From 49391733b8a869110e1e5ba5d1e647adff45ce9a Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Tue, 2 Dec 2025 16:00:31 +0000
Subject: [PATCH 01/21] fixed nginx conf

---
 content/waf/configure/nginx-features.md | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 60e763138..0bcfba2b8 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -35,22 +35,15 @@ The following example demonstrates the general rule:
 
 {{< tabs name="subrequest-example" >}}
 
-{{% tab name="nginx.js" %}}
+{{% tab name="nginx.conf" %}}
 
 ```nginx
 user nginx;
-worker_processes  4;
-#daemon off;
+worker_processes  auto;
 
 load_module modules/ngx_http_app_protect_module.so;
 load_module modules/ngx_http_js_module.so;
 
-error_log /var/log/nginx/error.log warn;
-
-events {
-    worker_connections  65536;
-}
-
 http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;

From 95227b5b550754ad4e21bd05c8317f451282d592 Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Tue, 2 Dec 2025 16:56:14 +0000
Subject: [PATCH 02/21] fix: changed the order

---
 content/waf/configure/nginx-features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 0bcfba2b8..6a25b7886 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -26,10 +26,10 @@ F5 WAF for NGINX will secure and inspect direct client-facing requests, but will
 
 This applies to:
 
+* njs (r.subrequest)
 * Client authorization (auth_request)
 * Mirror (mirror)
 * SSI (virtual include)
-* njs (r.subrequest)
 
 The following example demonstrates the general rule:
 

From ca3a9240ca02ae8a47418b8c009d06cde720fb19 Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Wed, 3 Dec 2025 09:48:10 +0000
Subject: [PATCH 03/21] doc: change the format

---
 content/waf/configure/nginx-features.md | 143 ++++++++++++++----------
 1 file changed, 82 insertions(+), 61 deletions(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 6a25b7886..1fc1c44c5 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -11,27 +11,29 @@ nd-content-type: reference
 # Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
 nd-product: NAP-WAF
 ---
-
-This document shows example of how to modify your NGINX configuration to enable F5 WAF for NGINX features. 
+This document shows examples of how to modify your NGINX configuration to enable F5 WAF for NGINX features. 
 
 It is intended as a reference for small, self-contained examples of how F5 WAF for NGINX can be configured. 
 
-Modules requiring the _Range_ header (Such as _Slice_) are unsupported in a scope which enables F5 WAF for NGINX. The examples below work around the contraints of these modules.
+Important constraints when F5 WAF for NGINX is enabled:
+
+- Subrequest-based modules (NGINX modules that create internal HTTP subrequests) are not inspected in any scope block where __app_protect_enable on__ is set. F5 WAF for NGINX inspects only direct, client-facing HTTP requests.
+- Modules that require the HTTP Range header are not supported in the same configuration scope as __app_protect_enable on__. Place Range-dependent configuration in a server or location block without F5 WAF for NGINX enabled.
 
 For additional information on configuring NGINX, you should view the [NGINX documentation]({{< ref "/nginx/" >}}).
 
-## Internal subrequests
+## Subrequest-based modules
 
-F5 WAF for NGINX will secure and inspect direct client-facing requests, but will not inspect internal subrequests triggered by modules.
+F5 WAF for NGINX inspects direct client-facing requests, but does not inspect internal subrequests generated by subrequest-based modules. 
 
-This applies to:
+Examples of subrequest-based modules:
 
 * njs (r.subrequest)
 * Client authorization (auth_request)
 * Mirror (mirror)
 * SSI (virtual include)
 
-The following example demonstrates the general rule:
+### Example
 
 {{< tabs name="subrequest-example" >}}
 
@@ -41,6 +43,10 @@ The following example demonstrates the general rule:
 user nginx;
 worker_processes  auto;
 
+events {
+    worker_connections  1024;
+}
+
 load_module modules/ngx_http_app_protect_module.so;
 load_module modules/ngx_http_js_module.so;
 
@@ -125,59 +131,11 @@ Your support ID is: 123456789
 <a href='javascript:history.back();'>[Go Back]</a></body></html>
 ```
 
-## Static location
-
-```nginx
-load_module modules/ngx_http_app_protect_module.so;
-
-http {
-    server {
-        listen       127.0.0.1:8080;
-        server_name  localhost;
-
-        location / {
-            app_protect_enable on;
-            proxy_pass    http://127.0.0.1:8080/proxy/$request_uri;
-        }
-
-        location /proxy {
-            default_type text/html;
-            return 200 "Hello! I got your URI request - $request_uri\n";
-        }
-    }
-}
-```
-
-## Range
-
-```nginx
-load_module modules/ngx_http_app_protect_module.so;
-
-http {
+### Additional subrequest-based examples
 
-    server {
-        listen       127.0.0.1:8080;
-        server_name  localhost;
+These examples show other subrequest-based modules. In each case, internal subrequests are not inspected by WAF.
 
