feat: Add Response and Filetype pages, other fixes

content/includes/waf/table-policy-features.md

@@ -15,6 +15,7 @@
 | [Do-nothing]({{< ref "/waf/policies/do-nothing.md" >}}) | Do-nothing allows you to avoid inspecting or parsing a URL. |
 | [Disallowed file type extensions]({{< ref "/waf/policies/disallowed-extensions.md" >}}) | Support any file type, and includes a predefined list of file types by default |
 | [Evasion techniques]({{< ref "/waf/policies/evasion-techniques.md" >}}) | All evasion techniques are enabled by default, and can be disabled individually. These include directory traversal, bad escaped characters and more. |
+| [Filetypes]({{< ref "/waf/policies/filetypes.md" >}}) | The filetype feature allows you to selectively allow filetypes. |
 | [Geolocation]({{< ref "/waf/policies/geolocation.md" >}}) | The geolocation feature allows you to configure enforcement based on the location of an object using the two-letter ISO code representing a country. | 
 | [GraphQL protection]({{< ref "/waf/policies/graphql-protection.md" >}}) | GraphQL protection allows you to configure enforcement for GraphQL, an API query language. | 
 | [gRPC protection]({{< ref "/waf/policies/evasion-techniques.md" >}}) | gRPC protection detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection is available for unary or bidirectional traffic. |
@@ -23,6 +24,7 @@
 | [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) | Configure the IP Intelligence feature to customize enforcement based on the source IP of the request, limiting access from IP addresses with questionable reputation. |
 | [JWT protection]({{< ref "/waf/policies/jwt-protection.md" >}}) | JWT protection allows you to configure policies based on properties of JSON web tokens, such as their header and signature properties. | 
 | [Override rules]({{< ref "/waf/policies/override-rules.md" >}}) | Override rules allow you to override default policy settings under specific conditions. |
+| [Response signatures]({{< ref "/waf/policies/response-signatures.md" >}}) | Response signatures allow you to inspect HTTP responses, selectively allowing specific response codes or lengths. |
 | [Server technology signatures]({{< ref "/waf/policies/server-technology-signatures.md" >}}) | Support adding signatures per added server technology. |
 | [Time-based signature staging]({{< ref "/waf/policies/time-based-signature-staging.md" >}}) | Time-based signature staging allows you to stage signatures for a specific period of time. During the staging period, violations of staged signatures are logged but not enforced. After the staging period ends, violations of staged signatures are enforced according to the policy's enforcement mode. |
 | [Threat campaigns]({{< ref "/waf/policies/threat-campaigns.md" >}}) | These are patterns that detect all the known attack campaigns. They are very accurate and have almost no false positives, but are very specific and do not detect malicious traffic that is not part of those campaigns. The default policy enables threat campaigns but it is possible to disable it through the respective violation. |

content/waf/configure/secure-mtls.md

@@ -133,7 +133,6 @@ http {
     server {
         listen 80;
         server_name localhost;
-        proxy_http_version 1.1;
 
         app_protect_enable on;
         app_protect_policy_file app_protect_default_policy;

content/waf/install/docker.md

@@ -92,7 +92,6 @@ http {
     server {
         listen 80;
         server_name app.example.com;
-        proxy_http_version 1.1;
 
         app_protect_enable on;
         app_protect_security_log_enable on;
@@ -372,8 +371,6 @@ server {
     listen 80;
     server_name domain.com;
 
-    proxy_http_version 1.1;
-
     location / {
 
         # F5 WAF for NGINX
@@ -783,7 +780,6 @@ http {
     server {
         listen 80;
         server_name app.example.com;
-        proxy_http_version 1.1;
 
         app_protect_enable on;
         app_protect_security_log_enable on;
@@ -1275,8 +1271,6 @@ server {
     listen 80;
     server_name domain.com;
 
-    proxy_http_version 1.1;
-
     location / {
 
         # F5 WAF for NGINX

content/waf/install/kubernetes-plm.md

@@ -195,7 +195,6 @@ http {
     server {
         listen       80;
         server_name  localhost;
-        proxy_http_version 1.1;
 
         location / {
             app_protect_enable on;
@@ -454,7 +453,6 @@ appprotect:
           server {
               listen       80;
               server_name  localhost;
-              proxy_http_version 1.1;
 
               location / {
                   app_protect_enable on;

content/waf/logging/custom-dimensions.md

@@ -37,7 +37,6 @@ server {
         listen       80;
 
         server_name  localhost;
-        proxy_http_version 1.1;
         app_protect_custom_log_attribute 'environment' 'env1';
 
         location / {

content/waf/policies/configuration.md

@@ -96,7 +96,6 @@ http {
     server {
         listen       80;
         server_name  localhost;
-        proxy_http_version 1.1;
 
         location / {
             client_max_body_size 0;

