diff --git a/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md b/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md new file mode 100644 index 000000000..02fede65a --- /dev/null +++ b/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md @@ -0,0 +1,12 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +- content/waf/install/kubernetes-plm.md +- content/waf/install/virtual-environment.md +--- + +1. Log in to [MyF5](https://my.f5.com/manage/s/). +1. Go to **My Products & Plans > Subscriptions** to see your active subscriptions. +1. Find your NGINX subscription, and select the **Subscription ID** for details. +1. Download the **SSL Certificate**, **Private Key** and **JSON Web Token** files from the subscription page. \ No newline at end of file diff --git a/content/includes/waf/dockerfiles/alpine-plus.md b/content/includes/waf/dockerfiles/alpine-plus.md index 6fe7111c5..2818c3592 100644 --- a/content/includes/waf/dockerfiles/alpine-plus.md +++ b/content/includes/waf/dockerfiles/alpine-plus.md @@ -27,6 +27,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ && ln -sf /dev/stderr /var/log/nginx/error.log \ && rm -rf /var/cache/apk/* +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/amazon-plus.md b/content/includes/waf/dockerfiles/amazon-plus.md index d4ec7bba2..d943b33f1 100644 --- a/content/includes/waf/dockerfiles/amazon-plus.md +++ b/content/includes/waf/dockerfiles/amazon-plus.md @@ -28,6 +28,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/debian-plus.md b/content/includes/waf/dockerfiles/debian-plus.md index 204dfa633..7c8581d11 100644 --- a/content/includes/waf/dockerfiles/debian-plus.md +++ b/content/includes/waf/dockerfiles/debian-plus.md @@ -41,6 +41,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && apt-get clean \ && rm -rf /var/lib/apt/lists/* +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md new file mode 100644 index 000000000..6fe7111c5 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md @@ -0,0 +1,38 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported OS_VER's are 3.22 +ARG OS_VER="3.22" + +# Base image +FROM alpine:${OS_VER} + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ + wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ + && printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | \ + tee -a /etc/apk/repositories \ + && printf "https://pkgs.nginx.com/app-protect-x-plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | \ + tee -a /etc/apk/repositories \ + && apk update \ + && apk add app-protect-module-plus \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && rm -rf /var/cache/apk/* + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` \ No newline at end of file diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md new file mode 100644 index 000000000..d4ec7bba2 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md @@ -0,0 +1,39 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base image +FROM amazonlinux:2023 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + yum -y install wget ca-certificates shadow-utils \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/amzn/2023/\$basearch/" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-plus.repo \ + && yum -y install app-protect-module-plus \ + && yum clean all \ + && rm -rf /var/cache/yum \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md new file mode 100644 index 000000000..204dfa633 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md @@ -0,0 +1,52 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported OS_CODENAME's are: bullseye/bookworm +ARG OS_CODENAME=bookworm + +# Base image +FROM debian:${OS_CODENAME} + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + apt-get update \ + && apt-get install -y \ + apt-transport-https \ + lsb-release \ + ca-certificates \ + wget \ + gnupg2 \ + debian-archive-keyring \ + && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | \ + gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-plus.list \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/app-protect-x-plus/debian `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-app-protect.list \ + && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ + && apt-get update \ + && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-module-plus \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md new file mode 100644 index 000000000..2f8a0ace3 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md @@ -0,0 +1,40 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base image +FROM oraclelinux:8 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install wget ca-certificates yum-utils \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/\$basearch/" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && dnf clean all \ + && dnf -y install app-protect-module-plus \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md new file mode 100644 index 000000000..9f05ce79f --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md @@ -0,0 +1,56 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported UBI_VERSION's are 7/8/9 +ARG UBI_VERSION=8 + +# Base Image +FROM registry.access.redhat.com/ubi${UBI_VERSION}/ubi + +# Define the ARG again after FROM to use it in this stage +ARG UBI_VERSION + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + PKG_MANAGER=dnf; \ + if [ "${UBI_VERSION}" = "7" ]; then \ + PKG_MANAGER=yum; \ + NGINX_PLUS_REPO="nginx-plus-7.4.repo"; \ + elif [ "${UBI_VERSION}" = "9" ]; then \ + NGINX_PLUS_REPO="plus-${UBI_VERSION}.repo"; \ + else \ + NGINX_PLUS_REPO="nginx-plus-${UBI_VERSION}.repo"; \ + fi \ + && $PKG_MANAGER -y install wget ca-certificates \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/${NGINX_PLUS_REPO} \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/${UBI_VERSION}/\$basearch/" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && $PKG_MANAGER clean all \ + && $PKG_MANAGER install -y app-protect-module-plus \ + && $PKG_MANAGER clean all \ + && rm -rf /var/cache/$PKG_MANAGER \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md new file mode 100644 index 000000000..464ba150e --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md @@ -0,0 +1,41 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base Image +FROM rockylinux:9 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install wget ca-certificates \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/${NGINX_PLUS_REPO} \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/${UBI_VERSION}/\$basearch/" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && dnf clean all \ + && dnf install -y app-protect-module-plus \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md new file mode 100644 index 000000000..464ba150e --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md @@ -0,0 +1,41 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base Image +FROM rockylinux:9 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install wget ca-certificates \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/${NGINX_PLUS_REPO} \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/${UBI_VERSION}/\$basearch/" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && dnf clean all \ + && dnf install -y app-protect-module-plus \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md new file mode 100644 index 000000000..89a2e7d8b --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md @@ -0,0 +1,52 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported OS_CODENAME's are: focal/jammy +ARG OS_CODENAME=jammy + +# Base image +FROM ubuntu:${OS_CODENAME} + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + apt-get update \ + && apt-get install -y \ + apt-transport-https \ + lsb-release \ + ca-certificates \ + wget \ + gnupg2 \ + ubuntu-keyring \ + && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | \ + gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-plus.list \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/app-protect-x-plus/ubuntu `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-app-protect.list \ + && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ + && apt-get update \ + && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-module-plus \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/oracle-plus.md b/content/includes/waf/dockerfiles/oracle-plus.md index 98bd1e15b..c62d33bb1 100644 --- a/content/includes/waf/dockerfiles/oracle-plus.md +++ b/content/includes/waf/dockerfiles/oracle-plus.md @@ -29,6 +29,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/rhel8-plus.md b/content/includes/waf/dockerfiles/rhel8-plus.md index 9f05ce79f..ac00cc4e3 100644 --- a/content/includes/waf/dockerfiles/rhel8-plus.md +++ b/content/includes/waf/dockerfiles/rhel8-plus.md @@ -45,6 +45,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/rhel9-plus.md b/content/includes/waf/dockerfiles/rhel9-plus.md index 464ba150e..6f6c96a53 100644 --- a/content/includes/waf/dockerfiles/rhel9-plus.md +++ b/content/includes/waf/dockerfiles/rhel9-plus.md @@ -30,6 +30,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/rocky9-plus.md b/content/includes/waf/dockerfiles/rocky9-plus.md index 464ba150e..6f6c96a53 100644 --- a/content/includes/waf/dockerfiles/rocky9-plus.md +++ b/content/includes/waf/dockerfiles/rocky9-plus.md @@ -30,6 +30,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/ubuntu-plus.md b/content/includes/waf/dockerfiles/ubuntu-plus.md index 89a2e7d8b..7333f22d5 100644 --- a/content/includes/waf/dockerfiles/ubuntu-plus.md +++ b/content/includes/waf/dockerfiles/ubuntu-plus.md @@ -41,6 +41,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && apt-get clean \ && rm -rf /var/lib/apt/lists/* +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index 45ccc3068..d7e672e49 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -7,12 +7,27 @@ Your folder should contain the following files: - _nginx-repo.crt_ - _nginx-repo.key_ +- _license.jwt_ (Only necessary when using NGINX Plus) - _nginx.conf_ - _entrypoint.sh_ - _Dockerfile_ -- _custom_log_format.json_ (Optional) +- _custom_log_format.json_ -To build an image, use the following command, replacing `` as appropriate: +#### Building an image with NGINX Plus +To build an image for NGINX Plus, use the following command that is not RHEL-based, replacing `` as appropriate: + +```shell +sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . +``` + +A RHEL-based system would use the following command instead: + +```shell +podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . +``` + +#### Building an image with NGINX Open Source +To build an image for NGINX Open Source, use the following command that is not RHEL-based, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . diff --git a/content/includes/waf/install-services-registry.md b/content/includes/waf/install-services-registry.md index c9f686e8d..40b9135b4 100644 --- a/content/includes/waf/install-services-registry.md +++ b/content/includes/waf/install-services-registry.md @@ -5,6 +5,8 @@ nd-files: - content/waf/install/kubernetes.md --- +You will need Docker registry credentials to access private-registry.nginx.com. + Create a directory and copy your certificate and key to this directory: ```shell diff --git a/content/includes/waf/install-update-configuration.md b/content/includes/waf/install-update-configuration.md index 23b1c63ae..3577367cf 100644 --- a/content/includes/waf/install-update-configuration.md +++ b/content/includes/waf/install-update-configuration.md @@ -121,8 +121,3 @@ server { {{% /tab %}} {{< /tabs >}} - -Once you have updated your configuration files, you can reload NGINX to apply the changes. You have two options depending on your environment: - -- `nginx -s reload` -- `sudo systemctl reload nginx` \ No newline at end of file diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index 2b609b586..b7dc49c2c 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -32,8 +32,9 @@ For more information about policies, read the [Configure policies]({{< ref "/waf To complete this guide, you will need the following prerequisites: -- An active F5 WAF for NGINX subscription (Purchased or trial) -- Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). + - Download the [SSL certificate and private key](download-your-subscription-credentials) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. +- [Docker registry credentials](configure-docker-for-the-f5-container-registry) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) ## Download your subscription credentials diff --git a/content/waf/configure/secure-mtls.md b/content/waf/configure/secure-mtls.md index bf8d42ce0..978ab82ab 100644 --- a/content/waf/configure/secure-mtls.md +++ b/content/waf/configure/secure-mtls.md @@ -155,7 +155,7 @@ With a [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment {{< /call-out >}} -## Modify Docker compose file +## Modify Docker Compose file {{< call-out "warning" >}} @@ -224,5 +224,4 @@ services: app_protect_bd_config: app_protect_config: app_protect_etc_config: -``` - +``` \ No newline at end of file diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 88e1a8bc9..db60115e2 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -22,7 +22,7 @@ To complete this guide, you will need the following prerequisites: - [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md#before-you-begin" >}}) - [Docker]({{< ref "/waf/install/docker.md#before-you-begin" >}}) - [Kubernetes]({{< ref "/waf/install/kubernetes.md#before-you-begin" >}}) -- An active F5 WAF for NGINX subscription (Purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - A connected environment with similar architecture - A method to transfer files between two environments @@ -89,6 +89,10 @@ yum install --downloadonly --downloaddir=/etc/packages/ app-protect Once you've obtained the package files and transferred them to your disconnected environment, you can directly install them or add them to a local repository. +## Configure license reporting for disconnected environments + +By default, NGINX Plus automatically reports license usage to the F5 licensing endpoint, and additional configuration is not required in connected environments. However, manual configuration becomes necessary in disconnected environments. Use NGINX Instance Manager for usage reporting or use a custom path for the license file. Configuration can be done in the [`mgmt {}`](https://nginx.org/en/docs/ngx_mgmt_module.html) block of the NGINX Plus configuration file (`/etc/nginx/nginx.conf`). For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). + ## Download Docker images After pulling or building Docker images in a connected environment, you can save them to `.tar` files: @@ -109,4 +113,4 @@ docker load -i waf-config-mgr.tar docker load -i waf-ip-intelligence.tar ``` -Ensure your Docker compose files use the tagged images you've transferred. \ No newline at end of file +Ensure your Docker Compose files use the tagged images you've transferred. \ No newline at end of file diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 437440c51..382cf6ecd 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -16,15 +16,33 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: -- An active F5 WAF for NGINX subscription (Purchased or trial) -- [Docker](https://docs.docker.com/get-started/get-docker/) +- A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). +- [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running. +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. JWT license is not needed when using NGINX Open Source. +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images for Multi-container and Hybrid configurations. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. -To review supported operating systems, read the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}) topic. - {{< include "waf/install-selinux-warning.md" >}} +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. + +## Download your subscription credentials + +{{< call-out "note" >}} +If you are using NGINX Open Source for your Multi-container or Hybrid configuration, you do not need the JWT license file. +{{< /call-out >}} + +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} + +{{< call-out "important" >}} +The provided Dockerfile for NGINX Plus automatically handles placing the JWT license file in `/etc/nginx/` during image build. If you use a custom Dockerfile, you must ensure the JWT license is copied to this location. +{{< /call-out >}} + +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + ## Docker deployment options There are three kinds of Docker deployments available: @@ -41,13 +59,17 @@ The single container configuration only supports NGINX Plus and requires a build The steps you should follow on this page are dependent on your configuration type: after the shared steps, links will guide you to the next appropriate section. -## Download your subscription credentials +## Configure Docker for the F5 Container Registry -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} +You will need Docker registry credentials to access private-registry.nginx.com