From 99a0e397a265053685c6d8c43d15fd54a24bbc86 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 25 Nov 2025 13:37:10 +0000 Subject: [PATCH 01/63] docs: add missing prerequisite for installation --- content/waf/install/virtual-environment.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 4b01e1634d..7a88671058 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,13 +23,11 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- A working [NGINX Open Source]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-open-source.md" >}}) or [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) instance. +- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) instance. - An active F5 WAF for NGINX subscription (Purchased or trial). Depending on your deployment type, you may have additional requirements: -- [Docker](https://docs.docker.com/get-started/get-docker/) is required for NGINX Open Source or NGINX Plus type deployments. - You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. {{< include "waf/install-selinux-warning.md" >}} From 94d3ba5a22d974c661c07269e42e154452625abb Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 25 Nov 2025 15:15:36 +0000 Subject: [PATCH 02/63] added info about nginx x being installed with app protect --- content/waf/install/virtual-environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 7a88671058..ff2ff2a22f 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,7 +23,7 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) instance. +- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) - An active F5 WAF for NGINX subscription (Purchased or trial). Depending on your deployment type, you may have additional requirements: From 5ca5ed9a33dc32c914cc0d81708f3ffb35f3831a Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 08:08:46 +0000 Subject: [PATCH 03/63] updated kubernetes --- content/includes/waf/install-update-configuration.md | 5 ----- content/waf/install/docker.md | 5 +++++ content/waf/install/kubernetes.md | 2 ++ 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/content/includes/waf/install-update-configuration.md b/content/includes/waf/install-update-configuration.md index 23b1c63ae4..3577367cf0 100644 --- a/content/includes/waf/install-update-configuration.md +++ b/content/includes/waf/install-update-configuration.md @@ -121,8 +121,3 @@ server { {{% /tab %}} {{< /tabs >}} - -Once you have updated your configuration files, you can reload NGINX to apply the changes. You have two options depending on your environment: - -- `nginx -s reload` -- `sudo systemctl reload nginx` \ No newline at end of file diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 437440c51f..903bde2be1 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -1293,6 +1293,11 @@ CMD ["sh", "/root/entrypoint.sh"] {{< include "waf/install-update-configuration.md" >}} +Once you have updated your configuration files, you can reload NGINX to apply the changes. You have two options depending on your environment: + +- `nginx -s reload` +- `sudo systemctl reload nginx` + F5 WAF for NGINX should now be operational, and you can move onto [Post-installation checks](#post-installation-checks). ## Post-installation checks diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 1be48c5e56..f434948f3c 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -226,6 +226,8 @@ From this point, the steps change based on your installation method: ### Download your JSON web token +To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: + {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ### Get the Helm chart From 02fb8af3e6358e5d8bc3ad863d4030342b92ccb2 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 08:50:06 +0000 Subject: [PATCH 04/63] added supported os and Kubernetes ctl/cluster --- content/waf/install/docker.md | 4 ++-- content/waf/install/kubernetes-plm.md | 3 ++- content/waf/install/kubernetes.md | 5 +++-- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 903bde2be1..0f7d130af4 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -143,7 +143,7 @@ http { ### Create a Dockerfile -In the same folder as your credential and configuration files, create a _Dockerfile_ based on your desired operating system image using an example from the following sections. +In the same folder as your credential and configuration files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. Alternatively, you may want make your own image based on a Dockerfile using the official NGINX image: @@ -913,7 +913,7 @@ http { Copy or move your subscription files into a new folder. -In the same folder as the subscription files, create a _Dockerfile_ based on your desired operating system image using an example from the following sections. +In the same folder as the subscription files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. {{< call-out "note" >}} diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index be83573103..e1382fae76 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -36,7 +36,8 @@ These enhancements are only available for Helm-based deployments. To complete this guide, you will need the following prerequisites: -- [A functional Kubernetes cluster]({{< ref "/waf/install/kubernetes.md" >}}) +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/get-started/get-docker/) - An active F5 WAF for NGINX subscription (Purchased or trial) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index f434948f3c..9d0eab937c 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -18,7 +18,8 @@ It explains the common steps necessary for any Kubernetes-based deployment, then To complete this guide, you will need the following pre-requisites: -- A functional Kubernetes cluster +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - An active F5 WAF for NGINX subscription (Purchased or trial) - [Docker](https://docs.docker.com/get-started/get-docker/) @@ -36,7 +37,7 @@ To review supported operating systems, read the [Technical specifications]({{< r ## Create a Dockerfile -In the same folder as your credential files, create a _Dockerfile_ based on your desired operating system image using an example from the following sections. +In the same folder as your credential files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. Alternatively, you may want make your own image based on a Dockerfile using the official NGINX image: From ab0f706d1f01af2377a455a12e8032625de87279 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 09:39:39 +0000 Subject: [PATCH 05/63] temp --- content/waf/install/virtual-environment.