Merge branch 'main' into agent/nms-46504

Author: JTorreG

.github/workflows/ossf_scorecard.yml

@@ -56,6 +56,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload SARIF results to code scanning
-        uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.5
+        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
         with:
           sarif_file: results.sarif

content/includes/nim/installation/optional-steps/install-configure-vault.md

@@ -11,6 +11,6 @@ NGINX Instance Manager can use [Vault](https://www.vaultproject.io/) as a datast
 
 To install and enable Vault, follow these steps:
 
-- Follow Vault's instructions to [install Vault 1.8.8 or later](https://www.vaultproject.io/docs/install) for your distribution.
+- Follow Vault's instructions to [install Vault 1.8.8 or later](https://developer.hashicorp.com/vault/install) for your operating system.
 - Ensure you're running Vault in a [production-hardened environment](https://learn.hashicorp.com/tutorials/vault/production-hardening).
 - After installing NGINX Instance Manager, follow the steps to [configure Vault for storing secrets]({{< ref "/nim/system-configuration/configure-vault.md" >}}).

content/includes/nim/tech-specs/nim-app-protect-support.md

@@ -8,7 +8,7 @@ NGINX Instance Manager supports the following versions of [NGINX App Protect WAF
 
 | NGINX Instance Manager | NGINX App Protect WAF              |
 |------------------------|------------------------------------|
-| 2.17.0–2.20.0          | Release 4.8.0–4.15.0, 5.1.0–5.7.0 |
+| 2.17.0–2.20.0          | Release 4.8.0–4.16.0, 5.1.0–5.8.0 |
 | 2.15.1–2.16.0          | Release 4.8.0–4.10.0              |
 | 2.14.1–2.15.0          | Release 4.4.0–4.7.0               |
 | 2.13.0–2.14.0          | Release 4.3.0–4.5.0               |

content/nginx/admin-guide/dynamic-modules/acme.md

@@ -198,25 +198,71 @@ In a text editor, open the NGINX Plus configuration file:
   - `/etc/nginx/nginx.conf` for Linux
   - `/usr/local/etc/nginx/nginx.conf` for FreeBSD
 
-For a complete list of directives, embedded variables, default span attributes, refer to the `ngx_http_acme_module` official documentation.
 
-List of directives:
+For a complete list of directives and variables refer to the `ngx_http_acme_module` [official documentation](https://nginx.org/en/docs/http/ngx_http_acme_module.html) and [NGINX ACME module GitHub project](https://github.com/nginx/nginx-acme).
 
-[`https://nginx.org/en/docs/http/ngx_http_acme_module.html#directives`](https://nginx.org/en/docs/ngx_otel_module.html#directives)
+1. To enable ACME functionality, specify the directory URL of the ACME server with the [`uri`](https://nginx.org/en/docs/http/ngx_http_acme_module.html#uri) directive.
 
-List of variables:
+   Additionally, you can provide information regarding how to contact the client in case of certificate-related issues or where to store module data with the [`contact`](https://nginx.org/en/docs/http/ngx_http_acme_module.html#contact) and [`state_path`](https://nginx.org/en/docs/http/ngx_http_acme_module.html#state_path) directives.
 
-[`https://nginx.org/en/docs/http/ngx_http_acme_module.html#variables`](https://nginx.org/en/docs/ngx_otel_module.html#variables)
+   ```nginx
+   acme_issuer letsencrypt {
+       uri         https://acme-v02.api.letsencrypt.org/directory;
+       # contact   [email protected];
+       state_path  /var/cache/nginx/acme-letsencrypt;
 
+       accept_terms_of_service;
+   }
+   ```
 
-## Usage example
+2. If necessary, you can increase the default shared memory zone that stores certificates, private keys, and challenge data for all the configured certificate issuers with the [`acme_shared_zone`](https://nginx.org/en/docs/http/ngx_http_acme_module.html#acme_shared_zone) directive. The default  zone size is `256k`.
 