for the Multi-container or Hybrid deployment options. -## Configure Docker for the F5 Container Registry +Create a directory and copy your certificate and key to this directory: -{{< include "waf/install-services-registry.md" >}} +```shell +mkdir -p /etc/docker/certs.d/private-registry.nginx.com +cp /etc/docker/certs.d/private-registry.nginx.com/client.cert +cp /etc/docker/certs.d/private-registry.nginx.com/client.key +``` You should now move to the section based on your configuration type: @@ -143,7 +165,7 @@ http { ### Create a Dockerfile -In the same folder as your credential and configuration files, create a _Dockerfile_ based on your desired operating system image using an example from the following sections. +In the same folder as your credential and configuration files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. Alternatively, you may want make your own image based on a Dockerfile using the official NGINX image: @@ -307,7 +329,51 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu ### Build the Docker image -{{< include "waf/install-build-image.md" >}} +Your folder should contain the following files: + +- _nginx-repo.crt_ +- _nginx-repo.key_ +- _license.jwt_ +- _nginx.conf_ +- _entrypoint.sh_ +- _Dockerfile_ +- _custom_log_format.json_ + +To build an image, use the following command for a system that is not RHEL-based, replacing `` as appropriate: + +```shell +sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . +``` + +A RHEL-based system would use the following command instead: + +```shell +podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . +``` + +{{< call-out "note" >}} + +The `--no-cache` option is used to ensure the image is built from scratch, installing the latest versions of NGINX Plus and F5 WAF for NGINX. + +{{< /call-out >}} + +Verify that your image has been created using the `docker images` command: + +```shell +docker images +``` + +Create a container based on this image, replacing as appropriate: + +```shell +docker run --name -p 80:80 -d +``` + +Verify the new container is running using the `docker ps` command: + +```shell +docker ps +``` ### Update configuration files @@ -439,6 +505,8 @@ Once you have updated your configuration files, you can reload NGINX to apply th #### Download Docker images +[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#configure-docker-for-the-f5-container-registry" >}}) is needed to pull the following container images + {{< include "waf/install-services-images.md" >}} #### Create and run a Docker Compose file @@ -815,6 +883,8 @@ sudo dnf install app-protect-module-plus #### Download Docker images +[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#configure-docker-for-the-f5-container-registry" >}}) is needed to pull the following container images + {{< include "waf/install-services-images.md" >}} #### Create and run a Docker Compose file @@ -913,7 +983,7 @@ http { Copy or move your subscription files into a new folder. -In the same folder as the subscription files, create a _Dockerfile_ based on your desired operating system image using an example from the following sections. +In the same folder as the subscription files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. {{< call-out "note" >}} @@ -949,6 +1019,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ apk update && apk add app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -991,6 +1065,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf -y install app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1046,6 +1124,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ apt-get install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1092,6 +1174,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1135,6 +1221,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1181,6 +1271,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Copy configuration files: COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ @@ -1219,6 +1313,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1274,6 +1372,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ apt-get install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1293,6 +1395,11 @@ CMD ["sh", "/root/entrypoint.sh"] {{< include "waf/install-update-configuration.md" >}} +Once you have updated your configuration files, you can reload NGINX to apply the changes. You have two options depending on your environment: + +- `nginx -s reload` +- `sudo systemctl reload nginx` + F5 WAF for NGINX should now be operational, and you can move onto [Post-installation checks](#post-installation-checks). ## Post-installation checks @@ -1302,3 +1409,9 @@ F5 WAF for NGINX should now be operational, and you can move onto [Post-installa ## Next steps {{< include "waf/install-next-steps.md" >}} + +## Remove NGINX docker image + +Before removing any Docker image, it’s important to ensure that the image is no longer needed and is not in use. + +[docker image rm](https://docs.docker.com/reference/cli/docker/image/rm/) tool \ No newline at end of file diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index be8357310..49f9263b4 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -36,19 +36,35 @@ These enhancements are only available for Helm-based deployments. To complete this guide, you will need the following prerequisites: -- [A functional Kubernetes cluster]({{< ref "/waf/install/kubernetes.md" >}}) -- [Helm](https://helm.sh/docs/intro/install/) -- [Docker](https://docs.docker.com/get-started/get-docker/) -- An active F5 WAF for NGINX subscription (Purchased or trial) -- Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. +- A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) (installed and