feat: Add NAP-WAF Refactor POC

Author: ADubhlaoich

_banners/waf-v4-warning.md

@@ -0,0 +1,5 @@
+{{< banner "caution" "This page is for NGINX App Protect v4.xx" >}}
+  This documentation is intended for NGINX App Protect v4.xx.
+
+  For an NGINX App Protect v5.xx installation, see [Install NGINX App Protect and NGINX Ingress Controller with Docker and Helm]({{< ref "/waf/kubernetes/install-nic.md">}})
+{{</ banner >}}

_banners/waf-v5-warning.md

@@ -0,0 +1,5 @@
+{{< banner "caution" "This page is for NGINX App Protect v5.xx" >}}
+  This documentation is intended for NGINX App Protect v5.xx.
+
+  For an NGINX App Protect v4.xx installation, see [Deploy NGINX App Protect WAF in a virtual environment]({{< ref "/waf/install/virtual-environment.md">}})
+{{</ banner >}}

content/waf/_index.md

@@ -0,0 +1,45 @@
+---
+# The title is the product name
+title: F5 NGINX App Protect WAF
+# The URL is the base of the deployed path, becoming "docs.nginx.com/<url>/<other-pages>"
+url: /app-protect-waf/
+# The cascade directive applies its nested parameters down the page tree until overwritten
+cascade:
+  # The logo file is resolved from the theme, in the folder /static/images/icons/
+  logo: NGINX-App-Protect-WAF-product-icon.svg
+# The subtitle displays directly underneath the heading of a given page
+nd-subtitle: A lightweight, high-performance web application firewall for protecting APIs and applications
+# Indicates that this is a custom landing page
+nd-landing-page: true
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: landing-page
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NAP-WAF
+---
+
+## About
+
+Defend your applications and APIs with a software security solution that seamlessly integrates into DevOps environments as a lightweight web application firewall (WAF), layer 7 denial-of-service (DoS) protection, bot protection, API security, and threat intelligence services.
+
+## Featured content
+[//]: # "You can add a maximum of three cards: any extra will not display."
+[//]: # "One card will take full width page: two will take half width each. Three will stack like an inverse pyramid."
+[//]: # "Some examples of content could be the latest release note, the most common install path, and a popular new feature."
+
+{{<card-layout>}}
+  {{<card-section showAsCards="true" isFeaturedSection="true">}}
+    {{<card title="Install NGINX App Protect WAF" titleUrl="/waf/install" icon="chevrons-right" >}}
+      Explore the methods available to deploy NGINX App Protect WAF in your environment.
+    {{</card>}}
+    <!-- The titleURL and icon are both optional -->
+    <!-- Lucide icon names can be found at https://lucide.dev/icons/ -->
+    {{<card title="Changelog" titleUrl="/waf/changelog" icon="archive">}}
+      Review the latest changes and improvements to NGINX App Protect WAF.
+    {{</card>}}
+  {{</card-section>}}
+{{</card-layout>}}
+
+<!-- ## Other content 
+
+[//]: # "You can add any extra content for the page here, such as additional cards, diagrams or text." -->

