Merge branch 'main' into fips-url

Author: y82

content/nap-dos/deployment-guide/learn-about-deployment.md

@@ -413,22 +413,28 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s
 
 6. Enable Yum repositories to pull NGINX App Protect DoS dependencies:
 
-    If you have a RHEL subscription:
+    For RHEL subscription:
 
     ```shell
     sudo subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms
     sudo subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms
     sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
     ```
 
-7. Add NGINX Plus and NGINX App Protect DoS repository:
+    For RockyLinux:
+   
+    ```shell
+    sudo dnf -y install epel-release
+    ```
+
+8. Add NGINX Plus and NGINX App Protect DoS repository:
 
     ```shell
     sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo
     sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-dos-8.repo
     ```
 
-8. In case of fresh installation, update the repository and install the most recent version of the NGINX Plus App Protect DoS package (which includes NGINX Plus):
+9. In case of fresh installation, update the repository and install the most recent version of the NGINX Plus App Protect DoS package (which includes NGINX Plus):
 
     ```shell
     sudo dnf install app-protect-dos
@@ -457,7 +463,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s
     sudo dnf install app-protect-dos-27+2.4.0
     ```
 
-9. In case of upgrading from previously installed NGINX Plus App Protect DoS package (which includes NGINX Plus):
+10. In case of upgrading from previously installed NGINX Plus App Protect DoS package (which includes NGINX Plus):
 
     ```shell
     sudo dnf remove nginx-plus
@@ -621,14 +627,20 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s
 
 6. Enable the yum repositories to pull NGINX App Protect DoS dependencies:
 
-    If you have a RHEL subscription:
+    For RHEL subscription:
 
     ```shell
     sudo subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms
     sudo subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms
     sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
     ```
 
+    For RockyLinux:
+   
+    ```shell
+    sudo dnf -y install epel-release
+    ```
+
 7. Add the NGINX Plus and NGINX App Protect DoS repositories:
 
     ```shell

content/nginxaas-azure/changelog.md

@@ -14,6 +14,17 @@ To see a list of currently active issues, visit the [Known issues]({{< ref "/ngi
 To review older entries, visit the [Changelog archive]({{< ref "/nginxaas-azure/changelog-archive" >}}) section.
 
 
+## September 18, 2025
+
+- {{% icon-feature %}} **Notification on update to deployments using the Stable Upgrade Channel**
+
+   NGINXaaS for Azure deployments using the **Stable** [Upgrade Channel]({{< ref "/nginxaas-azure/quickstart/upgrade-channels.md" >}}) will be updated to [NGINX Plus Release 35 (R35)]({{< ref "/nginx/releases.md#nginxplusrelease-35-r35" >}}) during the week of Oct 06-10, 2025. This will also include updates to the following NGINX Plus modules:
+  - nginx-plus-module-njs
+
+   Please review the [NGINX Plus Release 35 (R35)]({{< ref "/nginx/releases.md#nginxplusrelease-35-r35" >}}) Release Notes carefully. If you have any concerns, it's recommended to validate your configuration against NGINX Plus R35 by setting up a test deployment using the **Preview** [Upgrade Channel]({{< ref "/nginxaas-azure/quickstart/upgrade-channels.md" >}}). See [these instructions]({{< ref "/nginxaas-azure/quickstart/recreate.md" >}}) on how to set up a deployment similar to your current one.
+
+   If you have any questions or concerns, please [contact us]({{< ref "/nginxaas-azure/get-help.md" >}}).
+
 ## August 18, 2025
 
 - {{% icon-feature %}} **Updates to NGINXaaS for Azure GitHub Action**

content/nginxaas-azure/getting-started/nginx-configuration/nginx-configuration-azure-cli.md

@@ -127,6 +127,15 @@ az nginx deployment configuration analyze --deployment-name $DEPLOYMENT_NAME \
       --package data="$TAR_DATA"
    ```
 
+   Upload a package with config files and protected files:
+
+   ```shell
+   az nginx deployment configuration create --deployment-name myDeployment \
+      --resource-group myResourceGroup --root-file nginx.conf --name default \
+      --package data="$TAR_DATA" \
+      protected-files="['nginx/servers/server1.conf','nginx/servers/server2.conf']"
+   ```
+
 - Multiple file configuration with protected files:
 
    ```shell

content/nginxaas-azure/getting-started/nginx-configuration/overview.md

@@ -25,17 +25,20 @@ The topics below provide information on NGINX configuration restrictions and dir
 NGINX configurations stored in GitHub can be applied to existing NGINXaaS for Azure deployments using custom GitHub Action workflows. See [NGINXaaS for Azure Deployment Action](https://github.com/nginxinc/nginx-for-azure-deploy-action) for documentation and examples on how to incorporate these workflows in your GitHub Actions CI/CD pipelines.
 
