feat: NGINX App Protect WAF 5.8 release notes (#938)

ADubhlaoich · ohad-perets · mouraddmeiri · web-flow · commit a243f4473d3c · 2025-08-13T16:54:24.000+01:00
Co-authored-by: ohad-perets &lt;126083286+ohad-perets@users.noreply.github.com&gt;
Co-authored-by: mouraddmeiri &lt;67323028+mouraddmeiri@users.noreply.github.com&gt;
diff --git a/content/includes/nap-waf/policy.html b/content/includes/nap-waf/policy.html
@@ -3705,7 +3705,14 @@ <h2 id="policy/override-rules">override-rules</h2>
 <li><strong>headers['&lt;name&gt;']</strong>: (map-type) The value of the specified header name. Example: "headers['Accept'].startsWith('application')"</li>
 </ul>
 </blockquote>
-<p><strong>Note</strong>: The "headers['&lt;name&gt;']" attribute does not support 'Cookie' as a header name. Attribute "clientIp" supports using "ipAddressLists" in condition: "clientIp.matches(ipAddressLists['<name>'])</p></td>
+<dl>
+<dt><strong>Note</strong>:</dt>
+<dd><ul>
+<li>The "headers['&lt;name&gt;']" attribute does not support 'Cookie' as a header name.</li>
+<li>Attribute "clientIp" supports using "ipAddressLists" in condition: "clientIp.matches(ipAddressLists['&lt;name&gt;'])"</li>
+</ul>
+</dd>
+</dl></td>
 <td></td>
 </tr>
 <tr class="odd">
diff --git a/content/nap-waf/v4/admin-guide/install.md b/content/nap-waf/v4/admin-guide/install.md
@@ -1363,7 +1363,7 @@ RUN dnf config-manager --set-enabled crb \
 # Install NGINX App Protect WAF:
 RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
     --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
-    dnf install --enablerepo=codeready-builder-for-rhel-9-x86_64-rpms -y app-protect \
+    dnf install -y app-protect \
     && dnf clean all \
     && rm -rf /var/cache/dnf
 
diff --git a/content/nap-waf/v4/releases/about-4.16.md b/content/nap-waf/v4/releases/about-4.16.md
@@ -0,0 +1,27 @@
+---
+title: NGINX App Protect WAF 4.16
+weight: 70
+toc: true
+nd-content-type: reference
+nd-product: NAP-WAF
+---
+
+August 13th, 2025
+
+## New features
+
+- Added support for NGINX Plus R35
+
+## Supported packages
+
+| Distribution name        | Package file                                       |
+|--------------------------|----------------------------------------------------|
+| Alpine 3.19              | _app-protect-35.5.498.0-r1.apk_                    |
+| Amazon Linux 2023        | _app-protect-35+5.498.0-1.amzn2023.ngx.x86_64.rpm_ |
+| Debian 11                | _app-protect_35+5.498.0-1\~bullseye_amd64.deb_     |
+| Debian 12                | _app-protect_35+5.498.0-1\~bookworm_amd64.deb_     |
+| Oracle Linux 8.1         | _app-protect-35+5.498.0-1.el8.ngx.x86_64.rpm_      |
+| Ubuntu 22.04             | _app-protect_35+5.498.0-1\~jammy_amd64.deb_        |
+| Ubuntu 24.04             | _app-protect_35+5.498.0-1\~noble_amd64.deb_        |
+| RHEL 8 and Rocky Linux 8 | _app-protect-35+5.498.0-1.el8.ngx.x86_64.rpm_      |
+| RHEL 9 and Rocky Linux 9 | _app-protect-35+5.498.0-1.el9.ngx.x86_64.rpm_      |
diff --git a/content/nap-waf/v5/releases/about-5.8.md b/content/nap-waf/v5/releases/about-5.8.md
@@ -0,0 +1,43 @@
+---
+title: NGINX App Protect WAF 5.8
+weight: 830
+toc: true
+nd-content-type: reference
+nd-product: NAP-WAF
+---
+
+August 13th, 2025
+
+## New features
+
+- Added support for NGINX Plus R34
+
+## Supported packages
+
+### NGINX Open Source
+
+| Distribution name        | Package file                                                      |
+|--------------------------|-------------------------------------------------------------------|
+| Alpine 3.19              | _app-protect-module-oss-1.29.0+5.498.0-r1.apk_                    |
+| Amazon Linux 2023        | _app-protect-module-oss-1.29.0+5.498.0-1.amzn2023.ngx.x86_64.rpm_ |
+| Debian 11                | _app-protect-module-oss_1.29.0+5.498.0-1\~bullseye_amd64.deb_     |
+| Debian 12                | _app-protect-module-oss_1.29.0+5.498.0-1\~bookworm_amd64.deb_     |
+| Oracle Linux 8.1         | _app-protect-module-oss-1.29.0+5.498.0-1.el8.ngx.x86_64.rpm_      |
