F5 DoS for NGINX Access Log Request Mechanism
Access Log is NGINX's request log mechanism. It is controlled by the following two directives.

log_format: This directive determines the format of the log messages using predefined variables. App Protect DoS enriches this set of variables with several security log attributes that can be included in the log_format. If log_format is not specified, the built-in format combined is used; because that format does not include the extended App Protect DoS variables, this directive must be used when the user wants to add App Protect DoS information to the log.

access_log: This directive determines the destination of the access log and the name of the format, according to the official F5 NGINX documentation. For example: access_log /var/log/nginx/access.log log_dos; (log_dos is predefined in the log_format directive).
These are the variables added to Access Log. They are a subset of the Security log attributes; their names are the Security log attribute names prefixed with $app_protect_dos_.
Name | Meaning | Comment |
---|---|---|
$app_protect_dos_outcome | One of: Allow: request was sent to the origin server; Redirect: HTTP redirection; Challenge: JS challenge; Block: blocked request | |
$app_protect_dos_outcome_reason | One of: Allow: request not mitigated, passed the DoS flow successfully; Allowlist: request not mitigated because it is on the allowlist; Bypass: request not mitigated due to an internal failure; Bad_Actor: request mitigated as a bad actor; Signature: request mitigated as a matched DoS attack signature; Global_Rate: request mitigated as exceeding the calculated global request rate; Slow_Body: request mitigated due to being a slow request | Combine MITIGATED_BY_GLOBAL_RATE with the global rate value (in RPS), for example Global_Rate, value=152 |
$app_protect_dos_tls_fp | TLS fingerprint: a value which identifies the sender | Applicable only to TLS (SSL) traffic |
$app_protect_dos_policy_name | The name of the policy that enforced the request | |
$app_protect_dos_vs_name | The name of the protected object | |
$app_protect_dos_version | The App Protect DoS version string, in major.minor.build format | Does not include the F5 NGINX Plus version (e.g. R21). The latter is available in the $version variable. |
Many of the other Security log attributes that are not included here have exact or similar parallels among the NGINX variables also available for the access log. For example, $request is parallel to the request security log attribute. See the full list of NGINX variables.
During a DoS attack there is a large quantity of incoming requests, which can flood the Access Log. The rate of access log entries can be limited in order to avoid this flood.
NGINX logs all requests during peacetime and logs up to 10 entries per second for each outcome reason during attack time. In the worst case this is 50 entries per second under attack.
Two things should be configured in the nginx.conf file:
- Create a variable called loggable using NGINX's set directive and give it any value (string or numerical). Note that the scope of the set directive is the server or location block. For example: set $loggable '1';
- Add the string "if=$loggable" to the access_log directive's argument. For example: access_log /var/log/nginx/access.log custom if=$loggable;
A complete configuration combining the custom format and the rate-limited access log:

```nginx
http {
    # Custom format: standard request fields plus the App Protect DoS variables.
    # Adjacent quoted strings are concatenated, so each piece ends with a separator.
    log_format security_dos 'request_time=$request_time client_ip=$remote_addr, '
                            'request="$request", status=$status, '
                            'dos_policy=$app_protect_dos_policy_name, dos_protected_object=$app_protect_dos_vs_name, '
                            'dos_action=$app_protect_dos_outcome, dos_action_reason=$app_protect_dos_outcome_reason';

    server {
        location / {
            # Any value works; the if=$loggable condition is what lets App Protect DoS
            # throttle access log entries per outcome reason during an attack.
            set $loggable 1;
            access_log /var/log/nginx/access.log security_dos if=$loggable;
            # ... rest of the location configuration
        }
    }
}
```
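To make use of the enriched entries on the SOC side, the lines written in the security_dos format above can be parsed and aggregated by outcome and outcome reason. The following Python script is an added example, not part of the F5 documentation or the App Protect DoS product: it assumes the exact separators of the log_format shown above and runs over a handful of constructed sample lines (the IPs, policy name and protected object are placeholders). The Global_Rate reason carries a trailing ", value=<RPS>" as described in the table, and the parser surfaces that number as a separate integer field.

```python
import re
from collections import Counter

# Constructed sample lines in the security_dos format from the configuration above.
# Addresses, policy name and protected object are placeholders, not real data.
SAMPLE_LOG = """\
request_time=0.003 client_ip=192.0.2.10, request="GET /index.html HTTP/1.1", status=200, dos_policy=dos_policy, dos_protected_object=example.com, dos_action=Allow, dos_action_reason=Allow
request_time=0.001 client_ip=198.51.100.7, request="GET /api/items HTTP/1.1", status=503, dos_policy=dos_policy, dos_protected_object=example.com, dos_action=Block, dos_action_reason=Global_Rate, value=152
request_time=0.001 client_ip=198.51.100.7, request="GET /api/items HTTP/1.1", status=503, dos_policy=dos_policy, dos_protected_object=example.com, dos_action=Block, dos_action_reason=Bad_Actor
request_time=0.002 client_ip=203.0.113.5, request="POST /login HTTP/1.1", status=200, dos_policy=dos_policy, dos_protected_object=example.com, dos_action=Challenge, dos_action_reason=Signature
request_time=0.004 client_ip=192.0.2.11, request="GET /static/app.js HTTP/1.1", status=200, dos_policy=dos_policy, dos_protected_object=example.com, dos_action=Allow, dos_action_reason=Allowlist
"""

# key=value pairs; a value is either a double-quoted string (the $request field,
# which contains spaces) or a run of characters up to the next comma or space.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_line(line):
    """Turn one security_dos access log line into a dict of fields."""
    fields = {}
    for key, raw in PAIR_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    # A Global_Rate outcome reason is followed by ", value=<rps>"; expose it as an int
    # under a descriptive name instead of the bare "value" key.
    if "value" in fields:
        fields["global_rate_rps"] = int(fields.pop("value"))
    return fields


def parse_log(text):
    """Parse every non-empty line of an access log in the security_dos format."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize(entries):
    """Count entries by outcome and by outcome reason; anything not Allow is mitigated."""
    by_action = Counter(e.get("dos_action") for e in entries)
    by_reason = Counter(e.get("dos_action_reason") for e in entries)
    mitigated = [e for e in entries if e.get("dos_action") != "Allow"]
    return {"by_action": by_action, "by_reason": by_reason, "mitigated": mitigated}


def top_mitigated_clients(entries, n=3):
    """Client addresses with the most mitigated requests, for triage dashboards."""
    counts = Counter(e["client_ip"] for e in entries if e.get("dos_action") != "Allow")
    return counts.most_common(n)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    report = summarize(parsed)
    print("by action:", dict(report["by_action"]))
    print("by reason:", dict(report["by_reason"]))
    print("top mitigated clients:", top_mitigated_clients(parsed))
    for e in report["mitigated"]:
        if "global_rate_rps" in e:
            print(f"global rate mitigation at {e['global_rate_rps']} RPS for {e['dos_protected_object']}")
```

Because App Protect DoS caps the access log at 10 entries per second per outcome reason during an attack, the counts produced here reflect a sample of mitigated traffic rather than its full volume; use the Security log or the dashboard for absolute numbers, and treat these aggregates as a quick indicator of which reasons and which clients are active.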