NGINX App Protect WAF Release 4.7

December 19, 2023

In this release, NGINX App Protect WAF supports NGINX Plus R31.

New Features

Supported Packages

App Protect

Alpine 3.16
  • app-protect-31.4.641.0-r1.apk
Alpine 3.17
  • app-protect-31.4.641.0-r1.apk
CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2
  • app-protect-31+4.641.0-1.el7.ngx.x86_64.rpm
Debian 11
  • app-protect_31+4.641.0-1~bullseye_amd64.deb
Oracle Linux 8.1+
  • app-protect-31+4.641.0-1.el8.ngx.x86_64.rpm
RHEL 8.1+
  • app-protect-31+4.641.0-1.el8.ngx.x86_64.rpm
  • app-protect-31+4.641.0-1.el9.ngx.x86_64.rpm
Ubuntu 20.04
  • app-protect_31+4.641.0-1~focal_amd64.deb
Ubuntu 22.04
  • app-protect_31+4.641.0-1~jammy_amd64.deb


  • NGINX Plus R31

Resolved Issues

  • 9065 Fixed - Increasing the limit for “max_request_size” in log configuration from 2k to 10k. The default will change from “any” to 2k to maintain the old behaviour.
  • 9297 Fixed - Add new limit from responseCheckLength to response ingress event handling in order to reduce the memory used for buffering.


  • 9992 - There is a limitation on Edwards-curve Digital Signature Algorithm (EdDSA) protocol on CentOS 7 as the Enforcer does not support this protocol on this Operating System (OS). When a JSON Web Token (JWT) signed with EdDSA is used on CentOS 7, it results in a VIOL_ACCESS_INVALID error.

Important Notes

  • Starting with this release, the bot signatures list is generated automatically as a part of the app-protect-bot-signatures package, which is a dependency of the app-protect-compiler package. It resembles a format similar to the README-style text file found in the attack signature. Refer to the Bot Signatures Update File for more details.

  • Starting with the next release version of NGINX App Protect WAF, the existing bot signatures file included_bot_signatures which is located at the following path: /opt/app-protect/var/update_files/included_bot_signatures will be removed from the app-protect-compile package.