nginx · JTorreG · Feb 17, 2025 · Feb 17, 2025 · Feb 17, 2025 · Feb 17, 2025
@@ -72,7 +72,7 @@ jobs:
         uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
         with:
           creds: ${{secrets.AZURE_CREDENTIALS_DOCS}}
- 
+
       - name: Retrieve secrets from Keyvault
         if: env.isProduction != 'true'
         id: keyvault

@@ -16,7 +16,9 @@ enableGitInfo = true
   ngf = '/nginx-gateway-fabric/:sections[1:]/:filename'
   nim = '/nginx-instance-manager/:sections[1:]/:filename'
   nms = '/nginx-management-suite/:sections[1:]/:filename'
+  unit = '/nginx-unit/:sections[1:]/:filename'
   agent = '/nginx-agent/:sections[1:]/:filename'
+  nginxaas = '/nginxaas/azure/:sections[1:]/:filename'
 
 [caches]
   [caches.modules]

@@ -0,0 +1,48 @@
+---
+docs: "DOCS-000"
+---
+
+If the diagnostic setting destination details included a storage account, logs show up in the storage container "insights-logs-nginxlogs" with the following format: `resourceID=/<NGINXaaS-resourceID>/y=<YYYY>/m=<MM>/d=<DD>/h=<HH>/PT1H.json`
+
+{{<bootstrap-table "table table-striped table-bordered">}}
+| **Attribute**               | **Description** |
+|-----------------------------|-----------------|
+| `<NGINXaaS-resourceID>`     | The resourceID of the NGINXaaS deployment in upper case.|
+| `<YYYY>`                    | The four-digit year when the log batch was generated.|
+| `<MM>`                      | The two-digit month when the log batch was generated.|
+| `<DD>`                      | The two-digit day when the log batch was generated.|
+| `<HH>`                      | The two-digit hour value that indicates the starting hour for the log batch, in 24 hour UTC format|
+{{</bootstrap-table>}}
+
+{{<note>}}It can take up to 90 minutes after adding diagnostic settings for logs to appear in the provided Azure Storage container.{{</note>}}
+
+Each log event in the "PT1H.json" file is written in a new line delimited JSON text format. The properties that show up in each log line are described in the [Top Level Common Schema](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs-schema#top-level-common-schema) documentation.
+
+For instance, an access log event logging to a particular file path will have attributes similar to this example:
+
+```yaml
+{
+	"category": "NginxLogs",
+	"location": "westcentralus",
+	"operationName": "NGINX.NGINXPLUS/NGINXDEPLOYMENTS/LOG",
+	"properties": {
+		"message": "172.92.129.50 - \"-\" [18/Jan/2024:17:59:00 +0000] \"GET / HTTP/1.1\" 200 11232 \"-\" \"curl/8.4.0\" \"-\" \"20.69.58.179\" sn=\"localhost\" rt=0.000 ua=\"-\" us=\"-\" ut=\"-\" ul=\"-\" cs=\"-\" ",
+		"filePath": "/var/log/nginx/access.log"
+	},
+	"resourceId": "/SUBSCRIPTIONS/FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF/RESOURCEGROUPS/RESOURCEGROUP1/PROVIDERS/NGINX.NGINXPLUS/NGINXDEPLOYMENTS/TEST1",
+	"time": "2024-01-18T17:59:00.363956795Z"
+}
+```
+
+If [syslog-based](#logging-to-syslog) logs are used, the log event entry has different **properties** sub-fields:
+
+```yaml
+#...
+"properties": {
+		"message": "172.92.129.50 - - [16/Jan/2024:18:00:00 +0000] \"GET / HTTP/1.1\" 200 11232 \"-\" \"curl/8.4.0\"",
+		"tag": "nginx",
+		"severity": "info",
+		"facility": "local7"
+	},
+#...
