diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md index f2b35d160..6254715b4 100644 --- a/content/nap-dos/deployment-guide/learn-about-deployment.md +++ b/content/nap-dos/deployment-guide/learn-about-deployment.md @@ -33,8 +33,9 @@ NGINX App Protect DoS supports the following operating systems: - [Ubuntu 22.04 (Jammy)](#debian--ubuntu-installation) - [Ubuntu 24.04 (Noble)](#debian--ubuntu-installation) - [Alpine 3.15](#alpine-315x--317x--319x-installation) - (Deprecated starting from NGINX Plus R30) -- [Alpine 3.17](#alpine-315x--317x--319x-installation) +- [Alpine 3.17](#alpine-315x--317x--319x-installation) - (Deprecated starting from NGINX Plus R34) - [Alpine 3.19](#alpine-315x--317x--319x-installation) +- [AmazonLinux 2023](amazonlinux-linux-2023-installation) The NGINX App Protect DoS package has the following dependencies: @@ -64,6 +65,10 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s ## CentOS 7.4+ Installation +{{< note >}} + +CentOS 7.4 and RHEL 7.4 are deprecated as of NGINX Plus Release 32 (R32) and are not supported in Release 33 (R33) or later. For the list of supported distributions, refer to the [NGINX Plus Tech Specs]({{< relref "nginx/technical-specs.md" >}}).{{< note >}} + 1. If you already have NGINX packages in your system, back up your configs and logs: ```shell @@ -210,6 +215,10 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s ## RHEL 7.4+ Installation +{{< note >}} + +CentOS 7.4 and RHEL 7.4 are deprecated as of NGINX Plus Release 32 (R32) and are not supported in Release 33 (R33) or later. For the list of supported distributions, refer to the [NGINX Plus Tech Specs]({{< relref "nginx/technical-specs.md" >}}).{{< note >}} + 1. If you already have NGINX packages in your system, back up your configs and logs: ```shell @@ -401,15 +410,9 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s ```shell sudo mkdir -p /etc/ssl/nginx ``` +3. {{< include "licensing-and-reporting/download-jwt-crt-from-myf5.md" >}} -3. Log in to the NGINX [Customer Portal](https://my.f5.com) and download the following two files: - - ```shell - nginx-repo.key - nginx-repo.crt - ``` - -4. Copy the above two files to the CentOS server’s `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. +4. Copy the above two files to the RHEL server’s `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. 5. Install prerequisite packages: @@ -1142,6 +1145,137 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s rc-service app-protect-dos-ebpf-manager start ``` +## AmazonLinux Linux 2023 Installation + +1. If you already have NGINX packages in your system, back up your configs and logs: + + ```shell + sudo cp -a /etc/nginx /etc/nginx-plus-backup + sudo cp -a /var/log/nginx /var/log/nginx-plus-backup + ``` + +2. Create the `/etc/ssl/nginx/` directory: + + ```shell + sudo mkdir -p /etc/ssl/nginx + ``` + +3. Log in to the NGINX [Customer Portal](https://my.f5.com) and download the following two files: + + ```shell + nginx-repo.key + nginx-repo.crt + ``` + +4. Copy the above two files to the CentOS server’s `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. + +5. Install prerequisite packages: + + ```shell + sudo dnf install ca-certificates wget + +6. Add NGINX Plus and NGINX App Protect DoS repository: + + ```shell + sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo + sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo + ``` + +7. In case of fresh installation, update the repository and install the most recent version of the NGINX Plus App Protect DoS package (which includes NGINX Plus): + + ```shell + sudo dnf install app-protect-dos + ``` + + For L4 accelerated mitigation feature: + + ```shell + sudo dnf install app-protect-dos-ebpf-manager + ``` + + {{< note >}} + L4 accelerated mitigation feature: + - `app-protect-dos-ebpf-manager` run with root privileges. + {{< /note >}} + + Alternatively, you can use the following command to list available versions: + + ```shell + sudo dnf --showduplicates list app-protect-dos + ``` + + Then, install a specific version from the output of command above. For example: + + ```shell + sudo dnf install app-protect-dos-34+4.6.0 + ``` + +8. In case of upgrading from previously installed NGINX Plus App Protect DoS package (which includes NGINX Plus): + + ```shell + sudo dnf remove nginx-plus + sudo dnf install app-protect-dos + sudo systemctl start nginx + ``` + + {{< note >}} Make sure to restore configuration from `/etc/nginx-plus-backup` back to `/etc/nginx-plus`.