nginx · kudriavitsky · May 8, 2025 · May 8, 2025 · May 8, 2025 · May 8, 2025
@@ -0,0 +1,73 @@
+#### IP-Groups feature as part of Override Rules feature.
+
+The Override Rules feature allows you to modify original or parent policy settings.
+
+Rules are defined using specific conditions, which can include an IP group based on the declarative policy JSON schema.
+
+When triggered, the rule is applied to the _clientIp_ attribute using the _matches_ function.
+
+'clientIp.matches(ipAddressLists["standalone"])'
+
+Here is a policy example:
+
+```json
+{ 
+  "policy": { 
+    "name": "ip_group_override_rule", 
+    "template": { 
+      "name": "POLICY_TEMPLATE_NGINX_BASE" 
+    }, 
+    "applicationLanguage": "utf-8", 
+    "caseInsensitive": false, 
+    "enforcementMode": "blocking", 
+    "ip-address-lists": [ 
+      { 
+        "name": "standalone", 
+        "description": "This is my list of IP addresses", 
+        "ipAddresses": [ 
+          { 
+            "ipAddress": "6.5.3.3/32" 
+          }, 
+          { 
+            "ipAddress": "6.5.4.2" 
+          } 
+        ] 
+      } 
+     ], 
+     "override-rules": [ 
+      { 
+        "name": "myFirstRule", 
+        "condition": "clientIp.matches(ipAddressLists['standalone'])", 
+        "actionType": "violation", 
+        "violation": { 
+          "block": true, 
+          "alarm": true, 
+          "attackType": { 
+            "name": "Forceful Browsing" 
+          }, 
+          "description": "Attempt to access from clientIp", 
+          "rating": 4
+        }
+      }
+    ],
+    "general": {
+      "trustXff": true
+    }
+  }
+}
+```
+
+The previous example policy contains an IP group with the name "standalone", used for the override rule condition "clientIp.matches(ipAddressLists['standalone'])".
+The condition means that the rule enforcement is applied when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone". 
+The value used for the override condition must exist and exactly match the name in "ip-address-lists".  
+
+#### Possible errors
+
+| Error text | Input          | Explanation |
+| -----------| ------------- | ------------ |
+| _Invalid field invalidList_ | _clientIp.matches(invalidList['standalone']);_ | An incorrect keyword was used instead of _ipAddressLists_ |
+| _Invalid value empty string_ | _clientIp.matches(ipAddressLists['']_ | An empty name was provided |
+| _Failed to compile policy - 'ipGroupOverridePolicy'_ | _uri.matches(ipAddressLists['standalone']);_ |  Used _ipAddressLists_ without the _clientIP_ attribute |
+
+
+
@@ -0,0 +1,86 @@
+IP groups is a feature to organize lists of allowed and forbidden IP addresses across several lists with common attributes.
+
+This allows you to control unique policy settings for incoming requests based on specific IP addresses.
+
+Each IP Group contains a unique name, enforcement type (_always_, _never_ and _policy-default_), and list of IP addresses.
+
+
+An example of a declarative policy using IP Groups configuration: 
+
+```json
+{ 
+  "policy": { 
+    "name": "IpGroups_policy", 
+    "template": { 
+       "name": "POLICY_TEMPLATE_NGINX_BASE" 
+    }, 
+    "applicationLanguage": "utf-8", 
+    "caseInsensitive": false, 
+    "enforcementMode": "blocking", 
+    "ip-address-lists": [ 
+       { 
+         "name": "Standalone",
+         "description": "Optional Description",
+         "blockRequests": "policy-default",
+         "setGeolocation": "IN",
+         "ipAddresses": [
+          {
+             "ipAddress": "1.2.3.4/32"
+          },
+          {
+             "ipAddress": "1111:fc00:0:112::2"
+          }
+        ]
+      }
+    ]
+  }
+}
+
+```
+The example with IP-Group definition in external file external_ip_groups.json:
+
+```json
+{
+  "policy": { 
+    "name": "IpGroups_policy2", 
+    "template": { 
+       "name": "POLICY_TEMPLATE_NGINX_BASE" 
+    }, 
+    "applicationLanguage": "utf-8", 
+    "caseInsensitive": false, 
+    "enforcementMode": "blocking", 
+    "ip-address-lists": [
+      { 
+        "name": "external_ip_groups",
+        "description": "Optional Description",
+        "blockRequests": "always",
+        "setGeolocation": "IL",
+        "ipAddresses": [ 
+           {
+             "ipAddress": "31.8.194.27"
+           }
+        ],
+        "$ref": "file:///tmp/policy/external_ip_groups.json"
+      }
+    ]
+  }
+}
+```
+Example of the file external_ip_groups.json
+
+```json
+{ 
+    "name": "External Ip Groups List",
+    "description": "Optional Description",
+    "blockRequests": "always",
+    "setGeolocation": "IR",
+    "ipAddresses": [
+      {
+        "ipAddress": "66.51.41.21"
+      },
+      {
+        "ipAddress": "66.52.42.22"
+      }
+    ]
+}
+```
@@ -478,6 +478,15 @@ For the full reference of Override Rules condition syntax and usage see the NGIN
 
 {{< include "nap-waf/config/common/geolocation-override-rules.md" >}}
 
+## IP Groups
+
+### Overview
+
+{{< include "nap-waf/config/common/ip-groups-overview.md" >}}
+
+### IP Groups in Policy Override Rules Conditions
+
+{{< include "nap-waf/config/common/ip-groups-override-rules.md" >}}
 
 ## JSON Web Token Protection
 

@@ -475,6 +475,16 @@ For the full reference of Override Rules condition syntax and usage see the NGIN
 
 {{< include "nap-waf/config/common/geolocation-override-rules.md" >}}
 
+## IP Groups
+
+### Overview
+
+{{< include "nap-waf/config/common/ip-groups-overview.md" >}}
+
+### IP Groups in Policy Override Rules Conditions
+
+{{< include "nap-waf/config/common/ip-groups-override-rules.md" >}}
+
 ## JSON Web Token Protection
 
 ### Overview