|
| 1 | +--- |
| 2 | +# We use sentence case and present imperative tone |
| 3 | +title: "Directives" |
| 4 | +# Weights are assigned in increments of 100: determines sorting order |
| 5 | +weight: 150 |
| 6 | +# Creates a table of contents and sidebar, useful for large documents |
| 7 | +toc: true |
| 8 | +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this |
| 9 | +nd-content-type: reference |
| 10 | +# Intended for internal catalogue and search, case sensitive: |
| 11 | +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit |
| 12 | +nd-product: NAP-WAF |
| 13 | +--- |
| 14 | + |
| 15 | +## Global directives |
| 16 | + |
| 17 | +Global configuration consists of a series of `nginx.conf` directives at the `http` context controlling aspects that are not specific to a specific application. |
| 18 | + |
| 19 | +When applied to a cluster, all cluster members will get the same globals as expected. |
| 20 | + |
| 21 | +{{< call-out "note" >}} Whether an incoming request is inspected by F5 WAF for NGINX may be determined by the URL in the request. This happens if you configure `app_protect_enable` and `app_protect_policy_file` directives in the `location` scope. In the case where the URL itself has violations such as *bad unescape* or *illegal metacharacter* then the request might be assigned to a location in which F5 WAF for NGINX is disabled or has a relaxed policy that does not detect these violations. Such malicious requests will be allowed without inspection. In order to avoid this, it is recommended to have a basic policy enabled at the `http` scope or at least at the `server` scope to process malicious requests in a more complete manner.{{< /call-out >}} |
| 22 | + |
| 23 | +{{< bootstrap-table "table table-striped table-bordered table-sm table-responsive" >}} |
| 24 | +|Directive Name | Syntax | Description | Default | |
| 25 | +| ---| ---| ---| --- | |
| 26 | +|app_protect_physical_memory_util_thresholds | app_protect_physical_memory_util_thresholds high=<number_0-100> low=<number_0-100> | Sets the physical memory utilization thresholds for entering (high) and exiting (low) failure mode. When the high threshold is exceeded the system enters failure mode until memory drops below the low threshold. Setting the value of 100 disables this feature. | high=low=100 (disabled) | |
| 27 | +|app_protect_cpu_thresholds | app_protect_cpu_thresholds high=<number_0-100> low=<number_0-100> | Sets the CPU utilization thresholds for entering and exiting failure mode respectively: when the high threshold is exceeded the system enters failure mode until CPU drops below the low threshold. Setting the value of 100 disables this feature.<br> **Note**: The system does not enter failure mode during policy compilation after reload even if the threshold is exceeded. | high=low=100 (disabled) | |
| 28 | +|app_protect_failure_mode_action | app_protect_failure_mode_action pass | drop | How to handle requests when the App Protect Enforcer cannot process them, either because it is down, disconnected or because of excessive CPU or memory utilization. There are two values:<ul><li>**pass**: Pass the request without App Protect Enforcer inspection, a.k.a. "fail-open".</li><li>**drop**: Drop the request by returning the response "503 Service Unavailable", a.k.a. "fail-close".</li></ul> | pass | |
| 29 | +|app_protect_cookie_seed | app_protect_cookie_seed <string> | A long randomized string that serves to generate the encryption key for the cookies generated by App Protect. The string should contain only alphanumeric characters and be no longer than 1000 characters. | Auto-generated random string | |
| 30 | +|app_protect_compressed_requests_action | app_protect_compressed_requests_action pass | drop | Determines how to handle compressed requests. There are two values:<ul><li>**pass**: Pass the request without App Protect Enforcer inspection, a.k.a. "fail-open".</li><li>**drop**: Drop the request by returning the response "501 Not Implemented", a.k.a. "fail-close".</li></ul> **Note**: Starting with App Protect release version 4.6, this directive has been deprecated from the `nginx.conf` file. | drop | |
| 31 | +|app_protect_request_buffer_overflow_action | app_protect_request_buffer_overflow_action pass | drop | Determines how to handle requests in case the NGINX request buffer is full and requests cannot be buffered anymore. There are two values:<ul><li>**pass**: Pass the request without App Protect Enforcer inspection, a.k.a. "fail-open".</li><li>**drop**: Drop the request by resetting connection. No response page is returned, a.k.a. "fail-close".</li></ul> | pass | |
| 32 | +|app_protect_user_defined_signatures | app_protect_user_defined_signatures <path> | Imports the user-defined tagged signature file with the respective tag name from the provided path. Multiple instances of this directive are supported. In order to import multiple signatures files, each file must have a different tag. | N/A | |
| 33 | +|app_protect_reconnect_period_seconds| app_protect_reconnect_period_seconds <value> <br> **Value type**: number with decimal fraction <br> **Value Range**: 0-60. 0 is illegal | Determines the period of time between reconnect retries of the module to the web application firewall (WAF) engine. The time unit is seconds.| 5 | |
| 34 | +{{< /bootstrap-table >}} |
| 35 | + |
| 36 | +### App Protect Specific Directives |
| 37 | + |
| 38 | +This table summarizes the nginx.conf directives for F5 WAF for NGINX functionality. |
| 39 | + |
| 40 | +{{<bootstrap-table "table table-striped table-bordered table-sm table-responsive">}} |
