Releases

Release 3.5

September 6th, 2021

Supported Packages

App Protect

Debian 10

• app-protect_24+3.639.0-1~buster_amd64.deb

Ubuntu 18.04

• app-protect_24+3.639.0-1~bionic_amd64.deb

Ubuntu 20.04

• app-protect_24+3.639.0-1~focal_amd64.deb

Alpine 3.10

• app-protect-24.3.639.0-r1.apk

CentOS / RHEL / Amazon Linux 2

• app-protect-24+3.639.0-1.el7.ngx.x86_64.rpm

Resolved Issues

• 4494 Added - New timeout directive which allows the user to configure the period of time between reconnect retries of the module to the web application firewall (WAF) engine.
• 4454 Fixed - Workers disconnected prematurely on reload when there is a lot of traffic.
• 4317 Fixed - Connection errors on more than 16 workers on multiple reloads.
• 4526 Fixed - Maximum policy size limit of 1MB in NGINX App Protect. Limit was removed.
• 4519 Fixed - OpenAPI based policies that contains identically named path parameters with different configurations for different locations do not correctly enforce the specific validations for each unique location.
• 4560 Fixed - After a policy with a manual type signature set has been applied, changes to that signature set, or any same-named set in another policy, were not recognized.
• 4565 Fixed - Under certain conditions, NGINX App Protect may crash while processing HTML traffic. Fixed CVE-2021-23050.
• 4566 Fixed - When processing certain traffic, NGINX App Protect attack signatures may not match as intended. Fixed K30150004.
• 4584 Fixed - When no NGINX App Protect configuration has changed on a device, but the hostname of the device has changed, NGINX App Protect failed to start.

Important Notes

This version introduces the removal of the bd_agent process. This process is no longer required starting with NGINX App Protect version 3.5. The removal of bd_agent reduces the memory usage of NGINX App Protect by ~100 MB. The bd_agent executable is still available on the system, but will not consume any CPU resources if it is run. Existing orchestration systems that include this process will continue to work as expected.

Release 3.4

August 10, 2021

New Features

• Improved startup times of NGINX App Protect policy compiler when the configuration has not been changed.

Supported Packages

App Protect

Debian 10

• app-protect_24+3.612.0-1~buster_amd64.deb

Ubuntu 18.04

• app-protect_24+3.612.0-1~bionic_amd64.deb

Ubuntu 20.04

• app-protect_24+3.612.0-1~focal_amd64.deb

Alpine 3.10

• app-protect-24.3.612.0-r1.apk

CentOS / RHEL / Amazon Linux 2

• app-protect-24+3.612.0-1.el7.ngx.x86_64.rpm

Resolved Issues

• 4444 Fixed - Enforcer partially wrote config on startup.
• 4442 Fixed - Enforcer crash when using cookies that are over 2.6 Kb.
• 4397 Fixed - Convert-policy with --full-export is not suppressing all warnings.
• 4332 Fixed - Null character prefix and suffix in the Security log.
• 4407 Fixed - Empty signature names in the Security log.
• 4347 Fixed - Added python3 dependency for NGINX App Protect.

Release 3.3

July 7, 2021

New Features

• Amazon Linux 2 LTS Support
• Base64 auto-detection applies on JSON content type
• Full security policy export includes the policy base template
• FQDNs are now permitted in syslog destinations

Supported Packages

App Protect

Debian 10

• app-protect_24+3.583.0-1~buster_amd64.deb

Ubuntu 18.04

• app-protect_24+3.583.0-1~bionic_amd64.deb

Ubuntu 20.04

• app-protect_24+3.583.0-1~focal_amd64.deb

Alpine 3.10

• app-protect-24.3.583.0-r1.apk

CentOS / RHEL

• app-protect-24+3.583.0-1.el7.ngx.x86_64.rpm

Amazon Linux 2

• app-protect-24+3.583.0-1.el7.ngx.x86_64.rpm

Resolved Issues

• 4214 Fixed - Cookie false positives blocked requests and false reporting
• 4226 Fixed - Error in parsing OpenAPI file
• 4318 Fixed - Incorrect Export for convert-policy - gwt-content-profiles are not exported in NGINX App Protect policy converter anymore.

