diff --git a/content/waf/policies/external-references.md b/content/waf/policies/external-references.md index 0cdace680..5d003242b 100644 --- a/content/waf/policies/external-references.md +++ b/content/waf/policies/external-references.md @@ -30,6 +30,14 @@ To use external references, replace the direct property in the policy file with For example, a `modifications` section could be replaced by `modificationsReference` and `data-guard` could be replaced by `dataGuardReference`. +{{< call-out "note" >}} +Not all policy fields support external references. +To see which fields allow external references, visit the [Parameter Reference]({{< ref "/waf/policies/parameter-reference.md" >}}) page. +On that page, each table of policy fields includes a **Reference** column. +If a field has **Yes** in the Reference column (for example, `filetypes`, `bot-defense`, or `signature-sets`), you can replace it in your policy file with its corresponding external reference property (e.g., `filetypeReference`, `botDefenseReference`, `signatureSetsReference`). +If the Reference column is marked **No**, the field cannot be referenced externally and must be defined directly in your policy file. +{{< /call-out >}} + ## External reference types There are different implementations based on the type of references that are being made. 
@@ -540,4 +548,29 @@ The following request will trigger an `Illegal repeated parameter name` violatio http://localhost/query?a=true&a=false ``` -The request will _not be blocked_ because this violation is set to alarm in the default policy. \ No newline at end of file +The request will _not be blocked_ because this violation is set to alarm in the default policy. + +## Authenticating External References with Basic Auth + +For any type of external reference in your policy that uses an HTTP or HTTPS link—including simple URL references and OpenAPI references—you can include a `basicAuth` object, which specifies the username (user) and base64-encoded password (passwordBase64) for HTTP Basic Authentication. + +**Example:** +This example uses `responsePageReference`, but the same `basicAuth` configuration applies to any supported external reference (such as OpenAPI or other URL references) that uses an HTTP/HTTPS link. + +```json +{ + "name": "external_references_custom_response", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "responsePageReference": { + "link": "https://securedomain.com:8081/response-pages.txt", + "basicAuth": { + "user": "", + "passwordBase64": "" + } + } +} +``` \ No newline at end of file diff --git a/content/waf/policies/parameter-reference.md b/content/waf/policies/parameter-reference.md index 9e2ee88d7..bcc4dfdb0 100644 --- a/content/waf/policies/parameter-reference.md +++ b/content/waf/policies/parameter-reference.md @@ -4,4 +4,4 @@ toc: true weight: 300 --- -{{< include "waf/policy.html" >}} +{{< include "waf/policy.html" >}} \ No newline at end of file
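Review bot: In the call-out added to external-references.md at `@@ -30,6 +30,14`, the example mapping is inconsistent about pluralisation: `filetypes` is paired with the singular `filetypeReference`, while `signature-sets` is paired with the plural `signatureSetsReference`. Readers will copy these property names verbatim, so please confirm each one against the policy schema before merging. The same sentence uses "e.g." where the surrounding text uses "for example"; pick one for consistency.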
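Review bot: In the new "Authenticating External References with Basic Auth" section at `@@ -540,4 +548,29`, `basicAuth` is offered for "an HTTP or HTTPS link" with no caveat that base64 is an encoding and not protection. `passwordBase64` can be decoded by anyone who can read the policy file, and over a plain HTTP link the Basic Auth credentials travel unencrypted. Suggest adding a sentence that recommends HTTPS links whenever `basicAuth` is set and tells readers to restrict access to policy files that carry credentials. The example also leaves `"user": ""` and `"passwordBase64": ""` empty; clearly labelled placeholder values would show the expected shape. Two smaller points: the heading is in title case while the existing `## External reference types` is in sentence case, and the file still ends without a trailing newline.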
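Review bot: In parameter-reference.md, the only change is that the `{{< include "waf/policy.html" >}}` line loses its trailing newline, which looks unrelated to the documentation being added. Suggest restoring the newline so this file drops out of the diff.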