+| Ubuntu 22.04             | _app-protect-module-oss_1.29.0+5.498.0-1\~jammy_amd64.deb_        |
+| Ubuntu 24.04             | _app-protect-module-oss_1.29.0+5.498.0-1\~noble_amd64.deb_        |
+| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.29.0+5.498.0-1.el8.ngx.x86_64.rpm_      |
+| RHEL 9 and Rocky Linux 9 | _app-protect-module-oss-1.29.0+5.498.0-1.el9.ngx.x86_64.rpm_      |
+
+### NGINX Plus
+
+| Distribution name        | Package file                                                   |
+|--------------------------|----------------------------------------------------------------|
+| Alpine 3.19              | _app-protect-module-plus-35+5.498.0-r1.apk_                    |
+| Amazon Linux 2023        | _app-protect-module-plus-35+5.498.0-1.amzn2023.ngx.x86_64.rpm_ |
+| Debian 11                | _app-protect-module-plus_35+5.498.0-1\~bullseye_amd64.deb_     |
+| Debian 12                | _app-protect-module-plus_35+5.498.0-1\~bookworm_amd64.deb_     |
+| Oracle Linux 8.1         | _app-protect-module-plus-35+5.498.0-1.el8.ngx.x86_64.rpm_      |
+| Ubuntu 22.04             | _app-protect-module-plus_35+5.498.0-1\~jammy_amd64.deb_        |
+| Ubuntu 24.04             | _app-protect-module-plus_35+5.498.0-1\~noble_amd64.deb_        |
+| RHEL 8 and Rocky Linux 8 | _app-protect-module-plus-35+5.498.0-1.el8.ngx.x86_64.rpm_      |
+| RHEL 9 and Rocky Linux 9 | _app-protect-module-plus-35+5.498.0-1.el9.ngx.x86_64.rpm_      |
diff --git a/data/nap-waf/schema/policy.json b/data/nap-waf/schema/policy.json
@@ -2368,7 +2368,7 @@
                            },
                            "blockRequests" : {
                               "default" : "policy-default",
-                              "description" : "Specifies how the system responds to blocking requests sent from this IP address list.\n- **Policy Default:** Specifies that the policy enforcementMode will be used for requests from this IP address list.\n- **Never Block:** Specifies that the system does not block requests sent from this IP address list, even if your security policy is configured to block all traffic.\n- **Always Block:** Specifies that the system blocks requests sent from this IP address list.\nOptional,  if absent Policy Default is used.",
+                              "description" : "Specifies how the system responds to blocking requests sent from this IP address list.\n- **Policy Default:** Specifies that the policy enforcementMode will be used for requests from this IP address list.\n- **Never Block:** Specifies that the system does not block requests sent from this IP address list, even if your security policy is configured to block all traffic.\n- **Always Block:** Specifies that the system blocks requests sent from this IP address list.\nOptional, if absent Policy Default is used.",
                               "enum" : [
                                  "always",
                                  "never",
@@ -2397,7 +2397,7 @@
                               "type" : "array"
                            },
                            "matchOrder" : {
-                              "description" : "Specifies the order matching index between different IP Address Lists. If unspecified, the order is implicitly as the lists appear in the policy. IP Address Lists with a lower matchOrder will be checked for a match prior to items with higher matchOrder.",
+                              "description" : "Specifies the order matching index between different IP Address Lists. If unspecified, the order is implicitly as the lists appear in the policy.\nIP Address Lists with a lower matchOrder will be checked for a match prior to items with higher matchOrder.",
                               "type" : "integer"
                            },
                            "name" : {
@@ -2406,11 +2406,11 @@
                            },
                            "neverLogRequests" : {
                               "default" : false,
-                              "description" : "Specifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic. Optional, if absent default value is false.",
+                              "description" : "Specifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic.\nOptional, if absent default value is false.",
                               "type" : "boolean"
                            },
                            "setGeolocation" : {
-                              "description" : "Specifies a geolocation to be associated for this IP address list. This will force the IP addresses in the list to be considered as though they are in that geolocation. This applies to blocking via \"disallowed-geolocations\" and to logging. Optional",
+                              "description" : "Specifies a geolocation to be associated for this IP address list.\nThis will force the IP addresses in the list to be considered as though they are in that geolocation. This applies to blocking via \"disallowed-geolocations\" and to logging. \nOptional",
                               "type" : "string"
                            }
                         },
@@ -3046,7 +3046,7 @@
                               "type" : "string"
                            },
                            "condition" : {
-                              "description" : "Specifies the condition under which the override rule should be applied.\n\nExample: \"clientIp != '10.0.0.5' and userAgent.lower().contains('WebRobot')\"\n\nCondition Syntax:\n\n- The condition consists of one or more clauses separated by **and** or **or**.\n\n  Example: \"clientIp == '10.0.0.5' and (host.startsWith('internal') or uri.contains('api'))\"\n\n- Each clause can optionally start with **not** - to negate the expression.\n\n  Example: \"not clientIp == '127.0.0.1'\"\n\n- **not** can also be used to negate a parenthesized expression.\n\n  Example: \"not (method == 'GET' or method == 'PUT')\"\n\n- A clause can be a simple comparison between two value expressions, or a boolean function applied to a literal value.\n\nSupported comparison operators:\n\n  - **==** - Checks for equality between two value expressions.\n  - **!=** - Checks for inequality between two value expressions.\n\n  Example: \"clientIp != '10.0.0.5'\" (equivalent to \"not clientIp == '10.0.0.5'\")\n\nSupported boolean functions:\n\n  - **matches**: Performs an exact match of a value expression, equivalent to **==**.\n  - **startsWith**: Checks if a value expression starts with a specific substring.\n  - **contains**: Checks if a value expression contains a specific substring.\n\n  Example: \"uri.startsWith('/api')\"\n\n**Note**: Functions \"startsWith\" and \"contains\" are not applicable to the \"clientIp\" attribute. Regular expressions are not supported.\n\n- Value expressions can be a request attribute, literal value, or a value function.\n- A literal can be a string value enclosed in single quotes, or can be the keyword \"null\" without quotes.\n\n  Example: \"userAgent == null\"\n\nSupported value functions:\n\n  - **lower**: Any boolean function applied on the resulting string will be **case insensitive**. Applicable to ANSI characters only.\n\n  Example: \"uri.lower().contains('BaR')\" will match the URI \"/Foo/bAr\"\n\nRequest Attributes:\n\n- **clientIp**: Client IP address in canonical IPv4 or IPv6 format or ip-address-list. Use CIDR notation for subnet definition. Example: *192.168.1.2* or *fd00:1::/48*. If *trustXff* (X-Forwarded-For) is enabled in the containing policy, then the value is taken from the configured header (XFF or other). The only supported boolean function for the clientIP attribute is *matches*.\n- **host**: The value of the Host header\n- **method**: The HTTP method in the request\n- **uri**: The URI (path part) of the request\n- **userAgent**: The value of the User-Agent header, or *null* (without quotes) if not present\n- **geolocation**: The geolocation of the client IP address. The value is the ISO 3166 two-letter code of the respective country.\n- **parameters['<name>']**: (map-type) The value of the specified parameter name (limited to query string parameters). Example: \"parameters['id'] == '11'\"\n- **cookies['<name>']**: (map-type) The value of the specified cookie name. Example: \"cookies['Path'].contains('product')\"\n- **headers['<name>']**: (map-type) The value of the specified header name. Example: \"headers['Accept'].startsWith('application')\"\n\n**Note**: \n - The \"headers['<name>']\" attribute does not support 'Cookie' as a header name.\n - Attribute \"clientIp\" supports using \"ipAddressLists\" in condition: \"clientIp.matches(ipAddressLists['<name>'])\"",
