Closed
216 changes: 207 additions & 9 deletions content/nap-dos/deployment-guide/learn-about-deployment.md
Expand Up @@ -33,8 +33,9 @@ NGINX App Protect DoS supports the following operating systems:
- [Ubuntu 22.04 (Jammy)](#debian--ubuntu-installation)
- [Ubuntu 24.04 (Noble)](#debian--ubuntu-installation)
- [Alpine 3.15](#alpine-315x--317x--319x-installation) - (Deprecated starting from NGINX Plus R30)
- [Alpine 3.17](#alpine-315x--317x--319x-installation)
- [Alpine 3.17](#alpine-315x--317x--319x-installation) - (Deprecated starting from NGINX Plus R34)
- [Alpine 3.19](#alpine-315x--317x--319x-installation)
- [AmazonLinux 2023](amazonlinux-linux-2023-installation)

The NGINX App Protect DoS package has the following dependencies:

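Review bot: the new AmazonLinux 2023 entry links to `(amazonlinux-linux-2023-installation)` without the leading `#`, so unlike the other entries in this list it resolves as a relative page path rather than an in-page anchor. Use `(#amazonlinux-linux-2023-installation)`, and keep it in sync if the section heading added later in this file is renamed.
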
Expand Down Expand Up @@ -64,6 +65,10 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s

## CentOS 7.4+ Installation

{{< note >}}

CentOS 7.4 and RHEL 7.4 are deprecated as of NGINX Plus Release 32 (R32) and are not supported in Release 33 (R33) or later. For the list of supported distributions, refer to the [NGINX Plus Tech Specs]({{< relref "nginx/technical-specs.md" >}}).{{< note >}}

1. If you already have NGINX packages in your system, back up your configs and logs:

```shell
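
Review bot: the note added under the CentOS 7.4+ heading is closed with a second `{{< note >}}` instead of `{{< /note >}}`, so the shortcode never terminates and the numbered steps that follow end up inside the note, or the Hugo build fails. Change the trailing shortcode to `{{< /note >}}` and put it on its own line after the sentence.
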
Expand Down Expand Up @@ -210,6 +215,10 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s

## RHEL 7.4+ Installation

{{< note >}}

CentOS 7.4 and RHEL 7.4 are deprecated as of NGINX Plus Release 32 (R32) and are not supported in Release 33 (R33) or later. For the list of supported distributions, refer to the [NGINX Plus Tech Specs]({{< relref "nginx/technical-specs.md" >}}).{{< note >}}

1. If you already have NGINX packages in your system, back up your configs and logs:

```shell
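
Review bot: the deprecation note under the RHEL 7.4+ heading ends with `{{< note >}}` rather than `{{< /note >}}`, which leaves the shortcode unclosed ahead of step 1. Replace the trailing shortcode with `{{< /note >}}`; since the text is identical to the CentOS note, a shared include would keep the two from drifting.
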
Expand Down Expand Up @@ -401,15 +410,9 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s
```shell
sudo mkdir -p /etc/ssl/nginx
```
3. {{< include "licensing-and-reporting/download-jwt-crt-from-myf5.md" >}}

3. Log in to the NGINX [Customer Portal](https://my.f5.com) and download the following two files:

```shell
nginx-repo.key
nginx-repo.crt
```

4. Copy the above two files to the CentOS server’s `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task.
4. Copy the above two files to the RHEL server’s `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task.

5. Install prerequisite packages:

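Review bot: step 4 still says "Copy the above two files", but the `nginx-repo.key` / `nginx-repo.crt` list that phrase pointed at is replaced here by the `download-jwt-crt-from-myf5.md` include, so the step now depends on text that is not visible in this file. Name the files in step 4 explicitly, or confirm that the include lists exactly the files to copy. The new step 3 line also follows the closing code fence with no blank line, which can break list numbering in some Markdown renderers.
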
Expand Down Expand Up @@ -1142,6 +1145,137 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s
rc-service app-protect-dos-ebpf-manager start
```

## AmazonLinux Linux 2023 Installation

1. If you already have NGINX packages in your system, back up your configs and logs:

```shell
sudo cp -a /etc/nginx /etc/nginx-plus-backup
sudo cp -a /var/log/nginx /var/log/nginx-plus-backup
```

2. Create the `/etc/ssl/nginx/` directory:

```shell
sudo mkdir -p /etc/ssl/nginx
```

3. Log in to the NGINX [Customer Portal](https://my.f5.com) and download the following two files:

```shell
nginx-repo.key
nginx-repo.crt
```

4. Copy the above two files to the CentOS server’s `/etc/ssl/nginx/` directory. Use an SCP client or another secure file transfer tool to perform this task.

5. Install prerequisite packages:

```shell
sudo dnf install ca-certificates wget

6. Add NGINX Plus and NGINX App Protect DoS repository:

```shell
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo
```

7. In case of fresh installation, update the repository and install the most recent version of the NGINX Plus App Protect DoS package (which includes NGINX Plus):

```shell
sudo dnf install app-protect-dos
```

For L4 accelerated mitigation feature:

```shell
sudo dnf install app-protect-dos-ebpf-manager
```

{{< note >}}
L4 accelerated mitigation feature:
- `app-protect-dos-ebpf-manager` run with root privileges.
{{< /note >}}

Alternatively, you can use the following command to list available versions:

```shell
sudo dnf --showduplicates list app-protect-dos
```

Then, install a specific version from the output of command above. For example:

```shell
sudo dnf install app-protect-dos-34+4.6.0
```

8. In case of upgrading from previously installed NGINX Plus App Protect DoS package (which includes NGINX Plus):

```shell
sudo dnf remove nginx-plus
sudo dnf install app-protect-dos
sudo systemctl start nginx
```

{{< note >}} Make sure to restore configuration from `/etc/nginx-plus-backup` back to `/etc/nginx-plus`.{{< /note >}}

9. Confirm the NGINX binary version to make sure that you have NGINX Plus installed correctly:

```shell
sudo nginx -v
```

10. Check the App Protect DoS binary version to ensure that you have the right version installed correctly:

```shell
sudo admd -v
```

11. Load the NGINX App Protect DoS module on the main context in the `nginx.conf` file:

```nginx
load_module modules/ngx_http_app_protect_dos_module.so;
```

12. Enable NGINX App Protect DoS in an `http/server/location` context in the `nginx.conf` file:

```nginx
app_protect_dos_enable on;
app_protect_dos_name "App1";
app_protect_dos_monitor uri=serv:80/; # Assuming server_name "serv" on port 80, with the root path "/"
```

13. Enable the L4 accelerated mitigation feature in an `http` context in the `nginx.conf` file:

```nginx
app_protect_dos_accelerated_mitigation on;
```

14. To enable the NGINX/App-Protect-DoS service to start at boot, run the command:

```shell
sudo systemctl enable nginx.service
```

15. Start the NGINX service:

```shell
sudo systemctl start nginx
```

16. L4 mitigation

To enable the `app-protect-dos-ebpf-manager` service to start at boot, run the command:
```shell
sudo systemctl enable nginx.service
```
Start the `app-protect-dos-ebpf-manager` service:
```
sudo systemctl start app-protect-dos-ebpf-manager
```


## Docker Deployment

### Docker Deployment Instructions
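
Review bot: in step 16 of the new AmazonLinux section, the command given to enable `app-protect-dos-ebpf-manager` at boot is `sudo systemctl enable nginx.service`, which enables NGINX, not the eBPF manager; it should presumably be `sudo systemctl enable app-protect-dos-ebpf-manager`. Other points in the same section: the step 5 code fence (`sudo dnf install ca-certificates wget`) is never closed, so step 6 renders inside the code block; step 4 refers to "the CentOS server's" directory; the upgrade note restores into `/etc/nginx-plus` although step 1 backed up `/etc/nginx`; the last fence in step 16 lacks the `shell` tag; and the heading reads "AmazonLinux Linux 2023".
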
Expand Down Expand Up @@ -1634,6 +1768,52 @@ COPY entrypoint.sh /root/
CMD ["sh", "/root/entrypoint.sh"]
```

### AmazonLinux 2023 Docker Deployment Example

```Dockerfile
# For AmazonLinux 2023:
FROM registry.access.redhat.com/ubi9/ubi

# Download certificate and key from the customer portal (https://my.f5.com)
# and copy to the build context:
COPY nginx-repo.crt nginx-repo.key /etc/ssl/nginx/

# Setup the Redhat subscription
RUN subscription-manager register --force --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY}
RUN subscription-manager refresh
RUN subscription-manager attach --auto

# Setup repos and Install dependencies
RUN subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms
RUN subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms
RUN dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

# Install prerequisite packages:
RUN dnf -y install wget ca-certificates

# Add NGINX Plus repo to Yum:
RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-9.repo

# Add NGINX App-protect & dependencies repo to Yum:
RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-dos-9.repo
RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \
# You can use either of the dependencies or epel repo
# && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
&& dnf clean all

# Install NGINX App Protect DoS:
RUN dnf -y install app-protect-dos \
&& dnf clean all \
&& rm -rf /var/cache/yum \
&& rm -rf /etc/ssl/nginx

# Copy configuration files:
COPY nginx.conf /etc/nginx/
COPY entrypoint.sh /root/

CMD /root/entrypoint.sh && tail -f /dev/null
```


## Docker Deployment with NGINX App Protect

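Review bot: the example under "AmazonLinux 2023 Docker Deployment Example" builds `FROM registry.access.redhat.com/ubi9/ubi`, registers with `subscription-manager`, and pulls `plus-9.repo` and `app-protect-dos-9.repo`, so it is a RHEL 9 image rather than an Amazon Linux 2023 one; the installation section in this same PR uses `plus-amazonlinux2023.repo` and `app-protect-amazonlinux2023.repo`. Switch the base image and repo files to Amazon Linux 2023 and drop the Red Hat subscription steps. Separately, `nginx-repo.key` is added with `COPY` and only removed by `rm -rf /etc/ssl/nginx` in a later `RUN`, so the key remains recoverable from the earlier image layer; a build secret mount or a multi-stage build would keep it out of the published image. `${RHEL_ORG}` and `${RHEL_ACTIVATION_KEY}` are also referenced without an `ARG` declaration in the visible lines.
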
Expand Down Expand Up @@ -2442,3 +2622,21 @@ kubectl create ns appprotect-dos-wp-diff
${DIR}/appprotect-dos/install.sh
${DIR}/appprotect-dos-arb/install_appprotect-dos-arb.sh
```

---

## App Protect DoS eBPF manager

### Overview
The eBPF Manager is a powerful and efficient tool designed to simplify and secure the deployment of eBPF (Extended Berkeley Packet Filter) programs for advanced networking use cases.
Its primary responsibilities include program installation and managing client interactions to enable real-time packet processing and mitigation solutions.

### CLI Options for Flexible Configuration
The eBPF Manager comes with configurable command-line flags for ease of use and deployment customization. Key options include:

* Interface Selection:
* -i, --interface [interfaces...]: Specify one or more network interfaces for eBPF XDP program deployment. If omitted, it defaults to all non-virtual, active network devices.
* gRPC UDS Ownership:
* -u, --user <user_name>: Set the user ownership for the gRPC Unix Domain Socket (UDS). Defaults to nginx.
* -g, --group <group_name>: Set the group ownership for the gRPC Unix Domain Socket (UDS). Defaults to nginx.

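Review bot: in the CLI options list, `-u, --user <user_name>` and `-g, --group <group_name>` are written as bare text, so the angle-bracket placeholders are likely to be treated as HTML tags and dropped when rendered; wrap each flag and its argument in backticks. The flag lines also sit at the same list level as their "Interface Selection" and "gRPC UDS Ownership" group labels and should be indented under them. Since `-i` defaults to all non-virtual, active network devices when omitted, it would help to say where these flags are set for the packaged service, and the "powerful and efficient tool" sentence in the Overview could be replaced with a plain description.
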
45 changes: 45 additions & 0 deletions content/nap-dos/releases/about-4.6.md
@@ -0,0 +1,45 @@
---
title: NGINX App Protect DoS 4.6
toc: true
weight: 60
docs: DOCS-000
---

Here you can find the release information for F5 NGINX App Protect DoS v4.6

NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications.

---

## Release 4.6

Mar 24, 2025

NGINX App Protect DoS 4.6 adds support for NGINX Plus R34.

---

### New features

- Support for NGINX Plus R34
- Add support for AmazonLinux 2023
- Remove support for Alpine 3.17
- Telemetry Readiness - this feature enables periodic telemetry reporting for NGINX App Protect DoS, capturing key statistics and metrics. In the initial phase, telemetry data is temporarily logged to the NGINX error.log file every minute on DEBUG log level.
- Bug fixes

---

### Supported packages

| Distribution name | Package file |
|--------------------------|------------------------------------------------------|
| Alpine 3.19 | _app-protect-dos-34+4.6.0-r1.apk_ |
| AmaznoLinux 2023 | _app-protect-dos-34+4.6.0-1.amzn2023.ngx.x86_64.rpm_ |
| RHEL 8 and Rocky Linux 8 | _app-protect-dos-34+4.6.0-1.el8.ngx.x86_64.rpm_ |
| RHEL 9 | _app-protect-dos-34+4.6.0-1.el9.ngx.x86_64.rpm_ |
| Debian 11 | _app-protect-dos_34+4.6.0-1\~bullseye_amd64.deb_ |
| Debian 12 | _app-protect-dos_34+4.6.0-1\~bookworm_amd64.deb_ |
| Ubuntu 20.04 | _app-protect-dos_34+4.6.0-1\~focal_amd64.deb_ |
| Ubuntu 22.04 | _app-protect-dos_34+4.6.0-1\~jammy_amd64.deb_ |
| Ubuntu 24.04 | _app-protect-dos_34+4.6.0-1\~noble_amd64.deb_ |
| NGINX Plus | _NGINX Plus R34_ |
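
Review bot: the supported packages table spells the distribution as "AmaznoLinux 2023"; it should match "AmazonLinux 2023" in the feature list above it. The front matter still carries `docs: DOCS-000`, which looks like a placeholder ID, and "Remove support for Alpine 3.17" is listed under "New features" while the deployment guide in this PR marks Alpine 3.17 as deprecated starting from NGINX Plus R34; pick one wording and consider a separate heading for removals.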