+```
@@ -0,0 +1,30 @@
+---
+docs: "DOCS-000"
+---
+
+If the diagnostic setting destination details included a Logs Analytics workspace, logs show up in the table "NGXOperationLogs" with the following non-standard attributes:
+
+{{<bootstrap-table "table table-striped table-bordered">}}
+| **Attribute**               | **Description** |
+|-----------------------------|-----------------|
+| **Location**                  | The location of the NGINXaaS resource.|
+| **Message**                 | The generated NGINX log line. |
+| **FilePath**                 | The path to which NGINX logs were configured to be logged to if the nginx config used file-based logs. |
+| **Tag**                 | The tag with which NGINX logs were generated if syslog-based log configuration is used. By default this is nginx |
+| **Facility**                 | The syslog facility with which NGINX logs were generated if syslog-based log configuration is used. |
+| **Severity**                | The syslog severity with which NGINX logs were generated if syslog-based log configuration is used. |
+
+{{</bootstrap-table>}}
+
+Using a [KQL](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/), a custom query can be run to view the logs:
+
+```
+NGXOperationLogs
+| where Location contains "eastus"
+```
+
+For more information on the standard attributes that appear in Logs Analytics,see the [Standard columns in Azure Monitor Logs](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-standard-columns) documentation.
+
+For more information on using [KQL](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/) see [Queries in Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/queries?tabs=groupby).
+
+{{<note>}}It can take up to 90 minutes after adding diagnostic settings for logs to appear in the provided Logs Analytics Workspace.{{</note>}}
@@ -0,0 +1,39 @@
+---
+docs: "DOCS-000"
+---
+
+NGINX access logs are disabled by default. You can enable access logs by adding **access_log** directives to your NGINX configuration to specify the location of the logs and formats. The log path should always be configured to be inside **/var/log/nginx**.
+
+```nginx
+http {
+	log_format myfmt '$remote_addr - $remote_user [$time_local] '
+						   '"$request" $status $body_bytes_sent '
+						   '"$http_referer" "$http_user_agent" "$gzip_ratio"';
+
+	access_log /var/log/nginx/nginx-access.log myfmt;
+	# ...
+}
+```
+
+{{<note>}} The **$time_local** variable includes the date and time for each log. It helps with ordering logs after export. {{</note>}}
+
+To explicitly disable access logs, apply the following config:
+
+```nginx
+http {
+	access_log off;
+}
+```
+
+or
+
+```nginx
+http {
+	access_log /dev/null;
+}
+```
+
+To learn more about how to specify `access__log` in different configuration levels and their effect, see [access_log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log)
+
+{{<warning>}}Unless you use **syslog**, keep NGINX logs in the **/var/log/nginx** directory. Otherwise, you may lose data from your logs.
+{{</warning>}}
@@ -0,0 +1,19 @@
+---
+docs: "DOCS-000"
+---
+
+By default, NGINXaaS for Azure puts the error log at **/var/log/nginx/error.log**. It includes messages with severity **error** and above.
+
+While you should configure log files in the **/var/log/nginx** directory, you can change the filename and severity level. For example, the following line in the NGINX configuration sends errors to the `nginx-error.log` file, and limits messages to a severity level of **emerg**:
+
+```nginx
+error_log /var/log/nginx/nginx-error.log emerg;
+```
+
+Alternatively, you can disable error logs completely with the following line:
+
+```nginx
+error_log /dev/null;
+```
+
+To learn more about how to specify `error_log` in different configuration levels, see the documentation of the [error_log](https://nginx.org/en/docs/ngx_core_module.html?#error_log) directive.
@@ -0,0 +1,8 @@
+---
+docs: "DOCS-000"
+---
+
+1. File-based logs must be configured to use the path **/var/log/nginx**.
+1. The **gzip** parameter for the **access_log** directive is not supported, and uploading a config with this parameter will cause an error.
+1. Logging **error_log** to a cyclic memory buffer using the **memory:** prefix is not allowed and will cause a config upload error.
+1. Egress Networking charges apply for traffic sent from the NGINX deployment to a syslog server present in a different VNet.
@@ -0,0 +1,11 @@
+---
+docs: "DOCS-1476"
+---
+
+An NGINX Capacity Unit (NCU) quantifies the capacity of an NGINX instance based on the underlying compute resources. This abstraction allows you to specify the desired capacity in NCUs without having to consider the regional hardware differences.
