diff --git a/content/ngf/support.md b/content/ngf/support.md index 29f671a44..d2cde2020 100644 --- a/content/ngf/support.md +++ b/content/ngf/support.md @@ -38,4 +38,4 @@ Visit the [project’s GitHub repository](https://github.com/nginx/nginx-support - You can also get help through the [NGINX Community Forum](https://community.nginx.org/). -- If you need dedicated support for NGINX Gateway Fabric, or you would like to leverage our [advanced NGINX Plus features](https://docs.nginx.com/nginx-gateway-fabric/overview/nginx-plus/), you can contact [F5 Sales](https://www.f5.com/content/f5-com/en_us/products/get-f5). +- If you need dedicated support for NGINX Gateway Fabric, or you would like to leverage our [advanced NGINX Plus features](https://docs.nginx.com/nginx-gateway-fabric/overview/nginx-plus/), you can contact [F5 Sales](https://www.f5.com/products/get-f5). diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 6299edc45..4c4f7091a 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -71,7 +71,7 @@ user nginx; worker_processes auto; load_module modules/ngx_http_app_protect_module.so; -error_log /var/log/nginx/error.log debug; +error_log /var/log/nginx/error.log warn; events { worker_connections 10240; @@ -839,7 +839,7 @@ user nginx; worker_processes auto; load_module modules/ngx_http_app_protect_module.so; -error_log /var/log/nginx/error.log debug; +error_log /var/log/nginx/error.log warn; events { worker_connections 10240; diff --git a/content/waf/logging/custom-dimensions.md b/content/waf/logging/custom-dimensions.md index 6a35dc03a..57f56b30e 100644 --- a/content/waf/logging/custom-dimensions.md +++ b/content/waf/logging/custom-dimensions.md @@ -3,7 +3,7 @@ title: Custom dimensions for log entries toc: false weight: 200 nd-content-type: reference -nd-product: NAP-WAF +nd-product: WAF --- F5 WAF for NGINX can configure custom dimensions for log entries using the directive `app_protect_custom_log_attribute`. 
@@ -27,7 +27,7 @@ The following example defines the `app_protect_custom_log_attribute` directive a ```nginx user nginx; load_module modules/ngx_http_app_protect_module.so; -error_log /var/log/nginx/error.log debug; +error_log /var/log/nginx/error.log warn; events { worker_connections 65536; @@ -85,6 +85,4 @@ The log will specify the precise issue: ```text app_protect_custom_log_attribute directive is invalid. Number of app_protect_custom_log_attribute directives exceeds maximum -``` - - +``` \ No newline at end of file diff --git a/content/waf/policies/configuration.md b/content/waf/policies/configuration.md index 94e1fd88d..52f940dad 100644 --- a/content/waf/policies/configuration.md +++ b/content/waf/policies/configuration.md @@ -7,9 +7,7 @@ weight: 100 toc: true # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: WAF --- This page describes the security features available with F5 WAF for NGINX and how to configure policies. @@ -76,7 +74,7 @@ worker_processes 4; load_module modules/ngx_http_app_protect_module.so; -error_log /var/log/nginx/error.log debug; +error_log /var/log/nginx/error.log warn; events { worker_connections 65536; @@ -141,6 +139,7 @@ By default, other requests which have a lower violation rating are not blocked, For example, if you want to add blocking on a violation rating of 3 as well, enable blocking for the `VIOL_RATING_NEED_EXAMINATION` violation. The following violations and signature sets have a low chance of being false positives and are, therefore, configured by default to block the request regardless of its Violation Rating: + - High accuracy attack signatures - Threat campaigns - Malformed request: unparsable header, malformed cookie and malformed body (JSON or XML). 
@@ -249,6 +248,7 @@ In addition, the Strict policy also enables the following features in **alarm on The policy JSON file specifies the settings that are different from the base template, such as enabling more signatures, disabling some violations, adding server technologies, etc. These will be shown in the next sections. There are two ways to tune those settings: + - Within the `policy` structure property, the organic structure of the policy. - Within the `modifications` structure property that contains a list of changes expressed in a generic manner. @@ -297,6 +297,7 @@ The same configuration in the `modifications` array looks like this: Note the generic schema that can express manipulation in any policy element: `entity`, `entityType`, `action` etc. The `modifications` array is a flat list of individual changes applied to the policy after evaluating the `policy` block. So when to use `policy` and when to use `modifications`? There are some recommended practice guidelines for that: + - Use `policy` to express the security policy as you intended it to be: the features you want to enable, disable, the signature sets, server technologies and other related configuration attributes. This part of the policy is usually determined when the application is deployed and changes at a relatively slow pace. - Use `modifications` to express **exceptions** to the intended policy. These exceptions are usually the result of fixing false positive incidents and failures in tests applied to those policies. Usually these are granular modifications, typically disabling checks of individual signatures, metacharacters and sub-violations. These changes are more frequent. - Use `modifications` also for **removing** individual collection elements from the base template, for example disallowed file types. diff --git a/content/waf/policies/graphql-protection.md b/content/waf/policies/graphql-protection.md index ca42a0986..69ffb0420 100644 --- a/content/waf/policies/graphql-protection.md 
+++ b/content/waf/policies/graphql-protection.md @@ -84,7 +84,7 @@ worker_processes 4; load_module modules/ngx_http_app_protect_module.so; -error_log /var/log/nginx/error.log debug; +error_log /var/log/nginx/error.log warn; events { worker_connections 65536; diff --git a/content/waf/policies/grpc-protection.md b/content/waf/policies/grpc-protection.md index 8a2e6dc2a..17f1e405d 100644 --- a/content/waf/policies/grpc-protection.md +++ b/content/waf/policies/grpc-protection.md @@ -7,9 +7,7 @@ weight: 1200 toc: true # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: WAF --- This topic describes the gRPC protection feature for F5 WAF for NGINX. @@ -36,7 +34,6 @@ They include: - **Security enforcement**, which detect signatures and/or metacharacters and optionally an exception list of signatures (Such as overrides) that need to be disabled in the context of a profile. - **Defense attributes**, special restrictions applied to the gRPC traffic. This includes a size limit for the gRPC messages in the request, and whether to tolerate fields that are not defined in the definition of the Protocol Buffer messages. - An example service might have the following IDL file: ```proto @@ -66,7 +63,6 @@ The definitions of `OperationResult` and `Condition` messages are in the importe Both files need to be referenced in the gRPC content profile: - ```json { "policy": { @@ -331,6 +327,7 @@ gRPC guarantees message ordering within an individual RPC call. ```shell rpc LotsOfGreetings(stream HelloRequest) returns (HelloResponse); ``` + #### Server stream The client sends a request to the server and gets a stream to read a sequence of messages back. 
@@ -340,6 +337,7 @@ The client reads from the returned stream until there are no more messages. gRPC ```shell rpc LotsOfReplies(HelloRequest) returns (stream HelloResponse); ``` + #### Bidirectional streams Both sides send a sequence of messages using a read-write stream. @@ -381,7 +379,7 @@ worker_processes auto; load_module modules/ngx_http_app_protect_module.so; -error_log /var/log/nginx/error.log debug; +error_log /var/log/nginx/error.log warn; working_directory /tmp/cores; worker_rlimit_core 1000M;
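Review bot: In content/waf/install/docker.md the hunks at -71 and -839 make the identical `error_log /var/log/nginx/error.log debug;` to `warn` change in two blocks whose visible lines match (`user nginx; worker_processes auto; load_module ...; worker_connections 10240;`). If these are two copies of the same nginx.conf example, move it to a shared include so the copies cannot drift apart. The same one-line change recurs in four other files in this patch, so a search of content/waf for any remaining `error_log ... debug;` before merging would confirm none were missed.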
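Review bot: The last hunk of content/waf/logging/custom-dimensions.md (-85,6 +85,4) leaves the file ending on the closing fence with `\ No newline at end of file`. Dropping the two trailing blank lines is fine, but keep a single terminating newline after the closing fence so that later diffs to this file stay clean.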
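Review bot: In content/waf/policies/configuration.md (-7,9 +7,7), and again in grpc-protection.md (-7,9 +7,7), the deleted comment described `nd-product` as case sensitive and listed the accepted values, and the new value `WAF` is not in that list. Please confirm that the catalogue and search accept `WAF`. Consider keeping the comment with an updated value list instead of removing it, since it was the only in-file documentation of what this field may contain.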
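Review bot: In content/waf/policies/grpc-protection.md, hunks -331 and -340 add the blank line before the `#### Server stream` and `#### Bidirectional streams` headings, but the fences they close are tagged `shell` while the content is a proto declaration (`rpc LotsOfGreetings(stream HelloRequest) returns (HelloResponse);`). The IDL example earlier in the same file uses a `proto` fence. Since these blocks are already being touched, retag them as `proto` for consistent highlighting.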
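Review bot: In content/waf/policies/grpc-protection.md, hunk -381 lowers `error_log` to `warn` but leaves `working_directory /tmp/cores;` and `worker_rlimit_core 1000M;` directly below it. These are core-dump settings and, like the `debug` level being removed, they are troubleshooting settings. If the example is now meant to show a production-style default, either drop them or add a sentence explaining why this example keeps core dumps enabled.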