From f1038483639be506f7d81bc87a59e4756f6bb11d Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 25 Nov 2025 13:37:10 +0000 Subject: [PATCH 01/63] docs: add missing prerequisite for installation --- content/waf/install/virtual-environment.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 30317ce7f..1920ed189 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -17,13 +17,11 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- A working [NGINX Open Source]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-open-source.md" >}}) or [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) instance. +- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) instance. - An active F5 WAF for NGINX subscription (Purchased or trial). Depending on your deployment type, you may have additional requirements: -- [Docker](https://docs.docker.com/get-started/get-docker/) is required for NGINX Open Source or NGINX Plus type deployments. - You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. {{< include "waf/install-selinux-warning.md" >}} From 19ace63e0e609811f005bbe4b91bc39eeab2f10a Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 25 Nov 2025 15:15:36 +0000 Subject: [PATCH 02/63] added info about nginx x being installed with app protect --- content/waf/install/virtual-environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 1920ed189..6920c2417 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -17,7 +17,7 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) instance. +- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) - An active F5 WAF for NGINX subscription (Purchased or trial). Depending on your deployment type, you may have additional requirements: From b490c7d7817cebf62cb08525208d9d5cc2857ca1 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 08:08:46 +0000 Subject: [PATCH 03/63] updated kubernetes --- content/includes/waf/install-update-configuration.md | 5 ----- content/waf/install/docker.md | 5 +++++ content/waf/install/kubernetes.md | 2 ++ 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/content/includes/waf/install-update-configuration.md b/content/includes/waf/install-update-configuration.md index 23b1c63ae..3577367cf 100644 --- a/content/includes/waf/install-update-configuration.md +++ b/content/includes/waf/install-update-configuration.md @@ -121,8 +121,3 @@ server { {{% /tab %}} {{< /tabs >}} - -Once you have updated your configuration files, you can reload NGINX to apply the changes. You have two options depending on your environment: - -- `nginx -s reload` -- `sudo systemctl reload nginx` \ No newline at end of file diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index cc7970c3e..afa3f5d89 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -1289,6 +1289,11 @@ CMD ["sh", "/root/entrypoint.sh"] {{< include "waf/install-update-configuration.md" >}} +Once you have updated your configuration files, you can reload NGINX to apply the changes. You have two options depending on your environment: + +- `nginx -s reload` +- `sudo systemctl reload nginx` + F5 WAF for NGINX should now be operational, and you can move onto [Post-installation checks](#post-installation-checks). ## Post-installation checks diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 6eed94d27..8ab3e932e 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -222,6 +222,8 @@ From this point, the steps change based on your installation method: ### Download your JSON web token +To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: + {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ### Get the Helm chart From 729164f142fc1a6e59b2aec42165b9c3187b4f69 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 08:50:06 +0000 Subject: [PATCH 04/63] added supported os and Kubernetes ctl/cluster --- content/waf/install/docker.md | 4 ++-- content/waf/install/kubernetes-plm.md | 3 ++- content/waf/install/kubernetes.md | 5 +++-- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index afa3f5d89..e3e90fbac 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -139,7 +139,7 @@ http { ### Create a Dockerfile -In the same folder as your credential and configuration files, create a _Dockerfile_ based on your desired operating system image using an example from the following sections. +In the same folder as your credential and configuration files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. Alternatively, you may want make your own image based on a Dockerfile using the official NGINX image: @@ -909,7 +909,7 @@ http { Copy or move your subscription files into a new folder. -In the same folder as the subscription files, create a _Dockerfile_ based on your desired operating system image using an example from the following sections. +In the same folder as the subscription files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. {{< call-out "note" >}} diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index db5057f30..a0f329d61 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -32,7 +32,8 @@ These enhancements are only available for Helm-based deployments. To complete this guide, you will need the following prerequisites: -- [A functional Kubernetes cluster]({{< ref "/waf/install/kubernetes.md" >}}) +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/get-started/get-docker/) - An active F5 WAF for NGINX subscription (Purchased or trial) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 8ab3e932e..d8e67739a 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -14,7 +14,8 @@ It explains the common steps necessary for any Kubernetes-based deployment, then To complete this guide, you will need the following pre-requisites: -- A functional Kubernetes cluster +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - An active F5 WAF for NGINX subscription (Purchased or trial) - [Docker](https://docs.docker.com/get-started/get-docker/) @@ -32,7 +33,7 @@ To review supported operating systems, read the [Technical specifications]({{< r ## Create a Dockerfile -In the same folder as your credential files, create a _Dockerfile_ based on your desired operating system image using an example from the following sections. +In the same folder as your credential files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. Alternatively, you may want make your own image based on a Dockerfile using the official NGINX image: From 2fa9287fcac78b769b72b51f63ef6d1f1adb16f9 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 09:39:39 +0000 Subject: [PATCH 05/63] temp --- content/waf/install/virtual-environment.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 6920c2417..0e4ecf53d 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -17,8 +17,9 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) - An active F5 WAF for NGINX subscription (Purchased or trial). +- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) + - [NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used Depending on your deployment type, you may have additional requirements: From aeece8ee8d0115bc9d087e044b8c2a3a888c3e72 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 09:47:59 +0000 Subject: [PATCH 06/63] test --- content/waf/install/virtual-environment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 0e4ecf53d..34a6b8325 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -19,8 +19,8 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - An active F5 WAF for NGINX subscription (Purchased or trial). - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) - - [NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used - +- [NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used +- this is a test Depending on your deployment type, you may have additional requirements: You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. From 9a09c81a4ef162d9b44b467c37eb22f1441c0265 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 10:00:26 +0000 Subject: [PATCH 07/63] test --- content/waf/install/virtual-environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 34a6b8325..03943745b 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -19,8 +19,8 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - An active F5 WAF for NGINX subscription (Purchased or trial). - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) -- [NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used - this is a test + Depending on your deployment type, you may have additional requirements: You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. From d0b27a788c3df7d9a1ff11b01ceadbc1dec66f6f Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 10:07:45 +0000 Subject: [PATCH 08/63] added link to my my5 --- content/waf/install/virtual-environment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 03943745b..3402ef115 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -17,9 +17,8 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- An active F5 WAF for NGINX subscription (Purchased or trial). +- An active [F5 WAF for NGINX subscription]({{< ref "/licensing-and-reporting/download-certificates-from-myf5.md" >}}) (Purchased or trial). - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) -- this is a test Depending on your deployment type, you may have additional requirements: From 6fcc9a2937dd47e795800333d01224eee1478ff8 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 10:35:46 +0000 Subject: [PATCH 09/63] updated myf5 with link --- content/waf/install/disconnected-environment.md | 2 +- content/waf/install/docker.md | 2 +- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 2 +- content/waf/install/virtual-environment.md | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 47c3f246a..519d2174e 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -18,7 +18,7 @@ To complete this guide, you will need the following prerequisites: - [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md#before-you-begin" >}}) - [Docker]({{< ref "/waf/install/docker.md#before-you-begin" >}}) - [Kubernetes]({{< ref "/waf/install/kubernetes.md#before-you-begin" >}}) -- An active F5 WAF for NGINX subscription (Purchased or trial). +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - A connected environment with similar architecture - A method to transfer files between two environments diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index e3e90fbac..735e70b54 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -12,7 +12,7 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: -- An active F5 WAF for NGINX subscription (Purchased or trial) +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - [Docker](https://docs.docker.com/get-started/get-docker/) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index a0f329d61..41653f9ef 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -36,7 +36,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/get-started/get-docker/) -- An active F5 WAF for NGINX subscription (Purchased or trial) +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. ## Download your subscription credentials diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index d8e67739a..310854470 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -16,7 +16,7 @@ To complete this guide, you will need the following pre-requisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster -- An active F5 WAF for NGINX subscription (Purchased or trial) +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - [Docker](https://docs.docker.com/get-started/get-docker/) You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 3402ef115..52716a423 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -17,7 +17,7 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- An active [F5 WAF for NGINX subscription]({{< ref "/licensing-and-reporting/download-certificates-from-myf5.md" >}}) (Purchased or trial). +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) Depending on your deployment type, you may have additional requirements: From 881c892fdaf00528a329226183f24b98a3e516cf Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 11:37:25 +0000 Subject: [PATCH 10/63] added info for docker registry access --- content/waf/install/kubernetes-plm.md | 1 + content/waf/install/kubernetes.md | 1 + 2 files changed, 2 insertions(+) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 41653f9ef..befabe1df 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -36,6 +36,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/get-started/get-docker/) +- Docker registry credentials — needed to access private-registry.nginx.com - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 310854470..49e46342a 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -18,6 +18,7 @@ To complete this guide, you will need the following pre-requisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - [Docker](https://docs.docker.com/get-started/get-docker/) +- Docker registry credentials — needed to access private-registry.nginx.com You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. From 4e4204b6f3c3310567e274b2d13da7f9420a31f2 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 11:43:43 +0000 Subject: [PATCH 11/63] test for jwt --- content/waf/install/docker.