diff --git a/content/includes/nap-waf/config/v5/build-nginx-image-oss/build-alpine.md b/content/includes/nap-waf/config/v5/build-nginx-image-oss/build-alpine.md
index 8bad890cd..a00a92d5c 100644
--- a/content/includes/nap-waf/config/v5/build-nginx-image-oss/build-alpine.md
+++ b/content/includes/nap-waf/config/v5/build-nginx-image-oss/build-alpine.md
@@ -1,8 +1,8 @@
```dockerfile
# syntax=docker/dockerfile:1
-# Supported OS_VER's are 3.16/3.17
-ARG OS_VER="3.17"
+# Supported OS_VER's are 3.16/3.17/3.19
+ARG OS_VER="3.19"
# Base image
FROM alpine:${OS_VER}
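Review bot: the updated `# Supported OS_VER's are 3.16/3.17/3.19` comment still advertises 3.16, while the admin guide hunk later in this patch drops Alpine 3.16 from the supported operating systems list (it had been marked deprecated from NGINX Plus R33). Either keep 3.16 in both places or trim the comment to `3.17/3.19` so the include and the guide agree.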
diff --git a/content/includes/nap-waf/config/v5/build-nginx-image-plus/build-alpine.md b/content/includes/nap-waf/config/v5/build-nginx-image-plus/build-alpine.md
index 8bb4b0728..df663084b 100644
--- a/content/includes/nap-waf/config/v5/build-nginx-image-plus/build-alpine.md
+++ b/content/includes/nap-waf/config/v5/build-nginx-image-plus/build-alpine.md
@@ -1,8 +1,8 @@
```dockerfile
# syntax=docker/dockerfile:1
-# Supported OS_VER's are 3.16/3.17
-ARG OS_VER="3.17"
+# Supported OS_VER's are 3.16/3.17/3.19
+ARG OS_VER="3.19"
# Base image
FROM alpine:${OS_VER}
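Review bot: same inconsistency as in the OSS build-alpine include: the comment lists 3.16 as a supported OS_VER, but the admin guide hunk in this patch removes Alpine 3.16 from the supported list. Keep the two includes and the guide in sync, and consider deriving both includes from one shared snippet so they cannot drift apart.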
diff --git a/content/includes/nap-waf/policy.html b/content/includes/nap-waf/policy.html
index 016b5004b..446d4fc44 100644
--- a/content/includes/nap-waf/policy.html
+++ b/content/includes/nap-waf/policy.html
@@ -93,27 +93,34 @@
policy
|
+brute-force-attack-preventions |
+Yes |
+array of objects |
+Defines configuration for Brute Force Protection feature. There is default configuration (one with bruteForceProtectionForAllLoginPages flag and without url) that applies to all configured login URLs unless there exists another brute force configuration for a specific login page. |
+ |
+
+
caseInsensitive |
No |
boolean |
Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not. When this setting is enabled, the system stores these security policy elements in lowercase in the security policy configuration. |
|
-
+
character-sets |
Yes |
array of objects |
|
|
-
+
cookie-settings |
Yes |
object |
The maximum length of a cookie header name and value that the system processes. The system calculates and enforces a cookie header length based on the sum of the length of the cookie header name and value. |
|
-
+
cookies |
Yes |
array of objects |
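Review bot: the new brute-force-attack-preventions description (`There is default configuration (one with bruteForceProtectionForAllLoginPages flag and without url) that applies to all configured login URLs ...`) is hard to parse; suggest `A default entry (bruteForceProtectionForAllLoginPages set, no url) applies to every configured login URL unless a more specific entry exists for that login page.` Also, most of this hunk and the following ones are `-`/`+` pairs of blank lines with no visible change (whitespace or line-ending churn); splitting that into its own commit would make the substantive rows reviewable.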
@@ -126,42 +133,42 @@ policy
|
-
+
csrf-protection |
Yes |
object |
|
|
-
+
csrf-urls |
Yes |
array of objects |
|
|
-
+
data-guard |
Yes |
object |
Data Guard feature can prevent responses from exposing sensitive information by masking the data. |
|
-
+
description |
No |
string |
Specifies the description of the policy. |
|
-
+
disallowed-geolocations |
Yes |
array of objects |
Specifies a list of countries that may not access the web application. |
|
-
+
enforcementMode |
No |
string |
@@ -178,14 +185,14 @@ policy
transparent
-
+
enforcer-settings |
Yes |
object |
This section contains all enforcer settings. |
|
-
+
filetypes |
Yes |
array of objects |
@@ -199,62 +206,69 @@ policy
|
-
+
fullPath |
No |
string |
The full name of the policy including partition. |
|
-
+
general |
Yes |
object |
This section includes several advanced policy configuration settings. |
|
-
+
graphql-profiles |
Yes |
array of objects |
|
|
-
+
grpc-profiles |
Yes |
array of objects |
|
|
-
+
header-settings |
Yes |
object |
The maximum length of an HTTP header name and value that the system processes. The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. |
|
-
+
headers |
Yes |
array of objects |
This section defines Header entities for your policy. |
|
-
+
host-names |
Yes |
array of objects |
|
|
-
+
idl-files |
Yes |
array of objects |
|
|
+
+ip-address-lists |
+Yes |
+array of objects |
+An IP address list is a list of IP addresses that you want the system to treat in a specific way for a security policy. |
+ |
+
json-profiles |
Yes |
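Review bot: the description for ip-address-lists is circular (`An IP address list is a list of IP addresses that you want the system to treat in a specific way`); say what the list controls, which the sub-table later in this patch shows is blocking (blockRequests), request logging (neverLogRequests) and geolocation assignment (setGeolocation). A short pointer that this section replaces whitelist-ips would also help, since that section is removed from the same table in this patch.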
@@ -270,131 +284,131 @@ policy
|
+login-pages |
+Yes |
+array of objects |
+A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions. |
+ |
+
+
methods |
Yes |
array of objects |
|
|
-
+
name |
No |
string |
The unique user-given name of the policy. Policy names cannot contain spaces or special characters. Allowed characters are a-z, A-Z, 0-9, dot, dash (-), colon (:) and underscore (_). |
|
-
+
open-api-files |
Yes |
array of objects |
|
|
-
+
override-rules |
Yes |
array of objects |
This section defines policy override rules. |
|
-
+
parameters |
Yes |
array of objects |
This section defines parameters that the security policy permits in requests. |
|
-
+
performStaging |
No |
boolean |
Determines staging handling for all applicable entities in the policy, such as signatures, URLs, parameters, and cookies. If disabled, all entities will be enforced and any violations triggered will be considered illegal. |
|
-
+
response-pages |
Yes |
array of objects |
The Security Policy has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. You can change the way the system responds to blocked requests. All default response pages contain a variable, <%TS.request.ID()%>, that the system replaces with a support ID number when it issues the page. |
|
-
+
sensitive-parameters |
Yes |
array of objects |
This section defines sensitive parameters. The contents of these parameters are not visible in logs nor in the user interfaces. Instead of actual values a string of asterisks is shown for these parameters. Use these parameters to protect sensitive user input, such as a password or a credit card number, in a validated request. A parameter name of "password" is always defined as sensitive by default. |
|
-
+
server-technologies |
Yes |
array of objects |
The server technology is a server-side application, framework, web server or operating system type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology. |
|
-
+
signature-requirements |
Yes |
array of objects |
|
|
-
+
signature-sets |
Yes |
array of objects |
Defines behavior when signatures found within a signature-set are detected in a request. Settings are culmulative, so if a signature is found in any set with block enabled, that signature will have block enabled. |
|
-
+
signature-settings |
Yes |
object |
|
|
-
+
signatures |
Yes |
array of objects |
This section defines the properties of a signature on the policy. |
|
-
+
template |
Yes |
object |
Specifies the template to populate the default attributes of a new policy. |
|
-
+
threat-campaigns |
Yes |
array of objects |
This section defines the enforcement state for the threat campaigns in the security policy. |
|
-
+
urls |
Yes |
array of objects |
In a security policy, you can manually specify the HTTP URLs that are allowed (or disallowed) in traffic to the web application being protected. When you create a security policy, wildcard URLs of * (representing all HTTP URLs) are added to the Allowed HTTP URLs lists. |
|
-
+
wafEngineVersion |
No |
string |
|
|
-
-whitelist-ips |
-Yes |
-array of objects |
-An IP address exception is an IP address that you want the system to treat in a specific way for a security policy. You can use the IP address exception feature to create exceptions for IP addresses of internal tools that your company uses, such as penetration tools, manual or automatic scanners, or web scraping tools. You can add an IP address exception and instruct the system how to handle traffic coming from that address. |
- |
-
xml-profiles |
Yes |
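Review bot: removing the whitelist-ips section from the policy table is a breaking change for any existing policy that still declares it, and the hunk carries no deprecation or migration note. Add one sentence, either here or on the new ip-address-lists row, stating that whitelist-ips has been replaced by ip-address-lists and how an existing entry (ipAddress plus ipMask) maps onto the new ipAddresses array. The login-pages description added in the same hunk reads fine.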
@@ -765,6 +779,229 @@ browser-definitions
+brute-force-attack-preventions
+
+
+
+
+
+
+
+
+
+
+
+
+bruteForceProtectionForAllLoginPages |
+boolean |
+When enabled, enables Brute Force Protection for all configured login URLs. When disabled, only brute force configurations for specific login pages are applied in case they exist. |
+ |
+
+
+detectionCriteria |
+object |
+Specifies configuration for detecting distributed brute force attacks. |
+ |
+
+
+loginAttemptsFromTheSameIp |
+object |
+Specifies configuration for detecting brute force attacks from IP Address. |
+ |
+
+
+loginAttemptsFromTheSameUser |
+object |
+Specifies configuration for detecting brute force attacks for Username. |
+ |
+
+
+measurementPeriod |
+integer minimum: 60 maximum: 90000 |
+Defines detection period (measured in seconds) for distributed brute force attacks. |
+ |
+
+
+preventionDuration |
+
+- integer minimum: 60 maximum: 90000
+- string
+ |
+Defines prevention period (measured in seconds) for distributed brute force attacks. |
+
+- Integer values
+- "unlimited"
+ |
+
+
+reEnableLoginAfter |
+integer minimum: 60 maximum: 90000 |
+Defines prevention period (measured in seconds) for source-based brute force attacks. |
+ |
+
+
+sourceBasedProtectionDetectionPeriod |
+integer minimum: 60 maximum: 90000 |
+Defines detection period (measured in seconds) for source-based brute force attacks. |
+ |
+
+
+url |
+object |
+Reference to the URL used in login URL configuration (policy/login-pages). This login URL is protected by Brute Force Protection feature. |
+ |
+
+
+
+detectionCriteria
+
+
+
+
+
+
+
+
+
+
+
+
+action
|
+string |
+Specifies action that is applied when one of the defined thresholds (credentialsStuffingMatchesReached, failedLoginAttemptsRateReached) is reached.
+
+
+- alarm: The system will log the login attempt.
+- alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
+
+ |
+
+- alarm
+- alarm-and-client-side-integrity
+ |
+
+
+credentialsStuffingMatchesReached |
+integer minimum: 1 maximum: 10000 |
+After configured threshold (number of detected login attempts that match known leaked credentials library) defined action will be applied for the next login attempt. |
+ |
+
+
+failedLoginAttemptsRateReached |
+integer minimum: 1 maximum: 10000 |
+After configured threshold (number of failed login attempts within measurementPeriod) defined action will be applied for the next login attempt. |
+ |
+
+
+
+loginAttemptsFromTheSameIp
+
+
+
+
+
+
+
+
+
+
+
+
+action
|
+string |
+Specifies action that is applied when defined threshold is reached.
+
+
+- alarm: The system will log the login attempt.
+- alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
+- alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
+- alarm-and-drop: The system will log the login attempt and reset the TCP connection.
+- alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
+
+ |
+
+- alarm
+- alarm-and-blocking-page
+- alarm-and-client-side-integrity
+- alarm-and-drop
+- alarm-and-honeypot-page
+ |
+
+
+enabled |
+boolean |
+When enabled, the system counts failed login attempts from IP Address. |
+ |
+
+
+threshold |
+integer minimum: 1 maximum: 1000 |
+After configured threshold (number of failed login attempts from IP Address) defined action will be applied for the next login attempt. |
+ |
+
+
+
+loginAttemptsFromTheSameUser
+
+
+
+
+
+
+
+
+
+
+
+
+action
|
+string |
+Specifies action that is applied when defined threshold is reached.
+
+
+- alarm: The system will log the login attempt.
+- alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
+
+ |
+
+- alarm
+- alarm-and-client-side-integrity
+ |
+
+
+enabled |
+boolean |
+When enabled, the system counts failed login attempts for each Username. |
+ |
+
+
+threshold |
+integer minimum: 1 maximum: 100 |
+After configured threshold (number of failed login attempts for each Username) defined action will be applied for the next login attempt. |
+ |
+
+
+
character-sets
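Review bot: in the brute-force-attack-preventions sub-table, `url` is typed as `object` with no sub-table and the text says only that it references policy/login-pages, so the reader cannot tell which fields identify the login URL; add the object's fields or link to the login-pages `url` row (which is likewise undocumented in this patch). Smaller points: `When enabled, enables Brute Force Protection for all configured login URLs` reads awkwardly (`Applies Brute Force Protection to all configured login URLs` is clearer), and the long alarm-and-client-side-integrity text is pasted verbatim into all three `action` rows; one description referenced from the three rows would be easier to keep in sync.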
@@ -2431,12 +2668,18 @@
|
-checkSignatures |
+autoDetectBinaryValue |
boolean |
|
|
+checkSignatures |
+boolean |
+ |
+ |
+
+
decodeValueAsBase64
|
string |
Specifies whether the the system should detect or require values to be Base64 encoded:
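Review bot: autoDetectBinaryValue is a new header attribute whose description cell is empty, so the behaviour it enables is undocumented; add at least one sentence on what is detected and what the default is. Also, `Specifies whether the the system` in the unchanged context line has a doubled `the`, worth fixing while this table is being touched.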
@@ -2453,25 +2696,25 @@
required
|
-
+
htmlNormalization |
boolean |
|
|
-
+
mandatory |
boolean |
|
|
-
+
maskValueInLogs |
boolean |
Specifies, when true, that the headers's value will be masked in the request log. |
|
-
+
name
|
string |
Specifies the HTTP header name. The header name length is limited to 254 characters.
@@ -2496,25 +2739,25 @@
Note: Wildcards do not match regular expressions. Do not use a regular expression as a wildcard. |
|
-
+
normalizationViolations |
boolean |
|
|
-
+
percentDecoding |
boolean |
|
|
-
+
signatureOverrides |
array of objects |
Array of signature overrides. Specifies attack signatures whose security policy settings are overridden for this header, and which action the security policy takes when it discovers a request for this header that matches these attack signatures. |
|
-
+
type |
string |
Determines the type of the name attribute. Only when setting the type to wildcard will the special wildcard characters in the name be interpreted as such. |
@@ -2523,13 +2766,13 @@
wildcard
-
+
urlNormalization |
boolean |
|
|
-
+
wildcardOrder |
integer |
Specifies the order index for wildcard header matching. Wildcard headers with lower wildcard order will get checked for a match prior to headers with higher wildcard order. |
@@ -2611,7 +2854,118 @@ host-names
-idl-files
+idl-files
+
+
+
+
+
+
+
+
+
+
+
+
+contents |
+string |
+ |
+ |
+
+
+fileName |
+string |
+ |
+ |
+
+
+isBase64 |
+boolean |
+ |
+ |
+
+
+
+ip-address-lists
+
+
+
+
+
+
+
+
+
+
+
+
+blockRequests
|
+string |
+
+- Specifies how the system responds to blocking requests sent from this IP address list.
+
+- Policy Default: Specifies that the Policy Blocking Settings will be used for requests from this IP address list.
+- Never Block: Specifies that the system does not block requests sent from this IP address list, even if your security policy is configured to block all traffic.
+- Always Block: Specifies that the system blocks requests sent from this IP address list.
+
+
+
+Optional |
+
+- always
+- never
+- policy-default
+ |
+
+
+description |
+string |
+Specifies a brief description of the IP address list. Optional |
+ |
+
+
+ipAddresses |
+array of objects |
+Specifies the IP addresses. |
+ |
+
+
+matchOrder |
+integer |
+Specifies the order index for IP Address List matching. If unspecified, the order is implicitly as the lists appear in the policy. IP Address Groups with a lower matchOrder will be checked for a match prior to items with higher matchOrder. |
+ |
+
+
+name |
+string |
+Specifies the name of ip address list. |
+ |
+
+
+neverLogRequests |
+boolean |
+Specifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic. |
+ |
+
+
+setGeolocation |
+string |
+Specifies a geolocation to be associated for this IP address list. Optional |
+ |
+
+
+
+ipAddresses
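Review bot: `Optional` is placed inconsistently in the new ip-address-lists sub-table: for blockRequests it sits in its own cell, while for description and setGeolocation it is appended to the description text. Pick one column for it. Two wording points: matchOrder says `IP Address Groups with a lower matchOrder` while the rest of the section calls them IP address lists, and `Specifies the name of ip address list.` should read `Specifies the name of the IP address list.`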
@@ -2629,23 +2983,11 @@ idl-files
-contents |
-string |
- |
- |
-
-
-fileName |
+ipAddress |
string |
|
|
-
-isBase64 |
-boolean |
- |
- |
-
json-profiles
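Review bot: the new ipAddresses sub-table has a single `ipAddress` string with an empty description, and the ipMask field that the removed whitelist-ips section used for netmasks does not reappear anywhere in this patch. State the accepted format for ipAddress (single address only, or a CIDR suffix as well) so readers know how to express a subnet.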
@@ -2967,6 +3309,170 @@ json-validation-files
+login-pages
+
+
+
+
+
+
+
+
+
+
+
+
+accessValidation |
+object |
+Access Validation define validation criteria for the login page response. If you define more than one validation criteria, the response must meet all the criteria before the system allows the user to access the application login URL. |
+ |
+
+
+authenticationType
|
+string |
+Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user.
+
+
+- none: The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.
+- form: The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.
+- http-basic: The user name and password are transmitted in Base64 and stored on the server in plain text.
+- http-digest: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.
+- ntlm: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.
+- ajax-or-json-request: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.
+
+ |
+
+- ajax-or-json-request
+- form
+- http-basic
+- http-digest
+- none
+- ntlm
+- request-body
+ |
+
+
+passwordParameterName |
+string |
+A name of parameter which will contain password string. |
+ |
+
+
+passwordRegex |
+string |
+ |
+ |
+
+
+url |
+object |
+URL string used for login page. |
+ |
+
+
+usernameParameterName |
+string |
+A name of parameter which will contain username string. |
+ |
+
+
+usernameRegex |
+string |
+ |
+ |
+
+
+
+accessValidation
+
+
+
+
+
+
+
+
+
+
+
+
+cookieContains |
+string |
+A defined domain cookie name that the response to the login URL must match to permit user access to the authenticated URL. |
+ |
+
+
+headerContains |
+string |
+A header name and value that the response to the login URL must match to permit user access to the authenticated URL. |
+ |
+
+
+headerContainsMatchCondition |
+string |
+ |
+ |
+
+
+headerOmits |
+string |
+A header name and value that indicates a failed login attempt and prohibits user access to the authenticated URL. |
+ |
+
+
+headerOmitsMatchCondition |
+string |
+ |
+ |
+
+
+parameterContains |
+string |
+A parameter that must exist in the login URL's HTML body to allow access to the authenticated URL. |
+ |
+
+
+responseContains |
+string |
+A string that must appear in the response for the system to allow the user to access the authenticated URL; for example, "Successful Login". |
+ |
+
+
+responseHttpStatus |
+string |
+An HTTP response code that the server must return to the user to allow access to the authenticated URL; for example, "200". |
+ |
+
+
+responseHttpStatusOmits |
+array of strings |
+An HTTP response code that indicates a failed login attempt and prohibits user access to the authenticated URL. |
+ |
+
+
+responseOmits |
+string |
+A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, "Authentication failed". |
+ |
+
+
+
methods
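Review bot: the allowed-values list for authenticationType includes `request-body`, but the bulleted descriptions above it cover only the other six values; add a description for request-body or drop it from the list if it is not accepted. Wording: `Authentication Type is method the web server uses` is missing `the`, `A name of parameter which will contain password string` should read `The name of the parameter that carries the password`, and the http-basic bullet conflates transport with storage: Basic authentication sends the credentials Base64-encoded (effectively plain text on the wire), while how the server stores them is not determined by the authentication type. The passwordRegex, usernameRegex, headerContainsMatchCondition and headerOmitsMatchCondition rows have empty descriptions and no allowed values.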
@@ -5223,12 +5729,21 @@ urlContentProfiles
|
+decodeValueAsBase64 |
+string |
+ |
+ |
+
+
headerName |
string |
Specifies an explicit header name that must appear in requests for this URL. This field is not case-sensitive. |
|
-
+
headerOrder |
- integer
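Review bot: decodeValueAsBase64 is added to urlContentProfiles as a string with an empty description and no allowed-values cell, whereas the same attribute in the headers table earlier in this patch has a description (`Specifies whether the system should detect or require values to be Base64 encoded`) and an allowed value `required`; reuse that wording and value list here so the two tables agree.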
@@ -5240,13 +5755,13 @@ urlContentProfiles
- "default"
|
-
+
headerValue |
string |
Specifies a simple pattern string (glob pattern matching) for the header value that must appear in legal requests for this URL; for example, json, xml_method?, or method[0-9]. If the header includes this pattern, the system assumes the request contains the type of data you select in the Request Body Handling setting. This field is case-sensitive. |
|
-
+
type |
string |
@@ -5328,7 +5843,7 @@ urls
|
-whitelist-ips
+xml-profiles
@@ -5346,97 +5861,54 @@ whitelist-ips
-blockRequests |
-string |
-
-- Specifies how the system responds to blocking requests sent from this IP address.
-
-- Policy Default: Specifies that the Policy Blocking Settings will be used for requests from this IP address.
-- Never Block: Specifies that the system does not block requests sent from this IP address, even if your security policy is configured to block all traffic.
-- Always Block: Specifies that the system blocks requests sent from this IP address on condition that IP is denylisted is set to Block under Policy Building Settings.
-
-
- |
-
-- always
-- never
-- policy-default
- |
+attackSignaturesCheck |
+boolean |
+ |
+ |
-description |
-string |
-Specifies a brief description of the IP address. |
+defenseAttributes |
+object |
+ |
|
-ipAddress |
+description |
string |
-Specifies the IP address that you want the system to trust. |
|
-
-
-ipMask |
-string |
-Specifies the netmask of the exceptional IP address. This is an optional field. |
|
-
-neverLogRequests |
+
+metacharAttributeCheck |
boolean |
-Specifies when enabled that the system does not log requests or responses sent from this IP address, even if the traffic is illegal, and even if your security policy is configured to log all traffic. |
+ |
|
-
-
-xml-profiles
-
-
-
-
-
-
-
-
-
-
-
-attackSignaturesCheck |
+metacharElementCheck |
boolean |
|
|
-defenseAttributes |
-object |
+metacharOverrides |
+array of objects |
|
|
-description |
-string |
- |
- |
-
-
name |
string |
|
|
-
+
signatureOverrides |
array of objects |
|
|
-
+
useXmlResponsePage |
boolean |
|
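Review bot: the three new xml-profiles attributes (metacharAttributeCheck, metacharElementCheck, metacharOverrides) all have empty description cells, and the whitelist-ips rows this hunk removes had full descriptions, so net documentation coverage goes down. Add one sentence each, at least stating what the element and attribute metacharacter checks apply to and that metacharOverrides lists per-character exceptions (the isAllowed/metachar sub-table that follows).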
@@ -5613,6 +6085,37 @@ defenseAttributes
+
+
+
+
+
+
+
+
+
+
+
+
+
+isAllowed |
+boolean |
+ |
+ |
+
+
+metachar |
+string |
+ |
+ |
+
+
+
signatureOverrides
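Review bot: this added sub-table (isAllowed, metachar) has no heading line naming the parent array, unlike the other sub-tables in this patch (compare the `+ip-address-lists` and `+login-pages` heading lines); presumably it documents metacharOverrides, but a reader of the rendered page sees an untitled table under defenseAttributes. Add the heading, and descriptions for both rows.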
@@ -5832,6 +6335,8 @@ violations
VIOL_ACCESS_MISSING
VIOL_ASM_COOKIE_MODIFIED
VIOL_BLACKLISTED_IP
+VIOL_BOT_CLIENT
+VIOL_BRUTE_FORCE
VIOL_COOKIE_EXPIRED
VIOL_COOKIE_LENGTH
VIOL_COOKIE_MALFORMED
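Review bot: VIOL_BOT_CLIENT is added to the violations list alongside VIOL_BRUTE_FORCE, but nothing else in this patch introduces bot-client detection or a policy section that would raise it; confirm it belongs in this change and, if so, document the section that configures it. VIOL_BRUTE_FORCE should be cross-referenced from the new brute-force-attack-preventions section so readers can map the `action` settings to the violation they will see in logs.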
@@ -5858,6 +6363,7 @@ violations
VIOL_JSON_FORMAT
VIOL_JSON_MALFORMED
VIOL_JSON_SCHEMA
+VIOL_LOGIN
VIOL_MANDATORY_HEADER
VIOL_MANDATORY_PARAMETER
VIOL_MANDATORY_REQUEST_BODY
diff --git a/content/nap-waf/v4/admin-guide/install.md b/content/nap-waf/v4/admin-guide/install.md
index a3385a156..4db108917 100644
--- a/content/nap-waf/v4/admin-guide/install.md
+++ b/content/nap-waf/v4/admin-guide/install.md
@@ -1,12 +1,11 @@
---
-description: This guide explains how to deploy F5 NGINX App Protect WAF v4 as well as
- upgrade App Protect and the App Protect signature sets.
-docs: DOCS-646
-doctypes:
-- task
title: NGINX App Protect WAF Administration Guide
-toc: true
weight: 100
+toc: true
+type: how-to
+product: NAP-WAF
+docs: DOCS-646
+
---
## Overview
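Review bot: the front matter drops the `description` field entirely instead of carrying it over to the new field set, so the page loses its summary in listings and metadata; restore it alongside `type` and `product`. The added blank line before the closing `---` is stray whitespace.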
@@ -41,23 +40,22 @@ NGINX App Protect WAF supports the following operating systems:
- [Ubuntu 20.04 (Focal)](#ubuntu-1804--ubuntu-2004--ubuntu-2204--ubuntu-2404-installation)
- [Ubuntu 22.04 (Jammy)](#ubuntu-1804--ubuntu-2004--ubuntu-2204--ubuntu-2404-installation)
- [Ubuntu 24.04 (Noble)](#ubuntu-1804--ubuntu-2004--ubuntu-2204--ubuntu-2404-installation)
-- [Alpine 3.16](#alpine-316--alpine-317-installation) - (Deprecated starting from NGINX Plus R33)
-- [Alpine 3.17](#alpine-316--alpine-317-installation)
-
+- [Alpine 3.17](#alpine-316-317--319-installation)
+- [Alpine 3.19](#alpine-316-317--319-installation)
The NGINX App Protect WAF package has the following dependencies:
1. **nginx-plus-module-appprotect** - NGINX Plus dynamic module for App Protect
-2. **app-protect-engine** - The App Protect enforcement engine
-3. **app-protect-plugin** - The App Protect connector API between the engine and the NGINX Plus dynamic module
-4. **app-protect-compiler** - The App Protect enforcement engine compiler agent
-5. **app-protect-common** - The App Protect shared libraries package
-6. **app-protect-geoip** - The App Protect geolocation update package
-6. **app-protect-graphql** - The App Protect shared library package for GraphQL protection
-7. **app-protect-attack-signatures** - The App Protect attack signatures update package
-8. **app-protect-threat-campaigns** - The App Protect threat campaigns update package
-9. **app-protect-bot-signatures** - The App Protect bot signatures update package
-9. **app-protect-selinux** - The prebuilt SELinux policy module for NGINX App Protect WAF (optional dependency)
+1. **app-protect-engine** - The App Protect enforcement engine
+1. **app-protect-plugin** - The App Protect connector API between the engine and the NGINX Plus dynamic module
+1. **app-protect-compiler** - The App Protect enforcement engine compiler agent
+1. **app-protect-common** - The App Protect shared libraries package
+1. **app-protect-geoip** - The App Protect geolocation update package
+1. **app-protect-graphql** - The App Protect shared library package for GraphQL protection
+1. **app-protect-attack-signatures** - The App Protect attack signatures update package
+1. **app-protect-threat-campaigns** - The App Protect threat campaigns update package
+1. **app-protect-bot-signatures** - The App Protect bot signatures update package
+1. **app-protect-selinux** - The prebuilt SELinux policy module for NGINX App Protect WAF (optional dependency)
See the NGINX Plus full list of prerequisites for more details. NGINX App Protect WAF can be installed as a module to an existing NGINX Plus installation or as a complete NGINX Plus with App Protect installation in a clean environment.
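Review bot: the hunk removes the blank line that separated the Ubuntu/Alpine bullet list from the paragraph `The NGINX App Protect WAF package has the following dependencies:`; without it, Markdown lazy continuation can fold that paragraph into the last list item. Keep the blank line. Also, Alpine 3.16 is removed from the supported list here, but the Alpine headings, Dockerfile comments and the build-alpine includes elsewhere in this patch still list 3.16; if 3.16 is no longer supported those should be updated too, otherwise keep 3.16 here with its deprecation note. Switching every dependency to `1.` fixes the duplicate `6.` and `9.` numbering, which is fine.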
@@ -1208,7 +1206,7 @@ If a user other than **nginx** is to be used, note the following:
{{< /note >}}
-## Alpine 3.16 / Alpine 3.17 Installation
+## Alpine 3.16, 3.17 & 3.19 Installation
1. If you already have NGINX packages in your system, back up your configs and logs:
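Review bot: the new heading `Alpine 3.16, 3.17 & 3.19 Installation` uses a different separator style from the Docker example headings in this patch (`Alpine 3.16 / Alpine 3.17 / Alpine 3.19`), and the `&` changes the generated anchor: the links above point at `#alpine-316-317--319-installation`, so verify that the site's heading-ID generator produces exactly that (the double hyphen comes from the dropped `&`). Using the same `/` style as the other headings would avoid the odd anchor.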
@@ -1804,12 +1802,12 @@ COPY entrypoint.sh /root/
CMD ["sh", "/root/entrypoint.sh"]
```
-### Alpine 3.16 / Alpine 3.17 Docker Deployment Example
+### Alpine 3.16 / Alpine 3.17 / Alpine 3.19 Docker Deployment Example
```dockerfile
# syntax=docker/dockerfile:1
-# For Alpine 3.16 / 3.17:
-FROM alpine:3.16/3.17
+# For Alpine 3.16/3.17/3.19:
+FROM alpine:3.19
# Download and add the NGINX signing keys:
RUN wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
@@ -2205,12 +2203,12 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644
apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-compiler
```
-### Alpine 3.16 / Alpine 3.17 Converter Docker Deployment Example
+### Alpine 3.16 / Alpine 3.17 / Alpine 3.19 Converter Docker Deployment Example
```dockerfile
# syntax=docker/dockerfile:1
-# For Alpine 3.16/3.17:
-FROM alpine:3.16/3.17
+# For Alpine 3.16/3.17/3.19:
+FROM alpine:3.19
# Download and add the NGINX signing keys:
RUN wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
@@ -2432,13 +2430,13 @@ After having updated the Attack Signature package you have to reload the configu
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo
```
-2. Update the attack signatures:
+2. Update the attack signatures to the latest:
```shell
sudo yum install app-protect-attack-signatures
```
- To install a specific version, list the available versions:
+3. To install a specific version, list the available versions:
```shell
sudo yum --showduplicates list app-protect-attack-signatures
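Review bot: turning `To install a specific version` into numbered step 3 after step 2 `Update the attack signatures to the latest` makes the two read as sequential, but they are alternatives: a reader wants either the latest or a pinned version, not both. Consider `3. Alternatively, to install a specific version, ...` or keep it as a sub-note under step 2. The same applies to every parallel hunk below (dnf, apt, apk, and the Threat Campaigns sections).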
@@ -2464,13 +2462,13 @@ After having updated the Attack Signature package you have to reload the configu
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-8.repo
```
-2. Update the attack signatures:
+2. Update the attack signatures to the latest:
```shell
sudo dnf install app-protect-attack-signatures
```
- To install a specific version, list the available versions:
+3. To install a specific version, list the available versions:
```shell
sudo dnf --showduplicates list app-protect-attack-signatures
@@ -2496,13 +2494,13 @@ After having updated the Attack Signature package you have to reload the configu
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-9.repo
```
-2. Update the attack signatures:
+2. Update the attack signatures to the latest:
```shell
sudo dnf install app-protect-attack-signatures
```
- To install a specific version, list the available versions:
+3. To install a specific version, list the available versions:
```shell
sudo dnf --showduplicates list app-protect-attack-signatures
@@ -2543,13 +2541,13 @@ After having updated the Attack Signature package you have to reload the configu
sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
```
-4. Update the attack signatures:
+4. Update the attack signatures to the latest:
```shell
sudo apt-get update && sudo apt-get install app-protect-attack-signatures
```
- To install a specific version, list the available versions:
+5. To install a specific version, list the available versions:
```shell
sudo apt-cache policy app-protect-attack-signatures
@@ -2598,13 +2596,13 @@ After having updated the Attack Signature package you have to reload the configu
sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
```
-4. Update the attack signatures:
+4. Update the attack signatures to the latest:
```shell
sudo apt-get update && sudo apt-get install app-protect-attack-signatures
```
- To install a specific version, list the available versions:
+5. To install a specific version, list the available versions:
```shell
sudo apt-cache policy app-protect-attack-signatures
@@ -2636,7 +2634,7 @@ After having updated the Attack Signature package you have to reload the configu
sudo apt-get install app-protect-attack-signatures=2020.07.16-1~noble
```
-### Alpine 3.16 / Alpine 3.17
+### Alpine 3.16 / Alpine 3.17 / Alpine 3.19
1. If not already configured, add the NGINX App Protect WAF Security Updates repository:
@@ -2714,13 +2712,13 @@ Example: app-protect-threat-campaigns-2022.07.21
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo
```
-2. Update Threat Campaigns:
+2. Update Threat Campaigns to the latest:
```shell
sudo yum install app-protect-threat-campaigns
```
- To install a specific version, list the available versions:
+3. To install a specific version, list the available versions:
```shell
sudo yum --showduplicates list app-protect-threat-campaigns
@@ -2740,13 +2738,13 @@ Example: app-protect-threat-campaigns-2022.07.21
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-8.repo
```
-2. Update Threat Campaigns:
+2. Update Threat Campaigns to the latest:
```shell
sudo dnf install app-protect-threat-campaigns
```
- To install a specific version, list the available versions:
+3. To install a specific version, list the available versions:
```shell
sudo dnf --showduplicates list app-protect-threat-campaigns
@@ -2766,13 +2764,13 @@ Example: app-protect-threat-campaigns-2022.07.21
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-9.repo
```
-2. Update Threat Campaigns:
+2. Update Threat Campaigns to the latest:
```shell
sudo dnf install app-protect-threat-campaigns
```
- To install a specific version, list the available versions:
+3. To install a specific version, list the available versions:
```shell
sudo dnf --showduplicates list app-protect-threat-campaigns
@@ -2784,7 +2782,7 @@ Example: app-protect-threat-campaigns-2022.07.21
sudo dnf install app-protect-threat-campaigns-2023.12.11
```
-### Alpine 3.16 / Alpine 3.17
+### Alpine 3.16 / Alpine 3.17 / Alpine 3.19
1. If not already configured, add the NGINX App Protect WAF Security Updates repository:
@@ -2798,13 +2796,13 @@ Example: app-protect-threat-campaigns-2022.07.21
sudo wget -O /etc/apk/keys/app-protect-security-updates.rsa.pub https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub
```
-3. Update Threat Campaigns:
+3. Update Threat Campaigns to the latest:
```shell
sudo apk update && sudo apk add app-protect-threat-campaigns
```
- To install a specific version, list the available versions:
+4. To install a specific version, list the available versions:
```shell
sudo apk search app-protect-threat-campaigns
@@ -2839,13 +2837,13 @@ Example: app-protect-threat-campaigns-2022.07.21
sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
```
-4. Update Threat Campaigns:
+4. Update Threat Campaigns to the latest:
```shell
sudo apt-get update && sudo apt-get install app-protect-threat-campaigns
```
- To install a specific version, list the available versions:
+5. To install a specific version, list the available versions:
```shell
sudo apt-cache policy app-protect-threat-campaigns
@@ -2894,13 +2892,13 @@ Example: app-protect-threat-campaigns-2022.07.21
sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
```
-4. Update Threat Campaigns:
+4. Update Threat Campaigns to the latest:
```shell
sudo apt-get update && sudo apt-get install app-protect-threat-campaigns
```
- To install a specific version, list the available versions:
+5. To install a specific version, list the available versions:
```shell
sudo apt-cache policy app-protect-threat-campaigns
@@ -2947,13 +2945,13 @@ The App Protect Bot Signatures is named: app-protect-bot-signatures and it is a
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo
```
-2. Update bot signatures:
+2. Update bot signatures to the latest:
```shell
sudo yum install app-protect-bot-signatures
```
- To install a specific version, list the available versions:
+3. To install a specific version, list the available versions:
```shell
sudo yum --showduplicates list app-protect-bot-signatures
@@ -2979,13 +2977,13 @@ The App Protect Bot Signatures is named: app-protect-bot-signatures and it is a
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-8.repo
```
-2. Update Bot Signatures:
+2. Update Bot Signatures to the latest:
```shell
sudo dnf install app-protect-bot-signatures
```
- To install a specific version, list the available versions:
+3. To install a specific version, list the available versions:
```shell
sudo dnf --showduplicates list app-protect-bot-signatures
@@ -3011,13 +3009,13 @@ The App Protect Bot Signatures is named: app-protect-bot-signatures and it is a
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-9.repo
```
-2. Update Bot Signatures:
+2. Update Bot Signatures to the latest:
```shell
sudo dnf install app-protect-bot-signatures
```
- To install a specific version, list the available versions:
+3. To install a specific version, list the available versions:
```shell
sudo dnf --showduplicates list app-protect-bot-signatures
@@ -3035,7 +3033,7 @@ The App Protect Bot Signatures is named: app-protect-bot-signatures and it is a
sudo dnf downgrade app-protect-bot-signatures-2023.12.11
```
-### Alpine 3.16 / Alpine 3.17
+### Alpine 3.16 / Alpine 3.17 / Alpine 3.19
1. If not already configured, add the NGINX App Protect WAF Security Updates repository:
@@ -3049,13 +3047,13 @@ The App Protect Bot Signatures is named: app-protect-bot-signatures and it is a
sudo wget -O /etc/apk/keys/app-protect-security-updates.rsa.pub https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub
```
-3. Update Bot Signatures:
+3. Update Bot Signatures to the latest:
```shell
sudo apk update && sudo apk add app-protect-bot-signatures
```
- To install a specific version, list the available versions:
+4. To install a specific version, list the available versions:
```shell
sudo apk search app-protect-bot-signatures
@@ -3091,13 +3089,13 @@ The App Protect Bot Signatures is named: app-protect-bot-signatures and it is a
sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
```
-4. Update Bot Signatures:
+4. Update Bot Signatures to the latest:
```shell
sudo apt-get update && sudo apt-get install app-protect-bot-signatures
```
- To install a specific version, list the available versions:
+5. To install a specific version, list the available versions:
```shell
sudo apt-cache policy app-protect-bot-signatures
@@ -3141,13 +3139,13 @@ The App Protect Bot Signatures is named: app-protect-bot-signatures and it is a
sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
```
-4. Update Bot Signatures:
+4. Update Bot Signatures to the latest:
```shell
sudo apt-get update && sudo apt-get install app-protect-bot-signatures
```
- To install a specific version, list the available versions:
+5. To install a specific version, list the available versions:
```shell
sudo apt-cache policy app-protect-bot-signatures
@@ -3227,7 +3225,7 @@ app-protect-threat-campaigns \
app-protect-bot-signatures
```
-### Alpine 3.16 / Alpine 3.17
+### Alpine 3.16 / Alpine 3.17 / Alpine 3.19
```shell
sudo apk del app-protect \
diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md
index 393a2275f..8441b62f8 100644
--- a/content/nap-waf/v4/configuration-guide/configuration.md
+++ b/content/nap-waf/v4/configuration-guide/configuration.md
@@ -20,7 +20,6 @@ When configuring NGINX App Protect WAF, `app_protect_enable` should always be en
## Supported Security Policy Features
-{{}}
|Protection Mechanism | Description |
| ---| --- |
|[Attack Signatures](#attack-signatures-overview) | Default policy covers all the OWASP top 10 attack patterns enabling signature sets detailed in a section below. The user can disable any of them or add other sets. |
@@ -39,8 +38,7 @@ When configuring NGINX App Protect WAF, `app_protect_enable` should always be en
|[Deny and Allow IP lists](#deny-and-allow-ip-lists) | Manually define denied & allowed IP addresses as well as IP addresses to never log. |
|[XFF headers & trust](#xff-headers-and-trust) | Disabled by default. User can enable it and optionally add a list of custom XFF headers. |
|[gRPC Protection](#grpc-protection-for-unary-traffic) | gRPC content profile detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection can be on [unary](#grpc-protection-for-unary-traffic) or [bidirectional](#grpc-protection-for-bidirectional-streaming) traffic.|
-{{}}
-
+|[Brute Force Attack Preventions](#brute-force-attack-preventions) | Configure brute-force-attack-preventions parameters to secured areas of a web application from brute force attacks.|}
### Disallowed File Types
{{< include "nap-waf/config/common/disallowed-file-types.md" >}}
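Review bot: the added table row ends with a stray `}` after the closing pipe (`... from brute force attacks.|}`), apparently left over from the removed closing shortcode, and it will render as literal text. The description is also ungrammatical: "Configure brute-force-attack-preventions parameters to secured areas of a web application from brute force attacks" should read "Configure brute-force-attack-preventions parameters to secure areas of a web application against brute force attacks". The blank line that separated the table from `### Disallowed File Types` was also dropped; keep it, as the other tables in this file are followed by one.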
@@ -653,6 +651,55 @@ claims['address'] = "{ \"address\": { .... } }" # JSON structs can be accessed u
### Other References
{{< include "nap-waf/config/common/json-web-tokens-other-references.md" >}}
+## Brute Force Attack Preventions
+
+### Overview
+
+Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive,
+systematic, username/password combinations to discover legitimate authentication credentials.
+To prevent brute force attacks, WAF tracks the number of failed attempts to reach login pages
+with enforced brute force protection. When brute force patterns are detected,
+the WAF policy considers it to be an attack if the failed logon rate increased significantly or
+if failed logins reached a maximum threshold.
+
+### Brute force policy example
+
+```json
+{
+ "policy": {
+ "name": "BruteForcePolicy",
+ "template": {
+ "name": "POLICY_TEMPLATE_NGINX_BASE"
+ },
+ "applicationLanguage": "utf-8",
+ "enforcementMode": "blocking",
+ "brute-force-attack-preventions" : [
+ {
+ "bruteForceProtectionForAllLoginPages" : true,
+ "detectionCriteria" : {
+ "action" : "alarm",
+ "failedLoginAttemptsRateReached" : 100
+ },
+ "loginAttemptsFromTheSameIp" : {
+ "action" : "alarm",
+ "enabled" : true,
+ "threshold" : 20
+ },
+ "loginAttemptsFromTheSameUser" : {
+ "action" : "alarm",
+ "enabled" : true,
+ "threshold" : 3
+ },
+ "measurementPeriod" : 900,
+ "preventionDuration" : "3600",
+ "reEnableLoginAfter" : 3600,
+ "sourceBasedProtectionDetectionPeriod" : 3600
+ }
+ ]
+ }
+}
+
+```
## Custom Dimensions Log Entries
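Review bot: as written the example protects nothing, because `bruteForceProtectionForAllLoginPages: true` applies to the login URLs configured in the policy (the policy.html row added in this same patch says the default configuration "applies to all configured login URLs") and the example defines no login page. Either add the login-page definition the brute-force settings attach to or state that a configured login page is a prerequisite. Two further points on the JSON: every `action` is `alarm`, so despite `"enforcementMode": "blocking"` the example never blocks, and the text should say so or show the blocking action value; and `"preventionDuration": "3600"` is a quoted string while `measurementPeriod`, `reEnableLoginAfter` and `sourceBasedProtectionDetectionPeriod` are integers, so either say the schema requires a string there or make them consistent, and state the unit (seconds) for all four. Minor: the fence contains a trailing blank line before the closing backticks, and in the overview "break in to" should be "break into" and "if the failed logon rate increased significantly" should be "increases".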
diff --git a/content/nap-waf/v4/releases/about-1.0.md b/content/nap-waf/v4/releases/about-1.0.md
index 6e1204fe8..a92eb466c 100644
--- a/content/nap-waf/v4/releases/about-1.0.md
+++ b/content/nap-waf/v4/releases/about-1.0.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 1.0
-toc: true
weight: 1060
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-649
---
diff --git a/content/nap-waf/v4/releases/about-1.1.md b/content/nap-waf/v4/releases/about-1.1.md
index 7eb47d53c..658adcae8 100644
--- a/content/nap-waf/v4/releases/about-1.1.md
+++ b/content/nap-waf/v4/releases/about-1.1.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 1.1
-toc: true
weight: 1040
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-650
---
diff --git a/content/nap-waf/v4/releases/about-1.2.md b/content/nap-waf/v4/releases/about-1.2.md
index ed01535dd..1e23af684 100644
--- a/content/nap-waf/v4/releases/about-1.2.md
+++ b/content/nap-waf/v4/releases/about-1.2.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 1.2
-toc: true
weight: 1020
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-000
---
diff --git a/content/nap-waf/v4/releases/about-1.3.md b/content/nap-waf/v4/releases/about-1.3.md
index e106f963f..c59b87bef 100644
--- a/content/nap-waf/v4/releases/about-1.3.md
+++ b/content/nap-waf/v4/releases/about-1.3.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 1.3
-toc: true
weight: 1000
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-652
---
diff --git a/content/nap-waf/v4/releases/about-2.0.md b/content/nap-waf/v4/releases/about-2.0.md
index b4848bb04..e88a88b8d 100644
--- a/content/nap-waf/v4/releases/about-2.0.md
+++ b/content/nap-waf/v4/releases/about-2.0.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 2.0
-toc: true
weight: 980
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-653
---
diff --git a/content/nap-waf/v4/releases/about-2.1.md b/content/nap-waf/v4/releases/about-2.1.md
index 016db352b..7af54d990 100644
--- a/content/nap-waf/v4/releases/about-2.1.md
+++ b/content/nap-waf/v4/releases/about-2.1.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 2.1
-toc: true
weight: 960
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-654
---
diff --git a/content/nap-waf/v4/releases/about-2.2.md b/content/nap-waf/v4/releases/about-2.2.md
index 977cf27a3..0f705534f 100644
--- a/content/nap-waf/v4/releases/about-2.2.md
+++ b/content/nap-waf/v4/releases/about-2.2.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 2.2
-toc: true
weight: 940
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-655
---
diff --git a/content/nap-waf/v4/releases/about-2.3.md b/content/nap-waf/v4/releases/about-2.3.md
index 380cf2e8c..b929210b3 100644
--- a/content/nap-waf/v4/releases/about-2.3.md
+++ b/content/nap-waf/v4/releases/about-2.3.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 2.3
-toc: true
weight: 920
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-656
---
diff --git a/content/nap-waf/v4/releases/about-3.0.md b/content/nap-waf/v4/releases/about-3.0.md
index a585afdd4..ce48bf9fd 100644
--- a/content/nap-waf/v4/releases/about-3.0.md
+++ b/content/nap-waf/v4/releases/about-3.0.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.0
-toc: true
weight: 800
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-657
---
diff --git a/content/nap-waf/v4/releases/about-3.1.md b/content/nap-waf/v4/releases/about-3.1.md
index 9510c138b..e3d8a1ed0 100644
--- a/content/nap-waf/v4/releases/about-3.1.md
+++ b/content/nap-waf/v4/releases/about-3.1.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.1
-toc: true
weight: 790
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-658
---
diff --git a/content/nap-waf/v4/releases/about-3.10.md b/content/nap-waf/v4/releases/about-3.10.md
index 118c33e8a..7097419e4 100644
--- a/content/nap-waf/v4/releases/about-3.10.md
+++ b/content/nap-waf/v4/releases/about-3.10.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.10
-toc: true
weight: 680
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-846
---
diff --git a/content/nap-waf/v4/releases/about-3.11.md b/content/nap-waf/v4/releases/about-3.11.md
index f867fc60d..f95a6c508 100644
--- a/content/nap-waf/v4/releases/about-3.11.md
+++ b/content/nap-waf/v4/releases/about-3.11.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.11
-toc: true
weight: 660
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-891
---
diff --git a/content/nap-waf/v4/releases/about-3.12.2.md b/content/nap-waf/v4/releases/about-3.12.2.md
index 7e76eba44..579b98006 100644
--- a/content/nap-waf/v4/releases/about-3.12.2.md
+++ b/content/nap-waf/v4/releases/about-3.12.2.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.12.2
-toc: true
weight: 620
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-988
---
diff --git a/content/nap-waf/v4/releases/about-3.12.md b/content/nap-waf/v4/releases/about-3.12.md
index dca37db34..9b6b36d93 100644
--- a/content/nap-waf/v4/releases/about-3.12.md
+++ b/content/nap-waf/v4/releases/about-3.12.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.12
-toc: true
weight: 640
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-943
---
diff --git a/content/nap-waf/v4/releases/about-3.2.md b/content/nap-waf/v4/releases/about-3.2.md
index aaa89574b..55f31acae 100644
--- a/content/nap-waf/v4/releases/about-3.2.md
+++ b/content/nap-waf/v4/releases/about-3.2.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.2
-toc: true
weight: 780
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-659
---
diff --git a/content/nap-waf/v4/releases/about-3.3.md b/content/nap-waf/v4/releases/about-3.3.md
index 03ee56b8b..1d18e1e1a 100644
--- a/content/nap-waf/v4/releases/about-3.3.md
+++ b/content/nap-waf/v4/releases/about-3.3.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.3
-toc: true
weight: 770
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-660
---
diff --git a/content/nap-waf/v4/releases/about-3.4.md b/content/nap-waf/v4/releases/about-3.4.md
index 33a50aade..ae3880eed 100644
--- a/content/nap-waf/v4/releases/about-3.4.md
+++ b/content/nap-waf/v4/releases/about-3.4.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.4
-toc: true
weight: 760
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-661
---
diff --git a/content/nap-waf/v4/releases/about-3.5.md b/content/nap-waf/v4/releases/about-3.5.md
index b5c9dda6a..895f68c39 100644
--- a/content/nap-waf/v4/releases/about-3.5.md
+++ b/content/nap-waf/v4/releases/about-3.5.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.5
-toc: true
weight: 750
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-662
---
diff --git a/content/nap-waf/v4/releases/about-3.6.md b/content/nap-waf/v4/releases/about-3.6.md
index 7e78c9e44..41b9ebc12 100644
--- a/content/nap-waf/v4/releases/about-3.6.md
+++ b/content/nap-waf/v4/releases/about-3.6.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.6
-toc: true
weight: 740
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-663
---
diff --git a/content/nap-waf/v4/releases/about-3.7.md b/content/nap-waf/v4/releases/about-3.7.md
index cb62ea93e..944a2bd98 100644
--- a/content/nap-waf/v4/releases/about-3.7.md
+++ b/content/nap-waf/v4/releases/about-3.7.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.7
-toc: true
weight: 730
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-664
---
diff --git a/content/nap-waf/v4/releases/about-3.8.md b/content/nap-waf/v4/releases/about-3.8.md
index 5be7e796a..d4bb100fa 100644
--- a/content/nap-waf/v4/releases/about-3.8.md
+++ b/content/nap-waf/v4/releases/about-3.8.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.8
-toc: true
weight: 720
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-832
---
diff --git a/content/nap-waf/v4/releases/about-3.9.1.md b/content/nap-waf/v4/releases/about-3.9.1.md
index dde592f01..4580080ca 100644
--- a/content/nap-waf/v4/releases/about-3.9.1.md
+++ b/content/nap-waf/v4/releases/about-3.9.1.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.9.1
-toc: true
weight: 700
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-842
---
diff --git a/content/nap-waf/v4/releases/about-3.9.md b/content/nap-waf/v4/releases/about-3.9.md
index 7449c4342..ffede02ad 100644
--- a/content/nap-waf/v4/releases/about-3.9.md
+++ b/content/nap-waf/v4/releases/about-3.9.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 3.9
-toc: true
weight: 710
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-838
---
diff --git a/content/nap-waf/v4/releases/about-4.0.md b/content/nap-waf/v4/releases/about-4.0.md
index 2d7130a39..6dbd1cd06 100644
--- a/content/nap-waf/v4/releases/about-4.0.md
+++ b/content/nap-waf/v4/releases/about-4.0.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.0
-toc: true
weight: 410
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-994
---
diff --git a/content/nap-waf/v4/releases/about-4.1.md b/content/nap-waf/v4/releases/about-4.1.md
index 81a58214f..4f9294a26 100644
--- a/content/nap-waf/v4/releases/about-4.1.md
+++ b/content/nap-waf/v4/releases/about-4.1.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.1
-toc: true
weight: 400
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-1116
---
diff --git a/content/nap-waf/v4/releases/about-4.10.md b/content/nap-waf/v4/releases/about-4.10.md
index a52080c1f..8097546aa 100644
--- a/content/nap-waf/v4/releases/about-4.10.md
+++ b/content/nap-waf/v4/releases/about-4.10.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.10
-toc: true
weight: 130
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-000
---
diff --git a/content/nap-waf/v4/releases/about-4.11.md b/content/nap-waf/v4/releases/about-4.11.md
index 04031affc..546a0e475 100644
--- a/content/nap-waf/v4/releases/about-4.11.md
+++ b/content/nap-waf/v4/releases/about-4.11.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.11
-toc: true
weight: 120
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-000
---
diff --git a/content/nap-waf/v4/releases/about-4.12.md b/content/nap-waf/v4/releases/about-4.12.md
index 06bc805a0..9a8f86d06 100644
--- a/content/nap-waf/v4/releases/about-4.12.md
+++ b/content/nap-waf/v4/releases/about-4.12.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.12
-toc: true
weight: 110
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-000
---
diff --git a/content/nap-waf/v4/releases/about-4.13.md b/content/nap-waf/v4/releases/about-4.13.md
new file mode 100644
index 000000000..b332f4aa9
--- /dev/null
+++ b/content/nap-waf/v4/releases/about-4.13.md
@@ -0,0 +1,35 @@
+---
+title: NGINX App Protect WAF 4.13
+weight: 100
+toc: true
+type: reference
+product: NAP-WAF
+docs: DOCS-000
+---
+
+January 30th, 2025
+
+---
+
+## New features
+
+- Added support for Alpine 3.19
+- Added support for [Brute force attack preventions]({{< ref "/nap-waf/v4/configuration-guide/configuration.md#brute-force-attack-preventions" >}})
+
+---
+
+## Supported packages
+
+| Distribution name | Package file |
+|--------------------------|----------------------------------------------------|
+| Alpine 3.17 | _app-protect-33.5.264.0-r1.apk_ |
+| Alpine 3.19 | _app-protect-33.5.264.0-r1.apk_ |
+| Debian 11 | _app-protect_33+5.264.0-1\~bullseye_amd64.deb_ |
+| Debian 12 | _app-protect_33+5.264.0-1\~bookworm_amd64.deb_ |
+| Ubuntu 20.04 | _app-protect_33+5.264.0-1\~focal_amd64.deb_ |
+| Ubuntu 22.04 | _app-protect_33+5.264.0-1\~jammy_amd64.deb_ |
+| Ubuntu 24.04 | _app-protect_33+5.264.0-1\~noble_amd64.deb_ |
+| Amazon Linux 2023 | _app-protect-33+5.264.0-1.amzn2023.ngx.x86_64.rpm_ |
+| RHEL 8 and Rocky Linux 8 | _app-protect-33+5.264.0-1.el8.ngx.x86_64.rpm_ |
+| RHEL 9 | _app-protect-33+5.264.0-1.el9.ngx.x86_64.rpm_ |
+| Oracle Linux 8.1 | _app-protect-33+5.264.0-1.el8.ngx.x86_64.rpm_ |
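Review bot: the supported-packages table lists Alpine 3.17 and 3.19 but not Alpine 3.16, while the headings changed earlier in this patch read "Alpine 3.16 / Alpine 3.17 / Alpine 3.19"; either 3.16 is still shipped and needs a row here, or it is not and the headings should drop it. `docs: DOCS-000` is a placeholder ID (the same placeholder appears in the 1.2, 4.10, 4.11 and 4.12 front matter), and the date "January 30th, 2025" uses an ordinal while the 4.8.1 hunk in this patch normalizes to "March 6, 2024"; pick one date format for the release notes.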
diff --git a/content/nap-waf/v4/releases/about-4.2.md b/content/nap-waf/v4/releases/about-4.2.md
index 45c93c152..4ecb61b9e 100644
--- a/content/nap-waf/v4/releases/about-4.2.md
+++ b/content/nap-waf/v4/releases/about-4.2.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.2
-toc: true
weight: 310
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-1172
---
diff --git a/content/nap-waf/v4/releases/about-4.3.md b/content/nap-waf/v4/releases/about-4.3.md
index ea8c94bf4..52e39393e 100644
--- a/content/nap-waf/v4/releases/about-4.3.md
+++ b/content/nap-waf/v4/releases/about-4.3.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.3
-toc: true
weight: 210
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-1202
---
diff --git a/content/nap-waf/v4/releases/about-4.4.md b/content/nap-waf/v4/releases/about-4.4.md
index fc39ccb65..497d2b6db 100644
--- a/content/nap-waf/v4/releases/about-4.4.md
+++ b/content/nap-waf/v4/releases/about-4.4.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.4
-toc: true
weight: 200
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-1252
---
diff --git a/content/nap-waf/v4/releases/about-4.5.md b/content/nap-waf/v4/releases/about-4.5.md
index 5a57b5917..3807c3c5f 100644
--- a/content/nap-waf/v4/releases/about-4.5.md
+++ b/content/nap-waf/v4/releases/about-4.5.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.5
-toc: true
weight: 190
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-1253
---
diff --git a/content/nap-waf/v4/releases/about-4.6.md b/content/nap-waf/v4/releases/about-4.6.md
index 7f3f81499..2d2a80134 100644
--- a/content/nap-waf/v4/releases/about-4.6.md
+++ b/content/nap-waf/v4/releases/about-4.6.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.6
-toc: true
weight: 180
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-1347
---
diff --git a/content/nap-waf/v4/releases/about-4.7.md b/content/nap-waf/v4/releases/about-4.7.md
index 831420d94..c53a75c2f 100644
--- a/content/nap-waf/v4/releases/about-4.7.md
+++ b/content/nap-waf/v4/releases/about-4.7.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.7
-toc: true
weight: 170
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-1360
---
diff --git a/content/nap-waf/v4/releases/about-4.8.1.md b/content/nap-waf/v4/releases/about-4.8.1.md
index eb6a1ecb0..ed85394d9 100644
--- a/content/nap-waf/v4/releases/about-4.8.1.md
+++ b/content/nap-waf/v4/releases/about-4.8.1.md
@@ -1,12 +1,13 @@
---
title: NGINX App Protect WAF 4.8.1
-toc: true
weight: 150
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-1477
---
-Mar 6, 2024
-
+March 6, 2024
### Supported Packages
diff --git a/content/nap-waf/v4/releases/about-4.8.md b/content/nap-waf/v4/releases/about-4.8.md
index dab2a2258..21d8000d3 100644
--- a/content/nap-waf/v4/releases/about-4.8.md
+++ b/content/nap-waf/v4/releases/about-4.8.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.8
-toc: true
weight: 160
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-1391
---
diff --git a/content/nap-waf/v4/releases/about-4.9.md b/content/nap-waf/v4/releases/about-4.9.md
index 6e486f962..0b98850c5 100644
--- a/content/nap-waf/v4/releases/about-4.9.md
+++ b/content/nap-waf/v4/releases/about-4.9.md
@@ -1,7 +1,9 @@
---
title: NGINX App Protect WAF 4.9
-toc: true
weight: 140
+toc: true
+type: reference
+product: NAP-WAF
docs: DOCS-1478
---
diff --git a/content/nap-waf/v5/admin-guide/compiler.md b/content/nap-waf/v5/admin-guide/compiler.md
index 8a84764c1..d9694a31d 100644
--- a/content/nap-waf/v5/admin-guide/compiler.md
+++ b/content/nap-waf/v5/admin-guide/compiler.md
@@ -1,12 +1,10 @@
---
-description: This guide describes the steps to build, use, and update the F5 NGINX App
- Protect WAF v5 Compiler.
-docs: DOCS-1367
-doctypes:
-- task
title: NGINX App Protect WAF Compiler
-toc: true
weight: 500
+toc: true
+type: how-to
+product: NAP-WAF
+docs: DOCS-1367
---
## Overview
@@ -22,7 +20,7 @@ The F5 NGINX App Protect WAF v5 Compiler is a tool that compiles security polici
## Building Compiler Image
{{< important >}}
-Regularly rebuild your compiler image and recompile security policies to ensure you are using the latest security updates.
+To ensure you are using the latest security updates, it is recommended to regularly rebuild your compiler image with the latest signature packages and recompile security policies.
{{< /important >}}
1. Download Certificates
@@ -75,6 +73,7 @@ Regularly rebuild your compiler image and recompile security policies to ensure
# non-root default user (UID 101)
USER nginx
```
+{{< note >}}The user can upgrade or downgrade one of the Signatures by specifying a specific version, for example: app-protect-attack-signatures-2020.04.30.{{< /note >}}
You can use the Docker registry API to list the available image tags.
Replace `` with the location of your client key and `` with the location of your client certificate. The optional `jq` command is used to format the JSON output for easier reading and requires the [jq](https://jqlang.github.io/jq/) JSON processor to be installed.
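Review bot: the added note about upgrading or downgrading a signature package by version is detached from the thing it modifies: it sits after the Dockerfile's `USER nginx` line and before the paragraph about listing registry image tags, and it does not say where the pinned version is specified. Move it next to the package-install instruction in the Dockerfile and show the pinned form there (for example `app-protect-attack-signatures-2020.04.30` in the install line), and consider using a version from the same era as the `2023.12.11` examples used elsewhere in this patch.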
@@ -119,6 +118,12 @@ Make sure that input files are accessible to UID 101.
To compile a security policy from a JSON file and create a policy bundle, execute the following command:
+{{< warning >}}
+
+Ensure that the output directory is writable, otherwise you may encounter a permission denied error.
+
+{{< /warning >}}
+
```shell
docker run --rm \
-v $(pwd):$(pwd) \
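Review bot: the warning should say writable by UID 101, not just "writable": the sentence just above it notes that input files must be accessible to UID 101 (the non-root `nginx` user the image runs as), and an output directory that is writable only by the invoking host user is the usual cause of the permission-denied error. The warning is also inserted between "execute the following command:" and the command itself, splitting the sentence from its code block; place it before that sentence.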
@@ -182,6 +187,8 @@ docker run \
-dump -bundle $(pwd)/compiled_policy.tgz
```
+---
+
## Global Settings
The global settings allows configuration of the following items:
diff --git a/content/nap-waf/v5/admin-guide/deploy-on-docker.md b/content/nap-waf/v5/admin-guide/deploy-on-docker.md
index f5247a2ad..27de0c4cc 100644
--- a/content/nap-waf/v5/admin-guide/deploy-on-docker.md
+++ b/content/nap-waf/v5/admin-guide/deploy-on-docker.md
@@ -1,11 +1,10 @@
---
-description: This guide explains how to deploy F5 NGINX App Protect WAF v5 release using Docker Compose.
-docs: DOCS-1365
-doctypes:
-- task
title: Deploying NGINX App Protect WAF on Docker
+weight: 400
toc: true
-weight: 300
+type: how-to
+product: NAP-WAF
+docs: DOCS-1365
---
## Prerequisites
@@ -209,7 +208,7 @@ In your nginx configuration:
2. Configure the Enforcer address at the `http` context:
```nginx
- app_protect_enforcer_address waf-enforcer:50000;
+ app_protect_enforcer_address 127.0.0.1:50000;
```
3. Enable NGINX App Protect WAF on an `http/server/location` context (make sure you only enable NGINX App Protect WAF with `proxy_pass`/`grpc_pass` locations):
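Review bot: changing `app_protect_enforcer_address` from `waf-enforcer:50000` to `127.0.0.1:50000` only works when NGINX shares a network namespace with the enforcer (host networking or `network_mode: "service:..."`). In the compose file later in this same patch the enforcer is a separate service named `waf-enforcer` with `ENFORCER_PORT=50000`, where the service name is the address resolvable from the NGINX container and `127.0.0.1` refers to the NGINX container itself. If this section now documents a different layout (for example NGINX on the host with the enforcer port published), say so next to the directive; otherwise keep the service name.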
@@ -523,11 +522,11 @@ You are ready to [Build the image](#build-image-sub)
{{< include "nap-waf/setup-docker-registry.md" >}}
#### Download Waf-Enforcer and Waf-Config-mgr Images
-Pull the `waf-enforcer` and `waf-config-mgr` images. Replace `5.2.0` with the actual release version you are deploying.
+Pull the `waf-enforcer` and `waf-config-mgr` images. Replace `5.4.0` with the actual release version you are deploying.
```shell
-docker pull private-registry.nginx.com/nap/waf-enforcer:5.2.0
-docker pull private-registry.nginx.com/nap/waf-config-mgr:5.2.0
+docker pull private-registry.nginx.com/nap/waf-enforcer:5.4.0
+docker pull private-registry.nginx.com/nap/waf-config-mgr:5.4.0
```
#### Saving and Transferring Images
@@ -540,13 +539,13 @@ docker pull private-registry.nginx.com/nap/waf-config-mgr:5.2.0
2. Save the `waf-enforcer` docker image:
```shell
- docker save -o waf-enforcer.tar private-registry.nginx.com/nap/waf-enforcer:5.2.0
+ docker save -o waf-enforcer.tar private-registry.nginx.com/nap/waf-enforcer:5.4.0
```
3. Save the `waf-config-mgr` docker image:
```shell
- docker save -o waf-config-mgr.tar private-registry.nginx.com/nap/waf-config-mgr:5.2.0
+ docker save -o waf-config-mgr.tar private-registry.nginx.com/nap/waf-config-mgr:5.4.0
```
4. Transfer the tar files from the online machine to the offline/air-gapped machine:
@@ -602,7 +601,7 @@ In this guide, we have created the following files under `/conf/` directory on t
#### Docker Compose File
-Create a `docker-compose.yml` with the following configuration on the offline machine: Replace `5.2.0` with the actual release version you are deploying.
+Create a `docker-compose.yml` with the following configuration on the offline machine: Replace `5.4.0` with the actual release version you are deploying.
```yaml
services:
@@ -622,7 +621,7 @@ services:
waf-enforcer:
container_name: waf-enforcer
- image: "private-registry.nginx.com/nap/waf-enforcer:5.2.0"
+ image: "private-registry.nginx.com/nap/waf-enforcer:5.4.0"
environment:
- ENFORCER_PORT=50000
volumes:
@@ -633,7 +632,7 @@ services:
waf-config-mgr:
container_name: waf-config-mgr
- image: "private-registry.nginx.com/nap/waf-config-mgr:5.2.0"
+ image: "private-registry.nginx.com/nap/waf-config-mgr:5.4.0"
volumes:
- app_protect_bd_config:/opt/app_protect/bd_config
- app_protect_config:/opt/app_protect/config
diff --git a/content/nap-waf/v5/admin-guide/deploy-on-kubernetes.md b/content/nap-waf/v5/admin-guide/deploy-on-kubernetes.md
index ed2e5608b..096837b2e 100644
--- a/content/nap-waf/v5/admin-guide/deploy-on-kubernetes.md
+++ b/content/nap-waf/v5/admin-guide/deploy-on-kubernetes.md
@@ -1,12 +1,10 @@
---
-description: This guide explains how to deploy F5 NGINX App Protect WAF v5 release in
- a Kubernetes environment.
-docs: DOCS-1366
-doctypes:
-- task
title: Deploying NGINX App Protect WAF on Kubernetes
+weight: 300
toc: true
-weight: 400
+type: how-to
+product: NAP-WAF
+docs: DOCS-1366
---
## Prerequisites
diff --git a/content/nap-waf/v5/admin-guide/install.md b/content/nap-waf/v5/admin-guide/install.md
index 276723034..d7d2315ce 100644
--- a/content/nap-waf/v5/admin-guide/install.md
+++ b/content/nap-waf/v5/admin-guide/install.md
@@ -1,6 +1,9 @@
---
title: Installing NGINX App Protect WAF
+weight: 200
toc: true
+type: how-to
+product: NAP-WAF
docs: DOCS-1363
---
@@ -32,17 +35,15 @@ If not already installed, `nginx` or `nginx-plus` will be installed automaticall
### Common Steps for NGINX Open Source and NGINX Plus
Please follow these steps before you install either NGINX Open Source or NGINX Plus.
+
{{}}
-{{%tab name="Alpine Linux 3.16"%}}
-
-{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-alpine" >}}
-{{%/tab%}}
-{{%tab name="Alpine Linux 3.17"%}}
+{{%tab name="Alpine Linux 3.16/3.17/3.19"%}}
{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-alpine" >}}
{{%/tab%}}
+
{{%tab name="Amazon Linux 2"%}}
1. Create the `/etc/ssl/nginx` directory:
@@ -126,19 +127,10 @@ Please follow these steps before you install either NGINX Open Source or NGINX P
{{}}
### For NGINX Open Source
-{{}}
-{{%tab name="Alpine Linux 3.16"%}}
-{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-alpine.md" >}}
-
-3. Install the NGINX App Protect WAF v5 package:
+{{}}
- ```shell
- sudo apk add app-protect-module-oss
- ```
-
-{{%/tab%}}
-{{%tab name="Alpine Linux 3.17"%}}
+{{%tab name="Alpine Linux 3.16/3.17/3.19"%}}
{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-alpine.md" >}}
@@ -149,6 +141,7 @@ Please follow these steps before you install either NGINX Open Source or NGINX P
```
{{%/tab%}}
+
{{%tab name="Amazon Linux 2"%}}
1. Create the file named `/etc/yum.repos.d/nginx.repo` with the following contents:
@@ -309,18 +302,8 @@ Please follow these steps before you install either NGINX Open Source or NGINX P
### For NGINX Plus
{{}}
-{{%tab name="Alpine Linux 3.16"%}}
-
-{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-alpine.md" >}}
-3. Install the NGINX App Protect WAF v5 package:
-
- ```shell
- sudo apk add app-protect-module-plus
- ```
-
-{{%/tab%}}
-{{%tab name="Alpine Linux 3.17"%}}
+{{%tab name="Alpine Linux 3.16/3.17/3.19"%}}
{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-alpine.md" >}}
@@ -331,6 +314,7 @@ Please follow these steps before you install either NGINX Open Source or NGINX P
```
{{%/tab%}}
+
{{%tab name="Amazon Linux 2"%}}
1. Download the NGINX Plus repository file [nginx-plus-amazon2.repo](https://cs.nginx.com/static/files/nginx-plus-amazon2.repo) to `/etc/yum.repos.d`:
@@ -623,18 +607,17 @@ If not already installed, `nginx` or `nginx-plus` will be installed automaticall
{{< /note >}}
### Common Steps for NGINX Open Source and NGINX Plus
+
Please follow these steps before you install either NGINX Open Source or NGINX Plus.
+
{{}}
-{{%tab name="Alpine Linux 3.16"%}}
-
-{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-alpine" >}}
-{{%/tab%}}
-{{%tab name="Alpine Linux 3.17"%}}
+{{%tab name="Alpine Linux 3.16/3.17/3.19"%}}
{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-alpine" >}}
{{%/tab%}}
+
{{%tab name="Amazon Linux 2023"%}}
{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-amzn2023.md" >}}
@@ -683,7 +666,9 @@ Please follow these steps before you install either NGINX Open Source or NGINX P
{{}}
### For NGINX Open Source
+
{{}}
+
{{%tab name="Alpine Linux 3.16"%}}
{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-alpine.md" >}}
@@ -697,6 +682,7 @@ Please follow these steps before you install either NGINX Open Source or NGINX P
```
{{%/tab%}}
+
{{%tab name="Alpine Linux 3.17"%}}
{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-alpine.md" >}}
@@ -710,6 +696,21 @@ Please follow these steps before you install either NGINX Open Source or NGINX P
```
{{%/tab%}}
+
+{{%tab name="Alpine Linux 3.19"%}}
+
+{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-alpine.md" >}}
+
+3. Download all NGINX Open Source packages, including all dependencies:
+
+ ```shell
+ sudo mkdir /etc/packages/
+ sudo apk update
+ sudo apk fetch --recursive --output /etc/packages app-protect-module-oss
+ ```
+
+{{%/tab%}}
+
{{%tab name="Amazon Linux 2"%}}
1. Create the file named `/etc/yum.repos.d/nginx.repo` with the following contents:
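Review bot: this section keeps three separate Alpine tabs (3.16, 3.17, and the new 3.19) whose bodies are the same include followed by the same `apk fetch` step, while every other section in this file collapses them into a single "Alpine Linux 3.16/3.17/3.19" tab. Merge these as well so the offline-package instructions exist once rather than as three copies that can drift apart. Minor: `sudo mkdir /etc/packages/` fails if the directory already exists, so `sudo mkdir -p /etc/packages/` is safer for a copy-and-paste step.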
@@ -895,21 +896,10 @@ Please follow these steps before you install either NGINX Open Source or NGINX P
{{}}
### For NGINX Plus
-{{}}
-{{%tab name="Alpine Linux 3.16"%}}
-{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-alpine.md" >}}
+{{}}
-3. Download all NGINX Plus packages, including all dependencies:
-
- ```shell
- sudo mkdir /etc/packages/
- sudo apk update
- sudo apk fetch --recursive --output /etc/packages app-protect-module-plus
- ```
-
-{{%/tab%}}
-{{%tab name="Alpine Linux 3.17"%}}
+{{%tab name="Alpine Linux 3.16/3.17/3.19"%}}
{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-alpine.md" >}}
@@ -922,6 +912,7 @@ Please follow these steps before you install either NGINX Open Source or NGINX P
```
{{%/tab%}}
+
{{%tab name="Amazon Linux 2023"%}}
{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-amzn2023.md" >}}
@@ -1260,25 +1251,10 @@ sudo docker compose stop
```
### Uninstall the NGINX App Protect WAF v5 Package
-{{}}
-{{%tab name="Alpine Linux 3.16"%}}
-
-For NGINX Open Source
-Uninstall the NGINX App Protect WAF v5 package:
-
-```shell
-sudo apk del app-protect-module-oss
-```
-
-For NGINX Plus
-Uninstall the NGINX App Protect WAF v5 package:
-```shell
-sudo apk del app-protect-module-plus
-```
+{{}}
-{{%/tab%}}
-{{%tab name="Alpine Linux 3.17"%}}
+{{%tab name="Alpine Linux 3.16/3.17/3.19"%}}
For NGINX Open Source
Uninstall the NGINX App Protect WAF v5 package:
@@ -1295,6 +1271,7 @@ sudo apk del app-protect-module-plus
```
{{%/tab%}}
+
{{%tab name="Amazon Linux 2"%}}
For NGINX Open Source
diff --git a/content/nap-waf/v5/admin-guide/overview.md b/content/nap-waf/v5/admin-guide/overview.md
index 91a719638..b656d2872 100644
--- a/content/nap-waf/v5/admin-guide/overview.md
+++ b/content/nap-waf/v5/admin-guide/overview.md
@@ -1,11 +1,10 @@
---
-description: This guide explains how to deploy F5 NGINX App Protect WAF v5.
-docs: DOCS-1362
-doctypes:
-- task
title: NGINX App Protect WAF Administration Guide
-toc: true
weight: 100
+toc: true
+type: how-to
+product: NAP-WAF
+docs: DOCS-1362
---
## Introduction
@@ -35,7 +34,7 @@ NGINX App Protect WAF v5 supports the following operating systems:
| Distribution | Version |
| ------------ | ------------------- |
-| Alpine | 3.17 |
+| Alpine | 3.17, 3.19 |
| Debian | 11, 12 |
| Ubuntu | 20.04, 22.04, 24.04 |
| Amazon Linux | 2023 |
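Review bot: the supported-OS table now lists Alpine "3.17, 3.19", but the install-page tabs in this same change are named "Alpine Linux 3.16/3.17/3.19". Either add 3.16 to this row or drop it from the tab names so the admin guide and the install page agree on whether Alpine 3.16 is supported.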
@@ -63,7 +62,11 @@ NGINX App Protect WAF v5 supports a range of deployment scenarios to meet variou
NGINX App Protect WAF v5 enhances deployment speed through the pre-compilation of security policies and logging profiles into bundle files.
-Use the [NGINX App Protect WAF Compiler]({{< relref "/nap-waf/v5/admin-guide/compiler.md" >}}) to transform security policies and logging profiles from JSON format into a consumable bundle files.
+Use the [NGINX App Protect WAF Compiler]({{< ref "/nap-waf/v5/admin-guide/compiler.md" >}}) to transform security policies and logging profiles from JSON format into a consumable bundle files.
+
+For signature updates, read the [Update App Protect Signatures]({{< ref "/nap-waf/v5/admin-guide/compiler.md#update-app-protect-signatures" >}}) section of the compiler documentation.
+
+---
## Transitioning from NGINX App Protect WAF v4 to v5
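Review bot: "into a consumable bundle files" on the rewritten Compiler line is ungrammatical; since the line is already being changed from `relref` to `ref`, change it to "into consumable bundle files" at the same time. The `relref` to `ref` switch is also applied only in this file, while upgrade-nap-waf.md and configuration.md in the same change keep `relref`; if moving to `ref` is deliberate, apply it consistently or say why this file differs.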
@@ -98,6 +101,7 @@ We recommend that you deploy the NGINX App Protect WAF v5 in a staging environme
1. Restart the deployment if it has already been initiated. Additionally, restart NGINX if utilizing the VM + containers deployment type. After the migrations, check that the NGINX process is running in the NGINX error log and there are no issues.
+---
## Troubleshooting and FAQs
diff --git a/content/nap-waf/v5/admin-guide/upgrade-nap-waf.md b/content/nap-waf/v5/admin-guide/upgrade-nap-waf.md
index 31413667d..ea6124970 100644
--- a/content/nap-waf/v5/admin-guide/upgrade-nap-waf.md
+++ b/content/nap-waf/v5/admin-guide/upgrade-nap-waf.md
@@ -1,17 +1,19 @@
---
-title: "Upgrade NGINX App Protect WAF on Managed Instances"
-description: "How to Upgrade F5 NGINX App Protect WAF on managed NGINX instances"
+title: Upgrade NGINX App Protect WAF on Managed Instances
weight: 600
toc: true
-tags: [ "NGINX Management Suite" ]
-docs: "DOCS-1640"
+type: how-to
+product: NAP-WAF
+docs: DOCS-1640
---
## Overview
Learn how to upgrade F5 NGINX App Protect WAF on your managed NGINX instances using NGINX Instance Manager. This guide covers the steps to update both the NGINX Management Suite server and NGINX App Protect on the data plane, ensuring your security policies and configurations are up-to-date.
-Before starting, confirm that your data plane has the latest NGINX Agent compatible with NGINX App Protect. Also, verify that your NGINX Management Suite server has the [WAF compiler installed]({{< relref "/nim/nginx-app-protect/setup-waf-config-management.md#install-the-waf-compiler" >}}). If you're updating the WAF compiler, simply upload the NGINX App Protect WAF certificate and key to NGINX Management Suite following the instructions to [Automatically Download and Install New WAF Compiler]({{< relref "/nim/nginx-app-protect/setup-waf-config-management.md#automatically-download-and-install-new-waf-compiler" >}}).
+Before starting, confirm that your data plane has the latest NGINX Agent compatible with NGINX App Protect. Also, verify that your NGINX Management Suite server has the [WAF compiler installed]({{< relref "/nim/nginx-app-protect/setup-waf-config-management.md#install-the-waf-compiler" >}}). If you're updating the WAF compiler, simply upload the NGINX App Protect WAF certificate and key to NGINX Management Suite following the instructions to [Automatically Download and Install New WAF Compiler]({{< relref "/nim/nginx-app-protect/setup-waf-config-management.md#automatically-download-and-install-new-waf-compiler" >}}). The compiler version may not be greater than the enforcer one.
+
+if you're updating the WAF enforcer, make sure that its major version is the same as of the WAF compiler and the minor version is greater than the compiler's.
## Upgrade WAF Compiler on NGINX Management Suite
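Review bot: the two added sentences contradict each other on the compiler/enforcer version rule. "The compiler version may not be greater than the enforcer one" allows equal versions, while the next sentence requires the enforcer's minor version to be strictly "greater than the compiler's". If equal minor versions are supported (the normal state right after a coordinated upgrade), write "greater than or equal to the compiler's". Also capitalize "If" at the start of the second sentence and change "the same as of the WAF compiler" to "the same as the WAF compiler's".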
diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md
index 472b547a8..09463695b 100644
--- a/content/nap-waf/v5/configuration-guide/configuration.md
+++ b/content/nap-waf/v5/configuration-guide/configuration.md
@@ -37,6 +37,7 @@ For more information on the NGINX App Protect WAF security features, see [NGINX
|[XFF headers & trust](#xff-headers-and-trust) | Disabled by default. User can enable it and optionally add a list of custom XFF headers. |
|[gRPC Protection](#grpc-protection-for-unary-traffic) | gRPC content profile detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection can be on [unary](#grpc-protection-for-unary-traffic) or [bidirectional](#grpc-protection-for-bidirectional-streaming) traffic.|
|[Secure Traffic Between NGINX and App Protect Enforcer using mTLS](#secure-traffic-between-nginx-and-app-protect-enforcer-using-mtls) | Disabled by default. You can manually configure mTLS to secure the traffic between NGINX and App Protect Enforcer.|
+|[Brute Force Attack Preventions](#brute-force-attack-preventions) | Configure brute-force-attack-preventions parameters to secured areas of a web application from brute force attacks.|
### Disallowed File Types
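Review bot: the new table row "Configure brute-force-attack-preventions parameters to secured areas of a web application from brute force attacks" is missing a verb; "to protect secured areas of a web application from brute force attacks" matches the wording of the section added further down in this file.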
@@ -788,6 +789,55 @@ To enable mTLS in NGINX, you need to perform the following steps:
Refer to the example for mTLS deployment in the admin guide, whether you're using [Docker]({{< relref "/nap-waf/v5/admin-guide/deploy-on-docker.md#docker-compose-file-with-mtls" >}}) or [Kubernetes]({{< relref "/nap-waf/v5/admin-guide/deploy-on-kubernetes.md#mtls-deployment" >}}).
+## Brute Force Attack Preventions
+
+Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive,
+systematic, username/password combinations to discover legitimate authentication credentials.
+To prevent brute force attacks, WAF tracks the number of failed attempts to reach login pages
+with enforced brute force protection. When brute force patterns are detected,
+the WAF policy considers it to be an attack if the failed logon rate increased significantly or
+if failed logins reached a maximum threshold.
+
+### Brute force policy example
+
+```json
+{
+ "policy": {
+ "name": "BruteForcePolicy",
+ "template": {
+ "name": "POLICY_TEMPLATE_NGINX_BASE"
+ },
+ "applicationLanguage": "utf-8",
+ "enforcementMode": "blocking",
+ "brute-force-attack-preventions" : [
+ {
+ "bruteForceProtectionForAllLoginPages" : true,
+ "detectionCriteria" : {
+ "action" : "alarm",
+ "detectDistributedBruteForceAttack" : true,
+ "failedLoginAttemptsRateReached" : 100
+ },
+ "loginAttemptsFromTheSameIp" : {
+ "action" : "alarm",
+ "enabled" : true,
+ "threshold" : 20
+ },
+ "loginAttemptsFromTheSameUser" : {
+ "action" : "alarm",
+ "enabled" : true,
+ "threshold" : 3
+ },
+ "measurementPeriod" : 900,
+ "preventionDuration" : "3600",
+ "reEnableLoginAfter" : 3600,
+ "sourceBasedProtectionDetectionPeriod" : 3600
+ }
+ ]
+ }
+}
+
+```
+
## Custom Dimensions Log Entries
### Overview
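Review bot: the example policy is shown without any explanation of what it enforces, so add a sentence after the fence that says how the thresholds (`loginAttemptsFromTheSameIp` 20, `loginAttemptsFromTheSameUser` 3, `failedLoginAttemptsRateReached` 100) relate to `measurementPeriod`, and what `preventionDuration`, `reEnableLoginAfter` and `sourceBasedProtectionDetectionPeriod` control once an attack is detected. Two smaller points: `"preventionDuration" : "3600"` is the only numeric value given as a string while the neighbouring fields are bare numbers, so confirm the schema expects a string there or make it consistent; and "break in to" in the first paragraph should be "break into". The stray blank line before the closing fence can also be removed.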
@@ -858,7 +908,6 @@ To enable mTLS in NGINX, you need to perform the following steps:
This table summarizes the nginx.conf directives for NGINX App Protect WAF functionality.
-{{}}
|Directive Name | Syntax | Functionality | nginx.conf Contexts | Example |
| ---| ---| ---| ---| --- |
|load_module | load_module | NGINX directive to load the App Protect module. It must be invoked with the App Protect library path | Global | load_module modules/ngx_http_app_protect_module.so |
@@ -868,7 +917,6 @@ This table summarizes the nginx.conf directives for NGINX App Protect WAF functi
|app_protect_security_log_enable | app_protect_security_log_enable on | off | Whether to enable the App Protect per-request log at the respective context. | HTTP, Server, Location | app_protect_security_log_enable on |
|app_protect_security_log | app_protect_security_log | Specifies the per-request logging: what to log and where | HTTP, Server, Location | app_protect_security_log /config/waf/log_illegal.tgz syslog:localhost:522 |
|app_protect_custom_log_attribute | app_protect_custom_log_attribute | Specifies the assigned location/server/http dimension of each request. | HTTP, Server, Location | app_protect_custom_log_attribute ‘environment' 'env1' |
-{{}}
#### Failure Mode
@@ -931,7 +979,11 @@ In the cases where decompression fails, NGINX App Protect WAF will continue wit
---
-## Policy Converter
+## Converter tools
+
+NGINX App Protect WAF includes a number of tools that can be used to facilitate the process of porting existing resources or configuration files from the BIG-IP for use in the NGINX App Protect WAF environment. Note that these tools are available in the compiler package, and do not require a full installation of NGINX App Protect WAF or NGINX Plus.
+
+### Policy Converter
The NGINX App Protect WAF v5 Policy Converter tool `/opt/app_protect/bin/convert-policy` is used to convert XML policies to JSON format. The converted JSON policy is based on the NGINX App Protect WAF policy base template and contains the minimal differences to it in JSON declarative policy format.
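Review bot: "## Converter tools" breaks the Title Case used by the surrounding headings ("### Policy Converter", "## Custom Dimensions Log Entries", "### User Defined Signatures Converter"); use "## Converter Tools".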
@@ -943,7 +995,7 @@ Using the tool:
/opt/app_protect/bin/convert-policy
```
-### Convert Policy using Command Line Interface (CLI Usage)
+#### Convert Policy using Command Line Interface (CLI Usage)
The input policy can also be converted using convert-policy as a CLI tool from within NGINX App Protect WAF Converter container by using the following commands:
@@ -957,7 +1009,7 @@ docker run -it --rm \
--full-export
```
-### Command Line Options
+#### Command Line Options
{{}}
|Field Name | Notes |
@@ -969,6 +1021,173 @@ docker run -it --rm \
| --dos-profile | Filename of JSON DoS Profile (pre-converted to JSON from tmsh syntax) |
| --full-export | If specified, the full policy with all entities will be exported. Otherwise, only entities that differ from the template will be included.
Default for the CLI is not specific (only differing entities).
Default for the REST endpoint above is "--full-export" (you can not override this).|{{}}
+### User Defined Signatures Converter
+
+The User Defined Signatures Converter tool `/opt/app_protect/bin/convert-signatures` takes a User Defined Signatures XML file as input and exports the content as a JSON file suitable for use in an NGINX App Protect WAF environment.
+
+The tool can optionally accept a tag argument as an input. Otherwise, the default tag value `user-defined-signatures` is assigned to the exported JSON file.
+
+Note that the User Defined signatures XML file can be obtained by exporting the signatures from a BIG-IP device.
+
+Using the tool:
+```shell
+/opt/app_protect/bin/convert-signatures
+```
+
+Output:
+```shell
+USAGE:
+ /opt/app_protect/bin/convert-signatures
+
+Required arguments:
+ --outfile|o='/path/to/signatures.json'
+ File name to write JSON format export
+ Can also be set via an environment variable: EXPORT_FILE
+ --infile|i='/path/to/signatures.xml'
+ Advanced WAF/ASM User Defined Signatures file to Convert
+ Can also be set via an environment variable: IMPORT_FILE
+
+Optional arguments:
+ --tag|t='mytag'
+ Signature Tag to associate with User Defined Signatures.
+ If no tag is specified in the XML file, a default tag of 'user-defined-signatures' will be assigned.
+ Can also be set via an environment variable: TAG
+ --format|f='json'
+ Desired output format for signature file. Default 'json'
+ Supported formats: 'json'
+
+Optionally, using --help will issue this help message.
+```
+
+Example of generating a user defined signature JSON file (with default tag):
+```shell
+docker run -v `pwd`:`pwd` -w `pwd` --entrypoint /opt/app_protect/bin/convert-signatures docker_img:latest -i /path/to/signatures.xml -o /path/to/signatures.json | jq
+```
+
+Output:
+```json
+{
+ "filename": "/path/to/signatures.json",
+ "file_size": 1602,
+ "completed_successfully": true
+}
+```
+
+Example of the contents of the output file (displayed and piped into `jq`):
+```json
+{
+ "tag": "user-defined-signatures",
+ "signatures": [
+ {
+ "accuracy": "high",
+ "risk": "high",
+ "systems": [],
+ "rule": "content:\"header1\"; nocase;",
+ "description": "",
+ "signatureType": "request",
+ "signatureId": "300000000",
+ "revision": "1",
+ "lastUpdateMicros": 1731425468000000,
+ "name": "sig_1_header",
+ "attackType": {
+ "name": "Abuse of Functionality"
+ }
+ },
+ {
+ "signatureId": "300000002",
+ "signatureType": "request",
+ "attackType": {
+ "name": "Cross Site Scripting (XSS)"
+ },
+ "name": "sig_3_uri",
+ "lastUpdateMicros": 1731425631000000,
+ "revision": "1",
+ "risk": "high",
+ "accuracy": "high",
+ "description": "",
+ "rule": "uricontent:\"
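Review bot: the docker example mounts only the current directory (the `-v` and `-w` flags both use the shell's `pwd`) yet passes `/path/to/signatures.xml` and `/path/to/signatures.json`, which resolve inside the container only if they happen to live under that directory; use paths relative to the mounted directory (for example `-i signatures.xml -o signatures.json`) or mount the directory that holds the files. `docker_img:latest` should also be identified as the converter/compiler image this guide builds earlier rather than left as an unexplained name, and "User Defined signatures XML file" should match the capitalization used elsewhere in the section ("User Defined Signatures").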