-        location / {
-            app_protect_enable on;
-            proxy_pass    http://127.0.0.1:8081$request_uri;
-        }
-    }
-
-    server {
-        listen       127.0.0.1:8081;
-        server_name  localhost;
-
-        location / {
-            proxy_pass http://1.2.3.4$request_uri;
-            proxy_force_ranges on;
-        }
-    }
-}
-```
-
-## Slice
+#### Slice
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -206,7 +164,7 @@ http {
 }
 ```
 
-## Mirror
+#### Mirror
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -231,7 +189,7 @@ http {
 }
 ```
 
-## njs
+#### njs
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -261,7 +219,7 @@ http {
 }
 ```
 
-## Client authorization
+#### Client authorization
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -290,4 +248,67 @@ http {
         }
     }
 }
+```
+
+## Range header–dependent modules
+
+Features that add or depend on the HTTP Range header are unsupported in the same scope as __app_protect_enable__ on. Place Range-dependent logic in a separate scope that does not enable F5 WAF for NGINX, and have the F5 WAF for NGINX enable frontend proxy to that backend.
+
+Examples of Range-dependent features:
+
+- Static location
+- Range
+
+### Additional range-based examples
+
+### Static location
+
+```nginx
+load_module modules/ngx_http_app_protect_module.so;
+
+http {
+    server {
+        listen       127.0.0.1:8080;
+        server_name  localhost;
+
+        location / {
+            app_protect_enable on;
+            proxy_pass    http://127.0.0.1:8080/proxy/$request_uri;
+        }
+
+        location /proxy {
+            default_type text/html;
+            return 200 "Hello! I got your URI request - $request_uri\n";
+        }
+    }
+}
+```
+
+### Range
+
+```nginx
+load_module modules/ngx_http_app_protect_module.so;
+
+http {
+
+    server {
+        listen       127.0.0.1:8080;
+        server_name  localhost;
+
+        location / {
+            app_protect_enable on;
+            proxy_pass    http://127.0.0.1:8081$request_uri;
+        }
+    }
+
+    server {
+        listen       127.0.0.1:8081;
+        server_name  localhost;
+
+        location / {
+            proxy_pass http://1.2.3.4$request_uri;
+            proxy_force_ranges on;
+        }
+    }
+}
 ```
\ No newline at end of file

From d61c323054c18cfeaf716166a0b8488bb27938d3 Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Wed, 3 Dec 2025 13:15:32 +0000
Subject: [PATCH 04/21] fix header

---
 content/waf/configure/nginx-features.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 1fc1c44c5..5a59f7455 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -261,7 +261,7 @@ Examples of Range-dependent features:
 
