From 39a5cc0289ea6d7898607b4df6338676e69bdd9d Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Thu, 10 Jul 2025 15:02:03 +0100 Subject: [PATCH 1/8] feat: Add NAP-WAF Refactor POC --- _banners/waf-v4-warning.md | 5 + _banners/waf-v5-warning.md | 5 + content/waf/_index.md | 45 +++++ content/waf/changelog.md | 159 ++++++++++++++++++ content/waf/features/_index.md | 6 + content/waf/fundamentals/_index.md | 5 + content/waf/fundamentals/overview.md | 23 +++ .../fundamentals/technical-specifications.md | 27 +++ content/waf/install/_index.md | 5 + content/waf/install/disconnect-environment.md | 32 ++++ content/waf/install/docker.md | 30 ++++ content/waf/install/kubernetes.md | 29 ++++ content/waf/install/uninstall.md | 30 ++++ content/waf/install/upgrade.md | 30 ++++ content/waf/install/virtual-environment.md | 37 ++++ content/waf/kubernetes/_index.md | 5 + content/waf/kubernetes/build-nic.md | 23 +++ content/waf/kubernetes/configure-nic.md | 23 +++ content/waf/kubernetes/install-nic.md | 23 +++ content/waf/kubernetes/nim-policy-compile.md | 23 +++ content/waf/policies/_index.md | 5 + content/waf/policies/configuration.md | 21 +++ content/waf/policies/parameter-reference.md | 15 ++ content/waf/signatures/_index.md | 5 + content/waf/signatures/attacks.md | 21 +++ content/waf/signatures/bots.md | 21 +++ content/waf/signatures/threat-campaigns.md | 21 +++ content/waf/support.md | 27 +++ content/waf/tools/_index.md | 5 + content/waf/tools/compiler.md | 21 +++ content/waf/tools/converter.md | 26 +++ 31 files changed, 753 insertions(+) create mode 100644 _banners/waf-v4-warning.md create mode 100644 _banners/waf-v5-warning.md create mode 100644 content/waf/_index.md create mode 100644 content/waf/changelog.md create mode 100644 content/waf/features/_index.md create mode 100644 content/waf/fundamentals/_index.md create mode 100644 content/waf/fundamentals/overview.md create mode 100644 content/waf/fundamentals/technical-specifications.md create mode 100644 content/waf/install/_index.md create mode 100644 content/waf/install/disconnect-environment.md create mode 100644 content/waf/install/docker.md create mode 100644 content/waf/install/kubernetes.md create mode 100644 content/waf/install/uninstall.md create mode 100644 content/waf/install/upgrade.md create mode 100644 content/waf/install/virtual-environment.md create mode 100644 content/waf/kubernetes/_index.md create mode 100644 content/waf/kubernetes/build-nic.md create mode 100644 content/waf/kubernetes/configure-nic.md create mode 100644 content/waf/kubernetes/install-nic.md create mode 100644 content/waf/kubernetes/nim-policy-compile.md create mode 100644 content/waf/policies/_index.md create mode 100644 content/waf/policies/configuration.md create mode 100644 content/waf/policies/parameter-reference.md create mode 100644 content/waf/signatures/_index.md create mode 100644 content/waf/signatures/attacks.md create mode 100644 content/waf/signatures/bots.md create mode 100644 content/waf/signatures/threat-campaigns.md create mode 100644 content/waf/support.md create mode 100644 content/waf/tools/_index.md create mode 100644 content/waf/tools/compiler.md create mode 100644 content/waf/tools/converter.md diff --git a/_banners/waf-v4-warning.md b/_banners/waf-v4-warning.md new file mode 100644 index 000000000..439427638 --- /dev/null +++ b/_banners/waf-v4-warning.md @@ -0,0 +1,5 @@ +{{< banner "caution" "This page is for NGINX App Protect v4.xx" >}} + This documentation is intended for NGINX App Protect v4.xx. + + For an NGINX App Protect v5.xx installation, see [Install NGINX App Protect and NGINX Ingress Controller with Docker and Helm]({{< ref "/waf/kubernetes/install-nic.md">}}) +{{}} \ No newline at end of file diff --git a/_banners/waf-v5-warning.md b/_banners/waf-v5-warning.md new file mode 100644 index 000000000..0109245a1 --- /dev/null +++ b/_banners/waf-v5-warning.md @@ -0,0 +1,5 @@ +{{< banner "caution" "This page is for NGINX App Protect v5.xx" >}} + This documentation is intended for NGINX App Protect v5.xx. + + For an NGINX App Protect v4.xx installation, see [Deploy NGINX App Protect WAF in a virtual environment]({{< ref "/waf/install/virtual-environment.md">}}) +{{}} \ No newline at end of file diff --git a/content/waf/_index.md b/content/waf/_index.md new file mode 100644 index 000000000..c09e72aa4 --- /dev/null +++ b/content/waf/_index.md @@ -0,0 +1,45 @@ +--- +# The title is the product name +title: F5 NGINX App Protect WAF +# The URL is the base of the deployed path, becoming "docs.nginx.com//" +url: /app-protect-waf/ +# The cascade directive applies its nested parameters down the page tree until overwritten +cascade: + # The logo file is resolved from the theme, in the folder /static/images/icons/ + logo: NGINX-App-Protect-WAF-product-icon.svg +# The subtitle displays directly underneath the heading of a given page +nd-subtitle: A lightweight, high-performance web application firewall for protecting APIs and applications +# Indicates that this is a custom landing page +nd-landing-page: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: landing-page +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +## About + +Defend your applications and APIs with a software security solution that seamlessly integrates into DevOps environments as a lightweight web application firewall (WAF), layer 7 denial-of-service (DoS) protection, bot protection, API security, and threat intelligence services. + +## Featured content +[//]: # "You can add a maximum of three cards: any extra will not display." +[//]: # "One card will take full width page: two will take half width each. Three will stack like an inverse pyramid." +[//]: # "Some examples of content could be the latest release note, the most common install path, and a popular new feature." + +{{}} + {{}} + {{}} + Explore the methods available to deploy NGINX App Protect WAF in your environment. + {{}} + + + {{}} + Review the latest changes and improvements to NGINX App Protect WAF. + {{}} + {{}} +{{}} + + \ No newline at end of file diff --git a/content/waf/changelog.md b/content/waf/changelog.md new file mode 100644 index 000000000..9d06aa13f --- /dev/null +++ b/content/waf/changelog.md @@ -0,0 +1,159 @@ +--- +# We use sentence case and present imperative tone +title: "Changelog" +# Weights are assigned in increments of 100: determines sorting order +weight: 800 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to act as a single reference point for changes between each release. "Changelog" is the term being adopted across the entire NGINX product ecosystem. + +Since both versions of NGINX App Protect WAF are released at the same time, they can be stored in the same note. Change items for only one specific version are explicitly annotated when necessary. + +Updating the content of this page will likely be automated in the future, following some procedural changes to how tickets are managed within JIRA. + +{{}} + +This changelog lists all of the information for F5 NGINX App Protect WAF releases in 2025. + +For older releases, check the changelogs for previous years: [2024](), [2023](). + +## NGINX App Protect WAF 5.7 / 4.15 + +### New features + +- Added support for Rocky Linux 9 +- Added support for IP Intelligence +- Added support for Override rules for IP Address Lists + +### Important notes + +- Ubuntu 20.04 is no longer supported +- (12447) Upgrade libk5crypto3 package +- (12520) Upgrade Go compiler to 1.23.8 + +### Resolved issues + +- (12527) Remove CPAN - installed certs and source files +- (11112) Remove systemd/init.d leftovers in NAP WAF v5 pkgs +- (12400) Cookie attributes are not added to a TS cookie when there is more than one TS cookie +- (12498) Undefined behavior when using huge XFF +- (12731) Multiple clean_resp_reset internal error messages in logs when loading NAP + +### 5.7 packages + +#### NGINX Open Source + +| Distribution name | Package file | +|--------------------------|-------------------------------------------------------------------| +| Alpine 3.19 | _app-protect-module-oss-1.27.4+5.442.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.27.4+5.442.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.27.4+5.442.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.27.4+5.442.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.27.4+5.442.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.27.4+5.442.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.442.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.442.