Releases

New Features

In this release support for App Protect is added to NGINX Plus R24, for which Debian 9 support has been deprecated.

• Multiple Security Logs Support
• Default Policy Location Update
• Tighten Default Enforcer Cookie Settings

Supported Packages

Resolved Issues

• 3586 Fixed - Incorrect base64 cookie value in security log
• 3705 Fixed - SELinux alerts on reload
• 3706 Fixed - Reload failure as a result of a file descriptor leak
• 3708 Fixed - JSON characters in log format failure
• 3709 Fixed - Spaces in JSON values are disallowed
• 3710 Added - Allow http-protocols High ASCII characters in headers to be configurable

New Features

• User-Defined Browser Control
• CSRF Protection Using Origin Validation
• Clickjacking Protection
• Log Rotate
• Enforcer Cookie Settings
• Ubuntu 20.04 Support

Supported Packages

Resolved Issues

• 3157 Fixed - Header settings case sensitivity issue
• 3259 Fixed - Disallow multiple cookie headers in request
• 3351 Fixed - Date-Time and Date formatted parameters in OpenAPI accept malformed values
• 3353 Fixed - ExclusiveMinimum in OpenAPI not enforced
• 3551 Fixed - Incorrect violation rating when low severity sub-violations are triggered
• 3576 Fixed - Cookie deletion configuration issue
• 3606 Fixed - Blocked logging filter is working incorrectly

New Features

• Advanced gRPC Protection for Unary Traffic

Supported Packages

Resolved Issues

• 3014 Fixed - HTTP2 browser traffic is classified as bot.
• 3105 Fixed - Missing app-protect-compiler Debian package dependency required for /opt/app_protect/bin/get-signatures tool.

New Features

• Debian 10 Support
• Alpine 3.10 Support
• User-defined HTTP Headers
• Converter Tools
• Attack Signature Report Tool

Supported Packages

Resolved Issues

• 1270 Fixed - Unit hostname N/A in security log.

Known Issues

New Features

In this release support for App Protect is added to NGINX Plus R23.

• Detect Base64
• Anti Automation Header Anomalies

Supported Packages

Resolved Issues

• 2482 Fixed - 100% CPU reached on reload of new security log configuration during traffic.
• 2670 Fixed - Cookie value in security log violation details showed name=value instead of value for base64 decodable cookies.
• 2872 Fixed - Security logs get sent to the previous destination as well as the new one after reload.

New Features

• Bot Signatures & Bot Origin Validation Support
• EPEL Repository Dependency Removal from RHEL

Supported Packages

Resolved Issues

• 2357 Fixed - Decoding of unpadded base64 encoded strings fails as invalid base64 encoding.
• 2354 Fixed - Positional parameter detected as illegal URL with open-api-files reference.
• 2319 Fixed - Users permissions for users other than nginx.
• 2297 Fixed - Set-Cookie header discarded on 302 response code.
• 2296 Fixed - Large number of configured locations in nginx.conf result in long startup and reload times.
• 2163 Fixed - app-protect-compiler RPM requires epel-release.
• 2155 Fixed - No support for IPv6 remote logging syslog destination address.

New Features

• Ubuntu 18.04 Support
• OpenAPI Support
• JSON Schema Validation
• User-Defined Signatures
• User-Defined URLs
• User-Defined Parameters
• Offline Installation

Supported Packages

Resolved Issues

• 1868 Fixed - Removal of the app-protect RPM package results in SELinux-related failure messages.
• 2099 Fixed - Missing SELinux configuration required to support writing the security log to a file.
• 2119 Fixed - Logging Profiles do not disassociate from location when multiple changes are made.
• 2134 Fixed - No security logs for requests on servers using IPv6 addresses.

New Features

• RHEL 7.4+ Support
• RHEL UBI7 Support
• SELinux Configuration
• New Strict Security Policy
• Security Log Write To File

Supported Packages

Known Issues

yum remove app-protect

Erasing : app-protect-22+3.90.2-1.el7.ngx.x86_64 1/5
libsemanage.semanage_direct_remove_key: Removing last app-protect module (no other app-protect module exists at another priority).
restorecon: lstat(/usr/lib64/systemd/system/nginx-app-protect-compiler.service) failed: No such file or directory
restorecon: lstat(/usr/lib64/systemd/system/nginx-app-protect.service) failed: No such file or directory

Resolved Issues

• 1758 Fixed - Non-CSV-compliant escaping of quotes as %22 in default security log fields.
• 1774 Added - Default security log settings file /etc/app_protect/conf/log_default.json.
• 1784 Added - “Unescaped space in URL” sub-violation.
• 1785 Fixed - LIBDATASYNC|ERR messages in bd-socket-plugin.log.
• 1811 Fixed - Empty non-CSV-compliant ‘is_truncated’ field in default security log settings.

New Features

• External References
• Threat Campaigns

Supported Packages

Resolved Issues

• 1455 Fixed - Data Guard masking policy resulted in core for large responses over 100MB.
• 1487 Fixed - HTTP compliance sub-violation “Chunked request with Content-Length” was not enabled.
• 1520 Fixed - Data Guard masking policy didn’t mask CCN/SSN found at the end of responses over 32KB.
• 1575 Added - Any request containing a value other than “identity” in a Content-Encoding Header will be dropped/passed according to the new directive: app_protect_compressed_requests_action. Such requests will be dropped by default if the directive is not set.
• 1576 Fixed - Signature matched on wrong context.
• 1580 Fixed - Crash during fail mode.
• 1742 Fixed - Documentation did not reflect the correct HTTP compliance sub-violations.

Supported Packages

Resolved Issue

1438 - Attack signature update on Debian

Security Features

• OWASP Top 10 based attack signatures & CVEs
• Metacharacter checking
• HTTP protocol compliance
• Evasion techniques
• Disallowed file types (bin, cgi, cmd, com, dll, exe, msi, sys, shtm, shtml, stm & more)
• Enforcement based on risk score (Violation Rating)
• Cookie integrity check
• JSON & XML well-formedness
• Sensitive parameters & Data Guard
• gRPC protocol support

OS Distribution

• CentOS 7.4+ (64bit)
• Debian 9 (64bit)

Supported Versions

NGINX Plus R19 and later

Supported Packages

Known Issues

sudo datetimectl set-timezone Etc/UTC