 ### Additional range-based examples
 
-### Static location
+#### Static location
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -284,7 +284,7 @@ http {
 }
 ```
 
-### Range
+#### Range
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;

From 2abfda93756cdf5d26b76745afc3d100673b6187 Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Wed, 3 Dec 2025 13:39:11 +0000
Subject: [PATCH 05/21] added back slice

---
 content/waf/configure/nginx-features.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 5a59f7455..186a210d1 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -28,10 +28,10 @@ F5 WAF for NGINX inspects direct client-facing requests, but does not inspect in
 
 Examples of subrequest-based modules:
 
-* njs (r.subrequest)
-* Client authorization (auth_request)
-* Mirror (mirror)
-* SSI (virtual include)
+* njs 
+* Client authorization 
+* Slice 
+* Mirror 
 
 ### Example
 

From 5d43bb490bf95b1f4f65bd8a2eff7a5f431bf830 Mon Sep 17 00:00:00 2001
From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com>
Date: Wed, 3 Dec 2025 15:46:48 +0200
Subject: [PATCH 06/21] Update content/waf/configure/nginx-features.md

Co-authored-by: yar <y82@users.noreply.github.com>
---
 content/waf/configure/nginx-features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 186a210d1..4ebd525d0 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -273,7 +273,7 @@ http {
 
         location / {
             app_protect_enable on;
-            proxy_pass    http://127.0.0.1:8080/proxy/$request_uri;
+            proxy_pass         http://127.0.0.1:8080/proxy/$request_uri;
         }
 
         location /proxy {

From e729539cb6d3efb90c5225cc9e4a03994bb5ab56 Mon Sep 17 00:00:00 2001
From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com>
Date: Wed, 3 Dec 2025 15:46:55 +0200
Subject: [PATCH 07/21] Update content/waf/configure/nginx-features.md

Co-authored-by: yar <y82@users.noreply.github.com>
---
 content/waf/configure/nginx-features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 4ebd525d0..b820ea25f 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -306,7 +306,7 @@ http {
         server_name  localhost;
 
         location / {
-            proxy_pass http://1.2.3.4$request_uri;
+            proxy_pass         http://1.2.3.4$request_uri;
             proxy_force_ranges on;
         }
     }

From ab30a55677c6c0f9fd5a406502d4ed0397cdf49a Mon Sep 17 00:00:00 2001
From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com>
Date: Wed, 3 Dec 2025 15:47:02 +0200
Subject: [PATCH 08/21] Update content/waf/configure/nginx-features.md

Co-authored-by: yar <y82@users.noreply.github.com>
---
 content/waf/configure/nginx-features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index b820ea25f..14f05a55c 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -297,7 +297,7 @@ http {
 
         location / {
             app_protect_enable on;
-            proxy_pass    http://127.0.0.1:8081$request_uri;
+            proxy_pass         http://127.0.0.1:8081$request_uri;
         }
     }
 

From 4a636167a88680b0fe42610cc019e5245c7d86d3 Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Wed, 3 Dec 2025 13:49:43 +0000
Subject: [PATCH 09/21] added more space by proxy pass

---
 content/waf/configure/nginx-features.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 14f05a55c..99b3cc922 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -64,7 +64,7 @@ http {
         app_protect_enable on;
 
         location / {
-            proxy_pass    http://127.0.0.1:8080/foo/$request_uri;
+            proxy_pass        http://127.0.0.1:8080/foo/$request_uri;
         }
     }
     server {
@@ -147,7 +147,7 @@ http {
 
         location / {
             app_protect_enable on;
-            proxy_pass http://127.0.0.1:8081$request_uri;
+            proxy_pass        http://127.0.0.1:8081$request_uri;
         }
     }
 
@@ -156,7 +156,7 @@ http {
         server_name localhost;
 
         location / {
-            proxy_pass http://1.2.3.4$request_uri;
+            proxy_pass        http://1.2.3.4$request_uri;
             slice 2;
             proxy_set_header Range $slice_range;