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 and Rocky Linux 9 | _app-protect-module-oss-1.27.4+5.442.0-1.el9.ngx.x86_64.rpm_ | + +#### NGINX Plus + +| Distribution name | Package file | +|--------------------------|----------------------------------------------------------------| +| Alpine 3.19 | _app-protect-module-plus-34+5.442.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-plus-34+5.442.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-plus_34+5.442.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-plus_34+5.442.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-plus-34+5.442.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 22.04 | _app-protect-module-plus_34+5.442.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-plus_34+5.442.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-plus-34+5.442.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 and Rocky Linux 9 | _app-protect-module-plus-34+5.442.0-1.el9.ngx.x86_64.rpm_ | + +### 4.15 packages + +| Distribution name | Package file | +|--------------------------|----------------------------------------------------| +| Alpine 3.19 | _app-protect-34.5.442.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-34+5.442.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect_34+5.442.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect_34+5.442.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-34+5.442.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 22.04 | _app-protect_34+5.442.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect_34+5.442.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-34+5.442.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 and Rocky Linux 9 | _app-protect-34+5.442.0-1.el9.ngx.x86_64.rpm_ | + +## NGINX App Protect WAF 5.6 / 4.14 + +### New features + +- Added support for NGINX Plus R34 +- **5.6 Only:** You can now [deploy NGINX App Protect WAF 5+ using a Helm chart]({{< ref "/nap-waf/v5/admin-guide/deploy-with-helm.md">}}) + +### Important notes + +- Alpine 3.17 is no longer supported + +### Resolved issues + +- Upgraded the Go compiler to 1.23.7 +- (12140) Changed the maximum memory of the XML processing engine to 8GB +- (12254) A modified YAML file referenced by a JSON policy file causes a reload error when running `nginx -t` +- (12296) "Violation Bad Unescape" is not enabled by default +- (12297) "Violation Encoding" is not enabled by default + +### 5.6 packages + +#### NGINX Open Source + +| Distribution name | Package file | +|--------------------------|-------------------------------------------------------------------| +| Alpine 3.19 | _app-protect-module-oss-1.27.4+5.342.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.27.4+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.27.4+5.342.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.27.4+5.342.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.27.4+5.342.0-1.el9.ngx.x86_64.rpm_ | + +#### NGINX Plus + +| Distribution name | Package file | +|--------------------------|----------------------------------------------------------------| +| Alpine 3.19 | _app-protect-module-plus-34+5.342.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-plus-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-plus_34+5.342.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-plus_34+5.342.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-plus_34+5.342.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-plus_34+5.342.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-plus_34+5.342.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-plus-34+5.342.0-1.el9.ngx.x86_64.rpm_ | + +### 4.14 packages + +| Distribution name | Package file | +|--------------------------|----------------------------------------------------| +| Alpine 3.19 | _app-protect-34.5.342.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect_34+5.342.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect_34+5.342.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect_34+5.342.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect_34+5.342.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect_34+5.342.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-34+5.342.0-1.el9.ngx.x86_64.rpm_ | \ No newline at end of file diff --git a/content/waf/features/_index.md b/content/waf/features/_index.md new file mode 100644 index 000000000..05cb5a884 --- /dev/null +++ b/content/waf/features/_index.md @@ -0,0 +1,6 @@ +--- +title: "Features" +url: /app-protect-waf/features/ +weight: 700 +draft: true +--- \ No newline at end of file diff --git a/content/waf/fundamentals/_index.md b/content/waf/fundamentals/_index.md new file mode 100644 index 000000000..ed0e1f6a7 --- /dev/null +++ b/content/waf/fundamentals/_index.md @@ -0,0 +1,5 @@ +--- +title: "Fundamentals" +url: /app-protect-waf/fundamentals/ +weight: 100 +--- \ No newline at end of file diff --git a/content/waf/fundamentals/overview.md b/content/waf/fundamentals/overview.md new file mode 100644 index 000000000..5ed5488f7 --- /dev/null +++ b/content/waf/fundamentals/overview.md @@ -0,0 +1,23 @@ +--- +# We use sentence case and present imperative tone +title: "Overview" +# Weights are assigned in increments of 100: determines sorting order +weight: 100 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to describing what NGINX App Protect is, expanding on the detail from the [landing page]({{< ref "/waf/" >}}). + +It is also an opportunity to explain the difference between NGINX App Protect versions, and how integrates with other products in the NGINX ecosystem. + +The text here will likely be synthesized from the Overview descriptions at the top of the [Administration Guides]({{< ref "/nap-waf/v4/admin-guide/install.md#overview" >}}), but there's also detail from [F5.com](https://www.f5.com/products/nginx/nginx-app-protect) that can be added. + +{{}} \ No newline at end of file diff --git a/content/waf/fundamentals/technical-specifications.md b/content/waf/fundamentals/technical-specifications.md new file mode 100644 index 000000000..f02323eac --- /dev/null +++ b/content/waf/fundamentals/technical-specifications.md @@ -0,0 +1,27 @@ +--- +# We use sentence case and present imperative tone +title: "Technical specifications" +# Weights are assigned in increments of 100: determines sorting order +weight: 200 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to act as a single source of truth for supported operating systems and version compatibility. + +It follows a design pattern set by other NGINX product sets, showing various compatibility matrices: + +- [NGINX Plus]({{< ref "/nginx/technical-specs.md" >}}) +- [NGINX Instance Manager]({{< ref "/nim/fundamentals/tech-specs.md" >}}) +- [NGINX Ingress Controller]({{< ref "/nic/technical-specifications.md" >}}) + +It is also where information about the [Supported Security Policy Features]({{< ref "/nap-waf/v4/configuration-guide/configuration.md#supported-security-policy-features" >}}) could be referenced, though most of that detail will instead be kept in the new top-level "Policies" section. + +{{}} \ No newline at end of file diff --git a/content/waf/install/_index.md b/content/waf/install/_index.md new file mode 100644 index 000000000..37944ed9f --- /dev/null +++ b/content/waf/install/_index.md @@ -0,0 +1,5 @@ +--- +title: "Install" +url: /app-protect-waf/install/ +weight: 200 +--- diff --git a/content/waf/install/disconnect-environment.md b/content/waf/install/disconnect-environment.md new file mode 100644 index 000000000..94206bfa5 --- /dev/null +++ b/content/waf/install/disconnect-environment.md @@ -0,0 +1,32 @@ +--- +# We use sentence case and present imperative tone +title: "Deploy NGINX App Protect WAF in a disconnected environment" +# Weights are assigned in increments of 100: determines sorting order +weight: 200 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The term _disconnected environment_ has become the more commmon synonym for an air-gapped or offline installation. It follows the precedent set by NGINX Instance Manager: [Deploy in a disconnected environment -> Install the latest NGINX Instance Manager with a script (disconnected)]({{< ref "/nim/disconnected/offline-install-guide.md" >}}). + +The design intention for this page is as a standalone page for the operating system specific installation use cases: + +- [v4]({{< ref "/nap-waf/v4/admin-guide/install.md#offline-installation" >}}) +- [v5]({{< ref "/nap-waf/v5/admin-guide/install.md#air-gap-install-secure-offline-installation" >}}) + +Instead of having separate top level folders, differences between v4 and v5 will be denoted with whole page sections, tabs, or other unique signifiers. + +This reduces the amount of duplicate content, which makes maintainability