From 15db6f17782812542873dafd8ea04b054c576d2a Mon Sep 17 00:00:00 2001 From: pasmant <78279234+pasmant@users.noreply.github.com> Date: Thu, 13 Mar 2025 14:44:13 +0200 Subject: [PATCH 1/6] feat: Update docs - with overview for App Protect DoS eBPF manager (#279) * feat: Update docs - with overview for App Protect DoS eBPF manager * Update content/nap-dos/deployment-guide/learn-about-deployment.md --------- Co-authored-by: Alan Dooley --- .../deployment-guide/learn-about-deployment.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md index f2b35d160..51173d3c2 100644 --- a/content/nap-dos/deployment-guide/learn-about-deployment.md +++ b/content/nap-dos/deployment-guide/learn-about-deployment.md 
@@ -2442,3 +2442,21 @@ kubectl create ns appprotect-dos-wp-diff ${DIR}/appprotect-dos/install.sh ${DIR}/appprotect-dos-arb/install_appprotect-dos-arb.sh ``` + +--- + +## App Protect DoS eBPF manager + +### Overview +The eBPF Manager is a powerful and efficient tool designed to simplify and secure the deployment of eBPF (Extended Berkeley Packet Filter) programs for advanced networking use cases. +Its primary responsibilities include program installation and managing client interactions to enable real-time packet processing and mitigation solutions. + +### CLI Options for Flexible Configuration +The eBPF Manager comes with configurable command-line flags for ease of use and deployment customization. Key options include: + +* Interface Selection: + * -i, --interface [interfaces...]: Specify one or more network interfaces for eBPF XDP program deployment. If omitted, it defaults to all non-virtual, active network devices. +* gRPC UDS Ownership: + * -u, --user : Set the user ownership for the gRPC Unix Domain Socket (UDS). Defaults to nginx. + * -g, --group : Set the group ownership for the gRPC Unix Domain Socket (UDS). Defaults to nginx. + \ No newline at end of file From 8f1e1c846355fc228ebbaaeefe8e7c46f5f5407c Mon Sep 17 00:00:00 2001 From: Raanan <59834489+rnitzan@users.noreply.github.com> Date: Mon, 17 Mar 2025 12:28:00 +0200 Subject: [PATCH 2/6] Update learn-about-deployment.md --- .../learn-about-deployment.md | 182 +++++++++++++++++- 1 file changed, 180 insertions(+), 2 deletions(-) diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md index 51173d3c2..515684462 100644 --- a/content/nap-dos/deployment-guide/learn-about-deployment.md +++ b/content/nap-dos/deployment-guide/learn-about-deployment.md 
@@ -33,8 +33,9 @@ NGINX App Protect DoS supports the following operating systems: - [Ubuntu 22.04 (Jammy)](#debian--ubuntu-installation) - [Ubuntu 24.04 (Noble)](#debian--ubuntu-installation) - [Alpine 3.15](#alpine-315x--317x--319x-installation) - (Deprecated starting from NGINX Plus R30) -- [Alpine 3.17](#alpine-315x--317x--319x-installation) +- [Alpine 3.17](#alpine-315x--317x--319x-installation) - (Deprecated starting from NGINX Plus R34) - [Alpine 3.19](#alpine-315x--317x--319x-installation) +- [AmazonLinux 2023](#amazonlinux-2023-installation) The NGINX App Protect DoS package has the following dependencies: 
@@ -1142,6 +1143,137 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s rc-service app-protect-dos-ebpf-manager start ``` +## AmazonLinux Linux 2023 Installation + +1. If you already have NGINX packages in your system, back up your configs and logs: + + ```shell + sudo cp -a /etc/nginx /etc/nginx-plus-backup + sudo cp -a /var/log/nginx /var/log/nginx-plus-backup + ``` + +2. Create the `/etc/ssl/nginx/` directory: + + ```shell + sudo mkdir -p /etc/ssl/nginx + ``` + +3. Log in to the NGINX [Customer Portal](https://my.f5.com) and download the following two files: + + ```shell + nginx-repo.key + nginx-repo.crt + ``` + +4. Copy the above two files to the CentOS server’s `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. + +5. Install prerequisite packages: + + ```shell + sudo dnf install ca-certificates wget + +6. Add NGINX Plus and NGINX App Protect DoS repository: + + ```shell + sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo + sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo + ``` + +7. In case of fresh installation, update the repository and install the most recent version of the NGINX Plus App Protect DoS package (which includes NGINX Plus): + + ```shell + sudo dnf install app-protect-dos + ``` + + For L4 accelerated mitigation feature: + + ```shell + sudo dnf install app-protect-dos-ebpf-manager + ``` + + {{< note >}} + L4 accelerated mitigation feature: + - `app-protect-dos-ebpf-manager` run with root privileges. + {{< /note >}} + + Alternatively, you can use the following command to list available versions: + + ```shell + sudo dnf --showduplicates list app-protect-dos + ``` + + Then, install a specific version from the output of command above. For example: + + ```shell + sudo dnf install app-protect-dos-34+4.6.0 + ``` + +8. 
In case of upgrading from previously installed NGINX Plus App Protect DoS package (which includes NGINX Plus): + + ```shell + sudo dnf remove nginx-plus + sudo dnf install app-protect-dos + sudo systemctl start nginx + ``` + + {{< note >}} Make sure to restore configuration from `/etc/nginx-plus-backup` back to `/etc/nginx-plus`.{{< /note >}} + +9. Confirm the NGINX binary version to make sure that you have NGINX Plus installed correctly: + + ```shell + sudo nginx -v + ``` + +10. Check the App Protect DoS binary version to ensure that you have the right version installed correctly: + + ```shell + sudo admd -v + ``` + +11. Load the NGINX App Protect DoS module on the main context in the `nginx.conf` file: + + ```nginx + load_module modules/ngx_http_app_protect_dos_module.so; + ``` + +12. Enable NGINX App Protect DoS in an `http/server/location` context in the `nginx.conf` file: + + ```nginx + app_protect_dos_enable on; + app_protect_dos_name "App1"; + app_protect_dos_monitor uri=serv:80/; # Assuming server_name "serv" on port 80, with the root path "/" + ``` + +13. Enable the L4 accelerated mitigation feature in an `http` context in the `nginx.conf` file: + + ```nginx + app_protect_dos_accelerated_mitigation on; + ``` + +14. To enable the NGINX/App-Protect-DoS service to start at boot, run the command: + + ```shell + sudo systemctl enable nginx.service + ``` + +15. Start the NGINX service: + + ```shell + sudo systemctl start nginx + ``` + +16. L4 mitigation + + To enable the `app-protect-dos-ebpf-manager` service to start at boot, run the command: + ```shell + sudo systemctl enable nginx.service + ``` + Start the `app-protect-dos-ebpf-manager` service: + ``` + sudo systemctl start app-protect-dos-ebpf-manager + ``` + + ## Docker Deployment ### Docker Deployment Instructions 
@@ -1634,6 +1766,52 @@ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] ``` +### AmazonLinux 2023 Docker Deployment Example + +```Dockerfile +# For AmazonLinux 2023: +FROM registry.access.redhat.com/ubi9/ubi + +# Download certificate and key from the customer portal (https://my.f5.com) +# and copy to the build context: +COPY nginx-repo.crt nginx-repo.key /etc/ssl/nginx/ + +# Setup the Redhat subscription +RUN subscription-manager register --force --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} +RUN subscription-manager refresh +RUN subscription-manager attach --auto + +# Setup repos and Install dependencies +RUN subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms +RUN subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms +RUN dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm + +# Install prerequisite packages: +RUN dnf -y install wget ca-certificates + +# Add NGINX Plus repo to Yum: +RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-9.repo + +# Add NGINX App-protect & dependencies repo to Yum: +RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-dos-9.repo +RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ + # You can use either of the dependencies or epel repo + # && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ + && dnf clean all + +# Install NGINX App Protect DoS: +RUN dnf -y install app-protect-dos \ + && dnf clean all \ + && rm -rf /var/cache/yum \ + && rm -rf /etc/ssl/nginx + +# Copy configuration files: +COPY nginx.conf /etc/nginx/ +COPY entrypoint.sh /root/ + +CMD /root/entrypoint.sh && tail -f /dev/null +``` + ## Docker Deployment with NGINX App Protect 
@@ -2459,4 +2637,4 @@ The eBPF Manager comes with configurable command-line flags for ease of use and * gRPC UDS Ownership: * -u, --user : Set the user ownership for the gRPC Unix Domain Socket (UDS). Defaults to nginx. * -g, --group : Set the group ownership for the gRPC Unix Domain Socket (UDS). Defaults to nginx. - \ No newline at end of file + From ce5a421fa6491531082c1935c1177b4ac09399b1 Mon Sep 17 00:00:00 2001 From: Raanan <59834489+rnitzan@users.noreply.github.com> Date: Tue, 18 Mar 2025 14:25:47 +0200 Subject: [PATCH 3/6] nap-dos R34 --- content/nap-dos/deployment-guide/learn-about-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md index 515684462..f1ab9e3e2 100644 --- a/content/nap-dos/deployment-guide/learn-about-deployment.md +++ b/content/nap-dos/deployment-guide/learn-about-deployment.md @@ -35,7 +35,7 @@ NGINX App Protect DoS supports the following operating systems: - [Alpine 3.15](#alpine-315x--317x--319x-installation) - (Deprecated starting from NGINX Plus R30) - [Alpine 3.17](#alpine-315x--317x--319x-installation) - (Deprecated starting from NGINX Plus R34) - [Alpine 3.19](#alpine-315x--317x--319x-installation) -- [AmazonLinux 2023](#amazonlinux-2023-installation) +- [AmazonLinux 2023](amazonlinux-linux-2023-installation) The NGINX App Protect DoS package has the following dependencies: From 7f1f57bed9505a9b0db3e3c008a3c67398277e2e Mon Sep 17 00:00:00 2001 From: Raanan <59834489+rnitzan@users.noreply.github.com> Date: Thu, 20 Mar 2025 10:14:22 +0200 Subject: [PATCH 4/6] Create about-4.6.md --- content/nap-dos/releases/about-4.6.md | 45 +++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 content/nap-dos/releases/about-4.6.md diff --git a/content/nap-dos/releases/about-4.6.md b/content/nap-dos/releases/about-4.6.md new file mode 100644 index 000000000..659d6a658 
--- /dev/null +++ b/content/nap-dos/releases/about-4.6.md @@ -0,0 +1,45 @@ +--- +title: NGINX App Protect DoS 4.6 +toc: true +weight: 70 +docs: DOCS-000 +--- + +Here you can find the release information for F5 NGINX App Protect DoS v4.5 + +NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. + +--- + +## Release 4.6 + +Mar 24, 2025 + +NGINX App Protect DoS 4.6 adds support for NGINX Plus R34. + +--- + +### New features + +- Support for NGINX Plus R34 +- Add support for AmazonLinux 2023 +- Remove support for Alpine 3.17 +- Telemetry Readiness +- Bug fixes + +--- + +### Supported packages + +| Distribution name | Package file | +|--------------------------|------------------------------------------------------| +| Alpine 3.19 | _app-protect-dos-34+4.6.0-r1.apk_ | +| AmaznoLinux 2023 | _app-protect-dos-34+4.6.0-1.amzn2023.ngx.x86_64.rpm_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-dos-34+4.6.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-dos-34+4.6.0-1.el9.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-dos_34+4.6.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-dos_34+4.6.0-1\~bookworm_amd64.deb_ | +| Ubuntu 20.04 | _app-protect-dos_34+4.6.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-dos_34+4.6.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-dos_34+4.6.0-1\~noble_amd64.deb_ | +| NGINX Plus | _NGINX Plus R34_ | From 82debfbc39c949ae93ff124da8df23e57e45b833 Mon Sep 17 00:00:00 2001 From: Raanan <59834489+rnitzan@users.noreply.github.com> Date: Thu, 20 Mar 2025 10:22:08 +0200 Subject: [PATCH 5/6] Update about-4.6.md --- content/nap-dos/releases/about-4.6.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/nap-dos/releases/about-4.6.md b/content/nap-dos/releases/about-4.6.md index 659d6a658..2dc7866a2 100644 --- a/content/nap-dos/releases/about-4.6.md +++ b/content/nap-dos/releases/about-4.6.md 
@@ -1,11 +1,11 @@ --- title: NGINX App Protect DoS 4.6 toc: true -weight: 70 +weight: 60 docs: DOCS-000 --- -Here you can find the release information for F5 NGINX App Protect DoS v4.5 +Here you can find the release information for F5 NGINX App Protect DoS v4.6 NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications. @@ -24,7 +24,7 @@ NGINX App Protect DoS 4.6 adds support for NGINX Plus R34. - Support for NGINX Plus R34 - Add support for AmazonLinux 2023 - Remove support for Alpine 3.17 -- Telemetry Readiness +- Telemetry Readiness - this feature enables periodic telemetry reporting for NGINX App Protect DoS, capturing key statistics and metrics. In the initial phase, telemetry data is temporarily logged to the NGINX error.log file every minute on DEBUG log level. - Bug fixes --- From 38fbf21f4dcb773b40e8a369a8e6344176afb14f Mon Sep 17 00:00:00 2001 From: Raanan <59834489+rnitzan@users.noreply.github.com> Date: Thu, 20 Mar 2025 11:16:11 +0200 Subject: [PATCH 6/6] Update learn-about-deployment.md --- .../deployment-guide/learn-about-deployment.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md index f1ab9e3e2..6254715b4 100644 --- a/content/nap-dos/deployment-guide/learn-about-deployment.md +++ b/content/nap-dos/deployment-guide/learn-about-deployment.md @@ -65,6 +65,10 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s ## CentOS 7.4+ Installation +{{< note >}} + +CentOS 7.4 and RHEL 7.4 are deprecated as of NGINX Plus Release 32 (R32) and are not supported in Release 33 (R33) or later. For the list of supported distributions, refer to the [NGINX Plus Tech Specs]({{< relref "nginx/technical-specs.md" >}}).{{< note >}} + 1. If you already have NGINX packages in your system, back up your configs and logs: ```shell 
@@ -211,6 +215,10 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s ## RHEL 7.4+ Installation +{{< note >}} + +CentOS 7.4 and RHEL 7.4 are deprecated as of NGINX Plus Release 32 (R32) and are not supported in Release 33 (R33) or later. For the list of supported distributions, refer to the [NGINX Plus Tech Specs]({{< relref "nginx/technical-specs.md" >}}).{{< note >}} + 1. If you already have NGINX packages in your system, back up your configs and logs: ```shell @@ -402,15 +410,9 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s ```shell sudo mkdir -p /etc/ssl/nginx ``` +3. {{< include "licensing-and-reporting/download-jwt-crt-from-myf5.md" >}} -3. Log in to the NGINX [Customer Portal](https://my.f5.com) and download the following two files: - - ```shell - nginx-repo.key - nginx-repo.crt - ``` - -4. Copy the above two files to the CentOS server’s `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. +4. Copy the above two files to the RHEL server’s `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task. 5. Install prerequisite packages:
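Review bot: In PATCH 1/6, the `-u, --user :` and `-g, --group :` items in the eBPF manager CLI list show no argument placeholder before the colon, unlike `-i, --interface [interfaces...]`, so a reader cannot tell what value each flag takes. Put each flag together with its argument in backticks so the placeholder survives rendering. Since the note added in PATCH 2/6 says `app-protect-dos-ebpf-manager` runs with root privileges, also state the path and permission mode of the gRPC UDS whose ownership these flags set. The file ends without a trailing newline, which PATCH 2/6 then has to correct.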
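Review bot: In PATCH 2/6, step 16 of the new AmazonLinux 2023 installation section, the command under "To enable the `app-protect-dos-ebpf-manager` service to start at boot" is `sudo systemctl enable nginx.service`, which repeats step 14 and leaves the eBPF manager disabled after a reboot; it should be `sudo systemctl enable app-protect-dos-ebpf-manager`. In the same hunk, the shell fence opened in step 5 is never closed before step 6, step 4 still says "CentOS server's", the note in step 8 restores to `/etc/nginx-plus` although step 1 backed up `/etc/nginx`, and the heading reads "AmazonLinux Linux 2023 Installation" while the list entry added at the top of this patch links to `#amazonlinux-2023-installation`.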
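Review bot: In PATCH 2/6, the "AmazonLinux 2023 Docker Deployment Example" builds `FROM registry.access.redhat.com/ubi9/ubi`, registers with `subscription-manager`, and pulls `plus-9.repo` and `app-protect-dos-9.repo`, so it is the RHEL 9 example under an AmazonLinux title. Base it on an Amazon Linux 2023 image and use the `plus-amazonlinux2023.repo` and `app-protect-amazonlinux2023.repo` files from the installation steps in this same patch. Separately, `COPY nginx-repo.crt nginx-repo.key /etc/ssl/nginx/` places the repository key in its own image layer, and the later `rm -rf /etc/ssl/nginx` does not remove it from that layer; a build secret mount would keep the key out of the image. `${RHEL_ORG}` and `${RHEL_ACTIVATION_KEY}` are also used without an `ARG` declaration in the lines shown.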
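Review bot: In PATCH 3/6, the new link target `(amazonlinux-linux-2023-installation)` has lost the leading `#` that every other entry in the list has, so it resolves as a relative page path instead of an in-page anchor. Use `(#amazonlinux-linux-2023-installation)`, or rename the heading to drop the doubled "Linux" and keep the original `#amazonlinux-2023-installation` anchor.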
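Review bot: In PATCH 4/6, the supported packages table spells the distribution "AmaznoLinux 2023"; it should match "AmazonLinux 2023" in the feature list above it. The front matter also carries `docs: DOCS-000`, which reads as a placeholder ID to replace before merge, and the intro line says v4.5 in a 4.6 release file (corrected in PATCH 5/6).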
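Review bot: In PATCH 5/6, the Telemetry Readiness bullet says data is written to the NGINX `error.log` every minute "on DEBUG log level" but does not say which statistics and metrics are captured or whether the feature is enabled by default. Name the fields or link to a reference for them, and say explicitly whether output appears only when the error log is set to debug, so operators can judge what ends up in their logs. The `weight` change from 70 to 60 is not explained in the commit message.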
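Review bot: In PATCH 6/6, both deprecation notes (under "CentOS 7.4+ Installation" and "RHEL 7.4+ Installation") end with `{{< note >}}` instead of `{{< /note >}}`, so the shortcode is opened twice and never closed. Close each with `{{< /note >}}`, as the notes added in PATCH 2/6 do.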
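Review bot: In PATCH 6/6, hunk `@@ -402,15 +410,9 @@`, step 4 still says "Copy the above two files" after the list naming `nginx-repo.key` and `nginx-repo.crt` was removed from step 3 in favour of the `licensing-and-reporting/download-jwt-crt-from-myf5.md` include, so the step no longer shows which files are meant. Name the files in step 4 or confirm that the include lists the same two. The new `3.` line also follows the closing fence of step 2 with no blank line between them, unlike the other steps.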