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 735e70b54..a9bd0b7b2 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -41,6 +41,8 @@ The steps you should follow on this page are dependent on your configuration typ {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} +[NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used + ## Configure Docker for the F5 Container Registry {{< include "waf/install-services-registry.md" >}} From c62c97923e262782e6d8aee114ce533285088d9d Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 14:36:24 +0000 Subject: [PATCH 12/63] added jwt for docker --- content/includes/waf/install-build-image.md | 1 + content/waf/install/docker.md | 20 +++++++++++--------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index 45ccc3068..1a76c8373 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -7,6 +7,7 @@ Your folder should contain the following files: - _nginx-repo.crt_ - _nginx-repo.key_ +- _license.jwt_ (Only necessary when using NGINX Plus) - _nginx.conf_ - _entrypoint.sh_ - _Dockerfile_ diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index a9bd0b7b2..7c1489d2c 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -38,10 +38,12 @@ The single container configuration only supports NGINX Plus and requires a build The steps you should follow on this page are dependent on your configuration type: after the shared steps, links will guide you to the next appropriate section. ## Download your subscription credentials +### Shared Requirements {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -[NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used +### Additional Requirement for NGINX Plus Users +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Configure Docker for the F5 Container Registry @@ -952,7 +954,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -994,7 +996,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1049,7 +1051,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1095,7 +1097,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1138,7 +1140,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1180,7 +1182,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1222,7 +1224,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1277,7 +1279,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] From ceecd2172805f1cf095fc1904394908224cf7959 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 15:39:22 +0000 Subject: [PATCH 13/63] last work before remove --- content/includes/waf/install-services-registry.md | 2 ++ content/waf/install/docker.md | 14 +++++++++++--- content/waf/install/kubernetes-plm.md | 4 ++-- content/waf/install/kubernetes.md | 4 ++-- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/content/includes/waf/install-services-registry.md b/content/includes/waf/install-services-registry.md index c9f686e8d..2389912d7 100644 --- a/content/includes/waf/install-services-registry.md +++ b/content/includes/waf/install-services-registry.md @@ -5,6 +5,8 @@ nd-files: - content/waf/install/kubernetes.md --- +Docker registry credentials are needed to access private-registry.nginx.com + Create a directory and copy your certificate and key to this directory: ```shell diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 7c1489d2c..fa2aefdd0 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -13,7 +13,8 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) -- [Docker](https://docs.docker.com/get-started/get-docker/) +- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. +- Docker registry credentials are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -438,7 +439,7 @@ Once you have updated your configuration files, you can reload NGINX to apply th {{< include "waf/install-services-docker.md" >}} #### Download Docker images - +[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images {{< include "waf/install-services-images.md" >}} #### Create and run a Docker Compose file @@ -814,7 +815,7 @@ sudo dnf install app-protect-module-plus {{< include "waf/install-services-docker.md" >}} #### Download Docker images - +[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images {{< include "waf/install-services-images.md" >}} #### Create and run a Docker Compose file @@ -1307,3 +1308,10 @@ F5 WAF for NGINX should now be operational, and you can move onto [Post-installa ## Next steps {{< include "waf/install-next-steps.md" >}} + +## Remove NGINX docker image +Before removing any Docker image, it’s important to ensure that the image is no longer needed and is not in use. + +[docker image rm](https://docs.docker.com/reference/cli/docker/image/rm/) tool + +TODO diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index befabe1df..ecebbf3d8 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -35,8 +35,8 @@ To complete this guide, you will need the following prerequisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) -- [Docker](https://docs.docker.com/get-started/get-docker/) -- Docker registry credentials — needed to access private-registry.nginx.com +- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. +- Docker registry credentials are needed to access private-registry.nginx.com - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 49e46342a..8b225d3db 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -17,8 +17,8 @@ To complete this guide, you will need the following pre-requisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) -- [Docker](https://docs.docker.com/get-started/get-docker/) -- Docker registry credentials — needed to access private-registry.nginx.com +- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. +- Docker registry credentials are needed to access private-registry.nginx.com You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. From 6aa9fd3a8caaa9364d272615f03c7540f6ba0523 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 27 Nov 2025 06:44:13 +0000 Subject: [PATCH 14/63] remove line since we have the line above it --- content/waf/install/kubernetes-plm.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index ecebbf3d8..7cd0c979b 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -38,7 +38,6 @@ To complete this guide, you will need the following prerequisites: - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - Docker registry credentials are needed to access private-registry.nginx.com - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) -- Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. ## Download your subscription credentials From 8c420e21df834c5c543cf163c1c922482eaa4839 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 27 Nov 2025 13:48:31 +0000 Subject: [PATCH 15/63] updated docker for jwt --- content/includes/waf/install-build-image.md | 4 +- content/waf/install/docker.md | 48 +++++++++++++++++---- 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index 1a76c8373..dec2acb30 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -16,13 +16,13 @@ Your folder should contain the following files: To build an image, use the following command, replacing `` as appropriate: ```shell -sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . +sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . ``` A RHEL-based system would use the following command instead: ```shell -podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . +podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . ``` {{< call-out "note" >}} diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index fa2aefdd0..a1117036f 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -950,12 +950,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ apk update && apk add app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -992,12 +996,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf -y install app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1047,12 +1055,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ apt-get install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1093,12 +1105,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1136,12 +1152,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1182,8 +1202,12 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1220,12 +1244,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1275,12 +1303,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ apt-get install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] From 58709a272787e22eefd386331e46ce2873e03efe Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 27 Nov 2025 15:50:55 +0000 Subject: [PATCH 16/63] update dockerfile for nap --- .../includes/waf/dockerfiles/alpine-plus.md | 4 +++ .../includes/waf/dockerfiles/amazon-plus.md | 4 +++ .../includes/waf/dockerfiles/debian-plus.md | 4 +++ .../includes/waf/dockerfiles/oracle-plus.md | 4 +++ .../includes/waf/dockerfiles/rhel8-plus.md | 4 +++ .../includes/waf/dockerfiles/rhel9-plus.md | 4 +++ .../includes/waf/dockerfiles/rocky9-plus.md | 4 +++ .../includes/waf/dockerfiles/ubuntu-plus.md | 4 +++ content/includes/waf/install-build-image.md | 13 +++++++++- content/waf/install/kubernetes.md | 25 +++++++++++++------ 10 files changed, 62 insertions(+), 8 deletions(-) diff --git a/content/includes/waf/dockerfiles/alpine-plus.md b/content/includes/waf/dockerfiles/alpine-plus.md index 6fe7111c5..2818c3592 100644 --- a/content/includes/waf/dockerfiles/alpine-plus.md +++ b/content/includes/waf/dockerfiles/alpine-plus.md @@ -27,6 +27,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ && ln -sf /dev/stderr /var/log/nginx/error.log \ && rm -rf /var/cache/apk/* +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/amazon-plus.md b/content/includes/waf/dockerfiles/amazon-plus.md index d4ec7bba2..d943b33f1 100644 --- a/content/includes/waf/dockerfiles/amazon-plus.md +++ b/content/includes/waf/dockerfiles/amazon-plus.md @@ -28,6 +28,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/debian-plus.md b/content/includes/waf/dockerfiles/debian-plus.md index 204dfa633..7c8581d11 100644 --- a/content/includes/waf/dockerfiles/debian-plus.md +++ b/content/includes/waf/dockerfiles/debian-plus.md @@ -41,6 +41,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && apt-get clean \ && rm -rf /var/lib/apt/lists/* +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/oracle-plus.md b/content/includes/waf/dockerfiles/oracle-plus.md index 98bd1e15b..c62d33bb1 100644 --- a/content/includes/waf/dockerfiles/oracle-plus.md +++ b/content/includes/waf/dockerfiles/oracle-plus.md @@ -29,6 +29,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/rhel8-plus.md b/content/includes/waf/dockerfiles/rhel8-plus.md index 9f05ce79f..ac00cc4e3 100644 --- a/content/includes/waf/dockerfiles/rhel8-plus.md +++ b/content/includes/waf/dockerfiles/rhel8-plus.md @@ -45,6 +45,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/rhel9-plus.md b/content/includes/waf/dockerfiles/rhel9-plus.md index 464ba150e..6f6c96a53 100644 --- a/content/includes/waf/dockerfiles/rhel9-plus.md +++ b/content/includes/waf/dockerfiles/rhel9-plus.md @@ -30,6 +30,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/rocky9-plus.md b/content/includes/waf/dockerfiles/rocky9-plus.md index 464ba150e..6f6c96a53 100644 --- a/content/includes/waf/dockerfiles/rocky9-plus.md +++ b/content/includes/waf/dockerfiles/rocky9-plus.md @@ -30,6 +30,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/ubuntu-plus.md b/content/includes/waf/dockerfiles/ubuntu-plus.md index 89a2e7d8b..7333f22d5 100644 --- a/content/includes/waf/dockerfiles/ubuntu-plus.md +++ b/content/includes/waf/dockerfiles/ubuntu-plus.md @@ -41,6 +41,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && apt-get clean \ && rm -rf /var/lib/apt/lists/* +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index dec2acb30..86a729c98 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -13,7 +13,7 @@ Your folder should contain the following files: - _Dockerfile_ - _custom_log_format.json_ (Optional) -To build an image, use the following command, replacing `` as appropriate: +To build an image for NGINX Plus, use the following command, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . @@ -24,6 +24,17 @@ A RHEL-based system would use the following command instead: ```shell podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . ``` +To build an image for NGINX Open Source, use the following command, replacing `` as appropriate: + +```shell +sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . +``` + +A RHEL-based system would use the following command instead: + +```shell +podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . +``` {{< call-out "note" >}} diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 8b225d3db..51f41d271 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -32,6 +32,12 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} +### Download your JSON web token + +To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: + +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} + ## Create a Dockerfile In the same folder as your credential files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. @@ -202,9 +208,20 @@ Your folder should contain the following files: - _nginx-repo.crt_ - _nginx-repo.key_ +- _license.jwt_ (Only necessary when using NGINX Plus) - _Dockerfile_ -To build an image, use the following command, replacing `` as appropriate: +To build an image for NGINX Pluse, use the following command, replacing `` as appropriate: + +```shell +sudo docker build --no-cache --platform linux/amd64 \ + --secret id=nginx-crt,src=nginx-repo.crt \ + --secret id=nginx-key,src=nginx-repo.key \ + --secret id=license-jwt,src=license.jwt \ + -t . +``` + +To build an image for NGINX Open Source, use the following command, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 \ @@ -222,12 +239,6 @@ From this point, the steps change based on your installation method: ## Use Helm to install F5 WAF for NGINX -### Download your JSON web token - -To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: - -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} - ### Get the Helm chart To get the Helm chart, first configure Docker for the F5 Container Registry. From e29e9ae8f82eac40fa8ec225319efce2598af7af Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 11:37:34 +0000 Subject: [PATCH 17/63] updated storage --- content/waf/install/kubernetes.md | 81 ++++++++++--------------------- 1 file changed, 26 insertions(+), 55 deletions(-) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 51f41d271..91809fa73 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -404,63 +404,34 @@ This configuration uses a _hostPath_ backed persistent volume claim. {{< /call-out >}} ```yaml -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: PersistentVolume metadata: - name: nap5-deployment + name: nap5-bundles-pv + labels: + type: local spec: - selector: - matchLabels: - app: nap5 - replicas: 2 - template: - metadata: - labels: - app: nap5 - spec: - imagePullSecrets: - - name: regcred - containers: - - name: nginx - image: /waf: - imagePullPolicy: IfNotPresent - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: waf-enforcer - image: private-registry.nginx.com/nap/waf-enforcer: - imagePullPolicy: IfNotPresent - env: - - name: ENFORCER_PORT - value: "50000" - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: waf-config-mgr - image: private-registry.nginx.com/nap/waf-config-mgr: - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles - volumes: - - name: app-protect-bd-config - emptyDir: {} - - name: app-protect-config - emptyDir: {} - - name: app-protect-bundles - persistentVolumeClaim: - claimName: nap5-bundles-pvc + storageClassName: manual + capacity: + storage: 2Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/mnt/nap5_bundles_pv_data" +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nap5-bundles-pvc +spec: + storageClassName: manual + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi + volumeName: nap5-bundles-pv ``` {{% /tab %}} From 4ecf1c4f3e68fa6c25dfc42cc6640e8c5640055a Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 11:53:46 +0000 Subject: [PATCH 18/63] fixed kubernetes --- content/waf/install/kubernetes.md | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 91809fa73..2bbb9c2a3 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -211,17 +211,7 @@ Your folder should contain the following files: - _license.jwt_ (Only necessary when using NGINX Plus) - _Dockerfile_ -To build an image for NGINX Pluse, use the following command, replacing `` as appropriate: - -```shell -sudo docker build --no-cache --platform linux/amd64 \ - --secret id=nginx-crt,src=nginx-repo.crt \ - --secret id=nginx-key,src=nginx-repo.key \ - --secret id=license-jwt,src=license.jwt \ - -t . -``` - -To build an image for NGINX Open Source, use the following command, replacing `` as appropriate: +To build an image, use the following command, replacing as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 \ From e9dfc12c1904207695dedff9b378c43712d17b8e Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 12:06:31 +0000 Subject: [PATCH 19/63] ohad fix 1 --- content/waf/install/kubernetes.md | 2 +- content/waf/install/virtual-environment.md | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 2bbb9c2a3..5b98e5084 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -252,7 +252,7 @@ cd nginx-app-protect You will need to edit the `values.yaml` file for a few changes: - Update _appprotect.nginx.image.repository_ and _appprotect.nginx.image.