content/waf/policies/filetypes.md

@@ -0,0 +1,63 @@
+---
+# We use sentence case and present imperative tone
+title: "Filetypes"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 1125
+# Creates a table of contents and sidebar, useful for large documents
+toc: true
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: reference
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NAP-WAF
+---
+
+This page describes the filetype feature of F5 WAF for NGINX.
+
+Using this feature, you can enable or disable specific file types with your policies.
+
+The following example enables the violation in blocking mode.
+
+It allows the wildcard entity by default (All filetypes), then selectively blocks the `.bat` filetype .
+
+```json
+{
+    "policy": {
+        "name": "policy1",
+        "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
+        "applicationLanguage": "utf-8",
+        "enforcementMode": "blocking",
+        "blocking-settings": {
+            "violations": [
+                {
+                    "name": "VIOL_FILETYPE",
+                    "alarm": true,
+                    "block": true
+                }
+            ]
+        },
+        "filetypes": [
+            {
+                "name": "*",
+                "type": "wildcard",
+                "allowed": true,
+                "checkPostDataLength": false,
+                "postDataLength": 4096,
+                "checkRequestLength": false,
+                "requestLength": 8192,
+                "checkUrlLength": true,
+                "urlLength": 2048,
+                "checkQueryStringLength": true,
+                "queryStringLength": 2048,
+                "responseCheck": false
+            },
+            {
+                "name": "bat",
+                "allowed": false
+            }
+        ]
+    }
+}
+```
+
+You can declare any additional file types in their own section (Denoted with curly brackets), disabling them with the `"allowed": false` directive.

content/waf/policies/graphql-protection.md

@@ -105,7 +105,6 @@ http {
     server {
         listen       80;
         server_name  localhost;
-        proxy_http_version 1.1;
 
         location / {
             client_max_body_size 0;

content/waf/policies/ip-intelligence.md

@@ -113,6 +113,7 @@ services:
       - "50000:50000"
     volumes:
       - /opt/app_protect/bd_config:/opt/app_protect/bd_config
+      - /var/IpRep:/var/IpRep
     networks:
       - waf_network
     restart: always
@@ -218,7 +219,7 @@ spec:
             - name: app-protect-bundles
               mountPath: /etc/app_protect/bundles
         - name: waf-ip-intelligence
-          image: private-registry.nginx.com/napwaf-ip-intelligence:<version-tag>
+          image: private-registry.nginx.com/nap/waf-ip-intelligence:<version-tag>
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: false

content/waf/policies/response-signatures.md

@@ -0,0 +1,96 @@
+---
+title: Response signatures
+weight: 1850
+toc: true
+nd-content-type: reference
+nd-product: NAP-WAF
+nd-docs: DOCS-000
+---
+
+This page describes the response signatures feature of F5 WAF for NGINX.
+
+Response signatures are signatures detected in HTTP responses: [Attack signatures]({{< ref "/waf/policies/attack-signatures.md" >}}) are detected in HTTP requests.
+
+You may also want to view the [Allowed methods]({{< ref "/waf/policies/allowed-methods.md" >}}) topic.
+
+## Response codes
+
+F5 WAF for NGINX can be configured to selectively allow response codes while blocking all others.
+
+The `allowedResponseCodes` attribute is used to define which response codes are allowed as part of a comma-sepated list in the `general` block.
+
+The following example enables the response status codes violation in blocking mode. 
+
+```json
+{
+    "policy": {
+        "name": "allowed_response",
+        "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
+        "applicationLanguage": "utf-8",
+        "enforcementMode": "blocking",
+        "blocking-settings": {
+            "violations": [
+                {
+                    "name": "VIOL_HTTP_RESPONSE_STATUS",
+                    "alarm": true,
+                    "block": true
+                }
+            ]
+        },
+        "general": {
+            "allowedResponseCodes": [
+                400,
+                401,
+                403,
+                404,
+                502,
+                499
+            ]
+        }
+    }
+}
+```
+
+## Restricted response length
+
+F5 WAF for NGINX can define a limit to the amount of bytes that will be inspected in a response. This feature is disabled by default, with a default length of 20,000 bytes when enabled.
+
+Restrictions on known signatures will be enforced by policies independently of response length.
+
+To enable this, set the `responseCheck` parameter to `true`. Add the `responseCheckLength` attribute to set an alternative length to the default value.
+
+The response length checked refers to the number of uncompressed bytes in the response body. 
+
+Usually F5 WAF for NGINX will buffer only that part of the response saving memory and CPU, but in some conditions the whole response may have to be buffered, such as when the response body is compressed.
+
+The following example enables the `responseCheck` parameter with `responseCheckLength` set to `1000`, signifying that only the initial 1000 bytes of the response body should be inspected.
+
+It is nested within a [filetypes]({{< ref "/waf/policies/response-signatures.md" >}}) block.
+
+```json {hl_lines=[9, 13, 14]}
+{
+    "policy": {
+        "name": "response_signatures_block",
+        "template": {
+            "name": "POLICY_TEMPLATE_NGINX_BASE"
+        },
+        "applicationLanguage": "utf-8",
+        "enforcementMode": "blocking",
+        "filetypes": [
+           {
+            "name": "*",
+            "type": "wildcard",
+            "responseCheck": true,
+		    "responseCheckLength": 1000
+           }
+        ],
+            "signature-sets": [
+          {
+                "name": "All Response Signatures",
+                "block": true,
+                "alarm": true
+           }
+        ]
+    }
+}
+```