-```shell
+   ```nginx
+   acme_shared_zone zone=acme_shared:1M;
+   ```
+
+3. Configure Challenges by defining a listener on port 80 in the nginx configuration to process ACME HTTP-01 challenges:
+
+   ```nginx
+   server {
+       # listener on port 80 is required to process ACME HTTP-01 challenges
+       listen 80;
+
+       location / {
+           #Serve a basic 404 response while listening for challenges
+           return 404;
+        }
+   }
+   ```
+
+4. Automate the issuance or renewal of TLS certificates with the [`acme_certificate`](https://nginx.org/en/docs/http/ngx_http_acme_module.html#acme_certificate) directive in the respective [`server`](https://nginx.org/en/docs/http/ngx_http_core_module.html#server) block. The directive requires the list of identifiers (domains) for which the certificates need to be dynamically issued that can be defined with the [`server_name`](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name) directive. The [`$acme_certificate`](https://nginx.org/en/docs/http/ngx_http_core_module.html#var_acme_certificate_key) and [`$acme_certificate_key`](https://nginx.org/en/docs/http/ngx_http_core_module.html#var_acme_certificate_key) variables are used to pass the SSL certificate and key information for the associated domain:
+
+   ```nginx
+   server {
+
+       listen 443 ssl;
+
+       server_name  .example.com;
+
+       acme_certificate letsencrypt;
+
+       ssl_certificate       $acme_certificate;
+       ssl_certificate_key   $acme_certificate_key;
+       ssl_certificate_cache max=2;
+   }
+   ```
+
+   Note that not all values accepted by the [`server_name`](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name) directive are valid identifiers. Wildcards and regular expressions are not supported.
+
+
+## Full example
+
+```nginx
 resolver 127.0.0.1:53;
 
 acme_issuer example {
     uri         https://acme.example.com/directory;
-    # contact     [email protected];
+    # contact   [email protected];
     state_path  /var/cache/nginx/acme-example;
     accept_terms_of_service;
 }

content/nim/fundamentals/tech-specs.md

@@ -132,6 +132,9 @@ The table below shows the estimated storage requirements for **NGINX OSS**, base
 |                       | 250       | 14               | 4 GiB                            |
 {{</bootstrap-table>}}
 
+## ClickHouse tuning {#clickhouse-tuning}
+The default ClickHouse configuration works efficiently with NGINX Instance Manager. If you change the configuration and ClickHouse runs out of memory, see the [ClickHouse configuration guide]({{< ref "/nim/system-configuration/configure-clickhouse.md#clickhouse-tuning" >}}) to adjust the settings.
+
 ## Firewall ports {#firewall}
 
 NGINX Instance Manager and NGINX Agent use the Unix domain socket by default and proxy through the gateway on port `443`.

content/nim/nginx-app-protect/setup-waf-config-management.md

@@ -55,13 +55,15 @@ The table below shows which WAF compiler version to use for each version of NGIN
 
 | NGINX App Protect WAF version | WAF compiler version       |
 |-------------------------------|----------------------------|
+| 5.8.0                         | nms-nap-compiler-v5.498.0  |
 | 5.7.0                         | nms-nap-compiler-v5.442.0  |
 | 5.6.0                         | nms-nap-compiler-v5.342.0  |
 | 5.5.0                         | nms-nap-compiler-v5.264.0  |
 | 5.4.0                         | nms-nap-compiler-v5.210.0  |
 | 5.3.0                         | nms-nap-compiler-v5.144.0  |
 | 5.2.0                         | nms-nap-compiler-v5.48.0   |
 | 5.1.0                         | nms-nap-compiler-v5.17.0   |
+| 4.16.0                        | nms-nap-compiler-v5.498.0  |
 | 4.15.0                        | nms-nap-compiler-v5.442.0  |
 | 4.14.0                        | nms-nap-compiler-v5.342.0  |
 | 4.13.0                        | nms-nap-compiler-v5.264.0  |
@@ -88,13 +90,13 @@ The table below shows which WAF compiler version to use for each version of NGIN
 To install the WAF compiler on Debian or Ubuntu, run the following command:
 
 ```shell
-sudo apt-get install nms-nap-compiler-v5.442.0
+sudo apt-get install nms-nap-compiler-v5.498.0
 ```
 