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). -- Update _appprotect.config.nginxJWT_ with your JSON web token +- Update _appprotect.config.nginxJWT_ with your JSON web token (Only necessary when using NGINX Plus) - Update _dockerConfigJson_ to contain the base64 encoded Docker registration credentials You can encode your credentials with the following command: diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 52716a423..fa940c61a 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -25,6 +25,9 @@ Depending on your deployment type, you may have additional requirements: You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. {{< include "waf/install-selinux-warning.md" >}} +### Additional Requirement for NGINX Plus Users +If you choose to install NGINX automatically with App Protect, make sure to download your JWT license from MyF5 before you begin +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Platform-specific instructions From dae1e50a6736917580cee49d53d231b873bdfd53 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 12:08:14 +0000 Subject: [PATCH 20/63] chnaged title --- content/waf/install/virtual-environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index fa940c61a..39c2ec032 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -25,7 +25,7 @@ Depending on your deployment type, you may have additional requirements: You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. {{< include "waf/install-selinux-warning.md" >}} -### Additional Requirement for NGINX Plus Users +### Required: Download JWT License for NGINX Plus Installation If you choose to install NGINX automatically with App Protect, make sure to download your JWT license from MyF5 before you begin {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} From 826023832bc207fae70ce13970b43c976a81b159 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 12:15:51 +0000 Subject: [PATCH 21/63] CHANGED NAME --- content/waf/install/virtual-environment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 39c2ec032..b8e661f44 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -18,7 +18,7 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) -- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) +- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during F5 WAF for NGINX installation) Depending on your deployment type, you may have additional requirements: @@ -26,7 +26,7 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" {{< include "waf/install-selinux-warning.md" >}} ### Required: Download JWT License for NGINX Plus Installation -If you choose to install NGINX automatically with App Protect, make sure to download your JWT license from MyF5 before you begin +If you choose to install NGINX automatically with F5 WAF for NGINX, make sure to download your JWT license from MyF5 before you begin {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Platform-specific instructions From 009aa4e8e296ecf6f06796bbc4c7ae5df53408c2 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 12:22:53 +0000 Subject: [PATCH 22/63] need jwt anywasy for opensouce for docker cred --- content/waf/install/kubernetes.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 5b98e5084..51be680a9 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -35,6 +35,7 @@ To review supported operating systems, read the [Technical specifications]({{< r ### Download your JSON web token To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: +> **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} @@ -208,7 +209,7 @@ Your folder should contain the following files: - _nginx-repo.crt_ - _nginx-repo.key_ -- _license.jwt_ (Only necessary when using NGINX Plus) +- _license.jwt_ - _Dockerfile_ To build an image, use the following command, replacing as appropriate: From b3a8811d27eaa7a74b9555842a5d59d4037c9fc7 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 07:18:41 +0000 Subject: [PATCH 23/63] removed todo --- content/waf/install/docker.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index a1117036f..6cccededc 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -1344,6 +1344,4 @@ F5 WAF for NGINX should now be operational, and you can move onto [Post-installa ## Remove NGINX docker image Before removing any Docker image, it’s important to ensure that the image is no longer needed and is not in use. -[docker image rm](https://docs.docker.com/reference/cli/docker/image/rm/) tool - -TODO +[docker image rm](https://docs.docker.com/reference/cli/docker/image/rm/) tool \ No newline at end of file From b10569f540f821e4d0fc62ab5707560b001a6de6 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:19:26 +0200 Subject: [PATCH 24/63] Update content/waf/install/docker.md Co-authored-by: Jon Torre <78599298+JTorreG@users.noreply.github.com> --- content/waf/install/docker.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 6cccededc..188f76fd0 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -815,7 +815,9 @@ sudo dnf install app-protect-module-plus {{< include "waf/install-services-docker.md" >}} #### Download Docker images + [Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images + {{< include "waf/install-services-images.md" >}} #### Create and run a Docker Compose file From 01c8dc4f551a3a9a2bf28ddc9ae6ac61d3a8fc9f Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:19:34 +0200 Subject: [PATCH 25/63] Update content/waf/install/docker.md Co-authored-by: Jon Torre <78599298+JTorreG@users.noreply.github.com> --- content/waf/install/docker.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 188f76fd0..df5e5d669 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -439,7 +439,9 @@ Once you have updated your configuration files, you can reload NGINX to apply th {{< include "waf/install-services-docker.md" >}} #### Download Docker images + [Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images + {{< include "waf/install-services-images.md" >}} #### Create and run a Docker Compose file From 5b618e4bccd59502ce9e6be3bde54e47b9e0bf31 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:22:06 +0200 Subject: [PATCH 26/63] Update content/includes/waf/install-build-image.md Co-authored-by: Jon Torre <78599298+JTorreG@users.noreply.github.com> --- content/includes/waf/install-build-image.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index 86a729c98..ef28dca51 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -24,6 +24,7 @@ A RHEL-based system would use the following command instead: ```shell podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . ``` + To build an image for NGINX Open Source, use the following command, replacing `` as appropriate: ```shell From e8a2026efa61297a6f6daf521ed25431ae6de42c Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:22:29 +0200 Subject: [PATCH 27/63] Update content/includes/waf/install-services-registry.md Co-authored-by: Jon Torre <78599298+JTorreG@users.noreply.github.com> --- content/includes/waf/install-services-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/includes/waf/install-services-registry.md b/content/includes/waf/install-services-registry.md index 2389912d7..40b9135b4 100644 --- a/content/includes/waf/install-services-registry.md +++ b/content/includes/waf/install-services-registry.md @@ -5,7 +5,7 @@ nd-files: - content/waf/install/kubernetes.md --- -Docker registry credentials are needed to access private-registry.nginx.com +You will need Docker registry credentials to access private-registry.nginx.com. Create a directory and copy your certificate and key to this directory: From c18f8cf6c0cd4821ce5f21401fb3e343e74fa6b4 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 12:16:37 +0000 Subject: [PATCH 28/63] made changes from suggestions --- content/includes/waf/install-build-image.md | 8 ++- content/waf/install/docker.md | 62 ++++++++++++++++++++- content/waf/install/kubernetes-plm.md | 24 +++++--- content/waf/install/kubernetes.md | 18 ++++-- content/waf/install/virtual-environment.md | 20 +++++-- 5 files changed, 109 insertions(+), 23 deletions(-) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index ef28dca51..c0ff97ca6 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -11,9 +11,10 @@ Your folder should contain the following files: - _nginx.conf_ - _entrypoint.sh_ - _Dockerfile_ -- _custom_log_format.json_ (Optional) +- _custom_log_format.json_ -To build an image for NGINX Plus, use the following command, replacing `` as appropriate: +#### Building an image with NGINX Plus +To build an image for NGINX Plus, use the following command that are not RHEL-based, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . @@ -25,7 +26,8 @@ A RHEL-based system would use the following command instead: podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . ``` -To build an image for NGINX Open Source, use the following command, replacing `` as appropriate: +#### Building an image with NGINX Open Source +To build an image for NGINX Open Source, use the following command that are not RHEL-based, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index df5e5d669..9cce72380 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -12,9 +12,13 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: +- A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Docker registry credentials are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional Requirement for NGINX Plus Users" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -48,7 +52,15 @@ The steps you should follow on this page are dependent on your configuration typ ## Configure Docker for the F5 Container Registry -{{< include "waf/install-services-registry.md" >}} +You will need Docker registry credentials to access private-registry.nginx.com for either the Multi-container or Hybrid configuration. + +Create a directory and copy your [certificate and key]({{< ref "/waf/install/docker.md#Shared Requirements" >}}) to this directory: + +```shell +mkdir -p /etc/docker/certs.d/private-registry.nginx.com +cp /etc/docker/certs.d/private-registry.nginx.com/client.cert +cp /etc/docker/certs.d/private-registry.nginx.com/client.key +``` You should now move to the section based on your configuration type: @@ -308,7 +320,51 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu ### Build the Docker image -{{< include "waf/install-build-image.md" >}} +Your folder should contain the following files: + +- _nginx-repo.crt_ +- _nginx-repo.key_ +- _license.jwt_ +- _nginx.conf_ +- _entrypoint.sh_ +- _Dockerfile_ +- _custom_log_format.json_ + +To build an image, use the following command for system that are not RHEL-based, replacing `` as appropriate: + +```shell +sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . +``` + +A RHEL-based system would use the following command instead: + +```shell +podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . +``` + +{{< call-out "note" >}} + +The `--no-cache` option is used to ensure the image is built from scratch, installing the latest versions of NGINX Plus and F5 WAF for NGINX. + +{{< /call-out >}} + +Verify that your image has been created using the `docker images` command: + +```shell +docker images +``` + +Create a container based on this image, replacing as appropriate: + +```shell +docker run --name -p 80:80 -d +``` + +Verify the new container is running using the `docker ps` command: + +```shell +docker ps +``` ### Update configuration files diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 7cd0c979b..899ea84ab 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -32,20 +32,30 @@ These enhancements are only available for Helm-based deployments. To complete this guide, you will need the following prerequisites: +- A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Docker registry credentials are needed to access private-registry.nginx.com -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial), which includes the necessary **SSL Certificate** and **Private Key files**. +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- Docker registry credentials in [MyF5](https://my.f5.com/manage/s/) required to access private-registry.nginx.com. (Same as the **JSON Web Token** for NGINX Plus). ## Download your subscription credentials -1. Log in to [MyF5](https://my.f5.com/manage/s/). -1. Go to **My Products & Plans > Subscriptions** to see your active subscriptions. -1. Find your NGINX subscription, and select the **Subscription ID** for details. -1. Download the **SSL Certificate** and **Private Key files** from the subscription page. -1. Download the **JSON Web Token** file from the subscription page. +### General subscription credentials needed for deployments + +{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} + +### Additional subscription credentials needed for a deployments with NGINX Plus + +To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: + +> **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. + +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Prepare environment variables diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 51be680a9..e3c13433a 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -14,11 +14,14 @@ It explains the common steps necessary for any Kubernetes-based deployment, then To complete this guide, you will need the following pre-requisites: -- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) -- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) +- A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/). +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Docker registry credentials are needed to access private-registry.nginx.com +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- Docker registry credentials in [MyF5](https://my.f5.com/manage/s/) is required to access private-registry.nginx.com (Same as the SSL certificate and private key file ). You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. @@ -30,11 +33,14 @@ To review supported operating systems, read the [Technical specifications]({{< r ## Download your subscription credentials +### General subscription credentials needed for deployments + {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -### Download your JSON web token +### Additional subscription credentials needed for a deployments with NGINX Plus + +To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: -To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: > **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index b8e661f44..73223a2cb 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -17,16 +17,28 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) + Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/virtual-environment.