 ## NGINX filesystem restrictions
-NGINXaaS for Azure places restrictions on the instance's filesystem; only a specific set of directories are allowed to be read from and written to. Below is a table describing what directories the NGINX worker process can read and write to and what directories files can be written to. These files include certificate files and any files uploaded to the deployment, excluding NGINX configuration files.
 
-  {{< table >}}
-  | Allowed Directory | NGINX worker process can read/write to | Files can be written to |
-  |------------------ | ----------------- | ----------------- |
-  | /etc/nginx        |                   | &check;           |
-  | /opt              | &check;           | &check;           |
-  | /srv              | &check;           | &check;           |
-  | /tmp              | &check;           |                   |
-  | /var/cache/nginx  | &check;           |                   |
-  | /var/www          | &check;           | &check;           |
+NGINXaaS for Azure places restrictions on the instance’s filesystem; only a specific set of directories are allowed to be read from and written to. Below is a table describing what directories the NGINX worker process can read and write to and what directories files can be written to. These files include certificate files and any files uploaded to the deployment, excluding NGINX configuration files.
+
+ {{< table >}}
+
+| Directory         | Master Read | Master Write | Worker Read | Worker Write | Recommended Use                  |
+|-------------------|:-----------:|:------------:|:-----------:|:------------:|----------------------------------|
+| /etc/nginx/       |     ✔️      |      ✔️      |     ❌      |      ❌      | NGINX configuration, certificates, keys, application files (e.g. Lua or njs scripts)  |
+| /opt/             |     ✔️      |      ✔️      |     ✔️      |      ❌      | Application files (e.g. Lua scripts) |
+| /srv/             |     ✔️      |      ✔️      |     ✔️      |      ❌      | Application files                |
+| /var/www/         |     ✔️      |      ✔️      |     ✔️      |      ❌      | Static files (e.g. index.html)   |
+| /tmp/             |     ✔️      |      ✔️      |     ✔️      |      ✔️      | Temporary files                  |
+| /var/cache/nginx/ |     ✔️      |      ✔️      |     ✔️      |      ✔️      | Cache data                       |
+
 {{< /table >}}
 
 Attempts to access other directories will be denied and result in a `5xx` error.

content/nginxaas-azure/module-changelog.md

@@ -7,6 +7,29 @@ url: /nginxaas/azure/module-changelog/
 
 Learn about the modules supported by the latest versions of F5 NGINXaaS for Azure.
 
+## September 18, 2025 
+
+### Preview
+
+ {{<bootstrap-table "table table-bordered table-striped table-responsive table-sm">}}
+
+| Name                                     | Version                  | Description                                                            |
+|------------------------------------------|--------------------------|------------------------------------------------------------------------|
+| nginx-plus                               | 1.29.0 (nginx-plus-r35)    | NGINX Plus, provided by Nginx, Inc.                          |
+| nginx-agent                              | 1.20.16-2026591880  | NGINX Agent - Management for NGINXaaS                                  |
+| Operating System                         | Ubuntu 22.04.5      | Jammy Jellyfish, provided by Canonical Ltd.                            |
+| nginx-plus-module-geoip2                 | 35+3.4-1            | NGINX Plus 3rd-party GeoIP2 dynamic modules                            |
+| nginx-plus-module-headers-more           | 35+0.37-1           | NGINX Plus 3rd-party headers-more dynamic module                       |
+| nginx-plus-module-image-filter           | 35-1                | NGINX Plus image filter dynamic module                                 |
+| nginx-plus-module-lua                    | 35+0.10.28-1        | NGINX Plus 3rd-party Lua dynamic modules                               |
+| nginx-plus-module-ndk                    | 35+0.3.3-1          | NGINX Plus 3rd-party NDK dynamic module                                |
+| nginx-plus-module-njs                    | 35+0.9.1-1          | NGINX Plus njs dynamic modules                                         |
+| nginx-plus-module-otel                   | 35+0.1.2-1          | NGINX Plus OpenTelemetry dynamic module                                |
+| nginx-plus-module-xslt                   | 35-1                | NGINX Plus xslt dynamic module                                         |
+| nginx-plus-module-appprotect             | 35+5.498.0-1        | NGINX Plus app protect dynamic module version 5.498.0                  |
+| app-protect-module-plus                  | 35+5.498.0-1        | App-Protect package for Nginx Plus, includes all of the default files and examples. NGINX App Protect provides web application firewall (WAF) security protection for your web applications, including OWASP Top 10 attacks. |
+| app-protect-plugin                       | 6.20.0-1            | NGINX App Protect plugin |
+{{</bootstrap-table>}}
 
