You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This document describes how to use `apreload`, a tool for updating F5 WAF for NGINX configuration without reloading NGINX.
25
16
26
17
It interacts independently to NGINX, and can be used when any F5 WAF for NGINX files are modified, such as policies, logging profiles or global settings.
@@ -51,27 +42,31 @@ Optionally, using --help will issue this help message.
51
42
52
43
## Concurrent apreload executions
53
44
54
-
Concurrent NGINX reloads are enqueued and so are the entailed invocations to apreload by the NGINX App Protect WAF module.
45
+
Concurrent NGINX reloads are enqueued and so are calls to _apreload_ by the F5 NGINX for WAF.
46
+
47
+
When calling _apreload_ directly, it is possible to run it while the previous execution is still in progress. In this case, _apreload_ will wait until the current execution completes.
48
+
49
+
The new execution will will apply a new configuration, and the most recent configuration will only apply during during the execution period.
55
50
56
-
However, when invoking apreload directly, it is possible to invoke it while the previous invocation is still in progress. In this case, apreload will wait until the current invocation completes. The new invocation will bring a new configuration and the most recent configuration will only happen when the previous one is loaded.
51
+
In a scenario where an execution from an NGINX reload is followed by a direct _ap_reload_ call, the NGINX workers with the new NGINX configuration will be loaded as soon as the Enforcer finishes processing the existing configuration.
57
52
58
-
In a special scenario, when the first invocation comes from the NGINX reload followed immediately by a direct call to apreload. The NGINX workers with the new nginx.conf will be launched as soon as the Enforcer finishes the first configuration. Later, the most recent NGINX App Protect WAF configuration will be loaded (using with the same NGINX worker instances).
53
+
Once complete, the most recent F5 WAF for NGINX configuration will be loaded using with the same NGINX worker instances.
59
54
60
55
## Limitations with HTTP Header and XFF Modification
61
56
62
57
_apreload_ will not apply these two policy modifications:
63
58
64
-
- New userdefined HTTP headers, refer to User-defined HTTP Headers section. Note that modifications to existing user-defined headers will take effect in apreload.
65
-
- XFF trust modifications, refer to XFF Headers and Trust section for more details.
59
+
- New [user-defined HTTP headers](): it **will** apply changes to _existing_ user-defined headers.
60
+
-[XFF trust modifications]()
66
61
67
-
If you want to apply either of the above modifications, reload NGINX instead of using _apreload_.
62
+
If you want to apply either of the two, reload NGINX instead of using _apreload_.
68
63
69
64
## apreload events
70
65
71
66
_apreload_ events use the same format as operation log events written in the NGINX error log, reporting `configuration_load_success` or `configuration_load_failure` with JSON formatted details.
72
67
73
68
If any of the configuration files are invalid, _apreload_ will discover that and return the proper error message in the `configuration_load_failure event`.
74
69
75
-
The enforcer continues to run with the previous working configuration.
70
+
The enforcer will continue to run with the previous working configuration.
76
71
77
72
For more information, see the [Operation logs]({{< ref "/waf/logging/operation-logs.md">}}) topic.
0 commit comments