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during F5 WAF for NGINX installation) +- F5 NGINX App Protect will work by default with the default values (like default policy, logging profile, etc) unless the user sets custom configurations Depending on your deployment type, you may have additional requirements: -You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. +You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) topics for additional set-up configuration if you want to use them immediately. {{< include "waf/install-selinux-warning.md" >}} -### Required: Download JWT License for NGINX Plus Installation -If you choose to install NGINX automatically with F5 WAF for NGINX, make sure to download your JWT license from MyF5 before you begin +## Download your subscription credentials + +### General subscription credentials needed for deployments + +{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} + +### Additional subscription credentials needed for a deployments with NGINX Plus + +To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: + + {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Platform-specific instructions From 137e4730e621fa09bd7c58a06f7c5d43acd57973 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 12:58:08 +0000 Subject: [PATCH 29/63] updated compiler doc --- content/waf/configure/compiler.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index b1b303556..c1cdf84a3 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -28,8 +28,9 @@ For more information about policies, read the [Configure policies]({{< ref "/waf To complete this guide, you will need the following prerequisites: -- An active F5 WAF for NGINX subscription (Purchased or trial) -- Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. +- [Docker registry credentials]({{< ref "/waf/configure/compiler.md#Configure Docker for the F5 Container Registry" >}}) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) ## Download your subscription credentials From 99627bc3192b8b38225da7b4f1015a2398ac75c0 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 13:41:58 +0000 Subject: [PATCH 30/63] changes to bare metal --- content/waf/install/virtual-environment.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 73223a2cb..d2ca09dfa 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -17,11 +17,10 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/virtual-environment.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during F5 WAF for NGINX installation) -- F5 NGINX App Protect will work by default with the default values (like default policy, logging profile, etc) unless the user sets custom configurations +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 NGINX App Protect subscription from the MyF5 Customer Portal. +- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. +- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations Depending on your deployment type, you may have additional requirements: From ef7c28c067baa9a957280ae160dacc0fcc2f92ee Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 13:48:04 +0000 Subject: [PATCH 31/63] updated docker --- content/waf/install/docker.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 9cce72380..a8570509e 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -13,11 +13,10 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional Requirement for NGINX Plus Users" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional Requirement for NGINX Plus Users" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -26,6 +25,15 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "waf/install-selinux-warning.md" >}} + +## Download your subscription credentials +### General subscription credentials needed for deployments + +{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} + +### Additional Requirement for NGINX Plus Users +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} + ## Docker deployment options There are three kinds of Docker deployments available: @@ -42,14 +50,6 @@ The single container configuration only supports NGINX Plus and requires a build The steps you should follow on this page are dependent on your configuration type: after the shared steps, links will guide you to the next appropriate section. -## Download your subscription credentials -### Shared Requirements - -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} - -### Additional Requirement for NGINX Plus Users -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} - ## Configure Docker for the F5 Container Registry You will need Docker registry credentials to access private-registry.nginx.com for either the Multi-container or Hybrid configuration. From 4a70b3a93061fb53e063dcbf7c2cb223cf1687a9 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 14:04:08 +0000 Subject: [PATCH 32/63] updated jwt sections --- content/waf/install/docker.md | 7 ++++--- content/waf/install/kubernetes-plm.md | 9 ++++----- content/waf/install/kubernetes.md | 9 ++++----- content/waf/install/virtual-environment.md | 2 +- 4 files changed, 13 insertions(+), 14 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index a8570509e..5419d0740 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -16,8 +16,8 @@ To complete this guide, you will need the following prerequisites: - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional Requirement for NGINX Plus Users" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. -- [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional Requirement for NGINX Plus Users" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. +- [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -31,7 +31,8 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -### Additional Requirement for NGINX Plus Users +### Additional subscription credentials needed for deployments +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Docker deployment options diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 899ea84ab..6bd6989df 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -37,11 +37,10 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial), which includes the necessary **SSL Certificate** and **Private Key files**. - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- Docker registry credentials in [MyF5](https://my.f5.com/manage/s/) required to access private-registry.nginx.com. (Same as the **JSON Web Token** for NGINX Plus). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com ## Download your subscription credentials @@ -49,9 +48,9 @@ To complete this guide, you will need the following prerequisites: {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -### Additional subscription credentials needed for a deployments with NGINX Plus +### Additional subscription credentials needed for deployments -To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: > **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index e3c13433a..4b39e33ad 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -20,8 +20,8 @@ To complete this guide, you will need the following pre-requisites: - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- Docker registry credentials in [MyF5](https://my.f5.com/manage/s/) is required to access private-registry.nginx.com (Same as the SSL certificate and private key file ). + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. @@ -37,9 +37,8 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -### Additional subscription credentials needed for a deployments with NGINX Plus - -To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +### Additional subscription credentials needed for deployments +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: > **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index d2ca09dfa..628cf8d98 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -33,7 +33,7 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -### Additional subscription credentials needed for a deployments with NGINX Plus +### Additional subscription credentials needed for deployments To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: From 26e36e99403c5583da1078c8792ad0e1e4f1fe49 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 14:04:57 +0000 Subject: [PATCH 33/63] add info about logger --- content/waf/install/docker.md | 1 + content/waf/install/kubernetes-plm.md | 1 + content/waf/install/kubernetes.md | 1 + 3 files changed, 3 insertions(+) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 5419d0740..47640b60c 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -18,6 +18,7 @@ To complete this guide, you will need the following prerequisites: - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) +- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 6bd6989df..47e316016 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -41,6 +41,7 @@ To complete this guide, you will need the following prerequisites: - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com +- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations ## Download your subscription credentials diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 4b39e33ad..94412e269 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -22,6 +22,7 @@ To complete this guide, you will need the following pre-requisites: - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com +- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. From 350e7806b7ba7b0b62b4fb71b039ff70133c4f5f Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 14:59:32 +0000 Subject: [PATCH 34/63] alan updates --- content/waf/configure/compiler.md | 2 +- content/waf/install/disconnected-environment.md | 2 +- content/waf/install/docker.md | 4 ++-- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 2 +- content/waf/install/virtual-environment.md | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index c1cdf84a3..230ed6627 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -28,7 +28,7 @@ For more information about policies, read the [Configure policies]({{< ref "/waf To complete this guide, you will need the following prerequisites: -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. - [Docker registry credentials]({{< ref "/waf/configure/compiler.md#Configure Docker for the F5 Container Registry" >}}) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 519d2174e..9af8f9962 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -18,7 +18,7 @@ To complete this guide, you will need the following prerequisites: - [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md#before-you-begin" >}}) - [Docker]({{< ref "/waf/install/docker.md#before-you-begin" >}}) - [Kubernetes]({{< ref "/waf/install/kubernetes.md#before-you-begin" >}}) -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) +- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - A connected environment with similar architecture - A method to transfer files between two environments diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 47640b60c..fe98a7ca6 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -14,9 +14,9 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) - F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 47e316016..149eabe5c 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -37,7 +37,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 94412e269..1b5803bbc 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -18,7 +18,7 @@ To complete this guide, you will need the following pre-requisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/). - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 628cf8d98..238bdca0a 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -17,7 +17,7 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 NGINX App Protect subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. - F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations From 2afe5a94f5ee8914136dc4292495b15c7383fa88 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 15:31:04 +0000 Subject: [PATCH 35/63] more suggestions --- content/waf/configure/compiler.md | 2 +- content/waf/install/disconnected-environment.md | 2 +- content/waf/install/docker.md | 8 ++++---- content/waf/install/kubernetes-plm.md | 4 ++-- content/waf/install/kubernetes.md | 4 ++-- content/waf/install/virtual-environment.md | 8 ++++---- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index 230ed6627..9686b6e5c 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -28,7 +28,7 @@ For more information about policies, read the [Configure policies]({{< ref "/waf To complete this guide, you will need the following prerequisites: -- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. - [Docker registry credentials]({{< ref "/waf/configure/compiler.md#Configure Docker for the F5 Container Registry" >}}) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 9af8f9962..7044142a9 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -18,7 +18,7 @@ To complete this guide, you will need the following prerequisites: - [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md#before-you-begin" >}}) - [Docker]({{< ref "/waf/install/docker.md#before-you-begin" >}}) - [Kubernetes]({{< ref "/waf/install/kubernetes.md#before-you-begin" >}}) -- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - A connected environment with similar architecture - A method to transfer files between two environments diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index fe98a7ca6..f74a3cea7 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -14,11 +14,11 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) -- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations +- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -33,7 +33,7 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Docker deployment options diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 149eabe5c..f8f247fdd 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -41,7 +41,7 @@ To complete this guide, you will need the following prerequisites: - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com -- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations +- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations ## Download your subscription credentials @@ -51,7 +51,7 @@ To complete this guide, you will need the following prerequisites: ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: > **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 1b5803bbc..0da5cbcf8 