$server_port';

    access_log syslog:server={{TSA_ADDRESS}}:15400,facility=local7,tag=nginx,severity=info tsalogformat;

    server {
        listen 8080;

        location / {
            return 200 'Hello from NGINX';
            add_header Content-Type text/plain;
        }
    }
}

Replace {{TSA_ADDRESS}} with the hostname or IP address of the TSA.

3. Validate the NGINX configuration:

docker exec -it nginx-test nginx -t

4. Reload NGINX to apply the configuration:

docker exec -it nginx-test nginx -s reload

Test the setup

Send a test request to your NGINX server:

curl http://localhost:8080

Verify that the TSA is receiving logs:

docker logs tsa

You should see structured logs representing the forwarded request.

Kubernetes

Prerequisites

• A running Kubernetes cluster
• kubectl configured for your cluster
• Helm installed
• NGINX v1.9.11 or later
• UDP port 15400 reachable between NGINX and the TSA service

Deploy NTA with Helm

Run the following command, replacing the placeholders with your registry credentials and the token you generated:

helm install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery \
  --version 25.11 \
  --set imageRegistryUsername=<USERNAME> \
  --set imageRegistryPassword=<PASSWORD> \
  --set trafficSource.tsa.enabled=true \
  --set trafficSource.tsa.syslogEnabled=true \
  --set reconstructor.JWT_TOKEN=<TOKEN>

Verify the pods are running:

kubectl get pods -n default

Configure NGINX

1. Locate the NGINX configuration file (typically at /etc/nginx/nginx.conf or within /etc/nginx/conf.d/).

2. Add the following custom log format under the http block:

http {
  log_format tsalogformat
    '@@@http_x_request_id=$http_x_request_id'
    '@@@request_scheme=$scheme'
    '@@@request_host=$host'
    '@@@remote_addr=$remote_addr'
    '@@@request_method=$request_method'
    '@@@request_uri=$request_uri'
    '@@@server_protocol=$server_protocol'
    '@@@response_status=$status'
    '@@@request_body=$request_body'
    '@@@header_referer=$http_referer'
    '@@@header_accept=$http_accept'
    '@@@header_content_type=$http_content_type'
    '@@@server_port=$server_port';
}

3. Still within the same http block, replace the access_log directive with the following. Replace invicti-api-discovery-tsa-service.default.svc.cluster.local with the actual DNS name of your TSA service in the cluster:

access_log syslog:server=invicti-api-discovery-tsa-service.default.svc.cluster.local:15400,facility=local7,tag=nginx,severity=info tsalogformat;

To retrieve the TSA service name, run:

kubectl get services

Look for the service associated with TSA (typically named invicti-api-discovery-tsa-service).

Validate NGINX config before reloading

Always run nginx -t to validate your configuration before restarting NGINX.

4. Reload NGINX:

nginx -s reload

or

systemctl restart nginx

Verify the setup

Check that all NTA pods are running and review the logs:

kubectl get pods
kubectl logs deployment/invicti-api-discovery-tsa
kubectl logs deployment/invicti-api-discovery-reconstructor

---

Need help?

Invicti Support team is ready to provide you with technical help. Go to Help Center