much simpler and the text more uniform. + +With the full context of this section, the page is shorter, being concerned only with one specific method of installation. + +This makes it easier to link to specific instructions, and ensures that the customer sees only the critical information they need. + +{{}} \ No newline at end of file diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md new file mode 100644 index 000000000..a90e86e33 --- /dev/null +++ b/content/waf/install/docker.md @@ -0,0 +1,30 @@ +--- +# We use sentence case and present imperative tone +title: "Deploy NGINX App Protect WAF using Docker" +# Weights are assigned in increments of 100: determines sorting order +weight: 300 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is as a standalone page for the operating system specific installation use cases: + +- [v4]({{< ref "/nap-waf/v4/admin-guide/install.md#docker-deployments" >}}) +- [v5]({{< ref "/nap-waf/v5/admin-guide/install.md#waf-services-configuration" >}}) + +Instead of having separate top level folders, differences between v4 and v5 will be denoted with whole page sections, tabs, or other unique signifiers. + +This reduces the amount of duplicate content, which makes maintainability much simpler and the text more uniform. + +With the full context of this section, the page is shorter, being concerned only with one specific method of installation. + +This makes it easier to link to specific instructions, and ensures that the customer sees only the critical information they need. + +{{}} \ No newline at end of file diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md new file mode 100644 index 000000000..282570473 --- /dev/null +++ b/content/waf/install/kubernetes.md @@ -0,0 +1,29 @@ +--- +# We use sentence case and present imperative tone +title: "Deploy NGINX App Protect WAF using Kubernetes" +# Weights are assigned in increments of 100: determines sorting order +weight: 400 +# Creates a table of contents and sidebar, useful for large documents +toc: false +nd-banner: + enabled: true + type: deprecation + start-date: 2025-07-07 + md: /_banners/waf-v5-warning.md +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to encapsulate the v5+ deployment methods, currently split between the following two pages: + +- [Deploy NGINX App Protect WAF with Helm]({{< ref "/nap-waf/v5/admin-guide/deploy-with-helm.md" >}}) +- [Deploy NGINX App Protect WAF with Manifests]({{< ref "/nap-waf/v5/admin-guide/deploy-with-manifests.md" >}}) + +In execution it will probably remain two separate files: the warning banner on top of the page will explicitly indicate what version of NAP the instructions are intended for. + +{{}} \ No newline at end of file diff --git a/content/waf/install/uninstall.md b/content/waf/install/uninstall.md new file mode 100644 index 000000000..7937d4e13 --- /dev/null +++ b/content/waf/install/uninstall.md @@ -0,0 +1,30 @@ +--- +# We use sentence case and present imperative tone +title: "Uninstall NGINX App Protect WAF" +# Weights are assigned in increments of 100: determines sorting order +weight: 600 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is as a standalone page for the operating system specific installation use cases: + +- [v4]({{< ref "/nap-waf/v4/admin-guide/install.md#uninstall-app-protect" >}}) +- [v5]({{< ref "/nap-waf/v5/admin-guide/install.md#uninstall-nginx-and-nginx-app-protect-waf-module" >}}) + +Instead of having separate top level folders, differences between v4 and v5 will be denoted with whole page sections, tabs, or other unique signifiers. + +This reduces the amount of duplicate content, which makes maintainability much simpler and the text more uniform. + +With the full context of this section, the page is shorter, being concerned only with one specific method of installation. + +This makes it easier to link to specific instructions, and ensures that the customer sees only the critical information they need. + +{{}} \ No newline at end of file diff --git a/content/waf/install/upgrade.md b/content/waf/install/upgrade.md new file mode 100644 index 000000000..66bb219ea --- /dev/null +++ b/content/waf/install/upgrade.md @@ -0,0 +1,30 @@ +--- +# We use sentence case and present imperative tone +title: "Upgrade NGINX App Protect WAF" +# Weights are assigned in increments of 100: determines sorting order +weight: 500 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is as a standalone page for the operating system specific installation use cases: + +- [v4]({{< ref "/nap-waf/v4/admin-guide/install.md#upgrading-app-protect-to-the-latest-version" >}}) +- [v5]({{< ref "/nap-waf/v5/admin-guide/upgrade-nap-waf.md" >}}) + +Instead of having separate top level folders, differences between v4 and v5 will be denoted with whole page sections, tabs, or other unique signifiers. + +This reduces the amount of duplicate content, which makes maintainability much simpler and the text more uniform. + +With the full context of this section, the page is shorter, being concerned only with one specific method of installation. + +This makes it easier to link to specific instructions, and ensures that the customer sees only the critical information they need. + +{{}} \ No newline at end of file diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md new file mode 100644 index 000000000..f99e3d905 --- /dev/null +++ b/content/waf/install/virtual-environment.md @@ -0,0 +1,37 @@ +--- +# We use sentence case and present imperative tone +title: "Deploy NGINX App Protect WAF in a virtual environment" +# Weights are assigned in increments of 100: determines sorting order +weight: 100 +# Creates a table of contents and sidebar, useful for large documents +toc: false +nd-banner: + enabled: true + type: deprecation + start-date: 2025-07-07 + md: /_banners/waf-v4-warning.md +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is as a standalone page for the operating system specific installation use cases: + +- [v4]({{< ref "/nap-waf/v4/admin-guide/install.md#prerequisites" >}}) +- [v5]({{< ref "/nap-waf/v5/admin-guide/install.md#common-steps-for-nginx-open-source-and-nginx-plus" >}}) + +Instead of having separate top level folders, differences between v4 and v5 will be denoted with whole page sections, tabs, or other unique signifiers. + +This reduces the amount of duplicate content, which makes maintainability much simpler and the text more uniform. + +**For an example of a unique signifier, look at the top of this page.** + +With the full context of this section, the page is shorter, being concerned only with one specific method of installation. + +This makes it easier to link to specific instructions, and ensures that the customer sees only the critical information they need. + +{{}} \ No newline at end of file diff --git a/content/waf/kubernetes/_index.md b/content/waf/kubernetes/_index.md new file mode 100644 index 000000000..9ffa5b5a9 --- /dev/null +++ b/content/waf/kubernetes/_index.md @@ -0,0 +1,5 @@ +--- +title: "Kubernetes" +url: /app-protect-waf/Kubernetes/ +weight: 300 +--- diff --git a/content/waf/kubernetes/build-nic.md b/content/waf/kubernetes/build-nic.md new file mode 100644 index 000000000..49631f084 --- /dev/null +++ b/content/waf/kubernetes/build-nic.md @@ -0,0 +1,23 @@ +--- +# We use sentence case and present imperative tone +title: "Build NGINX App Protect WAF with NGINX Ingress Controller" +# Weights are assigned in increments of 100: determines sorting order +weight: 200 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to migrate the [Build NGINX Ingress Controller with NGINX App Protect WAF]({{< ref "/nic/installation/integrations/app-protect-waf-v5/installation.md" >}}) page. + +As part of changing information architecture for the whole NGINX product portfolio, as much of the context for a specific product is kept within its own documentation set as possible. + +This reduces the amount of "hops" a customer must take across documentation sets, and improves maintainability by reducing the drift that occurs when re-documenting something in multiple places. + +{{}} \ No newline at end of file diff --git a/content/waf/kubernetes/configure-nic.md b/content/waf/kubernetes/configure-nic.md new file mode 100644 index 000000000..d80ba0005 --- /dev/null +++ b/content/waf/kubernetes/configure-nic.md @@ -0,0 +1,23 @@ +--- +# We use sentence case and present imperative tone +title: "Configure NGINX App Protect WAF with NGINX Ingress Controller" +# Weights are assigned in increments of 100: determines sorting order +weight: 300 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to migrate the [Configure NGINX App Protect