NGINX App Protect WAF Release 1.0
May 19, 2020
Security Features
- OWASP Top 10 based attack signatures & CVEs
- Metacharacter checking
- HTTP protocol compliance
- Evasion techniques
- Disallowed file types (bin, cgi, cmd, com, dll, exe, msi, sys, shtm, shtml, stm & more)
- Enforcement based on risk score (Violation Rating)
- Cookie integrity check
- JSON & XML well-formedness
- Sensitive parameters & Data Guard
- gRPC protocol support
OS Distribution
- CentOS 7.4+ (64bit)
- Debian 9 (64bit)
Supported Versions
NGINX Plus R19 and later
Supported Packages
App Protect
Debian
- app-protect_19+2.52.1-1~stretch_amd64.deb
- app-protect_20+2.52.1-1~stretch_amd64.deb
- app-protect_21+2.52.1-1~stretch_amd64.deb
CentOS
- app-protect-19+2.52.1-1.el7.ngx.x86_64.rpm
- app-protect-20+2.52.1-1.el7.ngx.x86_64.rpm
- app-protect-21+2.52.1-1.el7.ngx.x86_64.rpm
Attack Signatures
Debian
- from app-protect-attack-signatures_2019.07.16-1~stretch_amd64.deb (original installed, to allow downgrade)
CentOS
- from app-protect-attack-signatures-2019.07.16-1.el7.ngx.x86_64.rpm (original installed, to allow downgrade)
Known Issues
1341 - Syslog Clock
The time stamps in the NGINX and NGINX App Protect WAF log messages are presented in the local time zone of your machine. If you would like to see this in a different time zone, for example UTC, you must change the local time zone. On most systems this can be done using the command:
sudo datetimectl set-timezone Etc/UTC
For other options to change the timezone see your system manual.
General - proxy_pass buffering
The proxy_pass directive must always be used.
proxy_request_buffering off is not supported.