         }
@@ -204,7 +204,7 @@ http {
 
         location / {
             app_protect_enable on;
-            proxy_pass    http://127.0.0.1:8081$request_uri;
+            proxy_pass        http://127.0.0.1:8081$request_uri;
         }
     }
 
@@ -231,10 +231,10 @@ http {
 
         location / {
             auth_request /scan;
-            proxy_pass http://localhost:8888;
+            proxy_pass        http://localhost:8888;
         }
         location /scan {
-            proxy_pass http://localhost:8081$request_uri;
+            proxy_pass        http://localhost:8081$request_uri;
        }
     }
 
@@ -244,7 +244,7 @@ http {
 
         location /scan {
             app_protect_enable on;
-            proxy_pass http://localhost:8888;
+            proxy_pass        http://localhost:8888;
         }
     }
 }
@@ -273,7 +273,7 @@ http {
 
         location / {
             app_protect_enable on;
-            proxy_pass         http://127.0.0.1:8080/proxy/$request_uri;
+            proxy_pass        http://127.0.0.1:8080/proxy/$request_uri;
         }
 
         location /proxy {

From 7f479f83533e149d9f6f84f0e58279e8a2664945 Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Wed, 3 Dec 2025 14:00:55 +0000
Subject: [PATCH 10/21] removed 4th level header

---
 content/waf/configure/nginx-features.md | 240 ++++++++++++------------
 1 file changed, 117 insertions(+), 123 deletions(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 99b3cc922..077ee2a93 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -28,114 +28,12 @@ F5 WAF for NGINX inspects direct client-facing requests, but does not inspect in
 
 Examples of subrequest-based modules:
 
-* njs 
-* Client authorization 
 * Slice 
+* Client authorization 
 * Mirror 
+* njs 
 
-### Example
-
-{{< tabs name="subrequest-example" >}}
-
-{{% tab name="nginx.conf" %}}
-
-```nginx
-user nginx;
-worker_processes  auto;
-
-events {
-    worker_connections  1024;
-}
-
-load_module modules/ngx_http_app_protect_module.so;
-load_module modules/ngx_http_js_module.so;
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-    sendfile        on;
-    keepalive_timeout  65;
-    js_import main from example.js;
-
-    server {
-        listen       80;
-        server_name  localhost;
-        proxy_http_version 1.1;
-        app_protect_enable on;
-
-        location / {
-            proxy_pass        http://127.0.0.1:8080/foo/$request_uri;
-        }
-    }
-    server {
-        listen       127.0.0.1:8080;
-        server_name  localhost;
-        proxy_http_version 1.1;
-
-        location /foo {
-            js_content main.fetch_subrequest;
-        }
-
-        location / {
-            internal;
-            return 200  "Hello! I got your URI request - $request_uri\n";
-        }
-    }
-}
-```
-
-{{% /tab %}}
-
-{{% tab name="example.js" %}}
-
-```js
-async function fetch_subrequest(r) {
-    let reply = await r.subrequest('/<script>');
-    let response = {
-        uri: reply.uri,
-        code: reply.status,
-        body: reply.responseText,
-    };
-    r.return(200, JSON.stringify(response));
-}
-
-export default {join};
-```
-
-{{% /tab %}}
-
-{{< /tabs >}}
-
-If the njs handler triggers an internal subrequest to `/<script>`, it is not inspected by F5 WAF for NGINX and succeeds: 
-
-```shell
-curl "localhost/"  
-```
-
-```text
-{"uri":"/<script>","code":200,"body":"Hello! I got your URI request - /foo//\n"}
-
-```
-
-However, if a direct, client-facing request attempts to trigger the same URL, it is inspected by F5 WAF for NGINX and is blocked according to the security policy.
-
-```shell
-curl "localhost/<script>"
-```
-
-```text
-<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.
-
-Your support ID is: 123456789
-
-<a href='javascript:history.back();'>[Go Back]</a></body></html>
-```
-
-### Additional subrequest-based examples
-
-These examples show other subrequest-based modules. In each case, internal subrequests are not inspected by WAF.
-
-#### Slice
+### Slice module example
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -164,7 +62,7 @@ http {
 }
 ```
 