Known Issues

4347 - Missing dependency of python3 for Alpine Linux

• Workaround - run apk add python3 before installing NGINX App Protect on Alpine Linux

Release 3.2

April 28, 2021

New Features

In this release support for App Protect is added to NGINX Plus R24, for which Debian 9 support has been deprecated.

• Multiple Security Logs Support
• Default Policy Location Update
• Tighten Default Enforcer Cookie Settings

Supported Packages

App Protect

Debian 10

• app-protect_24+3.512.0-1~buster_amd64.deb

Ubuntu 18.04

• app-protect_24+3.512.0-1~bionic_amd64.deb

Ubuntu 20.04

• app-protect_24+3.512.0-1~focal_amd64.deb

Alpine 3.10

• app-protect-24.3.512.0-r1.apk

CentOS / RHEL

• app-protect-24+3.512.0-1.el7.ngx.x86_64.rpm

Resolved Issues

• 3586 Fixed - Incorrect base64 cookie value in security log
• 3705 Fixed - SELinux alerts on reload
• 3706 Fixed - Reload failure as a result of a file descriptor leak
• 3708 Fixed - JSON characters in log format failure
• 3709 Fixed - Spaces in JSON values are disallowed
• 3710 Added - Allow http-protocols High ASCII characters in headers to be configurable

Release 3.1

March 31, 2021

New Features

• User-Defined Browser Control
• CSRF Protection Using Origin Validation
• Clickjacking Protection
• Log Rotate
• Enforcer Cookie Settings
• Ubuntu 20.04 Support

Supported Packages

App Protect

Debian 9

• app-protect_23+3.462.0-1~stretch_amd64.deb

Debian 10

• app-protect_23+3.462.0-1~buster_amd64.deb

Ubuntu 18.04

• app-protect_23+3.462.0-1~bionic_amd64.deb

Ubuntu 20.04

• app-protect_23+3.462.0-1~focal_amd64.deb

Alpine 3.10

• app-protect-23.3.462.0-r1.apk

CentOS / RHEL

• app-protect-23+3.462.0-1.el7.ngx.x86_64.rpm

Resolved Issues

• 3157 Fixed - Header settings case sensitivity issue
• 3259 Fixed - Disallow multiple cookie headers in request
• 3351 Fixed - Date-Time and Date formatted parameters in OpenAPI accept malformed values
• 3353 Fixed - ExclusiveMinimum in OpenAPI not enforced
• 3551 Fixed - Incorrect violation rating when low severity sub-violations are triggered
• 3576 Fixed - Cookie deletion configuration issue
• 3606 Fixed - Blocked logging filter is working incorrectly

Release 3.0

January 29, 2021

New Features

• Advanced gRPC Protection for Unary Traffic

Supported Packages

App Protect

Debian 9

• app-protect_23+3.332.0-1~stretch_amd64.deb

Debian 10

• app-protect_23+3.332.0-1~buster_amd64.deb

Ubuntu

• app-protect_23+3.332.0-1~bionic_amd64.deb

Alpine 3.10

• app-protect-23.3.332.0-r1.apk

CentOS / RHEL

• app-protect-23+3.332.0-1.el7.ngx.x86_64.rpm

Resolved Issues

• 3014 Fixed - HTTP2 browser traffic is classified as bot.
• 3105 Fixed - Missing app-protect-compiler Debian package dependency required for /opt/app_protect/bin/get-signatures tool.