+                              "description" : "Specifies the condition under which the override rule should be applied.\n\nExample: \"clientIp != '10.0.0.5' and userAgent.lower().contains('WebRobot')\"\n\nCondition Syntax:\n\n- The condition consists of one or more clauses separated by **and** or **or**.\n\n  Example: \"clientIp == '10.0.0.5' and (host.startsWith('internal') or uri.contains('api'))\"\n\n- Each clause can optionally start with **not** - to negate the expression.\n\n  Example: \"not clientIp == '127.0.0.1'\"\n\n- **not** can also be used to negate a parenthesized expression.\n\n  Example: \"not (method == 'GET' or method == 'PUT')\"\n\n- A clause can be a simple comparison between two value expressions, or a boolean function applied to a literal value.\n\nSupported comparison operators:\n\n  - **==** - Checks for equality between two value expressions.\n  - **!=** - Checks for inequality between two value expressions.\n\n  Example: \"clientIp != '10.0.0.5'\" (equivalent to \"not clientIp == '10.0.0.5'\")\n\nSupported boolean functions:\n\n  - **matches**: Performs an exact match of a value expression, equivalent to **==**.\n  - **startsWith**: Checks if a value expression starts with a specific substring.\n  - **contains**: Checks if a value expression contains a specific substring.\n\n  Example: \"uri.startsWith('/api')\"\n\n**Note**: Functions \"startsWith\" and \"contains\" are not applicable to the \"clientIp\" attribute. Regular expressions are not supported.\n\n- Value expressions can be a request attribute, literal value, or a value function.\n- A literal can be a string value enclosed in single quotes, or can be the keyword \"null\" without quotes.\n\n  Example: \"userAgent == null\"\n\nSupported value functions:\n\n  - **lower**: Any boolean function applied on the resulting string will be **case insensitive**. Applicable to ANSI characters only.\n\n  Example: \"uri.lower().contains('BaR')\" will match the URI \"/Foo/bAr\"\n\nRequest Attributes:\n\n- **clientIp**: Client IP address in canonical IPv4 or IPv6 format or ip-address-list. Use CIDR notation for subnet definition. Example: *192.168.1.2* or *fd00:1::/48*. If *trustXff* (X-Forwarded-For) is enabled in the containing policy, then the value is taken from the configured header (XFF or other). The only supported boolean function for the clientIP attribute is *matches*.\n- **host**: The value of the Host header\n- **method**: The HTTP method in the request\n- **uri**: The URI (path part) of the request\n- **userAgent**: The value of the User-Agent header, or *null* (without quotes) if not present\n- **geolocation**: The geolocation of the client IP address. The value is the ISO 3166 two-letter code of the respective country.\n- **parameters['<name>']**: (map-type) The value of the specified parameter name (limited to query string parameters). Example: \"parameters['id'] == '11'\"\n- **cookies['<name>']**: (map-type) The value of the specified cookie name. Example: \"cookies['Path'].contains('product')\"\n- **headers['<name>']**: (map-type) The value of the specified header name. Example: \"headers['Accept'].startsWith('application')\"\n\n**Note**: \n- The \"headers['<name>']\" attribute does not support 'Cookie' as a header name.\n- Attribute \"clientIp\" supports using \"ipAddressLists\" in condition: \"clientIp.matches(ipAddressLists['<name>'])\" ",
                               "type" : "string"
                            },
                            "name" : {