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -22,7 +22,7 @@ To complete this guide, you will need the following pre-requisites: - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com -- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations +- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. @@ -39,7 +39,7 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: > **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 238bdca0a..6b188b082 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -17,10 +17,10 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 NGINX App Protect subscription from the MyF5 Customer Portal. +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. -- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations +- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations Depending on your deployment type, you may have additional requirements: @@ -35,7 +35,7 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" ### Additional subscription credentials needed for deployments -To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} From 61a33351d2541dd07123954b2aeff07b18490428 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 16:39:31 +0000 Subject: [PATCH 36/63] linted --- content/waf/install/docker.md | 4 +++- content/waf/install/kubernetes.md | 5 ++++- content/waf/install/virtual-environment.md | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index f74a3cea7..bb9dfc6f3 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -26,13 +26,14 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "waf/install-selinux-warning.md" >}} - ## Download your subscription credentials + ### General subscription credentials needed for deployments {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} ### Additional subscription credentials needed for deployments + To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} @@ -1404,6 +1405,7 @@ F5 WAF for NGINX should now be operational, and you can move onto [Post-installa {{< include "waf/install-next-steps.md" >}} ## Remove NGINX docker image + Before removing any Docker image, it’s important to ensure that the image is no longer needed and is not in use. [docker image rm](https://docs.docker.com/reference/cli/docker/image/rm/) tool \ No newline at end of file diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 0da5cbcf8..b61d4327a 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -39,9 +39,12 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} ### Additional subscription credentials needed for deployments + To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: -> **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. +{{< call-out "note" >}} +If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. +{{< /call-out >}} {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 6b188b082..42ef5c231 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -27,6 +27,7 @@ Depending on your deployment type, you may have additional requirements: You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) topics for additional set-up configuration if you want to use them immediately. {{< include "waf/install-selinux-warning.md" >}} + ## Download your subscription credentials ### General subscription credentials needed for deployments @@ -37,7 +38,6 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" To use NGINX Plus, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: - {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Platform-specific instructions From 46a933053a472eabef4bb9aeec57d3cece789bd8 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 16:51:45 +0000 Subject: [PATCH 37/63] updated alan changes --- content/waf/configure/compiler.md | 2 +- content/waf/install/disconnected-environment.md | 2 +- content/waf/install/docker.md | 4 ++-- content/waf/install/kubernetes-plm.md | 6 ++++-- content/waf/install/kubernetes.md | 2 +- content/waf/install/virtual-environment.md | 2 +- 6 files changed, 10 insertions(+), 8 deletions(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index 9686b6e5c..ea37c430f 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -28,7 +28,7 @@ For more information about policies, read the [Configure policies]({{< ref "/waf To complete this guide, you will need the following prerequisites: -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. - [Docker registry credentials]({{< ref "/waf/configure/compiler.md#Configure Docker for the F5 Container Registry" >}}) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 7044142a9..deaa5a4b2 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -18,7 +18,7 @@ To complete this guide, you will need the following prerequisites: - [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md#before-you-begin" >}}) - [Docker]({{< ref "/waf/install/docker.md#before-you-begin" >}}) - [Kubernetes]({{< ref "/waf/install/kubernetes.md#before-you-begin" >}}) -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - A connected environment with similar architecture - A method to transfer files between two environments diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index bb9dfc6f3..8eb066ae8 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -14,7 +14,7 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) @@ -55,7 +55,7 @@ The steps you should follow on this page are dependent on your configuration typ ## Configure Docker for the F5 Container Registry -You will need Docker registry credentials to access private-registry.nginx.com for either the Multi-container or Hybrid configuration. +You will need Docker registry credentials to access private-registry.nginx.com for the Multi-container or Hybrid deployment options. Create a directory and copy your [certificate and key]({{< ref "/waf/install/docker.md#Shared Requirements" >}}) to this directory: diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index f8f247fdd..add5e7f08 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -37,7 +37,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com @@ -53,7 +53,9 @@ To complete this guide, you will need the following prerequisites: To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: -> **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. +{{< call-out "note" >}} +If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. +{{< /call-out >}} {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index b61d4327a..40ff8c30b 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -18,7 +18,7 @@ To complete this guide, you will need the following pre-requisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/). - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 42ef5c231..17f22fd27 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -17,7 +17,7 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. - F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations From 5d8c0d2085d3da51033b97b501ed02c413713d09 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 14:25:01 +0000 Subject: [PATCH 38/63] fixed spelling --- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index add5e7f08..32967a9f0 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -37,7 +37,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). +- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 40ff8c30b..f271fb4b7 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -18,7 +18,7 @@ To complete this guide, you will need the following pre-requisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/). - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). +- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com From a6254b105b5f973d1ef2ba2d313e5a131421237a Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 14:28:40 +0000 Subject: [PATCH 39/63] fixed hyperlinks --- content/waf/install/docker.md | 6 +++--- content/waf/install/kubernetes-plm.md | 6 +++--- content/waf/install/kubernetes.md | 6 +++--- content/waf/install/virtual-environment.md | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 8eb066ae8..58eca5e89 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -15,9 +15,9 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. -- [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) + - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. + - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license file](#Additional subscription credentials needed for deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. +- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) - F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 32967a9f0..9c8913ae7 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -38,9 +38,9 @@ To complete this guide, you will need the following prerequisites: - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com + - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license](#Additional subscription credentials needed for a deployments with NGINX Plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com - F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations ## Download your subscription credentials diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index f271fb4b7..2bd117ef5 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -19,9 +19,9 @@ To complete this guide, you will need the following pre-requisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com + - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license](#Additional subscription credentials needed for deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com - F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 17f22fd27..5b5dc612a 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -18,7 +18,7 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. + - Download the [SSL certificate, private key, and the JWT license](#Download your subscription credentials) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. - F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations From 542bbe72983728e5d149a73b4aaa31c354c9c70a Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 14:45:19 +0000 Subject: [PATCH 40/63] updated note --- content/waf/install/docker.md | 5 ++++- content/waf/install/kubernetes-plm.md | 5 ++++- content/waf/install/kubernetes.md | 5 ++++- content/waf/install/virtual-environment.md | 5 ++++- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 58eca5e89..356e4f260 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -18,7 +18,6 @@ To complete this guide, you will need the following prerequisites: - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license file](#Additional subscription credentials needed for deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) -- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -26,6 +25,10 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "waf/install-selinux-warning.md" >}} +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. + ## Download your subscription credentials ### General subscription credentials needed for deployments diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 9c8913ae7..a218ba456 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -41,7 +41,10 @@ To complete this guide, you will need the following prerequisites: - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license](#Additional subscription credentials needed for a deployments with NGINX Plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com -- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations + +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. ## Download your subscription credentials diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 2bd117ef5..3a257434e 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -22,7 +22,6 @@ To complete this guide, you will need the following pre-requisites: - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license](#Additional subscription credentials needed for deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com -- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. @@ -32,6 +31,10 @@ There is another optional topic to [Add a read-only filesystem for Kubernetes]({ To review supported operating systems, read the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}) topic. +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. + ## Download your subscription credentials ### General subscription credentials needed for deployments diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 5b5dc612a..21cb71a6d 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -20,7 +20,6 @@ To complete this guide, you will need the following prerequisites: - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate, private key, and the JWT license](#Download your subscription credentials) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. -- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations Depending on your deployment type, you may have additional requirements: @@ -28,6 +27,10 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" {{< include "waf/install-selinux-warning.md" >}} +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. + ## Download your subscription credentials ### General subscription credentials needed for deployments From 7ea62ae10e479fd7cf73121f073265549943d2d0 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 14:51:45 +0000 Subject: [PATCH 41/63] fixed hyperlinks again --- content/waf/install/docker.md | 6 +++--- content/waf/install/kubernetes-plm.md | 4 ++-- content/waf/install/kubernetes.md | 6 +++--- content/waf/install/virtual-environment.md | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 356e4f260..c48df3eea 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -15,9 +15,9 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license file](#Additional subscription credentials needed for deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. -- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license file](#Additional subscription credentials needed for deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index a218ba456..c207ff104 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -38,8 +38,8 @@ To complete this guide, you will need the following prerequisites: - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license](#Additional subscription credentials needed for a deployments with NGINX Plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license](#Additional subscription credentials needed for a deployments with NGINX Plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com ## Default security policy and logging profile diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 3a257434e..fab32330b 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -19,9 +19,9 @@ To complete this guide, you will need the following pre-requisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license](#Additional subscription credentials needed for deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license](#additional-subscription-credentials-needed-for-deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 21cb71a6d..171166258 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -18,7 +18,7 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate, private key, and the JWT license](#Download your subscription credentials) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. + - Download the [SSL certificate, private key, and the JWT license](#download-your-subscription-credentials) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. Depending on your deployment type, you may have additional requirements: From f5f163e2006fbafed60bde13a18072eb0974ae2b Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 14:57:35 +0000 Subject: [PATCH 42/63] fixed compiler link --- content/waf/configure/compiler.