Configure App Protect WAF

Overview

This guide explains how to configure the F5 NGINX App Protect WAF security features.

Configure

To use NGINX App Protect, apply the following changes to the NGINX config file.

  1. Load the NGINX App Protect WAF module in the main context:

       load_module modules/ngx_http_app_protect_module.so;

  2. Set the enforcer address:

       app_protect_enforcer_address 127.0.0.1:50000;

     Note:
     The app_protect_enforcer_address directive is required for NGINX App Protect to work and must match 127.0.0.1:50000.

  3. Enable NGINX App Protect WAF with the app_protect_enable directive in the appropriate scope. The app_protect_enable directive may be set in the http, server, and location contexts.

     It is recommended to have a basic policy enabled in the http or server context to process malicious requests in a more complete manner.

       app_protect_enable on;

  4. Set the app_protect_policy_file directive to the path of the precompiled policy file. You can find the list of supported policies and their paths under the Precompiled Policies section.

       app_protect_policy_file /etc/app_protect/conf/NginxDefaultPolicy.json;

Sample Config with App Protect configured:

user nginx;
worker_processes auto;
worker_rlimit_nofile 8192;
pid /run/nginx/nginx.pid;

load_module modules/ngx_http_app_protect_module.so;

events {
    worker_connections 4000;
}

error_log /var/log/nginx/error.log debug;

http {
    access_log off;
    server_tokens "";

    app_protect_enforcer_address 127.0.0.1:50000;

    server {
        listen 80 default_server;

        location / {
            app_protect_enable on;
            app_protect_policy_file /etc/app_protect/conf/NginxDefaultPolicy.json;
            proxy_pass http://127.0.0.1:80/proxy/$request_uri;
        }

        location /proxy {
            default_type text/html;
            return 200 "Hello World\n";
        }
    }
}

Precompiled Policies

NGINXaaS for Azure ships with the two reference policies (Default and Strict) supported in NGINX App Protect. These policies are supported in both the blocking and transparent enforcement modes. For more information on these policies, refer to the NGINX App Protect configuration guide.

The following table shows the path to the precompiled policy file that needs to be used with the app_protect_policy_file directive:

Policy    Enforcement Mode    Path
Default   Strict              /etc/app_protect/conf/NginxDefaultPolicy.json
Default   Transparent         /etc/app_protect/conf/NginxDefaultPolicy_transparent.json
Strict    Strict              /etc/app_protect/conf/NginxStrictPolicy.json
Strict    Transparent         /etc/app_protect/conf/NginxStrictPolicy_transparent.json

To view the contents of the available security policies, navigate to the Azure portal and select the Security Policies tab in the App Protect section.

Note:
Custom policies are not supported at this time.
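
As an added example (not part of the NGINX documentation or product), a pre-deployment check that a config follows the steps in this guide: module loaded in the main context, enforcer address 127.0.0.1:50000, WAF enabled, and a policy path from the table above. The function names and the constructed SAMPLE config are assumptions, and the tokenizer is deliberately simplified.

```python
import re

# Values taken from this guide; custom policies are not supported.
MODULE = "modules/ngx_http_app_protect_module.so"
ENFORCER = "127.0.0.1:50000"
POLICIES = {f"/etc/app_protect/conf/Nginx{p}Policy{m}.json"
            for p in ("Default", "Strict") for m in ("", "_transparent")}

def directives(conf):
    """Yield (depth, name, args) per directive. Simplified tokenizer:
    strips comments, does not handle ';', '{' or '#' inside quotes."""
    depth = 0
    for stmt, sep in re.findall(r"([^;{}]*)([;{}])", re.sub(r"#[^\n]*", "", conf)):
        parts = stmt.split()
        if parts:
            yield depth, parts[0], parts[1:]
        depth += {"{": 1, "}": -1, ";": 0}[sep]

def lint(conf):
    """Return a list of findings; an empty list means the config passes."""
    ds, out = list(directives(conf)), []
    # depth 0 is the main context, where the module must be loaded
    if not any(d == 0 and n == "load_module" and a == [MODULE] for d, n, a in ds):
        out.append("load_module for App Protect missing from main context")
    enforcer = [a for _, n, a in ds if n == "app_protect_enforcer_address"]
    if not enforcer or any(a != [ENFORCER] for a in enforcer):
        out.append(f"app_protect_enforcer_address must be {ENFORCER}")
    if not any(n == "app_protect_enable" and a == ["on"] for _, n, a in ds):
        out.append("app_protect_enable on is not set in any context")
    for args in (a for _, n, a in ds if n == "app_protect_policy_file"):
        path = " ".join(args)
        if path not in POLICIES:
            out.append(f"unsupported policy file: {path}")
        elif path.endswith("_transparent.json"):
            out.append(f"transparent mode (reports, does not block): {path}")
    return out

# Constructed sample input: wrong enforcer port and a non-precompiled policy path.
SAMPLE = """
load_module modules/ngx_http_app_protect_module.so;
http {
    app_protect_enforcer_address 127.0.0.1:5000;
    app_protect_enable on;
    app_protect_policy_file /etc/app_protect/conf/custom.json;
}
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The transparent-mode finding is informational: the policy path is valid, but a deployment meant to block traffic should reference one of the two non-transparent paths.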

What’s next

Enable App Protect WAF Logs