Skip to content

feat: Clarify subrequest information for F5 WAF #1445

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 20, 2025
Merged

feat: Clarify subrequest information for F5 WAF #1445

merged 2 commits into from
Nov 20, 2025

Conversation

@ADubhlaoich
Copy link
Member

@ADubhlaoich ADubhlaoich commented Nov 14, 2025
edited
Loading

Proposed changes

This commit updates the Configure NGINX features with F5 WAF document by clarifying the language around subrequest limitations. The prior phrasing leads by suggesting they do not work at all.

The new phrasing explains that it works, but has a caveat. Further language has been clarified in the sentence following it, supporting the overall structure of the document.

Closes #1436

Checklist

Before sharing this pull request, I completed the following checklist:

Footnotes

  1. Potentially sensitive information includes personally identify information (PII), authentication credentials, and live URLs. Refer to the style guide for guidance about placeholder content.

@ADubhlaoich
feat: Clarify subrequest information for F5 WAF
d8c5a29 
This commit updates the Configure NGINX features with F5 WAF document by
clarifying the language around subrequest limitations. The prior
phrasing leads by suggesting they do not work at all.

The new phrasing explains that it works, but has a caveat. Further
language has been clarified in the sentence following it, supporting the
overall structure of the document.

Closes #1436
@ADubhlaoich ADubhlaoich requested a review from a team as a code owner November 14, 2025 16:34
@github-actions github-actions bot added documentation Improvements or additions to documentation product/waf Issues related to F5 WAF for NGINX labels Nov 14, 2025
@github-actions
Copy link

github-actions bot commented Nov 14, 2025

Deploy Preview will be available once build job completes!

Name Link
😎 Deploy Preview https://frontdoor-test-docs.nginx.com/previews/docs/1445/

@ADubhlaoich ADubhlaoich requested a review from a team November 14, 2025 16:37
@ohad-perets
Copy link
Contributor

ohad-perets commented Nov 16, 2025

Looks good, Daniel K is working on an example for the sub-request.

@dkleinF5
Copy link

dkleinF5 commented Nov 17, 2025

Is it possible @ADubhlaoich to add this example in?
I was thinking about something around the lines like
1 Install NGINX Plus with NJS Module
2 Apply the Provided nginx.conf and example.js
nginx.conf

user nginx;
worker_processes  4;
#daemon off;

load_module modules/ngx_http_app_protect_module.so;
load_module modules/ngx_http_js_module.so;

error_log /var/log/nginx/error.log warn;

events {
    worker_connections  65536;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    js_import main from example.js;

    server {
        listen       80;
        server_name  localhost;
        proxy_http_version 1.1;
        app_protect_enable on;

        location / {
            proxy_pass    http://127.0.0.1:8080/foo/$request_uri;
        }
    }
    server {
        listen       127.0.0.1:8080;
        server_name  localhost;
        proxy_http_version 1.1;

        location /foo {
            js_content main.fetch_subrequest;
        }

        location / {
            internal;
            return 200  "Hello! I got your URI request - $request_uri\n";
        }
    }
}

example.js

async function fetch_subrequest(r) {
    let reply = await r.subrequest('/<script>');
    let response = {
        uri: reply.uri,
        code: reply.status,
        body: reply.responseText,
    };
    r.return(200, JSON.stringify(response));
}

export default {join};

3 Test App Protect Enforcement and Bypass
curl "localhost/"
{"uri":"/<script>>","code":200,"body":"Hello! I got your URI request - /foo//\n"}
This request goes to /, which is configured to use the NJS module. The NJS handler makes an internal subrequest to /<script>.
Even though a direct request to /<script> would be blocked by App Protect, the internal subrequest is not inspected or blocked by App Protect and is processed successfully.
curl "localhost/<script>"
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 123456789<br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>
The request to /<script> is client-facing and is inspected and blocked by App Protect according to your configured security policies.

@JTorreG
Copy link
Contributor

JTorreG commented Nov 20, 2025

@dkleinF5 can you suggest that change creating an issue in the repository?

Alan is on PTO and I don't want to block progress in this PR. We can address that separately

@JTorreG JTorreG merged commit 04e2a5a into main Nov 20, 2025
9 checks passed
@JTorreG JTorreG deleted the waf/subrequest-note branch November 20, 2025 14:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mjang mjang mjang approved these changes

@JTorreG JTorreG JTorreG approved these changes

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation product/waf Issues related to F5 WAF for NGINX

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Request]: Clarify NGINX configuration limitations for F5 WAF for NGINX

6 participants

@ADubhlaoich @ohad-perets @dkleinF5 @JTorreG @mjang