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index ea37c430f..ffc2712a7 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -30,7 +30,7 @@ To complete this guide, you will need the following prerequisites: - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. -- [Docker registry credentials]({{< ref "/waf/configure/compiler.md#Configure Docker for the F5 Container Registry" >}}) are needed to access private-registry.nginx.com +- [Docker registry credentials](configure-docker-for-the-f5-container-registry) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) ## Download your subscription credentials From 848f92d42a600fcf07d874aa69d56f1d8b135bdd Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 15:00:35 +0000 Subject: [PATCH 43/63] fixed compiler hyperlink again --- content/waf/configure/compiler.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index ffc2712a7..cafbe24a2 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -29,7 +29,7 @@ For more information about policies, read the [Configure policies]({{< ref "/waf To complete this guide, you will need the following prerequisites: - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. + - Download the [SSL certificate and private key](download-your-subscription-credentials) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. - [Docker registry credentials](configure-docker-for-the-f5-container-registry) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) From f30cf3d064acbe3c5b2cba82c742ca7421df2027 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 4 Dec 2025 10:52:01 +0000 Subject: [PATCH 44/63] updated jwt location --- .../alpine-plus.md | 38 +++++++++++++ .../amazon-plus.md | 39 +++++++++++++ .../debian-plus.md | 52 +++++++++++++++++ .../oracle-plus.md | 40 +++++++++++++ .../rhel8-plus.md | 56 +++++++++++++++++++ .../rhel9-plus.md | 41 ++++++++++++++ .../rocky9-plus.md | 41 ++++++++++++++ .../ubuntu-plus.md | 52 +++++++++++++++++ .../waf/install/disconnected-environment.md | 4 ++ content/waf/install/docker.md | 8 ++- content/waf/install/kubernetes-plm.md | 2 + content/waf/install/kubernetes.md | 20 ++++--- content/waf/install/virtual-environment.md | 10 ++++ 13 files changed, 393 insertions(+), 10 deletions(-) create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md new file mode 100644 index 000000000..6fe7111c5 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md @@ -0,0 +1,38 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported OS_VER's are 3.22 +ARG OS_VER="3.22" + +# Base image +FROM alpine:${OS_VER} + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ + wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ + && printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | \ + tee -a /etc/apk/repositories \ + && printf "https://pkgs.nginx.com/app-protect-x-plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | \ + tee -a /etc/apk/repositories \ + && apk update \ + && apk add app-protect-module-plus \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && rm -rf /var/cache/apk/* + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` \ No newline at end of file diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md new file mode 100644 index 000000000..d4ec7bba2 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md @@ -0,0 +1,39 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base image +FROM amazonlinux:2023 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + yum -y install wget ca-certificates shadow-utils \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/amzn/2023/\$basearch/" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-plus.repo \ + && yum -y install app-protect-module-plus \ + && yum clean all \ + && rm -rf /var/cache/yum \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md new file mode 100644 index 000000000..204dfa633 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md @@ -0,0 +1,52 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported OS_CODENAME's are: bullseye/bookworm +ARG OS_CODENAME=bookworm + +# Base image +FROM debian:${OS_CODENAME} + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + apt-get update \ + && apt-get install -y \ + apt-transport-https \ + lsb-release \ + ca-certificates \ + wget \ + gnupg2 \ + debian-archive-keyring \ + && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | \ + gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-plus.list \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/app-protect-x-plus/debian `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-app-protect.list \ + && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ + && apt-get update \ + && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-module-plus \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md new file mode 100644 index 000000000..2f8a0ace3 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md @@ -0,0 +1,40 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base image +FROM oraclelinux:8 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install wget ca-certificates yum-utils \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/\$basearch/" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && dnf clean all \ + && dnf -y install app-protect-module-plus \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md new file mode 100644 index 000000000..9f05ce79f --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md @@ -0,0 +1,56 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported UBI_VERSION's are 7/8/9 +ARG UBI_VERSION=8 + +# Base Image +FROM registry.access.redhat.com/ubi${UBI_VERSION}/ubi + +# Define the ARG again after FROM to use it in this stage +ARG UBI_VERSION + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + PKG_MANAGER=dnf; \ + if [ "${UBI_VERSION}" = "7" ]; then \ + PKG_MANAGER=yum; \ + NGINX_PLUS_REPO="nginx-plus-7.4.repo"; \ + elif [ "${UBI_VERSION}" = "9" ]; then \ + NGINX_PLUS_REPO="plus-${UBI_VERSION}.repo"; \ + else \ + NGINX_PLUS_REPO="nginx-plus-${UBI_VERSION}.repo"; \ + fi \ + && $PKG_MANAGER -y install wget ca-certificates \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/${NGINX_PLUS_REPO} \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/${UBI_VERSION}/\$basearch/" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && $PKG_MANAGER clean all \ + && $PKG_MANAGER install -y app-protect-module-plus \ + && $PKG_MANAGER clean all \ + && rm -rf /var/cache/$PKG_MANAGER \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md new file mode 100644 index 000000000..464ba150e --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md @@ -0,0 +1,41 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base Image +FROM rockylinux:9 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install wget ca-certificates \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/${NGINX_PLUS_REPO} \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/${UBI_VERSION}/\$basearch/" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && dnf clean all \ + && dnf install -y app-protect-module-plus \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md new file mode 100644 index 000000000..464ba150e --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md @@ -0,0 +1,41 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base Image +FROM rockylinux:9 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install wget ca-certificates \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/${NGINX_PLUS_REPO} \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/${UBI_VERSION}/\$basearch/" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && dnf clean all \ + && dnf install -y app-protect-module-plus \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md new file mode 100644 index 000000000..89a2e7d8b --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md @@ -0,0 +1,52 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported OS_CODENAME's are: focal/jammy +ARG OS_CODENAME=jammy + +# Base image +FROM ubuntu:${OS_CODENAME} + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + apt-get update \ + && apt-get install -y \ + apt-transport-https \ + lsb-release \ + ca-certificates \ + wget \ + gnupg2 \ + ubuntu-keyring \ + && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | \ + gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-plus.list \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/app-protect-x-plus/ubuntu `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-app-protect.list \ + && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ + && apt-get update \ + && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-module-plus \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index deaa5a4b2..4d5887e56 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -85,6 +85,10 @@ yum install --downloadonly --downloaddir=/etc/packages/ app-protect Once you've obtained the package files and transferred them to your disconnected environment, you can directly install them or add them to a local repository. +## Configure license reporting for disconnected environments + +By default, NGINX Plus automatically reports license usage to the F5 licensing endpoint, and additional configuration is not required in connected environments. However, manual configuration becomes necessary in disconnected environments. Use NGINX Instance Manager for usage reporting or use a custom path for the license file. Configuration can be done in the [`mgmt {}`](https://nginx.org/en/docs/ngx_mgmt_module.html) block of the NGINX Plus configuration file (`/etc/nginx/nginx.conf`). For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). + ## Download Docker images After pulling or building Docker images in a connected environment, you can save them to `.tar` files: diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index c48df3eea..8d8f7502b 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -16,7 +16,7 @@ To complete this guide, you will need the following prerequisites: - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license file](#Additional subscription credentials needed for deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license file](#additional-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -40,6 +40,12 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< call-out "important" >}} +The provided Dockerfile for NGINX Plus automatically handles placing the JWT license file in `/etc/nginx/` during image build. If you use a custom Dockerfile, you must ensure the JWT license is copied to this location. +{{< /call-out >}} + +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + ## Docker deployment options There are three kinds of Docker deployments available: diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index c207ff104..22e982285 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -62,6 +62,8 @@ If you are deploying with Helm, you will also need the JWT license for the `dock {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + ## Prepare environment variables Set the following environment variables, which point towards your credential files: diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index fab32330b..af454b0d4 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -19,7 +19,7 @@ To complete this guide, you will need the following pre-requisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Open Source in your deployment. - Download the [SSL certificate, private key, and the JWT license](#additional-subscription-credentials-needed-for-deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com @@ -51,6 +51,8 @@ If you are deploying with Helm, you will also need the JWT license for the `dock {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + ## Create a Dockerfile In the same folder as your credential files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. @@ -83,7 +85,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/alpine-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md" >}} {{% /tab %}} @@ -101,7 +103,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/amazon-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md" >}} {{% /tab %}} @@ -119,7 +121,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/debian-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md" >}} {{% /tab %}} @@ -137,7 +139,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/oracle-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md" >}} {{% /tab %}} @@ -155,7 +157,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/rhel8-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md" >}} {{% /tab %}} @@ -173,7 +175,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/rhel9-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md" >}} {{% /tab %}} @@ -191,7 +193,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/rocky9-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md" >}} {{% /tab %}} @@ -209,7 +211,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/ubuntu-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md" >}} {{% /tab %}} diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 171166258..853e02f4b 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -43,6 +43,8 @@ To use NGINX Plus, you will need to download the the JWT license file associated {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + ## Platform-specific instructions Navigate to your chosen operating system, which are alphabetically ordered. @@ -209,6 +211,14 @@ sudo apt-get update sudo apt-get install app-protect ``` +## Install NGINX Plus license + +If you have not already copied your NGINX Plus JWT license file to the `/etc/nginx/` directory (for example, if NGINX Plus was installed automatically as a dependency), do so now: + +```shell +sudo cp .jwt /etc/nginx/license.jwt +``` + ## Update configuration files Once you have installed F5 WAF for NGINX, you must load it as a module in the main context of your NGINX configuration. From 6ffd325ecd85deba98b7177075fe99f9ab369a36 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 4 Dec 2025 14:00:43 +0000 Subject: [PATCH 45/63] missing kubctl jwt copy location --- content/waf/install/kubernetes.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index af454b0d4..e2f9f1bc9 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -53,6 +53,10 @@ If you are deploying with Helm, you will also need the JWT license for the `dock {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} +{{< call-out "note" >}} +When using the provided values.yaml for Helm, setting the `appprotect.config.nginxJWT` value ensures that your JWT license is automatically copied to `/etc/nginx/license.jwt` inside the NGINX container. No additional manual copying of the file is needed when deploying with the provided YAML configuration. +{{< /call-out >}} + ## Create a Dockerfile In the same folder as your credential files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. From 63092e2224053465d7da93b6440c419e57e54ae3 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 4 Dec 2025 14:03:07 +0000 Subject: [PATCH 46/63] fixed hyperlink --- content/waf/install/kubernetes-plm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 22e982285..0feabc948 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -39,7 +39,7 @@ To complete this guide, you will need the following prerequisites: - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license](#Additional subscription credentials needed for a deployments with NGINX Plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license](#additional-subscription-credentials-needed-for-a-deployments-with-nginx-plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com ## Default security policy and logging profile From 5ebd12c6de756c69536d82bf39fd8ae203199b2b Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 4 Dec 2025 14:17:04 +0000 Subject: [PATCH 47/63] updated shutout for jwt locations for experimental kubectl --- content/waf/install/kubernetes-plm.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 0feabc948..08a6d171b 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -64,6 +64,10 @@ If you are deploying with Helm, you will also need the JWT license for the `dock {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} +{{< call-out "note" >}} +Setting `appprotect.config.nginxJWT` with the `--set` flag in your Helm command automatically copies the JWT license to `/etc/nginx/license.jwt` inside the NGINX container. No manual JWT file copying or mounting is needed. +{{< /call-out >}} + ## Prepare environment variables Set the following environment variables, which point towards your credential files: From 94113700d93d36333e9e59ec446ab8e32ba9b8e1 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:24:06 +0200 Subject: [PATCH 48/63] Update content/includes/waf/install-build-image.md Co-authored-by: yar --- content/includes/waf/install-build-image.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index c0ff97ca6..5ab4371ce 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -27,7 +27,7 @@ podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=ngi ``` #### Building an image with NGINX Open Source -To build an image for NGINX Open Source, use the following command that are not RHEL-based, replacing `` as appropriate: +To build an image for NGINX Open Source, use the following command that is not RHEL-based, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . From 26af93e06346c4b872eff4cc408e7a786988b4ad Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:24:28 +0200 Subject: [PATCH 49/63] Update content/waf/install/virtual-environment.md Co-authored-by: yar --- content/waf/install/virtual-environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 853e02f4b..24623bcdf 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -39,7 +39,7 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ### Additional subscription credentials needed for deployments -To use NGINX Plus, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} From 45bd6db45c40cafe120590d7cb554cebc9a5e88a Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:24:51 +0200 Subject: [PATCH 50/63] Update content/waf/install/kubernetes.md Co-authored-by: yar --- content/waf/install/kubernetes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index e2f9f1bc9..801eca84f 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -43,7 +43,7 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< call-out "note" >}} If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. From 9fe15abbdd47f9b70867f333e2f924cfba7208be Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:25:13 +0200 Subject: [PATCH 51/63] Update content/waf/install/docker.md Co-authored-by: yar --- content/waf/install/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 8d8f7502b..2dd3b3526 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -342,7 +342,7 @@ Your folder should contain the following files: - _Dockerfile_ - _custom_log_format.json_ -To build an image, use the following command for system that are not RHEL-based, replacing `` as appropriate: +To build an image, use the following command for a system that is not RHEL-based, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . From ed51b57ac4fcc5849e26dadc013a7bb3a0cbe0f5 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:25:34 +0200 Subject: [PATCH 52/63] Update content/includes/waf/install-build-image.md Co-authored-by: yar --- content/includes/waf/install-build-image.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index 5ab4371ce..d7e672e49 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -14,7 +14,7 @@ Your folder should contain the following files: - _custom_log_format.json_ #### Building an image with NGINX Plus -To build an image for NGINX Plus, use the following command that are not RHEL-based, replacing `` as appropriate: +To build an image for NGINX Plus, use the following command that is not RHEL-based, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . From 9282b31ad8f5da60c6dc1b92680c8d375b0f6338 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:25:51 +0200 Subject: [PATCH 53/63] Update content/waf/install/docker.md Co-authored-by: yar --- content/waf/install/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 2dd3b3526..c82571b18 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -37,7 +37,7 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} {{< call-out "important" >}} From bedee04ab6807f12a82d6847f836fe62e859ee6d Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:27:07 +0200 Subject: [PATCH 54/63] Update content/waf/install/docker.md Co-authored-by: yar --- content/waf/install/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index c82571b18..0aa0de0af 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -508,7 +508,7 @@ Once you have updated your configuration files, you can reload NGINX to apply th #### Download Docker images -[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images +[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#configure-docker-for-the-f5-container-registry" >}}) is needed to pull the following container images {{< include "waf/install-services-images.md" >}} From 88ac279022727f950cccf7885df380eeda4d6f79 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:27:23 +0200 Subject: [PATCH 55/63] Update content/waf/install/docker.md Co-authored-by: yar --- content/waf/install/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 0aa0de0af..490050b56 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -886,7 +886,7 @@ sudo dnf install app-protect-module-plus #### Download Docker images -[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images +[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#configure-docker-for-the-f5-container-registry" >}}) is needed to pull the following container images {{< include "waf/install-services-images.md" >}} From 07ce51f85bfd58b5e97d6d12313c0f9a3da5e7a6 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:27:39 +0200 Subject: [PATCH 56/63] Update content/waf/install/kubernetes-plm.md Co-authored-by: yar --- content/waf/install/kubernetes-plm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 08a6d171b..c2669ff28 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -54,7 +54,7 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< call-out "note" >}} If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. From b4a99490a538e63e2e6cb429350682c00a870db9 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Sun, 7 Dec 2025 08:34:34 +0000 Subject: [PATCH 57/63] removed extra the and fixed hyperlinks --- content/waf/install/docker.md | 2 +- content/waf/install/kubernetes-plm.md | 4 ++-- content/waf/policies/bot-signatures.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 490050b56..3b04640a6 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -66,7 +66,7 @@ The steps you should follow on this page are dependent on your configuration typ You will need Docker registry credentials to access private-registry.nginx.com for the Multi-container or Hybrid deployment options. -Create a directory and copy your [certificate and key]({{< ref "/waf/install/docker.md#Shared Requirements" >}}) to this directory: +Create a directory and copy your certificate and key to this directory: ```shell mkdir -p /etc/docker/certs.d/private-registry.nginx.com diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index c2669ff28..68fdc02e9 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -40,7 +40,7 @@ To complete this guide, you will need the following prerequisites: - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license](#additional-subscription-credentials-needed-for-a-deployments-with-nginx-plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com ## Default security policy and logging profile @@ -1014,7 +1014,7 @@ cd nginx-app-protect kubectl apply -f crds/ ``` -Finish the the process by using `helm upgrade`: +Finish the process by using `helm upgrade`: ```shell helm upgrade . \ diff --git a/content/waf/policies/bot-signatures.md b/content/waf/policies/bot-signatures.md index 3822fecba..4bcdbf1b5 100644 --- a/content/waf/policies/bot-signatures.md +++ b/content/waf/policies/bot-signatures.md @@ -12,7 +12,7 @@ This feature is enabled by default with the `bot-defense` parameter, and include ## Bot signatures -Bot signature detection works by inspecting the the User-Agent header and URI of a request. +Bot signature detection works by inspecting the User-Agent header and URI of a request. Each detected bot signature belongs to a bot class: search engine signatures such as `googlebot` are under the trusted_bots class, but F5 WAF for NGINX performs additional checks to authenticate a trusted bot. From d51cfa48eacfb99d6e54c80eeff4e9c6196fe14e Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 8 Dec 2025 07:17:00 +0000 Subject: [PATCH 58/63] temp --- content/waf/install/docker.md | 6 ++---- content/waf/install/kubernetes.md | 10 ++++------ 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 3b04640a6..26d2dca61 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -13,16 +13,14 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. +- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running TODO add reason for it. - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license file](#additional-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. -To review supported operating systems, read the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}) topic. - {{< include "waf/install-selinux-warning.md" >}} ## Default security policy and logging profile diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 801eca84f..a337ef085 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -15,11 +15,11 @@ It explains the common steps necessary for any Kubernetes-based deployment, then To complete this guide, you will need the following pre-requisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/). -- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. -- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) TODO add reason for it. +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster TODO add reason for it.. +- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running TODO add reason for it. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Open Source in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your f5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you plan of using NGINX Open Source in your deployment. - Download the [SSL certificate, private key, and the JWT license](#additional-subscription-credentials-needed-for-deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com @@ -29,8 +29,6 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" There is another optional topic to [Add a read-only filesystem for Kubernetes]({{< ref "/waf/configure/kubernetes-read-only.md" >}}) -To review supported operating systems, read the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}) topic. - ## Default security policy and logging profile F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. From 5af186cdd573ceefb39dca10764afec4a1f4d2be Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 8 Dec 2025 09:50:19 +0000 Subject: [PATCH 59/63] added aviv suggestions --- .../download-jwt-ssl-key-from-myf5.md | 12 +++++++++ content/waf/configure/secure-mtls.md | 5 ++-- .../waf/install/disconnected-environment.md | 2 +- content/waf/install/docker.md | 20 ++++++-------- content/waf/install/kubernetes-plm.md | 26 +++++++----------- content/waf/install/kubernetes.md | 27 +++++++------------ content/waf/install/virtual-environment.md | 11 ++------ content/waf/policies/ip-intelligence.md | 4 +-- 8 files changed, 47 insertions(+), 60 deletions(-) create mode 100644 content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md diff --git a/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md b/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md new file mode 100644 index 000000000..9f54304a3 --- /dev/null +++ b/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md @@ -0,0 +1,12 @@ +--- +nd-files: +- content/includes/use-cases/credential-download-instructions.md +- content/waf/configure/compiler.md +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +1. Log in to [MyF5](https://my.f5.com/manage/s/). +1. Go to **My Products & Plans > Subscriptions** to see your active subscriptions. +1. Find your NGINX subscription, and select the **Subscription ID** for details. +1. Download the **SSL Certificate**, **Private Key** and **JSON Web Token** files from the subscription page. \ No newline at end of file diff --git a/content/waf/configure/secure-mtls.md b/content/waf/configure/secure-mtls.md index ce490553e..1cb7483a0 100644 --- a/content/waf/configure/secure-mtls.md +++ b/content/waf/configure/secure-mtls.md @@ -149,7 +149,7 @@ With a [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment {{< /call-out >}} -## Modify Docker compose file +## Modify Docker Compose file {{< call-out "warning" >}} @@ -218,5 +218,4 @@ services: app_protect_bd_config: app_protect_config: app_protect_etc_config: -``` - +``` \ No newline at end of file diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 4d5887e56..7d4ff87cb 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -109,4 +109,4 @@ docker load -i waf-config-mgr.tar docker load -i waf-ip-intelligence.tar ``` -Ensure your Docker compose files use the tagged images you've transferred. \ No newline at end of file +Ensure your Docker Compose files use the tagged images you've transferred. \ No newline at end of file diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 26d2dca61..d2ca41d44 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -13,11 +13,10 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running TODO add reason for it. -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license file](#additional-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) +- [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running. +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. JWT license is not needed when using NGINX Open Source. +- Access to private-registry.nginx.com using [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for pulling images need for deployment when using Multi-container and Hybrid configuration. +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images for Multi-container and Hybrid configurations. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -29,14 +28,11 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ## Download your subscription credentials -### General subscription credentials needed for deployments - -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} - -### Additional subscription credentials needed for deployments +{{< call-out "note" >}} +If you are using NGINX Open Source for your Multi-container or Hybrid configuration, you do not need the JWT license file. +{{< /call-out >}} -To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} {{< call-out "important" >}} The provided Dockerfile for NGINX Plus automatically handles placing the JWT license file in `/etc/nginx/` during image build. If you use a custom Dockerfile, you must ensure the JWT license is copied to this location. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 68fdc02e9..684d66fa0 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -33,14 +33,12 @@ These enhancements are only available for Helm-based deployments. To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) -- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster -- [Helm](https://helm.sh/docs/intro/install/) -- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license](#additional-subscription-credentials-needed-for-a-deployments-with-nginx-plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) (installed and running). +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. +- [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running, for pulling and managing container images. +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images +- [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. ## Default security policy and logging profile @@ -48,13 +46,9 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ## Download your subscription credentials -### General subscription credentials needed for deployments - -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} - -### Additional subscription credentials needed for deployments - -To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +{{< call-out "note" >}} +To access private-registry.nginx.com, you will need to download the JWT license file even when using NGINX Open Source as a base image. +{{< /call-out >}} {{< call-out "note" >}} If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. @@ -65,7 +59,7 @@ If you are deploying with Helm, you will also need the JWT license for the `dock {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} {{< call-out "note" >}} -Setting `appprotect.config.nginxJWT` with the `--set` flag in your Helm command automatically copies the JWT license to `/etc/nginx/license.jwt` inside the NGINX container. No manual JWT file copying or mounting is needed. +When using the provided values.yaml for Helm, setting the `appprotect.config.nginxJWT` value ensures that your JWT license is automatically copied to `/etc/nginx/license.jwt` inside the NGINX container. No additional manual copying of the file is needed when deploying with the provided YAML configuration. {{< /call-out >}} ## Prepare environment variables diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index a337ef085..f6531ef2c 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -15,15 +15,12 @@ It explains the common steps necessary for any Kubernetes-based deployment, then To complete this guide, you will need the following pre-requisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) TODO add reason for it. -- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster TODO add reason for it.. -- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running TODO add reason for it. -- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your f5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you plan of using NGINX Open Source in your deployment. - - Download the [SSL certificate, private key, and the JWT license](#additional-subscription-credentials-needed-for-deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com - -You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) (installed and running). +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. +- [Access credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com for pulling deployment images. +- [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -35,13 +32,9 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ## Download your subscription credentials -### General subscription credentials needed for deployments - -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} - -### Additional subscription credentials needed for deployments - -To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +{{< call-out "note" >}} +To access private-registry.nginx.com, you will need to download the JWT license file even when using NGINX Open Source as a base image. +{{< /call-out >}} {{< call-out "note" >}} If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. @@ -268,7 +261,7 @@ cd nginx-app-protect You will need to edit the `values.yaml` file for a few changes: -- Update _appprotect.nginx.image.repository_ and _appprotect.nginx.image.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). +- Update _appprotect.nginx.image.repository_ and _appprotect.nginx.image.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). - Update _appprotect.config.nginxJWT_ with your JSON web token (Only necessary when using NGINX Plus) - Update _dockerConfigJson_ to contain the base64 encoded Docker registration credentials diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 24623bcdf..4be1f99cf 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -17,8 +17,7 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate, private key, and the JWT license](#download-your-subscription-credentials) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. Depending on your deployment type, you may have additional requirements: @@ -33,15 +32,9 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ## Download your subscription credentials -### General subscription credentials needed for deployments - -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} - -### Additional subscription credentials needed for deployments - To use NGINX Plus, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} diff --git a/content/waf/policies/ip-intelligence.md b/content/waf/policies/ip-intelligence.md index dddb483b4..2f66a6d5d 100644 --- a/content/waf/policies/ip-intelligence.md +++ b/content/waf/policies/ip-intelligence.md @@ -72,7 +72,7 @@ tail -f iprepd.log Once complete, you can now [Configure policies for IP intelligence](#configure-policies-for-ip-intelligence). -### Modify Docker compose file +### Modify Docker Compose file {{< call-out "warning" >}} @@ -80,7 +80,7 @@ This section **only** applies to installations using Docker. {{< /call-out >}} -IP intelligence has its own Docker container, which can be added to an existing Docker compose file for deployment. +IP intelligence has its own Docker container, which can be added to an existing Docker Compose file for deployment. First, create the required directory: From 8b3b2eefe379b05bae17711998f45062f7042166 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 8 Dec 2025 10:07:21 +0000 Subject: [PATCH 60/63] updated hyperlinks --- .../licensing-and-reporting/download-jwt-ssl-key-from-myf5.md | 4 ++-- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md b/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md index 9f54304a3..02fede65a 100644 --- a/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md +++ b/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md @@ -1,9 +1,9 @@ --- nd-files: -- content/includes/use-cases/credential-download-instructions.md -- content/waf/configure/compiler.md - content/waf/install/docker.md - content/waf/install/kubernetes.md +- content/waf/install/kubernetes-plm.md +- content/waf/install/virtual-environment.md --- 1. Log in to [MyF5](https://my.f5.com/manage/s/). diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 684d66fa0..5e2d5ab40 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -54,7 +54,7 @@ To access private-registry.nginx.com, you will need to download the JWT license If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. {{< /call-out >}} -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index f6531ef2c..7c658720d 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -40,7 +40,7 @@ To access private-registry.nginx.com, you will need to download the JWT license If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. {{< /call-out >}} -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} From b91774fe4b3a8c15ff1c6559b14b2486f6dcdc65 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 8 Dec 2025 10:21:24 +0000 Subject: [PATCH 61/63] updated hyperlinks --- content/waf/install/docker.md | 3 +-- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index d2ca41d44..96a621f4e 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -15,8 +15,7 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running. - Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. JWT license is not needed when using NGINX Open Source. -- Access to private-registry.nginx.com using [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for pulling images need for deployment when using Multi-container and Hybrid configuration. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images for Multi-container and Hybrid configurations. +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images for Multi-container and Hybrid configurations. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 5e2d5ab40..26b6d62c7 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -37,7 +37,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running, for pulling and managing container images. - Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images - [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. ## Default security policy and logging profile diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 7c658720d..777ac4d37 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -19,7 +19,7 @@ To complete this guide, you will need the following pre-requisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images - Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. -- [Access credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com for pulling deployment images. +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images - [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. From f1c0baa18533f829b9986ba2e58c87705efd20e3 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 11 Dec 2025 14:46:57 +0000 Subject: [PATCH 62/63] missing periods --- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 26b6d62c7..4c1cde613 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -37,7 +37,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running, for pulling and managing container images. - Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. -- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images. - [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. ## Default security policy and logging profile diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 777ac4d37..13d68af23 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -17,14 +17,14 @@ To complete this guide, you will need the following pre-requisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) (installed and running). - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images. - Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. -- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images. - [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. -There is another optional topic to [Add a read-only filesystem for Kubernetes]({{< ref "/waf/configure/kubernetes-read-only.md" >}}) +There is another optional topic to [Add a read-only filesystem for Kubernetes]({{< ref "/waf/configure/kubernetes-read-only.md" >}}). ## Default security policy and logging profile From f4b38aefbc2e226792d3c56b3eb2e1daa390c7a0 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 15 Dec 2025 13:46:22 +0000 Subject: [PATCH 63/63] updated subscriptions --- content/waf/install/docker.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 96a621f4e..121e810a4 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -27,18 +27,20 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ## Download your subscription credentials -{{< call-out "note" >}} -If you are using NGINX Open Source for your Multi-container or Hybrid configuration, you do not need the JWT license file. -{{< /call-out >}} +To download the necessary files for deploying F5 WAF for NGINX, follow these steps: -{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} +1. Log in to [MyF5](https://my.f5.com/manage/s/). +2. Go to **My Products & Plans > Subscriptions** to see your active subscriptions. +3. Find your NGINX subscription, and select the **Subscription ID** for details. +4. Download the following files: + - **SSL Certificate** + - **Private Key** + - **JSON Web Token (JWT)** (required for NGINX Plus but not necessary for NGINX Open Source users) {{< call-out "important" >}} The provided Dockerfile for NGINX Plus automatically handles placing the JWT license file in `/etc/nginx/` during image build. If you use a custom Dockerfile, you must ensure the JWT license is copied to this location. {{< /call-out >}} -{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} - ## Docker deployment options There are three kinds of Docker deployments available: