diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-alpine.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-alpine.md index 93c53ad58..5051f737b 100644 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-alpine.md +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-alpine.md @@ -1,13 +1,15 @@ -1. Upload **nginx-repo.key** to **/etc/apk/cert.key** and **nginx-repo.crt** to **/etc/apk/cert.pem**. Make sure that files do not contain other certificates and keys: Alpine Linux does not support mixing client certificates for different repositories. +Move **nginx-repo.key** to **/etc/apk/cert.key** and **nginx-repo.crt** to **/etc/apk/cert.pem**. -2. Install prerequisite packages: +Make sure that files do not contain other certificates and keys: Alpine Linux does not support mixing client certificates for different repositories. - ```shell - sudo apk add openssl ca-certificates - ``` +Install prerequisite packages: -3. Put NGINX signing public key to directory `/etc/apk/keys`: +```shell +sudo apk add openssl ca-certificates +``` - ```shell - sudo wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub - ``` \ No newline at end of file +Add the NGINX signing public key to the directory `/etc/apk/keys`: + +```shell +sudo wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub +``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-amazon.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-amazon.md new file mode 100644 index 000000000..7a659678f --- /dev/null +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-amazon.md 
@@ -0,0 +1,26 @@ +Create the `/etc/ssl/nginx/` directory: + +```shell +sudo mkdir -p /etc/ssl/nginx +``` + +Upload the **nginx-repo.crt** and **nginx-repo.key** files to the `/etc/ssl/nginx/` directory. + +Remove any previously downloaded NGINX repository files from `/etc/yum.repos.d`: + +```shell +sudo rm /etc/yum.repos.d/nginx*.repo +sudo rm /etc/yum.repos.d/*app-protect*.repo +``` + +Install the required dependencies: + +```shell +sudo dnf install ca-certificates wget +``` + +Download the `dependencies.repo` file to `/etc/yum.repos.d`: + +```shell +sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo +``` diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-amzn2023.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-amzn2023.md deleted file mode 100644 index e793ec2ed..000000000 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-amzn2023.md +++ /dev/null @@ -1,26 +0,0 @@ -1. Create the `/etc/ssl/nginx` directory: - - ```shell - sudo mkdir -p /etc/ssl/nginx - ``` - -1. Upload the **nginx-repo.crt** and **nginx-repo.key** files to the `/etc/ssl/nginx/` directory. - -1. Remove any previously downloaded NGINX repository files from `/etc/yum.repos.d`: - - ```shell - sudo rm /etc/yum.repos.d/nginx*.repo - sudo rm /etc/yum.repos.d/*app-protect*.repo - ``` - -1. Install the required dependencies: - - ```shell - sudo dnf install ca-certificates wget - ``` - -1. Download the `dependencies.repo` file to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo - ``` diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-debian.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-debian.md index 57392212e..9be871a4e 100644 
--- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-debian.md +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-debian.md 
@@ -1,50 +1,50 @@ -1. Create the `/etc/ssl/nginx/` directory: +Create the `/etc/ssl/nginx/` directory: - ```shell - sudo mkdir -p /etc/ssl/nginx - ``` +```shell +sudo mkdir -p /etc/ssl/nginx +``` -2. Upload **nginx-repo.crt** and **nginx-repo.key** files to the `/etc/ssl/nginx/` directory. +Upload **nginx-repo.crt** and **nginx-repo.key** files to the `/etc/ssl/nginx/` directory. -3. Remove any previous NGINX repository and apt configuration files: +Remove any previous NGINX repository and apt configuration files: - ```shell - sudo rm /etc/apt/sources.list.d/nginx*.list - sudo rm /etc/apt/sources.list.d/*app-protect*.list - sudo rm /etc/apt/apt.conf.d/90pkgs-nginx - ``` +```shell +sudo rm /etc/apt/sources.list.d/nginx*.list +sudo rm /etc/apt/sources.list.d/*app-protect*.list +sudo rm /etc/apt/apt.conf.d/90pkgs-nginx +``` -4. Install prerequisite packages: +Install prerequisite packages: - ```shell - sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring - ``` +```shell +sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring +``` -5. Download and add the NGINX signing key: +Download and add the NGINX signing key: - ```shell - wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | \ - sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null - ``` +```shell +wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | \ +sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null +``` -6. Download the apt configuration to `/etc/apt/apt.conf.d`: +Download the apt configuration to `/etc/apt/apt.conf.d`: - ```shell - sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx - ``` +```shell +sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx +``` -7. 
Verify that the downloaded file contains the proper key: +Verify that the downloaded file contains the proper key: - ```shell - gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg - ``` +```shell +gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg +``` - The output should contain the full fingerprint `573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62` as follows: +The output should contain the full fingerprint `573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62` as follows: - ```none - pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] - 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 - uid nginx signing key - ``` +```none +pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] + 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 +uid nginx signing key +``` - If the fingerprint is different, remove the file. +If the fingerprint is different, remove the file. diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-dnf.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-dnf.md index 864264358..1c65c4115 100644 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-dnf.md +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-dnf.md 
@@ -1,26 +1,26 @@ -1. Create the `/etc/ssl/nginx` directory: +Create the `/etc/ssl/nginx/` directory: - ```shell - sudo mkdir -p /etc/ssl/nginx - ``` +```shell +sudo mkdir -p /etc/ssl/nginx +``` -2. Upload **nginx-repo.crt** and **nginx-repo.key** files to the `/etc/ssl/nginx/` directory. +Upload **nginx-repo.crt** and **nginx-repo.key** files to the `/etc/ssl/nginx/` directory. -3. Remove any previously downloaded NGINX repository files from `/etc/yum.repos.d`: +Remove any previously downloaded NGINX repository files from `/etc/yum.repos.d`: - ```shell - sudo rm /etc/yum.repos.d/nginx*.repo - sudo rm /etc/yum.repos.d/*app-protect*.repo - ``` +```shell +sudo rm /etc/yum.repos.d/nginx*.repo +sudo rm /etc/yum.repos.d/*app-protect*.repo +``` -4. Install required dependencies: +Install required dependencies: - ```shell - sudo dnf install ca-certificates wget - ``` +```shell +sudo dnf install ca-certificates wget +``` -5. Download the `dependencies.repo` file to `/etc/yum.repos.d`: +Download the `dependencies.repo` file to `/etc/yum.repos.d`: - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo - ``` \ No newline at end of file +```shell +sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo +``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-rhel-cen-74.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-rhel-cen-74.md index bd2335229..4dc0436e9 100644 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-rhel-cen-74.md +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-rhel-cen-74.md 
@@ -1,26 +1,26 @@ -1. Create the `/etc/ssl/nginx` directory: +Create the `/etc/ssl/nginx/` directory: - ```shell - sudo mkdir -p /etc/ssl/nginx - ``` +```shell +sudo mkdir -p /etc/ssl/nginx +``` -2. Upload **nginx-repo.crt** and **nginx-repo.key** files to the `/etc/ssl/nginx/` directory. +Upload **nginx-repo.crt** and **nginx-repo.key** files to the `/etc/ssl/nginx/` directory. -3. Remove any previously downloaded NGINX repository files from `/etc/yum.repos.d`: +Remove any previously downloaded NGINX repository files from `/etc/yum.repos.d`: - ```shell - sudo rm /etc/yum.repos.d/nginx*.repo - sudo rm /etc/yum.repos.d/*app-protect*.repo - ``` +```shell +sudo rm /etc/yum.repos.d/nginx*.repo +sudo rm /etc/yum.repos.d/*app-protect*.repo +``` -4. Install required dependencies: +Install required dependencies: - ```shell - sudo yum install ca-certificates wget - ``` +```shell +sudo yum install ca-certificates wget +``` -5. Download the `dependencies.repo` file to `/etc/yum.repos.d`: +Download the `dependencies.repo` file to `/etc/yum.repos.d`: - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo - ``` \ No newline at end of file +```shell +sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo +``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-ubuntu.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-ubuntu.md index e1aface88..7252cf64a 100644 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-ubuntu.md +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-ubuntu.md 
@@ -1,50 +1,50 @@ -1. Create the `/etc/ssl/nginx/` directory: +Create the `/etc/ssl/nginx/` directory: - ```shell - sudo mkdir -p /etc/ssl/nginx - ``` +```shell +sudo mkdir -p /etc/ssl/nginx +``` -2. Upload **nginx-repo.crt** and **nginx-repo.key** files to the `/etc/ssl/nginx/` directory. +Upload **nginx-repo.crt** and **nginx-repo.key** files to the `/etc/ssl/nginx/` directory. -3. Remove any previous NGINX repository and apt configuration files: +Remove any previous NGINX repository and apt configuration files: - ```shell - sudo rm /etc/apt/sources.list.d/nginx*.list - sudo rm /etc/apt/sources.list.d/*app-protect*.list - sudo rm /etc/apt/apt.conf.d/90pkgs-nginx - ``` +```shell +sudo rm /etc/apt/sources.list.d/nginx*.list +sudo rm /etc/apt/sources.list.d/*app-protect*.list +sudo rm /etc/apt/apt.conf.d/90pkgs-nginx +``` -4. Install prerequisite packages: +Install prerequisite packages: - ```shell - sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring - ``` +```shell +sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring +``` -5. Download and add the NGINX signing key: +Download and add the NGINX signing key: - ```shell - wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | \ - sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null - ``` +```shell +wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | \ +sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null +``` -6. Download the apt configuration to `/etc/apt/apt.conf.d`: +Download the apt configuration to `/etc/apt/apt.conf.d`: - ```shell - sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx - ``` +```shell +sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx +``` -7. 
Verify that the downloaded file contains the proper key: +Verify that the downloaded file contains the proper key: - ```shell - gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg - ``` +```shell +gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg +``` - The output should contain the full fingerprint `573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62` as follows: +The output should contain the full fingerprint `573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62` as follows: - ```none - pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] - 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 - uid nginx signing key - ``` +```none +pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] + 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 +uid nginx signing key +``` - If the fingerprint is different, remove the file. +If the fingerprint is different, remove the file. diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-alpine.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-alpine.md index b36d4ae10..d0ded5c53 100644 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-alpine.md +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-alpine.md 
@@ -1,15 +1,21 @@ -1. Set up the apk repository for mainline nginx packages: +Set up the apk repository for mainline nginx packages: - ```shell - printf "%s%s%s\n" \ - "http://nginx.org/packages/mainline/alpine/v" \ - `egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` \ - "/main" \ - | sudo tee -a /etc/apk/repositories - ``` +```shell +printf "%s%s%s\n" \ +"http://nginx.org/packages/mainline/alpine/v" \ +`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` \ +"/main" \ +| sudo tee -a /etc/apk/repositories +``` -2. Add the NGINX App Protect WAF v5 apk repository: +Add the NGINX App Protect WAF v5 apk repository: - ```shell - printf "https://pkgs.nginx.com/app-protect-x-oss/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories - ``` \ No newline at end of file +```shell +printf "https://pkgs.nginx.com/app-protect-x-oss/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories +``` + +Install the NGINX App Protect WAF v5 package: + +```shell +sudo apk add app-protect-module-oss +``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-amazon.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-amazon.md new file mode 100644 index 000000000..78a2f6ae1 --- /dev/null +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-amazon.md 
@@ -0,0 +1,29 @@ +Create the file named `/etc/yum.repos.d/nginx.repo` with the following contents: + +```none +[nginx-mainline] +name=nginx mainline repo +baseurl=http://nginx.org/packages/mainline/amzn/2023/$basearch/ +gpgcheck=1 +enabled=1 +gpgkey=https://nginx.org/keys/nginx_signing.key +module_hotfixes=true +``` + +Create the NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-oss.repo` with the following contents: + +```none +[app-protect-x-oss] +name=nginx-app-protect repo +baseurl=https://pkgs.nginx.com/app-protect-x-oss/amzn/2023/$basearch/ +sslclientcert=/etc/ssl/nginx/nginx-repo.crt +sslclientkey=/etc/ssl/nginx/nginx-repo.key +gpgcheck=0 +enabled=1 +``` + +Install the NGINX App Protect WAF v5 package. + +```shell +sudo dnf install app-protect-module-oss +``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-amzn2023.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-amzn2023.md deleted file mode 100644 index 306bb62c7..000000000 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-amzn2023.md +++ /dev/null @@ -1,23 +0,0 @@ -1. Create the file named `/etc/yum.repos.d/nginx.repo` with the following contents: - - ```none - [nginx-mainline] - name=nginx mainline repo - baseurl=http://nginx.org/packages/mainline/amzn/2023/$basearch/ - gpgcheck=1 - enabled=1 - gpgkey=https://nginx.org/keys/nginx_signing.key - module_hotfixes=true - ``` - -1. Create the NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-oss.repo` with the following contents: - - ```none - [app-protect-x-oss] - name=nginx-app-protect repo - baseurl=https://pkgs.nginx.com/app-protect-x-oss/amzn/2023/$basearch/ - sslclientcert=/etc/ssl/nginx/nginx-repo.crt - sslclientkey=/etc/ssl/nginx/nginx-repo.key - gpgcheck=0 - enabled=1 - ``` 
diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-7.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-7.md deleted file mode 100644 index 959626186..000000000 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-7.md +++ /dev/null @@ -1,31 +0,0 @@ -1. Create the file named `/etc/yum.repos.d/nginx.repo` with the following contents: - - ```none - [nginx-mainline] - name=nginx mainline repo - baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/ - gpgcheck=1 - enabled=1 - gpgkey=https://nginx.org/keys/nginx_signing.key - module_hotfixes=true - ``` - -2. Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-oss.repo` with the following contents: - - ```none - [app-protect-x-oss] - name=nginx-app-protect repo - baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/7/$basearch/ - sslclientcert=/etc/ssl/nginx/nginx-repo.crt - sslclientkey=/etc/ssl/nginx/nginx-repo.key - gpgcheck=0 - enabled=1 - ``` - -3. Install the NGINX App Protect WAF v5 package. - - ```shell - sudo yum install app-protect-module-oss - ``` - - When prompted to accept the GPG key, verify that the fingerprint matches `573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62`, and if so, accept it. \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-8.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-8.md deleted file mode 100644 index 987b8246c..000000000 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-8.md +++ /dev/null 
@@ -1,23 +0,0 @@ -1. Create the file named `/etc/yum.repos.d/nginx.repo` with the following contents: - - ```none - [nginx-mainline] - name=nginx mainline repo - baseurl=http://nginx.org/packages/mainline/centos/8/$basearch/ - gpgcheck=1 - enabled=1 - gpgkey=https://nginx.org/keys/nginx_signing.key - module_hotfixes=true - ``` - -2. Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-oss.repo` with the following contents: - - ```none - [app-protect-x-oss] - name=nginx-app-protect repo - baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/8/$basearch/ - sslclientcert=/etc/ssl/nginx/nginx-repo.crt - sslclientkey=/etc/ssl/nginx/nginx-repo.key - gpgcheck=0 - enabled=1 - ``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-9.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-9.md deleted file mode 100644 index fc2bc0d92..000000000 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-9.md +++ /dev/null @@ -1,23 +0,0 @@ -1. Create the file named `/etc/yum.repos.d/nginx.repo` with the following contents: - - ```none - [nginx-mainline] - name=nginx mainline repo - baseurl=http://nginx.org/packages/mainline/centos/9/$basearch/ - gpgcheck=1 - enabled=1 - gpgkey=https://nginx.org/keys/nginx_signing.key - module_hotfixes=true - ``` - -2. Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-oss.repo` with the following contents: - - ```none - [app-protect-x-oss] - name=nginx-app-protect repo - baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/9/$basearch/ - sslclientcert=/etc/ssl/nginx/nginx-repo.crt - sslclientkey=/etc/ssl/nginx/nginx-repo.key - gpgcheck=0 - enabled=1 - ``` \ No newline at end of file 
diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos.md new file mode 100644 index 000000000..a6a8611bf --- /dev/null +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos.md @@ -0,0 +1,31 @@ +Create the file named `/etc/yum.repos.d/nginx.repo` with the following contents: + +```none +[nginx-mainline] +name=nginx mainline repo +baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/ +gpgcheck=1 +enabled=1 +gpgkey=https://nginx.org/keys/nginx_signing.key +module_hotfixes=true +``` + +Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-oss.repo` with the following contents: + +```none +[app-protect-x-oss] +name=nginx-app-protect repo +baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/7/$basearch/ +sslclientcert=/etc/ssl/nginx/nginx-repo.crt +sslclientkey=/etc/ssl/nginx/nginx-repo.key +gpgcheck=0 +enabled=1 +``` + +Install the NGINX App Protect WAF v5 package. + +```shell +sudo yum install app-protect-module-oss +``` + +When prompted to accept the GPG key, verify that the fingerprint matches `573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62`, and if so, accept it. diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-debian.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-debian.md index e0cc660b9..ddd379b2d 100644 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-debian.md +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-debian.md 
@@ -1,22 +1,29 @@ -1. Add the NGINX Open Source repository: +Add the NGINX Open Source repository: - ```shell - echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" | \ - sudo tee /etc/apt/sources.list.d/nginx.list - ``` +```shell +echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" | \ +sudo tee /etc/apt/sources.list.d/nginx.list +``` -2. Set up repository pinning to prefer our packages over distribution-provided ones: +Set up repository pinning to prefer our packages over distribution-provided ones: - ```shell - echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | \ - sudo tee /etc/apt/preferences.d/99nginx - ``` +```shell +echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | \ +sudo tee /etc/apt/preferences.d/99nginx +``` -3. Add the NGINX App Protect WAF v5 repository: +Add the NGINX App Protect WAF v5 repository: - ```shell - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - https://pkgs.nginx.com/app-protect-x-oss/debian `lsb_release -cs` nginx-plus\n" | \ - sudo tee /etc/apt/sources.list.d/nginx-app-protect.list - ``` +```shell +printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +https://pkgs.nginx.com/app-protect-x-oss/debian `lsb_release -cs` nginx-plus\n" | \ +sudo tee /etc/apt/sources.list.d/nginx-app-protect.list +``` + +Install the NGINX App Protect WAF v5 package: + +```shell +sudo apt-get update +sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss +``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-ubuntu.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-ubuntu.md index 532e1ba3b..88769ecdd 100644 
--- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-ubuntu.md +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-ubuntu.md @@ -1,22 +1,29 @@ -1. Add the NGINX Open Source repository: +Add the NGINX Open Source repository: - ```shell - echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | \ - sudo tee /etc/apt/sources.list.d/nginx.list - ``` +```shell +echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | \ +sudo tee /etc/apt/sources.list.d/nginx.list +``` -2. Set up repository pinning to prefer our packages over distribution-provided ones: +Set up repository pinning to prefer our packages over distribution-provided ones: - ```shell - echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | \ - sudo tee /etc/apt/preferences.d/99nginx - ``` +```shell +echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | \ +sudo tee /etc/apt/preferences.d/99nginx +``` -3. Add the NGINX App Protect WAF v5 repository: +Add the NGINX App Protect WAF v5 repository: - ```shell - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - https://pkgs.nginx.com/app-protect-x-oss/ubuntu `lsb_release -cs` nginx-plus\n" | \ - sudo tee /etc/apt/sources.list.d/nginx-app-protect.list - ``` \ No newline at end of file +```shell +printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +https://pkgs.nginx.com/app-protect-x-oss/ubuntu `lsb_release -cs` nginx-plus\n" | \ +sudo tee /etc/apt/sources.list.d/nginx-app-protect.list +``` + +Install the NGINX App Protect WAF v5 package: + +```shell +sudo apt-get update +sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss +``` \ No newline at end of file 
diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-alpine.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-alpine.md index e3bc00e9e..b1a014052 100644 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-alpine.md +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-alpine.md @@ -1,11 +1,17 @@ -1. Add the NGINX Plus apk repository to `/etc/apk/repositories` file: +Add the NGINX Plus apk repository to `/etc/apk/repositories` file: - ```shell - printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories - ``` +```shell +printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories +``` -2. Add the NGINX App Protect WAF v5 repository: +Add the NGINX App Protect WAF v5 repository: - ```shell - printf "https://pkgs.nginx.com/app-protect-x-plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories - ``` \ No newline at end of file +```shell +printf "https://pkgs.nginx.com/app-protect-x-plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories +``` + +Install the NGINX App Protect WAF v5 package: + +```shell +sudo apk add app-protect-module-plus +``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-amazon.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-amazon.md new file mode 100644 index 000000000..25572401d --- /dev/null +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-amazon.md 
@@ -0,0 +1,23 @@ +Download the NGINX Plus repository file [plus-amazonlinux2023.repo](https://cs.nginx.com/static/files/plus-amazonlinux2023.repo) to `/etc/yum.repos.d`: + +```shell +sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo +``` + +Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-plus.repo` with the following contents: + +```none +[app-protect-x-plus] +name=nginx-app-protect repo +baseurl=https://pkgs.nginx.com/app-protect-x-plus/amzn/2023/$basearch/ +sslclientcert=/etc/ssl/nginx/nginx-repo.crt +sslclientkey=/etc/ssl/nginx/nginx-repo.key +gpgcheck=0 +enabled=1 +``` + +Install the NGINX App Protect WAF v5 package: + +```shell +sudo dnf install app-protect-module-plus +``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-amzn2023.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-amzn2023.md deleted file mode 100644 index 4cff9fc71..000000000 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-amzn2023.md +++ /dev/null @@ -1,17 +0,0 @@ -1. Download the NGINX Plus repository file [plus-amazonlinux2023.repo](https://cs.nginx.com/static/files/plus-amazonlinux2023.repo) to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo - ``` - -1. Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-plus.repo` with the following contents: - - ```none - [app-protect-x-plus] - name=nginx-app-protect repo - baseurl=https://pkgs.nginx.com/app-protect-x-plus/amzn/2023/$basearch/ - sslclientcert=/etc/ssl/nginx/nginx-repo.crt - sslclientkey=/etc/ssl/nginx/nginx-repo.key - gpgcheck=0 - enabled=1 - ``` 
diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-7.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-7.md deleted file mode 100644 index 34bc9e043..000000000 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-7.md +++ /dev/null @@ -1,23 +0,0 @@ -1. Download the NGINX Plus repository file [nginx-plus-amazon2.repo](https://cs.nginx.com/static/files/nginx-plus-amazon2.repo) to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-amazon2.repo - ``` - -2. Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-plus.repo` with the following contents: - - ```none - [app-protect-x-plus] - name=nginx-app-protect repo - baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/7/$basearch/ - sslclientcert=/etc/ssl/nginx/nginx-repo.crt - sslclientkey=/etc/ssl/nginx/nginx-repo.key - gpgcheck=0 - enabled=1 - ``` - -3. Install the NGINX App Protect WAF v5 package. - - ```shell - sudo yum install app-protect-module-plus - ``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-8.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-8.md deleted file mode 100644 index 13964e17a..000000000 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-8.md +++ /dev/null 
@@ -1,17 +0,0 @@ -1. Download the NGINX Plus repository file [nginx-plus-8.repo](https://cs.nginx.com/static/files/nginx-plus-8.repo) to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo - ``` - -2. Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-plus.repo` with the following contents: - - ```none - [app-protect-x-plus] - name=nginx-app-protect repo - baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/$basearch/ - sslclientcert=/etc/ssl/nginx/nginx-repo.crt - sslclientkey=/etc/ssl/nginx/nginx-repo.key - gpgcheck=0 - enabled=1 - ``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-9.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-9.md deleted file mode 100644 index af39fe968..000000000 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-9.md +++ /dev/null @@ -1,17 +0,0 @@ -1. Download the NGINX Plus repository file [plus-9.repo](https://cs.nginx.com/static/files/plus-9.repo) to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-9.repo - ``` - -2. Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-plus.repo` with the following contents: - - ```none - [app-protect-x-plus] - name=nginx-app-protect repo - baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/9/$basearch/ - sslclientcert=/etc/ssl/nginx/nginx-repo.crt - sslclientkey=/etc/ssl/nginx/nginx-repo.key - gpgcheck=0 - enabled=1 - ``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos.md new file mode 100644 index 000000000..62c9d71d4 --- /dev/null 
+++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos.md @@ -0,0 +1,17 @@ +Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-plus.repo` with the following contents: + +```none +[app-protect-x-plus] +name=nginx-app-protect repo +baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/$basearch/ +sslclientcert=/etc/ssl/nginx/nginx-repo.crt +sslclientkey=/etc/ssl/nginx/nginx-repo.key +gpgcheck=0 +enabled=1 +``` + +Install the NGINX App Protect WAF v5 package: + +```shell +sudo dnf install app-protect-module-plus +``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-debian.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-debian.md index 3f1307456..d98c93484 100644 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-debian.md +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-debian.md 
@@ -1,15 +1,22 @@ -1. Add the NGINX Plus repository: +Add the NGINX Plus repository: - ```shell - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \ - sudo tee /etc/apt/sources.list.d/nginx-plus.list - ``` +```shell +printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \ +sudo tee /etc/apt/sources.list.d/nginx-plus.list +``` -2. Add the NGINX App Protect WAF v5 repository: +Add the NGINX App Protect WAF v5 repository: - ```shell - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - https://pkgs.nginx.com/app-protect-x-plus/debian `lsb_release -cs` nginx-plus\n" | \ - sudo tee /etc/apt/sources.list.d/nginx-app-protect.list - ``` \ No newline at end of file +```shell +printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +https://pkgs.nginx.com/app-protect-x-plus/debian `lsb_release -cs` nginx-plus\n" | \ +sudo tee /etc/apt/sources.list.d/nginx-app-protect.list +``` + +Install the NGINX App Protect WAF v5 package: + +```shell +sudo apt-get update +sudo apt-get install app-protect-module-plus +``` \ No newline at end of file diff --git a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-ubuntu.md b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-ubuntu.md index eefabe0f5..1415de588 100644 --- a/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-ubuntu.md +++ b/content/includes/nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-ubuntu.md 
@@ -1,15 +1,22 @@ -1. Add the NGINX Plus repository: +Add the NGINX Plus repository: - ```shell - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | \ - sudo tee /etc/apt/sources.list.d/nginx-plus.list - ``` +```shell +printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | \ +sudo tee /etc/apt/sources.list.d/nginx-plus.list +``` -2. Add the NGINX App Protect WAF v5 repository: +Add the NGINX App Protect WAF v5 repository: - ```shell - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - https://pkgs.nginx.com/app-protect-x-plus/ubuntu `lsb_release -cs` nginx-plus\n" | \ - sudo tee /etc/apt/sources.list.d/nginx-app-protect.list - ``` \ No newline at end of file +```shell +printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +https://pkgs.nginx.com/app-protect-x-plus/ubuntu `lsb_release -cs` nginx-plus\n" | \ +sudo tee /etc/apt/sources.list.d/nginx-app-protect.list +``` + +Install the NGINX App Protect WAF v5 package: + +```shell +sudo apt-get update +sudo apt-get install app-protect-module-plus +``` \ No newline at end of file diff --git a/content/includes/nap-waf/nap-k8s-mtls-deployment.md b/content/includes/nap-waf/nap-k8s-mtls-deployment.md new file mode 100644 index 000000000..7a57b016d --- /dev/null +++ b/content/includes/nap-waf/nap-k8s-mtls-deployment.md 
@@ -0,0 +1,90 @@ +To secure traffic between NGINX and App Protect Enforcer using mTLS, follow the steps below: + +{{< note >}} Refer to the [Configuration Guide]({{< relref "/nap-waf/v5/configuration-guide/configuration.md#secure-traffic-between-nginx-and-app-protect-enforcer-using-mtls" >}}) to generate certificates and modify the `nginx.conf` for mTLS. +{{< /note >}} + +First, create a Kubernetes Secret that contains the certificate and key files: + +```shell + kubectl create secret generic enforcer-certificates \ + --from-file=app_protect_server.crt=/path/to/app_protect_server.crt \ + --from-file=app_protect_server.key=/path/to/app_protect_server.key \ + --from-file=app_protect_client_ca.crt=/path/to/app_protect_client_ca.crt +``` + +Next, update or create the `nap5-deployment.yaml` to mount the Secret as a volume and set the environment variables to point to the mounted files: + +```yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + name: nap5-deployment + spec: + selector: + matchLabels: + app: nap5 + replicas: 2 + template: + metadata: + labels: + app: nap5 + spec: + imagePullSecrets: + - name: regcred + containers: + - name: nginx + image: /nginx-app-protect-5: + imagePullPolicy: IfNotPresent + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: certs + mountPath: /etc/ssl/certs + readOnly: true + - name: waf-enforcer + image: private-registry.nginx.com/nap/waf-enforcer: + imagePullPolicy: IfNotPresent + env: + - name: ENFORCER_PORT + value: "4431" + - name: ENFORCER_SERVER_CERT + value: "/etc/ssl/certs/app_protect_server.crt" + - name: ENFORCER_SERVER_KEY + value: "/etc/ssl/certs/app_protect_server.key" + - name: ENFORCER_CA_FILE + value: "/etc/ssl/certs/app_protect_client_ca.crt" + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: certs + mountPath: /etc/ssl/certs + readOnly: true + - name: 
waf-config-mgr + image: private-registry.nginx.com/nap/waf-config-mgr: + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles + volumes: + - name: app-protect-bd-config + emptyDir: {} + - name: app-protect-config + emptyDir: {} + - name: app-protect-bundles + persistentVolumeClaim: + claimName: nap5-bundles-pvc + - name: certs + secret: + secretName: enforcer-certificates +``` \ No newline at end of file diff --git a/content/includes/nap-waf/nap-k8s-readonly-context.md b/content/includes/nap-waf/nap-k8s-readonly-context.md new file mode 100644 index 000000000..af7be68a9 --- /dev/null +++ b/content/includes/nap-waf/nap-k8s-readonly-context.md 
@@ -0,0 +1,129 @@ +The first step is to add the `readOnlyRootFilesystem` value (as *true*) to your Kubernetes pod security context as follows: + +```yaml +containers: + - name: nginx + ... + securityContext: + readOnlyRootFilesystem: true + - name: waf-enforcer + ... + securityContext: + readOnlyRootFilesystem: true + - name: waf-config-mgr + ... + securityContext: + readOnlyRootFilesystem: true +``` + +With a read-only root file system, you will likely still require write access for certain directories, such as logs and temporary files. You can add these directories by mounting them as writable volumes in your Kubernetes deployment. + +In this example, `/tmp` and `/var/log/nginx` are writable directories, essential for NGINX and App Protect operations. + +```yaml +containers: + - name: nginx + ... + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: tmp-volume + mountPath: /tmp + - name: nginx-log + mountPath: /var/log/nginx + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles +... 
+ +volumes: + - name: app-protect-bd-config + emptyDir: {} + - name: app-protect-config + emptyDir: {} + - name: nginx-log + emptyDir: {} + - name: tmp-volume + emptyDir: {} + - name: app-protect-bundles + persistentVolumeClaim: + claimName: nap5-bundles-pvc +``` + +A full example might look like the following: + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nap5-deployment +spec: + selector: + matchLabels: + app: nap5 + replicas: 2 + template: + metadata: + labels: + app: nap5 + spec: + imagePullSecrets: + - name: regcred + containers: + - name: nginx + image: /nginx-app-protect-5: + imagePullPolicy: IfNotPresent + securityContext: + readOnlyRootFilesystem: true + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: tmp-volume + mountPath: /tmp + - name: nginx-log + mountPath: /var/log/nginx + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles + - name: waf-enforcer + image: private-registry.nginx.com/nap/waf-enforcer: + imagePullPolicy: IfNotPresent + securityContext: + readOnlyRootFilesystem: true + env: + - name: ENFORCER_PORT + value: "50000" + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: waf-config-mgr + image: private-registry.nginx.com/nap/waf-config-mgr: + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles + volumes: + - name: app-protect-bd-config + emptyDir: {} + - name: app-protect-config + emptyDir: {} + - name: nginx-log + emptyDir: {} + - name: tmp-volume + emptyDir: {} + - name: app-protect-bundles + persistentVolumeClaim: + claimName: 
nap5-bundles-pvc +``` \ No newline at end of file diff --git a/content/includes/nap-waf/nap-k8s-readonly-introduction.md b/content/includes/nap-waf/nap-k8s-readonly-introduction.md new file mode 100644 index 000000000..09179d3c3 --- /dev/null +++ b/content/includes/nap-waf/nap-k8s-readonly-introduction.md @@ -0,0 +1,6 @@ +NGINX App Protect WAF v5 allows you to enable the `readOnlyRootFilesystem` option in your [Kubernetes Configuration]( +https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). This option restricts the root filesystem to read-only mode, which improves security by limiting potential write access in case of compromise. + +To enable this feature, you will need a Kubernetes cluster that supports read-only root file systems, and you access to the NGINX and NGINX App Protect WAF configurations. + +You may need to identify any extra paths that need to be writable by App Protect during runtime: the following steps assume you are using the defaults path. \ No newline at end of file diff --git a/content/includes/nap-waf/nap-k8s-readonly-issues.md b/content/includes/nap-waf/nap-k8s-readonly-issues.md new file mode 100644 index 000000000..1a0f24a12 --- /dev/null +++ b/content/includes/nap-waf/nap-k8s-readonly-issues.md @@ -0,0 +1,9 @@ +**Permission denied errors** + +If you encounter file permission issues, verify that the paths requiring write access are correctly configured as writable volumes in the pod manifest. + +**NGINX App Protect WAF initialization errors**: + +Check the NGINX and NGINX App Protect Logs to ensure that App Protect can write to necessary files like logs and temporary directories. + +For general issues, read the [Troubleshooting]({{< ref "/nap-waf/v5/troubleshooting-guide/troubleshooting.md" >}}) topic. \ No newline at end of file diff --git a/content/includes/nap-waf/nap-k8s-readonly-paths.md b/content/includes/nap-waf/nap-k8s-readonly-paths.md new file mode 100644 index 000000000..fe37cd434 --- /dev/null 
+++ b/content/includes/nap-waf/nap-k8s-readonly-paths.md @@ -0,0 +1,65 @@ +Once you have created writable paths in your Kubernetes cluster, you should update your NGINX configuration to use these paths. + +The following are fields in `nginx.conf` you should update, which correspond to writable volumes configured during the last step: + +```nginx +pid /tmp/nginx.pid; +... +http { +... + # Temporary directories for kubernetes "readonlyfilesystem" + client_body_temp_path /tmp/nginx-client-body; + proxy_temp_path /tmp/nginx-proxy; + fastcgi_temp_path /tmp/nginx-fastcgi; + uwsgi_temp_path /tmp/nginx-uwsgi; + scgi_temp_path /tmp/nginx-scgi; +... +} +``` + +A full example might look like the following: + +```nginx +user nginx; +worker_processes auto; + +# NGINX App Protect WAF +load_module modules/ngx_http_app_protect_module.so; + +error_log /var/log/nginx/error.log debug; +pid /tmp/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log; + + # Temporary directories for kubernetes "readonlyfilesystem" + client_body_temp_path /tmp/nginx-client-body; + proxy_temp_path /tmp/nginx-proxy; + fastcgi_temp_path /tmp/nginx-fastcgi; + uwsgi_temp_path /tmp/nginx-uwsgi; + scgi_temp_path /tmp/nginx-scgi; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + # NGINX App Protect WAF + app_protect_enforcer_address 127.0.0.1:50000; + + include /etc/nginx/conf.d/*.conf; +} +``` \ No newline at end of file diff --git a/content/includes/nap-waf/nap-k8s-use-compiled-bundles.md b/content/includes/nap-waf/nap-k8s-use-compiled-bundles.md new file mode 100644 index 000000000..ee7eb7348 --- /dev/null +++ b/content/includes/nap-waf/nap-k8s-use-compiled-bundles.md 
@@ -0,0 +1,7 @@ +In this setup, copy your compiled policy and logging profile bundles to `/mnt/nap5_bundles_pv_data` on a cluster node. Make sure that input files are accessible to UID 101. Then, in your NGINX configuration, refer to these files from `/etc/app_protect/bundles`. + +For example, to apply `custom_policy.tgz` that you've placed in `/mnt/nap5_bundles_pv_data/`, use: + +```nginx +app_protect_policy_file "/etc/app_protect/bundles/custom_policy.tgz"; +``` \ No newline at end of file diff --git a/content/includes/nap-waf/policy.html b/content/includes/nap-waf/policy.html index 6ad09bb82..de530f555 100644 --- a/content/includes/nap-waf/policy.html +++ b/content/includes/nap-waf/policy.html @@ -284,132 +284,139 @@

policy

+login-enforcement +Yes +object + + + + login-pages Yes array of objects A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions. - + methods Yes array of objects - + name No string The unique user-given name of the policy. Policy names cannot contain spaces or special characters. Allowed characters are a-z, A-Z, 0-9, dot, dash (-), colon (:) and underscore (_). - + open-api-files Yes array of objects - + override-rules Yes array of objects This section defines policy override rules. - + parameters Yes array of objects This section defines parameters that the security policy permits in requests. - + performStaging No boolean Determines staging handling for all applicable entities in the policy, such as signatures, URLs, parameters, and cookies. If disabled, all entities will be enforced and any violations triggered will be considered illegal. - + response-pages Yes array of objects The Security Policy has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. You can change the way the system responds to blocked requests. All default response pages contain a variable, <%TS.request.ID()%>, that the system replaces with a support ID number when it issues the page. - + sensitive-parameters Yes array of objects This section defines sensitive parameters. The contents of these parameters are not visible in logs nor in the user interfaces. Instead of actual values a string of asterisks is shown for these parameters. Use these parameters to protect sensitive user input, such as a password or a credit card number, in a validated request. A parameter name of "password" is always defined as sensitive by default. 
- + server-technologies Yes array of objects The server technology is a server-side application, framework, web server or operating system type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology. - + signature-requirements Yes array of objects - + signature-sets Yes array of objects Defines behavior when signatures found within a signature-set are detected in a request. Settings are culmulative, so if a signature is found in any set with block enabled, that signature will have block enabled. - + signature-settings Yes object - + signatures Yes array of objects This section defines the properties of a signature on the policy. - + template Yes object Specifies the template to populate the default attributes of a new policy. - + threat-campaigns Yes array of objects This section defines the enforcement state for the threat campaigns in the security policy. - + urls Yes array of objects In a security policy, you can manually specify the HTTP URLs that are allowed (or disallowed) in traffic to the web application being protected. When you create a security policy, wildcard URLs of * (representing all HTTP URLs) are added to the Allowed HTTP URLs lists. - + wafEngineVersion No string - + xml-profiles Yes array of objects @@ -859,6 +866,10 @@

loginA
  • alarm: The system will log the login attempt.
  • alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
  • +
  • alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
  • +
  • alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
  • +
  • alarm-and-drop: The system will log the login attempt and reset the TCP connection.
  • +
  • alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
    @@ -904,6 +915,8 @@

    logi
    • alarm: The system will log the login attempt.
    • +
    • alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
    • +
    • alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
      @@ -3231,6 +3244,86 @@

      json-validation-files

      +

      login-enforcement

      + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Field NameTypeDescriptionAllowed Values
      authenticatedUrlsarray of strings
      expirationTimePeriod
        +
      • integer minimum: 0 maximum: 99999
      • +
      • string
      • +
        +
      • Integer values
      • +
      • "disabled"
      • +
      logoutUrlsarray of objects
      +

      logoutUrls

      + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Field NameTypeDescriptionAllowed Values
      requestContainsstring
      requestOmitsstring
      urlobject

      login-pages

      @@ -6286,6 +6379,8 @@

      violations

    • VIOL_JSON_MALFORMED
    • VIOL_JSON_SCHEMA
    • VIOL_LOGIN
    • +
    • VIOL_LOGIN_URL_BYPASSED
    • +
    • VIOL_LOGIN_URL_EXPIRED
    • VIOL_MANDATORY_HEADER
    • VIOL_MANDATORY_PARAMETER
    • VIOL_MANDATORY_REQUEST_BODY
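Review bot: the new `login-enforcement` row in the policy table (`+login-enforcement +Yes +object`) is added with an empty description cell, and the `login-enforcement` field table added below lists `authenticatedUrls`, `expirationTimePeriod` and `logoutUrls` with no descriptions either, unlike neighbouring rows such as `login-pages`; add a sentence on what the object enforces, what `expirationTimePeriod` (`integer minimum: 0 maximum: 99999` or `"disabled"`) controls, and how `requestContains`, `requestOmits` and `url` in `logoutUrls` are matched. The two violations added in the same patch, `VIOL_LOGIN_URL_BYPASSED` and `VIOL_LOGIN_URL_EXPIRED`, should be referenced from that description so a reader can tell which setting raises which violation.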
    • diff --git a/content/nap-waf/v4/admin-guide/install.md b/content/nap-waf/v4/admin-guide/install.md index fb38d41c1..3158ac9d3 100644 --- a/content/nap-waf/v4/admin-guide/install.md +++ b/content/nap-waf/v4/admin-guide/install.md @@ -17,7 +17,7 @@ This guide explains how to deploy NGINX App Protect WAF as well as upgrade App P ### Using NGINX App Protect with NGINX Instance Manager NGINX Instance Manager provides centralized configuration management and visibility for your NGINX App Protect WAF fleet. -After completing the NGINX App Protect WAF installation, refer to the [NGINX Instance Manager Installation Guide](https://docs.nginx.com/nginx-instance-manager/deploy/) for the deployment instructions.
      +After completing the NGINX App Protect WAF installation, refer to the [NGINX Instance Manager Installation Guide](https://docs.nginx.com/nginx-instance-manager/deploy/) for the deployment instructions. ## Prerequisites @@ -27,21 +27,13 @@ NGINX Plus Release 22 and later supports NGINX App Protect WAF. NGINX App Protect WAF supports the following operating systems: -- [CentOS/RHEL 7.4.x and above](#centos-74-installation) - (Deprecated starting from release 4.11) +- [Alpine 3.19](#alpine-installation) +- [Amazon Linux 2023](#amazon-linux-installation) +- [Debian 11 (Bullseye) & 12 (Bookworm)](#debian-10--debian-11--debian-12-installation) +- [Oracle Linux 8.1.x and above](#oracle-linux-81-installation) - [RHEL 8.1.x and above](#rhel-81-installation) - [RHEL 9 and above](#rhel-9-installation) -- [Oracle Linux 8.1.x and above](#oracle-linux-81-installation) -- [Amazon Linux 2](#amazon-linux-2-lts-installation) - (Deprecated starting from release 4.11) -- [Amazon Linux 2023](#amazon-linux-2023-installation) -- [Debian 10 (Buster)](#debian-10--debian-11--debian-12-installation) - (Deprecated starting from NGINX Plus R28) -- [Debian 11 (Bullseye)](#debian-10--debian-11--debian-12-installation) -- [Debian 12 (Bookworm)](#debian-10--debian-11--debian-12-installation) -- [Ubuntu 18.04 (Bionic)](#ubuntu-1804--ubuntu-2004--ubuntu-2204--ubuntu-2404-installation) - (Deprecated starting from NGINX Plus R30) -- [Ubuntu 20.04 (Focal)](#ubuntu-1804--ubuntu-2004--ubuntu-2204--ubuntu-2404-installation) -- [Ubuntu 22.04 (Jammy)](#ubuntu-1804--ubuntu-2004--ubuntu-2204--ubuntu-2404-installation) -- [Ubuntu 24.04 (Noble)](#ubuntu-1804--ubuntu-2004--ubuntu-2204--ubuntu-2404-installation) -- [Alpine 3.17](#alpine-316-317--319-installation) -- [Alpine 3.19](#alpine-316-317--319-installation) +- [Ubuntu 20.04 (Focal), 22.04 (Jammy) & 24.04 (Noble)](#ubuntu-installation) The NGINX App Protect WAF package has the following dependencies: 
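Review bot: the Debian entry in the supported operating systems list, `- [Debian 11 (Bullseye) & 12 (Bookworm)](#debian-10--debian-11--debian-12-installation)`, points at an anchor that no longer exists once this patch renames the heading to `## Debian Installation`; change the target to `#debian-installation`. The retained `#rhel-81-installation` link needs the same check, since the `## RHEL 8.1+ Installation` heading is removed in a later hunk of this file.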
@@ -117,71 +109,84 @@ If a user other than **nginx** is to be used, note the following: For [docker deployment](#general-docker-deployment-instructions), modify the `entrypoint.sh` script to use the correct user instead of **nginx** when starting up the `bd-socket-plugin` process. +## Alpine Installation -## CentOS 7.4+ Installation - -1. If you already have NGINX packages on your system, back up your configs and logs: +1. If you already have NGINX packages in your system, back up your configs and logs: ```shell sudo cp -a /etc/nginx /etc/nginx-plus-backup sudo cp -a /var/log/nginx /var/log/nginx-plus-backup ``` -2. Create the `/etc/ssl/nginx/` directory: +2. Log in to the [Customer Portal](https://my.f5.com) and download the following two files: ```shell - sudo mkdir -p /etc/ssl/nginx + nginx-repo.key + nginx-repo.crt ``` -3. Log in to the [Customer Portal](https://my.f5.com) and download the following two files: +3. Upload `nginx-repo.key` to `/etc/apk/cert.key` and `nginx-repo.crt` to `/etc/apk/cert.pem`. Make sure that files do not contain other certificates and keys, as Alpine Linux does not support mixing client certificates for different repositories. + +4. Add the NGINX public signing key to the directory `/etc/apk/keys`: ```shell - nginx-repo.key - nginx-repo.crt + sudo wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub + + sudo wget -O /etc/apk/keys/app-protect-security-updates.rsa.pub https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub ``` -4. Copy the above two files to the CentOS server's `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. +5. Remove any previously configured NGINX Plus repository: -5. Install prerequisite packages: + ```shell + sed "/plus-pkgs.nginx.com/d" /etc/apk/repositories + ``` + +6. 
Add the NGINX Plus repository to `/etc/apk/repositories` file: ```shell - sudo yum install ca-certificates epel-release wget + printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories ``` -6. Remove any previously downloaded NGINX Plus repository file from `/etc/yum.repos.d`: +7. Add the NGINX App Protect WAF repository to `/etc/apk/repositories` file: ```shell - sudo rm /etc/yum.repos.d/nginx-plus-*.repo + printf "https://pkgs.nginx.com/app-protect/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories + + printf "https://pkgs.nginx.com/app-protect-security-updates/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories ``` -7. Add NGINX Plus repository by downloading the file `nginx-plus-7.4.repo` to `/etc/yum.repos.d`: +8. We recommend removing all community-supported NGINX packages. Note that all NGINX modules will be removed as well. ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo + sudo apk del -r app-protect + sudo apk del -r nginx ``` -8. Add NGINX App Protect WAF repository by downloading the file `app-protect-7.repo` to `/etc/yum.repos.d`: +9. Update the repository and install the most recent version of the NGINX Plus and NGINX App Protect WAF: ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo + sudo apk update + sudo apk add app-protect ``` -9. 
Install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): + Alternatively, use the following commands to install the most recent version of NGINX App Protect WAF for NGINX Plus R28: ```shell - sudo yum install app-protect + sudo apk update + sudo apk add app-protect ``` - Alternatively, you can use the following command to list available versions: + Alternatively, use the following commands to list available versions: ```shell - sudo yum --showduplicates list app-protect + sudo apk update + sudo apk info app-protect ``` - Then, install a specific version from the output of command above. For example: + Finally, install a specific version from the output of command above. For example: ```shell - sudo yum install app-protect-24+3.639.0 + sudo apk add app-protect=30.4.457.0-r1 ``` 10. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly: 
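Review bot: step 5 of the new Alpine section, `sed "/plus-pkgs.nginx.com/d" /etc/apk/repositories`, only prints the filtered file to stdout and leaves `/etc/apk/repositories` unchanged (no `-i`, and no `sudo` for a root-owned file); it also matches only the old `plus-pkgs.nginx.com` host, so the `pkgs.nginx.com/plus/alpine/...` and `pkgs.nginx.com/app-protect/...` entries that steps 6 and 7 append with `tee -a` are duplicated on every re-run. Use `sudo sed -i "/pkgs.nginx.com/d" /etc/apk/repositories` or a pattern that covers both hosts. In step 9, the "Alternatively, use the following commands to install the most recent version of NGINX App Protect WAF for NGINX Plus R28" block repeats the exact two commands of the block above it (`sudo apk update` / `sudo apk add app-protect`), so it is not an alternative; either drop it or pin a version there, as the later `sudo apk add app-protect=30.4.457.0-r1` example does.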
@@ -190,169 +195,140 @@ If a user other than **nginx** is to be used, note the following: sudo nginx -v ``` -11. Load the NGINX App Protect WAF module on the main context in the `nginx.conf`: +11. Load the NGINX App Protect WAF module on the main context in the `nginx.conf` file: ```nginx load_module modules/ngx_http_app_protect_module.so; ``` -12. Enable NGINX App Protect WAF on an `http/server/location` context in the `nginx.conf` file: +12. Enable NGINX App Protect WAF on an `http/server/location` context in the `nginx.conf` via: ```nginx app_protect_enable on; ``` -13. Optionally, install a prebuilt SELinux policy module for NGINX App Protect WAF (or configure SELinux as appropriate per your organization's security policies): - - ```shell - sudo yum install app-protect-selinux - ``` - - If you encounter any issues, check the [Troubleshooting Guide]({{< ref "/nap-waf/v4/troubleshooting-guide/troubleshooting#selinux" >}}). - -14. To enable the NGINX/App Protect WAF service start at boot, run the command: +13. Start the App Protect and NGINX services: ```shell - sudo systemctl enable nginx.service + sudo service nginx-app-protect start + sudo service nginx start ``` -15. Start the NGINX service: - - ```shell - sudo systemctl start nginx - ``` +--- -## RHEL 7.4+ Installation +## Amazon Linux Installation -1. If you already have NGINX packages in your system, back up your configs and logs: +1. If you already have NGINX packages in your system, back up your configuration and log files: ```shell sudo cp -a /etc/nginx /etc/nginx-plus-backup sudo cp -a /var/log/nginx /var/log/nginx-plus-backup ``` -2. Create the `/etc/ssl/nginx/` directory: +1. Create the `/etc/ssl/nginx/` directory: ```shell sudo mkdir -p /etc/ssl/nginx ``` -3. Log in to the [Customer Portal](https://my.f5.com) and download the following two files: +1. Log into [MyF5](https://my.f5.com) and download the following two files: ```shell nginx-repo.key nginx-repo.crt ``` -4. 
Copy the above two files to the RHEL server's `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. - -5. Install prerequisite packages: - - ```shell - sudo yum install ca-certificates wget - ``` +1. Copy `nginx-repo.key` and `nginx-repo.crt` to the RHEL server's `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. -6. Remove any previously downloaded NGINX Plus repository file from `/etc/yum.repos.d`: +1. Install prerequisite packages: ```shell - sudo rm /etc/yum.repos.d/nginx-plus-*.repo + sudo dnf install ca-certificates wget ``` -7. Add NGINX Plus repository by downloading the file `nginx-plus-7.4.repo` to `/etc/yum.repos.d`: +1. Remove any previously downloaded NGINX Plus repository files from `/etc/yum.repos.d`: ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo + sudo rm /etc/yum.repos.d/plus-*.repo ``` -8. Add NGINX App Protect WAF repository by downloading the file `app-protect-7.repo` to `/etc/yum.repos.d`: +1. Add the NGINX Plus repository by downloading the file `plus-amazonlinux2023.repo` to `/etc/yum.repos.d`: ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo + sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo ``` -9. Enable Yum repositories to pull App Protect dependencies: - - Download the file `dependencies.repo` to `/etc/yum.repos.d`: +1. 
Add the NGINX App Protect WAF repository by downloading the file `app-protect-amazonlinux2023.repo` to `/etc/yum.repos.d`: ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo + sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo ``` - If you have a RHEL subscription: - - ```shell - sudo yum-config-manager --enable rhui-REGION-rhel-server-optional rhui-REGION-rhel-server-releases rhel-7-server-optional-rpms - ``` +1. Enable Yum repositories to pull App Protect dependencies: - If you don't have a RHEL subscription, you can pull the dependencies from the CentOS repository: - Create a new repository `centos.repo` in `/etc/yum.repos.d/` with the content: + Download the file `dependencies.amazonlinux2023.repo` to `/etc/yum.repos.d`: ```shell - [centos] - name=CentOS-7 - baseurl=http://ftp.heanet.ie/pub/centos/7/os/x86_64/ - enabled=1 - gpgcheck=1 - gpgkey=http://ftp.heanet.ie/pub/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7 + sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo ``` -10. Install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): +1. Install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): ```shell - sudo yum install app-protect + sudo dnf install app-protect ``` Alternatively, you can use the following command to list available versions: ```shell - sudo yum --showduplicates list app-protect + sudo dnf --showduplicates list app-protect ``` Then, install a specific version from the output of command above. For example: ```shell - sudo yum install app-protect-24+3.639.0 + sudo dnf install app-protect-31+4.641.0 ``` -11. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly: +1. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly: ```shell sudo nginx -v ``` -12. 
Load the NGINX App Protect WAF module on the main context in the `nginx.conf`: +1. Load the NGINX App Protect WAF module on the main context in the `nginx.conf`: ```nginx load_module modules/ngx_http_app_protect_module.so; ``` -13. Enable NGINX App Protect WAF on an `http/server/location` context in the `nginx.conf` file: +1. Enable NGINX App Protect WAF on an `http/server/location` context in the `nginx.conf` file: ```nginx app_protect_enable on; ``` -14. Optionally, install a prebuilt SELinux policy module for NGINX App Protect WAF (or configure SELinux as appropriate per your organization's security policies): +1. Optionally, install a prebuilt SELinux policy module for NGINX App Protect WAF (or configure SELinux as appropriate per your organization's security policies): ```shell - sudo yum install app-protect-selinux + sudo dnf install app-protect-selinux ``` If you encounter any issues, check the [Troubleshooting Guide]({{< ref "/nap-waf/v4/troubleshooting-guide/troubleshooting#selinux" >}}). -15. To enable the NGINX/App Protect WAF service start at boot, run the command: +1. To enable the NGINX/App Protect WAF service start at boot, run the command: ```shell sudo systemctl enable nginx.service ``` -16. Start the NGINX service: +1. Start the NGINX service: ```shell sudo systemctl start nginx ``` -## RHEL 8.1+ Installation +## Debian Installation 1. If you already have NGINX packages in your system, back up your configs and logs: @@ -361,10 +337,11 @@ If a user other than **nginx** is to be used, note the following: sudo cp -a /var/log/nginx /var/log/nginx-plus-backup ``` -2. Create the `/etc/ssl/nginx/` directory: +2. Create the `/etc/ssl/nginx/` directory and change the directory to the SSL certificate directory after creating the folder: ```shell sudo mkdir -p /etc/ssl/nginx + cd /etc/ssl/nginx ``` 3. Log in to the [Customer Portal](https://my.f5.com) and download the following two files: 
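Review bot: step 4 of the new Amazon Linux 2023 section still reads "Copy `nginx-repo.key` and `nginx-repo.crt` to the RHEL server's `/etc/ssl/nginx/` directory"; the wording was carried over from the RHEL 7.4 section this hunk replaces and should say "the Amazon Linux server's". The cleanup step `sudo rm /etc/yum.repos.d/plus-*.repo` also only removes the NGINX Plus repo file, so a previously downloaded `app-protect-*.repo` stays in place and can shadow the new `app-protect-amazonlinux2023.repo`; the Debian section's step 7 removes `*app-protect*.list` as well, and this section should do the same for `*app-protect*.repo`.

Review bot: step 2 of the Debian section now appends `cd /etc/ssl/nginx` after `sudo mkdir -p /etc/ssl/nginx`, but nothing after it depends on the working directory (step 4 copies the files with SCP and every later command uses absolute paths), so the `cd` and the phrase "and change the directory to the SSL certificate directory after creating the folder" add nothing and can be dropped.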
@@ -374,103 +351,126 @@ If a user other than **nginx** is to be used, note the following: nginx-repo.crt ``` -4. Copy the above two files to the RHEL server's `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. +4. Copy the above two files to the Debian server's `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. 5. Install prerequisite packages: ```shell - sudo dnf install ca-certificates wget + sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 ``` -6. Remove any previously downloaded NGINX Plus repository file from `/etc/yum.repos.d`: + {{< note >}} In case the apt installation or database update fails due to release info change, run the below command before you install. {{< /note >}} ```shell - sudo rm /etc/yum.repos.d/nginx-plus-8.repo + sudo apt-get update --allow-releaseinfo-change ``` -7. Add NGINX Plus repository by downloading the file `nginx-plus-8.repo` to `/etc/yum.repos.d`: +6. Download and add the NGINX signing keys: ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo + wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | \ + sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null + + wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor | \ + sudo tee /usr/share/keyrings/app-protect-security-updates.gpg >/dev/null ``` -8. Add NGINX App Protect WAF repository by downloading the file `app-protect-8.repo` to `/etc/yum.repos.d`: +7. Remove any previous NGINX Plus repository and apt configuration files: ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-8.repo + sudo rm /etc/apt/sources.list.d/nginx-plus.list + sudo rm /etc/apt/sources.list.d/*app-protect*.list + sudo rm /etc/apt/apt.conf.d/90pkgs-nginx ``` -9. 
Enable Yum repositories to pull App Protect dependencies: - - Download the file `dependencies.repo` to `/etc/yum.repos.d`: +8. Add NGINX Plus repository: ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo + printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \ + sudo tee /etc/apt/sources.list.d/nginx-plus.list ``` - Enable `codeready-builder` repository through subscription manager: +9. Add NGINX App Protect WAF repositories: ```shell - sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms + printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" | \ + sudo tee /etc/apt/sources.list.d/nginx-app-protect.list + + printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] \ + https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | \ + sudo tee /etc/apt/sources.list.d/app-protect-security-updates.list ``` -10. Install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): +10. Download the apt configuration to `/etc/apt/apt.conf.d`: ```shell - sudo dnf install app-protect + sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx ``` - Alternatively, you can use the following command to list available versions: +11. Update the repository and install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): ```shell - sudo dnf --showduplicates list app-protect + sudo apt-get update + sudo apt-get install app-protect ``` - Then, install a specific version from the output of command above. 
For example: + Alternatively, to install a specific version, use the following commands to update and list available versions: ```shell - sudo dnf install app-protect-31+4.641.0 + sudo apt-get update + sudo apt-cache policy app-protect ``` -11. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly: + {{< note >}} When installing an older version of NGINX App Protect WAF, the dependent packages have to be installed manually, as shown in the command above. The following script can be used to find out the dependent packages for a specific version of NGINX App Protect WAF.{{< /note >}} ```shell - sudo nginx -v + findDeps () { local pkgs=$(apt show $1 2>/dev/null | grep Depends: | grep -oE "(nginx-plus-module|app-protect)-[a-z]+ *\(= *[0-9\+\.-]+~`lsb_release -cs`\)" | tr -d ' ()'); for p in ${pkgs[@]}; do echo $p; findDeps $p; done; } + findDeps app-protect=24+3.639.0-1~[OS_CODENAME] ``` -12. Load the NGINX App Protect WAF module on the main context in the `nginx.conf`: + Finally, install a specific version from the output of command above. For example: - ```nginx - load_module modules/ngx_http_app_protect_module.so; + ```shell + sudo apt-get install -y app-protect-compiler=8.7.4-1~[OS_CODENAME] \ + app-protect-plugin=3.639.0-1~[OS_CODENAME] \ + nginx-plus-module-appprotect=24+3.639.0-1~[OS_CODENAME]\ + app-protect-engine=8.7.4-1~[OS_CODENAME] \ + app-protect=24+3.639.0-1~[OS_CODENAME] \ + app-protect-common=8.7.4-1~[OS_CODENAME] ``` -13. Enable NGINX App Protect WAF on an `http/server/location` context in the `nginx.conf` file: - - ```nginx - app_protect_enable on; - ``` + Replace the [OS_CODENAME] in the above example with **bullseye** for Debian 11 or **bookworm** for Debian 12. -14. Optionally, install a prebuilt SELinux policy module for NGINX App Protect WAF (or configure SELinux as appropriate per your organization's security policies): +12. 
Check the NGINX binary version to ensure that you have NGINX Plus installed correctly: ```shell - sudo dnf install app-protect-selinux + sudo nginx -v ``` - If you encounter any issues, check the [Troubleshooting Guide]({{< ref "/nap-waf/v4/troubleshooting-guide/troubleshooting#selinux" >}}). +13. Load the NGINX App Protect WAF module on the main context in the `nginx.conf` file: -15. To enable the NGINX/App Protect WAF service start at boot, run the command: + ```nginx + load_module modules/ngx_http_app_protect_module.so; + ``` - ```shell - sudo systemctl enable nginx.service +14. Enable NGINX App Protect WAF on an `http/server/location` context in the `nginx.conf` via: + + ```nginx + app_protect_enable on; ``` -16. Start the NGINX service: +15. Start the NGINX service: ```shell sudo systemctl start nginx ``` -## RHEL 9+ Installation +{{< warning >}} Debian enables **AppArmor** by default, but NGINX App Protect WAF will run in unconfined mode after being installed as it is shipped with no AppArmor profile. To benefit from AppArmor access control capabilities for NGINX App Protect WAF, you will have to write your own AppArmor profile for NGINX App Protect WAF executables found in `/opt/app_protect/bin` such that it best suits your environment. +{{< /warning >}} + +## Oracle Linux / RHEL 8.1+ Installation 1. If you already have NGINX packages in your system, back up your configs and logs: 
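Review bot: the Debian section's last step is now "15. Start the NGINX service" with `sudo systemctl start nginx`, while the `sudo systemctl enable nginx.service` step that the Amazon Linux and RHEL sections keep has been dropped; a Debian host set up from this page will not bring the WAF up after a reboot. Either restore the enable step or state why Debian differs. Two smaller points in the same hunk: the note "the dependent packages have to be installed manually, as shown in the command above" sits directly under `sudo apt-cache policy app-protect`, but the manual install command it refers to comes below it, so "above" should be "below"; and the pinned examples (`findDeps app-protect=24+3.639.0-1~[OS_CODENAME]`, `app-protect=24+3.639.0-1~[OS_CODENAME]`) use an R24-era version while the RHEL and Amazon Linux sections use `31+4.641.0`, so the example versions should be aligned. Step 7's `sudo rm /etc/apt/sources.list.d/nginx-plus.list` will also print an error on a clean host where the file does not exist; `rm -f` avoids that.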
@@ -492,30 +492,30 @@ If a user other than **nginx** is to be used, note the following: nginx-repo.crt ``` -4. Copy the above two files to the RHEL server's `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. +4. Copy the above two files to the `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. 5. Install prerequisite packages: ```shell - sudo dnf install ca-certificates wget + sudo dnf install ca-certificates wget yum-utils ``` 6. Remove any previously downloaded NGINX Plus repository file from `/etc/yum.repos.d`: ```shell - sudo rm /etc/yum.repos.d/plus-*.repo + sudo rm /etc/yum.repos.d/nginx-plus-*.repo ``` -7. Add NGINX Plus repository by downloading the file `plus-9.repo` to `/etc/yum.repos.d`: +7. Add NGINX Plus repository by downloading the file `nginx-plus-8.repo` to `/etc/yum.repos.d`: ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-9.repo + sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo ``` -8. Add NGINX App Protect WAF repository by downloading the file `app-protect-9.repo` to `/etc/yum.repos.d`: +8. Add NGINX App Protect WAF repository by downloading the file `app-protect-8.repo` to `/etc/yum.repos.d`: ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-9.repo + sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-8.repo ``` 9. Enable Yum repositories to pull App Protect dependencies: 
@@ -526,10 +526,10 @@ If a user other than **nginx** is to be used, note the following: sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo ``` - Enable `codeready-builder` repository through subscription manager: + Enable `ol8_codeready_builder` repository: ```shell - sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms + dnf config-manager --set-enabled ol8_codeready_builder ``` 10. Install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): @@ -547,7 +547,7 @@ If a user other than **nginx** is to be used, note the following: Then, install a specific version from the output of command above. For example: ```shell - sudo dnf install app-protect-31+4.641.0 + sudo dnf install app-protect-26+3.890.0 ``` 11. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly: @@ -588,7 +588,9 @@ If a user other than **nginx** is to be used, note the following: sudo systemctl start nginx ``` -## Oracle Linux 8.1+ Installation +--- + +## RHEL 9+ Installation 1. If you already have NGINX packages in your system, back up your configs and logs: 
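Review bot: the section is now titled "Oracle Linux / RHEL 8.1+", but this hunk replaces `sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms` with `dnf config-manager --set-enabled ol8_codeready_builder`, which is an Oracle Linux repo id. A RHEL 8 reader following the merged section therefore has no way to enable CodeReady Builder, while the RHEL 9 section below keeps its subscription-manager step; keep both commands, labelled per distro. The new command is also the only one in the section run without `sudo`, although `--set-enabled` edits the repo file under `/etc/yum.repos.d`. Finally the pinned example changes from `app-protect-31+4.641.0` to the older `app-protect-26+3.890.0`; if that is only because the older value came from the Oracle section, the newer one used elsewhere on the page is the better example.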
@@ -610,30 +612,30 @@ If a user other than **nginx** is to be used, note the following: nginx-repo.crt ``` -4. Copy the above two files to the Oracle Linux server's `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. +4. Copy the above two files to the RHEL server's `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. 5. Install prerequisite packages: ```shell - sudo dnf install ca-certificates wget yum-utils + sudo dnf install ca-certificates wget ``` 6. Remove any previously downloaded NGINX Plus repository file from `/etc/yum.repos.d`: ```shell - sudo rm /etc/yum.repos.d/nginx-plus-*.repo + sudo rm /etc/yum.repos.d/plus-*.repo ``` -7. Add NGINX Plus repository by downloading the file `nginx-plus-8.repo` to `/etc/yum.repos.d`: +7. Add NGINX Plus repository by downloading the file `plus-9.repo` to `/etc/yum.repos.d`: ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo + sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-9.repo ``` -8. Add NGINX App Protect WAF repository by downloading the file `app-protect-8.repo` to `/etc/yum.repos.d`: +8. Add NGINX App Protect WAF repository by downloading the file `app-protect-9.repo` to `/etc/yum.repos.d`: ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-8.repo + sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-9.repo ``` 9. Enable Yum repositories to pull App Protect dependencies: 
@@ -644,10 +646,10 @@ If a user other than **nginx** is to be used, note the following: sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo ``` - Enable `ol8_codeready_builder` repository: + Enable `codeready-builder` repository through subscription manager: ```shell - dnf config-manager --set-enabled ol8_codeready_builder + sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms ``` 10. Install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): @@ -665,7 +667,7 @@ If a user other than **nginx** is to be used, note the following: Then, install a specific version from the output of command above. For example: ```shell - sudo dnf install app-protect-26+3.890.0 + sudo dnf install app-protect-31+4.641.0 ``` 11. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly: 
@@ -706,370 +708,9 @@ If a user other than **nginx** is to be used, note the following: sudo systemctl start nginx ``` -## Amazon Linux 2 LTS Installation - -1. If you already have NGINX packages in your system, back up your configs and logs: - - ```shell - sudo cp -a /etc/nginx /etc/nginx-plus-backup - sudo cp -a /var/log/nginx /var/log/nginx-plus-backup - ``` - -2. Create the `/etc/ssl/nginx/` directory: - - ```shell - sudo mkdir -p /etc/ssl/nginx - ``` - -3. Log in to the [Customer Portal](https://my.f5.com) and download the following two files: - - ```shell - nginx-repo.key - nginx-repo.crt - ``` - -4. Copy the above two files to the Amazon Linux server's `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. - -5. Install prerequisite packages: - - ```shell - sudo amazon-linux-extras enable epel - sudo yum clean metadata - sudo yum install ca-certificates epel-release wget - ``` - -6. Remove any previously downloaded NGINX Plus repository file from `/etc/yum.repos.d`: - - ```shell - sudo rm /etc/yum.repos.d/nginx-plus-7.repo - ``` - -7. Add NGINX Plus repository by downloading the file `nginx-plus-7.4.repo` to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo - ``` - -8. Add NGINX App Protect WAF repository by downloading the file `app-protect-7.repo` to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo - ``` - -9. Install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): - - ```shell - sudo yum install app-protect - ``` - - Alternatively, you can use the following command to list available versions: - - ```shell - sudo yum --showduplicates list app-protect - ``` - - Then, install a specific version from the output of the command above. For example: - - ```shell - sudo yum install app-protect-24+3.639.0 - ``` - -10. 
Check the NGINX binary version to ensure that you have NGINX Plus installed correctly: - - ```shell - sudo nginx -v - ``` - -11. Load the NGINX App Protect WAF module on the main context in the `nginx.conf`: - - ```nginx - load_module modules/ngx_http_app_protect_module.so; - ``` - -12. Enable NGINX App Protect WAF on an `http/server/location` context in the `nginx.conf` file: - - ```nginx - app_protect_enable on; - ``` - -13. Optionally, install a prebuilt SELinux policy module for NGINX App Protect WAF (or configure SELinux as appropriate per your organization's security policies): - - ```shell - sudo yum install app-protect-selinux - ``` - - If you encounter any issues, check the [Troubleshooting Guide]({{< ref "/nap-waf/v4/troubleshooting-guide/troubleshooting#selinux" >}}). - -14. To enable the NGINX/App Protect WAF service start at boot, run the command: - - ```shell - sudo systemctl enable nginx.service - ``` - -15. Start the NGINX service: - - ```shell - sudo systemctl start nginx - ``` - ---- - -## Amazon Linux 2023 Installation - -1. If you already have NGINX packages in your system, back up your configuration and log files: - - ```shell - sudo cp -a /etc/nginx /etc/nginx-plus-backup - sudo cp -a /var/log/nginx /var/log/nginx-plus-backup - ``` - -1. Create the `/etc/ssl/nginx/` directory: - - ```shell - sudo mkdir -p /etc/ssl/nginx - ``` - -1. Log into [MyF5](https://my.f5.com) and download the following two files: - - ```shell - nginx-repo.key - nginx-repo.crt - ``` - -1. Copy `nginx-repo.key` and `nginx-repo.crt` to the RHEL server's `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. - -1. Install prerequisite packages: - - ```shell - sudo dnf install ca-certificates wget - ``` - -1. Remove any previously downloaded NGINX Plus repository files from `/etc/yum.repos.d`: - - ```shell - sudo rm /etc/yum.repos.d/plus-*.repo - ``` - -1. 
Add the NGINX Plus repository by downloading the file `plus-amazonlinux2023.repo` to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo - ``` - -1. Add the NGINX App Protect WAF repository by downloading the file `app-protect-amazonlinux2023.repo` to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo - ``` - -1. Enable Yum repositories to pull App Protect dependencies: - - Download the file `dependencies.amazonlinux2023.repo` to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo - ``` - -1. Install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): - - ```shell - sudo dnf install app-protect - ``` - - Alternatively, you can use the following command to list available versions: - - ```shell - sudo dnf --showduplicates list app-protect - ``` - - Then, install a specific version from the output of command above. For example: - - ```shell - sudo dnf install app-protect-31+4.641.0 - ``` - -1. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly: - - ```shell - sudo nginx -v - ``` - -1. Load the NGINX App Protect WAF module on the main context in the `nginx.conf`: - - ```nginx - load_module modules/ngx_http_app_protect_module.so; - ``` - -1. Enable NGINX App Protect WAF on an `http/server/location` context in the `nginx.conf` file: - - ```nginx - app_protect_enable on; - ``` - -1. Optionally, install a prebuilt SELinux policy module for NGINX App Protect WAF (or configure SELinux as appropriate per your organization's security policies): - - ```shell - sudo dnf install app-protect-selinux - ``` - - If you encounter any issues, check the [Troubleshooting Guide]({{< ref "/nap-waf/v4/troubleshooting-guide/troubleshooting#selinux" >}}). - -1. 
To enable the NGINX/App Protect WAF service start at boot, run the command: - - ```shell - sudo systemctl enable nginx.service - ``` - -1. Start the NGINX service: - - ```shell - sudo systemctl start nginx - ``` - -## Debian 10 / Debian 11 / Debian 12 Installation - -1. If you already have NGINX packages in your system, back up your configs and logs: - - ```shell - sudo cp -a /etc/nginx /etc/nginx-plus-backup - sudo cp -a /var/log/nginx /var/log/nginx-plus-backup - ``` - -2. Create the `/etc/ssl/nginx/` directory and change the directory to the SSL certificate directory after creating the folder: - - ```shell - sudo mkdir -p /etc/ssl/nginx - cd /etc/ssl/nginx - ``` - -3. Log in to the [Customer Portal](https://my.f5.com) and download the following two files: - - ```shell - nginx-repo.key - nginx-repo.crt - ``` - -4. Copy the above two files to the Debian server's `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. - -5. Install prerequisite packages: - - ```shell - sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 - ``` - - {{< note >}} In case the apt installation or database update fails due to release info change, run the below command before you install. {{< /note >}} - - ```shell - sudo apt-get update --allow-releaseinfo-change - ``` - -6. Download and add the NGINX signing keys: - - ```shell - wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | \ - sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null - - wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor | \ - sudo tee /usr/share/keyrings/app-protect-security-updates.gpg >/dev/null - ``` - -7. 
Remove any previous NGINX Plus repository and apt configuration files: - - ```shell - sudo rm /etc/apt/sources.list.d/nginx-plus.list - sudo rm /etc/apt/sources.list.d/*app-protect*.list - sudo rm /etc/apt/apt.conf.d/90pkgs-nginx - ``` - -8. Add NGINX Plus repository: - - ```shell - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \ - sudo tee /etc/apt/sources.list.d/nginx-plus.list - ``` - -9. Add NGINX App Protect WAF repositories: - - ```shell - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" | \ - sudo tee /etc/apt/sources.list.d/nginx-app-protect.list - - printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] \ - https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | \ - sudo tee /etc/apt/sources.list.d/app-protect-security-updates.list - ``` - -10. Download the apt configuration to `/etc/apt/apt.conf.d`: - - ```shell - sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx - ``` - -11. Update the repository and install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): - - ```shell - sudo apt-get update - sudo apt-get install app-protect - ``` - - Alternatively, to install a specific version, use the following commands to update and list available versions: - - ```shell - sudo apt-get update - sudo apt-cache policy app-protect - ``` - - {{< note >}} When installing an older version of NGINX App Protect WAF, the dependent packages have to be installed manually, as shown in the command above. 
The following script can be used to find out the dependent packages for a specific version of NGINX App Protect WAF.{{< /note >}} - - ```shell - findDeps () { local pkgs=$(apt show $1 2>/dev/null | grep Depends: | grep -oE "(nginx-plus-module|app-protect)-[a-z]+ *\(= *[0-9\+\.-]+~`lsb_release -cs`\)" | tr -d ' ()'); for p in ${pkgs[@]}; do echo $p; findDeps $p; done; } - findDeps app-protect=24+3.639.0-1~[OS_CODENAME] - ``` - - Finally, install a specific version from the output of command above. For example: - - ```shell - sudo apt-get install -y app-protect-compiler=8.7.4-1~[OS_CODENAME] \ - app-protect-plugin=3.639.0-1~[OS_CODENAME] \ - nginx-plus-module-appprotect=24+3.639.0-1~[OS_CODENAME]\ - app-protect-engine=8.7.4-1~[OS_CODENAME] \ - app-protect=24+3.639.0-1~[OS_CODENAME] \ - app-protect-common=8.7.4-1~[OS_CODENAME] - ``` - - Replace the [OS_CODENAME] in the above example with: **buster** for Debian 10, **bullseye** for Debian 11 and **bookworm** for Debian 12. - -12. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly: - - ```shell - sudo nginx -v - ``` - -13. Load the NGINX App Protect WAF module on the main context in the `nginx.conf` file: - - ```nginx - load_module modules/ngx_http_app_protect_module.so; - ``` - -14. Enable NGINX App Protect WAF on an `http/server/location` context in the `nginx.conf` via: - - ```nginx - app_protect_enable on; - ``` - -15. Start the NGINX service: - - ```shell - sudo systemctl start nginx - ``` - -{{< note >}} Debian 10 / Debian 11 / Debian 12 activates **AppArmor** by default, but NGINX App Protect WAF will run in unconfined mode after being installed as it is shipped with no AppArmor profile. To benefit from AppArmor access control capabilities for NGINX App Protect WAF, you will have to write your own AppArmor profile for NGINX App Protect WAF executables found in `/opt/app_protect/bin` such that it best suits your environment. 
-{{< /note >}} - - -## Ubuntu 18.04 / Ubuntu 20.04 / Ubuntu 22.04 / Ubuntu 24.04 Installation +--- + +## Ubuntu Installation 1. If you already have NGINX packages in your system, back up your configs and logs: @@ -1167,7 +808,7 @@ If a user other than **nginx** is to be used, note the following: app-protect=23+3.263.0-1~[OS_CODENAME] ``` - Replace the [OS_CODENAME] in above the example with: **bionic** for Ubuntu 18.04, **focal** for Ubuntu 20.04, **jammy** for Ubuntu 22.04 and **noble** for Ubuntu 24.04. + Replace the [OS_CODENAME] in above the example with **focal** for Ubuntu 20.04, **jammy** for Ubuntu 22.04 and **noble** for Ubuntu 24.04.
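Review bot: this hunk deletes the `## Amazon Linux 2 LTS Installation` section outright (unlike the Amazon Linux 2023 and Debian sections, which reappear earlier in the file), drops `buster` for Debian 10 from the `[OS_CODENAME]` list and `bionic` for Ubuntu 18.04 from the Ubuntu list. That is a change in supported platforms rather than a reorganisation and should be stated in the commit message and reflected wherever the page lists supported versions; as it stands the heading becomes `## Ubuntu Installation` with no versions while the AppArmor note that follows still says "Ubuntu 20.04 / Ubuntu 22.04 / Ubuntu 24.04".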

      
@@ -1205,116 +846,9 @@ If a user other than **nginx** is to be used, note the following: {{< note >}} Ubuntu 20.04 / Ubuntu 22.04 / Ubuntu 24.04 activates **AppArmor** by default, but NGINX App Protect WAF will run in unconfined mode after being installed as it is shipped with no AppArmor profile. To benefit from AppArmor access control capabilities for NGINX App Protect WAF, you will have to write your own AppArmor profile for NGINX App Protect WAF executables found in `/opt/app_protect/bin` such that it best suits your environment. {{< /note >}} +## Docker Deployments -## Alpine 3.16, 3.17 & 3.19 Installation - -1. If you already have NGINX packages in your system, back up your configs and logs: - - ```shell - sudo cp -a /etc/nginx /etc/nginx-plus-backup - sudo cp -a /var/log/nginx /var/log/nginx-plus-backup - ``` - -2. Log in to the [Customer Portal](https://my.f5.com) and download the following two files: - - ```shell - nginx-repo.key - nginx-repo.crt - ``` - -3. Upload `nginx-repo.key` to `/etc/apk/cert.key` and `nginx-repo.crt` to `/etc/apk/cert.pem`. Make sure that files do not contain other certificates and keys, as Alpine Linux does not support mixing client certificates for different repositories. - -4. Add the NGINX public signing key to the directory `/etc/apk/keys`: - - ```shell - sudo wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub - - sudo wget -O /etc/apk/keys/app-protect-security-updates.rsa.pub https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub - ``` - -5. Remove any previously configured NGINX Plus repository: - - ```shell - sed "/plus-pkgs.nginx.com/d" /etc/apk/repositories - ``` - -6. Add the NGINX Plus repository to `/etc/apk/repositories` file: - - ```shell - printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories - ``` - -7. 
Add the NGINX App Protect WAF repository to `/etc/apk/repositories` file: - - ```shell - printf "https://pkgs.nginx.com/app-protect/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories - - printf "https://pkgs.nginx.com/app-protect-security-updates/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories - ``` - -8. We recommend removing all community-supported NGINX packages. Note that all NGINX modules will be removed as well. - - ```shell - sudo apk del -r app-protect - sudo apk del -r nginx - ``` - -9. Update the repository and install the most recent version of the NGINX Plus and NGINX App Protect WAF: - - ```shell - sudo apk update - sudo apk add app-protect - ``` - - Alternatively, use the following commands to install the most recent version of NGINX App Protect WAF for NGINX Plus R28: - - ```shell - sudo apk update - sudo apk add app-protect - ``` - - Alternatively, use the following commands to list available versions: - - ```shell - sudo apk update - sudo apk info app-protect - ``` - - Finally, install a specific version from the output of command above. For example: - - ```shell - sudo apk add app-protect=30.4.457.0-r1 - ``` - -10. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly: - - ```shell - sudo nginx -v - ``` - -11. Load the NGINX App Protect WAF module on the main context in the `nginx.conf` file: - - ```nginx - load_module modules/ngx_http_app_protect_module.so; - ``` - -12. Enable NGINX App Protect WAF on an `http/server/location` context in the `nginx.conf` via: - - ```nginx - app_protect_enable on; - ``` - -13. Start the App Protect and NGINX services: - - ```shell - sudo service nginx-app-protect start - sudo service nginx start - ``` - - -## Docker Deployment - -### General Docker Deployment Instructions +### Common instructions 1. 
Create a Dockerfile (see examples below) which copies the following files into the docker image: @@ -1402,7 +936,7 @@ If a user other than **nginx** is to be used, note the following: 7. Create a Docker image: - - For CentOS/Oracle Linux/Debian/Ubuntu/Alpine/Amazon Linux: + - For Oracle Linux/Debian/Ubuntu/Alpine/Amazon Linux: ```shell DOCKER_BUILDKIT=1 docker build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t app-protect . 
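Review bot: removing the `## Alpine 3.16, 3.17 & 3.19 Installation` host section while adding an Alpine Dockerfile further down leaves Alpine documented for Docker only; if host installs on Alpine are still supported the section should stay, and if they are not the commit message should say so. If it stays, its step 5 `sed "/plus-pkgs.nginx.com/d" /etc/apk/repositories` needs `sudo sed -i`, since without `-i` it only prints the file. The renamed heading `### Common instructions` is also sentence case where the neighbouring headings (`## Docker Deployments`, `## Ubuntu Installation`) are title case.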
@@ -1439,27 +973,64 @@ If a user other than **nginx** is to be used, note the following: docker ps ``` -### CentOS 7.4 Docker Deployment Example +### Alpine Dockerfile example + +```dockerfile +# syntax=docker/dockerfile:1 +# For Alpine 3.19: +FROM alpine:3.19 + +# Download and add the NGINX signing keys: +RUN wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ + && wget -O /etc/apk/keys/app-protect-security-updates.rsa.pub https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub + +# Add NGINX Plus repository: +RUN printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories + +# Add NGINX App Protect repository: +RUN printf "https://pkgs.nginx.com/app-protect/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories \ + && printf "https://pkgs.nginx.com/app-protect-security-updates/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories + +# Update the repository and install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): +RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ + apk update && apk add app-protect + +# Forward request logs to Docker log collector: +RUN ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Copy configuration files: +COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY entrypoint.sh /root/ + +CMD ["sh", "/root/entrypoint.sh"] +``` + +### Amazon Linux Dockerfile example ```dockerfile # syntax=docker/dockerfile:1 -# For CentOS 7: -FROM centos:7.4.1708 +# For Amazon Linux 2023: +FROM amazonlinux:2023 # Install prerequisite packages: -RUN yum -y install wget ca-certificates epel-release +RUN dnf -y install wget ca-certificates -# Add NGINX Plus repo to 
Yum: -RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo +# Add NGINX Plus repo: +RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo -# Add NGINX App-protect repo to Yum: -RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo +# Add NAP dependencies repo: +RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo + +# Add NGINX App-protect repo: +RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo # Install NGINX App Protect WAF: RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - yum -y install app-protect \ - && yum clean all \ + dnf -y install app-protect \ + && dnf clean all \ && rm -rf /var/cache/yum # Forward request logs to Docker log collector: 
@@ -1473,32 +1044,46 @@ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] ``` -### RHEL UBI7 Docker Deployment Example +--- + +### Debian Dockerfile example ```dockerfile +ARG OS_CODENAME +# Where OS_CODENAME can be: buster/bullseye/bookworm # syntax=docker/dockerfile:1 -# For RHEL ubi7: -FROM registry.access.redhat.com/ubi7/ubi +# For Debian 11 / 12: +FROM debian:${OS_CODENAME} # Install prerequisite packages: -RUN yum -y install wget ca-certificates +RUN apt-get update && apt-get install -y apt-transport-https lsb-release ca-certificates wget gnupg2 -# Add NGINX Plus repo to Yum: -RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo +# Download and add the NGINX signing keys: +RUN wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | \ + gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null +RUN wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | \ + gpg --dearmor | tee /usr/share/keyrings/app-protect-security-updates.gpg >/dev/null -# Add NGINX App-protect & dependencies repo to Yum: -RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo -RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ - # You can use either of the dependencies or epel repo - # && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \ - && yum clean all +# Add NGINX Plus repository: +RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-plus.list -# Install NGINX App Protect WAF: +# Add NGINX App Protect WAF repositories: +RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-app-protect.list +RUN printf "deb 
[signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] \ + https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/app-protect-security-updates.list + +# Download the apt configuration to `/etc/apt/apt.conf.d`: +RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx + +# Update the repository and install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - yum install --enablerepo=rhel-7-server-extras-rpms --enablerepo=rhel-7-server-optional-rpms --enablerepo=rhel-7-server-rpms -y app-protect \ - && yum clean all \ - && rm -rf /var/cache/yum + apt-get update && apt-get install -y app-protect # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ @@ -1511,7 +1096,9 @@ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] ``` -### RHEL UBI8 Docker Deployment Example +--- + +### RHEL UBI8 Dockerfile example ```dockerfile # syntax=docker/dockerfile:1 @@ -1549,7 +1136,7 @@ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] ``` -### RHEL UBI9 Docker Deployment Example +### RHEL UBI9 Dockerfile example ```dockerfile # syntax=docker/dockerfile:1 @@ -1587,7 +1174,7 @@ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] ``` -### Oracle Linux 8 Docker Deployment Example +### Oracle Linux Dockerfile example ```dockerfile # syntax=docker/dockerfile:1 
@@ -1628,137 +1215,15 @@ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] ``` -### Amazon Linux 2 Docker Deployment Example - -```dockerfile -# syntax=docker/dockerfile:1 -# For Amazon Linux 2: -FROM amazonlinux:2 - -# Install prerequisite packages: -RUN amazon-linux-extras enable epel -RUN yum clean metadata -RUN yum -y install wget ca-certificates epel-release shadow-utils - -# Add NGINX Plus repo to Yum: -RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo - -# Add NGINX App-protect repo to Yum: -RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo - -# Install NGINX App Protect WAF: -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - yum -y install app-protect \ - && yum clean all \ - && rm -rf /var/cache/yum - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ -COPY entrypoint.sh /root/ - -CMD ["sh", "/root/entrypoint.sh"] -``` - -### Amazon Linux 2023 Docker Deployment Example - -```dockerfile -# syntax=docker/dockerfile:1 -# For Amazon Linux 2023: -FROM amazonlinux:2023 - -# Install prerequisite packages: -RUN dnf -y install wget ca-certificates - -# Add NGINX Plus repo: -RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo - -# Add NAP dependencies repo: -RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo - -# Add NGINX App-protect repo: -RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo - -# Install NGINX App Protect WAF: -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - 
--mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - dnf -y install app-protect \ - && dnf clean all \ - && rm -rf /var/cache/yum - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ -COPY entrypoint.sh /root/ - -CMD ["sh", "/root/entrypoint.sh"] -``` - -### Debian 10 (Buster) / 11 (Bullseye) / 12 (Bookworm) Docker Deployment Example - -```dockerfile -ARG OS_CODENAME -# Where OS_CODENAME can be: buster/bullseye/bookworm -# syntax=docker/dockerfile:1 -# For Debian 10 / 11 / 12: -FROM debian:${OS_CODENAME} - -# Install prerequisite packages: -RUN apt-get update && apt-get install -y apt-transport-https lsb-release ca-certificates wget gnupg2 - -# Download and add the NGINX signing keys: -RUN wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | \ - gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null -RUN wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | \ - gpg --dearmor | tee /usr/share/keyrings/app-protect-security-updates.gpg >/dev/null - -# Add NGINX Plus repository: -RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \ - tee /etc/apt/sources.list.d/nginx-plus.list - -# Add NGINX App Protect WAF repositories: -RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ - https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" | \ - tee /etc/apt/sources.list.d/nginx-app-protect.list -RUN printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] \ - https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | \ - tee /etc/apt/sources.list.d/app-protect-security-updates.list - -# Download the apt configuration to 
`/etc/apt/apt.conf.d`: -RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx - -# Update the repository and install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - apt-get update && apt-get install -y app-protect - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ -COPY entrypoint.sh /root/ - -CMD ["sh", "/root/entrypoint.sh"] -``` - +--- -### Ubuntu 18.04 (Bionic) / 20.04 (Focal) / 22.04 (Jammy) / 24.04 (Noble) Docker Deployment Example +### Ubuntu Dockerfile example ```dockerfile ARG OS_CODENAME -# Where OS_CODENAME can be: bionic/focal/jammy/noble +# Where OS_CODENAME can be: focal/jammy/noble # syntax=docker/dockerfile:1 -# For Ubuntu 18.04 / 20.04 /22.04 / 24.04: +# For Ubuntu 20.04 / 22.04 / 24.04: FROM ubuntu:${OS_CODENAME} # Install prerequisite packages: 
@@ -1802,41 +1267,6 @@ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] ``` -### Alpine 3.16 / Alpine 3.17 / Alpine 3.19 Docker Deployment Example - -```dockerfile -# syntax=docker/dockerfile:1 -# For Alpine 3.16/3.17/3.19: -FROM alpine:3.19 - -# Download and add the NGINX signing keys: -RUN wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ - && wget -O /etc/apk/keys/app-protect-security-updates.rsa.pub https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub - -# Add NGINX Plus repository: -RUN printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories - -# Add NGINX App Protect repository: -RUN printf "https://pkgs.nginx.com/app-protect/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories \ - && printf "https://pkgs.nginx.com/app-protect-security-updates/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories - -# Update the repository and install the most recent version of the NGINX App Protect WAF package (which includes NGINX Plus): -RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ - apk update && apk add app-protect - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ -COPY entrypoint.sh /root/ - -CMD ["sh", "/root/entrypoint.sh"] -``` - - ## Converter Tool Docker Image This section explains how to build a Docker image for the purpose of converting policy files from other F5 WAF products to NGINX App Protect WAF JSON declarative format. 
@@ -1856,7 +1286,7 @@ You need root permissions to execute the following steps. 3. Create a Docker image: - - For CentOS/Oracle Linux/Debian/Ubuntu/Alpine/Amazon Linux: + - For Oracle Linux/Debian/Ubuntu/Alpine/Amazon Linux: ```shell DOCKER_BUILDKIT=1 docker build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t app-protect-converter . @@ -1958,27 +1388,7 @@ You need root permissions to execute the following steps. -rw-r--r-- 1 root root 841818 Dec 20 11:10 policy.xml # Original XML policy file ``` - -### CentOS 7 Converter Docker Deployment Example - -```dockerfile -# syntax=docker/dockerfile:1 -# For CentOS 7: -FROM centos:7 - -# Install prerequisite packages: -RUN yum -y install wget ca-certificates epel-release - -# Add NGINX Plus repo to Yum: -RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo - -# Update the repository and install the most recent version of the NGINX App Protect WAF Compiler package: -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - yum -y install app-protect-compiler \ - && yum clean all \ - && rm -rf /var/cache/yum -``` +--- ### RHEL UBI7 Converter Docker Deployment Example 
@@ -2101,38 +1511,9 @@ RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.rep # Install NGINX App Protect WAF: RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - yum -y install app-protect-compiler \ - && yum clean all \ - && rm -rf /var/cache/yum -``` - -### Debian 10 Converter Docker Deployment Example - -```dockerfile -# syntax=docker/dockerfile:1 -# For Debian 10: -FROM debian:buster - -# Install prerequisite packages: -RUN apt-get update && apt-get install -y apt-transport-https lsb-release ca-certificates wget gnupg2 - -# Download and add the NGINX signing keys: -RUN wget https://cs.nginx.com/static/keys/nginx_signing.key && apt-key add nginx_signing.key \ - && wget https://cs.nginx.com/static/keys/app-protect-security-updates.key && apt-key add app-protect-security-updates.key - -# Add NGINX App Protect WAF repositories: -RUN printf "deb https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect.list \ - && printf "deb https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/app-protect-security-updates.list - -# Download the apt configuration to `/etc/apt/apt.conf.d`: -RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90nginx - -# Update the repository and install the most recent version of the NGINX App Protect WAF Compiler package: -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - apt-get update && apt-get install -y app-protect-compiler - -CMD ["sh"] + yum -y install app-protect-compiler \ + && yum clean all \ + && rm -rf /var/cache/yum ``` ### Debian 11 / Debian 12 Converter Docker Deployment Example 
@@ -2168,13 +1549,13 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-compiler ``` -### Ubuntu 18.04 / Ubuntu 20.04 / Ubuntu 22.04 / Ubuntu 24.04 Converter Docker Deployment Example +### Ubuntu 20.04 / Ubuntu 22.04 / Ubuntu 24.04 Converter Docker Deployment Example ```dockerfile ARG OS_CODENAME # Where OS_CODENAME can be: bionic/focal/jammy/noble # syntax=docker/dockerfile:1 -# For Ubuntu 18.04 / 20.04 /22.04 / 24.04: +# For Ubuntu 20.04 /22.04 / 24.04: FROM ubuntu:${OS_CODENAME} # Install prerequisite packages: @@ -2228,7 +1609,7 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ To perform an offline installation of NGINX App Protect WAF you can use a host with access to the NGINX repository to download all the packages (including dependencies) to your local repository. -### Example Deployment for CentOS/RHEL +### Example Deployment for RHEL #### Add the NGINX App Protect WAF Packages to an Internal Repository 
@@ -2249,29 +1630,17 @@ On a host with access to the NGINX App Protect WAF repository: 3. Download the `epel-release` dependency package: - For CentOS: - - ```shell - yum install --downloadonly --downloaddir=/etc/packages/ epel-release - ``` - - For RHEL 7: - - ```shell - wget -P /etc/packages https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm - ``` +For RHEL 8.1+ / Oracle Linux 8.1+: - For RHEL 8.1+ / Oracle Linux 8.1+: - - ```shell - wget -P /etc/packages https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm - ``` +```shell +wget -P /etc/packages https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm +``` - For RHEL 9+: +For RHEL 9+: - ```shell - wget -P /etc/packages https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm - ``` +```shell +wget -P /etc/packages https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm +``` 4. Add the packages in `/etc/packages` to your local repository. 
@@ -2421,39 +1790,6 @@ Attack Signatures updates are released at higher frequency than App Protect, the After having updated the Attack Signature package you have to reload the configuration in order for the new version of the Signatures to take effect. Until then App Protect will run with the old version. That is useful when creating an environment with a specific tested version of the Attack Signatures. - -### CentOS / RHEL 7.4+ / Amazon Linux 2 - -1. To add NGINX App Protect WAF Security Updates repository, download the file `app-protect-7.repo` to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo - ``` - -2. Update the attack signatures to the latest: - - ```shell - sudo yum install app-protect-attack-signatures - ``` - -3. To install a specific version, list the available versions: - - ```shell - sudo yum --showduplicates list app-protect-attack-signatures - ``` - - To upgrade to a specific version: - - ```shell - sudo yum install app-protect-attack-signatures-2020.04.30 - ``` - - To downgrade to a specific version: - - ```shell - sudo yum downgrade app-protect-attack-signatures-2019.07.16 - ``` - ### RHEL 8.1+ / Oracle Linux 8.1+ 1. To add NGINX App Protect WAF Security Updates repository, download the file `app-protect-8.repo` to `/etc/yum.repos.d`: 
@@ -2518,62 +1854,54 @@ After having updated the Attack Signature package you have to reload the configu sudo dnf downgrade app-protect-attack-signatures-2023.12.11 ``` -### Debian 10 / Debian 11 / Debian 12 +### Debian 11 / Debian 12 1. Add NGINX App Protect WAF Security Updates repository: - ```shell - printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] \ - https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | \ - sudo tee /etc/apt/sources.list.d/app-protect-security-updates.list - ``` +```shell +printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] \ +https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | \ +sudo tee /etc/apt/sources.list.d/app-protect-security-updates.list +``` 2. Download and add the NGINX App Protect WAF signatures signing key: - ```shell - sudo wget https://cs.nginx.com/static/keys/app-protect-security-updates.key | \ - gpg --dearmor | sudo tee /usr/share/keyrings/app-protect-security-updates.gpg >/dev/null - ``` +```shell +sudo wget https://cs.nginx.com/static/keys/app-protect-security-updates.key | \ +gpg --dearmor | sudo tee /usr/share/keyrings/app-protect-security-updates.gpg >/dev/null +``` 3. Download the apt configuration to `/etc/apt/apt.conf.d`: - ```shell - sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx - ``` +```shell +sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx +``` 4. Update the attack signatures to the latest: - ```shell - sudo apt-get update && sudo apt-get install app-protect-attack-signatures - ``` +```shell +sudo apt-get update && sudo apt-get install app-protect-attack-signatures +``` 5. 
To install a specific version, list the available versions: - ```shell - sudo apt-cache policy app-protect-attack-signatures - ``` - - Install a specific version: +```shell +sudo apt-cache policy app-protect-attack-signatures +``` - For Debian 10: +For Debian 11: ```shell - sudo apt-get install app-protect-attack-signatures=2020.04.30-1~buster - ``` - - For Debian 11: - - ```shell - sudo apt-get install app-protect-attack-signatures=2020.04.30-1~bulleye - ``` +sudo apt-get install app-protect-attack-signatures=2020.04.30-1~bulleye +``` - For Debian 12: +For Debian 12: - ```shell - sudo apt-get install app-protect-attack-signatures=2020.04.30-1~bookworm - ``` + ```shell +sudo apt-get install app-protect-attack-signatures=2020.04.30-1~bookworm +``` -### Ubuntu 18.04 / Ubuntu 20.04 / Ubuntu 22.04 +### Ubuntu 20.04 / Ubuntu 22.04 1. Add NGINX App Protect WAF Security Updates repository: 
@@ -2604,37 +1932,29 @@ After having updated the Attack Signature package you have to reload the configu 5. To install a specific version, list the available versions: - ```shell - sudo apt-cache policy app-protect-attack-signatures - ``` - - Install a specific version: - - For Ubuntu 18.04: - - ```shell - sudo apt-get install app-protect-attack-signatures=2020.07.16-1~bionic - ``` +```shell +sudo apt-cache policy app-protect-attack-signatures +``` - For Ubuntu 20.04: +For Ubuntu 20.04: - ```shell - sudo apt-get install app-protect-attack-signatures=2020.07.16-1~focal - ``` +```shell +sudo apt-get install app-protect-attack-signatures=2020.07.16-1~focal +``` - For Ubuntu 22.04: +For Ubuntu 22.04: - ```shell - sudo apt-get install app-protect-attack-signatures=2020.07.16-1~jammy - ``` +```shell +sudo apt-get install app-protect-attack-signatures=2020.07.16-1~jammy +``` - For Ubuntu 24.04: +For Ubuntu 24.04: - ```shell - sudo apt-get install app-protect-attack-signatures=2020.07.16-1~noble - ``` +```shell +sudo apt-get install app-protect-attack-signatures=2020.07.16-1~noble +``` -### Alpine 3.16 / Alpine 3.17 / Alpine 3.19 +### Alpine 3.19 1. If not already configured, add the NGINX App Protect WAF Security Updates repository: 
@@ -2703,33 +2023,6 @@ The Threat Campaigns package is named: app-protect-threat-campaigns-2022.07.21. Example: app-protect-threat-campaigns-2022.07.21 - -### CentOS / RHEL 7.4+ / Amazon Linux 2 - -1. If not already configured, add NGINX App Protect WAF Security Updates repository by downloading the file `app-protect-7.repo` to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo - ``` - -2. Update Threat Campaigns to the latest: - - ```shell - sudo yum install app-protect-threat-campaigns - ``` - -3. To install a specific version, list the available versions: - - ```shell - sudo yum --showduplicates list app-protect-threat-campaigns - ``` - - To upgrade to a specific version: - - ```shell - sudo yum install app-protect-threat-campaigns-2022.07.21 - ``` - ### RHEL 8.1+ / Oracle Linux 8.1+ 1. If not already configured, add NGINX App Protect WAF Security Updates repository by downloading the file `app-protect-8.repo` to `/etc/yum.repos.d`: @@ -2814,7 +2107,7 @@ Example: app-protect-threat-campaigns-2022.07.21 sudo apk add app-protect-threat-campaigns=2023.08.09-r1 ``` -### Debian 10 / Debian 11 / Debian 12 +### Debian 11 / Debian 12 1. If not already configured, add the NGINX App Protect WAF Security Updates repository: 
@@ -2845,31 +2138,23 @@ Example: app-protect-threat-campaigns-2022.07.21 5. To install a specific version, list the available versions: - ```shell - sudo apt-cache policy app-protect-threat-campaigns - ``` - - Install a specific version: - - For Debian 10: - - ```shell - sudo apt-get install app-protect-threat-campaigns=2020.06.25-1~buster - ``` +```shell +sudo apt-cache policy app-protect-threat-campaigns +``` - For Debian 11: +For Debian 11: - ```shell - sudo apt-get install app-protect-threat-campaigns=2020.06.25-1~bullseye - ``` +```shell +sudo apt-get install app-protect-threat-campaigns=2020.06.25-1~bullseye +``` - For Debian 12: + For Debian 12: - ```shell - sudo apt-get install app-protect-threat-campaigns=2020.06.25-1~bookworm - ``` +```shell +sudo apt-get install app-protect-threat-campaigns=2020.06.25-1~bookworm +``` -### Ubuntu 18.04 / Ubuntu 20.04 / Ubuntu 22.04 +### Ubuntu 20.04 / Ubuntu 22.04 1. If not already configured, add the NGINX App Protect WAF Security Updates repository: 
@@ -2900,35 +2185,27 @@ Example: app-protect-threat-campaigns-2022.07.21 5. To install a specific version, list the available versions: - ```shell - sudo apt-cache policy app-protect-threat-campaigns - ``` - - Install a specific version: - - For Ubuntu 18.04: - - ```shell - sudo apt-get install app-protect-threat-campaigns=2020.08.05-1~bionic - ``` +```shell +sudo apt-cache policy app-protect-threat-campaigns +``` - For Ubuntu 20.04: +For Ubuntu 20.04: - ```shell - sudo apt-get install app-protect-threat-campaigns=2020.08.05-1~focal - ``` +```shell +sudo apt-get install app-protect-threat-campaigns=2020.08.05-1~focal +``` - For Ubuntu 22.04: +For Ubuntu 22.04: - ```shell - sudo apt-get install app-protect-threat-campaigns=2020.08.05-1~jammy - ``` +```shell +sudo apt-get install app-protect-threat-campaigns=2020.08.05-1~jammy +``` - For Ubuntu 24.04: +For Ubuntu 24.04: - ```shell - sudo apt-get install app-protect-attack-signatures=2024.06.26-1~noble - ``` +```shell +sudo apt-get install app-protect-attack-signatures=2024.06.26-1~noble +``` ## Updating App Protect Bot Signatures 
@@ -2936,39 +2213,6 @@ The App Protect Bot Signatures feature is described [here]({{< ref "/nap-waf/v4/ The App Protect Bot Signatures is named: app-protect-bot-signatures and it is a dependency similar to attack signatures and threat campaigns and can be updated more often. The version number for this package reflects the date the package was released. For example: app-protect-bot-signatures-2023.11.14, where the format for app protect bot signatures is: YYYY.MM.DD. - -### CentOS / RHEL 7.4+ / Amazon Linux 2 - -1. If not already configured, add NGINX App Protect WAF Security Updates repository by downloading the file `app-protect-7.repo` to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo - ``` - -2. Update bot signatures to the latest: - - ```shell - sudo yum install app-protect-bot-signatures - ``` - -3. To install a specific version, list the available versions: - - ```shell - sudo yum --showduplicates list app-protect-bot-signatures - ``` - - To upgrade to a specific version: - - ```shell - sudo yum install app-protect-bot-signatures-2023.11.14 - ``` - - To downgrade to a specific version: - - ```shell - sudo yum downgrade app-protect-bot-signatures-2023.11.14 - ``` - ### RHEL 8.1+ / Oracle Linux 8.1+ 1. If not already configured, add NGINX App Protect WAF Security Updates repository by downloading the file `app-protect-8.repo` to `/etc/yum.repos.d`: 
@@ -3188,22 +2432,6 @@ In case of using the prebuilt SELinux policy module for NGINX App Protect WAF (a You can uninstall the App Protect in below Operating Systems by using the following commands: -### CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2 - -```shell -sudo yum remove app-protect \ -app-protect-compiler \ -app-protect-plugin \ -app-protect-engine \ -app-protect-graphql \ -app-protect-geoip \ -app-protect-common \ -app-protect-attack-signatures \ -app-protect-threat-campaigns \ -app-protect-bot-signatures \ -app-protect-selinux -``` - ### RHEL 8.1+ / Oracle Linux 8.1+ / RHEL 9+ ```shell @@ -3242,15 +2470,7 @@ app-protect-bot-signatures ## Upgrading App Protect to a Specific Version -### CentOS / RHEL 7.4.x / Amazon Linux 2 - -1. Upgrade the NGINX App Protect WAF to the specific version: - - ```shell - sudo yum -y update app-protect-27+3.1088.0-1 - ``` - -### RHEL 8.1+ / Oracle Linux 8.1+ / Rhel 9+ +### RHEL 8.1+ / Oracle Linux 8.1+ / RHEL 9+ 1. Upgrade the NGINX App Protect WAF to the specific version: 
@@ -3258,29 +2478,29 @@ app-protect-bot-signatures sudo dnf -y update app-protect-27+3.1088.0-1 ``` -### Debian 10 / Debian 11 / Debian 12 +### Debian 11 / Debian 12 1. Get the dependencies and their versions to be upgraded to by using the command: - ```shell - findDeps () { local pkgs=$(apt show $1 2>/dev/null | grep Depends: | grep -oE "(nginx-plus-module|app-protect)-[a-z]+ *\(= *[0-9\+\.-]+~`lsb_release -cs`\)" | tr -d ' ()'); for p in ${pkgs[@]}; do echo $p; findDeps $p; done; } - findDeps app-protect=27+3.1088.2-1~[OS_CODENAME] - ``` +```shell +findDeps () { local pkgs=$(apt show $1 2>/dev/null | grep Depends: | grep -oE "(nginx-plus-module|app-protect)-[a-z]+ *\(= *[0-9\+\.-]+~`lsb_release -cs`\)" | tr -d ' ()'); for p in ${pkgs[@]}; do echo $p; findDeps $p; done; } +findDeps app-protect=27+3.1088.2-1~[OS_CODENAME] +``` 2. Upgrade the NGINX App Protect WAF to the specific version: - ```shell - sudo apt-get update && apt-get install -y app-protect-common=10.139.2-1~[OS_CODENAME] - app-protect-compiler=10.139.2-1~[OS_CODENAME] \ - app-protect-plugin=3.1088.2-1~[OS_CODENAME] \ - nginx-plus-module-appprotect=27+3.1088.2-1~[OS_CODENAME] \ - app-protect-engine=10.139.2-1~[OS_CODENAME] \ - app-protect=27+3.1088.2-1~[OS_CODENAME] - ``` +```shell +sudo apt-get update && apt-get install -y app-protect-common=10.139.2-1~[OS_CODENAME] +app-protect-compiler=10.139.2-1~[OS_CODENAME] \ +app-protect-plugin=3.1088.2-1~[OS_CODENAME] \ +nginx-plus-module-appprotect=27+3.1088.2-1~[OS_CODENAME] \ +app-protect-engine=10.139.2-1~[OS_CODENAME] \ +app-protect=27+3.1088.2-1~[OS_CODENAME] +``` - **Note**: Replace the [OS_CODENAME] in the above command with: **buster** for Debian 10, **bullseye** for Debian 11 and **bookworm** for Debian 12. +**Note**: Replace the [OS_CODENAME] in the above command with **bullseye** for Debian 11 and **bookworm** for Debian 12. -### Ubuntu 18.04 / Ubuntu 20.04 / Ubuntu 22.04 +### Ubuntu 20.04 / Ubuntu 22.04 1. 
Get the dependencies and their versions to be upgraded to by using the command: @@ -3300,34 +2520,25 @@ app-protect-bot-signatures app-protect=27+3.1088.2-1~[OS_CODENAME] ``` - **Note**: Replace the [OS_CODENAME] in the above command with: **bionic** for Ubuntu 18.04, **focal** for Ubuntu 20.04, **jammy** for Ubuntu 22.04 and **noble** for Ubuntu 24.04. - +**Note**: Replace the [OS_CODENAME] in the above command with **focal** for Ubuntu 20.04, **jammy** for Ubuntu 22.04, and **noble** for Ubuntu 24.04. ## Upgrading App Protect to the latest version -### CentOS / RHEL 7.4.x / Amazon Linux 2 - -- Upgrade the NGINX App Protect WAF to the latest 4.x version: - - ```shell - sudo yum -y update app-protect - ``` - -### RHEL 8.1+ / Oracle Linux 8.1+ / RHEL 9+ +### RHEL 8.1+ / RHEL 9+ / Oracle Linux 8.1+ -- Upgrade the NGINX App Protect WAF to the latest 4.x version: +Upgrade the NGINX App Protect WAF to the latest 4.x version: - ```shell - sudo dnf -y update app-protect - ``` +```shell +sudo dnf -y update app-protect +``` -### Debian 10 / Debian 11 / Debian 12 / Ubuntu 18.04 / Ubuntu 20.04 / Ubuntu 22.04 +### Debian 11 / Debian 12 / Ubuntu 20.04 / Ubuntu 22.04 -- Upgrade the NGINX App Protect WAF to the latest 4.x version: +Upgrade the NGINX App Protect WAF to the latest 4.x version: - ```shell - sudo apt-get update && apt-get install -y app-protect - ``` +```shell +sudo apt-get update && apt-get install -y app-protect +``` ## SELinux Configuration diff --git a/content/nap-waf/v4/releases/about-4.14.md b/content/nap-waf/v4/releases/about-4.14.md new file mode 100644 index 000000000..a51087cba --- /dev/null +++ b/content/nap-waf/v4/releases/about-4.14.md 
@@ -0,0 +1,49 @@ +--- +title: NGINX App Protect WAF 4.14 +weight: 90 +toc: true +type: reference +product: NAP-WAF +docs: DOCS-000 +--- + +April 1st, 2025 + +--- + +## New features + +- Added support for NGINX Plus R34 + +--- + +## Important notes + +- Alpine 3.17 is no longer supported + +--- + +## Resolved issues + +- Upgraded the Go compiler to 1.23.7 +- (12140) Changed the maximum memory of the XML processing engine to 8GB +- (12254) A modified YAML file referenced by a JSON policy file causes a reload error when running `nginx -t` +- (12296) "Violation Bad Unescape" is not enabled by default +- (12297) "Violation Encoding" is not enabled by default + +--- + +## Supported packages + +| Distribution name | Package file | +|--------------------------|----------------------------------------------------| +| Alpine 3.19 | _app-protect-33.5.342.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-33+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect_33+5.342.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect_33+5.342.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-33+5.342.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect_33+5.342.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect_33+5.342.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect_33+5.342.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-33+5.342.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-33+5.342.0-1.el9.ngx.x86_64.rpm_ | diff --git a/content/nap-waf/v5/admin-guide/deploy-on-docker.md b/content/nap-waf/v5/admin-guide/deploy-on-docker.md index c5e2a563d..c84be71f5 100644 --- a/content/nap-waf/v5/admin-guide/deploy-on-docker.md +++ b/content/nap-waf/v5/admin-guide/deploy-on-docker.md @@ -1,6 +1,6 @@ --- -title: Deploying NGINX App Protect WAF on Docker -weight: 400 +title: Deploy NGINX App Protect WAF with Docker +weight: 500 toc: true type: how-to product: NAP-WAF 
@@ -52,7 +52,7 @@ FROM amazonlinux:2023 # Install NGINX OSS and NGINX App Protect WAF v5 module RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - && yum -y install wget ca-certificates shadow-utils yum-utils \ + yum -y install wget ca-certificates shadow-utils yum-utils \ && echo "[nginx-mainline]" > /etc/yum.repos.d/nginx.repo \ && echo "name=nginx mainline repo" >> /etc/yum.repos.d/nginx.repo \ && echo "baseurl=http://nginx.org/packages/mainline/amzn/2023/\$basearch/" >> /etc/yum.repos.d/nginx.repo \ @@ -138,7 +138,7 @@ FROM amazonlinux:2023 # Install NGINX Plus and NGINX App Protect WAF v5 module RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - && yum -y install wget ca-certificates shadow-utils \ + yum -y install wget ca-certificates shadow-utils \ && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo \ && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-plus.repo \ && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-plus.repo \ diff --git a/content/nap-waf/v5/admin-guide/deploy-with-helm.md b/content/nap-waf/v5/admin-guide/deploy-with-helm.md new file mode 100644 index 000000000..32b3105be --- /dev/null +++ b/content/nap-waf/v5/admin-guide/deploy-with-helm.md 
@@ -0,0 +1,275 @@ +--- +title: Deploy NGINX App Protect WAF with Helm +weight: 300 +toc: true +type: how-to +product: NAP-WAF +--- + +## Overview + +This document explains how to install F5 NGINX App Protect WAF with Helm. + +--- + +## Prerequisites + +- Kubernetes cluster +- Helm installed +- NGINX Docker image +- NGINX JWT license (if NGINX Plus is used) +- Docker registry credentials for private-registry.nginx.com + +## Build the NGINX Image + +Follow the instructions below to build a Docker image containing the NGINX and the NGINX App Protect module. + +### Download certificates + +{{< include "nap-waf/download-certificates.md" >}} + +Next, create a `Dockerfile` using one of the examples provided below. + +### Official NGINX Dockerfile + +{{< include "nap-waf/build-from-official-nginx-image.md" >}} + +### NGINX Open Source Dockerfile + +{{}} +{{%tab name="Alpine Linux"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-oss/build-alpine.md" >}} + +{{%/tab%}} +{{%tab name="Amazon Linux 2"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-oss/build-amazon.md" >}} + +{{%/tab%}} +{{%tab name="CentOS"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-oss/build-centos.md" >}} + +{{%/tab%}} +{{%tab name="Debian"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-oss/build-debian.md" >}} + +{{%/tab%}} +{{%tab name="Oracle Linux 8"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-oss/build-oracle.md" >}} + +{{%/tab%}} +{{%tab name="RHEL"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-oss/build-rhel.md" >}} + +{{%/tab%}} +{{%tab name="Ubuntu"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-oss/build-ubuntu.md" >}} + +{{%/tab%}} +{{}} + +You are ready to [Build the image](#build-image). 
+ +### NGINX Plus Dockerfile + +{{}} +{{%tab name="Alpine Linux"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-plus/build-alpine.md" >}} + +{{%/tab%}} +{{%tab name="Amazon Linux 2"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-plus/build-amazon.md" >}} + +{{%/tab%}} +{{%tab name="CentOS"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-plus/build-centos.md" >}} + +{{%/tab%}} +{{%tab name="Debian"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-plus/build-debian.md" >}} + +{{%/tab%}} +{{%tab name="Oracle Linux 8"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-plus/build-oracle.md" >}} + +{{%/tab%}} +{{%tab name="RHEL"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-plus/build-rhel.md" >}} + +{{%/tab%}} +{{%tab name="Ubuntu"%}} + +{{< include "nap-waf/config/v5/build-nginx-image-plus/build-ubuntu.md" >}} + +{{%/tab%}} +{{}} + +### Build Image + +{{< include "nap-waf/build-nginx-image-cmd.md" >}} + +Next, push it to your private image repository, ensuring it's accessible to your Kubernetes cluster. + +--- + +## Pull the chart + +Login to the registry: + +```shell +helm registry login --username= --password=none private-registry.nginx.com +``` + +Pull the chart: + +```shell +helm pull oci://private-registry.nginx.com/nap/nginx-app-protect --version --untar +``` + +Change your working directory to nginx-app-protect: + +```shell +cd nginx-app-protect +``` + +--- + +## Deployment + +1. Set NGINX Docker Image and Tag + + Update the appprotect.nginx.image.repository and appprotect.nginx.image.tag in values.yaml with your built NGINX image. + +1. Set NGINX JWT License + + Update the appprotect.config.nginxJWT in values.yaml with your JWT License Token. + +1. 
Set Docker Registry Credentials + + In values.yaml, update the dockerConfigJson to contain the base64 encoded Docker registration credentials + ``` + echo '{ + "auths": { + "private-registry.nginx.com": { + "username": "", + "password": "none" + } + } + }' | base64 -w 0 + ``` + OR create the secret using the following command: + ``` + kubectl create secret docker-registry regcred -n \ + --docker-server=private-registry.nginx.com \ + --docker-username= \ + --docker-password=none + ``` + +1. Deploy the Helm Chart + + Use the following command to deploy the Helm chart: + ``` + helm install . + ``` + Replace `` with your desired release name. + +1. Verify the Deployment + + Use the following commands to verify the deployment: + ``` + kubectl get pods -n + kubectl get svc -n + ``` + Replace with the namespace specified in the values.yaml. + +--- + +## Use compiled Policy and Logging Profile bundles in NGINX + +{{< include "/nap-waf/nap-k8s-use-compiled-bundles.md" >}} + +The NGINX configuration is found in the values.yaml file `appprotect.config.nginxConf`. +The bundles path and the host path can be configured in `appprotect.storage`. + +## Configuration + +This table lists the configurable parameters of the NGINX App Protect chart and their default values. + +It should help you quickly understand the referenced configuration settings in the `values.yaml` file. + +To use the *mTLS Configuration* options, read the [Secure Traffic Between NGINX and App Protect Enforcer using mTLS]({{< ref "/nap-waf//v5/configuration-guide/configuration.md#secure-traffic-between-nginx-and-app-protect-enforcer-using-mtls" >}}) topic. + +{{< bootstrap-table "table table-striped table-bordered" >}} +| **Section** | **Key** | **Description** | **Default Value** | +|-------------|---------|-----------------|-------------------| +| **Namespace** | _namespace_ | The target Kubernetes namespace where the Helm chart will be deployed. 
| N/A | +| **App Protect Configuration** | _appprotect.replicas_ | The number of replicas of the Nginx App Protect deployment. | 1 | +| | _appprotect.readOnlyRootFilesystem_ | Specifies if the root filesystem is read-only. | false | +| | _appprotect.annotations_ | Custom annotations for the deployment. | {} | +| **NGINX Configuration** | _appprotect.nginx.image.repository_ | Docker image repository for NGINX. | \/nginx-app-protect-5 | +| | _appprotect.nginx.image.tag_ | Docker image tag for NGINX. | latest | +| | _appprotect.nginx.imagePullPolicy_ | Image pull policy. | IfNotPresent | +| | _appprotect.nginx.resources_ | The resources of the NGINX container. | requests: cpu=10m,memory=16Mi | +| **WAF Config Manager** | _appprotect.wafConfigMgr.image.repository_ | Docker image repository for the WAF Configuration Manager. | private-registry.nginx.com/nap/waf-config-mgr | +| | _appprotect.wafConfigMgr.image.tag_ | Docker image tag for the WAF Configuration Manager. | 5.6.0 | +| | _appprotect.wafConfigMgr.imagePullPolicy_ | Image pull policy. | IfNotPresent | +| | _appprotect.wafConfigMgr.resources_ | The resources of the WAF Config Manager container. | requests: cpu=10m,memory=16Mi | +| **WAF Enforcer** | _appprotect.wafEnforcer.image.repository_ | Docker image repository for the WAF Enforcer. | private-registry.nginx.com/nap/waf-enforcer | +| | _appprotect.wafEnforcer.image.tag_ | Docker image tag for the WAF Enforcer. | 5.6.0 | +| | _appprotect.wafEnforcer.imagePullPolicy_ | Image pull policy. | IfNotPresent | +| | _appprotect.wafEnforcer.env.enforcerPort_ | Port for the WAF Enforcer. | 50000 | +| | _appprotect.wafEnforcer.resources_ | The resources of the WAF Enforcer container. | requests: cpu=20m,memory=256Mi | +| **Config** | _appprotect.config.name_ | The name of the ConfigMap used by the NGINX container. | nginx-config | +| | _appprotect.config.annotations_ | The annotations of the ConfigMap. | {} | +| | _appprotect.config.nginxJWT_ | JWT license for NGINX. 
| "" | +| | _appprotect.config.nginxConf_ | NGINX configuration file content. | See _values.yaml_ | +| | _appprotect.config.nginxDefault_ | Default server block configuration for NGINX. | {} | +| | _appprotect.config.entries_ | Extra entries of the ConfigMap for customizing NGINX configuration. | {} | +| **mTLS Configuration** | _appprotect.mTLS.serverCert_ | The base64-encoded TLS certificate for the App Protect Enforcer (server). | "" | +| | _appprotect.mTLS.serverKey_ | The base64-encoded TLS key for the App Protect Enforcer (server). | "" | +| | _appprotect.mTLS.serverCACert_ | The base64-encoded TLS CA certificate for the App Protect Enforcer (server). | "" | +| | _appprotect.mTLS.clientCert_ | The base64-encoded TLS certificate for the NGINX (client). | "" | +| | _appprotect.mTLS.clientKey_ | The base64-encoded TLS key for the NGINX (client). | "" | +| | _appprotect.mTLS.clientCACert_ | The base64-encoded TLS CA certificate for the NGINX (client). | "" | +| **Extra Volumes** | _appprotect.volumes_ | The extra volumes of the NGINX container. | [] | +| **Extra Volume Mounts** | _appprotect.volumeMounts_ | The extra volume mounts of the NGINX container. | [] | +| **Service** | _appprotect.service.nginx.ports.port_ | Service port. | 80 | +| | _appprotect.service.nginx.ports.protocol_ | Protocol used. | TCP | +| | _appprotect.service.nginx.ports.targetPort_ | Target port inside the container. | 80 | +| | _appprotect.service.nginx.type_ | Service type. | NodePort | +| **Storage Configuration** | _appprotect.storage.bundlesPath.name_ | Bundles volume name used by WAF Config Manager container for storing policy bundles | app-protect-bundles | +| | _appprotect.storage.bundlesPath.mountPath_ | Bundles mount path used by WAF Config Manager container, which is the path to the app_protect_policy_file in nginx.conf. | /etc/app_protect/bundles | +| | _appprotect.storage.pv.hostPath_ | Host path for persistent volume. 
| /mnt/nap5_bundles_pv_data | +| | _appprotect.storage.pvc.bundlesPvc.storageClass_ | Storage class for PVC. | manual | +| | _appprotect.storage.pvc.bundlesPvc.storageRequest_ | Storage request size. | 2Gi | +| **Docker Configuration** | _dockerConfigJson_ | A base64-encoded string representing the Docker registry credentials in JSON format. | N/A | +{{< /bootstrap-table >}} + +--- + +## Upgrade the chart + +To upgrade the release ``: +``` +helm upgrade . +``` + +## Uninstall the chart + +To uninstall/delete the release ``: + +```shell +helm uninstall +``` diff --git a/content/nap-waf/v5/admin-guide/deploy-on-kubernetes.md b/content/nap-waf/v5/admin-guide/deploy-with-manifests.md similarity index 64% rename from content/nap-waf/v5/admin-guide/deploy-on-kubernetes.md rename to content/nap-waf/v5/admin-guide/deploy-with-manifests.md index 9e1257ef7..310d5400b 100644 --- a/content/nap-waf/v5/admin-guide/deploy-on-kubernetes.md +++ b/content/nap-waf/v5/admin-guide/deploy-with-manifests.md @@ -1,6 +1,6 @@ --- -title: Deploying NGINX App Protect WAF on Kubernetes -weight: 300 +title: Deploy NGINX App Protect WAF with Manifests +weight: 400 toc: true type: how-to product: NAP-WAF 
@@ -356,334 +356,40 @@ spec: ``` ## Configure read only file systems -NGINX App Protect WAF v5 allows you to enable the `readOnlyRootFilesystem` option in your [Kubernetes Configuration]( -https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). This option restricts the root filesystem to read-only mode, which improves security by limiting potential write access in case of compromise. -To enable this feature, you will need a Kubernetes cluster that supports read-only root file systems, and you access to the NGINX and NGINX App Protect WAF configurations. - -You may need to identify any extra paths that need to be writable by App Protect during runtime: the following steps assume you are using the defaults path. +{{< include "/nap-waf/nap-k8s-readonly-introduction.md" >}} --- ### Enable `readOnlyRootFilesystem` and configure writable paths -The first step is to add the `readOnlyRootFilesystem` value (as *true*) to your Kubernetes pod security context as follows: - -```yaml -containers: - - name: nginx - ... - securityContext: - readOnlyRootFilesystem: true - - name: waf-enforcer - ... - securityContext: - readOnlyRootFilesystem: true - - name: waf-config-mgr - ... - securityContext: - readOnlyRootFilesystem: true -``` - -With a read-only root file system, you will likely still require write access for certain directories, such as logs and temporary files. You can add these directories by mounting them as writable volumes in your Kubernetes deployment. - -In this example, `/tmp` and `/var/log/nginx` are writable directories, essential for NGINX and App Protect operations. - -```yaml -containers: - - name: nginx - ... - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: tmp-volume - mountPath: /tmp - - name: nginx-log - mountPath: /var/log/nginx - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles -... 
- -volumes: - - name: app-protect-bd-config - emptyDir: {} - - name: app-protect-config - emptyDir: {} - - name: nginx-log - emptyDir: {} - - name: tmp-volume - emptyDir: {} - - name: app-protect-bundles - persistentVolumeClaim: - claimName: nap5-bundles-pvc -``` - -A full example might look like the following: - -```yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nap5-deployment -spec: - selector: - matchLabels: - app: nap5 - replicas: 2 - template: - metadata: - labels: - app: nap5 - spec: - imagePullSecrets: - - name: regcred - containers: - - name: nginx - image: /nginx-app-protect-5: - imagePullPolicy: IfNotPresent - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: tmp-volume - mountPath: /tmp - - name: nginx-log - mountPath: /var/log/nginx - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles - - name: waf-enforcer - image: private-registry.nginx.com/nap/waf-enforcer: - imagePullPolicy: IfNotPresent - securityContext: - readOnlyRootFilesystem: true - env: - - name: ENFORCER_PORT - value: "50000" - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: waf-config-mgr - image: private-registry.nginx.com/nap/waf-config-mgr: - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - all - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles - volumes: - - name: app-protect-bd-config - emptyDir: {} - - name: app-protect-config - emptyDir: {} - - name: nginx-log - emptyDir: {} - - name: tmp-volume - emptyDir: {} - - name: app-protect-bundles - persistentVolumeClaim: - claimName: 
nap5-bundles-pvc -``` +{{< include "/nap-waf/nap-k8s-readonly-context.md" >}} --- ### Update NGINX configuration with writable paths -Once you have created writable paths in your Kubernetes cluster, you should update your NGINX configuration to use these paths. - -The following are fields in `nginx.conf` you should update, which correspond to writable volumes configured during the last step: - -```nginx -pid /tmp/nginx.pid; -... -http { -... - # Temporary directories for kubernetes "readonlyfilesystem" - client_body_temp_path /tmp/nginx-client-body; - proxy_temp_path /tmp/nginx-proxy; - fastcgi_temp_path /tmp/nginx-fastcgi; - uwsgi_temp_path /tmp/nginx-uwsgi; - scgi_temp_path /tmp/nginx-scgi; -... -} -``` +{{< include "/nap-waf/nap-k8s-readonly-paths.md" >}} -A full example might look like the following: +--- + +### Possible issues -```nginx -user nginx; -worker_processes auto; - -# NGINX App Protect WAF -load_module modules/ngx_http_app_protect_module.so; - -error_log /var/log/nginx/error.log debug; -pid /tmp/nginx.pid; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log; - - # Temporary directories for kubernetes "readonlyfilesystem" - client_body_temp_path /tmp/nginx-client-body; - proxy_temp_path /tmp/nginx-proxy; - fastcgi_temp_path /tmp/nginx-fastcgi; - uwsgi_temp_path /tmp/nginx-uwsgi; - scgi_temp_path /tmp/nginx-scgi; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - # NGINX App Protect WAF - app_protect_enforcer_address 127.0.0.1:50000; - - include /etc/nginx/conf.d/*.conf; -} -``` +{{< include "/nap-waf/nap-k8s-readonly-issues.md" >}} --- -### Remediate possible issues +## Enable mTLS -- **Permission denied errors**: - If you encounter file 
permission issues, verify that the paths requiring write access are correctly configured as writable volumes in the pod manifest. -- **NGINX App Protect WAF initialization errors**: - Check the NGINX and NGINX App Protect Logs to ensure that App Protect can write to necessary files like logs and temporary directories. - -For general issues, read the [Troubleshooting]({{< ref "/nap-waf/v5/troubleshooting-guide/troubleshooting.md" >}}) topic. +{{< include "/nap-waf/nap-k8s-mtls-deployment.md" >}} --- -## mTLS Deployment - -To secure traffic between NGINX and App Protect Enforcer using mTLS, follow the steps below: - -{{< note >}} Refer to the [Configuration Guide]({{< ref "/nap-waf/v5/configuration-guide/configuration.md#secure-traffic-between-nginx-and-app-protect-enforcer-using-mtls" >}}) to generate certificates and modify the `nginx.conf` for mTLS. -{{< /note >}} - -First, create a Kubernetes Secret that contains the certificate and key files: - -```shell - kubectl create secret generic enforcer-certificates \ - --from-file=app_protect_server.crt=/path/to/app_protect_server.crt \ - --from-file=app_protect_server.key=/path/to/app_protect_server.key \ - --from-file=app_protect_client_ca.crt=/path/to/app_protect_client_ca.crt -``` - -Next, update or create the `nap5-deployment.yaml` to mount the Secret as a volume and set the environment variables to point to the mounted files: - -```yaml - apiVersion: apps/v1 - kind: Deployment - metadata: - name: nap5-deployment - spec: - selector: - matchLabels: - app: nap5 - replicas: 2 - template: - metadata: - labels: - app: nap5 - spec: - imagePullSecrets: - - name: regcred - containers: - - name: nginx - image: /nginx-app-protect-5: - imagePullPolicy: IfNotPresent - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: certs - mountPath: /etc/ssl/certs - readOnly: true - - name: waf-enforcer - image: 
private-registry.nginx.com/nap/waf-enforcer: - imagePullPolicy: IfNotPresent - env: - - name: ENFORCER_PORT - value: "4431" - - name: ENFORCER_SERVER_CERT - value: "/etc/ssl/certs/app_protect_server.crt" - - name: ENFORCER_SERVER_KEY - value: "/etc/ssl/certs/app_protect_server.key" - - name: ENFORCER_CA_FILE - value: "/etc/ssl/certs/app_protect_client_ca.crt" - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: certs - mountPath: /etc/ssl/certs - readOnly: true - - name: waf-config-mgr - image: private-registry.nginx.com/nap/waf-config-mgr: - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles - volumes: - - name: app-protect-bd-config - emptyDir: {} - - name: app-protect-config - emptyDir: {} - - name: app-protect-bundles - persistentVolumeClaim: - claimName: nap5-bundles-pvc - - name: certs - secret: - secretName: enforcer-certificates -``` - -## Using Compiled Policy and Logging Profile Bundles in NGINX - -In this setup, copy your compiled policy and logging profile bundles to `/mnt/nap5_bundles_pv_data` on a cluster node. Then, in your NGINX configuration, refer to these files from `/etc/app_protect/bundles`. - -For example, to apply `custom_policy.tgz` that you've placed in `/mnt/nap5_bundles_pv_data/`, use: +## Use compiled Policy and Logging Profile bundles in NGINX - ```nginx - app_protect_policy_file "/etc/app_protect/bundles/custom_policy.tgz"; - ``` +{{< include "/nap-waf/nap-k8s-use-compiled-bundles.md" >}} -The NGINX configuration can be integrated using a configmap mount. +The NGINX configuration can be integrated using a ConfigMap mount. ## Air-Gap Install: Secure Offline Deployment 
diff --git a/content/nap-waf/v5/admin-guide/install.md b/content/nap-waf/v5/admin-guide/install.md index a687f89a0..3a125b0a9 100644 --- a/content/nap-waf/v5/admin-guide/install.md +++ b/content/nap-waf/v5/admin-guide/install.md @@ -15,18 +15,18 @@ docs: DOCS-1363 ## Install NGINX and NGINX App Protect WAF Module -1. If you already have NGINX packages in your system, back up your configs and logs: +If you already have NGINX packages in your system, back up your configuration and log files: - ```shell - sudo cp -a /etc/nginx /etc/nginx-plus-backup - sudo cp -a /var/log/nginx /var/log/nginx-plus-backup - ``` +```shell +sudo cp -a /etc/nginx /etc/nginx-plus-backup +sudo cp -a /var/log/nginx /var/log/nginx-plus-backup +``` -2. Log in to [MyF5 Customer Portal](https://account.f5.com/myf5) and download your **nginx-repo.crt** and **nginx-repo.key** files. +1. Log in to [MyF5 Customer Portal](https://account.f5.com/myf5) and download your **nginx-repo.crt** and **nginx-repo.key** files. -3. If any old NGINX App Protect packages are installed, make sure to remove them. +1. If any old NGINX App Protect packages are installed, make sure to remove them. -4. Follow the steps below for the operating system you are working with. +1. Follow the steps below for the operating system you are working with. {{< note >}} If not already installed, `nginx` or `nginx-plus` will be installed automatically as a dependency. 
@@ -38,428 +38,156 @@ Please follow these steps before you install either NGINX Open Source or NGINX P {{}} -{{%tab name="Alpine Linux 3.16/3.17/3.19"%}} - +{{%tab name="Alpine Linux"%}} + {{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-alpine" >}} {{%/tab%}} -{{%tab name="Amazon Linux 2"%}} - -1. Create the `/etc/ssl/nginx` directory: +{{%tab name="Amazon Linux"%}} - ```shell - sudo mkdir -p /etc/ssl/nginx - ``` - -2. Upload **nginx-repo.crt** and **nginx-repo.key** files to the `/etc/ssl/nginx/` directory. - -3. Install required dependencies: - - ```shell - sudo yum install ca-certificates wget - ``` - -4. Remove any previously downloaded NGINX repository files from `/etc/yum.repos.d`: - - ```shell - sudo rm /etc/yum.repos.d/nginx*.repo - sudo rm /etc/yum.repos.d/*app-protect*.repo - ``` +{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-amazon.md" >}} {{%/tab%}} -{{%tab name="Amazon Linux 2023"%}} - -{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-amzn2023.md" >}} - -{{%/tab%}} -{{%tab name="Centos 7.4+"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-rhel-cen-74.md" >}} - -{{%/tab%}} -{{%tab name="Debian 11"%}} +{{%tab name="Debian"%}} {{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-debian" >}} {{%/tab%}} -{{%tab name="Debian 12"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-debian" >}} - -{{%/tab%}} -{{%tab name="Oracle Linux 8.1+"%}} +{{%tab name="Oracle Linux"%}} {{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-dnf.md" >}} {{%/tab%}} -{{%tab name="RHEL 7.4+"%}} - -{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-rhel-cen-74.md" >}} - -{{%/tab%}} -{{%tab name="RHEL 8.1+"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-dnf.md" >}} - -{{%/tab%}} -{{%tab name="RHEL 9"%}} +{{%tab 
name="RHEL"%}} {{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-dnf.md" >}} {{%/tab%}} -{{%tab name="Ubuntu 20.04"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-ubuntu.md" >}} - -{{%/tab%}} -{{%tab name="Ubuntu 22.04"%}} +{{%tab name="Ubuntu"%}} {{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-ubuntu.md" >}} - {{%/tab%}} -{{%tab name="Ubuntu 24.04"%}} - -{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-ubuntu.md" >}} -{{%/tab%}} {{}} ### For NGINX Open Source {{}} -{{%tab name="Alpine Linux 3.16/3.17/3.19"%}} - -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-alpine.md" >}} - -3. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo apk add app-protect-module-oss - ``` - -{{%/tab%}} - -{{%tab name="Amazon Linux 2"%}} - -1. Create the file named `/etc/yum.repos.d/nginx.repo` with the following contents: - - ```none - [nginx-mainline] - name=nginx mainline repo - baseurl=http://nginx.org/packages/mainline/amzn2/$releasever/$basearch/ - gpgcheck=1 - enabled=1 - gpgkey=https://nginx.org/keys/nginx_signing.key - module_hotfixes=true - ``` - -2. Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-oss.repo` with the following contents: - ```none - [app-protect-x-oss] - name=nginx-app-protect repo - baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/7/$basearch/ - sslclientcert=/etc/ssl/nginx/nginx-repo.crt - sslclientkey=/etc/ssl/nginx/nginx-repo.key - gpgcheck=0 - enabled=1 - ``` +{{%tab name="Amazon Linux"%}} -3. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo yum install app-protect-module-oss - ``` - - When prompted to accept the GPG key, verify that the fingerprint matches `573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62`, and if so, accept it. 
+{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-amazon.md" >}} {{%/tab%}} -{{%tab name="Amazon Linux 2023"%}} - -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-amzn2023.md" >}} -3. Install the NGINX App Protect WAF v5 package. - - ```shell - sudo dnf install app-protect-module-oss - ``` - -{{%/tab%}} -{{%tab name="Centos 7.4+"%}} +{{%tab name="Alpine Linux"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-7.md" >}} +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-alpine.md" >}} {{%/tab%}} -{{%tab name="Debian 11"%}} - -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-debian.md" >}} - -4. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo apt-get update - sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss - ``` -{{%/tab%}} -{{%tab name="Debian 12"%}} +{{%tab name="Debian"%}} {{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-debian.md" >}} -4. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo apt-get update - sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss - ``` - {{%/tab%}} -{{%tab name="Oracle Linux 8.1+"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-8.md" >}} +{{%tab name="Oracle Linux"%}} -3. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo dnf install app-protect-module-oss - ``` - - When prompted to accept the GPG key, verify that the fingerprint matches `573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62`, and if so, accept it. 
+{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos.md" >}} {{%/tab%}} -{{%tab name="RHEL 7.4+"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-7.md" >}} +{{%tab name="RHEL"%}} -{{%/tab%}} -{{%tab name="RHEL 8.1+"%}} - -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-8.md" >}} - -3. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo dnf install app-protect-module-oss - ``` - - When prompted to accept the GPG key, verify that the fingerprint matches `573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62`, and if so, accept it. +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos.md" >}} {{%/tab%}} -{{%tab name="RHEL 9"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-9.md" >}} - -3. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo dnf install app-protect-module-oss - ``` - - When prompted to accept the GPG key, verify that the fingerprint matches `573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62`, and if so, accept it. - -{{%/tab%}} -{{%tab name="Ubuntu 20.04"%}} +{{%tab name="Ubuntu"%}} {{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-ubuntu.md" >}} -4. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo apt-get update - sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss - ``` - {{%/tab%}} -{{%tab name="Ubuntu 22.04"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-ubuntu.md" >}} +{{}} -4. 
Install the NGINX App Protect WAF v5 package: +--- - ```shell - sudo apt-get update - sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss - ``` +### For NGINX Plus +To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: -{{%/tab%}} -{{%tab name="Ubuntu 24.04"%}} +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-ubuntu.md" >}} +Once you have the license file: -4. Install the NGINX App Protect WAF v5 package: +{{< include "licensing-and-reporting/apply-jwt.md" >}} - ```shell - sudo apt-get update - sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss - ``` +Then you can move onto the next step, depending on your chosen operating system. -{{%/tab%}} -{{}} - -### For NGINX Plus {{}} -{{%tab name="Alpine Linux 3.16/3.17/3.19"%}} +{{%tab name="Alpine Linux"%}} {{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-alpine.md" >}} -3. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo apk add app-protect-module-plus - ``` - -{{%/tab%}} - -{{%tab name="Amazon Linux 2"%}} - -1. Download the NGINX Plus repository file [nginx-plus-amazon2.repo](https://cs.nginx.com/static/files/nginx-plus-amazon2.repo) to `/etc/yum.repos.d`: - - ```shell - sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-amazon2.repo - ``` - -2. Create NGINX App Protect WAF v5 repository file, named `/etc/yum.repos.d/app-protect-x-plus.repo` with the following contents: - - ```none - [app-protect-x-plus] - name=nginx-app-protect repo - baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/7/$basearch/ - sslclientcert=/etc/ssl/nginx/nginx-repo.crt - sslclientkey=/etc/ssl/nginx/nginx-repo.key - gpgcheck=0 - enabled=1 - ``` - -3. 
Install the NGINX App Protect WAF v5 package: - - ```shell - sudo yum install app-protect-module-plus - ``` - {{%/tab%}} -{{%tab name="Amazon Linux 2023"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-amzn2023.md" >}} +{{%tab name="Amazon Linux"%}} -3. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo dnf install app-protect-module-plus - ``` +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-amazon.md" >}} {{%/tab%}} -{{%tab name="Centos 7.4+"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-7.md" >}} - -{{%/tab%}} -{{%tab name="Debian 11"%}} +{{%tab name="Debian"%}} {{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-debian.md" >}} -3. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo apt-get update - sudo apt-get install app-protect-module-plus - ``` - {{%/tab%}} -{{%tab name="Debian 12"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-debian.md" >}} +{{%tab name="Oracle Linux / RHEL 8.1+"%}} -3. Install the NGINX App Protect WAF v5 package: +Download the NGINX Plus repository file [nginx-plus-8.repo](https://cs.nginx.com/static/files/nginx-plus-8.repo) to `/etc/yum.repos.d`: - ```shell - sudo apt-get update - sudo apt-get install app-protect-module-plus - ``` - -{{%/tab%}} -{{%tab name="Oracle Linux 8.1+"%}} - -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-8.md" >}} - -3. 
Install the NGINX App Protect WAF v5 package: +```shell +sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo +``` - ```shell - sudo dnf install app-protect-module-plus - ``` +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos.md" >}} -{{%/tab%}} -{{%tab name="RHEL 7.4+"%}} - -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-7.md" >}} {{%/tab%}} -{{%tab name="RHEL 8.1+"%}} - -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-8.md" >}} -3. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo dnf install app-protect-module-plus - ``` - -{{%/tab%}} {{%tab name="RHEL 9"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-9.md" >}} +Download the NGINX Plus repository file [plus-9.repo](https://cs.nginx.com/static/files/plus-9.repo) to `/etc/yum.repos.d`: -3. Install the NGINX App Protect WAF v5 package: +```shell +sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-9.repo +``` - ```shell - sudo dnf install app-protect-module-plus - ``` +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos.md" >}} {{%/tab%}} -{{%tab name="Ubuntu 20.04"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-ubuntu.md" >}} - -3. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo apt-get update - sudo apt-get install app-protect-module-plus - ``` - -{{%/tab%}} -{{%tab name="Ubuntu 22.04"%}} +{{%tab name="Ubuntu"%}} {{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-ubuntu.md" >}} -3. Install the NGINX App Protect WAF v5 package: - - ```shell - sudo apt-get update - sudo apt-get install app-protect-module-plus - ``` - - {{%/tab%}} -{{%tab name="Ubuntu 24.04"%}} - -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-ubuntu.md" >}} - -3. 
Install the NGINX App Protect WAF v5 package: - ```shell - sudo apt-get update - sudo apt-get install app-protect-module-plus - ``` - - -{{%/tab%}} {{}} +--- + ## NGINX Configuration In your nginx configuration: @@ -608,7 +336,7 @@ If not already installed, `nginx` or `nginx-plus` will be installed automaticall ### Common Steps for NGINX Open Source and NGINX Plus -Please follow these steps before you install either NGINX Open Source or NGINX Plus. +Follow these steps before you install NGINX Open Source or NGINX Plus. {{}} @@ -620,7 +348,7 @@ Please follow these steps before you install either NGINX Open Source or NGINX P {{%tab name="Amazon Linux 2023"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-amzn2023.md" >}} +{{< include "nap-waf/config/v5/host-based-nginx-instructions/common-steps-with-amazon.md" >}} {{%/tab%}} {{%tab name="Debian 11"%}} @@ -749,7 +477,7 @@ Please follow these steps before you install either NGINX Open Source or NGINX P {{%/tab%}} {{%tab name="Amazon Linux 2023"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-amzn2023.md" >}} +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-amazon.md" >}} 3. Download all NGINX Open Source packages, including all dependencies: We used `repotrack` for example: @@ -794,9 +522,11 @@ Please follow these steps before you install either NGINX Open Source or NGINX P ``` {{%/tab%}} + {{%tab name="Oracle Linux 8.1+"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-8.md" >}} +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos.md" >}} + 3. Download all NGINX Open Source packages, including all dependencies: We used `repotrack` for example: 
@@ -813,9 +543,10 @@ Please follow these steps before you install either NGINX Open Source or NGINX P ``` {{%/tab%}} + {{%tab name="RHEL 8.1+"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-8.md" >}} +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos.md" >}} 3. Download all NGINX Open Source packages, including all dependencies: We used `repotrack` for example: @@ -834,7 +565,7 @@ Please follow these steps before you install either NGINX Open Source or NGINX P {{%/tab%}} {{%tab name="RHEL 9"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos-9.md" >}} +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-oss-centos.md" >}} 3. Download all NGINX Open Source packages, including all dependencies: We used `repotrack` for example: @@ -897,6 +628,16 @@ Please follow these steps before you install either NGINX Open Source or NGINX P ### For NGINX Plus +To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: + +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} + +Once you have the license file: + +{{< include "licensing-and-reporting/apply-jwt.md" >}} + +Then you can move onto the next step, depending on your chosen operating system. + {{}} {{%tab name="Alpine Linux 3.16/3.17/3.19"%}} @@ -915,7 +656,7 @@ Please follow these steps before you install either NGINX Open Source or NGINX P {{%tab name="Amazon Linux 2023"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-amzn2023.md" >}} +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-amazon.md" >}} 3. Download all NGINX Plus packages, including all dependencies: We used repotrack for example: 
@@ -962,7 +703,7 @@ Please follow these steps before you install either NGINX Open Source or NGINX P {{%/tab%}} {{%tab name="Oracle Linux 8.1+"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-8.md" >}} +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos.md" >}} 3. Download all NGINX Plus packages, including all dependencies: We used repotrack for example: @@ -981,7 +722,7 @@ Please follow these steps before you install either NGINX Open Source or NGINX P {{%/tab%}} {{%tab name="RHEL 8.1+"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-8.md" >}} +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos.md" >}} 3. Download all NGINX Plus packages, including all dependencies: We used repotrack for example: @@ -1000,7 +741,7 @@ Please follow these steps before you install either NGINX Open Source or NGINX P {{%/tab%}} {{%tab name="RHEL 9"%}} -{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos-9.md" >}} +{{< include "nap-waf/config/v5/host-based-nginx-instructions/nginx-plus-centos.md" >}} 3. Download all NGINX Plus packages, including all dependencies: We used repotrack for example: diff --git a/content/nap-waf/v5/admin-guide/overview.md b/content/nap-waf/v5/admin-guide/overview.md index af232059e..a4b65917d 100644 --- a/content/nap-waf/v5/admin-guide/overview.md +++ b/content/nap-waf/v5/admin-guide/overview.md @@ -34,7 +34,7 @@ NGINX App Protect WAF v5 supports the following operating systems: | Distribution | Version | | ------------ | ------------------- | -| Alpine | 3.17, 3.19 | +| Alpine | 3.19 | | Debian | 11, 12 | | Ubuntu | 20.04, 22.04, 24.04 | | Amazon Linux | 2023 | 
@@ -50,7 +50,7 @@ NGINX App Protect WAF v5 supports a range of deployment scenarios to meet variou - Deploys both NGINX and WAF components within containers. - Suitable for environments across development, testing, and production stages. -2. [Kubernetes Deployment]({{< ref "/nap-waf/v5/admin-guide/deploy-on-kubernetes.md" >}}) +2. [Kubernetes Deployment]({{< ref "/nap-waf/v5/admin-guide/deploy-with-helm.md" >}}) - Integrates both NGINX and WAF components in a single pod. - Ideal for scalable, cloud-native environments. @@ -81,7 +81,7 @@ We recommend that you deploy the NGINX App Protect WAF v5 in a staging environme 1. Install NGINX App Protect WAF 5 (using either nginx OSS or nginx-plus based on the need of customer's application). - [Installing NGINX App Protect WAF]({{}}) - [Deploying NGINX App Protect WAF on Docker]({{}}) - - [Deploying NGINX App Protect WAF on Kubernetes]({{}}) + - [Deploying NGINX App Protect WAF on Kubernetes]({{}}) 1. Compile your `.json` policies and logging profiles to `.tgz` bundles using [compiler-image]({{}}) because NGINX App Protect WAF v5 supports policies and logging profiles in a compiled bundle format only. diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index 33d97dffe..a17322367 100644 --- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md 
@@ -787,7 +787,7 @@ To enable mTLS in NGINX, you need to perform the following steps: - ENFORCER_SERVER_KEY - ENFORCER_CA_FILE - Refer to the example for mTLS deployment in the admin guide, whether you're using [Docker]({{< ref "/nap-waf/v5/admin-guide/deploy-on-docker.md#docker-compose-file-with-mtls" >}}) or [Kubernetes]({{< ref "/nap-waf/v5/admin-guide/deploy-on-kubernetes.md#mtls-deployment" >}}). + Refer to the example for mTLS deployment in the admin guide, whether you're using [Docker]({{< ref "/nap-waf/v5/admin-guide/deploy-on-docker.md#docker-compose-file-with-mtls" >}}) or [Kubernetes]({{< ref "/nap-waf/v5/admin-guide/deploy-with-helm.md#mtls-deployment" >}}). ## Brute Force Attack Preventions diff --git a/content/nap-waf/v5/releases/about-5.4.md b/content/nap-waf/v5/releases/about-5.4.md index 326be4d66..4417b6781 100644 --- a/content/nap-waf/v5/releases/about-5.4.md +++ b/content/nap-waf/v5/releases/about-5.4.md @@ -16,7 +16,7 @@ November 19th, 2024 ## New features - Added support for Amazon Linux 2023 -- Added support for [readOnlyFileSystem in Kubernetes deployments]({{< ref "/nap-waf/v5/admin-guide/deploy-on-kubernetes.md#configure-read-only-file-systems" >}}) +- Added support for [readOnlyFileSystem in Kubernetes deployments]({{< ref "/nap-waf/v5/admin-guide/deploy-with-manifests.md#configure-read-only-file-systems" >}}) - Added a [a policy converter to the compiler]({{< ref "/nap-waf/v5/configuration-guide/configuration.md#policy-converter">}}) - NGINX App Protect WAF now supports NGINX Plus R33 diff --git a/content/nap-waf/v5/releases/about-5.6.md b/content/nap-waf/v5/releases/about-5.6.md new file mode 100644 index 000000000..fb8f057a0 --- /dev/null +++ b/content/nap-waf/v5/releases/about-5.6.md 
@@ -0,0 +1,67 @@ +--- +title: NGINX App Protect WAF 5.6 +weight: 850 +toc: true +type: reference +product: NAP-WAF +docs: DOCS-000 +--- + +April 1st, 2025 + +--- + +## New features + +- Added support for NGINX Plus R34 +- You can now [deploy NGINX App Protect WAF 5+ using a Helm chart]({{< ref "/nap-waf/v5/admin-guide/deploy-with-helm.md">}}) + +--- + +## Important notes + +- Alpine 3.17 is no longer supported + +--- + +## Resolved issues + +- Upgraded the Go compiler to 1.23.7 +- (12140) Changed the maximum memory of the XML processing engine to 8GB +- (12254) A modified YAML file referenced by a JSON policy file causes a reload error when running `nginx -t` +- (12296) "Violation Bad Unescape" is not enabled by default +- (12297) "Violation Encoding" is not enabled by default + +--- + +## Supported packages + +### NGINX Open Source + +| Distribution name | Package file | +|--------------------------|-------------------------------------------------------------------| +| Alpine 3.19 | _app-protect-module-oss-1.27.4+5.342.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.27.4+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.27.4+5.342.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.27.4+5.342.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.27.4+5.342.0-1.el9.ngx.x86_64.rpm_ | + +### NGINX Plus + +| Distribution name | Package file | +|--------------------------|----------------------------------------------------------------| +| Alpine 3.19 | 
_app-protect-module-plus-34+5.342.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-plus-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-plus_34+5.342.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-plus_34+5.342.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-plus_34+5.342.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-plus_34+5.342.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-plus_34+5.342.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-plus-34+5.342.0-1.el9.ngx.x86_64.rpm_ | diff --git a/data/nap-waf/schema/policy.json b/data/nap-waf/schema/policy.json index d833d8442..66234108d 100644 --- a/data/nap-waf/schema/policy.json +++ b/data/nap-waf/schema/policy.json @@ -399,6 +399,8 @@ "VIOL_JSON_MALFORMED", "VIOL_JSON_SCHEMA", "VIOL_LOGIN", + "VIOL_LOGIN_URL_BYPASSED", + "VIOL_LOGIN_URL_EXPIRED", "VIOL_MANDATORY_HEADER", "VIOL_MANDATORY_PARAMETER", "VIOL_MANDATORY_REQUEST_BODY", 
@@ -727,154 +729,6 @@ "description" : "When enabled, enables Brute Force Protection for all configured login URLs.\nWhen disabled, only brute force configurations for specific login pages are applied in case they exist.", "type" : "boolean" }, - "captchaBypassCriteria" : { - "description" : "Specifies configuration for CAPTCHA Bypass Mitigation.", - "properties" : { - "action" : { - "default" : "alarm-and-drop", - "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. 
The Honeypot page is recommended when mitigation is request blocking.", - "enum" : [ - "alarm-and-blocking-page", - "alarm-and-drop", - "alarm-and-honeypot-page" - ], - "type" : "string" - }, - "enabled" : { - "default" : true, - "description" : "When enabled, the system counts successful CAPTCHA challenges with failed logins from IP Address / Device ID.", - "type" : "boolean" - }, - "threshold" : { - "default" : 5, - "description" : "After configured threshold (number of successful CAPTCHA challenges with failed logins from IP Address / Device ID) defined action will be applied for the next login attempt", - "maximum" : 100, - "minimum" : 1, - "type" : "integer" - } - }, - "type" : "object" - }, - "clientSideIntegrityBypassCriteria" : { - "description" : "Specifies configuration for Client Side Integrity Bypass Mitigation.", - "properties" : { - "action" : { - "default" : "alarm-and-captcha", - "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. 
A login attempt is logged if the client successfully passes the CAPTCHA challenge.", - "enum" : [ - "alarm-and-captcha" - ], - "type" : "string" - }, - "enabled" : { - "default" : false, - "description" : "When enabled, the system counts successful challenges with failed logins from IP Address / Device ID / Username.\nLegitimate users who have disabled JavaScripting on their browsers for security reasons will fail a client side integrity challenge.", - "type" : "boolean" - }, - "threshold" : { - "default" : 3, - "description" : "After configured threshold (number of successful challenges with failed logins from IP Address / Device ID / Username) defined action will be applied for the next login attempt", - "maximum" : 100, - "minimum" : 1, - "type" : "integer" - } - }, - "type" : "object" - }, - "detectionCriteria" : { - "description" : "Specifies configuration for detecting distributed brute force attacks.", - "properties" : { - "action" : { - "default" : "alarm", - "description" : "Specifies action that is applied when one of the defined thresholds (credentialsStuffingMatchesReached, failedLoginAttemptsRateReached) is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. 
A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-client-side-integrity-captcha**: The system sends a Client Side Integrity challenge upon the first failed login attempt from a source and a CAPTCHA challenge upon second and all subsequent failed login attempts. A login attempt is logged if client successfully passes the challenge. This enforcement action should be chosen if CAPTCHA is considered intrusive. Benign users who mistype their password will likely get only the Client Side Integrity challenge, while an attacker will eventually get the CAPTCHA challenge.", - "enum" : [ - "alarm", - "alarm-and-captcha", - "alarm-and-client-side-integrity", - "alarm-and-client-side-integrity-captcha" - ], - "type" : "string" - }, - "credentialsStuffingMatchesReached" : { - "default" : 100, - "description" : "After configured threshold (number of detected login attempts that match known leaked credentials library) defined action will be applied for the next login attempt.", - "maximum" : 10000, - "minimum" : 1, - "type" : "integer" - }, - "detectCredentialsStuffingAttack" : { - "default" : true, - "description" : "When enabled, the system detects login attempts that match known leaked credentials library.", - "type" : "boolean" - }, - "detectDistributedBruteForceAttack" : { - "default" : true, - "description" : "When enabled, the system detects distributed brute force attacks.", - "type" : "boolean" - }, - "failedLoginAttemptsRateReached" : { - "default" : 100, - "description" : "After configured threshold (number of failed login attempts within measurementPeriod) defined action will be applied for the next login attempt. 
", - "maximum" : 10000, - "minimum" : 1, - "type" : "integer" - } - }, - "type" : "object" - }, - "leakedCredentialsCriteria" : { - "description" : "Specifies configuration for Leaked Credentials Detection.", - "properties" : { - "action" : { - "default" : "alarm-and-blocking-page", - "description" : "Specifies action when leaked credentials detected.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. 
The Honeypot page is recommended when mitigation is request blocking.\n- **alarm-and-leaked-credentials-response-page**: The default response page warns the user that the username and password have been leaked and the password should be changed.", - "enum" : [ - "alarm", - "alarm-and-blocking-page", - "alarm-and-honeypot-page", - "alarm-and-leaked-credentials-response-page" - ], - "type" : "string" - }, - "enabled" : { - "default" : false, - "description" : "When enabled, the system can match presented credentials to those in the credentials dictionary to detect leaked credentials.", - "type" : "boolean" - } - }, - "type" : "object" - }, - "loginAttemptsFromTheSameDeviceId" : { - "description" : "Specifies configuration for detecting brute force attacks for Device ID.", - "properties" : { - "action" : { - "default" : "alarm", - "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. 
The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.", - "enum" : [ - "alarm", - "alarm-and-blocking-page", - "alarm-and-captcha", - "alarm-and-client-side-integrity", - "alarm-and-drop", - "alarm-and-honeypot-page" - ], - "type" : "string" - }, - "enabled" : { - "default" : false, - "description" : "When enabled, the system counts failed login attempts for Device ID.", - "type" : "boolean" - }, - "threshold" : { - "default" : 3, - "description" : "After configured threshold (number of failed login attempts for Device ID) defined action will be applied for the next login attempt.", - "maximum" : 100, - "minimum" : 1, - "type" : "integer" - } - }, - "type" : "object" - }, "loginAttemptsFromTheSameIp" : { "description" : "Specifies configuration for detecting brute force attacks from IP Address.", "properties" : { 
@@ -883,11 +737,7 @@ "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.", "enum" : [ "alarm", - "alarm-and-blocking-page", - "alarm-and-captcha", - "alarm-and-client-side-integrity", - "alarm-and-drop", - "alarm-and-honeypot-page" + "alarm-and-blocking-page" ], "type" : "string" }, 
@@ -913,9 +763,7 @@ "default" : "alarm", "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.", "enum" : [ - "alarm", - "alarm-and-captcha", - "alarm-and-client-side-integrity" + "alarm" ], "type" : "string" }, @@ -934,34 +782,6 @@ }, "type" : "object" }, - "measurementPeriod" : { - "default" : 900, - "description" : "Defines detection period (measured in seconds) for distributed brute force attacks.", - "maximum" : 90000, - "minimum" : 60, - "type" : "integer" - }, - "preventionDuration" : { - "default" : "3600", - "description" : "Defines prevention period (measured in seconds) for distributed brute force attacks.", - "oneOf" : [ - { - "maximum" : 90000, - "minimum" : 60, - "type" : "integer" - }, - { - "enum" : [ - "unlimited" - ], - "type" : "string" - }, - { - "pattern" : "\\d+$", - "type" : "string" - } - ] - }, "reEnableLoginAfter" : { "default" : 3600, "description" : "Defines prevention period (measured in seconds) for source-based brute force attacks.", 
@@ -2897,6 +2717,66 @@ } ] }, + "login-enforcement" : { + "oneOf" : [ + { + "properties" : { + "authenticatedUrls" : { + "default" : [], + "items" : { + "type" : "string" + }, + "type" : "array" + }, + "expirationTimePeriod" : { + "default" : "disabled", + "oneOf" : [ + { + "maximum" : 99999, + "minimum" : 0, + "type" : "integer" + }, + { + "enum" : [ + "disabled" + ], + "type" : "string" + }, + { + "pattern" : "\\d+$", + "type" : "string" + } + ] + }, + "logoutUrls" : { + "items" : { + "properties" : { + "requestContains" : { + "type" : "string" + }, + "requestOmits" : { + "type" : "string" + }, + "url" : { + "$ref" : "#/properties/policy/properties/urls/oneOf/0/items", + "type" : "object" + } + }, + "required" : [ + "url" + ], + "type" : "object" + }, + "type" : "array" + } + }, + "type" : "object" + }, + { + "$ref" : "#/definitions/reference" + } + ] + }, "login-pages" : { "oneOf" : [ {
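Review bot: In the installation hunk for the NGINX Open Source "RHEL" tab (`@@ -1,13 +1,15` region of the tabs rewrite), the consolidated `nginx-oss-centos.md` include replaces not only the per-version includes but also the inline install step `sudo dnf install app-protect-module-oss` and the instruction "verify that the fingerprint matches `573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62`, and if so, accept it." Confirm that the shared include carries both; if it only sets up the repository, RHEL readers lose the install command and the GPG key-fingerprint check that guards against a substituted repository key.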
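Review bot: Doubled word in the new "For NGINX Plus" paragraph: "you will need to download the the JWT license file" should read "download the JWT license file". The same sentence, with the same typo, is added again in the hunk at `@@ -897,6 +628,16 @@`, so fix both copies or move the paragraph into a single include.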
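Review bot: The `about-5.4.md` hunk retargets the readOnlyFileSystem link to `deploy-with-manifests.md#configure-read-only-file-systems`, while every other Kubernetes link retargeted in this patch (`overview.md`, `configuration.md#mtls-deployment`) now points at `deploy-with-helm.md`. Neither target file is part of the diff, so confirm that both anchors exist in the new pages and that sending the read-only-file-system note to the manifests guide rather than the Helm guide is intentional.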
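Review bot: The new `about-5.6.md` front matter ships with the placeholder `docs: DOCS-000`; assign the real document ID before merge. The release notes also say nothing about the `policy.json` changes in this same patch (the new `login-enforcement` section, the `VIOL_LOGIN_URL_BYPASSED` / `VIOL_LOGIN_URL_EXPIRED` violations, and the removed brute-force properties), so add an entry under "New features" or "Important notes" that policy authors can find.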
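Review bot: The `@@ -727,154 +729,6 @@` hunk deletes `captchaBypassCriteria`, `clientSideIntegrityBypassCriteria`, `detectionCriteria`, `leakedCredentialsCriteria` and `loginAttemptsFromTheSameDeviceId` from the brute-force schema, and the following hunk deletes `measurementPeriod` and `preventionDuration`. Any existing policy that sets these keys will now fail schema validation at compile time, so this is a breaking change for users and needs a migration note; the remaining `loginAttemptsFromTheSameIp` description still advertises "Source IP or Device ID" tracking even though Device ID enforcement is gone.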
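Review bot: In the `@@ -883,11 +737,7 @@` hunk the `loginAttemptsFromTheSameIp.action` enum is narrowed to `"alarm"` and `"alarm-and-blocking-page"`, but the unchanged `description` line directly above still documents `alarm-and-captcha`, `alarm-and-client-side-integrity`, `alarm-and-drop` and `alarm-and-honeypot-page`. Trim the description to the two values the schema now accepts so generated docs and editor tooltips do not offer actions that validation rejects.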
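Review bot: Same mismatch in the `@@ -913,9 +763,7 @@` hunk: the enum collapses to `"alarm"` only, yet the `description` context line still lists `alarm-and-captcha` and `alarm-and-client-side-integrity` as selectable actions. Update the description to match, or keep the values if they are still meant to be supported.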
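Review bot: In the new `login-enforcement` definition (`@@ -2897,6 +2717,66 @@`), the third `expirationTimePeriod` alternative `"pattern" : "\\d+$"` is unanchored at the start, so any string that merely ends in a digit validates, and a numeric string such as "123456" sidesteps the `maximum : 99999` bound that the integer alternative enforces. Anchor it as `"^\\d+$"` or drop the string form if the integer and `"disabled"` alternatives cover the intended inputs; also add `description` entries for `authenticatedUrls`, `expirationTimePeriod` and `logoutUrls`, since every other property in this schema documents its meaning and these are what `VIOL_LOGIN_URL_BYPASSED` and `VIOL_LOGIN_URL_EXPIRED` are raised from.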