content/waf/changelog.md

@@ -0,0 +1,159 @@
+---
+# We use sentence case and present imperative tone
+title: "Changelog"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 800
+# Creates a table of contents and sidebar, useful for large documents
+toc: true
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: reference
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NAP-WAF
+---
+
+{{< call-out "warning" "Information architecture note" >}}
+
+The design intention for this page is to act as a single reference point for changes between each release. "Changelog" is the term being adopted across the entire NGINX product ecosystem.
+
+Since both versions of NGINX App Protect WAF are released at the same time, they can be stored in the same note. Change items for only one specific version are explicitly annotated when necessary.
+
+Updating the content of this page will likely be automated in the future, following some procedural changes to how tickets are managed within JIRA.
+
+{{</ call-out>}}
+
+This changelog lists all of the information for F5 NGINX App Protect WAF releases in 2025.
+
+For older releases, check the changelogs for previous years: [2024](), [2023]().
+
+## NGINX App Protect WAF 5.7 / 4.15
+
+### New features
+
+- Added support for Rocky Linux 9
+- Added support for IP Intelligence
+- Added support for Override rules for IP Address Lists
+
+### Important notes
+
+- Ubuntu 20.04 is no longer supported
+- (12447) Upgrade libk5crypto3 package
+- (12520) Upgrade Go compiler to 1.23.8
+
+### Resolved issues
+
+- (12527) Remove CPAN - installed certs and source files
+- (11112) Remove systemd/init.d leftovers in NAP WAF v5 pkgs
+- (12400) Cookie attributes are not added to a TS cookie when there is more than one TS cookie
+- (12498) Undefined behavior when using huge XFF
+- (12731) Multiple clean_resp_reset internal error messages in logs when loading NAP
+
+### 5.7 packages
+
+#### NGINX Open Source
+
+| Distribution name        | Package file                                                      |
+|--------------------------|-------------------------------------------------------------------|
+| Alpine 3.19              | _app-protect-module-oss-1.27.4+5.442.0-r1.apk_                    |
+| Amazon Linux 2023        | _app-protect-module-oss-1.27.4+5.442.0-1.amzn2023.ngx.x86_64.rpm_ |
+| Debian 11                | _app-protect-module-oss_1.27.4+5.442.0-1\~bullseye_amd64.deb_     |
+| Debian 12                | _app-protect-module-oss_1.27.4+5.442.0-1\~bookworm_amd64.deb_     |
+| Oracle Linux 8.1         | _app-protect-module-oss-1.27.4+5.442.0-1.el8.ngx.x86_64.rpm_      |
+| Ubuntu 22.04             | _app-protect-module-oss_1.27.4+5.442.0-1\~jammy_amd64.deb_        |
+| Ubuntu 24.04             | _app-protect-module-oss_1.27.4+5.442.0-1\~noble_amd64.deb_        |
+| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.442.0-1.el8.ngx.x86_64.rpm_      |
+| RHEL 9 and Rocky Linux 9 | _app-protect-module-oss-1.27.4+5.442.0-1.el9.ngx.x86_64.rpm_      |
+
+#### NGINX Plus
+
+| Distribution name        | Package file                                                   |
+|--------------------------|----------------------------------------------------------------|
+| Alpine 3.19              | _app-protect-module-plus-34+5.442.0-r1.apk_                    |
+| Amazon Linux 2023        | _app-protect-module-plus-34+5.442.0-1.amzn2023.ngx.x86_64.rpm_ |
+| Debian 11                | _app-protect-module-plus_34+5.442.0-1\~bullseye_amd64.deb_     |
+| Debian 12                | _app-protect-module-plus_34+5.442.0-1\~bookworm_amd64.deb_     |
+| Oracle Linux 8.1         | _app-protect-module-plus-34+5.442.0-1.el8.ngx.x86_64.rpm_      |
+| Ubuntu 22.04             | _app-protect-module-plus_34+5.442.0-1\~jammy_amd64.deb_        |
+| Ubuntu 24.04             | _app-protect-module-plus_34+5.442.0-1\~noble_amd64.deb_        |
+| RHEL 8 and Rocky Linux 8 | _app-protect-module-plus-34+5.442.0-1.el8.ngx.x86_64.rpm_      |
+| RHEL 9 and Rocky Linux 9 | _app-protect-module-plus-34+5.442.0-1.el9.ngx.x86_64.rpm_      |
+
+### 4.15 packages
+
+| Distribution name        | Package file                                       |
+|--------------------------|----------------------------------------------------|
+| Alpine 3.19              | _app-protect-34.5.442.0-r1.apk_                    |
+| Amazon Linux 2023        | _app-protect-34+5.442.0-1.amzn2023.ngx.x86_64.rpm_ |
+| Debian 11                | _app-protect_34+5.442.0-1\~bullseye_amd64.deb_     |
