From 95173cc3263ad6e9382b6369f24804bf38dba8e6 Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Thu, 8 May 2025 15:54:00 +0300 Subject: [PATCH 01/16] Create ip-groups-override-rules.md --- .../config/common/ip-groups-override-rules.md | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 content/includes/nap-waf/config/common/ip-groups-override-rules.md diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md new file mode 100644 index 000000000..973c27e16 --- /dev/null +++ b/content/includes/nap-waf/config/common/ip-groups-override-rules.md 
@@ -0,0 +1,73 @@ +#### IP-Groups feature as part of Override Rules feature. +The Override Rules feature allows overriding of the original or parent policy settings. +This can be done by defining override rules in the designated section, based on specific override conditions. +Override rule condition with IP group based on JSON schema defined by the declarative policy and applied to "clientIp" attribute using “matches” function. +'clientIp.matches(ipAddressLists["standalone"])' + +The policy example +```json +{ + "policy": { + "name": "ip_group_override_rule", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "caseInsensitive": false, + "enforcementMode": "blocking", + "ip-address-lists": [ + { + "name": "standalone", + "description": "This is my list of IP addresses", + "ipAddresses": [ + { + "ipAddress": "6.5.3.3/32" + }, + { + "ipAddress": "6.5.4.2" + } + ] + } + ], + "override-rules": [ + { + "name": "myFirstRule", + "condition": "clientIp.matches(ipAddressLists['standalone'])", + "actionType": "violation", + "violation": { + "block": true, + "alarm": true, + "attackType": { + "name": "Forceful Browsing" + }, + "description": "Attempt to access from clientIp", + "rating": 4 + } + } + ], + "general": { + "trustXff": true + } + } +} +``` + +The above policy contains ip group with the name "standalone" which is used in override rule condition "clientIp.matches(ipAddressLists['standalone'])". +The condition means that the rule enforcement is applied when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone". +The value used in override rule condition must exist and be exactly equal the name in "ip-address-lists". 
+ +#### Several error cases are verified: +- Using another keyword instead of ipAddressLists; + example: clientIp.matches(invalidList['standalone']); + error_message: " Invalid field invalidList" + +- Using empty name; + example: clientIp.matches(ipAddressLists['']); + error_message: " Invalid value empty string" + +- Using ipAddressLists with attribute otherwise then clientIp; + example: uri.matches(ipAddressLists['standalone']); + error_message: "Failed to compile policy - 'ipGroupOverridePolicy'" + + + From 3fe57052a205bdab7d3bd3957f94c8eed117bc57 Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Thu, 8 May 2025 15:55:45 +0300 Subject: [PATCH 02/16] Create ip-groups-overview.md --- .../config/common/ip-groups-overview.md | 83 +++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 content/includes/nap-waf/config/common/ip-groups-overview.md diff --git a/content/includes/nap-waf/config/common/ip-groups-overview.md b/content/includes/nap-waf/config/common/ip-groups-overview.md new file mode 100644 index 000000000..bbbf6743f --- /dev/null +++ b/content/includes/nap-waf/config/common/ip-groups-overview.md 
@@ -0,0 +1,83 @@ +IP groups is a feature to organize lists of allowed and forbidden IP addresses in several lists with common attributes. +With this enhancement, users have more control over how a unique policy setting is applied to incoming requests with a specific IP address. +Each IP Group contains a unique name, enforcement type (always, never and policy-default), list of IP addresses. + +An example of a declarative policy using IP Groups configuration: + +```json +{ + "policy": { + "name": "IpGroups_policy", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "caseInsensitive": false, + "enforcementMode": "blocking", + "ip-address-lists": [ + { + "name": "Standalone", + "description": "Optional Description", + "blockRequests": "policy-default", + "setGeolocation": "IN", + "ipAddresses": [ + { + "ipAddress": "1.2.3.4/32" + }, + { + "ipAddress": "1111:fc00:0:112::2" + } + ] + } + ] + } +} + +``` +The example with IP-Group definition in external file external_ip_groups.json + +```json +{ + "policy": { + "name": "IpGroups_policy2", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "caseInsensitive": false, + "enforcementMode": "blocking", + "ip-address-lists": [ + { + "name": "external_ip_groups", + "description": "Optional Description", + "blockRequests": "always", + "setGeolocation": "IL", + "ipAddresses": [ + { + "ipAddress": "31.8.194.27" + } + ], + "$ref": "file:///tmp/policy/external_ip_groups.json" + } + ] + } +} +``` +Example of the file external_ip_groups.json + +```json +{ + "name": "External Ip Groups List", + "description": "Optional Description", + "blockRequests": "always", + "setGeolocation": "IR", + "ipAddresses": [ + { + "ipAddress": "66.51.41.21" + }, + { + "ipAddress": "66.52.42.22" + } + ] +} +``` From a33004e2c2f087ea5bca158da8cccc39f88ea275 Mon Sep 17 00:00:00 2001 
From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Thu, 8 May 2025 15:58:07 +0300 Subject: [PATCH 03/16] Update configuration.md add IP Groups --- content/nap-waf/v4/configuration-guide/configuration.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 025870d05..4f709e149 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -478,6 +478,15 @@ For the full reference of Override Rules condition syntax and usage see the NGIN {{< include "nap-waf/config/common/geolocation-override-rules.md" >}} +## IP Groups + +### Overview + +{{< include "nap-waf/config/common/ip-groups-overview.md" >}} + +### IP Groups in Policy Override Rules Conditions + +{{< include "nap-waf/config/common/ip-groups-override-rules.md" >}} ## JSON Web Token Protection From 344be01faf19dfbb07862b9aebcad5416388ae70 Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Thu, 8 May 2025 16:00:30 +0300 Subject: [PATCH 04/16] Update configuration.md add IP Groups in Policy Override Rules Conditions --- .../nap-waf/v5/configuration-guide/configuration.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index a17322367..c936023fa 100644 --- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md 
@@ -475,6 +475,16 @@ For the full reference of Override Rules condition syntax and usage see the NGIN {{< include "nap-waf/config/common/geolocation-override-rules.md" >}} +## IP Groups + +### Overview + +{{< include "nap-waf/config/common/ip-groups-overview.md" >}} + +### IP Groups in Policy Override Rules Conditions + +{{< include "nap-waf/config/common/ip-groups-override-rules.md" >}} + ## JSON Web Token Protection ### Overview From f6835f25e2d8e54108021efb4155286848286b2a Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Tue, 13 May 2025 15:53:36 +0300 Subject: [PATCH 05/16] Update content/includes/nap-waf/config/common/ip-groups-override-rules.md Co-authored-by: Alan Dooley --- .../includes/nap-waf/config/common/ip-groups-override-rules.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md index 973c27e16..44095b3bd 100644 --- a/content/includes/nap-waf/config/common/ip-groups-override-rules.md +++ b/content/includes/nap-waf/config/common/ip-groups-override-rules.md @@ -4,7 +4,8 @@ This can be done by defining override rules in the designated section, based on Override rule condition with IP group based on JSON schema defined by the declarative policy and applied to "clientIp" attribute using “matches” function. 'clientIp.matches(ipAddressLists["standalone"])' -The policy example +Here is a policy example: + ```json { "policy": { From db0efbe3a3b05bb994b09270723f458b83ee3391 Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Tue, 13 May 2025 15:55:02 +0300 Subject: [PATCH 06/16] Update content/includes/nap-waf/config/common/ip-groups-overview.md Co-authored-by: Alan Dooley --- .../includes/nap-waf/config/common/ip-groups-overview.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
diff --git a/content/includes/nap-waf/config/common/ip-groups-overview.md b/content/includes/nap-waf/config/common/ip-groups-overview.md index bbbf6743f..60e983a19 100644 --- a/content/includes/nap-waf/config/common/ip-groups-overview.md +++ b/content/includes/nap-waf/config/common/ip-groups-overview.md @@ -1,6 +1,9 @@ -IP groups is a feature to organize lists of allowed and forbidden IP addresses in several lists with common attributes. -With this enhancement, users have more control over how a unique policy setting is applied to incoming requests with a specific IP address. -Each IP Group contains a unique name, enforcement type (always, never and policy-default), list of IP addresses. +IP groups is a feature to organize lists of allowed and forbidden IP addresses across several lists with common attributes. + +This allows you to control unique policy settings for incoming requests based on specific IP addresses. + +Each IP Group contains a unique name, enforcement type (_always_, _never_ and _policy-default_), and list of IP addresses. + An example of a declarative policy using IP Groups configuration: From c08147e3fe6d7242e8b2fffe2cbacd0dd62490b4 Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Tue, 13 May 2025 15:55:56 +0300 Subject: [PATCH 07/16] Update content/includes/nap-waf/config/common/ip-groups-override-rules.md Co-authored-by: Alan Dooley --- .../includes/nap-waf/config/common/ip-groups-override-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md index 44095b3bd..2d291586c 100644 --- a/content/includes/nap-waf/config/common/ip-groups-override-rules.md +++ b/content/includes/nap-waf/config/common/ip-groups-override-rules.md 
@@ -53,7 +53,7 @@ Here is a policy example: } ``` -The above policy contains ip group with the name "standalone" which is used in override rule condition "clientIp.matches(ipAddressLists['standalone'])". +The previous example policy contains an IP group with the name "standalone", used for the override rule condition "clientIp.matches(ipAddressLists['standalone'])". The condition means that the rule enforcement is applied when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone". The value used in override rule condition must exist and be exactly equal the name in "ip-address-lists". From e78a5ba65b3d93b0a9920d24c9199644e90a6969 Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Tue, 13 May 2025 15:56:38 +0300 Subject: [PATCH 08/16] Update content/includes/nap-waf/config/common/ip-groups-override-rules.md Co-authored-by: Alan Dooley --- .../includes/nap-waf/config/common/ip-groups-override-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md index 2d291586c..b8ba5d459 100644 --- a/content/includes/nap-waf/config/common/ip-groups-override-rules.md +++ b/content/includes/nap-waf/config/common/ip-groups-override-rules.md 
@@ -55,7 +55,7 @@ Here is a policy example: The previous example policy contains an IP group with the name "standalone", used for the override rule condition "clientIp.matches(ipAddressLists['standalone'])". The condition means that the rule enforcement is applied when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone". -The value used in override rule condition must exist and be exactly equal the name in "ip-address-lists". +The value used for the override condition must exist and exactly match the name in "ip-address-lists". #### Several error cases are verified: - Using another keyword instead of ipAddressLists; From 09ab5b8875548723139ef377f01df45a9290976e Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Tue, 13 May 2025 15:59:53 +0300 Subject: [PATCH 09/16] Update content/includes/nap-waf/config/common/ip-groups-override-rules.md Co-authored-by: Alan Dooley --- .../config/common/ip-groups-override-rules.md | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md index b8ba5d459..b65811819 100644 --- a/content/includes/nap-waf/config/common/ip-groups-override-rules.md +++ b/content/includes/nap-waf/config/common/ip-groups-override-rules.md 
@@ -57,18 +57,13 @@ The previous example policy contains an IP group with the name "standalone", use The condition means that the rule enforcement is applied when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone". The value used for the override condition must exist and exactly match the name in "ip-address-lists". -#### Several error cases are verified: -- Using another keyword instead of ipAddressLists; - example: clientIp.matches(invalidList['standalone']); - error_message: " Invalid field invalidList" +#### Possible errors -- Using empty name; - example: clientIp.matches(ipAddressLists['']); - error_message: " Invalid value empty string" - -- Using ipAddressLists with attribute otherwise then clientIp; - example: uri.matches(ipAddressLists['standalone']); - error_message: "Failed to compile policy - 'ipGroupOverridePolicy'" +| Error text | Input | Explanation | +| -----------| ------------- | ------------ | +| _Invalid field invalidList_ | _clientIp.matches(invalidList['standalone']);_ | An incorrect keyword was used instead of _ipAddressLists_ | +| _Invalid value empty string_ | _clientIp.matches(ipAddressLists['']_ | An empty name was provided | +| _Failed to compile policy - 'ipGroupOverridePolicy'_ | _uri.matches(ipAddressLists['standalone']);_ | Used _ipAddressLists_ without the _clientIP_ attribute | From 8683d490c4f9e71ba625812c603bb018060dee20 Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Tue, 13 May 2025 16:00:18 +0300 Subject: [PATCH 10/16] Update content/includes/nap-waf/config/common/ip-groups-override-rules.md Co-authored-by: Alan Dooley --- .../nap-waf/config/common/ip-groups-override-rules.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md index b65811819..4a5e99d87 100644 
--- a/content/includes/nap-waf/config/common/ip-groups-override-rules.md +++ b/content/includes/nap-waf/config/common/ip-groups-override-rules.md @@ -1,7 +1,10 @@ #### IP-Groups feature as part of Override Rules feature. -The Override Rules feature allows overriding of the original or parent policy settings. -This can be done by defining override rules in the designated section, based on specific override conditions. -Override rule condition with IP group based on JSON schema defined by the declarative policy and applied to "clientIp" attribute using “matches” function. +The Override Rules feature allows you to modify original or parent policy settings. + +Rules are defined using specific conditions, which can include an IP group based on the declarative policy JSON schema. + +When triggered, the rule is applied to the _clientIp_ attribute using the _matches_ function. + 'clientIp.matches(ipAddressLists["standalone"])' Here is a policy example: From b3dac52c92208e0b56b0b31ca8c02d57afdf0d26 Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Wed, 14 May 2025 07:25:47 +0300 Subject: [PATCH 11/16] Update content/includes/nap-waf/config/common/ip-groups-overview.md Co-authored-by: Mike Jang <3287976+mjang@users.noreply.github.com> --- content/includes/nap-waf/config/common/ip-groups-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/includes/nap-waf/config/common/ip-groups-overview.md b/content/includes/nap-waf/config/common/ip-groups-overview.md index 60e983a19..635cd4c67 100644 --- a/content/includes/nap-waf/config/common/ip-groups-overview.md +++ b/content/includes/nap-waf/config/common/ip-groups-overview.md @@ -37,7 +37,7 @@ An example of a declarative policy using IP Groups configuration: } ``` -The example with IP-Group definition in external file external_ip_groups.json +The example with IP-Group definition in external file external_ip_groups.json: ```json { 
From 940baa2137d03ed9a09935ad746070e5b1b103b4 Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Wed, 14 May 2025 07:26:23 +0300 Subject: [PATCH 12/16] Update content/includes/nap-waf/config/common/ip-groups-override-rules.md Co-authored-by: Mike Jang <3287976+mjang@users.noreply.github.com> --- .../includes/nap-waf/config/common/ip-groups-override-rules.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md index 4a5e99d87..5ad373350 100644 --- a/content/includes/nap-waf/config/common/ip-groups-override-rules.md +++ b/content/includes/nap-waf/config/common/ip-groups-override-rules.md @@ -1,4 +1,5 @@ #### IP-Groups feature as part of Override Rules feature. + The Override Rules feature allows you to modify original or parent policy settings. Rules are defined using specific conditions, which can include an IP group based on the declarative policy JSON schema. From 82f0f1fd88a6f0e17647921131e78a27063be318 Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Tue, 20 May 2025 19:52:49 +0300 Subject: [PATCH 13/16] Update configuration.md brute-force and login-pages configuration --- .../v4/configuration-guide/configuration.md | 100 +++++++++++++----- 1 file changed, 76 insertions(+), 24 deletions(-) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 4f709e149..6c890dc0a 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md 
@@ -669,12 +669,23 @@ systematic, username/password combinations to discover legitimate authentication To prevent brute force attacks, NGINX App Protect WAF monitors IP addresses, usernames, and the number of failed login attempts beyond a maximum threshold. When brute force patterns are detected, the NGINX App Protect WAF policy either trigger an alarm or block the attack if the failed login attempts reached a maximum threshold for a specific username or coming from a specific IP address. -To enable brute force protection, at least one login page must be created. -The login page entity is created separately and is not included in the brute force configuration block. +In order to create a brute force configuration for a specific URL in Nginx App Protect you must first create a User-Defined URL, then a Login Page and finally define the URL element in the Brute Force configuration section. --- +### The User-Defined URL example -### Login page policy example +```json +"urls": [ + { + "method": "*", + "name": "/html_login", + "protocol": "http", + "type": "explicit" + } + ], +``` + +### Login page example A login page specifies the login URL that users must pass through to get authenticated. The configuration of a login URL includes the URL itself, the username and passwords parameters and the validation criteria (how we know that a login was successful or failed) ```json 
@@ -699,18 +710,10 @@ A login page specifies the login URL that users must pass through to get authent {{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide]({{< ref "/nap-waf/v4/declarative-policy/policy/#policy/login-pages" >}}). {{< /note >}} --- -### Brute force policy example +### Brute force example Example1: A single brute force configuration is applied universally to all login pages. ```json -{ - "policy": { - "name": "BruteForcePolicy", - "template": { - "name": "POLICY_TEMPLATE_NGINX_BASE" - }, - "applicationLanguage": "utf-8", - "enforcementMode": "blocking", "brute-force-attack-preventions" : [ { "bruteForceProtectionForAllLoginPages" : true, @@ -728,21 +731,11 @@ Example1: A single brute force configuration is applied universally to all login "sourceBasedProtectionDetectionPeriod" : 3600 } ] - } -} ``` Example2: Different brute force configurations can be defined for individual login pages, with each configuration referencing a specific login page. ```json -{ - "policy": { - "name": "BruteForcePolicySpec", - "template": { - "name": "POLICY_TEMPLATE_NGINX_BASE" - }, - "applicationLanguage": "utf-8", - "enforcementMode": "blocking", "brute-force-attack-preventions" : [ { "bruteForceProtectionForAllLoginPages" : false, 
@@ -762,13 +755,72 @@ Example2: Different brute force configurations can be defined for individual log "method": "*", "name": "/html_login", "protocol": "http" - } + } } ], +``` - } +The following example adds all three of the pieces for a complete example policy. + +```json +{ + "policy": { + "name": "BruteForcePolicy", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "urls": [ + { + "method": "*", + "name": "/html_login", + "protocol": "http", + "type": "explicit" + } + ], + "login-pages": [ + { + "accessValidation": { + "responseContains": "Success" + }, + "authenticationType": "form", + "url": { + "method": "*", + "name": "/html_login", + "protocol": "http", + "type": "explicit" + }, + "usernameParameterName": "username", + "passwordParameterName": "password" + } + ], + "brute-force-attack-preventions": [ + { + "bruteForceProtectionForAllLoginPages": false, + "loginAttemptsFromTheSameIp": { + "action": "alarm", + "enabled": true, + "threshold": 20 + }, + "loginAttemptsFromTheSameUser": { + "action": "alarm", + "enabled": true, + "threshold": 3 + }, + "reEnableLoginAfter": 3600, + "sourceBasedProtectionDetectionPeriod": 3600, + "url": { + "method": "*", + "name": "/html_login", + "protocol": "http" + } + } + ] + } } ``` + {{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide]({{< ref "/nap-waf/v4/declarative-policy/policy/#policy/brute-force-attack-preventions" >}}). {{< /note >}} ## Custom Dimensions Log Entries From fe6bfa3638cc2e5da92e01129aef036c0d5e5f0d Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Wed, 21 May 2025 10:02:41 +0300 Subject: [PATCH 14/16] Update configuration.md in V5 Brute-force configuration description --- .../v5/configuration-guide/configuration.md | 99 ++++++++++++++----- 1 file changed, 75 insertions(+), 24 deletions(-) 
diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index c936023fa..80d5dfe7c 100644 --- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md @@ -808,12 +808,23 @@ systematic, username/password combinations to discover legitimate authentication To prevent brute force attacks, NGINX App Protect WAF monitors IP addresses, usernames, and the number of failed login attempts beyond a maximum threshold. When brute force patterns are detected, the NGINX App Protect WAF policy either trigger an alarm or block the attack if the failed login attempts reached a maximum threshold for a specific username or coming from a specific IP address. -To enable brute force protection, at least one login page must be created. -The login page entity is created separately and is not included in the brute force configuration block +In order to create a brute force configuration for a specific URL in Nginx App Protect you must first create a User-Defined URL, then a Login Page and finally define the URL element in the Brute Force configuration section. --- +### The User-Defined URL example -### Login page policy example +```json +"urls": [ + { + "method": "*", + "name": "/html_login", + "protocol": "http", + "type": "explicit" + } + ], +``` + +### Login page example A login page specifies the login URL that users must pass through to get authenticated. The configuration of a login URL includes the URL itself, the username and passwords parameters and the validation criteria (how we know that a login was successful or failed) ```json 
@@ -839,18 +850,10 @@ A login page specifies the login URL that users must pass through to get authent --- -### Brute force policy example +### Brute force example Example1: A single brute force configuration is applied universally to all login pages. ```json -{ - "policy": { - "name": "BruteForcePolicy", - "template": { - "name": "POLICY_TEMPLATE_NGINX_BASE" - }, - "applicationLanguage": "utf-8", - "enforcementMode": "blocking", "brute-force-attack-preventions" : [ { "bruteForceProtectionForAllLoginPages" : true, @@ -868,21 +871,11 @@ Example1: A single brute force configuration is applied universally to all login "sourceBasedProtectionDetectionPeriod" : 3600 } ] - } -} ``` Example2: Different brute force configurations can be defined for individual login pages, with each configuration referencing a specific login page. ```json -{ - "policy": { - "name": "BruteForcePolicySpec", - "template": { - "name": "POLICY_TEMPLATE_NGINX_BASE" - }, - "applicationLanguage": "utf-8", - "enforcementMode": "blocking", "brute-force-attack-preventions" : [ { "bruteForceProtectionForAllLoginPages" : false, 
@@ -902,13 +895,71 @@ Example2: Different brute force configurations can be defined for individual log "method": "*", "name": "/html_login", "protocol": "http" - } + } } ], +``` - } +The following example adds all three of the pieces for a complete example policy. +```json +{ + "policy": { + "name": "BruteForcePolicy", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "urls": [ + { + "method": "*", + "name": "/html_login", + "protocol": "http", + "type": "explicit" + } + ], + "login-pages": [ + { + "accessValidation": { + "responseContains": "Success" + }, + "authenticationType": "form", + "url": { + "method": "*", + "name": "/html_login", + "protocol": "http", + "type": "explicit" + }, + "usernameParameterName": "username", + "passwordParameterName": "password" + } + ], + "brute-force-attack-preventions": [ + { + "bruteForceProtectionForAllLoginPages": false, + "loginAttemptsFromTheSameIp": { + "action": "alarm", + "enabled": true, + "threshold": 20 + }, + "loginAttemptsFromTheSameUser": { + "action": "alarm", + "enabled": true, + "threshold": 3 + }, + "reEnableLoginAfter": 3600, + "sourceBasedProtectionDetectionPeriod": 3600, + "url": { + "method": "*", + "name": "/html_login", + "protocol": "http" + } + } + ] + } } ``` + {{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide]({{< ref "/nap-waf/v5/declarative-policy/policy/#policy/brute-force-attack-preventions" >}}). {{< /note >}} ## Custom Dimensions Log Entries From 2b153be923096cf2ce0db8f5a23f18cf21af5d0d Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Wed, 21 May 2025 10:31:37 +0300 Subject: [PATCH 15/16] Update ip-groups-override-rules.md remove xff in override rules --- .../includes/nap-waf/config/common/ip-groups-override-rules.md | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md index 5ad373350..3ec4d47a1 100644 --- a/content/includes/nap-waf/config/common/ip-groups-override-rules.md +++ b/content/includes/nap-waf/config/common/ip-groups-override-rules.md @@ -50,9 +50,6 @@ Here is a policy example: } } ], - "general": { - "trustXff": true - } } } ``` From dfb5c572e9ec760a9f9614ebc6bde3751ad87d2e Mon Sep 17 00:00:00 2001 From: kudriavitsky <109550454+kudriavitsky@users.noreply.github.com> Date: Wed, 21 May 2025 10:42:51 +0300 Subject: [PATCH 16/16] Update configuration.md (ip-groups) add IP Groups in features table --- content/nap-waf/v4/configuration-guide/configuration.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 6c890dc0a..1514a31bf 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md 
@@ -39,6 +39,7 @@ When configuring NGINX App Protect WAF, `app_protect_enable` should always be en |[XFF headers & trust](#xff-headers-and-trust) | Disabled by default. User can enable it and optionally add a list of custom XFF headers. | |[gRPC Protection](#grpc-protection-for-unary-traffic) | gRPC content profile detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection can be on [unary](#grpc-protection-for-unary-traffic) or [bidirectional](#grpc-protection-for-bidirectional-streaming) traffic.| |[Brute Force Attack Preventions](#brute-force-attack-preventions) | Configure brute-force-attack-preventions parameters to secured areas of a web application from brute force attacks.|} +|[IP Groups](#ip-address-lists) | Configure IP Groups feature to organize lists of allowed and forbidden IP addresses across several lists with common attributes.|} ### Disallowed File Types {{< include "nap-waf/config/common/disallowed-file-types.md" >}}
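Review bot: In PATCH 01/16 (new file ip-groups-override-rules.md), the condition is written two ways: the standalone line before the policy example reads 'clientIp.matches(ipAddressLists["standalone"])', wrapped in single quotes with double quotes inside, while the policy itself uses "clientIp.matches(ipAddressLists['standalone'])". The text goes on to say the name must match "ip-address-lists" exactly, so readers will copy this string literally. Show one form only, in a code span or fenced block, and if both quote styles are accepted inside a condition, say so. The curly quotes around “matches” on the line above should be plain quotes or a code span for the same reason.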
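Review bot: In PATCH 02/16 (ip-groups-overview.md), the second example gives the list entry both inline values and a "$ref", and the two disagree. Inline it has name "external_ip_groups", setGeolocation "IL" and ipAddress 31.8.194.27. The referenced file has name "External Ip Groups List", setGeolocation "IR" and two other addresses. The text does not say which side wins or whether they merge, so a reader cannot tell which addresses end up under "blockRequests": "always", or which name an override rule condition has to reference. Add a sentence stating the precedence, or reduce the inline entry to the "$ref" alone if that is valid. Two smaller points: "setGeolocation" appears in all three examples but is missing from the prose list of what a group contains (name, enforcement type, addresses), and the prose never ties "enforcement type" to the "blockRequests" key. The sample path file:///tmp/policy/external_ip_groups.json will be copied as is, so a location that is not under /tmp would be a better thing to show for a file that decides which clients are blocked.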
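Review bot: In PATCH 03/16 (v4 configuration.md, hunk at -478), the new heading "### IP Groups in Policy Override Rules Conditions" is followed immediately by an include whose first line is its own heading, "#### IP-Groups feature as part of Override Rules feature." (added in PATCH 01/16). The rendered page gets two consecutive headings that say the same thing, the second with a trailing period. Drop the heading from the include and let the guide supply it, as the overview include already does. The same applies to the v5 hunk in PATCH 04/16. Also, this v4 hunk adds 9 lines and ends on the include, while the v5 hunk adds 10 and ends on a blank line before "## JSON Web Token Protection"; the two guides should be identical here.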
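Review bot: In PATCH 09/16 (the new "Possible errors" table), the Input cells are not consistent and one is not a complete expression: the second row reads _clientIp.matches(ipAddressLists['']_ with no closing parenthesis, while the first and third rows end in ");" although the condition in the policy example has no semicolon. The Explanation in the third row spells the attribute _clientIP_, but the policy and the rest of the file use clientIp. The third Error text names 'ipGroupOverridePolicy', which is not the policy in the example above (that one is "ip_group_override_rule"), so a reader searching their logs for this string will not find it; replace the name with a placeholder or say it is the policy's own name. Use code spans rather than underscore emphasis for the inputs and error strings so they are copied exactly.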
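Review bot: In PATCH 10/16, the new sentence "When triggered, the rule is applied to the _clientIp_ attribute using the _matches_ function." changes the meaning of the line it replaces. The removed text said the condition is applied to the "clientIp" attribute using the matches function; the new text says the rule is applied to clientIp once it has already been triggered, which reverses cause and effect. Something like "The condition tests the clientIp attribute against a named IP group using the matches function, and the rule's action applies when the address is in that group" keeps the original meaning. The example condition on the next line is still plain text in single quotes and should be a code span or fenced block.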
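Review bot: In PATCH 13/16 (v4, first hunk at -669), the removed sentences stated a general requirement, "To enable brute force protection, at least one login page must be created", and the replacement only describes the steps "for a specific URL". Example1 further down still sets "bruteForceProtectionForAllLoginPages" : true, and after this change nothing tells the reader that this mode also needs a login page. Keep the general requirement and add the three-step order after it. The replacement also writes "Nginx App Protect" where the surrounding text uses "NGINX App Protect WAF". The new "urls" block is fenced as json but is a fragment ending in "]," with a trailing comma; either show it as a complete object or state that it is an excerpt of the policy.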
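Review bot: In PATCH 13/16 (v4, last hunk at -762), the new complete policy sets "action": "alarm" for both "loginAttemptsFromTheSameIp" and "loginAttemptsFromTheSameUser" while "enforcementMode" is "blocking". The section text says the policy can either trigger an alarm or block, so anyone who copies this example gets reporting only and no lockout once a threshold is reached. Either say that explicitly next to the example or show the blocking action here. In the same example the "url" inside "brute-force-attack-preventions" omits "type": "explicit" while the matching entries under "urls" and "login-pages" include it; state whether that is required for the three entries to be treated as the same URL. Example2 above it now ends in "]," and is no longer valid JSON inside its json fence, and the change from "}" to "}" at the top of the hunk is whitespace only.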
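Review bot: In PATCH 14/16 (v5 configuration.md), the brute force text and examples are a second hand-maintained copy of the v4 change in PATCH 13/16, and the copies already differ: v5 has no blank line between "The following example adds all three of the pieces for a complete example policy." and the opening json fence (75 insertions here against 76 in v4). The IP Groups content in this same series is shared through files under content/includes/nap-waf/config/common/; doing the same for this section would keep the two guides from drifting. The review points raised on PATCH 13/16 apply to this copy as well.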
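Review bot: In PATCH 15/16, removing the "general" block leaves the example policy as invalid JSON: the "]," that closes "override-rules" is now followed directly by "}", so the trailing comma has to go as well. Since the example no longer sets "trustXff", and the features table says XFF trust is disabled by default, add one sentence saying which address clientIp is evaluated against in that case and how it changes when XFF trust is enabled. With an IP-based override rule that is what decides whether the rule can be bypassed or wrongly triggered by a client-supplied header.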
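Review bot: In PATCH 16/16, the added table row ends with "|}"; the stray "}" is copied from the Brute Force row above it and should be removed from both. The link target "#ip-address-lists" does not match any heading added in this series: the section added in PATCH 03/16 is "## IP Groups", so the anchor should be "#ip-groups" unless a custom anchor is defined elsewhere. Only the v4 guide gets the new row; the v5 guide received the IP Groups section in PATCH 04/16 but no matching change to its features table. The row text "Configure IP Groups feature to organize lists of allowed and forbidden IP addresses" would read better as "Organize allowed and forbidden IP addresses into named lists with common attributes."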