-#### Mirror
+### Mirror module example
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -189,7 +87,38 @@ http {
 }
 ```
 
-#### njs
+### Client authorization module example
+
+```nginx
+load_module modules/ngx_http_app_protect_module.so;
+
+http {
+    server {
+        listen       127.0.0.1:8080;
+        server_name  localhost;
+
+        location / {
+            auth_request /scan;
+            proxy_pass        http://localhost:8888;
+        }
+        location /scan {
+            proxy_pass        http://localhost:8081$request_uri;
+       }
+    }
+
+    server {
+        listen       127.0.0.1:8081;
+        server_name  localhost;
+
+        location /scan {
+            app_protect_enable on;
+            proxy_pass        http://localhost:8888;
+        }
+    }
+}
+```
+
+### njs module example
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -219,37 +148,104 @@ http {
 }
 ```
 
-#### Client authorization
+### General example (njs subrequest-based module)
+
+{{< tabs name="subrequest-example" >}}
+
+{{% tab name="nginx.conf" %}}
 
 ```nginx
+user nginx;
+worker_processes  auto;
+
+events {
+    worker_connections  1024;
+}
+
 load_module modules/ngx_http_app_protect_module.so;
+load_module modules/ngx_http_js_module.so;
 
 http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+    sendfile        on;
+    keepalive_timeout  65;
+    js_import main from example.js;
+
     server {
-        listen       127.0.0.1:8080;
+        listen       80;
         server_name  localhost;
+        proxy_http_version 1.1;
+        app_protect_enable on;
 
         location / {
-            auth_request /scan;
-            proxy_pass        http://localhost:8888;
+            proxy_pass        http://127.0.0.1:8080/foo/$request_uri;
         }
-        location /scan {
-            proxy_pass        http://localhost:8081$request_uri;
-       }
     }
-
     server {
-        listen       127.0.0.1:8081;
+        listen       127.0.0.1:8080;
         server_name  localhost;
+        proxy_http_version 1.1;
 
-        location /scan {
-            app_protect_enable on;
-            proxy_pass        http://localhost:8888;
+        location /foo {
+            js_content main.fetch_subrequest;
+        }
+
+        location / {
+            internal;
+            return 200  "Hello! I got your URI request - $request_uri\n";
         }
     }
 }
 ```
 
+{{% /tab %}}
+
+{{% tab name="example.js" %}}
+
+```js
+async function fetch_subrequest(r) {
+    let reply = await r.subrequest('/<script>');
+    let response = {
+        uri: reply.uri,
+        code: reply.status,
+        body: reply.responseText,
+    };
+    r.return(200, JSON.stringify(response));
+}
+
+export default {join};
+```
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+If the njs handler triggers an internal subrequest to `/<script>`, it is not inspected by F5 WAF for NGINX and succeeds: 
+
+```shell
+curl "localhost/"  
+```
+
+```text
+{"uri":"/<script>","code":200,"body":"Hello! I got your URI request - /foo//\n"}
+
+```
+
+However, if a direct, client-facing request attempts to trigger the same URL, it is inspected by F5 WAF for NGINX and is blocked according to the security policy.
+
+```shell
+curl "localhost/<script>"
+```
+
+```text
+<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.
+
+Your support ID is: 123456789
+
+<a href='javascript:history.back();'>[Go Back]</a></body></html>
+```
+
 ## Range header–dependent modules
 
 Features that add or depend on the HTTP Range header are unsupported in the same scope as __app_protect_enable__ on. Place Range-dependent logic in a separate scope that does not enable F5 WAF for NGINX, and have the F5 WAF for NGINX enable frontend proxy to that backend.
@@ -259,9 +255,7 @@ Examples of Range-dependent features:
 - Static location
 - Range
 
-### Additional range-based examples
-
-#### Static location
+### Static location example
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -284,7 +278,7 @@ http {
 }
 ```
 
-#### Range
+### Range example
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;

From 9dd35f5106724c7610bf84322db54064624a0fdb Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Wed, 3 Dec 2025 14:14:37 +0000
Subject: [PATCH 11/21] switched order

---
 content/waf/configure/nginx-features.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 077ee2a93..9b09884aa 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -28,9 +28,9 @@ F5 WAF for NGINX inspects direct client-facing requests, but does not inspect in
 
 Examples of subrequest-based modules:
 
-* Slice 
-* Client authorization 
+* Slice  
 * Mirror 
+* Client authorization
 * njs 
 
 ### Slice module example

From d00d435e4cfa0a5b66aa31caa89874acd6b33362 Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Thu, 4 Dec 2025 06:05:02 +0000
Subject: [PATCH 12/21] fixed bold

---
 content/waf/configure/nginx-features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 9b09884aa..f3f65fbed 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -248,7 +248,7 @@ Your support ID is: 123456789
 
 ## Range header–dependent modules
 
-Features that add or depend on the HTTP Range header are unsupported in the same scope as __app_protect_enable__ on. Place Range-dependent logic in a separate scope that does not enable F5 WAF for NGINX, and have the F5 WAF for NGINX enable frontend proxy to that backend.
+Features that add or depend on the HTTP Range header are unsupported in the same scope as __app_protect_enable on__. Place Range-dependent logic in a separate scope that does not enable F5 WAF for NGINX, and have the F5 WAF for NGINX enable frontend proxy to that backend.
 
 Examples of Range-dependent features:
 

From 91abf0c71736dfc520357971e4ded19214d46faf Mon Sep 17 00:00:00 2001
From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com>
Date: Thu, 4 Dec 2025 14:24:25 +0200
Subject: [PATCH 13/21] Update content/waf/configure/nginx-features.md

Co-authored-by: Alan Dooley <a.dooley@f5.com>
---
 content/waf/configure/nginx-features.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index f3f65fbed..bd3341579 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -17,8 +17,8 @@ It is intended as a reference for small, self-contained examples of how F5 WAF f
 
 Important constraints when F5 WAF for NGINX is enabled:
 
-- Subrequest-based modules (NGINX modules that create internal HTTP subrequests) are not inspected in any scope block where __app_protect_enable on__ is set. F5 WAF for NGINX inspects only direct, client-facing HTTP requests.
-- Modules that require the HTTP Range header are not supported in the same configuration scope as __app_protect_enable on__. Place Range-dependent configuration in a server or location block without F5 WAF for NGINX enabled.
+- Subrequest-based modules (NGINX modules that create internal HTTP subrequests) are not inspected in any scope block where **app_protect_enable on** is set. F5 WAF for NGINX inspects only direct, client-facing HTTP requests.
+- Modules that require the HTTP Range header are not supported in the same configuration scope as **app_protect_enable on**. Place Range-dependent configuration in a server or location block without F5 WAF for NGINX enabled.
 
 For additional information on configuring NGINX, you should view the [NGINX documentation]({{< ref "/nginx/" >}}).
 

From e462a9428cda84e71aeb756a412e61bc1f7f258c Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Thu, 4 Dec 2025 13:31:23 +0000
Subject: [PATCH 14/21] change title and descriptions for njs example

---
 content/waf/configure/nginx-features.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index bd3341579..4d6799ae7 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -148,7 +148,9 @@ http {
 }
 ```
 
