| title | weight | toc | url | type | |
|---|---|---|---|---|---|
Configure App Protect WAF |
300 |
true |
/nginxaas/azure/app-protect/configure-waf/ |
|
This guide explains how to configure the F5 NGINX App Protect WAF security features.
To use NGINX App Protect apply the following changes to the NGINX config file.
- Load the NGINX App Protect WAF module on the main context:
load_module modules/ngx_http_app_protect_module.so;- Set the enforcer address:
app_protect_enforcer_address 127.0.0.1:50000;{{}} The app_protect_enforcer_address directive is a required directive for Nginx App Protect to work and must match 127.0.0.1:50000{{}}
- Enable NGINX App Protect WAF with the
app_protect_enabledirectives in the appropriate scope. Theapp_protect_enabledirective may be set in thehttp,server, andlocationcontexts.
It is recommended to have a basic policy enabled in the http or server context to process malicious requests in a more complete manner.
app_protect_enable on;- Configure the path of the pre-compiled policy file to the
app_protect_policy_filedirective. You can find the list of supported policies and their paths under the Precompiled Policies section.
app_protect_policy_file /etc/app_protect/conf/NginxDefaultPolicy.json;Sample Config with App Protect configured:
user nginx;
worker_processes auto;
worker_rlimit_nofile 8192;
pid /run/nginx/nginx.pid;
load_module modules/ngx_http_app_protect_module.so;
events {
worker_connections 4000;
}
error_log /var/log/nginx/error.log debug;
http {
access_log off;
server_tokens "";
app_protect_enforcer_address 127.0.0.1:50000;
server {
listen 80 default_server;
location / {
app_protect_enable on;
app_protect_policy_file /etc/app_protect/conf/NginxDefaultPolicy.json;
proxy_pass http://127.0.0.1:80/proxy/$request_uri;
}
location /proxy {
default_type text/html;
return 200 "Hello World\n";
}
}
}NGINXaaS for Azure ships with the two reference policies (Default and Strict) supported in NGINX App Protect. These policies are supported in both the blocking and transparent enforcement modes. For more information on these policies refer the NGINX App Protect configuration guide.
The following table shows the path to the precompiled policy file that needs to be used with the app_protect_policy_file directive:
{{<bootstrap-table "table table-striped table-bordered">}}
| Policy | Enforcement Mode | Path |
|---|---|---|
| Default | Strict | /etc/app_protect/conf/NginxDefaultPolicy.json |
| Default | Transparent | /etc/app_protect/conf/NginxDefaultPolicy_transparent.json |
| Strict | Strict | /etc/app_protect/conf/NginxStrictPolicy.json |
| Strict | Transparent | /etc/app_protect/conf/NginxStrictPolicy_transparent.json |
| {{}} |
To view the contents of the available security policies, navigate to the azure portal and select the Security Policies tab in the App Protect section.
NGINXaas for Azure also supports custom security policies. You can create and modify custom security policies to deploy to NGINX App Protect Instances using the API or Azure Portal.
To create a custom security policy in the Azure Portal:
- Select your deployment
- Select NGINX app protect WAF from the menu on the left
- Select Custom Policies
- Select Add Custom Security Policy to open the policy editor
In the policy editor, enter the Name, File path, your policy content, and then select Save. The File path is optional and will default to the path "/etc/app_protect/conf/" plus the policy Name with a ".json" extension. After your policy has been saved, you can then reference it in your NGINX configuration. For more information on policy configuration and syntax, refer to the NGINX App Protect configuration guide.
{{}}The name field within the security policy must be unique among the policies referenced in your NGINX configuration.{{}}
{{}}Referencing both custom and precompiled policies in your NGINX configuration is not supported at this time. As a workaround, make a copy of the default policy you want to use, then add it as a custom policy with a different name. {{}}
The Custom Policies tab shows the status of your custom policies (Compilation and Application Status). Custom policies are automatically compiled when created or modified. Policies that are applied to the NGINX configuration cannot be deleted until they are first removed from the configuration.
It is highly recommended to use logging to monitor the performance of NGINX App Protect WAF and to help diagnose problems. See [Enable App Protect WAF Logs]({{< ref "/nginxaas-azure/app-protect/enable-logging.md" >}}) for directions to configure security and operational logs.
[Enable App Protect WAF Logs]({{< ref "/nginxaas-azure/app-protect/enable-logging.md" >}})