with NGINX Ingress Controller]({{< ref "/nic/installation/integrations/app-protect-waf-v5/configuration.md" >}}) page. + +As part of changing information architecture for the whole NGINX product portfolio, as much of the context for a specific product is kept within its own documentation set as possible. + +This reduces the amount of "hops" a customer must take across documentation sets, and improves maintainability by reducing the drift that occurs when re-documenting something in multiple places. + +{{}} diff --git a/content/waf/kubernetes/install-nic.md b/content/waf/kubernetes/install-nic.md new file mode 100644 index 000000000..b42f191ce --- /dev/null +++ b/content/waf/kubernetes/install-nic.md @@ -0,0 +1,23 @@ +--- +# We use sentence case and present imperative tone +title: "Install NGINX App Protect and NGINX Ingress Controller with Docker and Helm" +# Weights are assigned in increments of 100: determines sorting order +weight: 100 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to migrate the [Install NGINX Ingress Controller and NGINX App Protect WAF with Docker and Helm]({{< ref "/nic/installation/installing-nic/deploy-with-nap-using-helm.md" >}}) page. + +As part of changing information architecture for the whole NGINX product portfolio, as much of the context for a specific product is kept within its own documentation set as possible. + +This reduces the amount of "hops" a customer must take across documentation sets, and improves maintainability by reducing the drift that occurs when re-documenting something in multiple places. + +{{}} \ No newline at end of file diff --git a/content/waf/kubernetes/nim-policy-compile.md b/content/waf/kubernetes/nim-policy-compile.md new file mode 100644 index 000000000..7a33761ac --- /dev/null +++ b/content/waf/kubernetes/nim-policy-compile.md @@ -0,0 +1,23 @@ +--- +# We use sentence case and present imperative tone +title: "Compile NGINX App Protect WAF policies for NGINX Ingress Controller" +# Weights are assigned in increments of 100: determines sorting order +weight: 400 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to migrate the [Compile NGINX App Protect WAF policies using NGINX Instance Manager]({{< ref "/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md" >}}) page. + +As part of changing information architecture for the whole NGINX product portfolio, as much of the context for a specific product is kept within its own documentation set as possible. + +This reduces the amount of "hops" a customer must take across documentation sets, and improves maintainability by reducing the drift that occurs when re-documenting something in multiple places. + +{{}} \ No newline at end of file diff --git a/content/waf/policies/_index.md b/content/waf/policies/_index.md new file mode 100644 index 000000000..122cb2e1b --- /dev/null +++ b/content/waf/policies/_index.md @@ -0,0 +1,5 @@ +--- +title: "Policies" +url: /app-protect-waf/policies/ +weight: 500 +--- diff --git a/content/waf/policies/configuration.md b/content/waf/policies/configuration.md new file mode 100644 index 000000000..aa47e9161 --- /dev/null +++ b/content/waf/policies/configuration.md @@ -0,0 +1,21 @@ +--- +# We use sentence case and present imperative tone +title: "Configuring Policies" +# Weights are assigned in increments of 100: determines sorting order +weight: 100 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to as a single source of truth to replace the two [Configuration]({{< ref "/nap-waf/v4/configuration-guide/configuration.md" >}}) [Guides]({{< ref "/nap-waf/v4/configuration-guide/configuration.md" >}}) (two separate links). + +Outside of the overlapping information for Policy configuration, the existing pages also include general configuration information, such as for NGINX App Protect WAF itself. This detail can be added to a separate page, ensuring that each document acts as a solution for exactly one problem at a time. + +{{}} \ No newline at end of file diff --git a/content/waf/policies/parameter-reference.md b/content/waf/policies/parameter-reference.md new file mode 100644 index 000000000..68c3c1d6a --- /dev/null +++ b/content/waf/policies/parameter-reference.md @@ -0,0 +1,15 @@ +--- +title: Policy parameter reference +toc: true +weight: 400 +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to act as a single reference point for what has previously existed in documentation as [Declarative Policy]({{< ref "/nap-waf/v4/declarative-policy/policy.md" >}}). + +Like many other pages, a lot of the information was duplicated - this provides a single source of truth, and supports the Policy section by having all of the context for policies close together. + +{{}} + +{{< include "nap-waf/policy.html" >}} diff --git a/content/waf/signatures/_index.md b/content/waf/signatures/_index.md new file mode 100644 index 000000000..de4a9406a --- /dev/null +++ b/content/waf/signatures/_index.md @@ -0,0 +1,5 @@ +--- +title: "Signatures" +url: /app-protect-waf/signatures/ +weight: 600 +--- diff --git a/content/waf/signatures/attacks.md b/content/waf/signatures/attacks.md new file mode 100644 index 000000000..c2c379754 --- /dev/null +++ b/content/waf/signatures/attacks.md @@ -0,0 +1,21 @@ +--- +# We use sentence case and present imperative tone +title: "Update App Protect Attack Signatures" +# Weights are assigned in increments of 100: determines sorting order +weight: 100 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to act as a replacement for the existing [Updating App Protect Attack Signatures]({{< ref "/nap-waf/v4/admin-guide/install.md#updating-app-protect-attack-signatures" >}}) section in the Administration/Install guides. + +Each document should fulfill one specific operation: people may not need information on how to update signatures immediately after installing NGINX App Protect WAF, so this decouples the information into somewhere easily findable. + +{{}} \ No newline at end of file diff --git a/content/waf/signatures/bots.md b/content/waf/signatures/bots.md new file mode 100644 index 000000000..fe9ad6722 --- /dev/null +++ b/content/waf/signatures/bots.md @@ -0,0 +1,21 @@ +--- +# We use sentence case and present imperative tone +title: "Update App Protect Bot Signatures" +# Weights are assigned in increments of 100: determines sorting order +weight: 300 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to act as a replacement for the existing [Updating App Protect Bot Signatures ]({{< ref "/nap-waf/v4/admin-guide/install.md#updating-app-protect-bot-signatures" >}}) section in the Administration/Install guides. + +Each document should fulfill one specific operation: people may not need information on how to update signatures immediately after installing NGINX App Protect WAF, so this decouples the information into somewhere easily findable. + +{{}} \ No newline at end of file diff --git a/content/waf/signatures/threat-campaigns.md b/content/waf/signatures/threat-campaigns.md new file mode 100644 index 000000000..6dffab90c --- /dev/null +++ b/content/waf/signatures/threat-campaigns.md @@ -0,0 +1,21 @@ +--- +# We use sentence case and present imperative tone +title: "Update App Protect Threat Campaign Signatures" +# Weights are assigned in increments of 100: determines sorting order +weight: 200 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to act as a replacement for the existing [Updating App Protect Threat Campaigns ]({{< ref "/nap-waf/v4/admin-guide/install.md#updating-app-protect-threat-campaigns" >}}) section in the Administration/Install guides. + +Each document should fulfill one specific operation: people may not need information on how to update signatures immediately after installing NGINX App Protect WAF, so this decouples the information into somewhere easily findable. + +{{}} \ No newline at end of file diff --git a/content/waf/support.md b/content/waf/support.md new file mode 100644 index 000000000..8bd60d284 --- /dev/null +++ b/content/waf/support.md @@ -0,0 +1,27 @@ +--- +# We use sentence case and present imperative tone +title: "Support" +# Weights are assigned in increments of 100: determines sorting order +weight: 900 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to detail the F5 support policies and other important information a customer might know. + +Some existing content that would be moved to this page are the "_Opening a Support Ticket_" information from [v4]({{< ref "/nap-waf/v4/troubleshooting-guide/troubleshooting.md#opening-a-support-ticket" >}}) and [v5]({{< ref "/nap-waf/v5/troubleshooting-guide/troubleshooting.md#opening-a-support-ticket">}}). + +There's lots of examples of existing