Merge branch 'main' into nic-release-5.1

Author: ADubhlaoich

.github/workflows/build-push.yml

@@ -58,7 +58,7 @@ jobs:
 
   call-docs-build-push:
     needs: prod-check-branch
-    uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@cc69def33942d819719164723b35b5163d838276 # v1.0.9
+    uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@285440f02d9967b62aeb1b7e0b5c2c70d4f950cf # v1.0.10
     with:
       production_url_path: ""
       preview_url_path: "${{ vars.PREVIEW_URL_PATH }}"

CONTRIBUTING.md

@@ -1,9 +1,10 @@
 # Contributing guidelines
 
-The following is a set of guidelines for community contributions to this
-project. We really appreciate your desire to contribute!
+The following is a set of guidelines for community contributions to this project. 
 
-If you are an F5 employee, see the following additional guidance [For F5 Employees](./F5-NGINX-team-notes.md).
+We really appreciate your desire to contribute!
+
+If you are an F5 employee, see the following additional guidance on [Maintainers etiquette](/documentation/maintainers-etiquette.md).
 
 ## Table of contents
 
@@ -12,8 +13,8 @@ If you are an F5 employee, see the following additional guidance [For F5 Employe
 - [Open a Discussion](#open-a-discussion)
 - [Submit a Pull Request](#submit-a-pull-request)
   - Review our [Git style guide](#git-style-guide)
-  - Review our Documentation [style guide](./templates/style-guide.md)
-  - Review our [Contributing guidelines for writers](./CONTRIBUTING_DOCS.md)
+  - Review the [Writing style guide](/documentation/style-guide.md)
+  - Review [Managing content with Hugo](/documentation/writing-hugo.md)
 - [Issue Lifecycle](#issue-lifecycle)
 - [Additional NGINX documentation](#additional-nginx-documentation)
 - [F5 Contributor License Agreement (CLA)](#f5-contributor-license-agreement)
@@ -51,6 +52,7 @@ our documentation as described in our [support](./SUPPORT.md) page.
 ### Git style guide
 
 - Keep a clean, concise and meaningful Git commit history on your branch, rebasing locally and squashing before you submit a PR
+- We use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/#summary) formatting.
 - Follow the guidelines of writing a good commit message as described here <https://chris.beams.io/posts/git-commit/>
   and summarized in the next few points:
 

Makefile

@@ -1,16 +1,16 @@
 HUGO?=hugo
 HUGO_VERSION?=$(shell hugo version 2>/dev/null | awk '{print $$2}' | cut -d '.' -f 2)
-HUGO_IMG?=hugomods/hugo:std-go-git-0.134.3
+HUGO_IMG?=hugomods/hugo:std-go-git-0.147.8
 
 THEME_MODULE = github.com/nginxinc/nginx-hugo-theme
 
-ifeq ($(shell [ $(HUGO_VERSION) -gt 133 2>/dev/null ] && echo true || echo false), true)
-    $(info Hugo is available and has a version greater than 133. Proceeding with build.)
+ifeq ($(shell [ $(HUGO_VERSION) -gt 146 2>/dev/null ] && echo true || echo false), true)
+    $(info Hugo is available and has a version greater than 146. Proceeding with build.)
 else
-    $(warning Hugo is not available or using a version less than 134. Attempting to use docker. HUGO_VERSION=$(HUGO_VERSION))
+    $(warning Hugo is not available or using a version less than 147. Attempting to use docker. HUGO_VERSION=$(HUGO_VERSION))
     HUGO=docker run --rm -it -v ${CURDIR}:/src -p 1313:1313 ${HUGO_IMG} /src/hugo-entrypoint.sh
     ifeq (, $(shell docker version 2> /dev/null))
-        $(error Hugo (>0.134) or Docker are required to build the local previews.)
+        $(error Hugo (>0.147) or Docker are required to build the local previews.)
     endif
 endif
 