-### General example (njs subrequest-based module)
+### Enable WAF on an njs module using the subrequest mechanism
+
+This configuration example shows how to enable WAF on an njs module that relies on the subrequest mechanism.
 
 {{< tabs name="subrequest-example" >}}
 

From 656814c6ea88d7f5969152d6ab0ed462e829cee2 Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Sun, 7 Dec 2025 14:21:09 +0000
Subject: [PATCH 15/21] change order

---
 content/waf/configure/apreload.md       | 2 +-
 content/waf/configure/nginx-features.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/waf/configure/apreload.md b/content/waf/configure/apreload.md
index 81f4670f5..784094f1a 100644
--- a/content/waf/configure/apreload.md
+++ b/content/waf/configure/apreload.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Use apreload to apply configuration updates"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 200
+weight: 100
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 4d6799ae7..bce331d97 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Configure NGINX features with F5 WAF"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 100
+weight: 200
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this

From d396502b0b713cd564fa2a812ad0fde09616d61d Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Sun, 7 Dec 2025 14:46:44 +0000
Subject: [PATCH 16/21] changed order of titles

---
 content/waf/configure/compiler.md             | 2 +-
 content/waf/configure/converters.md           | 2 +-
 content/waf/configure/kubernetes-read-only.md | 2 +-
 content/waf/configure/nginx-features.md       | 2 +-
 content/waf/configure/secure-mtls.md          | 2 +-
 content/waf/configure/selinux.md              | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md
index 2b609b586..7c5a56252 100644
--- a/content/waf/configure/compiler.md
+++ b/content/waf/configure/compiler.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Build and use the compiler tool"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 300
+weight: 200
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
diff --git a/content/waf/configure/converters.md b/content/waf/configure/converters.md
index 2b180499a..5d265b701 100644
--- a/content/waf/configure/converters.md
+++ b/content/waf/configure/converters.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Build and use the converter tools"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 400
+weight: 300
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
diff --git a/content/waf/configure/kubernetes-read-only.md b/content/waf/configure/kubernetes-read-only.md
index 4ba13c4ec..50d8b6bd9 100644
--- a/content/waf/configure/kubernetes-read-only.md
+++ b/content/waf/configure/kubernetes-read-only.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Add a read-only filesystem for Kubernetes  "
 # Weights are assigned in increments of 100: determines sorting order
-weight: 700
+weight: 600
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index bce331d97..bcf97ca64 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Configure NGINX features with F5 WAF"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 200
+weight: 700
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
diff --git a/content/waf/configure/secure-mtls.md b/content/waf/configure/secure-mtls.md
index bf8d42ce0..9b0c37da0 100644
--- a/content/waf/configure/secure-mtls.md
+++ b/content/waf/configure/secure-mtls.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Secure traffic using mTLS"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 600
+weight: 500
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
diff --git a/content/waf/configure/selinux.md b/content/waf/configure/selinux.md
index 776928985..38ed6897e 100644
--- a/content/waf/configure/selinux.md
+++ b/content/waf/configure/selinux.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Configure SELinux"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 500
+weight: 400
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this

