feat: Add extra configuration pages

Author: ADubhlaoich

content/includes/waf/install-selinux-warning.md

@@ -0,0 +1,10 @@
+---
+---
+
+{{< call-out "caution" >}}
+
+Security mechanisms like SELinux or AppArmor may potentially block necessary file access for the NGINX process and any component containers.
+
+For more information, view the [Configure SELinux]({{< ref "/waf/configure/selinux.md" >}}) topic.
+
+{{< /call-out >}}

content/waf/configure/compiler.md

@@ -216,6 +216,22 @@ docker run \
  -dump -bundle $(pwd)/compiled_policy.tgz
 ```
 
+## Add a compiled bundle to Kubernetes
+
+To use compiled bundles with Kubernetes, copy them to _/mnt/nap5_bundles_pv_data_ on a cluster node.
+
+Ensure these files files are accessible to UID 101. 
+
+Then, in your NGINX configuration, refer to these files from _/etc/app_protect/bundles_.
+
+The following example applies the bundle `custom_policy.tgz` located in the folder _/mnt/nap5_bundles_pv_data/_
+
+```shell
+app_protect_policy_file "/etc/app_protect/bundles/custom_policy.tgz";
+```
+
+The NGINX configuration itself can be integrated using a ConfigMap mount.
+
 ## Global settings
 
 The global settings allows configuration of the following items:

content/waf/configure/kubernetes-read-only.md

@@ -0,0 +1,209 @@
+---
+# We use sentence case and present imperative tone
+title: "Add a read-only filesystem for Kubernetes  "
+# Weights are assigned in increments of 100: determines sorting order
+weight: 700
+# Creates a table of contents and sidebar, useful for large documents
+toc: true
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: how-to
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NAP-WAF
+---
+
+This page describes how to add a read-only filesystem when deploying F5 WAF for NGINX when using Kubernetes.
+
+It restricts the root filesystem to read-only mode, improving security by limiting potential write access in case of compromise.
+
+## Before you begin
+
+To complete this guide, you will need the following prerequisites:
+
+- A Kubernetes cluster that supports read-only root file systems
+- The cluster must have access to the NGINX and F5 WAF configuration files
+
+You may need to identify any extra paths that need to be writable by F5 WAF for NGINX during runtime: this document assumes you are using the default paths.
+
+## Enable readOnlyRootFilesystem and configure writable paths 
+
+The first step is to add the `readOnlyRootFilesystem` value (as true) to your Kubernetes pod security context as follows:
+
+```yaml
+containers:
+    - name: nginx
+      ...
+      securityContext:
+          readOnlyRootFilesystem: true
+    - name: waf-enforcer
+      ...
+      securityContext:
+          readOnlyRootFilesystem: true
+    - name: waf-config-mgr
+      ...
+      securityContext:
+          readOnlyRootFilesystem: true
+```
+
+With a read-only root file system, you will likely still require write access for certain directories, such as logs and temporary files. You can add these directories by mounting them as writable volumes in your Kubernetes deployment.
+
+In the following example, `/tmp` and `/var/log/nginx` are writable directories, essential for NGINX and F5 WAF operations.
+
+```yaml
+containers:
+    - name: nginx
+      ...
+      volumeMounts:
+           - name: app-protect-bd-config
+             mountPath: /opt/app_protect/bd_config
+           - name: app-protect-config
+             mountPath: /opt/app_protect/config
+           - name: tmp-volume
+             mountPath: /tmp
+           - name: nginx-log
+             mountPath: /var/log/nginx
+           - name: app-protect-bundles
+             mountPath: /etc/app_protect/bundles
+...
+
+volumes:
+        - name: app-protect-bd-config
+          emptyDir: {}
+        - name: app-protect-config
+          emptyDir: {}
+        - name: nginx-log
+          emptyDir: {}
+        - name: tmp-volume
+          emptyDir: {}
+        - name: app-protect-bundles
+          persistentVolumeClaim:
+            claimName: nap5-bundles-pvc
+```
+
+A full example could look like the following:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nap5-deployment
+spec:
+  selector:
+    matchLabels:
+      app: nap5
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: nap5
+    spec:
+      imagePullSecrets:
+        - name: regcred
+      containers:
+        - name: nginx
+          image: <your-private-registry>/nginx-app-protect-5:<your-tag>
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+            - name: app-protect-config
+              mountPath: /opt/app_protect/config
+            - name: tmp-volume
+              mountPath: /tmp
+            - name: nginx-log
+              mountPath: /var/log/nginx
+            - name: app-protect-bundles
+              mountPath: /etc/app_protect/bundles
+        - name: waf-enforcer
+          image: private-registry.nginx.com/nap/waf-enforcer:<version-tag>
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
+          env:
+            - name: ENFORCER_PORT
+              value: "50000"
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+        - name: waf-config-mgr
+          image: private-registry.nginx.com/nap/waf-config-mgr:<version-tag>
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - all
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+            - name: app-protect-config