_banners/agent-v3-release.md

@@ -1,7 +1,7 @@
 {{< banner "notice" "NGINX Agent 3.0 is now available" >}}
 
 
-F5 NGINX One Console does not currently support Agent 3.x. If you are using NGINX One Console in your environment, upgrade to the latest Agent 2.x version by following the [Upgrade NGINX Agent](/nginx-agent/installation-upgrade/upgrade/) guide.
+F5 NGINX One Console and NGINX Instance Manager (NIM) do not currently support Agent 3.x. If you are using NGINX One Console or NGINX Instance Manager in your environment, upgrade to the latest Agent 2.x version by following the [Upgrade NGINX Agent](/nginx-agent/installation-upgrade/upgrade/) guide.
 
 Please see the [Technical specifications](/nginx-agent/technical-specifications/) for product compatibility.
 

content/agent/installation-upgrade/installation-unprivileged.md

@@ -4,6 +4,7 @@ weight: 450
 toc: true
 type: how-to
 product: Agent
+docs: DOCS-1781
 ---
 
 ## Overview

content/includes/config-snippets/enable-nplus-api-dashboard.md

@@ -0,0 +1,37 @@
+---
+docs:
+files:
+- content/nginx-one/workshops/lab5/upgrade-nginx-plus-to-latest-version.md
+- content/includes/use-cases/monitoring/enable-nginx-plus-api.md
+---
+
+```nginx
+# This block enables the NGINX Plus API and dashboard
+# For configuration and security recommendations, see:
+# https://docs.nginx.com/nginx/admin-guide/monitoring/live-activity-monitoring/#configuring-the-api
+server {
+    # Change the listen port if 9000 conflicts
+    # (8080 is the conventional API port)
+    listen 9000;
+
+    location /api/ {
+        # To restrict write methods (POST, PATCH, DELETE), uncomment:
+        # limit_except GET {
+        #     auth_basic "NGINX Plus API";
+        #     auth_basic_user_file /path/to/passwd/file;
+        # }
+
+        # Enable API in write mode
+        api write=on;
+
+        # To restrict access by network, uncomment and set your network:
+        # allow 192.0.2.0/24   # replace with your network
+        # deny  all;
+    }
+
+    # Serve the built-in dashboard at /dashboard.html
+    location = /dashboard.html {
+        root /usr/share/nginx/html;
+    }
+}
+```

content/includes/nap-waf/config/common/forward-proxy-conf.md

@@ -0,0 +1,20 @@
+Enable Forward Proxy Settings for IP Intelligence Client. 
+
+To configure proxy settings, edit the client configuration file:
+Path:
+```shell
+/etc/app_protect/tools/iprepd.cfg
+```
+Example configuration:
+```shell
+EnableProxy=True 
+ProxyHost=5.1.2.4
+ProxyPort=8080
+ProxyUsername=admin        # Optional
+ProxyPassword=admin        # Optional
+CACertPath=/etc/ssl/certs/ca-certificates.crt  # Optional 
+```
+After saving the changes, restart the client to apply the new settings.
+```shell
+/opt/app_protect/bin/iprepd /etc/app_protect/tools/iprepd.cfg > ipi.log 2>&1 &
+```

