Configure NGINX features with F5 WAF
This document shows examples of how to modify your NGINX configuration to enable F5 WAF for NGINX features.
It is intended as a reference for small, self-contained examples of how F5 WAF for NGINX can be configured.
Important constraints when F5 WAF for NGINX is enabled:
- Subrequest-based modules (modules that generate internal HTTP subrequests) are not supported when F5 WAF for NGINX (app_protect_enable) is applied to the same scope. As an alternative, it is recommended to enable F5 WAF for NGINX at an additional scope. In this configuration, F5 WAF for NGINX inspects only direct, client-facing HTTP requests, while internal subrequests fall outside that scope and are not inspected.
- Modules that require the HTTP Range header are not supported in the same configuration scope as app_protect_enable on. Place Range-dependent configuration in a server or location block without F5 WAF for NGINX enabled.
For additional information on configuring NGINX, see the NGINX documentation.
F5 WAF for NGINX inspects direct client-facing requests, but does not inspect internal subrequests generated by subrequest-based modules.
Examples of subrequest-based modules:
- Slice
- Mirror
- Client authorization
- njs
load_module modules/ngx_http_app_protect_module.so;
http {
    # Slice: the WAF-enabled front end proxies to a second server that does the slicing.
    server {
        listen 127.0.0.1:8080;
        server_name localhost;
        location / {
            app_protect_enable on;
            proxy_pass http://127.0.0.1:8081$request_uri;
        }
    }
    server {
        listen 127.0.0.1:8081;
        server_name localhost;
        location / {
            proxy_pass http://1.2.3.4$request_uri;
            slice 2;
            proxy_set_header Range $slice_range;
        }
    }
}

load_module modules/ngx_http_app_protect_module.so;
http {
    # Mirror: the mirror subrequest is handled by /mirror, which has no app_protect_enable.
    log_format test $uri;
    server {
        listen 127.0.0.1:8080;
        server_name localhost;
        location / {
            app_protect_enable on;
            mirror /mirror;
        }
        location /mirror {
            log_subrequest on;
            access_log test$args.log test;
        }
    }
}

load_module modules/ngx_http_app_protect_module.so;
http {
    # Client authorization: the auth_request subrequest goes to /scan, which proxies
    # to the WAF-enabled server on port 8081 as a direct request.
    server {
        listen 127.0.0.1:8080;
        server_name localhost;
        location / {
            auth_request /scan;
            proxy_pass http://localhost:8888;
        }
        location /scan {
            proxy_pass http://localhost:8081$request_uri;
        }
    }
    server {
        listen 127.0.0.1:8081;
        server_name localhost;
        location /scan {
            app_protect_enable on;
            proxy_pass http://localhost:8888;
        }
    }
}

load_module modules/ngx_http_app_protect_module.so;
load_module modules/ngx_http_js_module.so;
http {
    # njs: js_content runs on the second server, behind the WAF-enabled front end.
    # js_include was removed in njs 0.7.1; newer versions use js_import instead.
    js_include service.js;
    server {
        listen 127.0.0.1:8080;
        server_name localhost;
        location / {
            app_protect_enable on;
            proxy_pass http://127.0.0.1:8081$request_uri;
        }
    }
    server {
        listen 127.0.0.1:8081;
        server_name localhost;
        location / {
            js_content foo;
        }
    }
}

Features that add or depend on the HTTP Range header are unsupported in the same scope as app_protect_enable on. Place Range-dependent logic in a separate scope that does not enable F5 WAF for NGINX, and have the WAF-enabled front end proxy to that backend.
Examples of Range-dependent features:
- Static location
- Range
load_module modules/ngx_http_app_protect_module.so;
http {
    # Static location: the WAF-enabled location proxies back to /proxy, which returns the response.
    server {
        listen 127.0.0.1:8080;
        server_name localhost;
        location / {
            app_protect_enable on;
            proxy_pass http://127.0.0.1:8080/proxy/$request_uri;
        }
        location /proxy {
            default_type text/html;
            return 200 "Hello! I got your URI request - $request_uri\n";
        }
    }
}

load_module modules/ngx_http_app_protect_module.so;
http {
    # Range: proxy_force_ranges sits on the second server, outside the WAF-enabled scope.
    server {
        listen 127.0.0.1:8080;
        server_name localhost;
        location / {
            app_protect_enable on;
            proxy_pass http://127.0.0.1:8081$request_uri;
        }
    }
    server {
        listen 127.0.0.1:8081;
        server_name localhost;
        location / {
            proxy_pass http://1.2.3.4$request_uri;
            proxy_force_ranges on;
        }
    }
}
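
The scope rules for subrequest-based and Range-dependent features can be checked before a reload. The following is an added example, not F5 or NGINX tooling: a small linter that reports listed directives sitting in a scope where app_protect_enable is effectively on. Assumptions: the FLAGGED list and the function names are choices made for this example, app_protect_enable is treated as inherited by nested blocks, and mirror is not flagged because the Mirror example above keeps it beside app_protect_enable.

```python
import re

# Directives the page's examples keep out of WAF scopes (a list chosen for this example).
FLAGGED = {"slice", "auth_request", "js_content", "proxy_force_ranges"}

def tokenize(conf):
    # Quoted strings, comments, punctuation, then bare words; comments are dropped.
    toks = re.findall(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};]+', conf)
    return [t for t in toks if not t.startswith("#")]

def parse(conf):
    """Build a tree of blocks, recording app_protect_enable and flagged directives."""
    root = {"name": "main", "waf": None, "hits": [], "kids": []}
    stack, words = [root], []
    for tok in tokenize(conf):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            node = {"name": " ".join(words), "waf": None, "hits": [], "kids": []}
            stack[-1]["kids"].append(node)
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif words[:1] == ["app_protect_enable"]:
            stack[-1]["waf"] = words[1:] == ["on"]
        elif words and (words[0] in FLAGGED or
                        [w.lower() for w in words[:2]] == ["proxy_set_header", "range"]):
            stack[-1]["hits"].append(" ".join(words))
        words = []
    return root

def find_conflicts(node, inherited=False, path=""):
    """Return (scope, directive) pairs where the effective app_protect_enable is on."""
    waf = inherited if node["waf"] is None else node["waf"]
    here = f"{path} > {node['name']}" if path else node["name"]
    out = [(here, d) for d in node["hits"]] if waf else []
    for kid in node["kids"]:
        out += find_conflicts(kid, waf, here)
    return out

# Constructed samples: SAME_SCOPE mixes slice with the WAF; SPLIT follows the page's layout.
SAME_SCOPE = """http { server { app_protect_enable on;
  location / { slice 2; proxy_set_header Range $slice_range; proxy_pass http://1.2.3.4; } } }"""
SPLIT = """http {
  server { listen 127.0.0.1:8080; location / { app_protect_enable on; proxy_pass http://127.0.0.1:8081; } }
  server { listen 127.0.0.1:8081; location / { slice 2; proxy_set_header Range $slice_range; } } }"""

if __name__ == "__main__":
    print(find_conflicts(parse(SAME_SCOPE)), find_conflicts(parse(SPLIT)))
```

The tokenizer covers plain directive and block syntax only; embedded code blocks and `${var}` forms are outside what it handles.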