 ## Access module versions using data plane API:
 

content/nic/configuration/policy-resource.md

@@ -793,29 +793,6 @@ The feature is implemented using the NGINX [ngx_http_proxy_module](https://nginx
 
 A VirtualServer/VirtualServerRoute can reference multiple cache policies. However, only one can be applied: every subsequent reference will be ignored.
 
-## Using Policy
-
-You can use the usual `kubectl` commands to work with Policy resources, just as with built-in Kubernetes resources.
-
-For example, the following command creates a Policy resource defined in `access-control-policy-allow.yaml` with the name `webapp-policy`:
-
-```shell
-kubectl apply -f access-control-policy-allow.yaml
-
-policy.k8s.nginx.org/webapp-policy configured
-```
-
-You can get the resource by running:
-
-```shell
-kubectl get policy webapp-policy
-
-NAME            AGE
-webapp-policy   27m
-```
-
-For `kubectl get` and similar commands, you can also use the short name `pol` instead of `policy`.
-
 ### WAF
 
 {{< call-out "note" >}} The feature is implemented using the NGINX Plus [NGINX App Protect WAF Module]({{< ref "/nap-waf/" >}}). {{< /call-out >}}
@@ -863,6 +840,29 @@ policies:
 
 In this example NGINX Ingress Controller will use the configuration from the first policy reference `waf-policy-one`, and ignores `waf-policy-two`.
 
+## Using Policy
+
+You can use the usual `kubectl` commands to work with Policy resources, just as with built-in Kubernetes resources.
+
+For example, the following command creates a Policy resource defined in `access-control-policy-allow.yaml` with the name `webapp-policy`:
+
+```shell
+kubectl apply -f access-control-policy-allow.yaml
+
+policy.k8s.nginx.org/webapp-policy configured
+```
+
+You can get the resource by running:
+
+```shell
+kubectl get policy webapp-policy
+
+NAME            AGE
+webapp-policy   27m
+```
+
+For `kubectl get` and similar commands, you can also use the short name `pol` instead of `policy`.
+
 ### Applying Policies
 
 You can apply policies to both VirtualServer and VirtualServerRoute resources. For example:

content/nic/tutorials/security-monitoring.md

@@ -82,13 +82,24 @@ If you use custom container images, NGINX Agent must be installed along with NGI
 
 {{< call-out "note" >}} The `features` list must not contain `nginx-config-async` or `nginx-ssl-config` as these features can cause conflicts with NGINX Ingress Controller.{{< /call-out >}}
 
-3. Make sure that the ConfigMap is mounted to the NGINX Ingress Controller pod at `/etc/nginx-agent/nginx-agent.conf` by adding the following to the NGINX Ingress Controller deployment manifest:
+3. Make sure that the ConfigMap is mounted to the NGINX Ingress Controller pod at `/etc/nginx-agent/nginx-agent.conf` and the dynamic agent config is mounted at `/var/lib/nginx-agent` by adding the following volumes and volumeMounts to the NGINX Ingress Controller deployment manifest:
 
    ```yaml
-    volumeMounts:
-    - name: agent-conf
-      mountPath: /etc/nginx-agent/nginx-agent.conf
-      subPath: nginx-agent.conf
+   volumes:
+     - name: agent-conf
+       configMap:
+         name: agent-conf
+     - name: agent-dynamic
+       emptyDir: {}
+   ```
+
+   ```yaml
+   volumeMounts:
+     - name: agent-conf
+       mountPath: /etc/nginx-agent/nginx-agent.conf
+       subPath: nginx-agent.conf
+     - name: agent-dynamic
+       mountPath: /var/lib/nginx-agent
    ```
 
 4. Follow the [Installation with Manifests]({{< ref "/nic/installation/installing-nic/installation-with-manifests.md" >}}) instructions to deploy NGINX Ingress Controller with custom resources enabled.