From 62f2021611bfd0b983ad6c3ac3e63f93283920b7 Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Sun, 7 Dec 2025 14:49:43 +0000
Subject: [PATCH 17/21] changed title name

---
 content/waf/configure/apreload.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/waf/configure/apreload.md b/content/waf/configure/apreload.md
index 784094f1a..7ef73d016 100644
--- a/content/waf/configure/apreload.md
+++ b/content/waf/configure/apreload.md
@@ -1,6 +1,6 @@
 ---
 # We use sentence case and present imperative tone
-title: "Use apreload to apply configuration updates"
+title: "Apply security policy update without NGINX reload using the apreload tool"
 # Weights are assigned in increments of 100: determines sorting order
 weight: 100
 # Creates a table of contents and sidebar, useful for large documents

From bc4580eeffa586058bd13416a49b2d2686fcf9e8 Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Mon, 8 Dec 2025 07:50:05 +0000
Subject: [PATCH 18/21] changed bullet

---
 content/waf/configure/nginx-features.md | 102 +-----------------------
 1 file changed, 1 insertion(+), 101 deletions(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index bcf97ca64..17004be63 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -17,7 +17,7 @@ It is intended as a reference for small, self-contained examples of how F5 WAF f
 
 Important constraints when F5 WAF for NGINX is enabled:
 
-- Subrequest-based modules (NGINX modules that create internal HTTP subrequests) are not inspected in any scope block where **app_protect_enable on** is set. F5 WAF for NGINX inspects only direct, client-facing HTTP requests.
+- Subrequest-based modules (modules that create internal HTTP subrequests) are not supported in the same configuration scope as **app_protect_enable on**. F5 WAF for NGINX inspects only the client-facing request in the scope where it is enabled; internal subrequests fall outside that scope and are not inspected.
 - Modules that require the HTTP Range header are not supported in the same configuration scope as **app_protect_enable on**. Place Range-dependent configuration in a server or location block without F5 WAF for NGINX enabled.
 