+| Debian 12                | _app-protect_34+5.442.0-1\~bookworm_amd64.deb_     |
+| Oracle Linux 8.1         | _app-protect-34+5.442.0-1.el8.ngx.x86_64.rpm_      |
+| Ubuntu 22.04             | _app-protect_34+5.442.0-1\~jammy_amd64.deb_        |
+| Ubuntu 24.04             | _app-protect_34+5.442.0-1\~noble_amd64.deb_        |
+| RHEL 8 and Rocky Linux 8 | _app-protect-34+5.442.0-1.el8.ngx.x86_64.rpm_      |
+| RHEL 9 and Rocky Linux 9 | _app-protect-34+5.442.0-1.el9.ngx.x86_64.rpm_      |
+
+## NGINX App Protect WAF 5.6 / 4.14
+
+### New features
+
+- Added support for NGINX Plus R34
+- **5.6 Only:** You can now [deploy NGINX App Protect WAF 5+ using a Helm chart]({{< ref "/nap-waf/v5/admin-guide/deploy-with-helm.md">}})
+
+### Important notes
+
+- Alpine 3.17 is no longer supported
+
+### Resolved issues
+
+- Upgraded the Go compiler to 1.23.7
+- (12140) Changed the maximum memory of the XML processing engine to 8GB
+- (12254) A modified YAML file referenced by a JSON policy file causes a reload error when running `nginx -t`
+- (12296) "Violation Bad Unescape" is not enabled by default
+- (12297) "Violation Encoding" is not enabled by default
+
+### 5.6 packages
+
+#### NGINX Open Source
+
+| Distribution name        | Package file                                                      |
+|--------------------------|-------------------------------------------------------------------|
+| Alpine 3.19              | _app-protect-module-oss-1.27.4+5.342.0-r1.apk_                    |
+| Amazon Linux 2023        | _app-protect-module-oss-1.27.4+5.342.0-1.amzn2023.ngx.x86_64.rpm_ |
+| Debian 11                | _app-protect-module-oss_1.27.4+5.342.0-1\~bullseye_amd64.deb_     |
+| Debian 12                | _app-protect-module-oss_1.27.4+5.342.0-1\~bookworm_amd64.deb_     |
+| Oracle Linux 8.1         | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_      |
+| Ubuntu 20.04             | _app-protect-module-oss_1.27.4+5.342.0-1\~focal_amd64.deb_        |
+| Ubuntu 22.04             | _app-protect-module-oss_1.27.4+5.342.0-1\~jammy_amd64.deb_        |
+| Ubuntu 24.04             | _app-protect-module-oss_1.27.4+5.342.0-1\~noble_amd64.deb_        |
+| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_      |
+| RHEL 9                   | _app-protect-module-oss-1.27.4+5.342.0-1.el9.ngx.x86_64.rpm_      |
+
+#### NGINX Plus
+
+| Distribution name        | Package file                                                   |
+|--------------------------|----------------------------------------------------------------|
+| Alpine 3.19              | _app-protect-module-plus-34+5.342.0-r1.apk_                    |
+| Amazon Linux 2023        | _app-protect-module-plus-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ |
+| Debian 11                | _app-protect-module-plus_34+5.342.0-1\~bullseye_amd64.deb_     |
+| Debian 12                | _app-protect-module-plus_34+5.342.0-1\~bookworm_amd64.deb_     |
+| Oracle Linux 8.1         | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_      |
+| Ubuntu 20.04             | _app-protect-module-plus_34+5.342.0-1\~focal_amd64.deb_        |
+| Ubuntu 22.04             | _app-protect-module-plus_34+5.342.0-1\~jammy_amd64.deb_        |
+| Ubuntu 24.04             | _app-protect-module-plus_34+5.342.0-1\~noble_amd64.deb_        |
+| RHEL 8 and Rocky Linux 8 | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_      |
+| RHEL 9                   | _app-protect-module-plus-34+5.342.0-1.el9.ngx.x86_64.rpm_      |
+
+### 4.14 packages
+
+| Distribution name        | Package file                                       |
+|--------------------------|----------------------------------------------------|
+| Alpine 3.19              | _app-protect-34.5.342.0-r1.apk_                    |
+| Amazon Linux 2023        | _app-protect-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ |
+| Debian 11                | _app-protect_34+5.342.0-1\~bullseye_amd64.deb_     |
+| Debian 12                | _app-protect_34+5.342.0-1\~bookworm_amd64.deb_     |
+| Oracle Linux 8.1         | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_      |
+| Ubuntu 20.04             | _app-protect_34+5.342.0-1\~focal_amd64.deb_        |
+| Ubuntu 22.04             | _app-protect_34+5.342.0-1\~jammy_amd64.deb_        |
+| Ubuntu 24.04             | _app-protect_34+5.342.0-1\~noble_amd64.deb_        |
+| RHEL 8 and Rocky Linux 8 | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_      |
+| RHEL 9                   | _app-protect-34+5.342.0-1.el9.ngx.x86_64.rpm_      |

