--- title: Module configuration summary: null url: >- https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/module-config --- We provide the ability to configure the Next-Gen WAF module. The following attributes are set by default, but may need to be modified to provide support for different environments. In the majority of cases modifying module configuration is not necessary. **Contact [support](https://support.fastly.com) if you need assistance or have questions regarding modifying module configuration.** ## Apache To modify the Next-Gen WAF module configuration in Apache you will need to add directives to your Apache configuration file (e.g., for CentOS it is httpd.conf, for Debian or Ubuntu it is apache.conf or apache2.conf). Note, these directives must be set after the Next-Gen WAF module is loaded. Starting with release 1.6.0, the following directives replace any earlier ones. These directives are a renaming of the earlier ones but with the addition of the prefix `SigSci`. | Name | Description | Default value | | ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | | `SigSciAgentTimeout` | Agent socket timeout in milliseconds. | 100 | | `SigSciAgentPostLen` | Maximum POST body size in bytes. | 100000 | | `SigSciAgentInspection` | Enable or disable the module. | On | | `SigSciAgentPort` | The local port (when using TCP) that the agent listens on. If `SigSciAgentPort` is set, then `SigSciAgentHost` must be an IP or hostname. | Unix: None, Windows: `9999` | | `SigSciAgentHost` | Host or IP Address, otherwise use `SigSciAgentHost` to specify the domain socket file (e.g., `/foo/bar.sock`). | Unix: `/var/run/sigsci.sock`, Windows: `127.0.0.1` | | `SigSciEnableFixups` | Toggles Signal Sciences fixups priority over post-read request handling to allow the request to be seen before it’s modified. | Off | | `SigSciRunBeforeModulesList` | Next-Gen WAF module runs before the list of specified modules (e.g., `mod_example.c mod_something.c`). | None | | `SigSciRunAfterModulesList` | Next-Gen WAF module runs after the list of specified modules (e.g., `mod_example.c mod_something.c`). | None | | `SigSciExpectedContentTypes` | A space-delimited list of custom content-types to support. | None | | `SigSciExtendContentTypes` | Enables extended content inspection. | false | > **NOTE:** The `SigSciRunBeforeModulesList` and `SigSciRunAfterModulesList` directives are currently not supported on ARM64-based Linux distributions. The following directives will be deprecated in favor of the new ones above with the `SigSci` prefix but are backwards compatible and will continue to work. | Name | Description | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | | `AgentTimeout` | Agent socket timeout (in milliseconds), default: `100`. | | `AgentPostLen` | Maximum POST body size in bytes, default: `100000` | | `AgentInspection` | Enable or disable the module, default: `On` | | `AgentPort` | The local port (when using TCP) that the agent listens on, default: none. Note, if AgentPort is set then `AgentHost` must be a IP or hostname. | | `AgentHost` | Host or IP Address, otherwise use `AgentHost` to specify the domain socket file. `/foo/bar.sock` | The following directives are deprecated and will be ignored. | Name | Description | | ------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | | `SigSciAltResponseCodes` | Specifying alternative codes on which to block is deprecated. Instead we now block on any response code within the range 300-599. | **Conditional Inspection Example** The Next-Gen WAF Apache Module can perform conditional inspection per `VirtualHost` by either disabling or enabling the module globally. This is useful for configurations that only require inspection to be performed, or not performed, on specific request conditions (e.g., path). To enable or disable the module globally add both the `SigSciAgentInspection` and `SigSciEnableFixups` directives to the global Apache configuration (httpd.conf, apache2.conf). For example to disable the Next-Gen WAF Apache Module globally, but enable inspection for a specific `VirtualHost`: > **IMPORTANT:** `SigSciEnableFixups` must be turned on for `SigSciAgentInspection` to conditionally work within Location directives. ```text SigSciAgentInspection Off SigSciEnableFixups On ``` Inside each corresponding `VirtualHost`, add the appropriate `SigSciAgentInspection` directive value. For example, to enable inspection with only the `VirtualHost` handling requests for `example.com`: ```text DocumentRoot "/www/example1" ServerName example.com ServerAlias www.example.com SigSciAgentInspection On ``` After restarting the appropriate Apache service, the module will log the following output to the Apache error log with the appropriate values (`1` for enabled, `0` for disabled) for each directive enabling or disabling the module applied in configuration: ```text [Fri Dec 12 11:56:31.329363 2025] [signalsciences:notice] [pid 3439:tid 123749635139456] SigSci: config: agent inspection flag: 0 [Fri Dec 12 11:56:31.329363 2025] [signalsciences:notice] [pid 3439:tid 123749635139456] SigSci: config: agent inspection flag: 1 ``` ## NGINX dynamic module Refer to [Installing the NGINX dynamic