Releases
Release 2.3
30 December 2020
Release 2.2
09 December 2020
Resolved Issues
- 2482 Fixed - 100% CPU reached on reload of new security log configuration during traffic.
- 2670 Fixed - Cookie value in security log violation details showed `name=value` instead of `value` for base64 decodable cookies.
- 2872 Fixed - Security logs get sent to the previous destination as well as the new one after reload.
Release 2.1
28 October 2020
Resolved Issues
- 2357 Fixed - Decoding of unpadded base64 encoded strings fails as invalid base64 encoding.
- 2354 Fixed - Positional parameter detected as illegal URL with open-api-files reference.
- 2319 Fixed - User permissions for users other than `nginx`.
- 2297 Fixed - `Set-Cookie` header discarded on 302 response code.
- 2296 Fixed - Large number of configured locations in `nginx.conf` result in long startup and reload times.
- 2163 Fixed - `app-protect-compiler` RPM requires `epel-release`.
- 2155 Fixed - No support for IPv6 remote logging syslog destination address.
Release 2.0
08 September 2020
Resolved Issues
- 1868 Fixed - Removal of the app-protect RPM package results in SELinux-related failure messages.
- 2099 Fixed - Missing SELinux configuration required to support writing the security log to a file.
- 2119 Fixed - Logging Profiles do not disassociate from location when multiple changes are made.
- 2134 Fixed - No security logs for requests on servers using IPv6 addresses.
Release 1.3
21 July 2020
Resolved Issues
- 1758 Fixed - Non-CSV-compliant escaping of quotes as %22 in default security log fields.
- 1774 Added - Default security log settings file `/etc/app_protect/conf/log_default.json`.
- 1784 Added - “Unescaped space in URL” sub-violation.
- 1785 Fixed - `LIBDATASYNC|ERR` messages in `bd-socket-plugin.log`.
- 1811 Fixed - Empty non-CSV-compliant `is_truncated` field in default security log settings.
Release 1.2
30 June 2020
Resolved Issues
- 1455 Fixed - Data Guard masking policy resulted in core for large responses over 100MB.
- 1487 Fixed - HTTP compliance sub-violation “Chunked request with Content-Length” was not enabled.
- 1520 Fixed - Data Guard masking policy didn’t mask CCN/SSN found at the end of responses over 32KB.
- 1575 Added - Any request containing a value other than “identity” in a Content-Encoding header will be dropped/passed according to the new directive `app_protect_compressed_requests_action`. Such requests will be dropped by default if the directive is not set.
- 1576 Fixed - Signature matched on wrong context.
- 1580 Fixed - Crash during fail mode.
- 1742 Fixed - Documentation did not reflect the correct HTTP compliance sub-violations.
Release 1.1
9 June 2020
In this release support for App Protect is added to NGINX Plus R22. There are no new App Protect features in this release.
Release 1.0
19 May 2020
Security Features
- OWASP Top 10 based attack signatures & CVEs
- Metacharacter checking
- HTTP protocol compliance
- Evasion techniques
- Disallowed file types (bin, cgi, cmd, com, dll, exe, msi, sys, shtm, shtml, stm & more)
- Enforcement based on risk score (Violation Rating)
- Cookie integrity check
- JSON & XML well-formedness
- Sensitive parameters & Data Guard
- gRPC protocol support
Supported Packages
Known Issues
1341 - Syslog Clock
The time stamps in the NGINX and App Protect log messages are presented in the local time zone of your machine. If you would like to see this in a different time zone, for example UTC, you must change the local time zone. On most systems this can be done using the command:
sudo timedatectl set-timezone Etc/UTC
For other options to change the timezone see your system manual.