 For additional information on configuring NGINX, you should view the [NGINX documentation]({{< ref "/nginx/" >}}).
@@ -148,106 +148,6 @@ http {
 }
 ```
 
-### Enable WAF on an njs module using the subrequest mechanism
-
-This configuration example shows how to enable WAF on an njs module that relies on the subrequest mechanism.
-
-{{< tabs name="subrequest-example" >}}
-
-{{% tab name="nginx.conf" %}}
-
-```nginx
-user nginx;
-worker_processes  auto;
-
-events {
-    worker_connections  1024;
-}
-
-load_module modules/ngx_http_app_protect_module.so;
-load_module modules/ngx_http_js_module.so;
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-    sendfile        on;
-    keepalive_timeout  65;
-    js_import main from example.js;
-
-    server {
-        listen       80;
-        server_name  localhost;
-        proxy_http_version 1.1;
-        app_protect_enable on;
-
-        location / {
-            proxy_pass        http://127.0.0.1:8080/foo/$request_uri;
-        }
-    }
-    server {
-        listen       127.0.0.1:8080;
-        server_name  localhost;
-        proxy_http_version 1.1;
-
-        location /foo {
-            js_content main.fetch_subrequest;
-        }
-
-        location / {
-            internal;
-            return 200  "Hello! I got your URI request - $request_uri\n";
-        }
-    }
-}
-```
-
-{{% /tab %}}
-
-{{% tab name="example.js" %}}
-
-```js
-async function fetch_subrequest(r) {
-    let reply = await r.subrequest('/<script>');
-    let response = {
-        uri: reply.uri,
-        code: reply.status,
-        body: reply.responseText,
-    };
-    r.return(200, JSON.stringify(response));
-}
-
-export default {join};
-```
-
-{{% /tab %}}
-
-{{< /tabs >}}
-
-If the njs handler triggers an internal subrequest to `/<script>`, it is not inspected by F5 WAF for NGINX and succeeds: 
-
-```shell
-curl "localhost/"  
-```
-
-```text
-{"uri":"/<script>","code":200,"body":"Hello! I got your URI request - /foo//\n"}
-
-```
-
-However, if a direct, client-facing request attempts to trigger the same URL, it is inspected by F5 WAF for NGINX and is blocked according to the security policy.
-
-```shell
-curl "localhost/<script>"
-```
-
-```text
-<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.
-
-Your support ID is: 123456789
-
-<a href='javascript:history.back();'>[Go Back]</a></body></html>
-```
-
 ## Range header–dependent modules
 
 Features that add or depend on the HTTP Range header are unsupported in the same scope as __app_protect_enable on__. Place Range-dependent logic in a separate scope that does not enable F5 WAF for NGINX, and have the F5 WAF for NGINX enable frontend proxy to that backend.

From 626c2302ffff7e5885bb733efdefea6ad6799f3d Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Mon, 8 Dec 2025 12:45:39 +0000
Subject: [PATCH 19/21] new suggestion

---
 content/waf/configure/nginx-features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 17004be63..22acaabbe 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -17,7 +17,7 @@ It is intended as a reference for small, self-contained examples of how F5 WAF f
 
 Important constraints when F5 WAF for NGINX is enabled:
 
-- Subrequest-based modules (modules that create internal HTTP subrequests) are not supported in the same configuration scope as **app_protect_enable on**. F5 WAF for NGINX inspects only the client-facing request in the scope where it is enabled; internal subrequests fall outside that scope and are not inspected.
+- Subrequest-based modules (modules that create internal HTTP subrequests) are not supported in the same scope as **app_protect_enable on**. F5 WAF for NGINX inspects request in the scope where it is enabled; internal subrequests fall outside that scope and are not inspected.
 - Modules that require the HTTP Range header are not supported in the same configuration scope as **app_protect_enable on**. Place Range-dependent configuration in a server or location block without F5 WAF for NGINX enabled.
 
 For additional information on configuring NGINX, you should view the [NGINX documentation]({{< ref "/nginx/" >}}).

From 57565ca5fd29a213792ca52c4f9bd1bf27f6c31e Mon Sep 17 00:00:00 2001
From: Daniel Klein <d.klein@f5.com>
Date: Tue, 9 Dec 2025 12:07:23 +0000
Subject: [PATCH 20/21] change name

---
 content/waf/configure/nginx-features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 22acaabbe..ba1a5012c 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -17,7 +17,7 @@ It is intended as a reference for small, self-contained examples of how F5 WAF f
 
 Important constraints when F5 WAF for NGINX is enabled:
 
-- Subrequest-based modules (modules that create internal HTTP subrequests) are not supported in the same scope as **app_protect_enable on**. F5 WAF for NGINX inspects request in the scope where it is enabled; internal subrequests fall outside that scope and are not inspected.
+- Subrequest-based modules (modules that generate internal HTTP subrequests) are not supported when F5 WAF for NGINX (app_protect_enable) is applied to the same scope. As an alternative, it is recommended to enable F5 WAF for NGINX at an additional scope. In this configuration, F5 WAF for NGINX inspects only direct, client-facing HTTP requests, while internal subrequests fall outside that scope and are not inspected.
 - Modules that require the HTTP Range header are not supported in the same configuration scope as **app_protect_enable on**. Place Range-dependent configuration in a server or location block without F5 WAF for NGINX enabled.
 
 For additional information on configuring NGINX, you should view the [NGINX documentation]({{< ref "/nginx/" >}}).

From 91b18e7b24dbf261be0611b7df3e0946d1235bc3 Mon Sep 17 00:00:00 2001
From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com>
Date: Wed, 10 Dec 2025 08:28:27 +0200
Subject: [PATCH 21/21] Update content/waf/configure/apreload.md

Co-authored-by: Alan Dooley <a.dooley@f5.com>
---
 content/waf/configure/apreload.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/waf/configure/apreload.md b/content/waf/configure/apreload.md
index 7ef73d016..7f6dfe1f7 100644
--- a/content/waf/configure/apreload.md
+++ b/content/waf/configure/apreload.md
@@ -1,6 +1,6 @@
 ---
 # We use sentence case and present imperative tone
-title: "Apply security policy update without NGINX reload using the apreload tool"
+title: "Apply security policy updates without reloading NGINX using apreload"
 # Weights are assigned in increments of 100: determines sorting order
 weight: 100
 # Creates a table of contents and sidebar, useful for large documents