support pages, some of which may have includes available for re-use: + +- [NGINX Instance Manager - Where to go for support]({{< ref "/nim/support/contact-support.md" >}}) +- [NGINX Agent - Support]({{< ref "/agent/support.md" >}}) +- [NGINX Ingress Controller - Commercial support]({{< ref "/nic/troubleshooting/troubleshoot-support.md" >}}) + +{{}} \ No newline at end of file diff --git a/content/waf/tools/_index.md b/content/waf/tools/_index.md new file mode 100644 index 000000000..949394753 --- /dev/null +++ b/content/waf/tools/_index.md @@ -0,0 +1,5 @@ +--- +title: "Tools" +url: /app-protect-waf/tools/ +weight: 400 +--- diff --git a/content/waf/tools/compiler.md b/content/waf/tools/compiler.md new file mode 100644 index 000000000..701ec4c64 --- /dev/null +++ b/content/waf/tools/compiler.md @@ -0,0 +1,21 @@ +--- +# We use sentence case and present imperative tone +title: "Build and use the NGINX App Protect WAF Compiler" +# Weights are assigned in increments of 100: determines sorting order +weight: 200 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to act as a new place for the v5 [NGINX App Protect WAF Compiler]({{< ref "/nap-waf/v5/admin-guide/compiler.md">}}) page. + +Information that isn't critically important to a specific task should be moved to its own page. This page is a good example of one that doesn't need to be broken up, but is still moved into a peripheral "Tools" section for when it is necessary. + +{{}} \ No newline at end of file diff --git a/content/waf/tools/converter.md b/content/waf/tools/converter.md new file mode 100644 index 000000000..abcfc61b2 --- /dev/null +++ b/content/waf/tools/converter.md @@ -0,0 +1,26 @@ +--- +# We use sentence case and present imperative tone +title: "Build and use the converter tools" +# Weights are assigned in increments of 100: determines sorting order +weight: 100 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +{{< call-out "warning" "Information architecture note" >}} + +The design intention for this page is to act as a standalone page for the [Converter Tool Docker Image]({{< ref "/nap-waf/v4/admin-guide/install.md#converter-tool-docker-image" >}}) and Converter tools instructions. + +- [v4 Converter tools]({{< ref "/nap-waf/v4/configuration-guide/configuration.md#converter-tools" >}}) +- [v5 Converter tools]({{< ref "/nap-waf/v5/configuration-guide/configuration.md#converter-tools" >}}) + +There are slight differences between the v4 and v5 tool, which will be clearly denoted using tabs or another mechanism. + +The instructions are relatively short, so keeping all the context of building and using them in one place contains them as a discrete use case. + +{{}} \ No newline at end of file From 55821ff6ce3b5d1880fa2d35a5041c05059754b0 Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Wed, 13 Aug 2025 12:56:46 +0100 Subject: [PATCH 2/8] feat: Add overview and compiler pages --- content/waf/_index.md | 12 +- content/waf/fundamentals/overview.md | 17 +- content/waf/policies/configuration.md | 4 +- content/waf/tools/compiler.md | 262 +++++++++++++++++++++++++- 4 files changed, 281 insertions(+), 14 deletions(-) diff --git a/content/waf/_index.md b/content/waf/_index.md index c09e72aa4..e2241bf33 100644 --- a/content/waf/_index.md +++ b/content/waf/_index.md @@ -1,8 +1,8 @@ --- # The title is the product name -title: F5 NGINX App Protect WAF +title: "F5 WAF for NGINX" # The URL is the base of the deployed path, becoming "docs.nginx.com//" -url: /app-protect-waf/ +url: /waf/ # The cascade directive applies its nested parameters down the page tree until overwritten cascade: # The logo file is resolved from the theme, in the folder /static/images/icons/ @@ -29,17 +29,11 @@ Defend your applications and APIs with a software security solution that seamles {{}} {{}} - {{}} + {{}} Explore the methods available to deploy NGINX App Protect WAF in your environment. {{}} - - {{}} Review the latest changes and improvements to NGINX App Protect WAF. {{}} {{}} {{}} - - \ No newline at end of file diff --git a/content/waf/fundamentals/overview.md b/content/waf/fundamentals/overview.md index 5ed5488f7..3e3c98a7b 100644 --- a/content/waf/fundamentals/overview.md +++ b/content/waf/fundamentals/overview.md @@ -20,4 +20,19 @@ It is also an opportunity to explain the difference between NGINX App Protect ve The text here will likely be synthesized from the Overview descriptions at the top of the [Administration Guides]({{< ref "/nap-waf/v4/admin-guide/install.md#overview" >}}), but there's also detail from [F5.com](https://www.f5.com/products/nginx/nginx-app-protect) that can be added. -{{}} \ No newline at end of file +{{< /call-out >}} + +[F5 WAF for NGINX](https://www.f5.com/products/nginx/nginx-app-protect) is an advanced, lightweight and high-performance web application firewall (WAF) for applications and APIs. + +It provides protection for the OWASP Top 10, with additional functionality: + +- HTTP response inspection and protocol compliance +- Data schema validation (JSON & XML) +- Meta character checking +- Disallowing file types + +For full details, see the [Supported Security Policy features]({{< ref "/waf/policies/configuration.md">}}). + +F5 WAF for NGINX is part of the [NGINX One](https://www.f5.com/products/nginx/one) premium packages and runs natively on [NGINX Plus](https://www.f5.com/products/nginx/nginx-plus) and [NGINX Ingress Controller](https://www.f5.com/products/nginx/nginx-ingress-controller). + +It is platform-agnostic and supports deployment options ranging from edge load balancers to individual pods in Kubernetes clusters. diff --git a/content/waf/policies/configuration.md b/content/waf/policies/configuration.md index aa47e9161..701b0af23 100644 --- a/content/waf/policies/configuration.md +++ b/content/waf/policies/configuration.md @@ -18,4 +18,6 @@ The design intention for this page is to as a single source of truth to replace Outside of the overlapping information for Policy configuration, the existing pages also include general configuration information, such as for NGINX App Protect WAF itself. This detail can be added to a separate page, ensuring that each document acts as a solution for exactly one problem at a time. -{{}} \ No newline at end of file +{{}} + +## Supported Security Policy features \ No newline at end of file diff --git a/content/waf/tools/compiler.md b/content/waf/tools/compiler.md index 701ec4c64..481db57df 100644 --- a/content/waf/tools/compiler.md +++ b/content/waf/tools/compiler.md @@ -1,10 +1,10 @@ --- # We use sentence case and present imperative tone -title: "Build and use the NGINX App Protect WAF Compiler" +title: "Build and use the F5 WAF for NGINX compiler" # Weights are assigned in increments of 100: determines sorting order weight: 200 # Creates a table of contents and sidebar, useful for large documents -toc: false +toc: true # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to # Intended for internal catalogue and search, case sensitive: @@ -18,4 +18,260 @@ The design intention for this page is to act as a new place for the v5 [NGINX Ap Information that isn't critically important to a specific task should be moved to its own page. This page is a good example of one that doesn't need to be broken up, but is still moved into a peripheral "Tools" section for when it is necessary. -{{}} \ No newline at end of file +**13/08/2025:** What version of F5 WAF does this work with? + +{{}} + +This document describes how to use the F5 WAF for NGINX compiler, a tool for converting security policies and logging profiles from JSON to a bundle file that F5 WAF can process and apply. + +You can use it to get the latest security updates for Attack Signatures, Threat Campaigns and Bot Signatures. The compiler is packaged as a Docker image and can executed using the Docker CLI or as part of a continuous integration/ continuous delivery (CI/CD) pipeline. + +One or more bundle files can be referenced in the NGINX configuration file, and you can configure global settings such as the cookie seed and user-defined signatures. + + +## Before you begin + +To complete this guide, you will need the following prerequisites: + +- [Docker](https://docs.docker.com/get-started/get-docker/) +- An NGINX Plus subscription (purchased or trial) +- Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. + +## Download your subscription credential files + +{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} + +## Set up Docker for the F5 Container Registry + +Create a directory and copy your certificate and key to this directory: + +```shell +mkdir -p /etc/docker/certs.d/private-registry.nginx.com +cp /etc/docker/certs.d/private-registry.nginx.com/client.cert +cp /etc/docker/certs.d/private-registry.nginx.com/client.key +``` + +Log in to the Docker registry: + +```shell +docker login private-registry.nginx.com +``` + +## Create the Dockerfile + +```dockerfile +# syntax=docker/dockerfile:1 +ARG BASE_IMAGE=private-registry.nginx.com/nap/waf-compiler: +FROM ${BASE_IMAGE} + +# Installing packages as root +USER root + +ENV DEBIAN_FRONTEND="noninteractive" + +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + apt-get update \ + && apt-get install -y \ + apt-transport-https \ + lsb-release \ + ca-certificates \ + wget \ + gnupg2 \ + ubuntu-keyring \ + && wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor | \ + tee /usr/share/keyrings/app-protect-security-updates.gpg >/dev/null \ + && printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] \ + https://pkgs.nginx.com/app-protect-security-updates/ubuntu `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-app-protect.list \ + && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ + && apt-get update \ + && apt-get install -y \ + app-protect-attack-signatures \ + app-protect-bot-signatures \ + app-protect-threat-campaigns \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# non-root default user (UID 101) +USER nginx +``` + +{{< call-out "note" >}} + +You can can upgrade or downgrade one of the Signatures by specifying a specific version, such as _app-protect-attack-signatures-2020.04.30_. + +{{< /call-out >}} + +You can use the Docker registry API to list the available image tags. + +Replace `` with the location of your client key and `` with the location of your client certificate. + +```shell +curl -s https://private-registry.nginx.com/v2/nap/waf-compiler/tags/list --key --cert +``` +```json +{ + "name": "nap/waf-compiler", + "tags": [ + "1.0.0", + "5.1.0", + "5.2.0" + ] +} +``` + +The [jq](https://jqlang.github.io/jq/) command was used to format the example output + + +## Build the container image + +Run the following command to build your image, where `waf-compiler-:custom` is an example of the image tag: + +```shell +sudo docker build --no-cache --platform linux/amd64 \ +--secret id=nginx-crt,src=nginx-repo.crt \ +--secret id=nginx-key,src=nginx-repo.key \ +-t waf-compiler-:custom . +``` + +{{< call-out "warning" >}} + +Never upload your F5 WAF for NGINX images to a public container registry such as Docker Hub. Doing so violates your license agreement. + +{{< /call-out >}} + +## Using the compiler + +This section uses `version-tag` as a placeholder in its examples, following the previous section. Ensure that all input files are accessible to UID 101. + +### Compile a security policy + +To compile a security policy from a JSON file and create a policy bundle, run the following command: + +```shell +docker run --rm \ + -v $(pwd):$(pwd) \ + waf-compiler-:custom \ + -p $(pwd)/policy.json -o $(pwd)/compiled_policy.tgz +``` + +{{< call-out "warning" >}} + +Ensure that the output directory is writable, otherwise you may encounter a permission denied error. + +{{< /call-out >}} + +To use multiple policy bundles within a single NGINX configuration, you must supply a [global settings](#global-settings) JSON file. + +This ensures that all bundles have a common foundation such as cookie seed and user-defined signatures. + +An example `global_settings.json` might look as follows: + +```json +{ + "waf-settings": { + "cookie-protection": { + "seed": "" + } + } +} +``` + +To compile a policy with global settings, add the `-g` parameter: + +```shell +docker run --rm \ + -v $(pwd):$(pwd) \ + waf-compiler-1.0.0:custom \ + -g $(pwd)/global_settings.json -p $(pwd)/policy.json -o $(pwd)/compiled_policy.tgz +``` + +You can incorporate the source of the policy (as `policy.json`) or logging profile (as `logging_profile.json`) into the final bundle using the `-include-source` parameter. + +```shell +docker run --rm \ + -v $(pwd):$(pwd) \ + waf-compiler-1.0.0:custom \ + -include-source -full-export -g $(pwd)/global_settings.json -p $(pwd)/policy.json -o $(pwd)/compiled_policy.tgz +``` + +This will transform any configuration that relies on external references into an inline configuration within the bundled source. + +Additionally, when `-include-source` is combined with `-full-export`, the policy.json within the bundle will contain the entire source policy, including any default settings from the base template. + +### Compile a logging profile + +To compile a logging profile, execute the command below: + +```shell +docker run \ + -v $(pwd):$(pwd) \ + waf-compiler-:custom \ + -l $(pwd)/log_01.json -o $(pwd)/log01.tgz +``` + +### View bundle information + +To view information about a bundle file, such as attack signatures versions, use the following command: + +```shell +docker run \ + -v $(pwd):$(pwd) \ + waf-compiler-:custom \ + -dump -bundle $(pwd)/compiled_policy.tgz +``` + +## Global settings + +The global settings allows configuration of the following items: + +### cookie-protection + +{{}} +| Field Name | Type | Description | +|-|-|-| +| seed | string | The seed value is used by F5 NGINX App Protect WAF to generate the encryption key for the cookies it creates. These cookies are used for various purposes such as validating the integrity of the cookies generated by the application. Use a random alphanumeric string of at least 20 characters length (but not more than 1000 characters). | +{{}} + +### user-defined-signatures + +{{}} +| Field Name | Reference | Type | Description | +|-|-|-|-| +| $ref | Yes | string | Path to the file that contains the user defined signatures. | +{{}} + +#### Example + +```json +{ + "waf-settings": { + "cookie-protection": { + "seed": "80miIOiSeXfvNBiDJV4t" + }, + "user-defined-signatures": [ + { + "$ref": "file:///policies/uds.json" + } + ] + } +} +``` + +{{< call-out "warning" >}} + +When deploying multiple scalability instances (Such as Kubernetes deployment replicas), ensure that all policy bundles are compiled with the same global settings and security updates. + +{{< /call-out >}} + + +## Using the compiler in a CI/CD process + +When executing commands inside the compiler container, ensure that you use `/opt/app_protect/bin/apcompile` as the compiler binary. + +This is particularly important if you're overriding the default entry point as part of a CI/CD process. + +```shell +/opt/app_protect/bin/apcompile -g /path/to/global_settings.json -p /path/to/policy.json -o /path/to/compiled_policy.tgz +``` \ No newline at end of file From 901c42cad012942362a8fbcc24f44f7245aa0421 Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Fri, 15 Aug 2025 14:30:37 +0100 Subject: [PATCH 3/8] feat: Add Support page content --- _banners/waf-v4-warning.md | 5 - _banners/waf-v5-warning.md | 5 - content/waf/_index.md | 14 +- content/waf/fundamentals/overview.md | 2 +- .../fundamentals/technical-specifications.md | 26 +++- content/waf/install/_index.md | 2 +- ...ronment.md => disconnected-environment.md} | 10 +- content/waf/install/docker.md | 4 +- content/waf/install/kubernetes.md | 9 +- content/waf/install/uninstall.md | 2 +- content/waf/install/upgrade.md | 2 +- content/waf/install/virtual-environment.md | 19 +-- content/waf/support.md | 131 +++++++++++++++++- 13 files changed, 177 insertions(+), 54 deletions(-) delete mode 100644 _banners/waf-v4-warning.md delete mode 100644 _banners/waf-v5-warning.md rename content/waf/install/{disconnect-environment.md => disconnected-environment.md} (75%) diff --git a/_banners/waf-v4-warning.md b/_banners/waf-v4-warning.md deleted file mode 100644 index 439427638..000000000 --- a/_banners/waf-v4-warning.md +++ /dev/null @@ -1,5 +0,0 @@ -{{< banner "caution" "This page is for NGINX App Protect v4.xx" >}} - This documentation is intended for NGINX App Protect v4.xx. - - For an NGINX App Protect v5.xx installation, see [Install NGINX App Protect and NGINX Ingress Controller with Docker and Helm]({{< ref "/waf/kubernetes/install-nic.md">}}) -{{}} \ No newline at end of file diff --git a/_banners/waf-v5-warning.md b/_banners/waf-v5-warning.md deleted file mode 100644 index 0109245a1..000000000 --- a/_banners/waf-v5-warning.md +++ /dev/null @@ -1,5 +0,0 @@ -{{< banner "caution" "This page is for NGINX App Protect v5.xx" >}} - This documentation is intended for NGINX App Protect v5.xx. - - For an NGINX App Protect v4.xx installation, see [Deploy NGINX App Protect WAF in a virtual environment]({{< ref "/waf/install/virtual-environment.md">}}) -{{}} \ No newline at end of file diff --git a/content/waf/_index.md b/content/waf/_index.md index e2241bf33..c4111cfb1 100644 --- a/content/waf/_index.md +++ b/content/waf/_index.md @@ -23,17 +23,17 @@ nd-product: NAP-WAF Defend your applications and APIs with a software security solution that seamlessly integrates into DevOps environments as a lightweight web application firewall (WAF), layer 7 denial-of-service (DoS) protection, bot protection, API security, and threat intelligence services. ## Featured content -[//]: # "You can add a maximum of three cards: any extra will not display." -[//]: # "One card will take full width page: two will take half width each. Three will stack like an inverse pyramid." -[//]: # "Some examples of content could be the latest release note, the most common install path, and a popular new feature." {{}} {{}} - {{}} - Explore the methods available to deploy NGINX App Protect WAF in your environment. + {{}} + Learn about how F5 WAF for NGINX works and how it can be used to protect your applications {{}} - {{}} - Review the latest changes and improvements to NGINX App Protect WAF. + {{}} + Explore the methods available to deploy F5 WAF for NGINX in your environment + {{}} + {{}} + Review the latest changes and improvements to F5 WAF for NGINX {{}} {{}} {{}} diff --git a/content/waf/fundamentals/overview.md b/content/waf/fundamentals/overview.md index 3e3c98a7b..2d591539e 100644 --- a/content/waf/fundamentals/overview.md +++ b/content/waf/fundamentals/overview.md @@ -31,7 +31,7 @@ It provides protection for the OWASP Top 10, with additional functionality: - Meta character checking - Disallowing file types -For full details, see the [Supported Security Policy features]({{< ref "/waf/policies/configuration.md">}}). +For more details, see the [Supported Security Policy features]({{< ref "/waf/fundamentals/technical-specifications.md#supported-security-policy-features">}}). F5 WAF for NGINX is part of the [NGINX One](https://www.f5.com/products/nginx/one) premium packages and runs natively on [NGINX Plus](https://www.f5.com/products/nginx/nginx-plus) and [NGINX Ingress Controller](https://www.f5.com/products/nginx/nginx-ingress-controller). diff --git a/content/waf/fundamentals/technical-specifications.md b/content/waf/fundamentals/technical-specifications.md index f02323eac..6d7ae2af8 100644 --- a/content/waf/fundamentals/technical-specifications.md +++ b/content/waf/fundamentals/technical-specifications.md @@ -6,7 +6,7 @@ weight: 200 # Creates a table of contents and sidebar, useful for large documents toc: false # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this -nd-content-type: how-to +nd-content-type: reference # Intended for internal catalogue and search, case sensitive: # Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit nd-product: NAP-WAF @@ -24,4 +24,26 @@ It follows a design pattern set by other NGINX product sets, showing various com It is also where information about the [Supported Security Policy Features]({{< ref "/nap-waf/v4/configuration-guide/configuration.md#supported-security-policy-features" >}}) could be referenced, though most of that detail will instead be kept in the new top-level "Policies" section. -{{}} \ No newline at end of file +{{}} + +This page outlines the technical specifications for F5 WAF for NGINX, which includes the minimum requirements and supported platforms. + +## Supported deployment environments + +You can deploy F5 WAF for NGINX in the following environments: + +- **Virtual environment** (or bare metal) +- **Container** (Docker) +- **Kubernetes** + +View the [Install section]({{< ref "/waf/install/" >}}) for information on deploying F5 WAF for NGINX. + +## Supported operating systems + +## Supported NGINX versions + +## Supported Security Policy features + +The following Security Policy features are available with F5 WAF for NGINX. + +For additional information on each feature, view the [Configuring Policies]({{< ref "/waf/policies/configuration.md" >}}) topic. \ No newline at end of file diff --git a/content/waf/install/_index.md b/content/waf/install/_index.md index 37944ed9f..0776e1afb 100644 --- a/content/waf/install/_index.md +++ b/content/waf/install/_index.md @@ -2,4 +2,4 @@ title: "Install" url: /app-protect-waf/install/ weight: 200 ---- +--- \ No newline at end of file diff --git a/content/waf/install/disconnect-environment.md b/content/waf/install/disconnected-environment.md similarity index 75% rename from content/waf/install/disconnect-environment.md rename to content/waf/install/disconnected-environment.md index 94206bfa5..be7488886 100644 --- a/content/waf/install/disconnect-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -1,8 +1,8 @@ --- # We use sentence case and present imperative tone -title: "Deploy NGINX App Protect WAF in a disconnected environment" +title: "Deploy F5 WAF for NGINX in a disconnected environment" # Weights are assigned in increments of 100: determines sorting order -weight: 200 +weight: 400 # Creates a table of contents and sidebar, useful for large documents toc: false # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this @@ -23,10 +23,4 @@ The design intention for this page is as a standalone page for the operating sys Instead of having separate top level folders, differences between v4 and v5 will be denoted with whole page sections, tabs, or other unique signifiers. -This reduces the amount of duplicate content, which makes maintainability much simpler and the text more uniform. - -With the full context of this section, the page is shorter, being concerned only with one specific method of installation. - -This makes it easier to link to specific instructions, and ensures that the customer sees only the critical information they need. - {{}} \ No newline at end of file diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index a90e86e33..4a56a30f5 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -1,8 +1,8 @@ --- # We use sentence case and present imperative tone -title: "Deploy NGINX App Protect WAF using Docker" +title: "Deploy F5 WAF for NGINX using Docker" # Weights are assigned in increments of 100: determines sorting order -weight: 300 +weight: 200 # Creates a table of contents and sidebar, useful for large documents toc: false # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 282570473..12bfe6947 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -1,15 +1,10 @@ --- # We use sentence case and present imperative tone -title: "Deploy NGINX App Protect WAF using Kubernetes" +title: "Deploy F5 WAF for NGINX using Kubernetes" # Weights are assigned in increments of 100: determines sorting order -weight: 400 +weight: 300 # Creates a table of contents and sidebar, useful for large documents toc: false -nd-banner: - enabled: true - type: deprecation - start-date: 2025-07-07 - md: /_banners/waf-v5-warning.md # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to # Intended for internal catalogue and search, case sensitive: diff --git a/content/waf/install/uninstall.md b/content/waf/install/uninstall.md index 7937d4e13..3c0d171e7 100644 --- a/content/waf/install/uninstall.md +++ b/content/waf/install/uninstall.md @@ -1,6 +1,6 @@ --- # We use sentence case and present imperative tone -title: "Uninstall NGINX App Protect WAF" +title: "Uninstall F5 WAF for NGINX" # Weights are assigned in increments of 100: determines sorting order weight: 600 # Creates a table of contents and sidebar, useful for large documents diff --git a/content/waf/install/upgrade.md b/content/waf/install/upgrade.md index 66bb219ea..d0e18d8fe 100644 --- a/content/waf/install/upgrade.md +++ b/content/waf/install/upgrade.md @@ -1,6 +1,6 @@ --- # We use sentence case and present imperative tone -title: "Upgrade NGINX App Protect WAF" +title: "Upgrade F5 WAF for NGINX" # Weights are assigned in increments of 100: determines sorting order weight: 500 # Creates a table of contents and sidebar, useful for large documents diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index f99e3d905..6b8cbf45c 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -1,15 +1,10 @@ --- # We use sentence case and present imperative tone -title: "Deploy NGINX App Protect WAF in a virtual environment" +title: "Deploy F5 WAF for NGINX in a virtual environment" # Weights are assigned in increments of 100: determines sorting order weight: 100 # Creates a table of contents and sidebar, useful for large documents toc: false -nd-banner: - enabled: true - type: deprecation - start-date: 2025-07-07 - md: /_banners/waf-v4-warning.md # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to # Intended for internal catalogue and search, case sensitive: @@ -26,12 +21,12 @@ The design intention for this page is as a standalone page for the operating sys Instead of having separate top level folders, differences between v4 and v5 will be denoted with whole page sections, tabs, or other unique signifiers. -This reduces the amount of duplicate content, which makes maintainability much simpler and the text more uniform. +{{}} -**For an example of a unique signifier, look at the top of this page.