doc: change the format

dkleinF5 · dkleinF5 · commit 87cbd1445a8a · 2025-12-03T09:48:10.000Z
diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
@@ -11,27 +11,29 @@ nd-content-type: reference
 # Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
 nd-product: NAP-WAF
 ---
-
-This document shows example of how to modify your NGINX configuration to enable F5 WAF for NGINX features. 
+This document shows examples of how to modify your NGINX configuration to enable F5 WAF for NGINX features. 
 
 It is intended as a reference for small, self-contained examples of how F5 WAF for NGINX can be configured. 
 
-Modules requiring the _Range_ header (Such as _Slice_) are unsupported in a scope which enables F5 WAF for NGINX. The examples below work around the contraints of these modules.
+Important constraints when F5 WAF for NGINX is enabled:
+
+- Subrequest-based modules (NGINX modules that create internal HTTP subrequests) are not inspected in any scope block where __app_protect_enable on__ is set. F5 WAF for NGINX inspects only direct, client-facing HTTP requests.
+- Modules that require the HTTP Range header are not supported in the same configuration scope as __app_protect_enable on__. Place Range-dependent configuration in a server or location block without F5 WAF for NGINX enabled.
 
 For additional information on configuring NGINX, you should view the [NGINX documentation]({{< ref "/nginx/" >}}).
 
-## Internal subrequests
+## Subrequest-based modules
 
-F5 WAF for NGINX will secure and inspect direct client-facing requests, but will not inspect internal subrequests triggered by modules.
+F5 WAF for NGINX inspects direct client-facing requests, but does not inspect internal subrequests generated by subrequest-based modules. 
 
-This applies to:
+Examples of subrequest-based modules:
 
 * njs (r.subrequest)
 * Client authorization (auth_request)
 * Mirror (mirror)
 * SSI (virtual include)
 
-The following example demonstrates the general rule:
+### Example
 
 {{< tabs name="subrequest-example" >}}
 
@@ -41,6 +43,10 @@ The following example demonstrates the general rule:
 user nginx;
 worker_processes  auto;
 
+events {
+    worker_connections  1024;
+}
+
 load_module modules/ngx_http_app_protect_module.so;
 load_module modules/ngx_http_js_module.so;
 
@@ -125,59 +131,11 @@ Your support ID is: 123456789
 <a href='javascript:history.back();'>[Go Back]</a></body></html>
 ```
 
-## Static location
-
-```nginx
-load_module modules/ngx_http_app_protect_module.so;
-
-http {
-    server {
-        listen       127.0.0.1:8080;
-        server_name  localhost;
-
-        location / {
-            app_protect_enable on;
-            proxy_pass    http://127.0.0.1:8080/proxy/$request_uri;
-        }
-
-        location /proxy {
-            default_type text/html;
-            return 200 "Hello! I got your URI request - $request_uri\n";
-        }
-    }
-}
-```
-
-## Range
-
-```nginx
-load_module modules/ngx_http_app_protect_module.so;
-
-http {
+### Additional subrequest-based examples
 
-    server {
-        listen       127.0.0.1:8080;
-        server_name  localhost;
+These examples show other subrequest-based modules. In each case, internal subrequests are not inspected by WAF.
 
-        location / {
-            app_protect_enable on;
-            proxy_pass    http://127.0.0.1:8081$request_uri;
-        }
-    }
-
-    server {
-        listen       127.0.0.1:8081;
-        server_name  localhost;
-
-        location / {
-            proxy_pass http://1.2.3.4$request_uri;
-            proxy_force_ranges on;
-        }
-    }
-}
-```
-
-## Slice
+#### Slice
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -206,7 +164,7 @@ http {
 }
 ```
 
-## Mirror
+#### Mirror
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -231,7 +189,7 @@ http {
 }
 ```
 
-## njs
+#### njs
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -261,7 +219,7 @@ http {
 }
 ```
 
-## Client authorization
+#### Client authorization
 
 ```nginx
 load_module modules/ngx_http_app_protect_module.so;
@@ -290,4 +248,67 @@ http {
         }
     }
 }
+```
+
+## Range header–dependent modules
+
+Features that add or depend on the HTTP Range header are unsupported in the same scope as __app_protect_enable__ on. Place Range-dependent logic in a separate scope that does not enable F5 WAF for NGINX, and have the F5 WAF for NGINX enable frontend proxy to that backend.
+
+Examples of Range-dependent features:
+
+- Static location
+- Range
+
+### Additional range-based examples
+
+### Static location
+
+```nginx
+load_module modules/ngx_http_app_protect_module.so;
+
+http {
+    server {
+        listen       127.0.0.1:8080;
+        server_name  localhost;
+
+        location / {
+            app_protect_enable on;
+            proxy_pass    http://127.0.0.1:8080/proxy/$request_uri;
+        }
+
+        location /proxy {
+            default_type text/html;
+            return 200 "Hello! I got your URI request - $request_uri\n";
+        }
+    }
+}
+```
+
+### Range
+
+```nginx
+load_module modules/ngx_http_app_protect_module.so;
+
+http {
+
+    server {
+        listen       127.0.0.1:8080;
+        server_name  localhost;
+
+        location / {
+            app_protect_enable on;
+            proxy_pass    http://127.0.0.1:8081$request_uri;
+        }
+    }
+
+    server {
+        listen       127.0.0.1:8081;
+        server_name  localhost;
+
+        location / {
+            proxy_pass http://1.2.3.4$request_uri;
+            proxy_force_ranges on;
+        }
+    }
+}
 ```
