http-waf #

Handy, High performance Nginx firewall module.

Source: upstream source

Directives

waf #

syntax: waf on | off;  ·  context: http, server, location

Enables, disables, or sets ngx_waf to bypass (log-only) mode for the given context.

waf_action #

syntax: waf_action 1 arg;  ·  context: http, server, location

Configures the action taken when blacklist, CC-protection, ModSecurity, or bot-verification checks block a request.

waf_block_page #

syntax: waf_block_page 1 arg;  ·  context: http, server, location

Specifies the HTML page returned to clients when ngx_waf blocks a request.

waf_cache #

syntax: waf_cache 1 arg;  ·  context: server, location

Configures caching of inspection results, including capacity, to speed up repeated rule checks.

waf_captcha #

syntax: waf_captcha 1 arg;  ·  context: http, server, location

Configures CAPTCHA-based human verification, including provider, sitekey, secret, expiry, and related parameters.

waf_cc_deny #

syntax: waf_cc_deny 1 arg;  ·  context: server, location

Enables CC (challenge collapsar) attack protection that automatically blocks IPs exceeding a request-rate threshold.

waf_mode #

syntax: waf_mode 1+ args;  ·  context: http, server, location

Specifies which inspection modes (methods, IP, URL, CC, cache, etc.) ngx_waf enables for the context.

waf_modsecurity #

syntax: waf_modsecurity 1 arg;  ·  context: http, server, location

Enables ModSecurity rule inspection using a local rule file and/or a remotely fetched rule file.

waf_modsecurity_transaction_id #

syntax: waf_modsecurity_transaction_id 1 arg;  ·  context: http, server, location

Specifies the transaction ID string, optionally built from variables, used for ModSecurity logging.

waf_priority #

syntax: waf_priority 1 arg;  ·  context: http, server, location

Sets the ordered priority in which ngx_waf runs its various inspection processes.

waf_rule_path #

syntax: waf_rule_path 1 arg;  ·  context: http, server, location

Sets the absolute directory path, ending in a slash, where ngx_waf rule files are located.

waf_under_attack #

syntax: waf_under_attack 1 arg;  ·  context: http, server, location

Enables/disables the WAF's five-second-shield JS challenge page, optionally loading a custom HTML page from file=.

waf_verify_bot #

syntax: waf_verify_bot 1 arg;  ·  context: http, server, location

Verifies that requests claiming to be Google, Bing, Baidu, or Yandex crawlers actually originate from those crawlers' IPs.

waf_zone #

syntax: waf_zone 2 args;  ·  context: http

Declares a named shared-memory zone (name=/size=) used by the WAF module to store state such as rate-limit counters.

Example

waf on;
waf_mode FULL;
waf_rule_path ${base_dir}/waf/rules/;
waf_cc_deny off rate=100r/m;
waf_cache off capacity=50;
waf_modsecurity on file=${base_dir}/waf/modsec/modsecurity.conf;
waf_modsecurity_transaction_id modsecurity_transaction_id;

location /t {

}

↑ back to index