| 41 | +|Directive Name | Syntax | Functionality | nginx.conf Contexts | Example | |
| 42 | +| ---| ---| ---| ---| --- | |
| 43 | +|load_module | load_module <library_file_path> | NGINX directive to load the App Protect module. It must be invoked with the App Protect library path | Global | load_module modules/ngx_http_app_protect_module.so | |
| 44 | +|app_protect_enable | app_protect_enable on | off | Whether to enable App Protect at the respective context. If not present, inherits from the parent context | HTTP, Server, Location | app_protect_enable on | |
| 45 | +|app_protect_policy_file | app_protect_policy_file <file_path> | Set a App Protect policy configuring behavior for the respective context. | HTTP, Server, Location | app_protect_policy_file /config/waf/strict_policy.json | |
| 46 | +|app_protect_security_log_enable | app_protect_security_log_enable on | off | Whether to enable the App Protect per-request log at the respective context. | HTTP, Server, Location | app_protect_security_log_enable on | |
| 47 | +|app_protect_security_log | app_protect_security_log <file_path> <destination> | Specifies the per-request logging: what to log and where | HTTP, Server, Location | app_protect_security_log /config/waf/log_illegal.json syslog:localhost:522 | |
| 48 | +|app_protect_custom_log_attribute | app_protect_custom_log_attribute <key_value> | Specifies the assigned location/server/http dimension of each request. | HTTP, Server, Location | app_protect_custom_log_attribute ‘environment' 'env1' | |
| 49 | +{{</bootstrap-table>}} |
| 50 | + |
| 51 | +#### Horizontal Scaling |
| 52 | + |
| 53 | +F5 WAF for NGINX can be deployed in multiple instances that share the traffic to the same applications. In that case all the instances must share the same configuration files. It is your responsibility to synchronize the files on all instances. You also have to provide a load balancing solution in front of those instances such as another NGINX instance. |
| 54 | + |
| 55 | +When deploying multiple scalability instances you have to add the `app_protect_cookie_seed` directive to nginx.conf in the `http` block: |
| 56 | + |
| 57 | +```nginx |
| 58 | +... |
| 59 | +http { |
| 60 | + ... |
| 61 | + app_protect_cookie_seed jkldsf90upiokasdj120; |
| 62 | + ... |
| 63 | + server { |
| 64 | + listen 80; |
| 65 | +... |
| 66 | +} |
| 67 | +... |
| 68 | +``` |
| 69 | + |
| 70 | +As the argument of this directive, put a random alphanumeric string of at least 20 characters length (but not more than 1000 characters). That seed is used by F5 WAF for NGINX to generate the encryption key for the cookies it creates. These cookies are used for various purposes such as validating the integrity of the cookies generated by the application. |
| 71 | + |
| 72 | +In the absence of this directive, App Protect generates a random string by itself. In that case, each instance will have a different seed. A cookie created and encrypted on one instance of App Protect will fail to be decrypted when sent by the same client to another App Protect instance having a different encryption key. |
| 73 | + |
| 74 | + |
| 75 | +#### Failure Mode |
| 76 | + |
| 77 | +If the App Protect daemons are down or disconnected from the NGINX workers, there are two modes of operation until they are up and connected again: |
| 78 | + |
| 79 | +- **Pass** the traffic without inspection. Use this when preferring availability over security. This mode is also known as "fail open". |
| 80 | +- **Drop** the traffic. Use this when preferring security over availability. This mode is also known as "fail closed". |
| 81 | + |
| 82 | +The default is to **pass**, fail open, but you can control this using the `app_protect_failure_mode_action` directive with one argument with two possible values: "pass" or "fail" for the two above options. |
| 83 | + |
| 84 | +This directive is also placed in the `http` block of the nginx.conf file. |
| 85 | + |
| 86 | +```nginx |
| 87 | +... |
| 88 | +http { |
| 89 | + ... |
| 90 | + app_protect_failure_mode_action drop; |
| 91 | + ... |
| 92 | + server { |
| 93 | + listen 80; |
| 94 | +... |
| 95 | + } |
| 96 | +... |
| 97 | +``` |
| 98 | + |
| 99 | +#### Handling Compressed Requests |
| 100 | + |
| 101 | +Starting with F5 WAF for NGINX release version 4.6, the [`app_protect_compressed_requests_action`](#global-directives) directive has been deprecated from the nginx configuration. When configuring this directive in the `nginx.conf` file, App Protect will disregard any previously used values ("pass" or "drop") and issue a warning. |
| 102 | + |
| 103 | +#### Handling Decompression |
| 104 | + |
| 105 | +Now by default the enforcer will decompress all the HTTP compressed payload request and will apply the enforcment. The supported compression algorithms for this feature are "**gzip**" and "**deflate**". There will be no decompression, if the compression method is not supported. |
| 106 | + |
| 107 | +The 'Content-Encoding' header must match the compression algorithm used while sending compressed payload in a HTTP request, else the enfocer will fail to decompress the payload. |
| 108 | + |
| 109 | +The decompressed request must not exceed the size limit of 10 MB. If it does exceed this limit, F5 WAF for NGINX will only decompress the first 10 KB, ignoring the remainder, and trigger the `VIOL_REQUEST_MAX_LENGTH` violation, just as it would for an uncompressed request that exceeds 10 MB. |
| 110 | + |
| 111 | +In the cases where decompression fails, F5 WAF for NGINX will continue with the scan in the same manner as it does for uncompressed requests. |
0 commit comments