** +This page describes how to install F5 WAF for NGINX on a virtual machine or bare metal environment. To review supported operating systems, please read the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}) guide. -With the full context of this section, the page is shorter, being concerned only with one specific method of installation. +There are multiple alternative deployment methods available: -This makes it easier to link to specific instructions, and ensures that the customer sees only the critical information they need. - -{{}} \ No newline at end of file +- [Deploy F5 WAF for NGINX using Docker]({{< ref "/waf/install/docker.md" >}}) +- [Deploy F5 WAF for NGINX using Kubernetes]({{< ref "/waf/install/kubernetes.md" >}}) +- [Deploy F5 WAF for NGINX in a disconnected environment]({{< ref "/waf/install/disconnected-environment.md" >}}) \ No newline at end of file diff --git a/content/waf/support.md b/content/waf/support.md index 8bd60d284..ed6a02832 100644 --- a/content/waf/support.md +++ b/content/waf/support.md @@ -4,7 +4,7 @@ title: "Support" # Weights are assigned in increments of 100: determines sorting order weight: 900 # Creates a table of contents and sidebar, useful for large documents -toc: false +toc: true # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to # Intended for internal catalogue and search, case sensitive: @@ -24,4 +24,131 @@ There's lots of examples of existing support pages, some of which may have inclu - [NGINX Agent - Support]({{< ref "/agent/support.md" >}}) - [NGINX Ingress Controller - Commercial support]({{< ref "/nic/troubleshooting/troubleshoot-support.md" >}}) -{{}} \ No newline at end of file +{{}} + +## Support policy + +F5 WAF for NGINX adheres to the support policy detailed in the following knowledge base article: [K000140156](https://my.f5.com/manage/s/article/K000140156). + +## Contact F5 Support + +For questions or assistance with installing, troubleshooting, or using F5 WAF for NGINX, contact support through the [MyF5 Customer Portal](https://account.f5.com/myf5). + +### Collecting log information + +As part of opening a support ticket, you will be asked to collect troubleshooting information for a customer support engineer. + +The steps involved depend on your deployment type. + +{{< tabs name="log-options" >}} + +{{% tab name="Virtual environment" %}} + +Get the operating system information: + +```shell +cat /etc/os-release > system_version.txt && uname -r >> system_version.txt && cat /proc/version >> system_version.txt +``` + +Collect the package versions: + +```shell +cat /opt/app_protect/VERSION /opt/app_protect/RELEASE > package_versions.txt +``` + +You may need a different command depending on the operating system. + +```shell +# Alpine Linux +apk info -vv | grep -E 'nginx|app-protect' > package_versions.txt +# Debian / Ubuntu +apt list --installed | grep -E 'nginx|app-protect' > package_versions.txt +# RHEL / Amazon Linux / Oracle Linux +rpm -qa nginx* app-protect* > package_versions.txt +``` + +Create a list of files called _tarball-targets.txt_: + +```text +system_version.txt +package_versions.txt +/var/log/app_protect/* +/var/log/nginx/* +/etc/nginx.conf +# Add any additional policy or log configuration files +``` + +Create a tarball using the list of files: + +```shell +tar cvfz logs.tgz `cat tarball-targets.txt` +``` + +{{% /tab %}} + +{{% tab name="Docker" %}} + +Use _docker_compose_ to create log files: + +```shell +sudo docker compose logs > docker_compose_logs.txt +``` + +If a centralized logging system such as the ELK stack is used, you should retrieve them in CSV format instead: + +```shell +sudo docker compose logs > docker_compose_logs.csv +``` + +Add the log files to a tarball: + +```shell +tar cvfz logs.tgz docker_compose_logs.txt +``` + +{{% /tab %}} + +{{% tab name="Kubernetes" %}} + +In the following steps, replace `` with the namespace you used to deploy F5 WAF for NGINX. + +Verify the pods in your deployment: + +```shell +kubectl get pods -n +``` + +Use the following script to collect logs from every pod, which will create a timestamped directory with files after each pod and container: + +```shell +#!/bin/bash + +set -x + +# Define the namespace variable +NAMESPACE="" + +# Define a directory to store log files +log_dir="k8s_logs_$(date +%Y%m%d_%H%M%S)" +mkdir -p "$log_dir" + +# Loop through all pods and containers, saving logs to timestamped directories +for pod in $(kubectl get pods -n $NAMESPACE -o=name | sed 's|pod/||g'); do + for container in $(kubectl get pod/$pod -n $NAMESPACE -o=jsonpath='{.spec.containers[*].name}'); do + kubectl logs $pod -c $container -n $NAMESPACE > "${log_dir}/${pod}_${container}_logs.txt" + done +done +``` + +Once the log files have been saved, run the following command to create a tarball: + +```shell +tar cvfz logs.tgz . +``` + + +{{% /tab %}} + +{{< /tabs >}} + +Attach the tarball named _logs.tgz_ to your support ticket. \ No newline at end of file From 94550d2c1307cc87f5733962bc9ef3c1e0de116b Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Fri, 15 Aug 2025 17:25:10 +0100 Subject: [PATCH 4/8] feat: Add tech specs details, terminology --- content/waf/changelog.md | 2 +- .../fundamentals/technical-specifications.md | 12 ++++- content/waf/fundamentals/terminology.md | 46 +++++++++++++++++++ content/waf/kubernetes/build-nic.md | 2 +- content/waf/kubernetes/configure-nic.md | 2 +- content/waf/kubernetes/install-nic.md | 2 +- content/waf/kubernetes/nim-policy-compile.md | 2 +- content/waf/policies/configuration.md | 2 + content/waf/support.md | 2 +- 9 files changed, 65 insertions(+), 7 deletions(-) create mode 100644 content/waf/fundamentals/terminology.md diff --git a/content/waf/changelog.md b/content/waf/changelog.md index 9d06aa13f..e8ffa95de 100644 --- a/content/waf/changelog.md +++ b/content/waf/changelog.md @@ -22,7 +22,7 @@ Updating the content of this page will likely be automated in the future, follow {{}} -This changelog lists all of the information for F5 NGINX App Protect WAF releases in 2025. +This changelog lists all of the information for F5 WAF for NGINX releases in 2025. For older releases, check the changelogs for previous years: [2024](), [2023](). diff --git a/content/waf/fundamentals/technical-specifications.md b/content/waf/fundamentals/technical-specifications.md index 6d7ae2af8..c95431265 100644 --- a/content/waf/fundamentals/technical-specifications.md +++ b/content/waf/fundamentals/technical-specifications.md @@ -40,7 +40,17 @@ View the [Install section]({{< ref "/waf/install/" >}}) for information on deplo ## Supported operating systems -## Supported NGINX versions +| Distribution | Version | +| ------------------ | ------------ | +| Alpine Linux | 3.19 | +| Amazon Linux | 2023 | +| Debian | 11, 12 | +| Oracle Linux | 8.1 | +| Ubuntu | 22.04, 24.04 | +| RHEL / Rocky Linux | 8, 9 | + +For release-specific packages, view the [Changelog]({{< ref "/waf/changelog.md" >}}). + ## Supported Security Policy features diff --git a/content/waf/fundamentals/terminology.md b/content/waf/fundamentals/terminology.md new file mode 100644 index 000000000..2be5de5c7 --- /dev/null +++ b/content/waf/fundamentals/terminology.md @@ -0,0 +1,46 @@ +--- +# We use sentence case and present imperative tone +title: "Terminology" +# Weights are assigned in increments of 100: determines sorting order +weight: 300 +# Creates a table of contents and sidebar, useful for large documents +toc: false +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +This page defines terminology used when describing functionality of F5 WAF for NGINX. + +It assumes you are familiar with various layer 7 (L7) hypertext transfer protocl (HTTP) concepts such as: + +- Uniform Resource Identifier (URI) +- Uniform Resource Location (URL) +- HTTP methods and status codes +- HTTP headings, requests, responses, and parameters +- Cookies + +## Terms and definitions + +|Term | Definition | +| ---| --- | +|Alarm | If selected, the NGINX App Protect WAF system records requests that trigger the violation in the remote log (depending on the settings of the logging profile). | +|Attack signature | Textual patterns which can be applied to HTTP requests and/or responses by NGINX App Protect WAF to determine if traffic is malicious. For example, the string `