feat: Clarify subrequest information for F5 WAF

[ADubhlaoich]

Proposed changes

This commit updates the Configure NGINX features with F5 WAF document by clarifying the language around subrequest limitations. The prior phrasing leads by suggesting they do not work at all.

The new phrasing explains that it works, but has a caveat. Further language has been clarified in the sentence following it, supporting the overall structure of the document.

Closes #1436

Checklist

Before sharing this pull request, I completed the following checklist:

• I read the Contributing guidelines
• My branch adheres to the Git conventions
• My content changes adhere to the F5 NGINX Documentation style guide
• If my changes involve potentially sensitive information¹, I have assessed the possible impact
• I have waited to ensure my changes pass tests, and addressed any discovered issues

Footnotes

1. Potentially sensitive information includes personally identify information (PII), authentication credentials, and live URLs. Refer to the style guide for guidance about placeholder content. ↩

[github-actions]

✅ Deploy Preview will be available once build job completes!

Name	Link
😎 Deploy Preview	https://frontdoor-test-docs.nginx.com/previews/docs/1445/

---

[ohad-perets]

Looks good, Daniel K is working on an example for the sub-request.

[dkleinF5]

Is it possible @ADubhlaoich to add this example in?
I was thinking about something around the lines like
1 Install NGINX Plus with NJS Module
2 Apply the Provided nginx.conf and example.js
nginx.conf

user nginx;
worker_processes  4;
#daemon off;

load_module modules/ngx_http_app_protect_module.so;
load_module modules/ngx_http_js_module.so;

error_log /var/log/nginx/error.log warn;

events {
    worker_connections  65536;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    js_import main from example.js;

    server {
        listen       80;
        server_name  localhost;
        proxy_http_version 1.1;
        app_protect_enable on;

        location / {
            proxy_pass    http://127.0.0.1:8080/foo/$request_uri;
        }
    }
    server {
        listen       127.0.0.1:8080;
        server_name  localhost;
        proxy_http_version 1.1;

        location /foo {
            js_content main.fetch_subrequest;
        }

        location / {
            internal;
            return 200  "Hello! I got your URI request - $request_uri\n";
        }
    }
}

example.js

async function fetch_subrequest(r) {
    let reply = await r.subrequest('/<script>');
    let response = {
        uri: reply.uri,
        code: reply.status,
        body: reply.responseText,
    };
    r.return(200, JSON.stringify(response));
}

export default {join};

3 Test App Protect Enforcement and Bypass
curl "localhost/"
{"uri":"/<script>>","code":200,"body":"Hello! I got your URI request - /foo//\n"}
This request goes to /, which is configured to use the NJS module. The NJS handler makes an internal subrequest to /<script>.
Even though a direct request to /<script> would be blocked by App Protect, the internal subrequest is not inspected or blocked by App Protect and is processed successfully.
curl "localhost/<script>"
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 123456789<br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>
The request to /<script> is client-facing and is inspected and blocked by App Protect according to your configured security policies.