{{< /note >}} + +9. Confirm the NGINX binary version to make sure that you have NGINX Plus installed correctly: + + ```shell + sudo nginx -v + ``` + +10. Check the App Protect DoS binary version to ensure that you have the right version installed correctly: + + ```shell + sudo admd -v + ``` + +11. Load the NGINX App Protect DoS module on the main context in the `nginx.conf` file: + + ```nginx + load_module modules/ngx_http_app_protect_dos_module.so; + ``` + +12. Enable NGINX App Protect DoS in an `http/server/location` context in the `nginx.conf` file: + + ```nginx + app_protect_dos_enable on; + app_protect_dos_name "App1"; + app_protect_dos_monitor uri=serv:80/; # Assuming server_name "serv" on port 80, with the root path "/" + ``` + +13. Enable the L4 accelerated mitigation feature in an `http` context in the `nginx.conf` file: + + ```nginx + app_protect_dos_accelerated_mitigation on; + ``` + +14. To enable the NGINX/App-Protect-DoS service to start at boot, run the command: + + ```shell + sudo systemctl enable nginx.service + ``` + +15. Start the NGINX service: + + ```shell + sudo systemctl start nginx + ``` + +16. L4 mitigation + + To enable the `app-protect-dos-ebpf-manager` service to start at boot, run the command: + ```shell + sudo systemctl enable nginx.service + ``` + Start the `app-protect-dos-ebpf-manager` service: + ``` + sudo systemctl start app-protect-dos-ebpf-manager + ``` + + ## Docker Deployment ### Docker Deployment Instructions @@ -1634,6 +1768,52 @@ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] ``` +### AmazonLinux 2023 Docker Deployment Example + +```Dockerfile +# For AmazonLinux 2023: +FROM registry.access.redhat.com/ubi9/ubi + +# Download certificate and key from the customer portal (https://my.f5.com) +# and copy to the build context: +COPY nginx-repo.crt nginx-repo.key /etc/ssl/nginx/ + +# Setup the Redhat subscription +RUN subscription-manager register --force --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} +RUN subscription-manager refresh +RUN subscription-manager attach --auto + +# Setup repos and Install dependencies +RUN subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms +RUN subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms +RUN dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm + +# Install prerequisite packages: +RUN dnf -y install wget ca-certificates + +# Add NGINX Plus repo to Yum: +RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-9.repo + +# Add NGINX App-protect & dependencies repo to Yum: +RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-dos-9.repo +RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ + # You can use either of the dependencies or epel repo + # && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ + && dnf clean all + +# Install NGINX App Protect DoS: +RUN dnf -y install app-protect-dos \ + && dnf clean all \ + && rm -rf /var/cache/yum \ + && rm -rf /etc/ssl/nginx + +# Copy configuration files: +COPY nginx.conf /etc/nginx/ +COPY entrypoint.sh /root/ + +CMD /root/entrypoint.sh && tail -f /dev/null +``` + ## Docker Deployment with NGINX App Protect @@ -2442,3 +2622,21 @@ kubectl create ns appprotect-dos-wp-diff ${DIR}/appprotect-dos/install.sh ${DIR}/appprotect-dos-arb/install_appprotect-dos-arb.sh ``` + +--- + +## App Protect DoS eBPF manager + +### Overview +The eBPF Manager is a powerful and efficient tool designed to simplify and secure the deployment of eBPF (Extended Berkeley Packet Filter) programs for advanced networking use cases. +Its primary responsibilities include program installation and managing client interactions to enable real-time packet processing and mitigation solutions. + +### CLI Options for Flexible Configuration +The eBPF Manager comes with configurable command-line flags for ease of use and deployment customization. Key options include: + +* Interface Selection: + * -i, --interface [interfaces...]: Specify one or more network interfaces for eBPF XDP program deployment. If omitted, it defaults to all non-virtual, active network devices. +* gRPC UDS Ownership: + * -u, --user : Set the user ownership for the gRPC Unix Domain Socket (UDS). Defaults to nginx. + * -g, --group : Set the group ownership for the gRPC Unix Domain Socket (UDS). Defaults to nginx. + diff --git a/content/nap-dos/releases/about-4.6.md b/content/nap-dos/releases/about-4.6.md new file mode 100644 index 000000000..2dc7866a2 --- /dev/null +++ b/content/nap-dos/releases/about-4.6.md @@ -0,0 +1,45 @@ +--- +title: NGINX App Protect DoS 4.6 +toc: true +weight: 60 +docs: DOCS-000 +--- + +Here you can find the release information for F5 NGINX App Protect DoS v4.6 + +NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. + +--- + +## Release 4.6 + +Mar 24, 2025 + +NGINX App Protect DoS 4.6 adds support for NGINX Plus R34. + +--- + +### New features + +- Support for NGINX Plus R34 +- Add support for AmazonLinux 2023 +- Remove support for Alpine 3.17 +- Telemetry Readiness - this feature enables periodic telemetry reporting for NGINX App Protect DoS, capturing key statistics and metrics. In the initial phase, telemetry data is temporarily logged to the NGINX error.log file every minute on DEBUG log level. +- Bug fixes + +--- + +### Supported packages + +| Distribution name | Package file | +|--------------------------|------------------------------------------------------| +| Alpine 3.19 | _app-protect-dos-34+4.6.0-r1.apk_ | +| AmaznoLinux 2023 | _app-protect-dos-34+4.6.0-1.amzn2023.ngx.x86_64.rpm_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-dos-34+4.6.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-dos-34+4.6.0-1.el9.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-dos_34+4.6.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-dos_34+4.6.0-1\~bookworm_amd64.deb_ | +| Ubuntu 20.04 | _app-protect-dos_34+4.6.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-dos_34+4.6.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-dos_34+4.6.0-1\~noble_amd64.deb_ | +| NGINX Plus | _NGINX Plus R34_ |