+
+An NGINX Capacity Unit consists of the following parameters:
+
+* CPU: an NCU provides 20 [Azure Compute Units](https://learn.microsoft.com/en-us/azure/virtual-machines/acu) (ACUs)
+* Bandwidth: an NCU provides 60 Mbps of network throughput
+* Concurrent connections: an NCU provides 400 concurrent connections. This performance is not guaranteed when NGINX App Protect WAF is used with NGINXaaS
@@ -0,0 +1,21 @@
+---
+docs: "DOCS-000"
+---
+
+- AKV to store certificates that you want to add to the deployment.
+
+- A user or system assigned identity associated with your NGINXaaS deployment. Ensure that your managed identity (MI) has read access to secrets stored in AKV:
+
+  - If using Azure RBAC for AKV, ensure that your MI has [Key Vault Secrets User](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-secrets-user) or higher permissions.
+
+  - If using Access Policies for AKV, ensure that your MI has *GET secrets* or higher permissions.
+
+- In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have read access to list certificates inside the Key Vault:
+
+  - If using Azure RBAC for AKV, ensure that you have [Key Vault Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-reader) or higher permissions.
+
+  - If using Access Policies for AKV, ensure that you have *LIST certificates* or higher permissions.
+
+  - If public access is disabled on your key vault, [configure Network Security Perimeter]({{< relref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) and add an inbound access rule to allow your client IP address.
+
+- If you're unfamiliar with Azure Key Vault, check out the [Azure Key Vault concepts](https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts) documentation from Microsoft.
@@ -0,0 +1,9 @@
+---
+docs: "DOCS-000"
+---
+
+- Confirm that you meet the [NGINXaaS Prerequisites]({{< relref "/nginxaas-azure/getting-started/prerequisites.md" >}}).
+- [Authenticate Terraform to Azure](https://learn.microsoft.com/en-us/azure/developer/terraform/authenticate-to-azure)
+- [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install)
+
+{{< caution >}} The examples in the NGINXaaS for Azure Snippets GitHub repository use the prerequisites module [available in the same repository](https://github.com/nginxinc/nginxaas-for-azure-snippets/tree/main/terraform/prerequisites). {{< /caution >}}
@@ -0,0 +1,6 @@
+---
+docs: "DOCS-000"
+---
+
+- [NGINXaaS Managed Identity Documentation]({{< relref "/nginxaas-azure/getting-started/managed-identity-portal.md" >}})
+- [NGINXaaS Azure Monitor Documentation]({{< relref "/nginxaas-azure/monitoring/enable-monitoring.md" >}})
@@ -392,7 +392,7 @@ In this example, the IP address will be checked in the `GeoLite2-Country.mmdb` d
 <span id="info"></span>
 ## More Info
 
-- [GeoIP2 Dynamic Module Installation Instructions]({{< relref "geoip2.md" >}})
+- [GeoIP2 Dynamic Module Installation Instructions]({{< relref "/nginx/admin-guide/dynamic-modules/geoip2.md" >}})
 
 - [MaxMind GeoIP2 Databases](https://www.maxmind.com/en/geoip2-databases)
 

@@ -0,0 +1,10 @@
+---
+title: "NGINXaaS for Azure"
+description: |
+  NGINX as a Service for Azure is an IaaS offering that is tightly integrated into Microsoft Azure public cloud and its ecosystem, making applications fast, efficient, and reliable with full lifecycle management of advanced NGINX traffic services.
+linkTitle: "NGINXaaS for Azure"
+menu: docs
+url: /nginxaas/azure/
+cascade:
+   logo: NGINX-for-Azure-icon.svg
+---
@@ -0,0 +1,8 @@
+---
+title: NGINX App Protect WAF (Preview)
+weight: 200
+url: /nginxaas/azure/app-protect/
+menu:
+  docs:
+    parent: NGINXaaS for Azure
+---
@@ -0,0 +1,107 @@
+---
+title: "Configure App Protect WAF"
+weight: 300
+categories: ["tasks"]
+toc: true
+url: /nginxaas/azure/app-protect/configure-waf/
+---
+
+## Overview
+
+This guide explains how to configure the F5 NGINX App Protect WAF security features.
+
+## Configure
+
+To use NGINX App Protect apply the following changes to the NGINX config file.
+
+1. Load the NGINX App Protect WAF module on the main context:
+
+```nginx
+load_module modules/ngx_http_app_protect_module.so;
+```
+
+2. Set the enforcer address:
+
+```nginx
+app_protect_enforcer_address 127.0.0.1:50000;
+```
+
+{{<note>}} The app_protect_enforcer_address directive is a required directive for Nginx App Protect to work and must match 127.0.0.1:50000{{</note>}}
+
+
+3. Enable NGINX App Protect WAF with the `app_protect_enable` directives in the appropriate scope. The `app_protect_enable` directive may be set in the `http`, `server`, and `location` contexts.
+
+It is recommended to have a basic policy enabled in the `http` or `server` context to process malicious requests in a more complete manner.
+
+```nginx
+app_protect_enable on;
+```
+
+4. Configure the path of the pre-compiled policy file to the `app_protect_policy_file` directive. You can find the list of supported policies and their paths under the [Precompiled Policies](#precompiled-policies) section.
+
+```nginx
+app_protect_policy_file /etc/app_protect/conf/NginxDefaultPolicy.json;
+```
+
+Sample Config with App Protect configured:
+
+```nginx
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 8192;
+pid /run/nginx/nginx.pid;
+
+load_module modules/ngx_http_app_protect_module.so;
+
+events {
+    worker_connections 4000;
+}
+
+error_log /var/log/nginx/error.log debug;
+
+http {
+    access_log off;
+    server_tokens "";
+
+    app_protect_enforcer_address 127.0.0.1:50000;
+
+    server {
+        listen 80 default_server;
+
+        location / {
+            app_protect_enable on;
+            app_protect_policy_file /etc/app_protect/conf/NginxDefaultPolicy.tgz;
+            proxy_pass http://127.0.0.1:80/proxy/$request_uri;
+        }
+
+        location /proxy {
+            default_type text/html;
+            return 200 "Hello World\n";
+        }
+    }
+}
+```
+
+## Precompiled Policies
+
+NGINXaaS for Azure ships with the two reference policies (Default and Strict) supported in NGINX App Protect. These policies are supported in both the blocking and transparent enforcement modes.
+For more information on these policies refer the NGINX App Protect [configuration guide](https://docs.nginx.com/nginx-app-protect-waf/v5/configuration-guide/configuration/).
+
+The following table shows the path to the precompiled policy file that needs to be used with the `app_protect_policy_file` directive:
+
+{{<bootstrap-table "table table-striped table-bordered">}}
+  | Policy                      | Enforcement Mode             | Path                                         |
+  |---------------------------- | ---------------------------- | -------------------------------------------- |
+  | Default                     | Strict                       | /etc/app_protect/conf/NginxDefaultPolicy.json |
+  | Default                     | Transparent                  | /etc/app_protect/conf/NginxDefaultPolicy_transparent.json |
+  | Strict                      | Strict                       | /etc/app_protect/conf/NginxStrictPolicy.json |
+  | Strict                      | Transparent                  | /etc/app_protect/conf/NginxStrictPolicy_transparent.json |
+{{</bootstrap-table>}}
+
+To view the contents of the available security policies, navigate to the azure portal and select the **Security Policies** tab in the App Protect section.
+
+{{<note>}}Custom policies are not supported at this time.{{</note>}}
+
+## What's next
+
+[Enable App Protect WAF Logs]({{< relref "/nginxaas-azure/app-protect/enable-logging.md" >}})
@@ -0,0 +1,25 @@
+---
+title: "Disable App Protect WAF"
+weight: 400
+categories: ["tasks"]
+toc: true
+url: /nginxaas/azure/app-protect/disable-waf/
+---
+
+## Overview
+This guide explains how to disable F5 NGINX App Protect WAF on an NGINX as a Service for Azure (NGINXaaS) deployment.
+
+## Before you start
+You must remove the WAF directives from your NGINX config file before attempting to disable WAF.
+
+## Disable App Protect WAF
+
+### Using the Microsoft Azure Portal
+
+Access the [Microsoft Azure portal](https://portal.azure.com)
+
+1. Go to your NGINXaaS for Azure deployment.
+
+2. Select NGINX app protect in the left menu.
+
+3. Select **Disable**.