content/includes/nap-waf/config/common/ip-groups-override-rules.md

@@ -0,0 +1,62 @@
+#### IP-Address-Lists feature as part of Override Rules feature.
+
+The Override Rules feature allows you to override original or parent policy settings.
+
+Rules are defined using specific conditions, which can include an IP Address Lists based on the declarative policy JSON schema.
+
+When triggered, the rule is applied to the _clientIp_ attribute using the _matches_ function.
+
+'clientIp.matches(ipAddressLists["standalone"])'
+
+Here is a policy example:
+
+```json
+{ 
+  "policy": { 
+    "name": "ip_group_override_rule", 
+    "template": { 
+      "name": "POLICY_TEMPLATE_NGINX_BASE" 
+    }, 
+    "applicationLanguage": "utf-8", 
+    "caseInsensitive": false, 
+    "enforcementMode": "blocking", 
+    "ip-address-lists": [ 
+      { 
+        "name": "standalone", 
+        "ipAddresses": [ 
+          { 
+            "ipAddress": "1.1.1.1/32" 
+          } 
+        ] 
+      } 
+     ], 
+     "override-rules": [ 
+      { 
+        "name": "myRule1", 
+        "condition": "clientIp.matches(ipAddressLists['standalone'])", 
+        "actionType": "extend-policy",
+        "override": {
+          "policy": {
+            "enforcementMode": "transparent"
+          }
+        }  
+      }
+    ]
+  }
+}
+```
+
+The previous example policy contains an IP address lists with the name "standalone", used for the override rule condition "clientIp.matches(ipAddressLists['standalone'])".
+The condition means that the rule enforcement is applied and override base policy enforcement when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone". 
+The value used for the override condition must exist and exactly match the name in "ip-address-lists".  
+
+#### Possible errors
+
+| Error text | Input          | Explanation |
+| -----------| ------------- | ------------ |
+| _Invalid field invalidList_ | _clientIp.matches(invalidList['standalone']);_ | An incorrect keyword was used instead of _ipAddressLists_ |
+| _Invalid value empty string_ | _clientIp.matches(ipAddressLists['']_ | An empty name was provided |
+| _Failed to compile policy - 'ipGroupOverridePolicy'_ | _uri.matches(ipAddressLists['standalone']);_ |  Used _ipAddressLists_ without the _clientIP_ attribute |
+
+
+ 

content/includes/nap-waf/config/common/ip-groups-overview.md

@@ -0,0 +1,81 @@
+IP address lists is a feature to organize lists of allowed and forbidden IP addresses across several lists with common attributes.
+
+This allows you to control unique policy settings for incoming requests based on specific IP addresses.
+
+Each IP address list contains a unique name, enforcement type (_always_, _never_ and _policy-default_), and list of IP addresses.
+
+
+An example of a declarative policy using IP address lists configuration: 
+
+```json
+{ 
+  "policy": { 
+    "name": "IpGroups_policy", 
+    "template": { 
+       "name": "POLICY_TEMPLATE_NGINX_BASE" 
+    }, 
+    "applicationLanguage": "utf-8", 
+    "caseInsensitive": false, 
+    "enforcementMode": "blocking", 
+    "ip-address-lists": [ 
+       { 
+         "name": "Standalone",
+         "description": "Optional Description",
+         "blockRequests": "policy-default",
+         "setGeolocation": "IN",
+         "ipAddresses": [
+          {
+             "ipAddress": "1.2.3.4/32"
+          },
+          {
+             "ipAddress": "1111:fc00:0:112::2"
+          }
+        ]
+      }
+    ]
+  }
+}
+
+```
+The example with IP-Group definition in external file external_ip_groups.json:
+
+```json
+{
+  "policy": { 
+    "name": "IpGroups_policy2", 
+    "template": { 
+       "name": "POLICY_TEMPLATE_NGINX_BASE" 
+    }, 
+    "applicationLanguage": "utf-8", 
+    "caseInsensitive": false, 
+    "enforcementMode": "blocking", 
+    "ip-address-lists": [
+      { 
+        "name": "external_ip_groups",
+        "description": "Optional Description",
+        "blockRequests": "always",
+        "setGeolocation": "IL",
+        "$ref": "file:///tmp/policy/external_ip_groups.json"
+      }
+    ]
+  }
+}
+```
+Example of the file external_ip_groups.json
+
+```json
+{ 
+    "name": "External IP address lists",
+    "description": "Optional Description",
+    "blockRequests": "always",
+    "setGeolocation": "IR",
+    "ipAddresses": [
+      {
+        "ipAddress": "66.51.41.21"
+      },
+      {
+        "ipAddress": "66.52.42.22"
+      }
+    ]
+}
+```