content/waf/features/_index.md

@@ -0,0 +1,6 @@
+---
+title: "Features"
+url: /app-protect-waf/features/
+weight: 700
+draft: true
+---

content/waf/fundamentals/_index.md

@@ -0,0 +1,5 @@
+---
+title: "Fundamentals"
+url: /app-protect-waf/fundamentals/
+weight: 100
+---

content/waf/fundamentals/overview.md

@@ -0,0 +1,23 @@
+---
+# We use sentence case and present imperative tone
+title: "Overview"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 100
+# Creates a table of contents and sidebar, useful for large documents
+toc: false
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: how-to
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NAP-WAF
+---
+
+{{< call-out "warning" "Information architecture note" >}}
+
+The design intention for this page is to describing what NGINX App Protect is, expanding on the detail from the [landing page]({{< ref "/waf/" >}}).
+
+It is also an opportunity to explain the difference between NGINX App Protect versions, and how integrates with other products in the NGINX ecosystem.
+
+The text here will likely be synthesized from the Overview descriptions at the top of the [Administration Guides]({{< ref "/nap-waf/v4/admin-guide/install.md#overview" >}}), but there's also detail from [F5.com](https://www.f5.com/products/nginx/nginx-app-protect) that can be added.
+
+{{</ call-out>}}

content/waf/fundamentals/technical-specifications.md

@@ -0,0 +1,27 @@
+---
+# We use sentence case and present imperative tone
+title: "Technical specifications"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 200
+# Creates a table of contents and sidebar, useful for large documents
+toc: false
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: how-to
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NAP-WAF
+---
+
+{{< call-out "warning" "Information architecture note" >}}
+
+The design intention for this page is to act as a single source of truth for supported operating systems and version compatibility.
+
+It follows a design pattern set by other NGINX product sets, showing various compatibility matrices:
+
+- [NGINX Plus]({{< ref "/nginx/technical-specs.md" >}})
+- [NGINX Instance Manager]({{< ref "/nim/fundamentals/tech-specs.md" >}})
+- [NGINX Ingress Controller]({{< ref "/nic/technical-specifications.md" >}})
+
+It is also where information about the [Supported Security Policy Features]({{< ref "/nap-waf/v4/configuration-guide/configuration.md#supported-security-policy-features" >}}) could be referenced, though most of that detail will instead be kept in the new top-level "Policies" section.
+
+{{</ call-out>}}

content/waf/install/_index.md

@@ -0,0 +1,5 @@
+---
+title: "Install"
+url: /app-protect-waf/install/
+weight: 200
+---

content/waf/install/disconnect-environment.md

@@ -0,0 +1,32 @@
+---
+# We use sentence case and present imperative tone
+title: "Deploy NGINX App Protect WAF in a disconnected environment"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 200
+# Creates a table of contents and sidebar, useful for large documents
+toc: false
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: how-to
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NAP-WAF
+---
+
+{{< call-out "warning" "Information architecture note" >}}
+
+The term _disconnected environment_ has become the more commmon synonym for an air-gapped or offline installation. It follows the precedent set by NGINX Instance Manager: [Deploy in a disconnected environment -> Install the latest NGINX Instance Manager with a script (disconnected)]({{< ref "/nim/disconnected/offline-install-guide.md" >}}).
+
+The design intention for this page is as a standalone page for the operating system specific installation use cases:
+
+- [v4]({{< ref "/nap-waf/v4/admin-guide/install.md#offline-installation" >}})
+- [v5]({{< ref "/nap-waf/v5/admin-guide/install.md#air-gap-install-secure-offline-installation" >}})
+
+Instead of having separate top level folders, differences between v4 and v5 will be denoted with whole page sections, tabs, or other unique signifiers.
+
+This reduces the amount of duplicate content, which makes maintainability much simpler and the text more uniform.
+
+With the full context of this section, the page is shorter, being concerned only with one specific method of installation.
+
+This makes it easier to link to specific instructions, and ensures that the customer sees only the critical information they need.
+
+{{</ call-out>}}