From 3df8439ef95a1c111d2d706f6f213e8cfa8e44cd Mon Sep 17 00:00:00 2001 From: Andrei Belov Date: Mon, 22 Sep 2025 15:21:24 -0600 Subject: [PATCH 01/58] feat: IPv6 connectivity support in NGINX One APIs (#1135) * feat: IPv6 connectivity support in NGINX One APIs * Also confirmed OK with NGINX Plus --------- Co-authored-by: Mike Jang <3287976+mjang@users.noreply.github.com> --- .../includes/nginx-one/how-to/install-nginx-agent.md | 11 ++++++----- content/nginx-one/changelog.md | 7 +++++++ content/nginx-one/getting-started.md | 9 +++++---- content/solutions/about-subscription-licenses.md | 9 +++++---- ...r33-pre-release-guidance-for-automatic-upgrades.md | 9 +++++---- 5 files changed, 28 insertions(+), 17 deletions(-) diff --git a/content/includes/nginx-one/how-to/install-nginx-agent.md b/content/includes/nginx-one/how-to/install-nginx-agent.md index 71f026612..3463861af 100644 --- a/content/includes/nginx-one/how-to/install-nginx-agent.md +++ b/content/includes/nginx-one/how-to/install-nginx-agent.md @@ -8,13 +8,14 @@ files: After entering your data plane key, you'll see a `curl` command to install NGINX Agent, similar to the one below. Copy and run this command on each NGINX instance. Once installed, NGINX Agent typically registers with NGINX One within a few seconds. {{}} - Ensure that any firewall rules you have in place for your NGINX hosts allows network traffic to port `443` for all of the following IPs: + Make sure your firewall rules for NGINX hosts allow traffic to port `443` from these IP address ranges: -- `3.135.72.139` -- `3.133.232.50` -- `52.14.85.249` +- `3.135.72.139/32` +- `3.133.232.50/32` +- `52.14.85.249/32` +- `2600:1f16:19c8:d400::/62` -NGINX Agent must be able to establish a connection to NGINX One Console's Agent endpoint (`agent.connect.nginx.com`). +NGINX Agent must be able to establish a connection to NGINX One Console's Agent endpoint (`agent.connect.nginx.com`). {{}} To install NGINX Agent on an NGINX instance: 
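Review bot: The rewritten callout in install-nginx-agent.md says to allow traffic to port `443` "from these IP address ranges", but the connection is initiated by NGINX Agent towards `agent.connect.nginx.com`, so the rule that matters is an outbound allow to port 443 on destinations in these ranges; as written it reads like an inbound allow-list, which is a different (and unnecessary) opening. Suggest "Make sure your firewall rules for NGINX hosts allow outbound traffic to port `443` on these IP address ranges:". The same paragraph is repeated in getting-started.md later in this patch with the older "for all of the following IP address ranges" wording (and the "rules ... allows" agreement error), so the two copies should be aligned, ideally by having getting-started.md pull this include instead of carrying its own copy. The `-`/`+` pair on the "NGINX Agent must be able to establish a connection" line is identical in content, so it is presumably a trailing-whitespace change; fine, but worth a word in the commit message so reviewers do not hunt for a textual difference.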
diff --git a/content/nginx-one/changelog.md b/content/nginx-one/changelog.md index e66dd29f8..78d1cbb51 100644 --- a/content/nginx-one/changelog.md +++ b/content/nginx-one/changelog.md @@ -30,6 +30,13 @@ h2 { Stay up-to-date with what's new and improved in the F5 NGINX One Console. +## September 16, 2025 + +### IPv6 endpoints for NGINX Agent and NGINX Plus usage reporting + +Your instances which run in dual-stack or IPv6-only environments can now communicate with NGINX One Console APIs through IPv6 addresses. +See the [Getting Started Guide]({{< ref "/nginx-one/getting-started.md#install-nginx-agent" >}}) for the IP address ranges you need to allow in your firewalls. + ## July 15, 2025 ### Set up F5 NGINX App Protect WAF security policies diff --git a/content/nginx-one/getting-started.md b/content/nginx-one/getting-started.md index c5f0cf60e..e21753600 100644 --- a/content/nginx-one/getting-started.md +++ b/content/nginx-one/getting-started.md 
@@ -126,11 +126,12 @@ Depending on whether this is your first time using NGINX One Console or you've u After entering your data plane key, you'll see a `curl` command similar to the one below. Copy and run this command on each NGINX instance to install NGINX Agent. Once installed, NGINX Agent typically registers with NGINX One within a few seconds. {{}} -NGINX Agent must be able to establish a connection to NGINX One Console's Agent endpoint (`agent.connect.nginx.com`). Ensure that any firewall rules you have in place for your NGINX hosts allows network traffic to port `443` for all of the following IPs: +NGINX Agent must be able to establish a connection to NGINX One Console's Agent endpoint (`agent.connect.nginx.com`). Ensure that any firewall rules you have in place for your NGINX hosts allows network traffic to port `443` for all of the following IP address ranges: -- `3.135.72.139` -- `3.133.232.50` -- `52.14.85.249` +- `3.135.72.139/32` +- `3.133.232.50/32` +- `52.14.85.249/32` +- `2600:1f16:19c8:d400::/62` {{}} To install NGINX Agent on an NGINX instance: diff --git a/content/solutions/about-subscription-licenses.md b/content/solutions/about-subscription-licenses.md index 8aba61588..2802112e3 100644 --- a/content/solutions/about-subscription-licenses.md +++ b/content/solutions/about-subscription-licenses.md 
@@ -100,11 +100,12 @@ To ensure NGINX Plus R33 or later can send usage reports, follow these steps bas ### For internet-connected environments -1. Allow outbound HTTPS traffic on TCP port `443` to communicate with F5's licensing endpoint (`product.connect.nginx.com`). Ensure that the following IP addresses are allowed: +1. Allow outbound HTTPS traffic on TCP port `443` to communicate with F5's licensing endpoint (`product.connect.nginx.com`). Ensure that the following IP address ranges are allowed: - - `3.135.72.139` - - `3.133.232.50` - - `52.14.85.249` + - `3.135.72.139/32` + - `3.133.232.50/32` + - `52.14.85.249/32` + - `2600:1f16:19c8:d400::/62` 2. (Optional, R34 and later) If your company enforces a strict outbound traffic policy, you can use an outbound proxy for establishing an end-to-end tunnel to the F5 licensing endpoint. On each NGINX Plus instance, update the [`proxy`](https://nginx.org/en/docs/ngx_mgmt_module.html#proxy) directive in the [`mgmt`](https://nginx.org/en/docs/ngx_mgmt_module.html) block of the NGINX configuration (`/etc/nginx/nginx.conf`) to point to the company's outbound proxy server: diff --git a/content/solutions/r33-pre-release-guidance-for-automatic-upgrades.md b/content/solutions/r33-pre-release-guidance-for-automatic-upgrades.md index 6d43d96bf..b3b09a6e7 100644 --- a/content/solutions/r33-pre-release-guidance-for-automatic-upgrades.md +++ b/content/solutions/r33-pre-release-guidance-for-automatic-upgrades.md 
@@ -73,11 +73,12 @@ To ensure NGINX Plus R33 can report telemetry data, follow these steps based on #### For internet-connected environments: 1. **Open port 443**: - Allow outbound HTTPS traffic on TCP port 443 to communicate with F5's licensing endpoint (`product.connect.nginx.com`). Ensure that the following IP addresses are allowed: + Allow outbound HTTPS traffic on TCP port 443 to communicate with F5's licensing endpoint (`product.connect.nginx.com`). Ensure that the following IP address ranges are allowed: - - `3.135.72.139` - - `3.133.232.50` - - `52.14.85.249` + - `3.135.72.139/32` + - `3.133.232.50/32` + - `52.14.85.249/32` + - `2600:1f16:19c8:d400::/62` #### For partially connected environments: From ffc517f397bcd4a9fbaf82020f3cc506052f328b Mon Sep 17 00:00:00 2001 From: kafeelhasan Date: Tue, 23 Sep 2025 16:01:40 +0530 Subject: [PATCH 02/58] Nlb 7008 update module changelog (#1151) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update NAP Docs This commit updates the NAP user facing documentation with the following change: Based on this issue: https://github.com/nginxinc/nalb-shared/issues/1695, updated the Configure App Protect WAF with the following text - The File path is not optional and is automatically generated in the portal, defaulting to the path “/etc/app_protect/conf/” plus the policy Name with a “.json” extension * Removed Extra Space * NLB-7008: Update Module Changelog Removed static content from Module Changelog Simplify API instructions and remove outdated module tables Enhanced readability and user experience for accessing module versions. * Add missing period * update module-changelog.md --- content/nginxaas-azure/module-changelog.md | 115 +++++---------------- 1 file changed, 28 insertions(+), 87 deletions(-) diff --git a/content/nginxaas-azure/module-changelog.md b/content/nginxaas-azure/module-changelog.md index 7bd572aab..76bc8c357 100644 --- a/content/nginxaas-azure/module-changelog.md
+++ b/content/nginxaas-azure/module-changelog.md 
@@ -7,47 +7,25 @@ url: /nginxaas/azure/module-changelog/ Learn about the modules supported by the latest versions of F5 NGINXaaS for Azure. -## September 18, 2025 - -### Preview - - {{}} - -| Name | Version | Description | -|------------------------------------------|--------------------------|------------------------------------------------------------------------| -| nginx-plus | 1.29.0 (nginx-plus-r35) | NGINX Plus, provided by Nginx, Inc. | -| nginx-agent | 1.20.16-2026591880 | NGINX Agent - Management for NGINXaaS | -| Operating System | Ubuntu 22.04.5 | Jammy Jellyfish, provided by Canonical Ltd. | -| nginx-plus-module-geoip2 | 35+3.4-1 | NGINX Plus 3rd-party GeoIP2 dynamic modules | -| nginx-plus-module-headers-more | 35+0.37-1 | NGINX Plus 3rd-party headers-more dynamic module | -| nginx-plus-module-image-filter | 35-1 | NGINX Plus image filter dynamic module | -| nginx-plus-module-lua | 35+0.10.28-1 | NGINX Plus 3rd-party Lua dynamic modules | -| nginx-plus-module-ndk | 35+0.3.3-1 | NGINX Plus 3rd-party NDK dynamic module | -| nginx-plus-module-njs | 35+0.9.1-1 | NGINX Plus njs dynamic modules | -| nginx-plus-module-otel | 35+0.1.2-1 | NGINX Plus OpenTelemetry dynamic module | -| nginx-plus-module-xslt | 35-1 | NGINX Plus xslt dynamic module | -| nginx-plus-module-appprotect | 35+5.498.0-1 | NGINX Plus app protect dynamic module version 5.498.0 | -| app-protect-module-plus | 35+5.498.0-1 | App-Protect package for Nginx Plus, includes all of the default files and examples. NGINX App Protect provides web application firewall (WAF) security protection for your web applications, including OWASP Top 10 attacks. 
| -| app-protect-plugin | 6.20.0-1 | NGINX App Protect plugin | -{{}} - ## Access module versions using data plane API: -To access available module versions from the data plane API, follow these steps: -- View Your API Endpoints and Create an API Key - - Follow the [NGINXaaS data plane API endpoint]({{< ref "/nginxaas-azure/loadbalancer-kubernetes.md#nginxaas-data-plane-api-endpoint" >}}) and [Create an NGINXaaS data plane API key]({{< ref "/nginxaas-azure/loadbalancer-kubernetes.md#create-an-nginxaas-data-plane-api-key" >}}) to locate your dataplane API endpoint and create an API key. +To view the version of the NGINX Plus modules that are part of your deployment, follow these steps: +- Retrieve your [data plane API endpoint]({{< ref "/nginxaas-azure/loadbalancer-kubernetes.md#nginxaas-data-plane-api-endpoint" >}}). -- Construct the Request URL - - Add `/packages` to your data plane API endpoint, for example `https:///packages`. +- Create an [API key]({{< ref "/nginxaas-azure/loadbalancer-kubernetes.md#create-an-nginxaas-data-plane-api-key" >}}) if you do not already have one. -- Authenticate API requests - - Encode your API key to Base64 and add the prefix `ApiKey` to the encoded string. - - Set the `Authorization` HTTP header to: - `ApiKey ` +- Construct the package request URL. + - Add **/packages** to your data plane API endpoint. + - For example: `https://my-deployment-b7e43dfb7e26.eastus.nginxaas.net/packages` +- Authenticate the API requests using the **Authorization** HTTP header. + - Encode your API key to **base64** and add the prefix **ApiKey** to the encoded string. + - For example: + - Authorization: ApiKey ZjkzY2ZlYWItZjAxNS01MDAwLTgyM2UtNjBmNjY5ZTUwOWF2 +Request Example: ```shell - curl -H "Authorization: ApiKey " https:///packages + curl -H "Authorization: ApiKey " https:///packages ``` Response Example: 
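Review bot: The new authentication example on the `+` lines (`Authorization: ApiKey ZjkzY2ZlYWItZjAxNS01MDAwLTgyM2UtNjBmNjY5ZTUwOWF2`) shows a realistic-looking key value; even if it is made up, readers copy these and secret scanners will flag it, so use an obvious placeholder such as `ApiKey <base64-encoded-api-key>`, and add that base64 is an encoding, not a protection, so the key has to be handled as a secret (keep it out of docs, repos and shell history). In the `curl` request example both the `-` and `+` lines show empty placeholders (`ApiKey ` and `https:///packages`), so that change is whitespace-only; either put explicit placeholders like `<base64-encoded-api-key>` and `<data-plane-endpoint>` in the `+` line or drop the no-op edit. Minor: `/packages`, `base64` and `ApiKey` are set in bold while the other literals use backticks; pick one style. In the second hunk, the trimmed response example now pins R33-era versions (`33-4~jammy`, `1.20.15-2010533110`, ...) in a page whose stated purpose is to stop carrying static version tables; label the block as illustrative output, or replace the `version` values with placeholders, so it does not go stale the same way.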
@@ -55,63 +33,26 @@ Response Example: { "packages": [ { - "name": "nginx-plus-module-headers-more", - "version":"35+0.37-1~jammy" + "name": "nginx-plus", + "version": "33-4~jammy" + }, + { + "name": "nginx-agent", + "version": "1.20.15-2010533110" + }, + { + "name": "nginx-plus-module-appprotect", + "version": "33+5.264.0-1~jammy" + }, + { + "name": "nginx-plus-module-ndk", + "version": "33+0.3.3-1~jammy" }, { - "name": "nginx-plus-module-otel", - "version": "35+0.1.2-1~jammy" + "name": "nginx-plus-module-njs", + "version": "33+0.8.9-1~jammy" }, ... ] } ``` - - -## July 03, 2025 - -### Stable - - {{< table >}} - -| Name | Version | Description | -|------------------------------------------|--------------------------|------------------------------------------------------------------------| -| nginx-plus | 1.27.2 (nginx-plus-r33-p2) | NGINX Plus, provided by Nginx, Inc. | -| nginx-agent | 1.19.15-1795423089 | NGINX Agent - Management for NGINXaaS | -| Operating System | Ubuntu 22.04.5 | Jammy Jellyfish, provided by Canonical Ltd. | -| nginx-plus-module-geoip2 | 33+3.4-1 | NGINX Plus 3rd-party GeoIP2 dynamic modules | -| nginx-plus-module-headers-more | 33+0.37-1 | NGINX Plus 3rd-party headers-more dynamic module | -| nginx-plus-module-image-filter | 33-1 | NGINX Plus image filter dynamic module | -| nginx-plus-module-lua | 33+0.10.27-1 | NGINX Plus 3rd-party Lua dynamic modules | -| nginx-plus-module-ndk | 33+0.3.3-1 | NGINX Plus 3rd-party NDK dynamic module | -| nginx-plus-module-njs | 33+0.8.9-1 | NGINX Plus njs dynamic modules | -| nginx-plus-module-otel | 33+0.1.0-1 | NGINX Plus OpenTelemetry dynamic module | -| nginx-plus-module-xslt | 33-1 | NGINX Plus xslt dynamic module | -| nginx-plus-module-appprotect | 33+5.264.0-1 | NGINX Plus app protect dynamic module version 5.264.0 | -| app-protect-module-plus | 33+5.264.0-1 | App-Protect package for Nginx Plus, includes all of the default files and examples. 
NGINX App Protect provides web application firewall (WAF) security protection for your web applications, including OWASP Top 10 attacks. | -| app-protect-plugin | 6.9.0-1 | NGINX App Protect plugin | -{{< /table >}} - - - -### Preview - - {{< table >}} - -| Name | Version | Description | -|------------------------------------------|--------------------------|------------------------------------------------------------------------| -| nginx-plus | 1.27.2 (nginx-plus-r33-p2) | NGINX Plus, provided by Nginx, Inc. | -| nginx-agent | 1.19.15-1795423089 | NGINX Agent - Management for NGINXaaS | -| Operating System | Ubuntu 22.04.5 | Jammy Jellyfish, provided by Canonical Ltd. | -| nginx-plus-module-geoip2 | 33+3.4-1 | NGINX Plus 3rd-party GeoIP2 dynamic modules | -| nginx-plus-module-headers-more | 33+0.37-1 | NGINX Plus 3rd-party headers-more dynamic module | -| nginx-plus-module-image-filter | 33-1 | NGINX Plus image filter dynamic module | -| nginx-plus-module-lua | 33+0.10.27-1 | NGINX Plus 3rd-party Lua dynamic modules | -| nginx-plus-module-ndk | 33+0.3.3-1 | NGINX Plus 3rd-party NDK dynamic module | -| nginx-plus-module-njs | 33+0.8.9-1 | NGINX Plus njs dynamic modules | -| nginx-plus-module-otel | 33+0.1.0-1 | NGINX Plus OpenTelemetry dynamic module | -| nginx-plus-module-xslt | 33-1 | NGINX Plus xslt dynamic module | -| nginx-plus-module-appprotect | 33+5.264.0-1 | NGINX Plus app protect dynamic module version 5.264.0 | -| app-protect-module-plus | 33+5.264.0-1 | App-Protect package for Nginx Plus, includes all of the default files and examples. NGINX App Protect provides web application firewall (WAF) security protection for your web applications, including OWASP Top 10 attacks. | -| app-protect-plugin | 6.9.0-1 | NGINX App Protect plugin | -{{< /table >}} From b5839699e0aa55bbde30a3a5a84ae116670fc90f Mon Sep 17 00:00:00 2001 
From: Daniel Edgar Date: Tue, 23 Sep 2025 12:06:07 -0400 Subject: [PATCH 03/58] Fix: markdown formatting issues on annotations table #1156 (#1157) * Fix: markdown formatting issues on annotations table #1156 Fixes #1156 * Fix typo in annotation description for redirect-to-https --- ...advanced-configuration-with-annotations.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index f378fdddf..8b9d313e1 100644 --- a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md 
@@ -120,10 +120,10 @@ The table below summarizes the available annotations. {{< table >}} |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | -| *nginx.org/proxy-hide-headers* | *proxy-hide-headers* | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: ``"nginx.org/proxy-hide-headers": "header-a,header-b"* | N/A | | -| *nginx.org/proxy-pass-headers* | *proxy-pass-headers* | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: ``"nginx.org/proxy-pass-headers": "header-a,header-b"* | N/A | | +| *nginx.org/proxy-hide-headers* | *proxy-hide-headers* | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: `"nginx.org/proxy-hide-headers": "header-a,header-b"` | N/A | | +| *nginx.org/proxy-pass-headers* | *proxy-pass-headers* | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: `"nginx.org/proxy-pass-headers": "header-a,header-b"` | N/A | | | *nginx.org/rewrites* | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [rewrites](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/rewrites) | -|*nginx.org/proxy-set-headers* | N/A | Enables customization of proxy headers and values using the [proxy_set_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) directive. Example: ``"nginx.org/proxy-set-headers": "header-a: valueA,header-b: valueB,header-c: valueC"`` | N/A | [Proxy Set Headers](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/proxy-set-headers). 
| +|*nginx.org/proxy-set-headers* | N/A | Enables customization of proxy headers and values using the [proxy_set_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) directive. Example: `"nginx.org/proxy-set-headers": "header-a: valueA,header-b: valueB,header-c: valueC"` | N/A | [Proxy Set Headers](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/proxy-set-headers). | {{< /table >}} ### Auth and SSL/TLS 
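Review bot: The touched `+` line for `nginx.org/proxy-set-headers` still ends its Example cell with a stray period after the link (`.../proxy-set-headers). |`), while the neighbouring rows have none; drop it while the line is being edited. The fix itself looks right: the mixed ``...* delimiters on the proxy-hide-headers, proxy-pass-headers and proxy-set-headers rows are replaced by matched backticks. Since the `-` lines show the same broken pattern recurring through the file, a markdownlint run in CI would catch unbalanced inline code before it reaches the rendered table.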
@@ -131,17 +131,17 @@ The table below summarizes the available annotations. {{< table >}} |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | -| *nginx.org/redirect-to-https* | *redirect-to-https* | Sets the 301 redirect rule based on the value of the ``http_x_forwarded_proto* header on the server block to force incoming traffic to be over HTTPS. Useful when terminating SSL in a load balancer in front of NGINX Ingress Controller — see [115](https://github.com/nginx/kubernetes-ingress/issues/115) | *False* | | +| *nginx.org/redirect-to-https* | *redirect-to-https* | Sets the 301 redirect rule based on the value of the `http_x_forwarded_proto` header on the server block to force incoming traffic to be over HTTPS. Useful when terminating SSL in a load balancer in front of NGINX Ingress Controller — see [115](https://github.com/nginx/kubernetes-ingress/issues/115) | *False* | | | *ingress.kubernetes.io/ssl-redirect* | *ssl-redirect* | Sets an unconditional 301 redirect rule for all incoming HTTP traffic to force incoming traffic over HTTPS. | *True* | | -| *nginx.org/hsts* | *hsts* | Enables [HTTP Strict Transport Security (HSTS)](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/)\ : the HSTS header is added to the responses from backends. The ``preload* directive is included in the header. | *False* | | -| *nginx.org/hsts-max-age* | *hsts-max-age* | Sets the value of the ``max-age* directive of the HSTS header. | *2592000* (1 month) | | -| *nginx.org/hsts-include-subdomains* | *hsts-include-subdomains* | Adds the ``includeSubDomains* directive to the HSTS header. | *False* | | -| *nginx.org/hsts-behind-proxy* | *hsts-behind-proxy* | Enables HSTS based on the value of the ``http_x_forwarded_proto* request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of NGINX Ingress Controller. 
Note: to control redirection from HTTP to HTTPS configure the ``nginx.org/redirect-to-https* annotation. | *False* | | +| *nginx.org/hsts* | *hsts* | Enables [HTTP Strict Transport Security (HSTS)](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/)\ : the HSTS header is added to the responses from backends. The `preload` directive is included in the header. | *False* | | +| *nginx.org/hsts-max-age* | *hsts-max-age* | Sets the value of the `max-age` directive of the HSTS header. | *2592000* (1 month) | | +| *nginx.org/hsts-include-subdomains* | *hsts-include-subdomains* | Adds the `includeSubDomains` directive to the HSTS header. | *False* | | +| *nginx.org/hsts-behind-proxy* | *hsts-behind-proxy* | Enables HSTS based on the value of the `http_x_forwarded_proto` request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of NGINX Ingress Controller. Note: to control redirection from HTTP to HTTPS configure the `nginx.org/redirect-to-https` annotation. | *False* | | | *nginx.org/basic-auth-secret* | N/A | Specifies a Secret resource with a user list for HTTP Basic authentication. | N/A | | | *nginx.org/basic-auth-realm* | N/A | Specifies a realm. | N/A | | | *nginx.com/jwt-key* | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-realm* | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | -| *nginx.com/jwt-token* | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization* header as a Bearer Token. 
| [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | +| *nginx.com/jwt-token* | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the `Authorization` header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-login-url* | N/A | Specifies a URL to which a client is redirected in case of an invalid or missing JWT. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | {{< /table >}} 
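Review bot: The `+` line for `nginx.org/hsts` keeps the stray `\ :` after the HSTS link (`...hsts-and-nginx/)\ : the HSTS header...`), which renders as a backslash before the colon; it looks like a leftover from an earlier markup conversion and should go while this row is being rewritten. The remaining backtick fixes on the redirect-to-https, hsts-max-age, hsts-include-subdomains, hsts-behind-proxy and jwt-token rows are correct.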
@@ -157,21 +157,21 @@ The table below summarizes the available annotations. {{< table >}} |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | -| *nginx.org/lb-method* | *lb-method* | Sets the [load balancing method]({{< ref "/nginx/admin-guide/load-balancer/http-load-balancer.md#choosing-a-load-balancing-method" >}}). To use the round-robin method, specify ``"round_robin"``. | *"random two least_conn"* | | +| *nginx.org/lb-method* | *lb-method* | Sets the [load balancing method]({{< ref "/nginx/admin-guide/load-balancer/http-load-balancer.md#choosing-a-load-balancing-method" >}}). To use the round-robin method, specify `"round_robin"`. | `"random two least_conn"` | | | *nginx.org/ssl-services* | N/A | Enables HTTPS or gRPC over SSL when connecting to the endpoints of services. | N/A | [ssl-services](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/ssl-services) | -| *nginx.org/grpc-services* | N/A | Enables gRPC for services. Note: requires HTTP/2 (see ``http2* ConfigMap key); only works for Ingresses with TLS termination enabled. | N/A | [grpc-services](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/grpc-services) | +| *nginx.org/grpc-services* | N/A | Enables gRPC for services. Note: requires HTTP/2 (see `http2` ConfigMap key); only works for Ingresses with TLS termination enabled. | N/A | [grpc-services](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/grpc-services) | | *nginx.org/websocket-services* | N/A | Enables WebSocket for services. | N/A | [websocket](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/websocket) | -| *nginx.org/max-fails* | *max-fails* | Sets the value of the [max_fails](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) parameter of the ``server* directive. 
| *1* | | -| *nginx.org/max-conns* | N\A | Sets the value of the [max_conns](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_conns) parameter of the ``server* directive. | *0* | | +| *nginx.org/max-fails* | *max-fails* | Sets the value of the [max_fails](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) parameter of the `server` directive. | *1* | | +| *nginx.org/max-conns* | N\A | Sets the value of the [max_conns](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_conns) parameter of the `server` directive. | *0* | | | *nginx.org/upstream-zone-size* | *upstream-zone-size* | Sets the size of the shared memory [zone](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone) for upstreams. For NGINX, the special value 0 disables the shared memory zones. For NGINX Plus, shared memory zones are required and cannot be disabled. The special value 0 will be ignored. | *256K* | | -| *nginx.org/fail-timeout* | *fail-timeout* | Sets the value of the [fail_timeout](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout) parameter of the ``server* directive. | *10s* | | +| *nginx.org/fail-timeout* | *fail-timeout* | Sets the value of the [fail_timeout](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout) parameter of the `server` directive. | *10s* | | | *nginx.com/sticky-cookie-services* | N/A | Configures session persistence. | N/A | [session-persistence](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/session-persistence) | -| *nginx.org/keepalive* | *keepalive* | Sets the value of the [keepalive](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) directive. Note that ``proxy_set_header Connection "";* is added to the generated configuration when the value > 0. 
| *0* | | +| *nginx.org/keepalive* | *keepalive* | Sets the value of the [keepalive](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) directive. Note that `proxy_set_header Connection "";` is added to the generated configuration when the value > 0. | *0* | | | *nginx.com/health-checks* | N/A | Enables active health checks. | *False* | [health-checks](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/health-checks) | | *nginx.com/health-checks-mandatory* | N/A | Configures active health checks as mandatory. | *False* | [health-checks](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/health-checks) | | *nginx.com/health-checks-mandatory-queue* | N/A | When active health checks are mandatory, creates a queue where incoming requests are temporarily stored while NGINX Plus is checking the health of the endpoints after a configuration reload. | *0* | [health-checks](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/health-checks) | | *nginx.com/slow-start* | N/A | Sets the upstream server [slow-start period]({{< ref "/nginx/admin-guide/load-balancer/http-load-balancer.md#server-slow-start" >}}). By default, slow-start is activated after a server becomes [available]({{< ref "/nginx/admin-guide/load-balancer/http-health-check.md#passive-health-checks" >}}) or [healthy]({{< ref "/nginx/admin-guide/load-balancer/http-health-check.md#active-health-checks" >}}). To enable slow-start for newly-added servers, configure [mandatory active health checks](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/health-checks). | *"0s"* | | -| *nginx.org/use-cluster-ip* | N/A | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. 
When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like ``lb-method* and ``next-upstream``) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | *False* | | +| *nginx.org/use-cluster-ip* | N/A | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like `lb-method` and `next-upstream`) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | *False* | | {{< /table >}} ### Rate limiting 
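Review bot: The `+` line for `nginx.org/max-conns` still has `N\A` (backslash) in the ConfigMap Key column where every other row uses `N/A`; fix it in this pass since the line is already being changed. The default for `nginx.org/lb-method` is switched from italics to backticks (`"random two least_conn"`), which is the right call for a literal value, but `nginx.com/slow-start` on the same table keeps `*"0s"*`; make the two consistent.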
@@ -205,10 +205,10 @@ The table below summarizes the available annotations. {{< table >}} |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | -| *appprotect.f5.com/app-protect-policy* | N/A | The name of the App Protect Policy for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but ``appprotect.f5.com/app-protect-enable* is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | +| *appprotect.f5.com/app-protect-policy* | N/A | The name of the App Protect Policy for the Ingress Resource. Format is `namespace/name`. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but `appprotect.f5.com/app-protect-enable` is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | | *appprotect.f5.com/app-protect-enable* | N/A | Enable App Protect for the Ingress Resource. | *False* | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | | *appprotect.f5.com/app-protect-security-log-enable* | N/A | Enable the [security log](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) for App Protect. 
| *False* | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | -| *appprotect.f5.com/app-protect-security-log* | N/A | The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the default is used which is: filter: ``illegal``, format: ``default``. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. | N/A | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | +| *appprotect.f5.com/app-protect-security-log* | N/A | The App Protect log configuration for the Ingress Resource. Format is `namespace/name`. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the default is used which is: filter: `illegal`, format: `default`. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. | N/A | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | | *appprotect.f5.com/app-protect-security-log-destination* | N/A | The destination of the security log. For more information check the [DESTINATION argument](/nginx-app-protect/troubleshooting/#app-protect-logging-overview). Multiple destinations can be specified in a comma-separated list. Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices. 
| *syslog:server=localhost:514* | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | {{< /table >}} From 0a4732b02412eb1fe828a893ec9435c359ec7308 Mon Sep 17 00:00:00 2001 From: kafeelhasan Date: Wed, 24 Sep 2025 00:12:57 +0530 Subject: [PATCH 04/58] docs: add new n4azure health panel docs: add new n4azure health panel --- content/nginxaas-azure/disaster-recovery.md | 2 +- content/nginxaas-azure/service-status.md | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 content/nginxaas-azure/service-status.md diff --git a/content/nginxaas-azure/disaster-recovery.md b/content/nginxaas-azure/disaster-recovery.md index eb378a3b2..afa5d8927 100644 --- a/content/nginxaas-azure/disaster-recovery.md +++ b/content/nginxaas-azure/disaster-recovery.md @@ -1,6 +1,6 @@ --- title: Disaster recovery -weight: 750 +weight: 650 toc: true url: /nginxaas/azure/disaster-recovery/ type: diff --git a/content/nginxaas-azure/service-status.md b/content/nginxaas-azure/service-status.md new file mode 100644 index 000000000..7f7cba6f2 --- /dev/null +++ b/content/nginxaas-azure/service-status.md @@ -0,0 +1,12 @@ +--- +title: Service status +weight: 710 +toc: true +url: /nginxaas/azure/service-status/ +type: +- how-to +--- + +You can monitor the health status of the F5 NGINXaaS service at the [F5 Cloud Status page](https://www.f5cloudstatus.com/history?filter=88pmy2nlbd01). The status page provides information related to service degradation and unscheduled downtime. When appropriate, we provide mitigations to minimize the impact to your deployments. + +You may also subscribe to receive emails, webhooks, and RSS feeds when an incident related to NGINXaaS is created, updated, or resolved. \ No newline at end of file From 1e0d279927888ea052b345fd24b5df44a8ea5233 Mon Sep 17 00:00:00 2001 
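Review bot: the corrected `app-protect-policy` row still carries the typo "a default policy id applied" (it is present in both the removed and the added line); since the row is being rewritten anyway, change it to "a default policy is applied". The backtick fix itself is right: the old row opened with ``appprotect.f5.com/app-protect-enable and closed with an asterisk, which broke the inline code span and the table cell with it.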
From: AlexFenlon Date: Wed, 24 Sep 2025 10:26:30 +0100 Subject: [PATCH 05/58] Update OpenTelemetry wording on NIC 5.1.0 release notes (#1162) Co-authored-by: Alan Dooley --- content/nic/releases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nic/releases.md b/content/nic/releases.md index 794b2868b..c57e73d39 100644 --- a/content/nic/releases.md +++ b/content/nic/releases.md @@ -74,7 +74,7 @@ This NGINX Ingress Controller release brings initial connectivity to the NGINX O This release also includes the ability to configure Rate Limiting for your APIs based on a specific NGINX variable and its value. This allows you more granular control over how frequently specific users access your resources. -Lastly, in our previous v5.0.0 release, we removed support for OpenTracing. This release replaces that observability capability with native [NGINX OpenTelemetry]({{< ref "/nic/logging-and-monitoring/opentelemetry.md" >}}) traces, allowing you to monitor the internal traffic of your applications. +Lastly, in our previous v5.0.0 release, we removed support for OpenTracing. This release replaces that observability capability with native [NGINX OpenTelemetry]({{< ref "/nic/logging-and-monitoring/opentelemetry.md" >}}) traces, allowing you to monitor the traffic of your applications. ### Features - [7642](https://github.com/nginx/kubernetes-ingress/pull/7642) Add [OpenTelemetry support]({{< ref "/nic/logging-and-monitoring/opentelemetry.md" >}}) From cce2ea05c421c31bab93943ed51449712bcb7919 Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Wed, 24 Sep 2025 11:26:36 +0100 Subject: [PATCH 06/58] docs: re-add agent config doc (#1161) --- .../configure-nginx-agent-features.md | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 content/agent/configuration/configure-nginx-agent-features.md 
diff --git a/content/agent/configuration/configure-nginx-agent-features.md b/content/agent/configuration/configure-nginx-agent-features.md new file mode 100644 index 000000000..6cf6068ca --- /dev/null +++ b/content/agent/configuration/configure-nginx-agent-features.md 
@@ -0,0 +1,88 @@ +--- +title: Features configuration +weight: 150 +toc: true +nd-docs: DOCS-000 +nd-content-type: how-to +--- + +## Overview + +This guide describes the F5 NGINX Agent features, and how to enable and disable features using the NGINX Agent configuration file. + +## Before you begin + +Before you start, make sure that you have: + +- [NGINX Agent installed]({{< ref "/agent/installation-upgrade/" >}}) in your system. +- Access to the NGINX Agent configuration file. + +## Features + +The following table lists the NGINX Agent features: + +{{< table "features" >}} +| Feature Name | Description | Default/Non-default | +| ---------------- | ----------------------------------------------------------------------- | ------------------- | +| registration | Registering the NGINX Agent with the management plane. | Default | +| nginx-config-async | Enable the publishing and uploading of NGINX configurations from the management plane. | Default | +| metrics | Enable collecting of NGINX metrics. | Default | +| metrics-throttle | Batch metrics before sending. | Non-default | +| metrics-sender | Reports metrics over the gRPC connection. | Non-default | +| dataplane-status | Report the health of the NGINX Instance. | Default | +| process-watcher | Observe changes to the NGINX process. | Default | +| file-watcher | Observe changes to the NGINX configuration or any changes to files on disk. | Default | +| activity-events | Send NGINX or NGINX Agent related events to the management plane. | Default | +| agent-api | Enable the NGINX Agent REST API. | Default | +{{< /table >}} + +## Use cases + +### Enable metrics only + +1. Access the NGINX instance: Connect using SSH to the VM or server where NGINX Agent is running. + + `ssh user@your-nginx-instance` + +1. Open the NGINX Agent configuration file in a text editor. + + `sudo vim /etc/nginx-agent/nginx-agent.conf` + +1. 
Add the features section: Add the following to the end of the configuration file if it doesn't already exist. + + ```nginx + features: + - metrics + - metrics-throttle + - dataplane-status + ``` + +1. Restart the NGINX Agent service to apply the changes. + + `sudo systemctl restart nginx-agent` + +Once the steps have been completed, users will be able to view metrics data being sent but will not have the capability to push NGINX configuration changes. + +### Enable the publishing of NGINX configurations and disable the collection of metrics + +1. Access the NGINX instance: Connect using SSH to the VM or server where NGINX Agent is running. + + `ssh user@your-nginx-instance` + +1. Open the NGINX Agent configuration file in a text editor. + + `sudo vim /etc/nginx-agent/nginx-agent.conf` + +1. Add the fetures section: Add the following to the end of the configuration file if it doesn't already exist. + + ```nginx + features: + - nginx-config-async + - dataplane-status + - file-watcher + +1. Restart the NGINX Agent service to apply the changes. + + `sudo systemctl restart nginx-agent` + +Once the steps have been completed, users will be able to publish NGINX configurations but metrics data will not be collected by the NGINX Agent. From 2f25dc87ea8189ecd835ed6f55ad3c6070a28583 Mon Sep 17 00:00:00 2001 From: AlexFenlon Date: Wed, 24 Sep 2025 15:03:36 +0100 Subject: [PATCH 07/58] fix: Update NIC NAP Helm guide to latest versions (#1166) * fix: Update NIC NAP Helm guide to latest versions * Apply suggestions from code review Co-authored-by: Alan Dooley --------- Co-authored-by: Alan Dooley --- .../installing-nic/deploy-with-nap-using-helm.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/content/nic/installation/installing-nic/deploy-with-nap-using-helm.md b/content/nic/installation/installing-nic/deploy-with-nap-using-helm.md index 054b4e887..0f395b363 100644 --- a/content/nic/installation/installing-nic/deploy-with-nap-using-helm.md 
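Review bot: in the second use case the YAML block is never closed: after `+    - file-watcher` the next added lines are `+` and `+1. Restart the NGINX Agent service to apply the changes.`, so the restart step and the closing paragraph render inside the code block; add the closing fence as the first use case does. Smaller points in the same hunk: "Add the fetures section" should read "features"; both blocks are tagged `nginx` although their content is a YAML `features:` list, so `yaml` is the right tag; `nd-docs: DOCS-000` in the front matter looks like a placeholder that needs a real ID before merge; and the table describes `metrics-sender` as the feature that "Reports metrics over the gRPC connection", yet the metrics-only example enables just `metrics`, `metrics-throttle` and `dataplane-status` while the closing sentence promises metrics "being sent", so either the example list or the table description needs checking.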
+++ b/content/nic/installation/installing-nic/deploy-with-nap-using-helm.md @@ -35,12 +35,16 @@ This is accomplished with the following steps: --- +## Check compatibility between NGINX Ingress Controller and F5 WAF for NGINX versions + +{{< include "nic/compatibility-tables/nic-nap.md" >}} + ## Compile WAF Policy from JSON to Bundle Pull the `waf-compiler` image with: ```shell -docker pull private-registry.nginx.com/nap/waf-compiler:5.6.0 +docker pull private-registry.nginx.com/nap/waf-compiler:5.8.0 ``` Download the [provided WAF Policy JSON](https://raw.githubusercontent.com/nginx/kubernetes-ingress/main/tests/data/ap-waf-v5/wafv5.json): @@ -49,13 +53,13 @@ Download the [provided WAF Policy JSON](https://raw.githubusercontent.com/nginx/ curl -L https://raw.githubusercontent.com/nginx/kubernetes-ingress/main/tests/data/ap-waf-v5/wafv5.json -o /tmp/wafv5.json ``` -Use your pulled NAP Docker image (`private-registry.nginx.com/nap/waf-compiler:5.6.0`) to compile the policy bundle: +Use your pulled NAP Docker image (`private-registry.nginx.com/nap/waf-compiler:5.8.0`) to compile the policy bundle: ```shell # Using your newly created image docker run --rm \ -v /tmp:/tmp \ - private-registry.nginx.com/nap/waf-compiler:5.6.0 \ + private-registry.nginx.com/nap/waf-compiler:5.8.0 \ -p /tmp/wafv5.json \ -o /tmp/compiled_policy.tgz ``` @@ -157,7 +161,7 @@ kubectl create secret \ Install the required CRDs for NGINX Ingress Controller: ```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v5.0.0/deploy/crds.yaml +kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds.yaml ``` Using Helm, install NGINX Ingress Controller 
@@ -165,7 +169,7 @@ Using Helm, install NGINX Ingress Controller ```shell helm upgrade --install nic nginx-stable/nginx-ingress \ --set controller.image.repository="private-registry.nginx.com/nginx-ic-nap-v5/nginx-plus-ingress" \ - --set controller.image.tag="5.0.0-alpine-fips" \ + --set controller.image.tag="{{< nic-version >}}-alpine-fips" \ --set controller.nginxplus=true \ --set controller.appprotect.enable=true \ --set controller.appprotect.v5=true \ From 568ddf687f8840255e7cc0902002a09a8a26e260 Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Thu, 25 Sep 2025 12:53:08 +0100 Subject: [PATCH 08/58] feat: Hide PLM in NAP-WAF folder (#1170) --- content/nap-waf/v5/admin-guide/overview.md | 8 -------- .../nap-waf/v5/admin-guide/policy-lifecycle-management.md | 1 + content/nap-waf/v5/configuration-guide/configuration.md | 1 - 3 files changed, 1 insertion(+), 9 deletions(-) diff --git a/content/nap-waf/v5/admin-guide/overview.md b/content/nap-waf/v5/admin-guide/overview.md index 71e040735..563b1e637 100644 --- a/content/nap-waf/v5/admin-guide/overview.md +++ b/content/nap-waf/v5/admin-guide/overview.md 
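Review bot: the @@ -157 and @@ -165 hunks switch the NGINX Ingress Controller version to the `{{< nic-version >}}` shortcode, but the @@ -35 and @@ -49 hunks hard-code the compiler tag `waf-compiler:5.8.0` in three places, so the next F5 WAF for NGINX release will need another manual edit of the same page; consider a matching shortcode or at least one variable for the compiler version. In the same compile block the unchanged comment `# Using your newly created image` is misleading, since the image is obtained with `docker pull`, not built.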
@@ -66,14 +66,6 @@ Use the [NGINX App Protect WAF Compiler]({{< ref "/nap-waf/v5/admin-guide/compil For signature updates, read the [Update App Protect Signatures]({{< ref "/nap-waf/v5/admin-guide/compiler.md#update-app-protect-signatures" >}}) section of the compiler documentation. -## Policy Lifecycle Management - -NGINX App Protect WAF v5 introduces Policy Lifecycle Management (PLM) as a comprehensive solution for automating the management, compilation, and deployment of security policies within Kubernetes environments. PLM extends the WAF compiler capabilities by providing a native Kubernetes operator-based approach to policy orchestration. - -The Policy Lifecycle Management system is architected around a **Policy Controller** that implements the Kubernetes operator pattern to manage the complete lifecycle of WAF security artifacts. The system addresses the fundamental challenge of policy distribution at scale by eliminating manual intervention points and providing a declarative configuration model through Custom Resource Definitions (CRDs) for policies, logging profiles, signatures, and user-defined signatures. - -For detailed information about PLM architecture, functional components, and deployment procedures, see [Policy Lifecycle Management Guide]({{< ref "/nap-waf/v5/admin-guide/policy-lifecycle-management.md" >}}). - --- ## Transitioning from NGINX App Protect WAF v4 to v5 diff --git a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md index d650bf4cc..04a8e44b9 100644 --- a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md +++ b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md @@ -2,6 +2,7 @@ title: Policy Lifecycle Management weight: 200 toc: true +draft: true type: how-to product: NAP-WAF --- diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index 552bd64dc..7b01bac9e 100644 
--- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md @@ -1048,7 +1048,6 @@ This table summarizes the nginx.conf directives for NGINX App Protect WAF functi |load_module | load_module | NGINX directive to load the App Protect module. It must be invoked with the App Protect library path | Global | load_module modules/ngx_http_app_protect_module.so | |app_protect_enforcer_address | : | The Enforcer service address. | HTTP | app_protect_enforcer_address 127.0.0.1:50000; | |app_protect_enable | app_protect_enable on | off | Whether to enable App Protect at the respective context. If not present, inherits from the parent context | HTTP, Server, Location | app_protect_enable on | -|app_protect_default_config_source | app_protect_default_config_source | Directive to specify custom resource for policy/logging profile bundles. Currently, only "custom-resource" is supported, and it enables Policy Lifecycle Management functionality. See [Policy Lifecycle Management]({{< ref "/nap-waf/v5/admin-guide/policy-lifecycle-management.md" >}}) for more details. | HTTP | app_protect_default_config_source "custom-resource" | |app_protect_policy_file | app_protect_policy_file | Set a App Protect policy configuring behavior for the respective context. | HTTP, Server, Location | app_protect_policy_file /config/waf/strict_policy.tgz | |app_protect_security_log_enable | app_protect_security_log_enable on | off | Whether to enable the App Protect per-request log at the respective context. | HTTP, Server, Location | app_protect_security_log_enable on | |app_protect_security_log | app_protect_security_log | Specifies the per-request logging: what to log and where | HTTP, Server, Location | app_protect_security_log /config/waf/log_illegal.tgz syslog:localhost:522 | From b185359339d771acb169514d5c777c5478d1dd4e Mon Sep 17 00:00:00 2001 
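Review bot: marking `policy-lifecycle-management.md` as `draft: true` while the overview and configuration pages drop their `{{< ref >}}` links to it is consistent, but grep the rest of the tree for remaining `ref`s to that path, because Hugo's default `refLinksErrorLevel` turns a reference to an unbuilt draft page into a build failure. Also, removing the `app_protect_default_config_source` row from the directive table leaves a reader who already has that directive in `nginx.conf` with no documentation for it; if the directive is still accepted by the module, keep a one-line row without the PLM link rather than deleting it.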
From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Thu, 25 Sep 2025 17:12:58 +0100 Subject: [PATCH 09/58] docs: Update rate limit policy conditions explanation (#1172) Clarified the conditions for rate limiting in policies, specifying that conditions are optional and detailing the behavior of default policies. --- content/nic/configuration/policy-resource.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/nic/configuration/policy-resource.md b/content/nic/configuration/policy-resource.md index d92a3894e..3a79ec019 100644 --- a/content/nic/configuration/policy-resource.md +++ b/content/nic/configuration/policy-resource.md 
@@ -180,10 +180,10 @@ condition: |``variables`` | defines a Variable condition to rate limit against. | [ratelimit.condition.variables](#ratelimitconditionvariables) | No | |``default`` | sets the rate limit in this policy to be the default if no conditions are met. In a group of policies with the same condition, only one policy can be the default. | ``bool`` | No | {{% /table %}} -{{< call-out "note" >}} - -One condition of type `jwt` or `variables` is required. Each Policy supports only one condition. +{{< call-out "note" >}} +Conditions (`jwt` or `variables`) are optional, but each policy can only have one. +If conditions are used, a request doesn't match any, and a `default` has been defined, the `default` policy applies. Otherwise, if no `default` is set, the request isn't rate limited. {{< /call-out >}} The rate limit policy with condition is designed to be used in combination with one or more rate limit policies. For example, multiple rate limit policies with [RateLimit.Condition.JWT](#ratelimitconditionjwt) can be used to apply different tiers of rate limit based on the value of a JWT claim. For a practical example of tiered rate limiting by the value of a JWT claim, see the example in our [GitHub repository](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/rate-limit-tiered-jwt-claim/README.md). From ae37c869330444f7448d331dde495a826da0a5d4 Mon Sep 17 00:00:00 2001 From: Saloni Choudhary <146118978+salonichf5@users.noreply.github.com> Date: Fri, 26 Sep 2025 01:52:36 +0530 Subject: [PATCH 10/58] NGF: Update release version 2.1.2 (#1173) Update release version to 2.1.2 --- layouts/shortcodes/version-ngf.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/layouts/shortcodes/version-ngf.html b/layouts/shortcodes/version-ngf.html index 7c3272873..8f9174b4d 100644 --- a/layouts/shortcodes/version-ngf.html +++ b/layouts/shortcodes/version-ngf.html 
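Review bot: the added note's second sentence is hard to parse: `+If conditions are used, a request doesn't match any, and a `default` has been defined, the `default` policy applies.` Suggest: "If conditions are used and a request matches none of them, the `default` policy applies when one is defined; otherwise the request is not rate limited." Since the removed text said one condition was required, confirm that the CRD validation for `rateLimit.condition` was relaxed in the same release, or this note will describe behaviour the admission check still rejects.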
@@ -1 +1 @@ -2.1.1 \ No newline at end of file +2.1.2 \ No newline at end of file From 8efe7181142f484beb49f9f9897067befabb2c76 Mon Sep 17 00:00:00 2001 From: Alex Russell <91080557+arussellf5@users.noreply.github.com> Date: Thu, 25 Sep 2025 15:19:53 -0600 Subject: [PATCH 11/58] NLB-6992 NGINXaaS for Azure connectivity tool (#1164) * Updated NGINXaaS Load Balancer for Kubernetes version to latest * NLB-6992 Added documentation for the NGINXaaS connectivity tool Added a get-help section and added the existing get-help doc to it as "support". Grouped the connectivity tool with it. --- content/nginxaas-azure/get-help/_index.md | 6 +++++ .../nginxaas-azure/get-help/connectivity.md | 26 +++++++++++++++++++ .../{get-help.md => get-help/support.md} | 6 ++--- .../nginxaas-azure/loadbalancer-kubernetes.md | 2 +- 4 files changed, 36 insertions(+), 4 deletions(-) create mode 100644 content/nginxaas-azure/get-help/_index.md create mode 100644 content/nginxaas-azure/get-help/connectivity.md rename content/nginxaas-azure/{get-help.md => get-help/support.md} (97%) diff --git a/content/nginxaas-azure/get-help/_index.md b/content/nginxaas-azure/get-help/_index.md new file mode 100644 index 000000000..9d16e2f3b --- /dev/null +++ b/content/nginxaas-azure/get-help/_index.md @@ -0,0 +1,6 @@ +--- +title: Get help +weight: 700 +draft: false +url: /nginxaas/azure/get-help/ +--- diff --git a/content/nginxaas-azure/get-help/connectivity.md b/content/nginxaas-azure/get-help/connectivity.md new file mode 100644 index 000000000..9ba00ec85 --- /dev/null +++ b/content/nginxaas-azure/get-help/connectivity.md 
@@ -0,0 +1,26 @@ +--- +title: Connectivity test tool +weight: 200 +toc: true +url: /nginxaas/azure/get-help/connectivity +type: +- how-to +--- + +Use the connectivity test tool to determine whether a specific IP address is accessible from your deployment's dataplane. The connectivity test tool accepts an IP address and a port number. It uses [`netcat`](https://nc110.sourceforge.io/) to open a TCP connection with the given address, without sending any data to the address. The tool returns `netcat`'s output to the user. This is useful for debugging connectivity issues and determining if a problem is in NGINX configuration or Azure network configuration. + +To use the tool: + +- Retrieve your [data plane API endpoint]({{< ref "/nginxaas-azure/loadbalancer-kubernetes.md#nginxaas-data-plane-api-endpoint" >}}). + +- Create an [API key]({{< ref "/nginxaas-azure/loadbalancer-kubernetes.md#create-an-nginxaas-data-plane-api-key" >}}) if you do not already have one. + +- Append the `/connectivity` suffix to your deployment's data plane API endpoint, e.g. https://my-deployment.my-region.nginxaas.net/connectivity. Use a browser to navigate to this URL. + +- The browser will prompt you for a username and password. The username is optional. Please enter your API key in the password field. + +- You will then be able to use the connectivity tool through the browser. + +{{< call-out "note" >}} +The connectivity test tool will not accept loopback or multicast IP addresses. +{{< /call-out >}} diff --git a/content/nginxaas-azure/get-help.md b/content/nginxaas-azure/get-help/support.md similarity index 97% rename from content/nginxaas-azure/get-help.md rename to content/nginxaas-azure/get-help/support.md index 63e29842a..2af0d397f 100644 --- a/content/nginxaas-azure/get-help.md +++ b/content/nginxaas-azure/get-help/support.md 
@@ -1,9 +1,9 @@ --- -title: Get help -weight: 750 +title: Support +weight: 100 toc: true nd-docs: DOCS-882 -url: /nginxaas/azure/get-help/ +url: /nginxaas/azure/get-help/support type: - how-to --- diff --git a/content/nginxaas-azure/loadbalancer-kubernetes.md b/content/nginxaas-azure/loadbalancer-kubernetes.md index a76032ef9..e3fbb88bd 100644 --- a/content/nginxaas-azure/loadbalancer-kubernetes.md +++ b/content/nginxaas-azure/loadbalancer-kubernetes.md @@ -148,7 +148,7 @@ The NLK controller can be installed in your Kubernetes cluster using either Helm Install the NLK controller using `helm install`. Be sure your kubectl context is pointed at the desired cluster. ```shell -helm install nlk oci://registry-1.docker.io/nginxcharts/nginxaas-loadbalancer-kubernetes --version 1.1.1 \ +helm install nlk oci://registry-1.docker.io/nginxcharts/nginxaas-loadbalancer-kubernetes --version 1.2.3 \ --set "nlk.dataplaneApiKey=${keyValue}" \ --set "nlk.config.nginxHosts=${dataplaneAPIEndpoint}nplus" \ --set "nlk.config.tls.mode=ca-tls" From 2e9dc3fab7bf0a2dd6474c188ad8b1c712ef67ac Mon Sep 17 00:00:00 2001 From: Alex Russell <91080557+arussellf5@users.noreply.github.com> Date: Fri, 26 Sep 2025 10:05:36 -0600 Subject: [PATCH 12/58] Update NGINXaaS for Azure's changelog to mention connectivity tool (#1177) --- content/nginxaas-azure/changelog.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/nginxaas-azure/changelog.md b/content/nginxaas-azure/changelog.md index 6f88bcebf..14d46dc12 100644 --- a/content/nginxaas-azure/changelog.md +++ b/content/nginxaas-azure/changelog.md 
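Review bot: the connectivity page's note says only loopback and multicast addresses are rejected, yet the tool opens outbound TCP connections from the deployment's data plane to whatever address a holder of the data plane API key supplies; spell out which other address ranges are blocked, if any, and say plainly that the API key authorizes this reachability testing, so readers know what the credential grants. Smaller points in the same file: `dataplane` and `data plane API endpoint` appear in the same paragraph, so pick one spelling; the example URL `https://my-deployment.my-region.nginxaas.net/connectivity` should be in backticks like the other literals; and the browser prompt step would benefit from one sentence saying the key is sent as the HTTP basic-auth password, which is why the username is optional.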
@@ -13,6 +13,11 @@ To see a list of currently active issues, visit the [Known issues]({{< ref "/ngi To review older entries, visit the [Changelog archive]({{< ref "/nginxaas-azure/changelog-archive" >}}) section. +## September 26, 2025 + +- {{% icon-feature %}} **Connectivity test tool** + +Users can now test the availability of specific IP addresses from their deployment's dataplane. This is useful for debugging connectivity issues and determining if a problem is in NGINX configuration or Azure network configuration. Please see the docs for the [connectivity test tool]({{< ref "/nginxaas-azure/get-help/connectivity.md" >}}) for further details. ## September 18, 2025 @@ -30,6 +35,7 @@ To review older entries, visit the [Changelog archive]({{< ref "/nginxaas-azure/ - {{% icon-feature %}} **Updates to NGINXaaS for Azure GitHub Action** - Users can now specify files in their configuration directory to be marked as protected using a new optional Action input called `protected-files`. This new input accepts comma-separated list of file paths relative to the NGINX configuration directory that should be marked as protected. For more information, please visit [NGINXaaS for Azure Deployment Action](https://github.com/marketplace/actions/nginx-configuration-sync) on GitHub actions marketplace. Example: + ```yaml - name: Sync NGINX Config to Azure uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0 From 7cb4d338722a3811e18323496397cd9bcac9d45b Mon Sep 17 00:00:00 2001 
From: Arpith Varghese <127259427+arpith-f5@users.noreply.github.com> Date: Fri, 26 Sep 2025 09:35:17 -0700 Subject: [PATCH 13/58] feat: NGINXaaS - Certificate Fetch via Private Endpoint support (#1137) This commit updates the NGINXaaS documentation to add instructions for fetching certificates via private endpoints. --- .../nginxaas-azure/ssl-tls-prerequisites.md | 4 +- content/nginxaas-azure/changelog.md | 4 + .../ssl-tls-certificates/overview.md | 147 ++++++++++++++++-- content/nginxaas-azure/known-issues.md | 8 + .../security-controls/certificates.md | 53 ++++++- 5 files changed, 196 insertions(+), 20 deletions(-) diff --git a/content/includes/nginxaas-azure/ssl-tls-prerequisites.md b/content/includes/nginxaas-azure/ssl-tls-prerequisites.md index def7a9e97..5663d6f42 100644 --- a/content/includes/nginxaas-azure/ssl-tls-prerequisites.md +++ b/content/includes/nginxaas-azure/ssl-tls-prerequisites.md 
@@ -12,12 +12,14 @@ NGINXaaS natively integrates with [Azure Key Vault (AKV)](https://azure.microsof - If using Access Policies for AKV, ensure that your MI has *GET secrets* or higher permissions. +- Access to AKV through a public or private endpoint. If public access to AKV needs to be restricted, refer to [Restrict Public Access to Key Vault]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#restrict-public-access-to-key-vault" >}}). + - In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have read access to list certificates inside the Key Vault: - If using Azure RBAC for AKV, ensure that you have [Key Vault Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-reader) or higher permissions. - If using Access Policies for AKV, ensure that you have *LIST certificates* or higher permissions. - - If public access is disabled on your key vault, [configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) and add an inbound access rule to allow your client IP address. + - If public access is disabled on your key vault, add an inbound access rule to allow your client IP address. - If you're unfamiliar with Azure Key Vault, check out the [Azure Key Vault concepts](https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts) documentation from Microsoft. \ No newline at end of file diff --git a/content/nginxaas-azure/changelog.md b/content/nginxaas-azure/changelog.md index 14d46dc12..acbcb7a04 100644 --- a/content/nginxaas-azure/changelog.md +++ b/content/nginxaas-azure/changelog.md 
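Review bot: the rewritten bullet `+  - If public access is disabled on your key vault, add an inbound access rule to allow your client IP address.` drops the link to the Network Security Perimeter section that told readers where that inbound rule is configured; keep a `{{< ref >}}` to it, since the new "public or private endpoint" bullet above covers NGINXaaS's own access to the vault, not the portal user's. Also, the include still ends with `\ No newline at end of file`; add the trailing newline while the file is being edited.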
@@ -19,6 +19,10 @@ To review older entries, visit the [Changelog archive]({{< ref "/nginxaas-azure/ Users can now test the availability of specific IP addresses from their deployment's dataplane. This is useful for debugging connectivity issues and determining if a problem is in NGINX configuration or Azure network configuration. Please see the docs for the [connectivity test tool]({{< ref "/nginxaas-azure/get-help/connectivity.md" >}}) for further details. +- {{% icon-feature %}} **Support for downloading AKV certificates via Private Endpoints** + +NGINXaaS now supports downloading certificate from Azure Key Vault via Private Endpoints. This will allow users to increase network security by disabling public access on their Key Vault. For more information, please visit [Integrate with Private Endpoint]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#integrate-with-private-endpoint" >}}) + ## September 18, 2025 - {{% icon-feature %}} **Notification on update to deployments using the Stable Upgrade Channel** diff --git a/content/nginxaas-azure/getting-started/ssl-tls-certificates/overview.md b/content/nginxaas-azure/getting-started/ssl-tls-certificates/overview.md index 4e1d1800a..f4b4a0693 100644 --- a/content/nginxaas-azure/getting-started/ssl-tls-certificates/overview.md +++ b/content/nginxaas-azure/getting-started/ssl-tls-certificates/overview.md @@ -95,7 +95,7 @@ The following section describes common errors you might encounter while adding S - **User assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `MI_NAME`: the name of the managed identity - `MI_RESOURCE_GROUP`: the name of the resource group the managed identity is in ```shell 
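Review bot: in the new changelog entry, `downloading certificate from Azure Key Vault` should be `certificates`, and the sentence ending with the `Integrate with Private Endpoint` link has no terminating period.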
@@ -106,7 +106,7 @@ The following section describes common errors you might encounter while adding S - **System assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `DEP_NAME`: the name of the NGINXaaS deployment - `DEP_RESOURCE_GROUP`: the name of the resource group the NGINXaaS deployment is in ```shell @@ -116,7 +116,7 @@ The following section describes common errors you might encounter while adding S ``` 1. Get the resource ID of the key vault. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `KV_NAME`: the name of the key vault - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in ```shell @@ -145,7 +145,7 @@ The following section describes common errors you might encounter while adding S - **User assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `MI_NAME`: the name of the managed identity - `MI_RESOURCE_GROUP`: the name of the resource group the managed identity is in ```shell @@ -156,7 +156,7 @@ The following section describes common errors you might encounter while adding S - **System assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `DEP_NAME`: the name of the NGINXaaS deployment - `DEP_RESOURCE_GROUP`: the name of the resource group the NGINXaaS deployment is in ```shell 
@@ -167,7 +167,7 @@ The following section describes common errors you might encounter while adding S 1. Create the access policy. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `KV_NAME`: the name of the key vault - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in ```shell @@ -178,18 +178,21 @@ The following section describes common errors you might encounter while adding S ``` -#### Error code: `ForbiddenByFirewall` +#### Error code: `ForbiddenByFirewall` or `ForbiddenByConnection` **Description:** The key vault's firewall is enabled and NGINXaaS is not authorized to fetch certificates. -**Resolution:** [Configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) to allow the subscription of the NGINXaaS deployment to access the key vault. +**Resolution:** +Allow NGINXaaS to access the key vault through one of these mechanisms: + +1. [Configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) to allow the subscription of the NGINXaaS deployment to access the key vault.
Create a network security perimeter - Azure CLI 1. Create a network security perimeter. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `NSP_NAME`: the name of the network security perimeter - `NSP_RESOURCE_GROUP`: the name of the resource group the network security perimeter will be in ```shell @@ -197,7 +200,7 @@ The following section describes common errors you might encounter while adding S ``` 1. Create a profile for the network security perimeter. - Please ensure the following environment variable is set before copying the below Azure CLI command. + Set the following environment variable is set before copying the below Azure CLI command. - `PROFILE_NAME`: the name of the network security perimeter profile ```shell az network perimeter profile create --name $PROFILE_NAME \ @@ -206,7 +209,7 @@ The following section describes common errors you might encounter while adding S ``` 1. Get the resource ID of the key vault. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `KV_NAME`: the name of the key vault - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in ```shell @@ -230,7 +233,7 @@ The following section describes common errors you might encounter while adding S ``` 1. Add an inbound access rule to allow the NGINXaaS deployment's subscription. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `RULE_NAME`: the name of the access rule - `DEP_SUBSCRIPTION_ID`: the subscription ID of the NGINXaaS deployment ```shell @@ -242,6 +245,118 @@ The following section describes common errors you might encounter while adding S ```
+2. Integrate with a Private Endpoint to allow NGINXaaS to fetch certificates via Azure Private Link. +
+Create a Private Link - Azure CLI + +1. Get the resource ID of the key vault. + + Set the following environment variables before copying the below Azure CLI command. + - `KV_NAME`: the name of the key vault + - `KV_RESOURCE_GROUP`: the name of tshe resource group the key vault is in + ```shell + key_vault_id=$(az keyvault show --name $KV_NAME \ + --resource-group $KV_RESOURCE_GROUP \ + --query id --output tsv) + ``` + +1. Create a private endpoint. + + Set the following environment variables before copying the below Azure CLI command. + - `PE_NAME`: the name of the private endpoint + - `PE_RESOURCE_GROUP`: the name of the resource group the private endpoint will be in + - `VNET_NAME`: the name of the virtual network that is delegated to NGINXaaS + - `VNET_RESOURCE_GROUP`: the name of the resource group the virtual network is in + - `SUBNET_NAME`: the name of the subnet for private endpoints + - `PE_CONNECTION_NAME`: the name of the private endpoint connection + - `LOCATION`: the location of the virtual network + ```shell + az network private-endpoint create --name $PE_NAME \ + --resource-group $PE_RESOURCE_GROUP \ + --vnet-name $VNET_NAME \ + --subnet $SUBNET_NAME \ + --private-connection-resource-id $key_vault_id \ + --group-id vault \ + --connection-name $PE_CONNECTION_NAME \ + --location $LOCATION + ``` + +1. Create a private DNS zone and link VNet. + + Set the following environment variables before copying the below Azure CLI command. 
+ - `ZONE_RESOURCE_GROUP`: the name of the resource group for the DNS zone + - `ZONE_NAME`: the name of the DNS zone + - `DNS_LINK_NAME`: the name of the DNS zone link + ```shell + vnet_id=$(az network vnet show --name $VNET_NAME \ + --resource-group $VNET_RESOURCE_GROUP \ + --query id --output tsv) + ``` + ```shell + az network private-dns zone create --resource-group $ZONE_RESOURCE_GROUP \ + --name $ZONE_NAME + az network private-dns link vnet create --resource-group $ZONE_RESOURCE_GROUP \ + --zone-name $ZONE_NAME \ + --name $DNS_LINK_NAME \ + --virtual-network $vnet_id \ + --registration-enabled false + ``` + +1. Add DNS zone group to the private endpoint. + + Set the following environment variables before copying the below Azure CLI command. + - `DNS_ZONE_GROUP_NAME`: the name of the resource group for the DNS zone + ```shell + az network private-endpoint dns-zone-group create \ + --resource-group $PE_RESOURCE_GROUP \ + --endpoint-name $PE_NAME \ + --name $DNS_ZONE_GROUP_NAME \ + --private-dns-zone $ZONE_NAME \ + --zone-name $ZONE_NAME + ``` +
+ +3. Allow access from Virtual Network delegated to NGINXaaS. + +
+Allow Virtual Network access - Azure CLI + +1. Get the resource ID of the virtual network. + + Set the following environment variables before copying the below Azure CLI command. + - `VNET_NAME`: the name of the virtual network that is delegated to NGINXaaS + - `VNET_RESOURCE_GROUP`: the name of the resource group the virtual network is in + ```shell + vnet_id=$(az network vnet show --name $VNET_NAME \ + --resource-group $VNET_RESOURCE_GROUP \ + --query id --output tsv) + ``` + +1. Get the resource ID of the subnet. + + Set the following environment variable before copying the below Azure CLI command. + - `SUBNET_NAME`: the name of the subnet that is delegated to NGINXaaS + ```shell + subnet_id=$(az network vnet subnet show --name $SUBNET_NAME \ + --vnet-name $VNET_NAME \ + --resource-group $VNET_RESOURCE_GROUP \ + --query id --output tsv) + ``` + +1. Add the virtual network rule to the key vault. + + Set the following environment variables before copying the below Azure CLI command. + - `KV_NAME`: the name of the key vault + - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in + ```shell + az keyvault network-rule add --name $KV_NAME \ + --resource-group $KV_RESOURCE_GROUP \ + --subnet $subnet_id + ``` + +{{< call-out "note" >}} Ensure that the Network Security Group on the subnet delegated to the NGINXaaS deployment allows outbound traffic to the internet{{< /call-out >}} +
+ #### Error code: `AnotherOperationInProgress` **Description:** Another operation on this, or a dependent resource, is in progress. @@ -273,7 +388,7 @@ The following section describes common errors you might encounter while adding S - **User assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `MI_NAME`: the name of the managed identity - `MI_RESOURCE_GROUP`: the name of the resource group the managed identity is in ```shell @@ -284,7 +399,7 @@ The following section describes common errors you might encounter while adding S - **System assigned managed identity** - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `DEP_NAME`: the name of the NGINXaaS deployment - `DEP_RESOURCE_GROUP`: the name of the resource group the NGINXaaS deployment is in ```shell @@ -295,7 +410,7 @@ The following section describes common errors you might encounter while adding S 1. Create the access policy. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `KV_NAME`: the name of the key vault - `KV_RESOURCE_GROUP`: the name of the resource group the key vault is in ```shell @@ -323,7 +438,7 @@ The following section describes common errors you might encounter while adding S 1. Get the resource ID of the certificate. - Please ensure the following environment variables are set before copying the below Azure CLI command. + Set the following environment variables before copying the below Azure CLI command. - `CERT_NAME`: the name of the certificate - `KV_NAME`: the name of the key vault ```shell 
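Review bot: the rewritten sentence in hunk @@ -197,7 +200,7 still carries the old wording: `+ Set the following environment variable is set before copying the below Azure CLI command.` The "is set" is a leftover from the "Please ensure ... is set" phrasing; it should read "Set the following environment variable before copying the below Azure CLI command.", matching the other rewritten lines in this patch.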
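Review bot: several of the new Private Link and Virtual Network steps in hunk @@ -242,6 +245,118 need fixing before this lands. In the Private Link section, `DNS_ZONE_GROUP_NAME` is described as "the name of the resource group for the DNS zone" but it is passed as the `--name` of the DNS zone group, so the description should say the name of the DNS zone group; the key vault step has the typo "tshe resource group"; and `ZONE_NAME` is left to the reader, but for a Key Vault private endpoint the private DNS zone has to be `privatelink.vaultcore.azure.net` for the vault hostname to resolve to the private endpoint, so state that where the variable is introduced. In the Virtual Network section, step 1 fetches `vnet_id` but nothing in that section uses it (the subnet lookup passes `--vnet-name $VNET_NAME`), so the step can be dropped; and `az keyvault network-rule add --subnet` only takes effect once the subnet has the `Microsoft.KeyVault` service endpoint enabled, which the steps should mention. The closing call-out is also missing its period.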
diff --git a/content/nginxaas-azure/known-issues.md b/content/nginxaas-azure/known-issues.md index e307fbdf5..c57541432 100644 --- a/content/nginxaas-azure/known-issues.md +++ b/content/nginxaas-azure/known-issues.md @@ -9,6 +9,14 @@ url: /nginxaas/azure/known-issues/ List of known issues in the latest release of F5 NGINXaaS for Azure (NGINXaaS). +### {{% icon-bug %}} Certificate failures when managed identities with access is added after deployment creation + +This issue occurs when public access is disabled on Azure Key Vault (AKV) and the managed identity that has access to AKV is added to the NGINXaaS deployment after creation. + +Updating managed identities on an NGINXaaS deployment after creation may result in the managed identity not being correctly delegated to the dataplane, which can cause certificate fetch failures. + +**Workaround**: To avoid this issue, when you create an NGINXaaS deployment, make sure that the managed identity with access to AKV is assigned during initial creation. If managed identities need to be updated after creation, enable public access to AKV or [configure Network Security Perimeter]({{< ref "/nginxaas-azure/quickstart/security-controls/certificates.md#configure-network-security-perimeter-nsp" >}}) + ### {{% icon-bug %}} Custom and precompiled security policies cannot both be referenced in an NGINX configuration When using NGINX App Protect WAF, you can only reference default or custom security policies in your NGINX configuration, not both. diff --git a/content/nginxaas-azure/quickstart/security-controls/certificates.md b/content/nginxaas-azure/quickstart/security-controls/certificates.md index cfce20494..dc2645e61 100644 --- a/content/nginxaas-azure/quickstart/security-controls/certificates.md +++ b/content/nginxaas-azure/quickstart/security-controls/certificates.md 
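Review bot: the new heading in the known-issues hunk does not parse: "Certificate failures when managed identities with access is added after deployment creation" should be "... with access are added ..." (or "when a managed identity with access is added"). The **Workaround** paragraph ends without a period after the link, and "dataplane" should be "data plane" to match the rest of the docs.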
@@ -160,9 +160,18 @@ http { For more information on using NGINX to secure traffic to upstream servers, refer to [Securing HTTP Traffic to Upstream Servers](https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/) and [Securing TCP Traffic to Upstream Servers](https://docs.nginx.com/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream/). -## Configure Network Security Perimeter (NSP) -If you want to disable public access to your key vault, you can configure a [Network Security Perimeter (NSP)](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts). This will allow you to configure access rules to allow NGINXaaS to fetch certificates from your key vault while ensuring all other public access is denied. +## Restrict Public Access to Key Vault + +If you want to restrict public access to your key vault, you can configure: + +- a [Network Security Perimeter (NSP)](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts). This will allow you to configure access rules to allow NGINXaaS to fetch certificates from your key vault while ensuring all other public access is denied. + +- Allow access from a Virtual Network. This will allow you to configure access from the Virtual Network that is delegated to NGINXaaS while ensuring all other public access is denied. + +- Integrate Azure Key Vault with [Azure Private Link](https://learn.microsoft.com/en-us/azure/private-link/private-link-overview). To enhance network security, you can configure your vault to only allow connections through private endpoints. Traffic between NGINXaaS and AKV traverses over the Microsoft backbone network. + +### Configure Network Security Perimeter (NSP) 1. Follow [Azure's documentation on prerequisites](https://learn.microsoft.com/en-us/azure/private-link/create-network-security-perimeter-portal#prerequisites) to ensure you are registed to create an NSP. 1. 
In the Search box, enter **Network Security Perimeters** and select **Network Security Perimeters** from the search results. @@ -174,7 +183,7 @@ If you want to disable public access to your key vault, you can configure a [Net | Subscription | Select the appropriate Azure subscription that you have access to. | | Resource group | Specify whether you want to create a new resource group or use an existing one.
For more information, see [Azure Resource Group overview](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview). | | Name | Provide a unique name for your network security perimeter. For this tutorial, we use `nginxaas-nsp`. | - | Region | Select the region you want to deploy to. Refer to any [regional limitations](https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts#regional-limitations) NSP has while in public preview. | + | Region | Select the region you want to deploy to. | | Profile name | Leave the profile name as the default `defaultProfile`. | {{< /table >}} 1. In the **Resources** tab, select {{< icon "plus">}}**Add**. @@ -197,3 +206,41 @@ By default, the key vault will be associated to the NSP in [Learning mode](https 1. Select **Change access mode**, set to **Enforced**, and select **Apply**. {{< call-out "note" >}} If you are using the Azure portal to add certificates, you will also need to add an inbound access rule to allow your IP address, so the portal can list the certificates in your key vault. {{< /call-out >}} + +### Integrate with Private Endpoint + +1. Go to your key vault, `nginxaas-kv`. +1. Select **Settings** followed by **Networking** in the left menu. +1. Select the **Private endpoint connections** tab. +1. Select {{< icon "plus">}} **Create** +1. In the **Basics** tab, provide the following information: + {{< table >}} + | Field | Description | + |---------------------------- | ---------------------------- | + | Subscription | Select the appropriate Azure subscription that you have access to. | + | Resource group | Specify whether you want to create a new resource group or use an existing one.
For more information, see [Azure Resource Group overview](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview). | + | Name | Provide a unique name for your private link. For this tutorial, we use `nginxaas-pl`. | + | Region | Select the region you want to deploy to. + {{< /table >}} + +1. In the **Resources** tab, select **Resource Type** as `Microsoft.KeyVault/vaults` and **Resource** as `nginxaas-kv` +1. In the **Virtual Network** tab, provide the following information + {{< table >}} + | Field | Description | + |---------------------------- | ---------------------------- | + | Virtual network | Select the virtual network delegated to your NGINXaaS deployment. | + | Subnet | Select a subnet from your virtual network that is not being used. + {{< /table >}} +1. In the **DNS** tab, use the default settings to integrate your private endpoint with a private DNS zone. +1. Select **Review + Create** and then **Create**. + +Once a private link is configured and public access is disabled on Azure Key Vault, any certificates added to the NGINXaaS deployment will be fetched over the private link. + +### Allow access from a Virtual Network + +1. Go to your key vault, `nginxaas-kv`. +1. Select **Networking** in the left menu. +1. Select {{< icon "plus">}} **Add existing virtual network**. +1. Select the virtual network and subnet that is delegated to the NGINXaaS deployment. + +{{< call-out "note" >}} Ensure that the Network Security Group on the subnet delegated to the NGINXaaS deployment allows outbound traffic to the internet{{< /call-out >}} From 1b8cc6f4b3f622f76a1fe6f8d381681817559391 Mon Sep 17 00:00:00 2001 
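Review bot: the three bullets under "If you want to restrict public access to your key vault, you can configure:" in hunk @@ -160,9 +160,18 are not parallel: the first continues the sentence ("a Network Security Perimeter (NSP)") while the second and third start new imperatives ("Allow access from a Virtual Network", "Integrate Azure Key Vault with ..."). Suggest rewording all three as noun phrases, for example "a virtual network rule that ..." and "a private endpoint via Azure Private Link ...". While this hunk is open, the context line "ensure you are registed to create an NSP" has a typo for "registered".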
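Review bot: two table rows in hunk @@ -197,3 +206,41 are missing their closing `|`: `| Region | Select the region you want to deploy to.` in the **Basics** table and `| Subnet | Select a subnet from your virtual network that is not being used.` in the **Virtual Network** table, which breaks rendering inside `{{< table >}}`. Also in this hunk: the **Name** row says "a unique name for your private link" but the resource being created is a private endpoint (the section is titled "Integrate with Private Endpoint"); "Select {{< icon "plus">}} **Create**" has no period; "Select the virtual network and subnet that is delegated" should be "are delegated"; and the final call-out lacks a period.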
From: yar Date: Fri, 26 Sep 2025 21:52:42 +0100 Subject: [PATCH 14/58] fix: links reported by QE LinkChecker (#1169) --- .../admin-guide/installing-nginx/installing-nginx-docker.md | 4 ++-- .../installing-nginx-plus-amazon-web-services.md | 2 +- .../configuring-http-basic-authentication.md | 2 +- content/nginx/admin-guide/web-server/reverse-proxy.md | 2 +- .../high-availability-network-load-balancer.md | 2 +- .../load-balance-third-party/oracle-weblogic-server.md | 6 +++--- .../migrate-hardware-adc/f5-big-ip-configuration.md | 4 ++-- content/nginx/releases.md | 2 +- 8 files changed, 12 insertions(+), 12 deletions(-) diff --git a/content/nginx/admin-guide/installing-nginx/installing-nginx-docker.md b/content/nginx/admin-guide/installing-nginx/installing-nginx-docker.md index a7024b1e4..f89f8748d 100644 --- a/content/nginx/admin-guide/installing-nginx/installing-nginx-docker.md +++ b/content/nginx/admin-guide/installing-nginx/installing-nginx-docker.md 
@@ -202,8 +202,8 @@ where: - `NGINX_LICENSE_JWT` is your JWT license file from MyF5. The file name should be `license.jwt`. - `NGINX_AGENT_SERVER_GRPCPORT` sets a GRPC port used by NGINX Agent to communicate with NGINX Instance Manager. - `NGINX_AGENT_SERVER_HOST` sets the domain name or IP address of NGINX Instance Manager. Note that for production environments it is not recommended to expose NGINX Instance Manager to public networks. - - `NGINX_AGENT_SERVER_TOKEN` sets NGINX One data plane key. See [Create and manage data plane keys](https://docs.nginx.com/nginx-one/how-to/data-plane-keys/create-manage-data-plane-keys/) for details. - - `NGINX_AGENT_TLS_ENABLE` enables mutual TLS, server-side TLS, or insecure mode (not recommended for production environments). See [Encrypt communication](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for details. + - `NGINX_AGENT_SERVER_TOKEN` sets NGINX One data plane key. See [Create and manage data plane keys]({{< ref "nginx-one/connect-instances/create-manage-data-plane-keys.md" >}}) for details. + - `NGINX_AGENT_TLS_ENABLE` enables mutual TLS, server-side TLS, or insecure mode (not recommended for production environments). See [Encrypt communication]({{< ref "agent/configuration/encrypt-communication.md" >}}) for details. - `YOUR_REGISTRY` is the path to your private registry. - `VERSION_TAG` is the tag assigned when pushing to your registry. diff --git a/content/nginx/admin-guide/installing-nginx/installing-nginx-plus-amazon-web-services.md b/content/nginx/admin-guide/installing-nginx/installing-nginx-plus-amazon-web-services.md index a16e00a16..d2bb4f734 100644 --- a/content/nginx/admin-guide/installing-nginx/installing-nginx-plus-amazon-web-services.md +++ b/content/nginx/admin-guide/installing-nginx/installing-nginx-plus-amazon-web-services.md 
@@ -38,7 +38,7 @@ To quickly set up an NGINX Plus environment on AWS: /etc/init.d/nginx status ``` -See [NGINX Plus on the AWS Cloud Quick Start](https://aws.amazon.com/blogs/apn/introducing-a-new-aws-quick-start-nginx-plus-on-the-aws-cloud-in-15-minutes/) deployment guide for details. +See [NGINX Plus on the AWS Cloud Quick Start](https://aws.amazon.com/about-aws/whats-new/2017/08/quick-start-update-deploy-nginx-plus-on-the-aws-cloud/) deployment guide for details. ## What If I Need Help? diff --git a/content/nginx/admin-guide/security-controls/configuring-http-basic-authentication.md b/content/nginx/admin-guide/security-controls/configuring-http-basic-authentication.md index b55e58db1..e466907fa 100644 --- a/content/nginx/admin-guide/security-controls/configuring-http-basic-authentication.md +++ b/content/nginx/admin-guide/security-controls/configuring-http-basic-authentication.md @@ -155,6 +155,6 @@ http { When you access your status page, you are prompted to log in: -[![auth_required](https://cdn.wp.nginx.com/wp-content/uploads/2016/10/auth_required.png)](https://cdn.wp.nginx.com/wp-content/uploads/2016/10/auth_required.png) +![The "Authentication Required" prompt](/nginx/images/auth-required.png) If the provided name and password do not match the password file, you get the `401 (Authorization Required)` error. diff --git a/content/nginx/admin-guide/web-server/reverse-proxy.md b/content/nginx/admin-guide/web-server/reverse-proxy.md index 144f9e82c..9fc992412 100644 --- a/content/nginx/admin-guide/web-server/reverse-proxy.md +++ b/content/nginx/admin-guide/web-server/reverse-proxy.md 
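Review bot: the basic-auth hunk (@@ -155,6 +155,6) replaces the CDN image with the repo-local path `/nginx/images/auth-required.png`, but the patch's stat lists only eight `.md` files, so no image is added here. Confirm that `auth-required.png` already exists under that path; otherwise the link checker this patch is meant to satisfy will flag the new reference.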
@@ -116,7 +116,7 @@ location /some/path/ { In this case NGINX uses only the buffer configured by [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) to store the current part of a response. -A common use of a reverse proxy is to provide load balancing. Learn how to improve power, performance, and focus on your apps with rapid deployment in the free [Five Reasons to Choose a Software Load Balancer](https://www.nginx.com/resources/library/five-reasons-choose-software-load-balancer/) ebook. +A common use of a reverse proxy is to provide load balancing. See [HTTP Load Balancing]({{< ref "nginx/admin-guide/load-balancer/http-load-balancer.md" >}}) and [TCP and UDP Load Balancing]({{< ref "nginx/admin-guide/load-balancer/tcp-udp-load-balancer.md" >}}). ## Choosing an Outgoing IP Address diff --git a/content/nginx/deployment-guides/amazon-web-services/high-availability-network-load-balancer.md b/content/nginx/deployment-guides/amazon-web-services/high-availability-network-load-balancer.md index c8ec870c7..b829809ef 100644 --- a/content/nginx/deployment-guides/amazon-web-services/high-availability-network-load-balancer.md +++ b/content/nginx/deployment-guides/amazon-web-services/high-availability-network-load-balancer.md 
@@ -35,7 +35,7 @@ NGINX Plus also provides reverse‑proxy and load balancing features, including - [Intelligent session persistence](https://www.nginx.com/products/nginx/load-balancing/#session-persistence) - [High‑performance reverse proxy]({{< ref "nginx/admin-guide/web-server/reverse-proxy.md" >}}) - [Caching and offload of dynamic and static content]({{< ref "nginx/admin-guide/content-cache/content-caching.md" >}}) -- [Adaptive streaming to deliver audio and video to any device](https://www.nginx.com/products/nginx/streaming-media/) +- Adaptive streaming to deliver audio and video to any device - [Application-aware health checks](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/) and [high availability](https://docs.nginx.com/nginx/admin-guide/high-availability/) - [Advanced activity monitoring available via a dashboard or API](https://www.nginx.com/products/nginx/live-activity-monitoring/) - [Management and real‑time configuration changes with DevOps‑friendly tools](https://www.nginx.com/products/nginx/load-balancing/#load-balancing-api) diff --git a/content/nginx/deployment-guides/load-balance-third-party/oracle-weblogic-server.md b/content/nginx/deployment-guides/load-balance-third-party/oracle-weblogic-server.md index 6b1381cc5..cf780f94e 100644 --- a/content/nginx/deployment-guides/load-balance-third-party/oracle-weblogic-server.md +++ b/content/nginx/deployment-guides/load-balance-third-party/oracle-weblogic-server.md 
@@ -23,9 +23,9 @@ This deployment guide explains how to use NGINX Open Source and F5 NGINX Plus to - [Intelligent session persistence](https://www.nginx.com/products/nginx/load-balancing/#session-persistence) - [High‑performance reverse proxy]({{< ref "nginx/admin-guide/web-server/reverse-proxy.md" >}}) - [Caching and offload of dynamic and static content]({{< ref "nginx/admin-guide/content-cache/content-caching.md" >}}) -- [Adaptive streaming to deliver audio and video to any device](https://www.nginx.com/products/nginx/streaming-media/) +- Adaptive streaming to deliver audio and video to any device - [Application-aware health checks](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/) and [high availability](https://docs.nginx.com/nginx/admin-guide/high-availability/) -- [Advanced activity monitoring available via a dashboard or API](https://www.nginx.com/products/nginx/live-activity-monitoring/) +- [Advanced activity monitoring available via a dashboard or API]({{< ref "nginx/admin-guide/monitoring/live-activity-monitoring.md" >}}) - [Management and real‑time configuration changes with DevOps‑friendly tools](https://www.nginx.com/products/nginx/load-balancing/#load-balancing-api) 
@@ -39,7 +39,7 @@ Oracle WebLogic Server is also available on [Oracle Cloud](https://www.oracle.co You can use the WebLogic Server Administration Control graphical user interface to deploy and undeploy an application to an Oracle Java Cloud Service instance, just as you would deploy and undeploy the application to an on‑premises service instance. -For more information about deploying a Java application on Oracle Java Cloud Service, see [Administering Oracle Java Cloud Service](https://docs.oracle.com/en/cloud/paas/java-cloud/jscug/toc.htm). +For more information about deploying a Java application on Oracle Java Cloud Service, see [Administering Oracle Java Cloud Service](https://docs.oracle.com/cloud/131/developer_services/CSJSU/java-admin.htm). ## Prerequisites and System Requirements diff --git a/content/nginx/deployment-guides/migrate-hardware-adc/f5-big-ip-configuration.md b/content/nginx/deployment-guides/migrate-hardware-adc/f5-big-ip-configuration.md index 69cffc949..c371fe0c1 100644 --- a/content/nginx/deployment-guides/migrate-hardware-adc/f5-big-ip-configuration.md +++ b/content/nginx/deployment-guides/migrate-hardware-adc/f5-big-ip-configuration.md 
@@ -9,7 +9,7 @@ type: - how-to --- -F5 NGINX Plus provides a flexible replacement for traditional hardware‑based [application delivery controllers](https://www.nginx.com/resources/glossary/application-delivery-controller/) (ADCs). NGINX Plus is a small software package that can be installed just about anywhere – on bare metal, a virtual machine, or a container, and on‑premises or in public, private, and hybrid clouds – while providing the same level of application delivery, high availability, and security offered by legacy ADCs. This guide explains how to migrate an F5 BIG-IP Local Traffic Manager (LTM) configuration to the NGINX Plus software application delivery platform, and covers the most commonly used features and configurations to get you started quickly on your migration. +F5 NGINX Plus provides a flexible replacement for traditional hardware‑based [application delivery controllers](https://www.f5.com/glossary/application-delivery-controller) (ADCs). NGINX Plus is a small software package that can be installed just about anywhere – on bare metal, a virtual machine, or a container, and on‑premises or in public, private, and hybrid clouds – while providing the same level of application delivery, high availability, and security offered by legacy ADCs. This guide explains how to migrate an F5 BIG-IP Local Traffic Manager (LTM) configuration to the NGINX Plus software application delivery platform, and covers the most commonly used features and configurations to get you started quickly on your migration. NGINX Plus and BIG-IP LTM both act as a full reverse proxy and load balancer, so that the client sees the load balancer as the application and the backend servers see the load balancer as the client. This allows for great control and fine‑grained manipulation of the traffic. This guide focuses on basic load balancing. 
For information on extending the configuration with Layer 7 logic and scripting, see the post about [migrating Layer 7 logic](https://www.nginx.com/blog/migrating-layer7-logic-f5-irules-citrix-policies-nginx-plus/) on the NGINX blog. It covers features such as content switching and request routing, rewriting, and redirection. 
@@ -444,7 +444,7 @@ The following configuration includes three additional directives which weren't d - The [proxy_http_version](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version) directive sets the HTTP version to 1.1 for the connection to the backend server. - The `proxy_set_header Connection ""` directive clears the `Connection` header sent by the client, enabling NGINX Plus to keep encrypted keepalive connections open to the upstream servers. -We are also enabling [live activity monitoring](https://www.nginx.com/products/nginx/live-activity-monitoring) in the final `server` block. Live activity monitoring is implemented in the [NGINX Plus API](https://nginx.org/en/docs/http/ngx_http_api_module.html) module and is exclusive to NGINX Plus. The wide range of statistics reported by the API is displayed on the built‑in dashboard and can also be exported to any application performance management (APM) or monitoring tool that can consume JSON‑formatted messages. For more detail on logging and monitoring see the [NGINX Plus Admin Guide]({{< ref "/nginx/admin-guide/monitoring/_index.md" >}}). +We are also enabling [live activity monitoring]({{< ref "nginx/admin-guide/monitoring/live-activity-monitoring.md" >}} in the final `server` block. Live activity monitoring is implemented in the [NGINX Plus API](https://nginx.org/en/docs/http/ngx_http_api_module.html) module and is exclusive to NGINX Plus. The wide range of statistics reported by the API is displayed on the built‑in dashboard and can also be exported to any application performance management (APM) or monitoring tool that can consume JSON‑formatted messages. For more detail on logging and monitoring see the [NGINX Plus Admin Guide]({{< ref "nginx/admin-guide/monitoring/live-activity-monitoring.md" >}}). ```nginx upstream test_pool { diff --git a/content/nginx/releases.md b/content/nginx/releases.md index 749e8ff2b..00b8ac285 100644 --- a/content/nginx/releases.md 
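Review bot: the first link in hunk @@ -444,7 +444,7 of f5-big-ip-configuration.md is unterminated: `[live activity monitoring]({{< ref "nginx/admin-guide/monitoring/live-activity-monitoring.md" >}} in the final` is missing the `)` after `>}}`, so the sentence renders as broken Markdown. Separately, the closing sentence "For more detail on logging and monitoring see the [NGINX Plus Admin Guide]" now points at the same live-activity-monitoring page as the first link instead of the monitoring section index (`monitoring/_index.md`), which drops the logging material the sentence promises; keep the original `{{< ref "/nginx/admin-guide/monitoring/_index.md" >}}` target there.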
+++ b/content/nginx/releases.md @@ -1470,7 +1470,7 @@ NGINX Plus R13 is a feature release: - Ability to gracefully shut down all live client connections when restarting NGINX Plus (the [worker_shutdown_timeout](https://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout) directive) - Support for adding HTTP trailers (the [add_trailer](https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_trailer) directive) - Improvement to session persistence: quicker establishment of sticky sessions between clients and upstream groups (the `header` parameter to the [sticky learn](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#sticky) directive) -- Support for the third‑party [HTTP Substitutions Filter](https://github.com/yaoweibin/ngx_http_substitutions_filter_module) module, distributed in NGINX Plus packages and available on the [Dynamic Modules](https://www.nginx.com/products/modules/) page +- Support for the third‑party [HTTP Substitutions Filter](https://github.com/yaoweibin/ngx_http_substitutions_filter_module) module, distributed in NGINX Plus packages and available on the [Dynamic Modules]({{< ref "/nginx/admin-guide/dynamic-modules/dynamic-modules.md" >}}) page NGINX Plus R13 is supported on: From 764e98962f2cc32c613482f549f12c3be1064809 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Sep 2025 13:31:22 +0100 Subject: [PATCH 15/58] build(deps): bump azure/cli from 2.1.0 to 2.2.0 (#1180) Bumps [azure/cli](https://github.com/azure/cli) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/azure/cli/releases) - [Changelog](https://github.com/Azure/cli/blob/master/ReleaseProcess.md) - [Commits](https://github.com/azure/cli/compare/089eac9d8cc39f5d003e94f8b65efc51076c9cbd...9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956) --- updated-dependencies: - dependency-name: azure/cli dependency-version: 2.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/coveo.yml | 2 +- .github/workflows/linkchecker.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/coveo.yml b/.github/workflows/coveo.yml index b9d52f99c..c8f849c8f 100644 --- a/.github/workflows/coveo.yml +++ b/.github/workflows/coveo.yml @@ -84,7 +84,7 @@ jobs: - name: Retrieve secrets from Keyvault id: keyvault - uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd + uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 with: inlineScript: | secrets_get=(productionHostname previewHostname resourceGroupName cdnProfileName cdnName accountName) diff --git a/.github/workflows/linkchecker.yml b/.github/workflows/linkchecker.yml index 4114412f7..293a4bcc9 100644 --- a/.github/workflows/linkchecker.yml +++ b/.github/workflows/linkchecker.yml @@ -84,7 +84,7 @@ jobs: - name: Retrieve secrets from Keyvault if: env.isProduction != 'true' id: keyvault - uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd + uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 with: inlineScript: | secrets_get=(frontdoorUsername frontdoorPassword) From f182b6f111d92c9c0809e570915b7728a319c551 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Sep 2025 13:31:48 +0100 Subject: [PATCH 16/58] build(deps): bump github/codeql-action from 3.30.3 to 3.30.5 (#1179) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.3 to 3.30.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/192325c86100d080feab897ff886c34abd4c83a3...3599b3baa15b485a2e49ef411a7a4bb2452e7f93) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ossf_scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ossf_scorecard.yml b/.github/workflows/ossf_scorecard.yml index f01d4a00c..1abc40809 100644 --- a/.github/workflows/ossf_scorecard.yml +++ b/.github/workflows/ossf_scorecard.yml @@ -56,6 +56,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: Upload SARIF results to code scanning - uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5 + uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5 with: sarif_file: results.sarif From 5e56256e1b3d36bae5ced5e6f746444da0e72615 Mon Sep 17 00:00:00 2001 From: Shaun Date: Mon, 29 Sep 2025 14:07:27 +0100 Subject: [PATCH 17/58] docs: Update references to Gateway API spec in NGF docs (#1182) --- content/ngf/traffic-management/basic-routing.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/ngf/traffic-management/basic-routing.md b/content/ngf/traffic-management/basic-routing.md index bae0147fc..e121c8935 100644 
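Review bot: the version comment in the ossf_scorecard.yml hunk is stale: the pinned SHA is bumped to `3599b3baa15b485a2e49ef411a7a4bb2452e7f93` while the trailing comment still reads `# v3.29.5`, and the commit message says this bump goes from 3.30.3 to 3.30.5. Update the comment to `# v3.30.5` so the pin and its human-readable version stay in sync, since reviewers and tooling rely on that comment when auditing pinned actions.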
--- a/content/ngf/traffic-management/basic-routing.md +++ b/content/ngf/traffic-management/basic-routing.md @@ -39,7 +39,7 @@ graph TB Using this architecture, the **coffee** application is not accessible outside the cluster. We want to expose this application on the hostname "cafe.example.com" so that clients outside the cluster can access it. -Install NGINX Gateway Fabric and create two Gateway API resources: a [gateway](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.Gateway) and an [HTTPRoute](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.HTTPRoute). +Install NGINX Gateway Fabric and create two Gateway API resources: a [gateway](https://gateway-api.sigs.k8s.io/reference/spec/#gateway) and an [HTTPRoute](https://gateway-api.sigs.k8s.io/reference/spec/#httproute). Using these resources we will configure a simple routing rule to match all HTTP traffic with the hostname "cafe.example.com" and route it to the **coffee** service. 
@@ -240,10 +240,10 @@ In a production environment, you should have a DNS record for the external IP ad This Gateway is associated with NGINX Gateway Fabric through the **gatewayClassName** field. The default installation of NGINX Gateway Fabric creates a GatewayClass with the name **nginx**. NGINX Gateway Fabric will only configure Gateways with a **gatewayClassName** of **nginx** unless you change the name via the `--gatewayclass` [command-line flag]({{< ref "/ngf/reference/cli-help.md#controller" >}}). -We specify a [listener](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.Listener) on the Gateway to open an entry point on the cluster. In this case, since the coffee application accepts HTTP requests, we create an HTTP listener, named **http**, that listens on port 80. +We specify a [listener](https://gateway-api.sigs.k8s.io/reference/spec/#listener) on the Gateway to open an entry point on the cluster. In this case, since the coffee application accepts HTTP requests, we create an HTTP listener, named **http**, that listens on port 80. By default, Gateways only allow routes (such as HTTPRoutes) to attach if they are in the same namespace as the Gateway. If you want to change this behavior, you can set -the [**allowedRoutes**](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.AllowedRoutes) field. +the [**allowedRoutes**](https://gateway-api.sigs.k8s.io/reference/spec/#allowedroutes) field. Next you will create the HTTPRoute by copying and pasting the following into your terminal: 
@@ -269,11 +269,11 @@ spec: EOF ``` -To attach the **coffee** HTTPRoute to the **cafe** Gateway, we specify the Gateway name in the [**parentRefs**](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.CommonRouteSpec) field. The attachment will succeed if the hostnames and protocol in the HTTPRoute are allowed by at least one of the Gateway's listeners. +To attach the **coffee** HTTPRoute to the **cafe** Gateway, we specify the Gateway name in the [**parentRefs**](https://gateway-api.sigs.k8s.io/reference/spec/#parentreference) field. The attachment will succeed if the hostnames and protocol in the HTTPRoute are allowed by at least one of the Gateway's listeners. -The [**hostnames**](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec) field allows you to list the hostnames that the HTTPRoute matches. In this case, incoming requests handled by the **http** listener with the HTTP host header "cafe.example.com" will match this HTTPRoute and will be routed according to the rules in the spec. +The [**hostnames**](https://gateway-api.sigs.k8s.io/reference/spec/#hostname) field allows you to list the hostnames that the HTTPRoute matches. In this case, incoming requests handled by the **http** listener with the HTTP host header "cafe.example.com" will match this HTTPRoute and will be routed according to the rules in the spec. -The [**rules**](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule) field defines routing rules for the HTTPRoute. A rule is selected if the request satisfies one of the rule's **matches**. To forward traffic for all paths to the coffee service we specify a match with the PathPrefix "/" and target the coffee service using the **backendRef** field. +The [**rules**](https://gateway-api.sigs.k8s.io/reference/spec/#httprouterule) field defines routing rules for the HTTPRoute. 
A rule is selected if the request satisfies one of the rule's **matches**. To forward traffic for all paths to the coffee service we specify a match with the PathPrefix "/" and target the coffee service using the **backendRef** field. --- From b75a78d233547e9a9f0bebdbc7c4002feb862f37 Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Mon, 29 Sep 2025 15:23:18 +0100 Subject: [PATCH 18/58] docs: Fix path formatting for green tea route (#1185) --- .../virtualserver-and-virtualserverroute-resources.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md index 670599c36..4899b0fdb 100644 --- a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md @@ -51,7 +51,7 @@ spec: - path: ~ ^/decaf/.*\\.jpg$ action: pass: coffee - - path: = /green/tea + - path: =/green/tea action: pass: tea ``` From 9fd163c4a0a1e7c906acbed4b59ee26f7be2a704 Mon Sep 17 00:00:00 2001 From: John David White <127981157+john-david3@users.noreply.github.com> Date: Mon, 29 Sep 2025 15:47:08 +0100 Subject: [PATCH 19/58] Fix: agent container migration path (#940) --- content/includes/agent/installation/update-container.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/includes/agent/installation/update-container.md b/content/includes/agent/installation/update-container.md index f5d3fe10a..8e62e603c 100644 --- a/content/includes/agent/installation/update-container.md +++ b/content/includes/agent/installation/update-container.md 
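Review bot: In the last hunk the `hostnames` link is changed to `#hostname`, the anchor for the `Hostname` scalar type, while the sibling links in the same hunk point at the type that defines the field (`#parentreference`, `#httprouterule`); the previous target was `HTTPRouteSpec`, so if the reference page exposes an `#httproutespec` anchor it would be the consistent choice for a field-level link.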
@@ -10,7 +10,7 @@ To migrate NGINX Agent containers, we provide a script to convert NGINX Agent v2 To upgrade the configuration, you can follow this example: ```shell -wget https://raw.githubusercontent.com/nginx/agent/refs/heads/v3/scripts/packages/upgrade-agent-config.sh +wget https://raw.githubusercontent.com/nginx/agent/refs/heads/main/scripts/packages/upgrade-agent-config.sh ./upgrade-agent-config.sh --v2-config-file=./nginx-agent-v2.conf --v3-config-file=nginx-agent-v3.conf ``` From 9e80d0a0db89a4adf35aa2bf6d1ff76665f7486b Mon Sep 17 00:00:00 2001 From: Lam <150060045+lamATnginx@users.noreply.github.com> Date: Mon, 29 Sep 2025 10:39:08 -0700 Subject: [PATCH 20/58] chore: Bump hugo theme version to v1.0.8 (#1187) chore: Bump hugo theme version to v1.0.8 --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2c30be622..8e5052f41 100644 --- a/go.mod +++ b/go.mod @@ -2,4 +2,4 @@ module github.com/nginxinc/docs go 1.19 -require github.com/nginxinc/nginx-hugo-theme v1.0.0 // indirect +require github.com/nginxinc/nginx-hugo-theme v1.0.8 // indirect diff --git a/go.sum b/go.sum index 65e845dc7..e81b144b1 100644 --- a/go.sum +++ b/go.sum @@ -1,2 +1,2 @@ -github.com/nginxinc/nginx-hugo-theme v1.0.0 h1:ufoXHaOcFUMAl6DSFgSeU+FKM5Oz+KCgxjPNhDJywu4= -github.com/nginxinc/nginx-hugo-theme v1.0.0/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M= +github.com/nginxinc/nginx-hugo-theme v1.0.8 h1:+ytApSF1FjZFajFO47sQ+ZNu4mgNlb2O4423Mmdcjwc= +github.com/nginxinc/nginx-hugo-theme v1.0.8/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M= From 6788c9837caec6208681fc432780f0d51f7d447f Mon Sep 17 00:00:00 2001 
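Review bot: The `update-container.md` hunk fetches `upgrade-agent-config.sh` with `wget` and then runs `./upgrade-agent-config.sh`, but `wget` does not set the executable bit, so the second command fails with a permission error as written; add `chmod +x upgrade-agent-config.sh` between the two lines (or invoke it via `bash upgrade-agent-config.sh`). Separately, pointing at `refs/heads/main` instead of the previous `v3` branch means the script content changes whenever `main` moves; pinning to a release tag or commit keeps the documented upgrade reproducible.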
From: Alan Dooley Date: Mon, 29 Sep 2025 22:00:57 +0100 Subject: [PATCH 21/58] feat: F5 WAF for NGINX 5.9 Refactor (#949) * feat: F5 WAF for NGINX 5.9 Refactor (#949) This pull request represents a large amount of documentation changes for F5 WAF for NGINX. It is the creation of a new documentation set on the path /waf/, replacing /nap-waf: this reflects the change from the product name of NGINX App Protect WAF to F5 WAF for NGINX. The product name itself has also been changed across the entire NGINX documentation website. Instructions and reference material have been grouped together into high-level use case sections, making it easier for users to navigate and find relevant information. All content moved this way has been rewritten to some extent to match contemporary NGINX writing standards. The other major change to how documentation is written and structured reflects the new uniform naming conventions for versions, and abolishment of V4 and V5 distinction, instead focusing framing of content and structure of pages around the use case permutation for a deployment. The historic release notes (now named the "Changelog" like other NGINX products) have been kept in their previous state for reference. The totality of these changes also includes the F5 WAF for NGINX 5.9 release, which has early availability features.
--- .github/CODEOWNERS | 4 +- _banners/waf-early-availability.md | 5 + _banners/waf-unification-notice.md | 7 + _banners/waf-virtual-restriction.md | 7 + cloudcannon.config.yml | 8 +- config/_default/config.toml | 1 + content/_index.md | 6 +- .../install/install-for-controller.md | 52 +- .../controller/app-delivery/about-snippets.md | 2 +- .../concepts/bring-your-own-policy.md | 16 +- .../concepts/extend-app-security-snippets.md | 10 +- .../security/concepts/what-is-waf.md | 6 +- .../tutorials/add-app-security-with-waf.md | 12 +- .../releases/adc/adc-release-notes-3.20.md | 4 +- .../includes/acm/about/api-proxy-policies.md | 2 +- .../build-from-official-nginx-image.md | 2 +- .../includes/nap-waf/build-nginx-image-cmd.md | 2 +- content/includes/nap-waf/concept/apreload.md | 2 +- .../nap-waf/concept/global-directives.md | 2 +- .../includes/nap-waf/concept/grpc-logging.md | 2 +- .../nap-waf/config/common/anti-automation.md | 4 +- .../config/common/clickjacking-protection.md | 6 +- .../nap-waf/config/common/csrf-protection.md | 2 +- .../config/common/custom-log-overview.md | 2 +- .../common/deny-allow-never-log-lists.md | 2 +- .../common/detect-base64-string-values.md | 2 +- .../nap-waf/config/common/detect-base64.md | 2 +- .../config/common/enforcer-cookie-settings.md | 2 +- .../evasion-techniques-subviolations.md | 2 +- .../config/common/filetypes-and-responses.md | 2 +- .../config/common/geolocation-overview.md | 2 +- .../nap-waf/config/common/graphql-security.md | 2 +- .../config/common/graphql-violations.md | 2 +- .../common/grpc-protection-unary-traffic.md | 2 +- .../common/http-compliance-subviolations.md | 2 +- .../config/common/ip-intelligence-conf.md | 2 +- .../config/common/json-web-token-overview.md | 6 +- .../common/json-web-tokens-violations.md | 2 +- .../nginx-app-protect-waf-terminology.md | 18 +- .../parameters-and-user-defined-urls.md | 2 +- .../config/common/policy-configuration.md | 2 +- .../nap-waf/config/common/signature-sets.md | 4 +- 
.../config/common/signature-settings.md | 2 +- .../config/common/supported-violations.md | 6 +- .../common/types-of-openapi-references.md | 2 +- .../common/unsupported-configuration.md | 2 +- .../common/user-defined-signature-sets.md | 2 +- .../config/common/user-defined-signatures.md | 2 +- .../v5/build-nginx-image-oss/build-alpine.md | 2 +- .../v5/build-nginx-image-oss/build-amazon.md | 2 +- .../v5/build-nginx-image-oss/build-centos.md | 2 +- .../v5/build-nginx-image-oss/build-debian.md | 2 +- .../v5/build-nginx-image-oss/build-oracle.md | 2 +- .../v5/build-nginx-image-oss/build-rhel.md | 2 +- .../v5/build-nginx-image-oss/build-rocky.md | 2 +- .../v5/build-nginx-image-oss/build-ubuntu.md | 2 +- .../v5/build-nginx-image-plus/build-alpine.md | 2 +- .../v5/build-nginx-image-plus/build-amazon.md | 2 +- .../v5/build-nginx-image-plus/build-centos.md | 2 +- .../v5/build-nginx-image-plus/build-debian.md | 2 +- .../v5/build-nginx-image-plus/build-oracle.md | 2 +- .../v5/build-nginx-image-plus/build-rhel.md | 2 +- .../v5/build-nginx-image-plus/build-rocky.md | 2 +- .../v5/build-nginx-image-plus/build-ubuntu.md | 2 +- .../nginx-oss-alpine.md | 4 +- .../nginx-oss-amazon.md | 4 +- .../nginx-oss-centos.md | 4 +- .../nginx-oss-debian.md | 4 +- .../nginx-oss-ubuntu.md | 4 +- .../nginx-plus-alpine.md | 4 +- .../nginx-plus-amazon.md | 4 +- .../nginx-plus-centos-8.md | 4 +- .../nginx-plus-centos-9.md | 4 +- .../nginx-plus-debian.md | 4 +- .../nginx-plus-ubuntu.md | 4 +- .../includes/nap-waf/default-conf-hostname.md | 2 +- .../nap-waf/default-conf-localhost.md | 2 +- .../includes/nap-waf/download-certificates.md | 2 +- .../includes/nap-waf/how-to/enable-graphql.md | 4 +- .../nap-waf/nap-k8s-readonly-introduction.md | 4 +- .../nap-waf/nap-k8s-readonly-issues.md | 2 +- .../nap-waf/nap-k8s-readonly-paths.md | 4 +- .../nap-waf/nginx-conf-hostname-docker.md | 4 +- .../includes/nap-waf/nginx-conf-localhost.md | 4 +- .../nginxaas-azure/ncu-description.md | 2 +- 
.../nic/compatibility-tables/nic-nap.md | 2 +- ...advanced-configuration-with-annotations.md | 4 +- .../nic/configuration/policy-resource.md | 20 +- .../includes/nic/configuration/security.md | 4 +- content/includes/nic/rbac/set-up-rbac.md | 4 +- .../nim/tech-specs/nim-app-protect-support.md | 4 +- .../security-data-plane-dependencies.md | 4 +- .../nms/services/platform-services.md | 2 +- .../includes/waf/dockerfiles/alpine-oss.md | 39 + .../includes/waf/dockerfiles/alpine-plus.md | 35 + .../includes/waf/dockerfiles/amazon-oss.md | 43 + .../includes/waf/dockerfiles/amazon-plus.md | 36 + .../includes/waf/dockerfiles/debian-oss.md | 52 + .../includes/waf/dockerfiles/debian-plus.md | 49 + .../includes/waf/dockerfiles/official-oss.md | 31 + .../includes/waf/dockerfiles/oracle-oss.md | 43 + .../includes/waf/dockerfiles/oracle-plus.md | 37 + content/includes/waf/dockerfiles/rhel8-oss.md | 54 + .../includes/waf/dockerfiles/rhel8-plus.md | 53 + content/includes/waf/dockerfiles/rhel9-oss.md | 54 + .../includes/waf/dockerfiles/rhel9-plus.md | 38 + .../includes/waf/dockerfiles/rocky9-oss.md | 44 + .../includes/waf/dockerfiles/rocky9-plus.md | 38 + .../includes/waf/dockerfiles/ubuntu-oss.md | 52 + .../includes/waf/dockerfiles/ubuntu-plus.md | 49 + content/includes/waf/install-build-image.md | 47 + .../waf/install-create-configuration.md | 18 + content/includes/waf/install-next-steps.md | 10 + content/includes/waf/install-post-checks.md | 63 + .../includes/waf/install-selinux-warning.md | 10 + .../includes/waf/install-services-compose.md | 44 + .../includes/waf/install-services-docker.md | 15 + .../includes/waf/install-services-images.md | 12 + .../includes/waf/install-services-registry.md | 11 + .../waf/install-update-configuration.md | 29 + content/includes/waf/policy.html | 6788 +++++++++++++++++ content/includes/waf/table-policy-features.md | 29 + content/nap-dos/_index.md | 11 +- content/nap-dos/deployment-guide/_index.md | 2 +- 
...with-dos-and-waf-on-amazon-web-services.md | 68 +- .../learn-about-deployment.md | 154 +- .../nap-dos/directives-and-policy/_index.md | 2 +- .../learn-about-directives-and-policy.md | 40 +- content/nap-dos/monitoring/_index.md | 2 +- content/nap-dos/monitoring/access-log.md | 4 +- .../monitoring/live-activity-monitoring.md | 14 +- content/nap-dos/monitoring/operation-log.md | 8 +- content/nap-dos/monitoring/security-log.md | 10 +- content/nap-dos/monitoring/types-of-logs.md | 24 +- content/nap-dos/releases/_index.md | 2 +- content/nap-dos/releases/about-1.0.md | 4 +- content/nap-dos/releases/about-1.1.0.md | 10 +- content/nap-dos/releases/about-1.1.1.md | 4 +- content/nap-dos/releases/about-1.2.0.md | 4 +- content/nap-dos/releases/about-2.0.md | 8 +- content/nap-dos/releases/about-2.1.md | 4 +- content/nap-dos/releases/about-2.2.md | 8 +- content/nap-dos/releases/about-2.3.md | 4 +- content/nap-dos/releases/about-2.4.md | 8 +- content/nap-dos/releases/about-3.0.md | 12 +- content/nap-dos/releases/about-3.1.md | 14 +- content/nap-dos/releases/about-4.0.md | 6 +- content/nap-dos/releases/about-4.1.md | 10 +- content/nap-dos/releases/about-4.2.md | 10 +- content/nap-dos/releases/about-4.3.md | 6 +- content/nap-dos/releases/about-4.4.md | 6 +- content/nap-dos/releases/about-4.5.md | 8 +- content/nap-dos/releases/about-4.6.md | 6 +- content/nap-dos/releases/about-4.7.md | 6 +- .../nap-dos/troubleshooting-guide/_index.md | 2 +- .../how-to-troubleshoot.md | 20 +- .../policy-lifecycle-management.md | 6 +- .../v5/configuration-guide/configuration.md | 1 - content/nginx-one/_index.md | 4 +- content/nginx-one/changelog.md | 4 +- content/nginx-one/glossary.md | 2 +- .../nap-integration/configure-policy.md | 6 +- content/nginx-one/nap-integration/overview.md | 8 +- .../nap-integration/review-policy.md | 2 +- content/nginxaas-azure/app-protect/_index.md | 2 +- .../app-protect/configure-waf.md | 14 +- .../nginxaas-azure/app-protect/disable-waf.md | 6 +- 
.../app-protect/enable-logging.md | 2 +- .../nginxaas-azure/app-protect/enable-waf.md | 8 +- content/nginxaas-azure/billing/overview.md | 2 +- .../changelog-archive/changelog-2024.md | 6 +- content/nginxaas-azure/changelog.md | 8 +- content/nginxaas-azure/get-help/support.md | 4 +- .../getting-started/migrate-from-standard.md | 2 +- content/nginxaas-azure/known-issues.md | 2 +- .../overview/feature-comparison.md | 2 +- ...advanced-configuration-with-annotations.md | 4 +- content/nic/configuration/policy-resource.md | 14 +- content/nic/configuration/security.md | 4 +- .../build-nginx-ingress-controller.md | 18 +- .../deploy-with-nap-using-helm.md | 8 +- .../installing-nic/installation-with-helm.md | 30 +- .../installation-with-manifests.md | 26 +- .../integrations/app-protect-dos/_index.md | 4 +- .../app-protect-dos/configuration.md | 2 +- .../app-protect-dos/dos-protected.md | 10 +- .../app-protect-dos/installation.md | 29 +- .../troubleshoot-app-protect-dos.md | 2 +- .../integrations/app-protect-waf-v5/_index.md | 2 +- .../compile-waf-policies.md | 8 +- .../app-protect-waf-v5/configuration.md | 22 +- .../app-protect-waf-v5/installation.md | 42 +- .../troubleshoot-app-protect-waf.md | 14 +- .../integrations/app-protect-waf/_index.md | 2 +- .../app-protect-waf/configuration.md | 46 +- .../app-protect-waf/installation.md | 32 +- .../nic-images/registry-download.md | 16 +- .../nic/logging-and-monitoring/status-page.md | 2 +- content/nic/releases.md | 18 +- content/nic/technical-specifications.md | 20 +- content/nic/tutorials/security-monitoring.md | 10 +- content/nim/_index.md | 6 +- content/nim/fundamentals/tech-specs.md | 2 +- content/nim/nginx-app-protect/_index.md | 2 +- .../manage-waf-security-policies.md | 16 +- .../overview-nap-waf-config-management.md | 18 +- ...ccess-to-security-monitoring-dashboards.md | 2 +- .../set-up-app-protect-instances.md | 34 +- .../security-monitoring/update-geo-db.md | 2 +- .../security-monitoring/update-signatures.md | 4 +- 
.../setup-waf-config-management.md | 124 +- content/nim/releases/known-issues.md | 8 +- content/nim/releases/release-notes.md | 46 +- content/nms/about.md | 2 +- .../acm/how-to/policies/advanced-security.md | 6 +- .../nms/nginx-agent/install-nginx-agent.md | 10 +- .../getting-started/waf-config-management.md | 4 +- .../solutions/about-subscription-licenses.md | 12 +- content/waf/_index.md | 41 + content/waf/changelog.md | 190 + content/waf/configure/_index.md | 5 + content/waf/configure/apreload.md | 86 + content/waf/configure/compiler.md | 279 + content/waf/configure/converters.md | 457 ++ content/waf/configure/kubernetes-read-only.md | 209 + content/waf/configure/nginx-features.md | 192 + content/waf/configure/secure-mtls.md | 229 + content/waf/configure/selinux.md | 46 + content/waf/fundamentals/_index.md | 5 + content/waf/fundamentals/overview.md | 40 + .../fundamentals/technical-specifications.md | 66 + content/waf/fundamentals/terminology.md | 46 + content/waf/install/_index.md | 5 + .../waf/install/disconnected-environment.md | 116 + content/waf/install/docker.md | 1326 ++++ content/waf/install/kubernetes-plm.md | 1382 ++++ content/waf/install/kubernetes.md | 587 ++ content/waf/install/uninstall.md | 62 + content/waf/install/update-signatures.md | 41 + content/waf/install/upgrade.md | 65 + content/waf/install/virtual-environment.md | 187 + content/waf/logging/_index.md | 5 + content/waf/logging/access-logs.md | 63 + content/waf/logging/debug-logs.md | 75 + content/waf/logging/logs-overview.md | 134 + content/waf/logging/operation-logs.md | 166 + content/waf/logging/security-logs.md | 326 + content/waf/policies/_index.md | 5 + content/waf/policies/allowed-methods.md | 77 + content/waf/policies/attack-signatures.md | 290 + content/waf/policies/brute-force-attacks.md | 185 + content/waf/policies/configuration.md | 394 + content/waf/policies/cookie-enforcement.md | 43 + content/waf/policies/data-guard.md | 128 + content/waf/policies/deny-allow-ip.md | 125 + 
content/waf/policies/disallowed-extensions.md | 22 + content/waf/policies/evasion-techniques.md | 80 + content/waf/policies/geolocation.md | 91 + content/waf/policies/graphql-protection.md | 383 + content/waf/policies/grpc-protection.md | 516 ++ content/waf/policies/http-compliance.md | 79 + content/waf/policies/ip-address-lists.md | 155 + content/waf/policies/ip-intelligence.md | 359 + content/waf/policies/jwt-protection.md | 303 + content/waf/policies/parameter-reference.md | 7 + .../policies/server-technology-signatures.md | 133 + content/waf/policies/threat-campaigns.md | 36 + .../policies/time-based-signature-staging.md | 126 + content/waf/policies/user-headers.md | 96 + content/waf/policies/xff-headers.md | 51 + content/waf/policies/xml-json-content.md | 309 + content/waf/support.md | 138 + data/product-selector.yaml | 8 +- documentation/proposals/DOP-001.md | 66 +- documentation/proposals/README.md | 2 +- documentation/style-guide.md | 6 +- documentation/writing-hugo.md | 2 +- 277 files changed, 19269 insertions(+), 865 deletions(-) create mode 100644 _banners/waf-early-availability.md create mode 100644 _banners/waf-unification-notice.md create mode 100644 _banners/waf-virtual-restriction.md create mode 100644 content/includes/waf/dockerfiles/alpine-oss.md create mode 100644 content/includes/waf/dockerfiles/alpine-plus.md create mode 100644 content/includes/waf/dockerfiles/amazon-oss.md create mode 100644 content/includes/waf/dockerfiles/amazon-plus.md create mode 100644 content/includes/waf/dockerfiles/debian-oss.md create mode 100644 content/includes/waf/dockerfiles/debian-plus.md create mode 100644 content/includes/waf/dockerfiles/official-oss.md create mode 100644 content/includes/waf/dockerfiles/oracle-oss.md create mode 100644 content/includes/waf/dockerfiles/oracle-plus.md create mode 100644 content/includes/waf/dockerfiles/rhel8-oss.md create mode 100644 content/includes/waf/dockerfiles/rhel8-plus.md create mode 100644 
content/includes/waf/dockerfiles/rhel9-oss.md create mode 100644 content/includes/waf/dockerfiles/rhel9-plus.md create mode 100644 content/includes/waf/dockerfiles/rocky9-oss.md create mode 100644 content/includes/waf/dockerfiles/rocky9-plus.md create mode 100644 content/includes/waf/dockerfiles/ubuntu-oss.md create mode 100644 content/includes/waf/dockerfiles/ubuntu-plus.md create mode 100644 content/includes/waf/install-build-image.md create mode 100644 content/includes/waf/install-create-configuration.md create mode 100644 content/includes/waf/install-next-steps.md create mode 100644 content/includes/waf/install-post-checks.md create mode 100644 content/includes/waf/install-selinux-warning.md create mode 100644 content/includes/waf/install-services-compose.md create mode 100644 content/includes/waf/install-services-docker.md create mode 100644 content/includes/waf/install-services-images.md create mode 100644 content/includes/waf/install-services-registry.md create mode 100644 content/includes/waf/install-update-configuration.md create mode 100644 content/includes/waf/policy.html create mode 100644 content/includes/waf/table-policy-features.md create mode 100644 content/waf/_index.md create mode 100644 content/waf/changelog.md create mode 100644 content/waf/configure/_index.md create mode 100644 content/waf/configure/apreload.md create mode 100644 content/waf/configure/compiler.md create mode 100644 content/waf/configure/converters.md create mode 100644 content/waf/configure/kubernetes-read-only.md create mode 100644 content/waf/configure/nginx-features.md create mode 100644 content/waf/configure/secure-mtls.md create mode 100644 content/waf/configure/selinux.md create mode 100644 content/waf/fundamentals/_index.md create mode 100644 content/waf/fundamentals/overview.md create mode 100644 content/waf/fundamentals/technical-specifications.md create mode 100644 content/waf/fundamentals/terminology.md create mode 100644 content/waf/install/_index.md create mode 
100644 content/waf/install/disconnected-environment.md create mode 100644 content/waf/install/docker.md create mode 100644 content/waf/install/kubernetes-plm.md create mode 100644 content/waf/install/kubernetes.md create mode 100644 content/waf/install/uninstall.md create mode 100644 content/waf/install/update-signatures.md create mode 100644 content/waf/install/upgrade.md create mode 100644 content/waf/install/virtual-environment.md create mode 100644 content/waf/logging/_index.md create mode 100644 content/waf/logging/access-logs.md create mode 100644 content/waf/logging/debug-logs.md create mode 100644 content/waf/logging/logs-overview.md create mode 100644 content/waf/logging/operation-logs.md create mode 100644 content/waf/logging/security-logs.md create mode 100644 content/waf/policies/_index.md create mode 100644 content/waf/policies/allowed-methods.md create mode 100644 content/waf/policies/attack-signatures.md create mode 100644 content/waf/policies/brute-force-attacks.md create mode 100644 content/waf/policies/configuration.md create mode 100644 content/waf/policies/cookie-enforcement.md create mode 100644 content/waf/policies/data-guard.md create mode 100644 content/waf/policies/deny-allow-ip.md create mode 100644 content/waf/policies/disallowed-extensions.md create mode 100644 content/waf/policies/evasion-techniques.md create mode 100644 content/waf/policies/geolocation.md create mode 100644 content/waf/policies/graphql-protection.md create mode 100644 content/waf/policies/grpc-protection.md create mode 100644 content/waf/policies/http-compliance.md create mode 100644 content/waf/policies/ip-address-lists.md create mode 100644 content/waf/policies/ip-intelligence.md create mode 100644 content/waf/policies/jwt-protection.md create mode 100644 content/waf/policies/parameter-reference.md create mode 100644 content/waf/policies/server-technology-signatures.md create mode 100644 content/waf/policies/threat-campaigns.md create mode 100644 
content/waf/policies/time-based-signature-staging.md create mode 100644 content/waf/policies/user-headers.md create mode 100644 content/waf/policies/xff-headers.md create mode 100644 content/waf/policies/xml-json-content.md create mode 100644 content/waf/support.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 3d6f1daf8..f08087005 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -22,10 +22,10 @@ # NGINX Agent content/nginx/nms/agent/* @nginx/nginx-agent -# NGINX App Protect DoS +# F5 DoS for NGINX content/nap-dos/* @nginx/dos-docs-approvers -# NGINX App Protect WAF +# F5 WAF for NGINX content/nap-waf/* @nginx/nap-docs-approvers data/nap-waf/* @nginx/nap-docs-approvers diff --git a/_banners/waf-early-availability.md b/_banners/waf-early-availability.md new file mode 100644 index 000000000..2c74e5597 --- /dev/null +++ b/_banners/waf-early-availability.md @@ -0,0 +1,5 @@ +{{< banner "warning" "Early availability feature" >}} + +This functionality is available as an early availability feature in the latest release. + +{{< /banner >}} \ No newline at end of file diff --git a/_banners/waf-unification-notice.md b/_banners/waf-unification-notice.md new file mode 100644 index 000000000..f9bbde18e --- /dev/null +++ b/_banners/waf-unification-notice.md @@ -0,0 +1,7 @@ +{{< banner "note" "Documentation changes" >}} + +Welcome to the F5 WAF for NGINX documentation! This product was formerly known as NGINX App Protect WAF. + +Documentation is being incrementally rewritten: if you're looking for information that hasn't been re-integrated yet, you can still browse [the old documentation]({{< ref "/nap-waf" >}}). + +{{< /banner >}} \ No newline at end of file diff --git a/_banners/waf-virtual-restriction.md b/_banners/waf-virtual-restriction.md new file mode 100644 index 000000000..4edc2e4be --- /dev/null +++ b/_banners/waf-virtual-restriction.md 
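Review bot: The `CODEOWNERS` hunk only renames the comments; the patterns beneath them are still `content/nap-waf/*` and `data/nap-waf/*`, and no entry is added for `content/waf/*` even though the diffstat creates the whole new tree under that path, so the new F5 WAF for NGINX docs have no required reviewers. Add `content/waf/* @nginx/nap-docs-approvers` (or whichever team owns the new set) alongside the existing line.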
@@ -0,0 +1,7 @@ +{{< banner "note" "NGINX version restriction" >}} + +For a virtual machine or bare metal installation, only NGINX Plus is available. + +If you would like to use NGINX Open Source, you should follow [Docker]({{< ref "/waf/install/docker.md" >}}) or [Kubernetes]({{< ref "/waf/install/kubernetes.md" >}}) instructions. + +{{< /banner >}} \ No newline at end of file diff --git a/cloudcannon.config.yml b/cloudcannon.config.yml index 8aa064275..20e3bc41a 100644 --- a/cloudcannon.config.yml +++ b/cloudcannon.config.yml @@ -88,8 +88,8 @@ collections_config: nap_dos: path: content/nap-dos output: true - name: NGINX App Protect DoS - description: Documentation for NGINX App Protect DoS + name: F5 DoS for NGINX + description: Documentation for F5 DoS for NGINX parse_branch_index: false icon: notes preview: @@ -132,8 +132,8 @@ collections_config: nap_waf: path: content/nap-waf output: true - name: NGINX App Protect WAF - description: Documentation for NGINX App Protect WAF. + name: F5 WAF for NGINX + description: Documentation for F5 WAF for NGINX. parse_branch_index: false icon: notes preview: diff --git a/config/_default/config.toml b/config/_default/config.toml index 54c29d430..c80e3958a 100644 --- a/config/_default/config.toml +++ b/config/_default/config.toml @@ -20,6 +20,7 @@ enableGitInfo = true nim = '/nginx-instance-manager/:sections[1:]/:contentbasename' nms = '/nginx-management-suite/:sections[1:]/:contentbasename' unit = '/nginx-unit/:sections[1:]/:contentbasename' + waf = '/waf/:sections[1:]/:contentbasename' [caches] [caches.modules] diff --git a/content/_index.md b/content/_index.md index 77eb60731..515bcd330 100644 --- a/content/_index.md +++ b/content/_index.md 
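Review bot: In the `cloudcannon.config.yml` hunk the `nap_waf` collection is relabelled "F5 WAF for NGINX" while its `path` still points at `content/nap-waf`, the legacy tree the unification banner describes as "the old documentation", and no collection is added for the new `content/waf` tree; either keep the legacy collection labelled as such or add a separate collection for `content/waf` so editors are not steered into the old set under the new name. The three new `_banners/waf-*.md` files also end with "No newline at end of file" and should get a trailing newline.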
@@ -33,11 +33,11 @@ Learn how to deliver, manage, and protect your applications using F5 NGINX produ {{}} {{}} -{{}} - {{}} +{{}} + {{}} Lightweight, high-performance, advanced protection against Layer 7 attacks on your apps and APIs. {{}} - {{}} + {{}} Defend, adapt, and mitigate against Layer 7 denial-of-service attacks on your apps and APIs. {{}} {{}} diff --git a/content/controller/admin-guides/install/install-for-controller.md b/content/controller/admin-guides/install/install-for-controller.md index bd104db9f..7ddbeda31 100644 --- a/content/controller/admin-guides/install/install-for-controller.md +++ b/content/controller/admin-guides/install/install-for-controller.md @@ -1,8 +1,8 @@ --- -description: Take the steps in this guide to deploy F5 NGINX App Protect WAF as a +description: Take the steps in this guide to deploy F5 WAF for NGINX as a datapath instance for use with NGINX Controller. nd-docs: DOCS-645 -title: Using NGINX App Protect WAF with NGINX Controller +title: Using F5 WAF for NGINX with NGINX Controller toc: true weight: 500 type: 
@@ -13,12 +13,12 @@ type: ## Setup -Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/admin-guide/install#prerequisites" >}}), [Platform Security Considerations]({{< ref "/nap-waf/v4/admin-guide/install#platform-security-considerations" >}}) and [User Permissions]({{< ref "/nap-waf/v4/admin-guide/install#user-permissions" >}}) sections of the NGINX App Protect WAF Admin Guide. +Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/admin-guide/install#prerequisites" >}}), [Platform Security Considerations]({{< ref "/nap-waf/v4/admin-guide/install#platform-security-considerations" >}}) and [User Permissions]({{< ref "/nap-waf/v4/admin-guide/install#user-permissions" >}}) sections of the F5 WAF for NGINX Admin Guide. -## Install NGINX App Protect WAF +## Install F5 WAF for NGINX -**Note:** If a version of NGINX App Protect WAF prior to 3.6 is required, please contact the NGINX Sales team to assist with this configuration. +**Note:** If a version of F5 WAF for NGINX prior to 3.6 is required, please contact the NGINX Sales team to assist with this configuration. {{}} 
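Review bot: The "Setup" hunk renames the product to F5 WAF for NGINX but leaves all three links pointing at the legacy `/nap-waf/v4/admin-guide/install` page, so a reader following "F5 WAF for NGINX Admin Guide" lands in the tree the commit message says is being replaced; if the prerequisites, platform security and user permission sections have counterparts under the new `content/waf/` tree created in this diffstat, update the refs, otherwise keep the link text naming the legacy guide explicitly.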
@@ -66,19 +66,19 @@ Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/ad sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo ``` -8. Add NGINX App Protect WAF repository by downloading the file app-protect-7.repo to /etc/yum.repos.d: +8. Add F5 WAF for NGINX repository by downloading the file app-protect-7.repo to /etc/yum.repos.d: ```shell sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo ``` -9. If NGINX Plus or NGINX App Protect WAF was previously installed on the system, clean up package manager cache information: +9. If NGINX Plus or F5 WAF for NGINX was previously installed on the system, clean up package manager cache information: ```shell sudo yum clean all ``` -10. Install the latest NGINX App Protect WAF package. +10. Install the latest F5 WAF for NGINX package. **See Also:** Please refer to [NGINX App Protect Compatibility Matrix]({{< ref "/controller/admin-guides/install/nginx-controller-tech-specs.md#nginx-app-protect-compatibility-matrix" >}}) for specific version compatibility. 
@@ -94,7 +94,7 @@ Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/ad sudo nginx -v ``` -12. Configure SELinux as appropriate per your organization’s security policies. NGINX App Protect WAF applies the prebuilt SELinux policy module during the installation. If you encounter any issues, check the [Troubleshooting Guide]({{< ref "/nap-waf/v4/troubleshooting-guide/troubleshooting#selinux" >}}). +12. Configure SELinux as appropriate per your organization’s security policies. F5 WAF for NGINX applies the prebuilt SELinux policy module during the installation. If you encounter any issues, check the [Troubleshooting Guide]({{< ref "/nap-waf/v4/troubleshooting-guide/troubleshooting#selinux" >}}). **Note:** NGINX Controller has specific [requirements regarding SELinux configuration]({{< ref "/controller/admin-guides/install/nginx-controller-tech-specs.md#supported-distributions" >}}). @@ -171,7 +171,7 @@ Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/ad sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo ``` -8. Add NGINX App Protect WAF repository by downloading the file app-protect-7.repo to /etc/yum.repos.d: +8. Add F5 WAF for NGINX repository by downloading the file app-protect-7.repo to /etc/yum.repos.d: ```shell sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo 
@@ -204,13 +204,13 @@ Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/ad gpgkey=http://ftp.heanet.ie/pub/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7 ``` -10. If NGINX Plus or NGINX App Protect WAF was previously installed on the system, clean up package manager cache information: +10. If NGINX Plus or F5 WAF for NGINX was previously installed on the system, clean up package manager cache information: ```shell sudo yum clean all ``` -11. Install the latest NGINX App Protect WAF package. +11. Install the latest F5 WAF for NGINX package. **See Also:** Please refer to [NGINX App Protect Compatibility Matrix]({{< ref "/controller/admin-guides/install/nginx-controller-tech-specs.md#nginx-app-protect-compatibility-matrix" >}}) for specific version compatibility. @@ -226,7 +226,7 @@ Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/ad sudo nginx -v ``` -13. Configure SELinux as appropriate per your organization’s security policies. NGINX App Protect WAF applies the prebuilt SELinux policy module during the installation. If you encounter any issues, check the [Troubleshooting Guide]({{< ref "/nap-waf/v4/troubleshooting-guide/troubleshooting#selinux" >}}). +13. Configure SELinux as appropriate per your organization’s security policies. F5 WAF for NGINX applies the prebuilt SELinux policy module during the installation. If you encounter any issues, check the [Troubleshooting Guide]({{< ref "/nap-waf/v4/troubleshooting-guide/troubleshooting#selinux" >}}). **Note:** NGINX Controller has specific [requirements regarding SELinux configuration]({{< ref "/controller/admin-guides/install/nginx-controller-tech-specs.md#supported-distributions" >}}). 
@@ -263,7 +263,7 @@ Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/ad {{%tab name="Debian"%}} -**Note:** As of NGINX Plus R24, support for Debian 9 is no longer available. As a consequence, NGINX App Protect WAF 3.1 is the final version available for this operating system version. +**Note:** As of NGINX Plus R24, support for Debian 9 is no longer available. As a consequence, F5 WAF for NGINX 3.1 is the final version available for this operating system version. 1. If you already have NGINX packages in your system, back up your configs and logs: @@ -312,7 +312,7 @@ Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/ad printf "deb https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-plus.list ``` -9. Add NGINX App Protect WAF repository: +9. Add F5 WAF for NGINX repository: ```shell printf "deb https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-app-protect.list @@ -324,7 +324,7 @@ Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/ad sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx ``` -11. Update the repository and install the lastest supported NGINX App Protect WAF packages. +11. Update the repository and install the lastest supported F5 WAF for NGINX packages. **See Also:** Please refer to [NGINX App Protect Compatibility Matrix]({{< ref "/controller/admin-guides/install/nginx-controller-tech-specs.md#nginx-app-protect-compatibility-matrix" >}}) for specific version compatibility. 
@@ -430,7 +430,7 @@ Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/ad printf "deb https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-plus.list ``` -9. Add NGINX App Protect WAF repository: +9. Add F5 WAF for NGINX repository: ```shell printf "deb https://pkgs.nginx.com/app-protect/ubuntu `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-app-protect.list @@ -442,7 +442,7 @@ Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/ad sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx ``` -11. Update the repository and install the latest App Protect WAF package. +11. Update the repository and install the latest F5 WAF for NGINX package. **See Also:** Please refer to [NGINX App Protect Compatibility Matrix]({{< ref "/controller/admin-guides/install/nginx-controller-tech-specs.md#nginx-app-protect-compatibility-matrix" >}}) for specific version compatibility. 
@@ -497,34 +497,34 @@ Before proceeding, you should review the [Prerequisites]({{< ref "/nap-waf/v4/ad 16. To upgrade your signature package to the latest version and obtain the best protection, refer to [Updating App Protect Attack Signatures]({{< ref "/nap-waf/v4/admin-guide/install#ubuntu-1804" >}}). - **Note:** Ubuntu 20.04 activates **AppArmor** by default, but NGINX App Protect WAF will run in unconfined mode after being installed as it is shipped with no AppArmor profile. To benefit from AppArmor access control capabilities for NGINX App Protect WAF, you will have to write your own AppArmor profile for NGINX App Protect WAF executables found in `/opt/app_protect/bin` such that it best suits your environment. + **Note:** Ubuntu 20.04 activates **AppArmor** by default, but F5 WAF for NGINX will run in unconfined mode after being installed as it is shipped with no AppArmor profile. To benefit from AppArmor access control capabilities for F5 WAF for NGINX, you will have to write your own AppArmor profile for F5 WAF for NGINX executables found in `/opt/app_protect/bin` such that it best suits your environment. {{%/tab%}} {{%tab name="Amazon Linux 2 LTS"%}} -Using NGINX App Protect WAF with NGINX Controller isn't supported on Amazon Linux 2 LTS. +Using F5 WAF for NGINX with NGINX Controller isn't supported on Amazon Linux 2 LTS. {{%/tab%}} {{%tab name="Alpine"%}} -Using NGINX App Protect WAF with NGINX Controller isn't supported on Alpine. +Using F5 WAF for NGINX with NGINX Controller isn't supported on Alpine. {{%/tab%}} {{}}
-## Add NGINX App Protect WAF to NGINX Controller +## Add F5 WAF for NGINX to NGINX Controller -If this NGINX Plus instance is already managed by Controller, [restart the Agent]({{< ref "/controller/admin-guides/install/agent-restart" >}}) after NGINX App Protect WAF is installed. +If this NGINX Plus instance is already managed by Controller, [restart the Agent]({{< ref "/controller/admin-guides/install/agent-restart" >}}) after F5 WAF for NGINX is installed. -Otherwise, complete the tasks in the NGINX Controller [Add an NGINX App Protect WAF Instance]({{< ref "/controller/infrastructure/instances/add-nap-instance.md#add-the-nginx-app-protect-instance" >}}) guide. +Otherwise, complete the tasks in the NGINX Controller [Add an F5 WAF for NGINX Instance]({{< ref "/controller/infrastructure/instances/add-nap-instance.md#add-the-nginx-app-protect-instance" >}}) guide. -## Use NGINX App Protect WAF with NGINX Controller +## Use F5 WAF for NGINX with NGINX Controller -**Note:** When configuring NGINX App Protect WAF as a datapath instance for NGINX Controller, **you should not modify the `nginx.conf` file**. The `nginx.conf` file will be automatically updated when enabling WAF on a Component in NGINX Controller. +**Note:** When configuring F5 WAF for NGINX as a datapath instance for NGINX Controller, **you should not modify the `nginx.conf` file**. The `nginx.conf` file will be automatically updated when enabling WAF on a Component in NGINX Controller. Refer to the following NGINX Controller user guides for further information about how to secure your apps and/or APIs with NGINX Controller: diff --git a/content/controller/app-delivery/about-snippets.md b/content/controller/app-delivery/about-snippets.md index cbeed3b4f..83c3c063f 100644 --- a/content/controller/app-delivery/about-snippets.md +++ b/content/controller/app-delivery/about-snippets.md 
@@ -557,7 +557,7 @@ The `reuseport` parameter creates an individual listening socket for each worker ## Extend App Security with Snippets -When adding [NGINX Controller App Security]({{< ref "add-app-security-with-waf" >}}) to your components, you can use Snippets to add NGINX App Protect directives that aren't represented in the NGINX Controller API. You can also use Snippets to [tune your NGINX App Protect WAF performance]({{< ref "/controller/app-delivery/security/tutorials/tune-waf-for-app" >}}). +When adding [NGINX Controller App Security]({{< ref "add-app-security-with-waf" >}}) to your components, you can use Snippets to add NGINX App Protect directives that aren't represented in the NGINX Controller API. You can also use Snippets to [tune your F5 WAF for NGINX performance]({{< ref "/controller/app-delivery/security/tutorials/tune-waf-for-app" >}}). Refer to [Extend App Security with Snippets]({{< ref "extend-app-security-snippets" >}}) for more information and examples. diff --git a/content/controller/app-delivery/security/concepts/bring-your-own-policy.md b/content/controller/app-delivery/security/concepts/bring-your-own-policy.md index fc1ec87ae..b9a72634e 100644 --- a/content/controller/app-delivery/security/concepts/bring-your-own-policy.md +++ b/content/controller/app-delivery/security/concepts/bring-your-own-policy.md @@ -1,5 +1,5 @@ --- -description: Learn how to use your own F5 NGINX App Protect WAF policies with NGINX +description: Learn how to use your own F5 WAF for NGINX policies with NGINX Controller. nd-docs: DOCS-481 title: Bring Your Own WAF Policy 
@@ -17,26 +17,26 @@ A BYO NGINX App Protect policy lets you maintain consistent Security Policies ac To export a policy from F5 Advanced WAF or ASM, take the following steps: -1. Convert your F5 XML security policy to an NGINX App Protect WAF declarative JSON policy using the [NGINX App Protect Policy Converter tool](https://docs.nginx.com/nginx-app-protect/configuration/#policy-converter). +1. Convert your F5 XML security policy to an F5 WAF for NGINX declarative JSON policy using the [NGINX App Protect Policy Converter tool](https://docs.nginx.com/nginx-app-protect/configuration/#policy-converter). {{< call-out "note" >}}We recommend using the Converter tool that corresponds with the most recent NGINX App Protect version.{{< /call-out >}} 2. Use the NGINX App Protect declarative JSON policy as the WAF policy in NGINX Controller for your app component(s).   -With a BYO NGINX App Protect policy, you can also provide customized security by crafting an NGINX App Protect WAF policy that specifies the security controls appropriate for your apps. For more information on how to configure an NGINX App Protect WAF policy, refer to the [NGINX App Protect Configuration Guide](https://docs.nginx.com/nginx-app-protect/configuration/). +With a BYO NGINX App Protect policy, you can also provide customized security by crafting an F5 WAF for NGINX policy that specifies the security controls appropriate for your apps. For more information on how to configure an F5 WAF for NGINX policy, refer to the [NGINX App Protect Configuration Guide](https://docs.nginx.com/nginx-app-protect/configuration/). ## Security Strategy for BYO NGINX App Protect Policy The BYO NGINX App Protect policy uses the concept of a [Security Strategy]({{< ref "/controller/app-delivery/security/concepts/what-is-waf.md#security-policy-and-security-strategy" >}}) With the BYO NGINX App Protect policy feature, you can specify the exact NGINX App Protect policy for the Security Strategy. 
Then, the Security Strategy can be shared across -- and referenced by -- multiple app components. -A Security Strategy can be comprised of various app-security-related Security Policies. NGINX Controller includes a custom NGINX App Protect WAF policy, which can be assigned to a Security Strategy. +A Security Strategy can be comprised of various app-security-related Security Policies. NGINX Controller includes a custom F5 WAF for NGINX policy, which can be assigned to a Security Strategy. -You can also add a BYO NGINX App Protect WAF policy in JSON format to NGINX Controller "as-is" for use in a Security Strategy. +You can also add a BYO F5 WAF for NGINX policy in JSON format to NGINX Controller "as-is" for use in a Security Strategy. -An **App Component** contains a reference to a **Security Strategy**, which, in turn, references a Security Policy. This Security Policy contains the **NGINX App Protect WAF policy**. +An **App Component** contains a reference to a **Security Strategy**, which, in turn, references a Security Policy. This Security Policy contains the **F5 WAF for NGINX policy**. Refer to the topic [Enable WAF for a Component Using Your Own NGINX App Protect Policy]({{< ref "/controller/app-delivery/security/tutorials/add-app-security-with-waf.md#enable-waf-for-a-component-using-your-own-nap-policy-beta" >}}) to get started. 
@@ -44,8 +44,8 @@ Refer to the topic [Enable WAF for a Component Using Your Own NGINX App Protect BYO NAP WAF policy currently has the following limitations: -- The size of the BYO NGINX App Protect WAF policy that's referenced by app components may affect application performance. -- References to external files, such as the following, in the NGINX App Protect WAF JSON declarative policy are not supported: +- The size of the BYO F5 WAF for NGINX policy that's referenced by app components may affect application performance. +- References to external files, such as the following, in the F5 WAF for NGINX JSON declarative policy are not supported: - User Defined Signatures - Security controls in external references - Referenced OpenAPI spec files diff --git a/content/controller/app-delivery/security/concepts/extend-app-security-snippets.md b/content/controller/app-delivery/security/concepts/extend-app-security-snippets.md index 60a6d68eb..c2bc242b2 100644 --- a/content/controller/app-delivery/security/concepts/extend-app-security-snippets.md +++ b/content/controller/app-delivery/security/concepts/extend-app-security-snippets.md 
@@ -14,7 +14,7 @@ type: F5 NGINX Controller [Snippets]({{< ref "/controller/app-delivery/about-snippets.md" >}}) let you customize your NGINX configuration by adding NGINX directives that aren't represented by the NGINX Controller API. -Snippets also let you customize App Security for your Components by adding NGINX App Protect directives that aren't present in the NGINX Controller API. You can use Snippets when [tuning your NGINX App Protect WAF performance]({{< ref "/controller/app-delivery/security/tutorials/tune-waf-for-app" >}}) as well. +Snippets also let you customize App Security for your Components by adding NGINX App Protect directives that aren't present in the NGINX Controller API. You can use Snippets when [tuning your F5 WAF for NGINX performance]({{< ref "/controller/app-delivery/security/tutorials/tune-waf-for-app" >}}) as well. {{< call-out "caution" >}} When you use Snippets to customize your NGINX configuration, your changes are applied to the `nginx.conf` file *as is*. NGINX Controller does not verify that your configuration is valid before applying the Snippet. 
@@ -92,10 +92,10 @@ Using local files as a backup for Security Events may use up disk space and affe ### Add Location of User-Defined Signature Definition File -When using [Bring Your Own WAF Policy]({{< ref "/controller/app-delivery/security/concepts/bring-your-own-policy" >}}) in NGINX Controller, you can define a URI Snippet for a Gateway API to define the location for your User-Defined Signature Definition file. The User-Defined Signature can then be referenced in the custom NGINX App Protect WAF policy that you use for your Components. +When using [Bring Your Own WAF Policy]({{< ref "/controller/app-delivery/security/concepts/bring-your-own-policy" >}}) in NGINX Controller, you can define a URI Snippet for a Gateway API to define the location for your User-Defined Signature Definition file. The User-Defined Signature can then be referenced in the custom F5 WAF for NGINX policy that you use for your Components. {{< call-out "note" >}} -The file that contains the signature definition must already exist on your NGINX App Protect WAF instances. For more information regarding User-Defined Signatures, refer to the [NGINX App Protect WAF Configuration Guide](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#user-defined-signatures). +The file that contains the signature definition must already exist on your F5 WAF for NGINX instances. For more information regarding User-Defined Signatures, refer to the [F5 WAF for NGINX Configuration Guide](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#user-defined-signatures). {{< /call-out >}} The following example adds a URI snippet to the Gateway API definition that provides the location of the User-Defined Signature Definition file. 
@@ -197,9 +197,9 @@ We strongly recommend verifying Snippets in a lab environment before making any This example adds an HTTP Snippet to a Gateway to control the memory and CPU threshold values which determine when NGINX App Protect enters and exits failure mode. -In *failure mode*, App Protect WAF stops processing app traffic. Traffic is either dropped or passed through, as determined by the `app_protect_failure_mode_action` directive. +In *failure mode*, F5 WAF for NGINX stops processing app traffic. Traffic is either dropped or passed through, as determined by the `app_protect_failure_mode_action` directive. -The example below directs NGINX App Protect WAF to enter failure mode when memory utilization or CPU utilization reaches 85% and to exit failure mode when memory or CPU utilization drops to 60%. +The example below directs F5 WAF for NGINX to enter failure mode when memory utilization or CPU utilization reaches 85% and to exit failure mode when memory or CPU utilization drops to 60%. ```json { diff --git a/content/controller/app-delivery/security/concepts/what-is-waf.md b/content/controller/app-delivery/security/concepts/what-is-waf.md index 7859c350c..c03264384 100644 --- a/content/controller/app-delivery/security/concepts/what-is-waf.md +++ b/content/controller/app-delivery/security/concepts/what-is-waf.md 
@@ -23,10 +23,10 @@ A WAF protects your web apps by filtering, monitoring, and blocking any maliciou App Security on NGINX Controller provides an app‑centric self‑service model to address the security needs of modern apps. -The App Security add-on uses the NGINX App Protect Web Application Firewall (NGINX App Protect WAF) enforcement engine on the data path (data plane). +The App Security add-on uses the NGINX App Protect Web Application Firewall (F5 WAF for NGINX) enforcement engine on the data path (data plane). When you enable WAF on an app component using NGINX Controller, a security policy (sets of security controls and enforcement logic) is deployed and applied to configured NGINX App Protect instances that process traffic for the app component. -NGINX App Protect WAF inspects incoming traffic as specified in the Security Policy to identify potential threats. When malicious traffic is suspected or blocked, the NGINX Controller Analytics module logs security events and metrics. These are then included in the NGINX Controller Threat Visibility and Analytics reporting. +F5 WAF for NGINX inspects incoming traffic as specified in the Security Policy to identify potential threats. When malicious traffic is suspected or blocked, the NGINX Controller Analytics module logs security events and metrics. These are then included in the NGINX Controller Threat Visibility and Analytics reporting. {{< call-out "note" >}}To learn more, read the [Threat Visibility and Analytics](https://www.nginx.com/blog/threat-visibility-analytics-nginx-controller-app-security/) blog post on [nginx.com](https://nginx.com).{{< /call-out>}} 
@@ -34,7 +34,7 @@ NGINX App Protect WAF inspects incoming traffic as specified in the Security Pol ## Security Policy -In NGINX Controller, the Security Policy contains an NGINX App Protect WAF policy. The NGINX App Protect WAF policy has security controls and settings in a declarative JSON format. The Security Policy defines the rules and settings for application traffic inspection, detection of malicious traffic, and handling violations when they occur. For more about creating, updating, or deleting Security Policies, see the [Policies API Reference](https://docs.nginx.com/nginx-controller/api/ctlr-adc-api/#operation/listPolicies). +In NGINX Controller, the Security Policy contains an F5 WAF for NGINX policy. The F5 WAF for NGINX policy has security controls and settings in a declarative JSON format. The Security Policy defines the rules and settings for application traffic inspection, detection of malicious traffic, and handling violations when they occur. For more about creating, updating, or deleting Security Policies, see the [Policies API Reference](https://docs.nginx.com/nginx-controller/api/ctlr-adc-api/#operation/listPolicies). When enabling WAF to protect your Apps, you can either add your own custom Security Policy or use the default Security Policy. diff --git a/content/controller/app-delivery/security/tutorials/add-app-security-with-waf.md b/content/controller/app-delivery/security/tutorials/add-app-security-with-waf.md index 10b02146f..74c0e66d3 100644 --- a/content/controller/app-delivery/security/tutorials/add-app-security-with-waf.md +++ b/content/controller/app-delivery/security/tutorials/add-app-security-with-waf.md 
@@ -129,13 +129,13 @@ This JSON object should be added to the Component endpoint similar to the follow } ``` -## Enable WAF for a Component Using Your Own NGINX App Protect WAF Policy +## Enable WAF for a Component Using Your Own F5 WAF for NGINX Policy Instead of using NGINX Controller's default policy for WAF, you can [bring your own NGINX App Protect Policy]({{< ref "/controller/app-delivery/security/concepts/bring-your-own-policy.md" >}}) for use in a Security Strategy to protect your app components. -To do so, you first need to upload your NGINX App Protect WAF declarative JSON policy to the Security Policy endpoint and reference it in a Security Strategy. Then, you can reference the Security Strategy in the Component where you are enabling WAF. +To do so, you first need to upload your F5 WAF for NGINX declarative JSON policy to the Security Policy endpoint and reference it in a Security Strategy. Then, you can reference the Security Strategy in the Component where you are enabling WAF. -### Upload your NGINX App Protect WAF Policy +### Upload your F5 WAF for NGINX Policy To upload your NGINX App Protect declarative JSON Policy to NGINX Controller, use an HTTP client like cURL and send a `PUT` request to the [Security Policy REST API}(https://docs.nginx.com/nginx-controller/api/ctlr-adc-api/) The JSON object should be similar to the example below: 
@@ -154,9 +154,9 @@ The JSON object should be similar to the example below: } ``` -### Create or Update a Security Strategy with a BYO NGINX App Protect WAF Policy +### Create or Update a Security Strategy with a BYO F5 WAF for NGINX Policy -You can create or update a Security Strategy that references a BYO NGINX App Protect WAF policy by sending a `PUT` request to the [Strategies REST API](https://docs.nginx.com/nginx-controller/api/ctlr-adc-api/) endpoint. +You can create or update a Security Strategy that references a BYO F5 WAF for NGINX policy by sending a `PUT` request to the [Strategies REST API](https://docs.nginx.com/nginx-controller/api/ctlr-adc-api/) endpoint. The JSON object should be similar to the example below: @@ -181,7 +181,7 @@ The JSON object should be similar to the example below: ``` -### Add a BYO NGINX App Protect WAF policy to an App Component +### Add a BYO F5 WAF for NGINX policy to an App Component To add your BYO NGINX App Protect Policy to your App(s), you need to add a reference to the Security Strategy that contains the policy to your App Component. diff --git a/content/controller/releases/adc/adc-release-notes-3.20.md b/content/controller/releases/adc/adc-release-notes-3.20.md index 90cee4aff..3f03dab3c 100644 --- a/content/controller/releases/adc/adc-release-notes-3.20.md +++ b/content/controller/releases/adc/adc-release-notes-3.20.md 
@@ -51,9 +51,9 @@ Take note of the following considerations when upgrading to this version of the For more information, see the AskF5 article [K02089505](https://support.f5.com/csp/article/K02089505). -- **Bring your own custom NGINX App Protect WAF Policy to configure app security** +- **Bring your own custom F5 WAF for NGINX Policy to configure app security** - Now, you can [use your own custom NGINX App Protect WAF JSON declarative policy]({{< ref "/controller/app-delivery/security/concepts/bring-your-own-policy.md" >}}) as your WAF policy with NGINX Controller, in addition to using the default policy. F5 Advanced WAF and BIG-IP Application Security Module (ASM) customers can convert their standardized WAF policy to an App Protect policy to use with NGINX Controller. + Now, you can [use your own custom F5 WAF for NGINX JSON declarative policy]({{< ref "/controller/app-delivery/security/concepts/bring-your-own-policy.md" >}}) as your WAF policy with NGINX Controller, in addition to using the default policy. F5 Advanced WAF and BIG-IP Application Security Module (ASM) customers can convert their standardized WAF policy to an App Protect policy to use with NGINX Controller. ## NAP Vulnerability Fixes diff --git a/content/includes/acm/about/api-proxy-policies.md b/content/includes/acm/about/api-proxy-policies.md index 3a604af74..6a608f174 100644 --- a/content/includes/acm/about/api-proxy-policies.md +++ b/content/includes/acm/about/api-proxy-policies.md 
@@ -15,7 +15,7 @@ The following table shows the available API Proxy Policies you can use when crea | [Access Control Routing]({{< ref "/nms/acm/how-to/policies/access-control-routing" >}}) | | | Inbound | Restrict access to your application servers based on JWT claims or header values. | | [ACL Consumer Restriction]({{< ref "/nms/acm/how-to/policies/api-access-control-lists#create-acl-consumer-restriction-policy" >}}) | | | Inbound | Protect your upstream TCP application servers by denying/allowing access from certain consumers client IDs or authenticated JWT claims. | | [ACL IP Restriction]({{< ref "/nms/acm/how-to/policies/api-access-control-lists#create-acl-ip-restriction-policy" >}}) | | | Inbound | Protect your upstream TCP application servers by denying/allowing access from certain client IP addresses or CIDR blocks | -| [Advanced Security]({{< ref "/nms/acm/how-to/policies/advanced-security" >}}) | | | Inbound | Protect your upstream TCP application servers by applying an NGINX App Protect WAF policy to the traffic to your proxy | +| [Advanced Security]({{< ref "/nms/acm/how-to/policies/advanced-security" >}}) | | | Inbound | Protect your upstream TCP application servers by applying an F5 WAF for NGINX policy to the traffic to your proxy | | [Allowed HTTP Methods]({{< ref "/nms/acm/how-to/policies/allowed-http-methods" >}}) | | | Inbound | Restrict access to specific request methods and set a custom response code for non-matching requests. | | [APIKey Authentication]({{< ref "/nms/acm/how-to/policies/apikey-authn" >}}) | | | Inbound | Secure the API gateway proxy by adding an API key. | | [HTTP Backend Config]({{< ref "/nms/acm/how-to/policies/http-backend-configuration" >}}) | | | Inbound | Customize settings to ensure fault tolerance, maximize throughput, reduce latency, and optimize resource usage. | 
diff --git a/content/includes/nap-waf/build-from-official-nginx-image.md b/content/includes/nap-waf/build-from-official-nginx-image.md index 085908c9e..3125460de 100644 --- a/content/includes/nap-waf/build-from-official-nginx-image.md +++ b/content/includes/nap-waf/build-from-official-nginx-image.md @@ -12,7 +12,7 @@ nd-docs: "DOCS-1509" # Base image FROM nginx:1.25.5-bookworm -# Install NGINX App Protect WAF v5 module +# Install F5 WAF for NGINX v5 module RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ apt-get update \ diff --git a/content/includes/nap-waf/build-nginx-image-cmd.md b/content/includes/nap-waf/build-nginx-image-cmd.md index ddc2a7100..fb1e6e805 100644 --- a/content/includes/nap-waf/build-nginx-image-cmd.md +++ b/content/includes/nap-waf/build-nginx-image-cmd.md @@ -3,7 +3,7 @@ nd-docs: "DOCS-1512" --- {{< call-out "note" >}} -Never upload your NGINX App Protect WAF v5 images to a public container registry such as Docker Hub. Doing so violates your license agreement. +Never upload your F5 WAF for NGINX v5 images to a public container registry such as Docker Hub. Doing so violates your license agreement. {{< /call-out >}} To build the image, execute the following command in the directory containing the `nginx-repo.crt`, `nginx-repo.key`, and `Dockerfile`. Here, `nginx-app-protect-5` is an example image tag. diff --git a/content/includes/nap-waf/concept/apreload.md b/content/includes/nap-waf/concept/apreload.md index 2da2e366c..4a172dc04 100644 --- a/content/includes/nap-waf/concept/apreload.md +++ b/content/includes/nap-waf/concept/apreload.md 
@@ -2,7 +2,7 @@ nd-docs: DOCS-000 --- -apreload is a tool that can update that can update the NGINX App Protect WAF configuration without having to reload NGINX if only the App Protect configuration is changed and the `nginx.conf` file remains unchanged. apreload does not affect the existing NGINX reload process and it functions in the same manner as before. +apreload is a tool that can update that can update the F5 WAF for NGINX configuration without having to reload NGINX if only the App Protect configuration is changed and the `nginx.conf` file remains unchanged. apreload does not affect the existing NGINX reload process and it functions in the same manner as before. #### Some Conditions Required for apreload to Work: diff --git a/content/includes/nap-waf/concept/global-directives.md b/content/includes/nap-waf/concept/global-directives.md index ad92b63d1..9efcabae7 100644 --- a/content/includes/nap-waf/concept/global-directives.md +++ b/content/includes/nap-waf/concept/global-directives.md 
@@ -6,7 +6,7 @@ Global configuration consists of a series of `nginx.conf` directives at the `htt When applied to a cluster, all cluster members will get the same globals as expected. -{{< call-out "note" >}} Whether an incoming request is inspected by NGINX App Protect WAF may be determined by the URL in the request. This happens if you configure `app_protect_enable` and `app_protect_policy_file` directives in the `location` scope. In the case where the URL itself has violations such as *bad unescape* or *illegal metacharacter* then the request might be assigned to a location in which NGINX App Protect WAF is disabled or has a relaxed policy that does not detect these violations. Such malicious requests will be allowed without inspection. In order to avoid this, it is recommended to have a basic policy enabled at the `http` scope or at least at the `server` scope to process malicious requests in a more complete manner.{{< /call-out >}} +{{< call-out "note" >}} Whether an incoming request is inspected by F5 WAF for NGINX may be determined by the URL in the request. This happens if you configure `app_protect_enable` and `app_protect_policy_file` directives in the `location` scope. In the case where the URL itself has violations such as *bad unescape* or *illegal metacharacter* then the request might be assigned to a location in which F5 WAF for NGINX is disabled or has a relaxed policy that does not detect these violations. Such malicious requests will be allowed without inspection. In order to avoid this, it is recommended to have a basic policy enabled at the `http` scope or at least at the `server` scope to process malicious requests in a more complete manner.{{< /call-out >}} {{< bootstrap-table "table table-striped table-bordered table-sm table-responsive" >}} |Directive Name | Syntax | Description | Default | diff --git a/content/includes/nap-waf/concept/grpc-logging.md b/content/includes/nap-waf/concept/grpc-logging.md index bcce1d690..88fc1678d 100644 
--- a/content/includes/nap-waf/concept/grpc-logging.md +++ b/content/includes/nap-waf/concept/grpc-logging.md @@ -5,7 +5,7 @@ nd-docs: DOCS-000 Security log for gRPC requests has unique fields: `uri`, `grpc_method`, and `grpc_service`. Also, since the content of gRPC requests is binary (Protocol Buffers), it is better transferred in Base64 encoding. Hence, it is recommended to use the `headers` and `request_body_base64` fields instead of the `request` field. A new predefined log format called `grpc` should be used in all gRPC locations that also use policies with gRPC Content Profiles. The `grpc` format also contains the above new gRPC fields (`grpc_service` and `grpc_method`). See [Available Security Log Attributes]({{< ref "/nap-waf/v5/logging-overview/security-log#available-security-log-attributes" >}}). -NGINX App Protect WAF provides three security log bundles for gRPC: `log_grpc_all`, `log_grpc_illegal` and `log_grpc_blocked` using the `grpc` format with three filters: all requests, illegal requests, and blocked requests respectively. Unless you have special logging format requirements, the best practice is to use one of these bundles in all gRPC locations with the `app_protect_security_log` directive. +F5 WAF for NGINX provides three security log bundles for gRPC: `log_grpc_all`, `log_grpc_illegal` and `log_grpc_blocked` using the `grpc` format with three filters: all requests, illegal requests, and blocked requests respectively. Unless you have special logging format requirements, the best practice is to use one of these bundles in all gRPC locations with the `app_protect_security_log` directive. Here is a typical example: diff --git a/content/includes/nap-waf/config/common/anti-automation.md b/content/includes/nap-waf/config/common/anti-automation.md index 93459aaba..5a76d4f71 100644 --- a/content/includes/nap-waf/config/common/anti-automation.md +++ b/content/includes/nap-waf/config/common/anti-automation.md 
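Review bot: The `grpc-logging.md` hunk is rename-only, but the unchanged context above it links to `/nap-waf/v5/logging-overview/security-log#available-security-log-attributes` from a file under `content/includes/`; if this include is also rendered into the v4 pages, the hard-coded v5 ref sends v4 readers to the wrong version. Worth confirming where the include is used before merging.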
@@ -103,7 +103,7 @@ In this example, we override the action for a specific signature (python-request #### Bot Signatures Update File -Starting with NGINX App Protect WAF release 4.7, the bot signature file `included_bot_signatures`, is located at the following path: `/opt/app-protect/var/update_files/bot_signatures/included_bot_signatures`. This will be part of the **app-protect-bot-signatures** package. +Starting with F5 WAF for NGINX release 4.7, the bot signature file `included_bot_signatures`, is located at the following path: `/opt/app-protect/var/update_files/bot_signatures/included_bot_signatures`. This will be part of the **app-protect-bot-signatures** package. This file contains an up-to-date list of all bot signatures that have been updated with the new bot signature package. This list is automatically generated as a part of the **app-protect-bot-signatures** package and follows a format similar to the README-style text file found in the attack signature. This file contains essential information which includes: @@ -137,7 +137,7 @@ This is a list of the trusted bots that are currently part of the bot signatures #### Header Anomalies -In addition to detecting Bot Signatures, by default NGINX App Protect WAF verifies that a client claiming to be a browser is indeed one by inspecting the HTTP headers. +In addition to detecting Bot Signatures, by default F5 WAF for NGINX verifies that a client claiming to be a browser is indeed one by inspecting the HTTP headers. Each request receives a score, is categorized by anomaly, and is enforced according to the default configured anomaly action: diff --git a/content/includes/nap-waf/config/common/clickjacking-protection.md b/content/includes/nap-waf/config/common/clickjacking-protection.md index c73c94b8e..ed7e6f747 100644 --- a/content/includes/nap-waf/config/common/clickjacking-protection.md +++ b/content/includes/nap-waf/config/common/clickjacking-protection.md 
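Review bot: "Starting with F5 WAF for NGINX release 4.7" rewrites a historical version reference under the new name; that release shipped as NGINX App Protect WAF, and readers searching release notes will not find "F5 WAF for NGINX 4.7". Keep the original name for version-specific statements, for example "Starting with NGINX App Protect WAF release 4.7 (now F5 WAF for NGINX)". The package name **app-protect-bot-signatures** and the `/opt/app-protect/...` path are correctly left untouched in both hunks.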
@@ -2,7 +2,7 @@ nd-docs: "DOCS-1611" --- -Clickjacking refers to a technique used by malicious actors to embed remote website content into their malicious websites, tricking the end users to click on the embedded frames triggering actions the users were not aware of, such as liking a certain Facebook page or giving a restaurant a 5 star rating. To protect against such attacks, NGINX App Protect WAF uses the `X-Frame-Options` header capabilities. The `X-Frame-Options` header is injected by NGINX App Protect WAF to indicate to the browser whether it should embed the content or not. Please note that this additional layer of security is available only in browsers that support the `X-Frame-Options` headers. +Clickjacking refers to a technique used by malicious actors to embed remote website content into their malicious websites, tricking the end users to click on the embedded frames triggering actions the users were not aware of, such as liking a certain Facebook page or giving a restaurant a 5 star rating. To protect against such attacks, F5 WAF for NGINX uses the `X-Frame-Options` header capabilities. The `X-Frame-Options` header is injected by F5 WAF for NGINX to indicate to the browser whether it should embed the content or not. Please note that this additional layer of security is available only in browsers that support the `X-Frame-Options` headers. ##### Configuration 
@@ -10,9 +10,9 @@ Clickjacking refers to a technique used by malicious actors to embed remote webs - X-Frame-Options: `deny` - This option will prevent the browser from displaying the content in a frame, regardless of the website trying to do so. - X-Frame-Options: `only-same` - This option allows the browser to display the content in a frame only if it comes from the same website. -Please note that a third configuration option was available but it was deprecated by RFC and is not supported by NGINX App Protect WAF. +Please note that a third configuration option was available but it was deprecated by RFC and is not supported by F5 WAF for NGINX. -To enable this protection in NGINX App Protect WAF, we enable the feature for a URL (or for all URLs, via the wildcard URL), and then set the value to be assigned to the `X-Frame-Options` header. Following is an example of a policy enabling the feature for the URL `/clickme`, and using `only-same` as the value for the `X-Frame-Options` header: +To enable this protection in F5 WAF for NGINX, we enable the feature for a URL (or for all URLs, via the wildcard URL), and then set the value to be assigned to the `X-Frame-Options` header. Following is an example of a policy enabling the feature for the URL `/clickme`, and using `only-same` as the value for the `X-Frame-Options` header: ```json { diff --git a/content/includes/nap-waf/config/common/csrf-protection.md b/content/includes/nap-waf/config/common/csrf-protection.md index f17fd9dd0..fe7b0314c 100644 --- a/content/includes/nap-waf/config/common/csrf-protection.md +++ b/content/includes/nap-waf/config/common/csrf-protection.md 
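Review bot: "a third configuration option was available but it was deprecated by RFC" names neither the option nor the RFC; state the value (`allow-from`) and cite the document so readers can check whether their browsers still honour it. In the unchanged bullet above, `only-same` is the policy value, not the literal header value a browser receives (browsers accept `DENY` and `SAMEORIGIN`); one sentence on that mapping would prevent support questions when readers inspect the response headers.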
@@ -2,7 +2,7 @@ nd-docs: "DOCS-1590" --- -CSRF (Cross-Site Request Forgery) is an attack vector in which the victim user that visits a sensitive site such as a bank account, is lured to click on a malicious link attempting a fraudulent operation on that sensitive site. The link may be sent over email or in a hidden frame in another site. NGINX App Protect WAF provides protection against CSRF attacks by validating the Origin header for AJAX POST requests (default configuration). +CSRF (Cross-Site Request Forgery) is an attack vector in which the victim user that visits a sensitive site such as a bank account, is lured to click on a malicious link attempting a fraudulent operation on that sensitive site. The link may be sent over email or in a hidden frame in another site. F5 WAF for NGINX provides protection against CSRF attacks by validating the Origin header for AJAX POST requests (default configuration). ##### CSRF Configuration diff --git a/content/includes/nap-waf/config/common/custom-log-overview.md b/content/includes/nap-waf/config/common/custom-log-overview.md index 3ae13b711..a8bdff796 100644 --- a/content/includes/nap-waf/config/common/custom-log-overview.md +++ b/content/includes/nap-waf/config/common/custom-log-overview.md 
@@ -2,6 +2,6 @@ nd-docs: "DOCS-1614" --- -Custom dimensions log entries feature refers to the new configuration in NGINX App Protect WAF, where the new directive called `app_protect_custom_log_attribute` is assigned to a particular location or server or http level in the `nginx.conf` file. The need is to be able to add custom identifiers to the respective location and/or server and identify requests in the Security Log by those identifiers. +Custom dimensions log entries feature refers to the new configuration in F5 WAF for NGINX, where the new directive called `app_protect_custom_log_attribute` is assigned to a particular location or server or http level in the `nginx.conf` file. The need is to be able to add custom identifiers to the respective location and/or server and identify requests in the Security Log by those identifiers. The `app_protect_custom_log_attribute` directive will be used to track the assigned location/server/http dimension of each request by adding the `app_protect_custom_log_attribute` to the **Security Logs** a.k.a **Request Logs**. Since it is a custom attribute a customer can set, that custom attribute will appear for every request log entry that was handled by that location/server. \ No newline at end of file diff --git a/content/includes/nap-waf/config/common/deny-allow-never-log-lists.md b/content/includes/nap-waf/config/common/deny-allow-never-log-lists.md index 45ebb85ef..24c7b0e5f 100644 --- a/content/includes/nap-waf/config/common/deny-allow-never-log-lists.md +++ b/content/includes/nap-waf/config/common/deny-allow-never-log-lists.md 
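Review bot: The rewritten sentence still describes `app_protect_custom_log_attribute` as "the new configuration" and "the new directive"; "new" is relative to an unnamed release and will age badly, so drop it or give the version. The file also ends without a trailing newline, which the hunk preserves.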
@@ -63,7 +63,7 @@ In this IPv4 example, we use the default configuration while enabling the deny l ``` {{< call-out "note" >}} -The above configuration assumes the IP address represents the original requestor. However, it is also common that the client address may instead represent a downstream proxy device as opposed to the original requestor's IP address. In this case, you may need to configure NGINX App Protect WAF to prefer the use of an `X-Forwarded-For` (or similar) header injected to the request by a downstream proxy in order to more accurately identify the *actual* originator of the request. [See the XFF Headers and Trust](#xff-headers-and-trust) for information regarding the additional settings required for this configuration. +The above configuration assumes the IP address represents the original requestor. However, it is also common that the client address may instead represent a downstream proxy device as opposed to the original requestor's IP address. In this case, you may need to configure F5 WAF for NGINX to prefer the use of an `X-Forwarded-For` (or similar) header injected to the request by a downstream proxy in order to more accurately identify the *actual* originator of the request. [See the XFF Headers and Trust](#xff-headers-and-trust) for information regarding the additional settings required for this configuration. {{< /call-out >}} diff --git a/content/includes/nap-waf/config/common/detect-base64-string-values.md b/content/includes/nap-waf/config/common/detect-base64-string-values.md index 56e58f6a7..15d262132 100644 --- a/content/includes/nap-waf/config/common/detect-base64-string-values.md +++ b/content/includes/nap-waf/config/common/detect-base64-string-values.md 
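Review bot: The note now says you "may need to configure F5 WAF for NGINX to prefer the use of an `X-Forwarded-For` (or similar) header". That header is client-supplied unless a trusted proxy overwrites it, so the same sentence should say that it must only be honoured for a defined set of trusted proxy addresses; otherwise the deny list this section configures is bypassed by any client that sets the header. The link to "XFF Headers and Trust" covers the details, but one clause here stops readers from enabling it blind.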
@@ -2,7 +2,7 @@ nd-docs: "DOCS-1563" --- -The Detect Base64 feature allows NGINX App Protect WAF to detect whether values in string fields in gRPC payload are Base64 encoded. When a value is detected as Base64 encoded NGINX App Protect WAF will enforce the configured signatures on the decoded value __and__ on the original value. +The Detect Base64 feature allows F5 WAF for NGINX to detect whether values in string fields in gRPC payload are Base64 encoded. When a value is detected as Base64 encoded F5 WAF for NGINX will enforce the configured signatures on the decoded value __and__ on the original value. This feature is disabled by default and can be enabled by setting `decodeStringValuesAsBase64` to `enabled`. diff --git a/content/includes/nap-waf/config/common/detect-base64.md b/content/includes/nap-waf/config/common/detect-base64.md index c80861c63..9bc3e96f4 100644 --- a/content/includes/nap-waf/config/common/detect-base64.md +++ b/content/includes/nap-waf/config/common/detect-base64.md @@ -2,7 +2,7 @@ nd-docs: "DOCS-1593" --- -The Detect Base64 feature allows NGINX App Protect WAF to detect whether values in headers, cookies, and parameters are Base64 encoded. When an entity is detected as Base64 encoded NGINX App Protect WAF will enforce the configured signatures on the decoded value, instead of on the original value. +The Detect Base64 feature allows F5 WAF for NGINX to detect whether values in headers, cookies, and parameters are Base64 encoded. When an entity is detected as Base64 encoded F5 WAF for NGINX will enforce the configured signatures on the decoded value, instead of on the original value. This feature is disabled by default or by setting the `decodeValueAsBase64` to `disabled`. diff --git a/content/includes/nap-waf/config/common/enforcer-cookie-settings.md b/content/includes/nap-waf/config/common/enforcer-cookie-settings.md index 0b66474af..c128b3978 100644 --- a/content/includes/nap-waf/config/common/enforcer-cookie-settings.md 
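Review bot: The two Detect Base64 hunks now sit side by side and state different semantics: `detect-base64-string-values.md` says signatures are enforced on the decoded value __and__ the original, while `detect-base64.md` says on the decoded value "instead of" the original. If the difference between gRPC string fields and headers, cookies and parameters is intentional, say so in each file; if not, one of them is wrong. The unchanged line after the second hunk, "disabled by default or by setting `decodeValueAsBase64` to `disabled`", also reads oddly; "disabled by default; set `decodeValueAsBase64` to `enabled` to turn it on" matches the wording of the first file.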
+++ b/content/includes/nap-waf/config/common/enforcer-cookie-settings.md @@ -2,7 +2,7 @@ nd-docs: "DOCS-1608" --- -NGINX App Protect WAF generates its own cookies and adds them on top of the application cookies. +F5 WAF for NGINX generates its own cookies and adds them on top of the application cookies. These are called Enforcer Cookies. diff --git a/content/includes/nap-waf/config/common/evasion-techniques-subviolations.md b/content/includes/nap-waf/config/common/evasion-techniques-subviolations.md index f485fcb9a..b4250c0ba 100644 --- a/content/includes/nap-waf/config/common/evasion-techniques-subviolations.md +++ b/content/includes/nap-waf/config/common/evasion-techniques-subviolations.md @@ -2,7 +2,7 @@ nd-docs: "DOCS-1542" --- -The following table specifies the Evasion Techniques sub-violation settings. All are supported in NGINX App Protect WAF. +The following table specifies the Evasion Techniques sub-violation settings. All are supported in F5 WAF for NGINX. {{}} |Sub-Violation | Default Template | Description | diff --git a/content/includes/nap-waf/config/common/filetypes-and-responses.md b/content/includes/nap-waf/config/common/filetypes-and-responses.md index c65c0aa33..cc8231a63 100644 --- a/content/includes/nap-waf/config/common/filetypes-and-responses.md +++ b/content/includes/nap-waf/config/common/filetypes-and-responses.md 
@@ -94,7 +94,7 @@ When enforcing signatures on the response, we have the flexibility to restrict t #### How Does Restrict Response Signature Check Work? -The response signature check is always done on the configured `responseCheckLength` as described above. Usually NGINX App Protect WAF will buffer only that part of the response saving memory and CPU, but in some conditions the whole response may have to be buffered, such as when the response body is compressed. +The response signature check is always done on the configured `responseCheckLength` as described above. Usually F5 WAF for NGINX will buffer only that part of the response saving memory and CPU, but in some conditions the whole response may have to be buffered, such as when the response body is compressed. #### Allowed Methods diff --git a/content/includes/nap-waf/config/common/geolocation-overview.md b/content/includes/nap-waf/config/common/geolocation-overview.md index 4cf2e1833..9502ba761 100644 --- a/content/includes/nap-waf/config/common/geolocation-overview.md +++ b/content/includes/nap-waf/config/common/geolocation-overview.md 
@@ -4,4 +4,4 @@ nd-docs: "DOCS-1615" Geolocation refers to the process of assessing or determining the geographic location of an object. This feature helps in identifying the geographic location of a client or web application user. -In NGINX App Protect WAF, the Enforcer will look up the client IP address in the Geolocation file included in the app protect package, and extract the corresponding [ISO 3166](https://www.iso.org/obp/ui/#search) two-letter code, representing the country. For instance, "IL" denotes Israel. This information is denoted as "geolocation" in the condition and is also included in the request reporting. +In F5 WAF for NGINX, the Enforcer will look up the client IP address in the Geolocation file included in the app protect package, and extract the corresponding [ISO 3166](https://www.iso.org/obp/ui/#search) two-letter code, representing the country. For instance, "IL" denotes Israel. This information is denoted as "geolocation" in the condition and is also included in the request reporting. diff --git a/content/includes/nap-waf/config/common/graphql-security.md b/content/includes/nap-waf/config/common/graphql-security.md index 067eb4833..e898cd8e8 100644 --- a/content/includes/nap-waf/config/common/graphql-security.md +++ b/content/includes/nap-waf/config/common/graphql-security.md 
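Review bot: "the Geolocation file included in the app protect package" keeps the old product name, lower-cased, in the very sentence being renamed; use the package's actual name or the new product name so the rename is consistent within the line.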
@@ -2,6 +2,6 @@ nd-docs: "DOCS-1566" --- -Securing GraphQL APIs with NGINX App Protect WAF involves using WAF to monitor and protect against security threats and attacks. GraphQL, like REST, is usually [served over HTTP](http://graphql.org/learn/serving-over-http/), using GET and POST requests and a proprietary [query language](https://graphql.org/learn/schema/#the-query-and-mutation-types). It is prone to the typical Web APIs security vulnerabilities, such as injection attacks, Denial of Service (DoS) attacks and abuse of flawed authorization. +Securing GraphQL APIs with F5 WAF for NGINX involves using WAF to monitor and protect against security threats and attacks. GraphQL, like REST, is usually [served over HTTP](http://graphql.org/learn/serving-over-http/), using GET and POST requests and a proprietary [query language](https://graphql.org/learn/schema/#the-query-and-mutation-types). It is prone to the typical Web APIs security vulnerabilities, such as injection attacks, Denial of Service (DoS) attacks and abuse of flawed authorization. Unlike REST, where Web resources are identified by multiple URLs, GraphQL server operates on a single URL/endpoint, usually **/graphql**. All GraphQL requests for a given service should be directed to this endpoint. \ No newline at end of file diff --git a/content/includes/nap-waf/config/common/graphql-violations.md b/content/includes/nap-waf/config/common/graphql-violations.md index 288fa29a4..bc4748339 100644 --- a/content/includes/nap-waf/config/common/graphql-violations.md +++ b/content/includes/nap-waf/config/common/graphql-violations.md @@ -2,7 +2,7 @@ nd-docs: "DOCS-1578" --- -NGINX App Protect WAF introduces four new violations specific to GraphQL: `VIOL_GRAPHQL_FORMAT`, `VIOL_GRAPHQL_MALFORMED`, `VIOL_GRAPHQL_INTROSPECTION_QUERY` and `VIOL_GRAPHQL_ERROR_RESPONSE`.
+F5 WAF for NGINX introduces four new violations specific to GraphQL: `VIOL_GRAPHQL_FORMAT`, `VIOL_GRAPHQL_MALFORMED`, `VIOL_GRAPHQL_INTROSPECTION_QUERY` and `VIOL_GRAPHQL_ERROR_RESPONSE`.
Under the "blocking-settings," user can either enable or disable these violations. Note that these violations will be enabled by default. Any changes to these violation settings here will override the default settings. The details regarding logs will be recorded in the security log.
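Review bot: In the `graphql-security.md` hunk the unchanged context calls GraphQL's query language "proprietary"; GraphQL is an openly published specification, so "its own query language" is the accurate wording. In the `graphql-violations.md` hunk, "introduces four new violations" is relative to a release that is not named; either give the version or drop "new" now that the sentence is being rewritten under the new product name.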
diff --git a/content/includes/nap-waf/config/common/grpc-protection-unary-traffic.md b/content/includes/nap-waf/config/common/grpc-protection-unary-traffic.md index dac89ee48..e479c85a4 100644 --- a/content/includes/nap-waf/config/common/grpc-protection-unary-traffic.md +++ b/content/includes/nap-waf/config/common/grpc-protection-unary-traffic.md @@ -2,5 +2,5 @@ nd-docs: "DOCS-1558" --- -gRPC is a remote API standard and is an alternative to OpenAPI. If your applications expose gRPC APIs, NGINX App Protect WAF can protect them by parsing the messages; making sure they comply with the API definition; and enforcing security restrictions - such as size limits, detecting attack signatures, threat campaigns, and suspicious metacharacters in message string field values. +gRPC is a remote API standard and is an alternative to OpenAPI. If your applications expose gRPC APIs, F5 WAF for NGINX can protect them by parsing the messages; making sure they comply with the API definition; and enforcing security restrictions - such as size limits, detecting attack signatures, threat campaigns, and suspicious metacharacters in message string field values. In the following sections, you will learn how to configure gRPC protection in the policy using gRPC Content Profiles. \ No newline at end of file diff --git a/content/includes/nap-waf/config/common/http-compliance-subviolations.md b/content/includes/nap-waf/config/common/http-compliance-subviolations.md index c9482ea62..338b0a8e4 100644 --- a/content/includes/nap-waf/config/common/http-compliance-subviolations.md +++ b/content/includes/nap-waf/config/common/http-compliance-subviolations.md 
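Review bot: "gRPC is a remote API standard and is an alternative to OpenAPI" compares an RPC framework with an API description format; the contrast the rest of the sentence relies on is gRPC versus REST APIs, with Protocol Buffers definitions playing the role OpenAPI plays for REST. Suggest "gRPC is a remote procedure call framework whose APIs are defined in Protocol Buffers, an alternative to REST APIs described with OpenAPI". The file also ends without a trailing newline.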
@@ -2,7 +2,7 @@ nd-docs: "DOCS-1576" --- -The following table specifies the HTTP Compliance sub-violation settings. All are supported in NGINX App Protect WAF, but not all are enabled in the default App Protect security template. The table specifies which. Some of the checks are enforced by NGINX Plus and App Protect only gets a notification. **Note:** In this case, the request is **always** blocked regardless of the App Protect policy. +The following table specifies the HTTP Compliance sub-violation settings. All are supported in F5 WAF for NGINX, but not all are enabled in the default App Protect security template. The table specifies which. Some of the checks are enforced by NGINX Plus and App Protect only gets a notification. **Note:** In this case, the request is **always** blocked regardless of the App Protect policy. {{}} diff --git a/content/includes/nap-waf/config/common/ip-intelligence-conf.md b/content/includes/nap-waf/config/common/ip-intelligence-conf.md index 094b42cb6..6b253b4e5 100644 --- a/content/includes/nap-waf/config/common/ip-intelligence-conf.md +++ b/content/includes/nap-waf/config/common/ip-intelligence-conf.md 
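Review bot: After the rename this sentence mixes names: "F5 WAF for NGINX", "the default App Protect security template", "App Protect only gets a notification" and "the App Protect policy". Pick one form for the product, or add a one-time statement that "App Protect" survives in template, directive and path names. The **Note** that NGINX Plus enforces some checks and blocks regardless of policy is the important security statement in this paragraph and should keep its emphasis.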
@@ -1,6 +1,6 @@ -NGINX App Protect WAF provides an IP Intelligence feature, which allows customizing the enforcement based on the source IP of the request to limit access from IP addresses with questionable reputation. Please note that: +F5 WAF for NGINX provides an IP Intelligence feature, which allows customizing the enforcement based on the source IP of the request to limit access from IP addresses with questionable reputation. Please note that: - The IP intelligence feature is **disabled** by default and needs to be installed, enabled, and configured within the policy. - To review the installation steps, please refer to the administration guide: [App Protect v4]({{< ref "/nap-waf/v4/admin-guide/install.md#Prerequisites" >}}) / [App Protect v5]({{< ref "/nap-waf/v5/admin-guide/install.md#Prerequisites" >}}) - The system must have an active Internet connection and a working DNS. diff --git a/content/includes/nap-waf/config/common/json-web-token-overview.md b/content/includes/nap-waf/config/common/json-web-token-overview.md index 76cf116ba..b34cf6265 100644 --- a/content/includes/nap-waf/config/common/json-web-token-overview.md +++ b/content/includes/nap-waf/config/common/json-web-token-overview.md 
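Review bot: The link texts "App Protect v4" and "App Protect v5" in the unchanged bullet still use the old name directly under the renamed sentence; update the labels (the `ref` paths can stay). The prerequisite "The system must have an active Internet connection and a working DNS" is an egress firewall requirement and deserves the destination hosts or address ranges to allow, in the way the NGINX One install page in this same patch lists its ranges.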
@@ -2,11 +2,11 @@ nd-docs: "DOCS-1550" --- -JSON Web Token (JWT) is a compact and self-contained way to represent information between two parties in a JSON (JavaScript Object Notation) format and is commonly used for authentication and authorization. With NGINX App Protect now it is possible to control access to its application using JWT validation. NGINX App Protect WAF validates the authenticity and well-formedness of JWTs coming from a client, denying access to the service exclusively when the validation process fails. JWT is mainly used for API access. +JSON Web Token (JWT) is a compact and self-contained way to represent information between two parties in a JSON (JavaScript Object Notation) format and is commonly used for authentication and authorization. With NGINX App Protect now it is possible to control access to its application using JWT validation. F5 WAF for NGINX validates the authenticity and well-formedness of JWTs coming from a client, denying access to the service exclusively when the validation process fails. JWT is mainly used for API access. When a user logs in to a web application, they might receive a JWT, which can then be included in subsequent requests to the server. The server can validate the JWT to ensure that the user is authenticated to access the requested resources. -Now NGINX App Protect WAF provides JSON Web Token (JWT) protection. NGINX App Protect WAF will be placed in the path leading to the application server and will handle the token for the application. This includes: +Now F5 WAF for NGINX provides JSON Web Token (JWT) protection. F5 WAF for NGINX will be placed in the path leading to the application server and will handle the token for the application. This includes: 1. Validating the token's existence and ensuring its correct structure for specific URLs. 2. Verifying the token's signature based on provisioned certificates. 
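Review bot: The rename is incomplete in the first replacement line: "With NGINX App Protect now it is possible to control access to its application using JWT validation" still carries the old name, and "its application" should read "your application". Since the line is being rewritten anyway, fix both in this hunk.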
@@ -45,7 +45,7 @@ These claims provide information about the JWT and can be used by the recipient - **Signature** - To create the signature part, the header and payload are encoded using a specified algorithm and a secret key. This signature can be used to verify the authenticity of the token and to ensure that it has not been tampered with during transmission. The signature is computed based on the algorithm and the keys used and also Base64-encoded. -#### NGINX App Protect WAF supports the following types of JWT: +#### F5 WAF for NGINX supports the following types of JWT: JSON Web Signature (JWS) - JWT content is digitally signed. The following algorithm can be used for signing: diff --git a/content/includes/nap-waf/config/common/json-web-tokens-violations.md b/content/includes/nap-waf/config/common/json-web-tokens-violations.md index b04d82780..efcad7a2a 100644 --- a/content/includes/nap-waf/config/common/json-web-tokens-violations.md +++ b/content/includes/nap-waf/config/common/json-web-tokens-violations.md @@ -2,7 +2,7 @@ nd-docs: "DOCS-1594" --- -NGINX App Protect WAF introduces three new violations specific to JWT: `VIOL_ACCESS_INVALID`, `VIOL_ACCESS_MISSING` and `VIOL_ACCESS_MALFORMED`. +F5 WAF for NGINX introduces three new violations specific to JWT: `VIOL_ACCESS_INVALID`, `VIOL_ACCESS_MISSING` and `VIOL_ACCESS_MALFORMED`. Under the "blocking-settings," user can either enable or disable these violations. Note that these violations will be enabled by default. The details regarding logs will be recorded in the security log. diff --git a/content/includes/nap-waf/config/common/nginx-app-protect-waf-terminology.md b/content/includes/nap-waf/config/common/nginx-app-protect-waf-terminology.md index 2630c54ec..ce32ad960 100644 --- a/content/includes/nap-waf/config/common/nginx-app-protect-waf-terminology.md +++ b/content/includes/nap-waf/config/common/nginx-app-protect-waf-terminology.md 
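Review bot: The heading "#### F5 WAF for NGINX supports the following types of JWT:" ends with a colon, which is unusual for a heading in this guide; "Supported JWT types" reads better and survives future renames. Separately, the terminology include is still named `nginx-app-protect-waf-terminology.md`; renaming shared include files is optional, but if the plan is to retire the old name, track it so file names and content do not diverge.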
@@ -11,22 +11,22 @@ This guide assumes that you have some familiarity with various Layer 7 (L7) Hype {{}} |Term | Definition | | ---| --- | -|Alarm | If selected, the NGINX App Protect WAF system records requests that trigger the violation in the remote log (depending on the settings of the logging profile). | -|Attack signature | Textual patterns which can be applied to HTTP requests and/or responses by NGINX App Protect WAF to determine if traffic is malicious. For example, the string `