From 66bd37a7a1755126b1d46bea884071c6ba07393d Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Fri, 17 Oct 2025 13:07:51 +0100 Subject: [PATCH 1/5] feat: Add Response and Filetype pages, other fixes This commit adds the Response and Filetype feature pages to F5 WAF for NGINX, and also updates other documentation to address feedback regarding configuration or set-up problems. --- content/includes/waf/table-policy-features.md | 2 + content/waf/configure/secure-mtls.md | 1 - content/waf/install/docker.md | 6 -- content/waf/install/kubernetes-plm.md | 2 - content/waf/logging/custom-dimensions.md | 1 - content/waf/policies/configuration.md | 1 - content/waf/policies/filetypes.md | 63 ++++++++++++ content/waf/policies/graphql-protection.md | 1 - content/waf/policies/ip-intelligence.md | 3 +- content/waf/policies/response-signatures.md | 96 +++++++++++++++++++ 10 files changed, 163 insertions(+), 13 deletions(-) create mode 100644 content/waf/policies/filetypes.md create mode 100644 content/waf/policies/response-signatures.md diff --git a/content/includes/waf/table-policy-features.md b/content/includes/waf/table-policy-features.md index d98a7e425..75d42ccd7 100644 --- a/content/includes/waf/table-policy-features.md +++ b/content/includes/waf/table-policy-features.md 
@@ -15,6 +15,7 @@ | [Do-nothing]({{< ref "/waf/policies/do-nothing.md" >}}) | Do-nothing allows you to avoid inspecting or parsing a URL. | | [Disallowed file type extensions]({{< ref "/waf/policies/disallowed-extensions.md" >}}) | Support any file type, and includes a predefined list of file types by default | | [Evasion techniques]({{< ref "/waf/policies/evasion-techniques.md" >}}) | All evasion techniques are enabled by default, and can be disabled individually. These include directory traversal, bad escaped characters and more. | +| [Filetypes]({{< ref "/waf/policies/filetypes.md" >}}) | | The filetype feature allows you to selectively allow filetypes | | [Geolocation]({{< ref "/waf/policies/geolocation.md" >}}) | The geolocation feature allows you to configure enforcement based on the location of an object using the two-letter ISO code representing a country. | | [GraphQL protection]({{< ref "/waf/policies/graphql-protection.md" >}}) | GraphQL protection allows you to configure enforcement for GraphQL, an API query language. | | [gRPC protection]({{< ref "/waf/policies/evasion-techniques.md" >}}) | gRPC protection detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection is available for unary or bidirectional traffic. | 
@@ -23,6 +24,7 @@ | [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) | Configure the IP Intelligence feature to customize enforcement based on the source IP of the request, limiting access from IP addresses with questionable reputation. | | [JWT protection]({{< ref "/waf/policies/jwt-protection.md" >}}) | JWT protection allows you to configure policies based on properties of JSON web tokens, such as their header and signature properties. | | [Override rules]({{< ref "/waf/policies/override-rules.md" >}}) | Override rules allow you to override default policy settings under specific conditions. | +| [Response signatures]({{< ref "/waf/policies/response-signatures.md" >}}) | | Response signatures allow you to inspect HTTP responses, selectively allowing specific response codes or lengths. | | [Server technology signatures]({{< ref "/waf/policies/server-technology-signatures.md" >}}) | Support adding signatures per added server technology. | | [Time-based signature staging]({{< ref "/waf/policies/time-based-signature-staging.md" >}}) | Time-based signature staging allows you to stage signatures for a specific period of time. During the staging period, violations of staged signatures are logged but not enforced. After the staging period ends, violations of staged signatures are enforced according to the policy's enforcement mode. | | [Threat campaigns]({{< ref "/waf/policies/threat-campaigns.md" >}}) | These are patterns that detect all the known attack campaigns. They are very accurate and have almost no false positives, but are very specific and do not detect malicious traffic that is not part of those campaigns. The default policy enables threat campaigns but it is possible to disable it through the respective violation. | diff --git a/content/waf/configure/secure-mtls.md b/content/waf/configure/secure-mtls.md index fc49583eb..bf8d42ce0 100644 --- a/content/waf/configure/secure-mtls.md +++ b/content/waf/configure/secure-mtls.md 
@@ -133,7 +133,6 @@ http { server { listen 80; server_name localhost; - proxy_http_version 1.1; app_protect_enable on; app_protect_policy_file app_protect_default_policy; diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 5d0bed677..530c8f326 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -92,7 +92,6 @@ http { server { listen 80; server_name app.example.com; - proxy_http_version 1.1; app_protect_enable on; app_protect_security_log_enable on; @@ -372,8 +371,6 @@ server { listen 80; server_name domain.com; - proxy_http_version 1.1; - location / { # F5 WAF for NGINX @@ -783,7 +780,6 @@ http { server { listen 80; server_name app.example.com; - proxy_http_version 1.1; app_protect_enable on; app_protect_security_log_enable on; @@ -1275,8 +1271,6 @@ server { listen 80; server_name domain.com; - proxy_http_version 1.1; - location / { # F5 WAF for NGINX diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 1a6ee3850..d127e6bc1 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -195,7 +195,6 @@ http { server { listen 80; server_name localhost; - proxy_http_version 1.1; location / { app_protect_enable on; @@ -454,7 +453,6 @@ appprotect: server { listen 80; server_name localhost; - proxy_http_version 1.1; location / { app_protect_enable on; diff --git a/content/waf/logging/custom-dimensions.md b/content/waf/logging/custom-dimensions.md index ac84c3cbb..6a35dc03a 100644 --- a/content/waf/logging/custom-dimensions.md +++ b/content/waf/logging/custom-dimensions.md @@ -37,7 +37,6 @@ server { listen 80; server_name localhost; - proxy_http_version 1.1; app_protect_custom_log_attribute 'environment' 'env1'; location / { diff --git a/content/waf/policies/configuration.md b/content/waf/policies/configuration.md index 58f601ef8..94e1fd88d 100644 --- a/content/waf/policies/configuration.md +++ b/content/waf/policies/configuration.md 
@@ -96,7 +96,6 @@ http { server { listen 80; server_name localhost; - proxy_http_version 1.1; location / { client_max_body_size 0; diff --git a/content/waf/policies/filetypes.md b/content/waf/policies/filetypes.md new file mode 100644 index 000000000..cbdc5ee5d --- /dev/null +++ b/content/waf/policies/filetypes.md 
@@ -0,0 +1,63 @@ +--- +# We use sentence case and present imperative tone +title: "Filetypes" +# Weights are assigned in increments of 100: determines sorting order +weight: 1125 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +This page describes the filetype feature of F5 WAF for NGINX. + +Using this feature, you can enable or disable specific file types with your policies. + +The following example enables the violation in blocking mode. + +It allows the wildcard entity by default (All filetypes), then selectively blocks the `.bat` filetype . + +```json +{ + "policy": { + "name": "policy1", + "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "blocking-settings": { + "violations": [ + { + "name": "VIOL_FILETYPE", + "alarm": true, + "block": true + } + ] + }, + "filetypes": [ + { + "name": "*", + "type": "wildcard", + "allowed": true, + "checkPostDataLength": false, + "postDataLength": 4096, + "checkRequestLength": false, + "requestLength": 8192, + "checkUrlLength": true, + "urlLength": 2048, + "checkQueryStringLength": true, + "queryStringLength": 2048, + "responseCheck": false + }, + { + "name": "bat", + "allowed": false + } + ] + } +} +``` + +You can declare any additional file types in their own section (Denoted with curly brackets), disabling them with the `"allowed": false` directive. \ No newline at end of file diff --git a/content/waf/policies/graphql-protection.md b/content/waf/policies/graphql-protection.md index fb356e99c..ca42a0986 100644 --- a/content/waf/policies/graphql-protection.md +++ b/content/waf/policies/graphql-protection.md 
@@ -105,7 +105,6 @@ http { server { listen 80; server_name localhost; - proxy_http_version 1.1; location / { client_max_body_size 0; diff --git a/content/waf/policies/ip-intelligence.md b/content/waf/policies/ip-intelligence.md index e5a77bff2..85691082c 100644 --- a/content/waf/policies/ip-intelligence.md +++ b/content/waf/policies/ip-intelligence.md @@ -113,6 +113,7 @@ services: - "50000:50000" volumes: - /opt/app_protect/bd_config:/opt/app_protect/bd_config + - /var/IpRep:/var/IpRep networks: - waf_network restart: always @@ -218,7 +219,7 @@ spec: - name: app-protect-bundles mountPath: /etc/app_protect/bundles - name: waf-ip-intelligence - image: private-registry.nginx.com/napwaf-ip-intelligence: + image: private-registry.nginx.com/nap/waf-ip-intelligence: imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false diff --git a/content/waf/policies/response-signatures.md b/content/waf/policies/response-signatures.md new file mode 100644 index 000000000..3be1a93d5 --- /dev/null +++ b/content/waf/policies/response-signatures.md 
@@ -0,0 +1,96 @@ +--- +title: Response signatures +weight: 1850 +toc: true +nd-content-type: reference +nd-product: NAP-WAF +nd-docs: DOCS-000 +--- + +This page describes the response signatures feature of F5 WAF for NGINX. + +Response signatures are signatures detected in HTTP responses: [Attack signatures]({{< ref "/waf/policies/attack-signatures.md" >}}) are detected in HTTP requests. + +You may also want to view the [Allowed methods]({{< ref "/waf/policies/allowed-methods.md" >}}) topic. + +## Response codes + +F5 WAF for NGINX can be configured to selectively allow response codes while blocking all others. + +The `allowedResponseCodes` attribute is used to define which response codes are allowed as part of a comma-sepated list in the `general` block. + +The following example enables the response status codes violation in blocking mode. + +```json +{ + "policy": { + "name": "allowed_response", + "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "blocking-settings": { + "violations": [ + { + "name": "VIOL_HTTP_RESPONSE_STATUS", + "alarm": true, + "block": true + } + ] + }, + "general": { + "allowedResponseCodes": [ + 400, + 401, + 403, + 404, + 502, + 499 + ] + } + } +} +``` + +## Restricted response length + +F5 WAF for NGINX can define a limit to the amount of bytes that will be inspected in a response. This feature is disabled by default, with a default length of 20,000 bytes when enabled. + +Restrictions on known signatures will be enforced by policies independently of response length. + +To enable this, set the `responseCheck` parameter to true. Add the `responseCheckLength` attribute to set an alternative length to the default value. + +The response length checked refers to the number of uncompressed bytes in the response body. 
+ +Usually F5 WAF for NGINX will buffer only that part of the response saving memory and CPU, but in some conditions the whole response may have to be buffered, such as when the response body is compressed. + +The following example enables the `responseCheck` parameter with `responseCheckLength` set to 1000, signifying that only the initial 1000 bytes of the response body should be inspected. + +It is nested within a [filetypes]({{< ref "/waf/policies/response-signatures.md" >}}) block. + +```json {hl_lines=[9, 13, 14]} +{ + "policy": { + "name": "response_signatures_block", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "filetypes": [ + { + "name": "*", + "type": "wildcard", + "responseCheck": true, + "responseCheckLength": 1000 + } + ], + "signature-sets": [ + { + "name": "All Response Signatures", + "block": true, + "alarm": true + } + ] + } +} +``` From bba8bb8297dca8836680a5aae43cded2b98f5c75 Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Fri, 17 Oct 2025 13:19:02 +0100 Subject: [PATCH 2/5] Update content/includes/waf/table-policy-features.md --- content/includes/waf/table-policy-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/includes/waf/table-policy-features.md b/content/includes/waf/table-policy-features.md index 75d42ccd7..3199b1e78 100644 --- a/content/includes/waf/table-policy-features.md +++ b/content/includes/waf/table-policy-features.md 
@@ -15,7 +15,7 @@ | [Do-nothing]({{< ref "/waf/policies/do-nothing.md" >}}) | Do-nothing allows you to avoid inspecting or parsing a URL. | | [Disallowed file type extensions]({{< ref "/waf/policies/disallowed-extensions.md" >}}) | Support any file type, and includes a predefined list of file types by default | | [Evasion techniques]({{< ref "/waf/policies/evasion-techniques.md" >}}) | All evasion techniques are enabled by default, and can be disabled individually. These include directory traversal, bad escaped characters and more. | -| [Filetypes]({{< ref "/waf/policies/filetypes.md" >}}) | | The filetype feature allows you to selectively allow filetypes | +| [Filetypes]({{< ref "/waf/policies/filetypes.md" >}}) | | The filetype feature allows you to selectively allow filetypes. | | [Geolocation]({{< ref "/waf/policies/geolocation.md" >}}) | The geolocation feature allows you to configure enforcement based on the location of an object using the two-letter ISO code representing a country. | | [GraphQL protection]({{< ref "/waf/policies/graphql-protection.md" >}}) | GraphQL protection allows you to configure enforcement for GraphQL, an API query language. | | [gRPC protection]({{< ref "/waf/policies/evasion-techniques.md" >}}) | gRPC protection detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection is available for unary or bidirectional traffic. | From e42a6aa615870f27328141535ccd4f3c9e3b6819 Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Fri, 17 Oct 2025 15:51:01 +0100 Subject: [PATCH 3/5] Update content/waf/policies/response-signatures.md Co-authored-by: yar --- content/waf/policies/response-signatures.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/waf/policies/response-signatures.md b/content/waf/policies/response-signatures.md index 3be1a93d5..9fdd53cb3 100644 --- a/content/waf/policies/response-signatures.md +++ b/content/waf/policies/response-signatures.md @@ -57,7 +57,7 @@ F5 WAF for NGINX can define a limit to the amount of bytes that will be inspecte Restrictions on known signatures will be enforced by policies independently of response length. -To enable this, set the `responseCheck` parameter to true. Add the `responseCheckLength` attribute to set an alternative length to the default value. +To enable this, set the `responseCheck` parameter to `true`. Add the `responseCheckLength` attribute to set an alternative length to the default value. The response length checked refers to the number of uncompressed bytes in the response body. From 76cfadc5bbf148cc546efeccb0433d1650eb1172 Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Fri, 17 Oct 2025 15:51:09 +0100 Subject: [PATCH 4/5] Update content/waf/policies/response-signatures.md Co-authored-by: yar --- content/waf/policies/response-signatures.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/policies/response-signatures.md b/content/waf/policies/response-signatures.md index 9fdd53cb3..f7c48e5bd 100644 --- a/content/waf/policies/response-signatures.md +++ b/content/waf/policies/response-signatures.md 
@@ -63,7 +63,7 @@ The response length checked refers to the number of uncompressed bytes in the re Usually F5 WAF for NGINX will buffer only that part of the response saving memory and CPU, but in some conditions the whole response may have to be buffered, such as when the response body is compressed. -The following example enables the `responseCheck` parameter with `responseCheckLength` set to 1000, signifying that only the initial 1000 bytes of the response body should be inspected. +The following example enables the `responseCheck` parameter with `responseCheckLength` set to `1000`, signifying that only the initial 1000 bytes of the response body should be inspected. It is nested within a [filetypes]({{< ref "/waf/policies/response-signatures.md" >}}) block. From 0a8b65674fd9614e8a14fe61751edca4d5ba71f7 Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Mon, 20 Oct 2025 13:25:56 +0100 Subject: [PATCH 5/5] Apply suggestions from code review --- content/includes/waf/table-policy-features.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/includes/waf/table-policy-features.md b/content/includes/waf/table-policy-features.md index 3199b1e78..8e8f2bc8c 100644 --- a/content/includes/waf/table-policy-features.md +++ b/content/includes/waf/table-policy-features.md 
@@ -15,7 +15,7 @@ | [Do-nothing]({{< ref "/waf/policies/do-nothing.md" >}}) | Do-nothing allows you to avoid inspecting or parsing a URL. | | [Disallowed file type extensions]({{< ref "/waf/policies/disallowed-extensions.md" >}}) | Support any file type, and includes a predefined list of file types by default | | [Evasion techniques]({{< ref "/waf/policies/evasion-techniques.md" >}}) | All evasion techniques are enabled by default, and can be disabled individually. These include directory traversal, bad escaped characters and more. | -| [Filetypes]({{< ref "/waf/policies/filetypes.md" >}}) | | The filetype feature allows you to selectively allow filetypes. | +| [Filetypes]({{< ref "/waf/policies/filetypes.md" >}}) | The filetype feature allows you to selectively allow filetypes. | | [Geolocation]({{< ref "/waf/policies/geolocation.md" >}}) | The geolocation feature allows you to configure enforcement based on the location of an object using the two-letter ISO code representing a country. | | [GraphQL protection]({{< ref "/waf/policies/graphql-protection.md" >}}) | GraphQL protection allows you to configure enforcement for GraphQL, an API query language. | | [gRPC protection]({{< ref "/waf/policies/evasion-techniques.md" >}}) | gRPC protection detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection is available for unary or bidirectional traffic. | 
@@ -24,7 +24,7 @@ | [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) | Configure the IP Intelligence feature to customize enforcement based on the source IP of the request, limiting access from IP addresses with questionable reputation. | | [JWT protection]({{< ref "/waf/policies/jwt-protection.md" >}}) | JWT protection allows you to configure policies based on properties of JSON web tokens, such as their header and signature properties. | | [Override rules]({{< ref "/waf/policies/override-rules.md" >}}) | Override rules allow you to override default policy settings under specific conditions. | -| [Response signatures]({{< ref "/waf/policies/response-signatures.md" >}}) | | Response signatures allow you to inspect HTTP responses, selectively allowing specific response codes or lengths. | +| [Response signatures]({{< ref "/waf/policies/response-signatures.md" >}}) | Response signatures allow you to inspect HTTP responses, selectively allowing specific response codes or lengths. | | [Server technology signatures]({{< ref "/waf/policies/server-technology-signatures.md" >}}) | Support adding signatures per added server technology. | | [Time-based signature staging]({{< ref "/waf/policies/time-based-signature-staging.md" >}}) | Time-based signature staging allows you to stage signatures for a specific period of time. During the staging period, violations of staged signatures are logged but not enforced. After the staging period ends, violations of staged signatures are enforced according to the policy's enforcement mode. | | [Threat campaigns]({{< ref "/waf/policies/threat-campaigns.md" >}}) | These are patterns that detect all the known attack campaigns. They are very accurate and have almost no false positives, but are very specific and do not detect malicious traffic that is not part of those campaigns. The default policy enables threat campaigns but it is possible to disable it through the respective violation. |
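Review bot: In patch 1, hunk `@@ -15,6 +15,7 @@` of `content/includes/waf/table-policy-features.md`, the added Filetypes row contains a doubled pipe (`| [Filetypes](...) | | The filetype feature ...`), which renders an empty second cell and pushes the description into a third column that no other row has; drop the extra `|` so the row has two cells like its neighbours, and add the trailing period the other descriptions use. While in this table, the unchanged gRPC protection row links to `/waf/policies/evasion-techniques.md` rather than a gRPC page, which looks like a copy-paste slip worth a follow-up fix.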
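Review bot: In patch 1, hunk `@@ -23,6 +24,7 @@` of the same include file, the added Response signatures row has the same doubled pipe (`| [Response signatures](...) | | Response signatures allow ...`) and will render with an empty cell; remove the extra `|`. Both rows are corrected later in patch 5, so the series would be cleaner squashed so the broken table never lands in history.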
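Review bot: The removal of `proxy_http_version 1.1;` from the NGINX examples in secure-mtls.md, docker.md (four places), kubernetes-plm.md (two places), custom-dimensions.md, configuration.md and graphql-protection.md is not explained anywhere in the series; the commit message only says the changes "address feedback regarding configuration or set-up problems". NGINX's default for `proxy_http_version` is 1.0, so every proxied example now talks HTTP/1.0 to its upstream, which disables upstream keepalive and chunked request bodies. Please state the reason in the commit message or on the affected pages, and confirm that no example in these files relies on HTTP/1.1 toward the backend before this lands.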
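Review bot: In the new `content/waf/policies/filetypes.md`, the front matter still carries the archetype scaffolding comments (`# We use sentence case and present imperative tone`, `# Weights are assigned in increments of 100 ...`, `# Types have a 1:1 relationship with Hugo archetypes ...`, `# Intended for internal catalogue and search ...`), which should be stripped as in the response-signatures front matter added by the same patch, and it has no `nd-docs` key while the sibling page does. In the body: there is a stray space in "blocks the `.bat` filetype ." and "(Denoted with curly brackets)" should be lower-case "denoted"; the sentence "The following example enables the violation in blocking mode" should name the violation (`VIOL_FILETYPE`) so the reader knows what to look for in the JSON; and the file lacks a trailing newline (`\ No newline at end of file`).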
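Review bot: In the `content/waf/policies/ip-intelligence.md` hunk `@@ -218,7 +219,7 @@`, the corrected image reference `image: private-registry.nginx.com/nap/waf-ip-intelligence:` ends in a bare colon with no tag, so a reader copying the manifest gets an invalid image reference; if a version shortcode or placeholder belongs after the colon, it is missing from this line. In the earlier hunk `@@ -113,6 +113,7 @@`, the added Compose volume `- /var/IpRep:/var/IpRep` is not accompanied by any prose change in this diff explaining what the directory holds or who creates it on the host; a sentence near the Compose example would avoid the mount silently failing for readers who do not pre-create it.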
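Review bot: In the new `content/waf/policies/response-signatures.md`, the sentence "It is nested within a [filetypes]({{< ref "/waf/policies/response-signatures.md" >}}) block" links back to this same page; the target should be `/waf/policies/filetypes.md`. Further points in the same file: `nd-docs: DOCS-000` reads as a placeholder that should be replaced before merge; "comma-sepated" is a typo, and since the example shows `allowedResponseCodes` as a JSON array, "array" is more accurate than "comma-separated list"; the allowed-codes example lists only 4xx/5xx values (`400, 401, 403, 404, 502, 499`), so the text should state how 1xx to 3xx responses, including `200`, are treated under `VIOL_HTTP_RESPONSE_STATUS`, otherwise the example reads as blocking every successful response; "a limit to the amount of bytes" should be "number of bytes"; "Restrictions on known signatures will be enforced by policies independently of response length" is unclear about which restrictions are meant; and the "Allowed methods" cross-reference concerns request methods and seems unrelated to response inspection, so confirm it is the intended link. The `hl_lines=[9, 13, 14]` highlight does land on the `filetypes`, `responseCheck` and `responseCheckLength` lines as intended.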