Release 2.3

December 30, 2020

New Features

• Debian 10 Support
• Alpine 3.10 Support
• User-defined HTTP Headers
• Converter Tools
• Attack Signature Report Tool

Supported Packages

App Protect

Debian 9

• app-protect_23+3.281.0-1~stretch_amd64.deb

Debian 10

• app-protect_23+3.281.0-1~buster_amd64.deb

Ubuntu

• app-protect_23+3.281.0-1~bionic_amd64.deb

Alpine 3.10

• app-protect-23.3.281.0-r1.apk

CentOS / RHEL

• app-protect-23+3.281.0-1.el7.ngx.x86_64.rpm

Resolved Issues

• 1270 Fixed - Unit hostname N/A in security log.

Known Issues

3014 - HTTP2 browser traffic is classified as bot.

• Workaround - Disable bot defense in policies used on HTTP2 locations.

Release 2.2

December 09, 2020

New Features

In this release support for App Protect is added to NGINX Plus R23.

• Detect Base64
• Anti Automation Header Anomalies

Supported Packages

App Protect

Debian

• app-protect_23+3.263.0-1~stretch_amd64.deb

Ubuntu

• app-protect_23+3.263.0-1~bionic_amd64.deb

CentOS / RHEL

• app-protect-23+3.263.0-1.el7.ngx.x86_64.rpm

Resolved Issues

• 2482 Fixed - 100% CPU reached on reload of new security log configuration during traffic.
• 2670 Fixed - Cookie value in security log violation details showed name=value instead of value for base64 decodable cookies.
• 2872 Fixed - Security logs get sent to the previous destination as well as the new one after reload.

Release 2.1

October 28, 2020

New Features

• Bot Signatures & Bot Origin Validation Support
• EPEL Repository Dependency Removal from RHEL

Supported Packages

App Protect

Debian

• app-protect_22+3.216.0-1~stretch_amd64.deb

Ubuntu

• app-protect_22+3.216.0-1~bionic_amd64.deb

CentOS / RHEL

• app-protect-22+3.216.0-1.el7.ngx.x86_64.rpm

Resolved Issues

• 2357 Fixed - Decoding of unpadded base64 encoded strings fails as invalid base64 encoding.
• 2354 Fixed - Positional parameter detected as illegal URL with open-api-files reference.
• 2319 Fixed - Users permissions for users other than nginx .
• 2297 Fixed - Set-Cookie header discarded on 302 response code.
• 2296 Fixed - Large number of configured locations in nginx.conf result in long startup and reload times.
• 2163 Fixed - app-protect-compiler RPM requires epel-release.
• 2155 Fixed - No support for IPv6 remote logging syslog destination address.

Release 2.0

September 08, 2020

New Features

• Ubuntu 18.04 Support
• OpenAPI Support
• JSON Schema Validation
• User-Defined Signatures
• User-Defined URLs
• User-Defined Parameters
• Offline Installation

Supported Packages

App Protect

Debian

• app-protect_22+3.158.1-1~stretch_amd64.deb

Ubuntu

• app-protect_22+3.158.1-1~bionic_amd64.deb

CentOS / RHEL

• app-protect-22+3.158.1-1.el7.ngx.x86_64.rpm

Resolved Issues

• 1868 Fixed - Removal of the app-protect RPM package results in SELinux-related failure messages.
• 2099 Fixed - Missing SELinux configuration required to support writing the security log to a file.
• 2119 Fixed - Logging Profiles do not disassociate from location when multiple changes are made.
• 2134 Fixed - No security logs for requests on servers using IPv6 addresses.

Release 1.3

July 21, 2020

New Features

• RHEL 7.4+ Support
• RHEL UBI7 Support
• SELinux Configuration
• New Strict Security Policy
• Security Log Write To File

Supported Packages

App Protect

Debian

• app-protect_22+3.90.2-1~stretch_amd64.deb

CentOS / RHEL

• app-protect-22+3.90.2-1.el7.ngx.x86_64.rpm

Known Issues

1868 - Removal of the app-protect RPM package results in SELinux-related failure messages

