NGINX Documentation

Releases

Release 1.3.0

21 July 2020

Supported Packages

App Protect

Debian
  • app-protect_22+3.90.2-1~stretch_amd64.deb
CentOS
  • app-protect-22+3.90.2-1.el7.ngx.x86_64.rpm

Known Issues

Resolved Issues

  • 1758 Fixed - Non-CSV-compliant escaping of quotes as %22 in default security log fields.
  • 1774 Added - Default security log settings file /etc/app_protect/conf/log_default.json.
  • 1784 Added - “Unescaped space in URL” sub-violation.
  • 1785 Fixed - LIBDATASYNC|ERR messages in bd-socket-plugin.log.
  • 1811 Fixed - Empty non-CSV-compliant ‘is_truncated’ field in default security log settings.

Release 1.2.0

30 June 2020

Supported Packages

App Protect

Debian
  • app-protect_22+3.74.0-1~stretch_amd64.deb
CentOS
  • app-protect-22+3.74.0-1.el7.ngx.x86_64.rpm

Resolved Issues

  • 1455 Fixed - Data Guard masking policy resulted in core for large responses over 100MB.
  • 1487 Fixed - HTTP compliance sub-violation “Chunked request with Content-Length” was not enabled.
  • 1520 Fixed - Data Guard masking policy didn’t mask CCN/SSN found at the end of responses over 32KB.
  • 1575 Added - Any request containing a value other than “identity” in a Content-Encoding Header will be dropped/passed according to the new directive: app_protect_compressed_requests_action. Such requests will be dropped by default if the directive is not set.
  • 1576 Fixed - Signature matched on wrong context.
  • 1580 Fixed - Crash during fail mode.
  • 1742 Fixed - Documentation did not reflect the correct HTTP compliance sub-violations.

Release 1.1.0

9 June 2020

In this release support for App Protect is added to NGINX Plus R22. There are no new App Protect features in this release.

Supported Packages

App Protect

Debian
  • app-protect_22+2.52.5-1~stretch_amd64.deb
CentOS
  • app-protect-22+2.52.5-1.el7.ngx.x86_64.rpm

Resolved Issue

1438 - Attack signature update on Debian

Release 1.0.0

19 May 2020

Security Features

  • OWASP Top 10 based attack signatures & CVEs
  • Metacharacter checking
  • HTTP protocol compliance
  • Evasion techniques
  • Disallowed file types (bin, cgi, cmd, com, dll, exe, msi, sys, shtm, shtml, stm & more)
  • Enforcement based on risk score (Violation Rating)
  • Cookie integrity check
  • JSON & XML well-formedness
  • Sensitive parameters & Data Guard
  • gRPC protocol support

OS Distribution

  • CentOS 7.4+ (64bit)
  • Debian 9 (64bit)

Supported Versions

NGINX Plus R19 and later

Supported Packages

App Protect

Debian
  • app-protect_19+2.52.1-1~stretch_amd64.deb
  • app-protect_20+2.52.1-1~stretch_amd64.deb
  • app-protect_21+2.52.1-1~stretch_amd64.deb
CentOS
  • app-protect-19+2.52.1-1.el7.ngx.x86_64.rpm
  • app-protect-20+2.52.1-1.el7.ngx.x86_64.rpm
  • app-protect-21+2.52.1-1.el7.ngx.x86_64.rpm

Attack Signatures

Debian
  • from app-protect-attack-signatures_2019.07.16-1~stretch_amd64.deb (original installed, to allow downgrade)
CentOS
  • from app-protect-attack-signatures-2019.07.16-1.el7.ngx.x86_64.rpm (original installed, to allow downgrade)

Known Issues

1341 - Syslog Clock

The time stamps in the NGINX and App Protect log messages are presented in the local time zone of your machine. If you would like to see this in a different time zone, for example UTC, you must change the local time zone. On most systems this can be done using the command:

sudo datetimectl set-timezone Etc/UTC

For other options to change the timezone see your system manual.

1438 - Attack signature update on Debian

After an attack signature update on Debian, the operational log shows the wrong version. “version”:”%{version}”

General - proxy_pass buffering

The proxy_pass directive must always be used. proxy_request_buffering off is not supported.