+              mountPath: /opt/app_protect/config
+            - name: app-protect-bundles
+              mountPath: /etc/app_protect/bundles
+      volumes:
+        - name: app-protect-bd-config
+          emptyDir: {}
+        - name: app-protect-config
+          emptyDir: {}
+        - name: nginx-log
+          emptyDir: {}
+        - name: tmp-volume
+          emptyDir: {}
+        - name: app-protect-bundles
+          persistentVolumeClaim:
+            claimName: nap5-bundles-pvc
+```
+
+## Update NGINX configuration with writable paths
+
+Once you have created writable paths in your Kubernetes cluster, you should update your NGINX configuration to use these paths.
+
+The following are fields in _nginx.conf_ you should update, which correspond to writable volumes configured during the last step:
+
+```nginx
+user  nginx;
+worker_processes  auto;
+
+# F5 WAF for NGINX
+load_module modules/ngx_http_app_protect_module.so;
+
+error_log  /var/log/nginx/error.log debug;
+pid        /tmp/nginx.pid; 
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log;
+
+    # Temporary directories for kubernetes "readonlyfilesystem"
+    client_body_temp_path /tmp/nginx-client-body;
+    proxy_temp_path       /tmp/nginx-proxy;
+    fastcgi_temp_path     /tmp/nginx-fastcgi;
+    uwsgi_temp_path       /tmp/nginx-uwsgi;
+    scgi_temp_path        /tmp/nginx-scgi;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    # F5 WAF for NGINX
+    app_protect_enforcer_address 127.0.0.1:50000;
+
+    include /etc/nginx/conf.d/*.conf;
+}
+```

content/waf/configure/secure-mtls.md

@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Secure traffic using mTLS"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 500
+weight: 600
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this

content/waf/configure/selinux.md

@@ -0,0 +1,44 @@
+---
+# We use sentence case and present imperative tone
+title: "Configure SELinux"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 500
+# Creates a table of contents and sidebar, useful for large documents
+toc: true
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: how-to
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NAP-WAF
+---
+
+The default settings for Security-Enhanced Linux (SELinux) on modern Red Hat Enterprise Linux (RHEL) and related distros can be very strict, erring on the side of security rather than convenience.
+
+To ensure F5 WAF for NGINX operates smoothly without compromising security, consider setting up a custom SELinux policy or AppArmor profile. 
+
+For troubleshooting, you may use permissive (SELinux) or complain (AppArmor) mode to avoid these restrictions, but this is inadvisable for prolonged use.
+
+Although F5 WAF for NGINX provides an optional package with prebuilt SELinux policies (`app-protect-selinux`), your specific configuration might be blocked unless you adjust the policy or modify file labels.
+
+## Modifying file labels
+
+If you plan to store your security policy files in an alternative folder such as _/etc/security_policies_, you should change the default SELinux file context:
+
+```shell
+semanage fcontext -a -t nap-compiler_conf_t /etc/security_policies
+restorecon -Rv /etc/security_policies
+```
+
+## Redirecting syslog to a custom port
+
+If you want to send logs to a custom, unreserved port, you can use `semanage` to add the desired port to the syslogd_port_t type:
+
+```shell
+semanage port -a -t syslogd_port_t -p tcp <your-port>
+```
+
+Review the syslog ports by entering the following command:
+
+```shell
+semanage port -l | grep syslog
+```

content/waf/fundamentals/technical-specifications.md

@@ -55,7 +55,7 @@ The F5 WAF for NGINX package has the following dependencies:
 | app-protect-ip-intelligence (**1**, **2**) | Necessary for the IP intelligence feature |
 
 1. _Optional dependencies_
-2. _This package needs to be installed separately, and includes a client for downloading and updating the feature's database_
+2. _This module needs to be installed separately, and includes a client for downloading and updating the feature's database_
 
 ## Supported security policy features
 

content/waf/install/docker.md

@@ -25,15 +25,7 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md"
 
 To review supported operating systems, read the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}) topic.
 
-{{< call-out "caution" >}}
-
-Security mechanisms like SELinux or AppArmor may potentially blocking necessary file access for the nginx process and component containers.
-
-To ensure F5 WAF for NGINX operates smoothly without compromising security, consider setting up a custom SELinux policy or AppArmor profile. 
-
-For troubleshooting, you may use permissive (SELinux) or complain (AppArmor) mode to avoid these restrictions, but this is inadvisable for prolonged use.
-
-{{< /call-out >}}
+{{< include "waf/install-selinux-warning.md" >}}
 
 ## Docker deployment options
 

content/waf/install/kubernetes.md

@@ -28,6 +28,8 @@ You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-b
 
 You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately.
 
+There is another optional topic to [Add a read-only filesystem for Kubernetes]({{< ref "/waf/configure/kubernetes-read-only.md" >}})
+
 To review supported operating systems, read the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}) topic.
 
 ## Download your subscription credentials