This is a cosmetic issue only:

yum remove app-protect

Erasing : app-protect-22+3.90.2-1.el7.ngx.x86_64 1/5
libsemanage.semanage_direct_remove_key: Removing last app-protect module (no other app-protect module exists at another priority).
restorecon: lstat(/usr/lib64/systemd/system/nginx-app-protect-compiler.service) failed: No such file or directory
restorecon: lstat(/usr/lib64/systemd/system/nginx-app-protect.service) failed: No such file or directory

Resolved Issues

• 1758 Fixed - Non-CSV-compliant escaping of quotes as %22 in default security log fields.
• 1774 Added - Default security log settings file /etc/app_protect/conf/log_default.json.
• 1784 Added - “Unescaped space in URL” sub-violation.
• 1785 Fixed - LIBDATASYNC|ERR messages in bd-socket-plugin.log.
• 1811 Fixed - Empty non-CSV-compliant ‘is_truncated’ field in default security log settings.

Release 1.2

June 30, 2020

New Features

• External References
• Threat Campaigns

Supported Packages

App Protect

Debian

• app-protect_22+3.74.0-1~stretch_amd64.deb

CentOS

• app-protect-22+3.74.0-1.el7.ngx.x86_64.rpm

Resolved Issues

• 1455 Fixed - Data Guard masking policy resulted in core for large responses over 100MB.
• 1487 Fixed - HTTP compliance sub-violation “Chunked request with Content-Length” was not enabled.
• 1520 Fixed - Data Guard masking policy didn’t mask CCN/SSN found at the end of responses over 32KB.
• 1575 Added - Any request containing a value other than “identity” in a Content-Encoding Header will be dropped/passed according to the new directive: app_protect_compressed_requests_action. Such requests will be dropped by default if the directive is not set.
• 1576 Fixed - Signature matched on wrong context.
• 1580 Fixed - Crash during fail mode.
• 1742 Fixed - Documentation did not reflect the correct HTTP compliance sub-violations.

Release 1.1

June 9, 2020

In this release support for App Protect is added to NGINX Plus R22. There are no new App Protect features in this release.

Supported Packages

App Protect

Debian

• app-protect_22+2.52.5-1~stretch_amd64.deb

CentOS

• app-protect-22+2.52.5-1.el7.ngx.x86_64.rpm

Resolved Issue

1438 - Attack signature update on Debian

Release 1.0

May 19, 2020

Security Features

• OWASP Top 10 based attack signatures & CVEs
• Metacharacter checking
• HTTP protocol compliance
• Evasion techniques
• Disallowed file types (bin, cgi, cmd, com, dll, exe, msi, sys, shtm, shtml, stm & more)
• Enforcement based on risk score (Violation Rating)
• Cookie integrity check
• JSON & XML well-formedness
• Sensitive parameters & Data Guard
• gRPC protocol support

OS Distribution

• CentOS 7.4+ (64bit)
• Debian 9 (64bit)

Supported Versions

NGINX Plus R19 and later

Supported Packages

App Protect

Debian

• app-protect_19+2.52.1-1~stretch_amd64.deb
• app-protect_20+2.52.1-1~stretch_amd64.deb
• app-protect_21+2.52.1-1~stretch_amd64.deb

CentOS

• app-protect-19+2.52.1-1.el7.ngx.x86_64.rpm
• app-protect-20+2.52.1-1.el7.ngx.x86_64.rpm
• app-protect-21+2.52.1-1.el7.ngx.x86_64.rpm

Attack Signatures

Debian

• from app-protect-attack-signatures_2019.07.16-1~stretch_amd64.deb (original installed, to allow downgrade)

CentOS

• from app-protect-attack-signatures-2019.07.16-1.el7.ngx.x86_64.rpm (original installed, to allow downgrade)

Known Issues

1341 - Syslog Clock

The time stamps in the NGINX and App Protect log messages are presented in the local time zone of your machine. If you would like to see this in a different time zone, for example UTC, you must change the local time zone. On most systems this can be done using the command:

sudo datetimectl set-timezone Etc/UTC

For other options to change the timezone see your system manual.

General - proxy_pass buffering

The proxy_pass directive must always be used. proxy_request_buffering off is not supported.