running). +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. +- [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running, for pulling and managing container images. +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images +- [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. + +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. ## Download your subscription credentials -1. Log in to [MyF5](https://my.f5.com/manage/s/). -1. Go to **My Products & Plans > Subscriptions** to see your active subscriptions. -1. Find your NGINX subscription, and select the **Subscription ID** for details. -1. Download the **SSL Certificate** and **Private Key files** from the subscription page. -1. Download the **JSON Web Token** file from the subscription page. +{{< call-out "note" >}} +To access private-registry.nginx.com, you will need to download the JWT license file even when using NGINX Open Source as a base image. +{{< /call-out >}} + +{{< call-out "note" >}} +If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. +{{< /call-out >}} + +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} + +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + +{{< call-out "note" >}} +When using the provided values.yaml for Helm, setting the `appprotect.config.nginxJWT` value ensures that your JWT license is automatically copied to `/etc/nginx/license.jwt` inside the NGINX container. No additional manual copying of the file is needed when deploying with the provided YAML configuration. +{{< /call-out >}} ## Prepare environment variables @@ -996,7 +1012,7 @@ cd nginx-app-protect kubectl apply -f crds/ ``` -Finish the the process by using `helm upgrade`: +Finish the process by using `helm upgrade`: ```shell helm upgrade . \ diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 1be48c5e5..5ede12007 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -18,25 +18,43 @@ It explains the common steps necessary for any Kubernetes-based deployment, then To complete this guide, you will need the following pre-requisites: -- A functional Kubernetes cluster -- An active F5 WAF for NGINX subscription (Purchased or trial) -- [Docker](https://docs.docker.com/get-started/get-docker/) - -You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. +- A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) (installed and running). +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images +- [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. There is another optional topic to [Add a read-only filesystem for Kubernetes]({{< ref "/waf/configure/kubernetes-read-only.md" >}}) -To review supported operating systems, read the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}) topic. +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. ## Download your subscription credentials -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} +{{< call-out "note" >}} +To access private-registry.nginx.com, you will need to download the JWT license file even when using NGINX Open Source as a base image. +{{< /call-out >}} + +{{< call-out "note" >}} +If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. +{{< /call-out >}} + +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} + +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + +{{< call-out "note" >}} +When using the provided values.yaml for Helm, setting the `appprotect.config.nginxJWT` value ensures that your JWT license is automatically copied to `/etc/nginx/license.jwt` inside the NGINX container. No additional manual copying of the file is needed when deploying with the provided YAML configuration. +{{< /call-out >}} ## Create a Dockerfile -In the same folder as your credential files, create a _Dockerfile_ based on your desired operating system image using an example from the following sections. +In the same folder as your credential files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. Alternatively, you may want make your own image based on a Dockerfile using the official NGINX image: @@ -66,7 +84,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/alpine-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md" >}} {{% /tab %}} @@ -84,7 +102,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/amazon-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md" >}} {{% /tab %}} @@ -102,7 +120,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/debian-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md" >}} {{% /tab %}} @@ -120,7 +138,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/oracle-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md" >}} {{% /tab %}} @@ -138,7 +156,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/rhel8-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md" >}} {{% /tab %}} @@ -156,7 +174,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/rhel9-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md" >}} {{% /tab %}} @@ -174,7 +192,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/rocky9-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md" >}} {{% /tab %}} @@ -192,7 +210,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/ubuntu-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md" >}} {{% /tab %}} @@ -204,9 +222,10 @@ Your folder should contain the following files: - _nginx-repo.crt_ - _nginx-repo.key_ +- _license.jwt_ - _Dockerfile_ -To build an image, use the following command, replacing `` as appropriate: +To build an image, use the following command, replacing as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 \ @@ -224,10 +243,6 @@ From this point, the steps change based on your installation method: ## Use Helm to install F5 WAF for NGINX -### Download your JSON web token - -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} - ### Get the Helm chart To get the Helm chart, first configure Docker for the F5 Container Registry. @@ -250,8 +265,8 @@ cd nginx-app-protect You will need to edit the `values.yaml` file for a few changes: -- Update _appprotect.nginx.image.repository_ and _appprotect.nginx.image.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). -- Update _appprotect.config.nginxJWT_ with your JSON web token +- Update _appprotect.nginx.image.repository_ and _appprotect.nginx.image.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). +- Update _appprotect.config.nginxJWT_ with your JSON web token (Only necessary when using NGINX Plus) - Update _dockerConfigJson_ to contain the base64 encoded Docker registration credentials You can encode your credentials with the following command: @@ -393,63 +408,34 @@ This configuration uses a _hostPath_ backed persistent volume claim. {{< /call-out >}} ```yaml -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: PersistentVolume metadata: - name: nap5-deployment + name: nap5-bundles-pv + labels: + type: local spec: - selector: - matchLabels: - app: nap5 - replicas: 2 - template: - metadata: - labels: - app: nap5 - spec: - imagePullSecrets: - - name: regcred - containers: - - name: nginx - image: /waf: - imagePullPolicy: IfNotPresent - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: waf-enforcer - image: private-registry.nginx.com/nap/waf-enforcer: - imagePullPolicy: IfNotPresent - env: - - name: ENFORCER_PORT - value: "50000" - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: waf-config-mgr - image: private-registry.nginx.com/nap/waf-config-mgr: - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles - volumes: - - name: app-protect-bd-config - emptyDir: {} - - name: app-protect-config - emptyDir: {} - - name: app-protect-bundles - persistentVolumeClaim: - claimName: nap5-bundles-pvc + storageClassName: manual + capacity: + storage: 2Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/mnt/nap5_bundles_pv_data" +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nap5-bundles-pvc +spec: + storageClassName: manual + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi + volumeName: nap5-bundles-pv ``` {{% /tab %}} diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 4b01e1634..cc2f9cce1 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,17 +23,27 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- A working [NGINX Open Source]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-open-source.md" >}}) or [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) instance. -- An active F5 WAF for NGINX subscription (Purchased or trial). +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. +- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. Depending on your deployment type, you may have additional requirements: -- [Docker](https://docs.docker.com/get-started/get-docker/) is required for NGINX Open Source or NGINX Plus type deployments. - -You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. +You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) topics for additional set-up configuration if you want to use them immediately. {{< include "waf/install-selinux-warning.md" >}} +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. + +## Download your subscription credentials + +To use NGINX Plus, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: + +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} + +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + ## Platform-specific instructions Navigate to your chosen operating system, which are alphabetically ordered. @@ -200,6 +210,14 @@ sudo apt-get update sudo apt-get install app-protect ``` +## Install NGINX Plus license + +If you have not already copied your NGINX Plus JWT license file to the `/etc/nginx/` directory (for example, if NGINX Plus was installed automatically as a dependency), do so now: + +```shell +sudo cp .jwt /etc/nginx/license.jwt +``` + ## Update configuration files Once you have installed F5 WAF for NGINX, you must load it as a module in the main context of your NGINX configuration. diff --git a/content/waf/policies/bot-signatures.md b/content/waf/policies/bot-signatures.md index f661990c9..9662817e8 100644 --- a/content/waf/policies/bot-signatures.md +++ b/content/waf/policies/bot-signatures.md @@ -18,7 +18,7 @@ This feature is enabled by default with the `bot-defense` parameter, and include ## Bot signatures -Bot signature detection works by inspecting the the User-Agent header and URI of a request. +Bot signature detection works by inspecting the User-Agent header and URI of a request. Each detected bot signature belongs to a bot class: search engine signatures such as `googlebot` are under the trusted_bots class, but F5 WAF for NGINX performs additional checks to authenticate a trusted bot. diff --git a/content/waf/policies/ip-intelligence.md b/content/waf/policies/ip-intelligence.md index 566f37711..a020023b7 100644 --- a/content/waf/policies/ip-intelligence.md +++ b/content/waf/policies/ip-intelligence.md @@ -76,7 +76,7 @@ tail -f iprepd.log Once complete, you can now [Configure policies for IP intelligence](#configure-policies-for-ip-intelligence). -### Modify Docker compose file +### Modify Docker Compose file {{< call-out "warning" >}} @@ -84,7 +84,7 @@ This section **only** applies to installations using Docker. {{< /call-out >}} -IP intelligence has its own Docker container, which can be added to an existing Docker compose file for deployment. +IP intelligence has its own Docker container, which can be added to an existing Docker Compose file for deployment. First, create the required directory: