http-waf #
Handy, High performance Nginx firewall module.
Source: upstream source
Directives
waf #
syntax: waf on | off; · context: http, server, location
Enables, disables, or sets ngx_waf to bypass (log-only) mode for the given context.
waf_action #
syntax: waf_action 1 arg; · context: http, server, location
Configures the action taken when blacklist, CC-protection, ModSecurity, or bot-verification checks block a request.
waf_block_page #
syntax: waf_block_page 1 arg; · context: http, server, location
Specifies the HTML page returned to clients when ngx_waf blocks a request.
waf_cache #
syntax: waf_cache 1 arg; · context: server, location
Configures caching of inspection results, including capacity, to speed up repeated rule checks.
waf_captcha #
syntax: waf_captcha 1 arg; · context: http, server, location
Configures CAPTCHA-based human verification, including provider, sitekey, secret, expiry, and related parameters.
waf_cc_deny #
syntax: waf_cc_deny 1 arg; · context: server, location
Enables CC (challenge collapsar) attack protection that automatically blocks IPs exceeding a request-rate threshold.
waf_mode #
syntax: waf_mode 1+ args; · context: http, server, location
Specifies which inspection modes (methods, IP, URL, CC, cache, etc.) ngx_waf enables for the context.
waf_modsecurity #
syntax: waf_modsecurity 1 arg; · context: http, server, location
Enables ModSecurity rule inspection using a local rule file and/or a remotely fetched rule file.
waf_modsecurity_transaction_id #
syntax: waf_modsecurity_transaction_id 1 arg; · context: http, server, location
Specifies the transaction ID string, optionally built from variables, used for ModSecurity logging.
waf_priority #
syntax: waf_priority 1 arg; · context: http, server, location
Sets the ordered priority in which ngx_waf runs its various inspection processes.
waf_rule_path #
syntax: waf_rule_path 1 arg; · context: http, server, location
Sets the absolute directory path, ending in a slash, where ngx_waf rule files are located.
waf_under_attack #
syntax: waf_under_attack 1 arg; · context: http, server, location
Enables/disables the WAF's five-second-shield JS challenge page, optionally loading a custom HTML page from file=.
waf_verify_bot #
syntax: waf_verify_bot 1 arg; · context: http, server, location
Verifies that requests claiming to be Google, Bing, Baidu, or Yandex crawlers actually originate from those crawlers' IPs.
waf_zone #
syntax: waf_zone 2 args; · context: http
Declares a named shared-memory zone (name=/size=) used by the WAF module to store state such as rate-limit counters.
Example
waf on;
waf_mode FULL;
waf_rule_path ${base_dir}/waf/rules/;
waf_cc_deny off rate=100r/m;
waf_cache off capacity=50;
waf_modsecurity on file=${base_dir}/waf/modsec/modsecurity.conf;
waf_modsecurity_transaction_id modsecurity_transaction_id;
location /t {
}