 If you want to install more than one version of the WAF compiler on the same system, append the `--force-overwrite` option to the install command after the first installation:
 
 ```shell
-sudo apt-get install nms-nap-compiler-v5.442.0 -o Dpkg::Options::="--force-overwrite"
+sudo apt-get install nms-nap-compiler-v5.498.0 -o Dpkg::Options::="--force-overwrite"
 ```
 
 {{< include "nim/nap-waf/restart-nms-integrations.md" >}}
@@ -118,7 +120,7 @@ To install the WAF compiler on RHEL 8.1 :
 3. Install the WAF compiler:
 
    ```shell
-   sudo yum install nms-nap-compiler-v5.442.0
+   sudo yum install nms-nap-compiler-v5.498.0
    ```
 
 ### RHEL 9
@@ -140,7 +142,7 @@ To install the WAF compiler on RHEL 9:
 3. Install the WAF compiler:
 
    ```shell
-   sudo yum install nms-nap-compiler-v5.442.0
+   sudo yum install nms-nap-compiler-v5.498.0
    ```
 
 4. {{< include "nim/nap-waf/restart-nms-integrations.md" >}}
@@ -164,7 +166,7 @@ To install the WAF compiler on Oracle Linux 8.1:
 3. Install the WAF compiler:
 
     ```shell
-    sudo yum install nms-nap-compiler-v5.442.0
+    sudo yum install nms-nap-compiler-v5.498.0
     ```
 
 4. {{< include "nim/nap-waf/restart-nms-integrations.md" >}}
@@ -240,20 +242,23 @@ error when creating the nginx repo retriever - NGINX repo certificates not found
 
 If needed, you can also [install the WAF compiler manually](#install-the-waf-compiler).
 
+
 ## Install or update the WAF compiler in a disconnected environment
 
 To install the WAF compiler on a system without internet access, complete these steps:
 
 - **Step 1:** Generate the WAF compiler package on a system that has internet access.  
 - **Step 2:** Move the generated package to the offline target system and install it.
 
+
 Note : Version of NAP compiler can be referred from the table at the top of this page. 
-Current latest version 5.442.0 at the point of writing this document is used in below commands.
+Current latest version 5.498.0 at the point of writing this document is used in below commands.
 
 {{<tabs name="WAF compiler installation in offline environment">}}
 
 {{%tab name="Ubuntu"%}}
 
+
 ### Install on Ubuntu 24.04, 22.04
 
 #### Step 1: On a system with internet access
@@ -276,10 +281,12 @@ sudo tee /etc/apt/sources.list.d/nms.list
 sudo wget -q -O /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx
 mkdir -p compiler && cd compiler
 sudo apt-get update
-sudo apt-get download nms-nap-compiler-v5.442.0
+
+sudo apt-get download nms-nap-compiler-v5.498.0
 cd ../
 mkdir -p compiler/compiler.deps
-sudo apt-get install --download-only --reinstall --yes --print-uris nms-nap-compiler-v5.442.0 | grep ^\' | cut -d\' -f2 | xargs -n 1 wget -P ./compiler/compiler.deps
+sudo apt-get install --download-only --reinstall --yes --print-uris nms-nap-compiler-v5.498.0 | grep ^\' | cut -d\' -f2 | xargs -n 1 wget -P ./compiler/compiler.deps
+
 tar -czvf compiler.tar.gz compiler/
 ```
 
@@ -320,10 +327,12 @@ sudo tee /etc/apt/sources.list.d/nms.list
 sudo wget -q -O /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx
 mkdir -p compiler && cd compiler
 sudo apt-get update
-sudo apt-get download nms-nap-compiler-v5.442.0
+
+sudo apt-get download nms-nap-compiler-v5.498.0
+
 cd ../
 mkdir -p compiler/compiler.deps
-sudo apt-get install --download-only --reinstall --yes --print-uris nms-nap-compiler-v5.442.0 | grep ^\' | cut -d\' -f2 | xargs -n 1 wget -P ./compiler/compiler.deps
+sudo apt-get install --download-only --reinstall --yes --print-uris nms-nap-compiler-v5.498.0 | grep ^\' | cut -d\' -f2 | xargs -n 1 wget -P ./compiler/compiler.deps
 tar -czvf compiler.tar.gz compiler/
 ```
 