module](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/nginx-module/installing-the-nginx-dynamic-module) for instructions on installing and configuring the NGINX dynamic module. ## NGINX Lua Module > **IMPORTANT:** We strongly recommend that you use the more performant NGINX dynamic module if possible. The NGINX Lua module takes advantage of OpenResty and has more installation dependencies as a result. To modify the Next-Gen WAF Lua module for NGINX, changes can be made in the Next-Gen WAF Lua script, which by default is at `/opt/sigsci/nginx/sigsci.conf`. | Name | Description | | ----------- | ---------------------------------------------------------------------------------------------------------------------------- | | `agenthost` | The IP address or path to Unix domain socket the SignalSciences Agent is listening on, default: `unix:/var/run/sigsci.sock`. | | `agentport` | The local port (when using TCP) that the agent listens on, default: `12345` | | `timeout` | Agent socket timeout (in milliseconds), default: `100`. | | `maxpost` | Maximum POST body size in bytes, default: `100000` | **Example configuration** ```text sigsci.agenthost = "unix:/var/run/sigsci.sock" sigsci.agentport = 12345 sigsci.timeout = 100 sigsci.maxpost = 1000000 ``` ## HAProxy Configuration changes are typically not required for the HAProxy module to work. However, it is possible to override the default settings if needed. To do so, you must create an `override.lua` file in which to add these configuration directives. Then, update the `global` section of your HAProxy config file (`/usr/local/etc/haproxy/haproxy.cfg`) to load this over-ride config file. ### Example of configuration ```text global ... lua-load /path/to/override.lua ... ``` ### Over-ride Directives These directives may be used in your over-ride config file. | Name | Description | | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | | `sigsci.agenthost` | The IP address or path to unix domain socket the SignalSciences Agent is listening on, default: `/var/run/sigsci.sock` (unix domain socket). | | `sigsci.agentport` | The local port (when using TCP) that the agent listens on, default: `nil` | | `sigsci.log_debug` | Enable verbose logging, default: `false` | | `sigsci.log_network_errors` | Enable logging of socket connection errors, default: `false` | | `sigsci.timeout` | Agent socket timeout (in seconds), default: `1` (`0` means off). | | `sigsci.maxpost` | Maximum POST body size in bytes, default: `100000` | | `sigsci.extra_blocking_resp_hdr` | User may supply a response header to be added upon 406 responses, default: "" | | `sigsci.expected_content_types` | A list of custom content-types to support | | `sigsci.extend_content_types` | Enables extended content inspection. Default value is `false`. | ### Example of over-ride configuration ```text sigsci.agenthost = "192.0.2.243" sigsci.agentport = 9090 sigsci.extra_blocking_resp_hdr = "Access-Control-Allow-Origin: https://example.com" ``` ## IIS You can set the configuration for the IIS module using the MSI installer, the `SigsciCtl.exe` utility in v2.0.0+, IIS Manager UI, PowerShell, or the `appcmd.exe` utility. See [Configuration Usage](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/iis#configure) for more information on configuring the IIS module. | Name | Default Value | Description | | ----------------------- | ------------- | ----------------------------------------------------------------------------------- | | `agentHost` | 127.0.0.1 | | | `agentPort` | 737 | | | `Debug` | False | Enable Module debugging; sends to event-viewer. | | `ReuseConnections` | False | Use a socket pool with the maximum number of sockets based on hardware concurrency. | | `MaxPostSize` | 100000 | | | `AnomalySize` | 524288 | | | `AnomalyDurationMillis` | 1000 | | | `TimeoutMillis` | 200 | Agent socket timeout in milliseconds. | | `ExpectedContentTypes` | | A space delimited list of custom content-types to support. | | `ExtendContentTypes` | false | This can be set to true to enable extended content inspection. | ## Language Modules See language specific module pages for configuration details. - Java - [As a Servlet filter](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/java-module/java-module-servlet-filter#module-configuration) - [As a Jetty handler](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/java-module/java-module-jetty/) - [As a Netty handler](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/java-module/java-module-netty/) - [With Dropwizard](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/java-module/java-module-dropwizard/) - [On WebLogic servers](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/java-module/java-module-weblogic#module-configuration) - [Node.js](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/nodejs-module#configuration) - [.NET](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/dotnet#net-module-configuration) ## Related content - [About module-agent deployment](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/about-module-agent-deployment) - [Using an API with the Next-Gen WAF](https://www.fastly.com/documentation/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf)