Merge branch 'waf/refactor' of github.com:nginx/documentation into waf/refactor

Author: ADubhlaoich

content/includes/waf/table-policy-features.md

@@ -15,11 +15,11 @@
 | [Evasion techniques]({{< ref "/waf/policies/evasion-techniques.md" >}})            | All evasion techniques are enabled by default, and can be disabled individually. These include directory traversal, bad escaped characters and more. |
 | [gRPC protection]({{< ref "/waf/policies/evasion-techniques.md" >}})                 | gRPC protection detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection can be on unary or bidirectional traffic. |
 | [HTTP compliance]()                 | All HTTP protocol compliance checks are enabled by default except for GET with body and POST without body. It is possible to enable any of these two. Some of the checks enabled by default can be disabled, but others, such as bad HTTP version and null in request are performed by the NGINX parser and NGINX App Protect WAF only reports them. These checks cannot be disabled. |
-| [IP address lists]()                | Organize lists of allowed and forbidden IP addresses across several lists with common attributes. |
+| [IP address lists]({{< ref "/waf/policies/ip-address-lists.md" >}})                | Organize lists of allowed and forbidden IP addresses across several lists with common attributes. |
 | [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) | Configure the IP Intelligence feature to customize enforcement based on the source IP of the request, limiting access from IP addresses with questionable reputation. |
 | [Parameter parsing]()               | Support only auto-detect parameter value type and acts according to the result: plain alphanumeric string, XML or JSON. |
 | [Sensitive parameters]()            | The default policy masks the “password” parameter in the security log, and can be customized for more |
-| [Server technology signatures]()    | Support adding signatures per added server technology. |
+| [Server technology signatures]({{< ref "/waf/policies/server-technology-signatures.md" >}})    | Support adding signatures per added server technology. |
 | [Threat campaigns]({{< ref "/waf/policies/threat-campaigns.md" >}})                | These are patterns that detect all the known attack campaigns. They are very accurate and have almost no false positives, but are very specific and do not detect malicious traffic that is not part of those campaigns. The default policy enables threat campaigns but it is possible to disable it through the respective violation. |
 | [User-defined HTTP headers]({{< ref "/waf/policies/user-headers.md" >}}) | Handling headers as a special part of requests |
 | [XFF trusted headers]({{< ref "/waf/policies/xff-headers.md" >}}) | Disabled by default, and can accept an optional list of custom XFF headers. |

content/waf/policies/ip-address-lists.md

@@ -0,0 +1,155 @@
+---
+title: IP Address Lists
+weight: 1600
+toc: true
+nd-content-type: reference
+nd-product: NAP-WAF
+nd-docs: DOCS-000
+---
+
+IP address lists are a feature that let you organize allowed and forbidden IP addresses into reusable lists with common attributes.
+
+They make it possible to apply specific policy settings to incoming requests based on the source IP address.
+
+Each IP address list includes:
+- A unique name
+- An enforcement type (`always`, `never`, or `policy-default`)
+- A list of IP addresses
+
+Here is an example of a declarative policy using an IP address lists configuration:
+
+```json
+{
+  "policy": {
+    "name": "IpGroups_policy",
+    "template": {
+       "name": "POLICY_TEMPLATE_NGINX_BASE"
+    },
+    "applicationLanguage": "utf-8",
+    "caseInsensitive": false,
+    "enforcementMode": "blocking",
+    "ip-address-lists": [
+       {
+         "name": "Standalone",
+         "description": "Optional Description",
+         "blockRequests": "policy-default",
+         "setGeolocation": "IN",
+         "ipAddresses": [
+          {
+             "ipAddress": "1.2.3.4/32"
+          },
+          {
+             "ipAddress": "1111:fc00:0:112::2"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+The following example shows an IP group definition stored in an external file `external_ip_groups.json`:
+
+```json
+{
+  "policy": {
+    "name": "IpGroups_policy2",
+    "template": {
+       "name": "POLICY_TEMPLATE_NGINX_BASE"
+    },
+    "applicationLanguage": "utf-8",
+    "caseInsensitive": false,
+    "enforcementMode": "blocking",
+    "ip-address-lists": [
+      {
+        "name": "external_ip_groups",
+        "description": "Optional Description",
+        "blockRequests": "always",
+        "setGeolocation": "IL",
+        "$ref": "file:///tmp/policy/external_ip_groups.json"
+      }
+    ]
+  }
+}
+```
+
+Example of the file `external_ip_groups.json`:
+
+```json
+{
+    "name": "External IP address lists",
+    "description": "Optional Description",
+    "blockRequests": "always",
+    "setGeolocation": "IR",
+    "ipAddresses": [
+      {
+        "ipAddress": "66.51.41.21"
+      },
+      {
+        "ipAddress": "66.52.42.22"
+      }
+    ]
+}
+```
+
+## IP address lists in policy override rules conditions
+
+The **Override Rules** feature allows you to override original or parent policy settings.
+
+Rules are defined using specific conditions, which can include an IP address list based on the declarative policy JSON schema.
+
+When triggered, the rule is applied to the `clientIp` attribute using the `matches` function:
+
+`clientIp.matches(ipAddressLists["standalone"])`
+
+Here is a policy example:
+
+```json
+{
+  "policy": {
+    "name": "ip_group_override_rule",
+    "template": {
+      "name": "POLICY_TEMPLATE_NGINX_BASE"
+    },
+    "applicationLanguage": "utf-8",
+    "caseInsensitive": false,
+    "enforcementMode": "blocking",
+    "ip-address-lists": [
+      {
+        "name": "standalone",
+        "ipAddresses": [
+          {
+            "ipAddress": "1.1.1.1/32"
+          }
+        ]
+      }
+     ],
+     "override-rules": [
+      {
+        "name": "myRule1",
+        "condition": "clientIp.matches(ipAddressLists['standalone'])",
+        "actionType": "extend-policy",
+        "override": {
+          "policy": {
+            "enforcementMode": "transparent"
+          }
+        }
+      }
+    ]
+  }
+}
+```
+
+The previous example policy contains an IP address list named `standalone`, which is used in the override rule condition `clientIp.matches(ipAddressLists['standalone'])`.
+
+This condition means that the rule enforcement is applied and overrides the base policy enforcement whenever the `clientIp` matches one of the `ipAddresses` in the `ip-address-list` named `standalone`.
+
+The value used in the override condition must exist and exactly match the name defined in `ip-address-lists`.
+
+### Possible errors
+
+| Error text                              | Input                                             | Explanation                                               |
+|-----------------------------------------|---------------------------------------------------|-----------------------------------------------------------|
+| Invalid field `invalidList`             | `clientIp.matches(invalidList['standalone']);`    | An incorrect keyword was used instead of `ipAddressLists` |
+| Invalid value empty string              | `clientIp.matches(ipAddressLists[''])`            | An empty name was provided                                |
+| Failed to compile policy - `ipGroupOverridePolicy` | `uri.matches(ipAddressLists['standalone']);`     | Used `ipAddressLists` without the `clientIp` attribute    |