@@ -340,6 +349,7 @@ sudo dpkg -i ./compiler/*.deb
 
 {{%/tab%}}
 
+
 {{%tab name="RHEL9, Oracle-9 "%}}
 
 ### Install on RHEL 9 or Oracle Linux 9
@@ -359,7 +369,8 @@ sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nms.repo
 sudo yum-config-manager --disable rhel-9-appstream-rhui-rpms
 sudo yum update -y
 sudo mkdir -p nms-nap-compiler
-sudo yumdownloader --resolve --destdir=nms-nap-compiler nms-nap-compiler-v5.442.0
+
+sudo yumdownloader --resolve --destdir=nms-nap-compiler nms-nap-compiler-v5.498.0
 tar -czvf compiler.tar.gz nms-nap-compiler/
 ```
 
@@ -376,6 +387,7 @@ sudo dnf install *.rpm --disablerepo=*
 
 {{%/tab%}}
 
+
 {{%tab name="Redhat-8, Oracle-8"%}}
 
 ### Install on RHEL-8 or Oracle Linux 8
@@ -401,7 +413,8 @@ EOF
 
 sudo yum update -y
 sudo mkdir -p nms-nap-compiler
-sudo yumdownloader --resolve --destdir=nms-nap-compiler nms-nap-compiler-v5.442.0
+
+sudo yumdownloader --resolve --destdir=nms-nap-compiler nms-nap-compiler-v5.498.0
 tar -czvf compiler.tar.gz nms-nap-compiler/
 ```
 
@@ -1194,21 +1207,21 @@ sudo /opt/nms-nap-compiler/app_protect-<version>/bin/apcompile -h
 **Example:**
 
 ```shell
-sudo /opt/nms-nap-compiler/app_protect-5.442.0/bin/apcompile -h
+sudo /opt/nms-nap-compiler/app_protect-5.498.0/bin/apcompile -h
 ```
 
 **Expected output:**
 
 ```text
 USAGE:
-    /opt/nms-nap-compiler/app_protect-5.442.0/bin/apcompile <options>
+    /opt/nms-nap-compiler/app_protect-5.498.0/bin/apcompile <options>
 
 Examples:
-    /opt/nms-nap-compiler/app_protect-5.442.0/bin/apcompile -p /path/to/policy.json -o mypolicy.tgz
-    /opt/nms-nap-compiler/app_protect-5.442.0/bin/apcompile -p policyA.json -g myglobal.json -o /path/to/policyA_bundle.tgz
-    /opt/nms-nap-compiler/app_protect-5.442.0/bin/apcompile -g myglobalsettings.json --global-state-outfile /path/to/myglobalstate.tgz
-    /opt/nms-nap-compiler/app_protect-5.442.0/bin/apcompile -b /path/to/policy_bundle.tgz --dump
-    /opt/nms-nap-compiler/app_protect-5.442.0/bin/apcompile -l logprofA.json -o /path/to/logprofA_bundle.tgz
+    /opt/nms-nap-compiler/app_protect-5.498.0/bin/apcompile -p /path/to/policy.json -o mypolicy.tgz
+    /opt/nms-nap-compiler/app_protect-5.498.0/bin/apcompile -p policyA.json -g myglobal.json -o /path/to/policyA_bundle.tgz
+    /opt/nms-nap-compiler/app_protect-5.498.0/bin/apcompile -g myglobalsettings.json --global-state-outfile /path/to/myglobalstate.tgz
+    /opt/nms-nap-compiler/app_protect-5.498.0/bin/apcompile -b /path/to/policy_bundle.tgz --dump
+    /opt/nms-nap-compiler/app_protect-5.498.0/bin/apcompile -l logprofA.json -o /path/to/logprofA_bundle.tgz
 ```
 
 ### Confirm NGINX Agent configuration on the NGINX App Protect WAF instance