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index ff2ff2a22f..8f81de119d 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,8 +23,9 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) - An active F5 WAF for NGINX subscription (Purchased or trial). +- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) + - [NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used Depending on your deployment type, you may have additional requirements: From 2086f451ef2899a9162f06731a6ffa4f4a25b377 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 09:47:59 +0000 Subject: [PATCH 06/63] test --- content/waf/install/virtual-environment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 8f81de119d..c1a68ed50f 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -25,8 +25,8 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - An active F5 WAF for NGINX subscription (Purchased or trial). - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) - - [NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used - +- [NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used +- this is a test Depending on your deployment type, you may have additional requirements: You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. From f31d4dc6533d3106165f5215860a8c91bab3c78c Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 10:00:26 +0000 Subject: [PATCH 07/63] test --- content/waf/install/virtual-environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index c1a68ed50f..2a49ec99d6 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -25,8 +25,8 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - An active F5 WAF for NGINX subscription (Purchased or trial). - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) -- [NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used - this is a test + Depending on your deployment type, you may have additional requirements: You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. From 0ae66b5e7d0a6729265506a18deb2a1528b50176 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 10:07:45 +0000 Subject: [PATCH 08/63] added link to my my5 --- content/waf/install/virtual-environment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 2a49ec99d6..9157d3d527 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,9 +23,8 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- An active F5 WAF for NGINX subscription (Purchased or trial). +- An active [F5 WAF for NGINX subscription]({{< ref "/licensing-and-reporting/download-certificates-from-myf5.md" >}}) (Purchased or trial). - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) -- this is a test Depending on your deployment type, you may have additional requirements: From 4c7756a4715206bc76ccaaf1809c6c56e091ff14 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 10:35:46 +0000 Subject: [PATCH 09/63] updated myf5 with link --- content/waf/install/disconnected-environment.md | 2 +- content/waf/install/docker.md | 2 +- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 2 +- content/waf/install/virtual-environment.md | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 88e1a8bc98..60794d2eec 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -22,7 +22,7 @@ To complete this guide, you will need the following prerequisites: - [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md#before-you-begin" >}}) - [Docker]({{< ref "/waf/install/docker.md#before-you-begin" >}}) - [Kubernetes]({{< ref "/waf/install/kubernetes.md#before-you-begin" >}}) -- An active F5 WAF for NGINX subscription (Purchased or trial). +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - A connected environment with similar architecture - A method to transfer files between two environments diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 0f7d130af4..a9aa3c1f2e 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -16,7 +16,7 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: -- An active F5 WAF for NGINX subscription (Purchased or trial) +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - [Docker](https://docs.docker.com/get-started/get-docker/) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index e1382fae76..7207dfa5ad 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -40,7 +40,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/get-started/get-docker/) -- An active F5 WAF for NGINX subscription (Purchased or trial) +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. ## Download your subscription credentials diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 9d0eab937c..fede5f5cc7 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -20,7 +20,7 @@ To complete this guide, you will need the following pre-requisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster -- An active F5 WAF for NGINX subscription (Purchased or trial) +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - [Docker](https://docs.docker.com/get-started/get-docker/) You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 9157d3d527..3488841c66 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,7 +23,7 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- An active [F5 WAF for NGINX subscription]({{< ref "/licensing-and-reporting/download-certificates-from-myf5.md" >}}) (Purchased or trial). +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) Depending on your deployment type, you may have additional requirements: From 972113e41e885b2cfb863c811cfb6f88dce7314a Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 11:37:25 +0000 Subject: [PATCH 10/63] added info for docker registry access --- content/waf/install/kubernetes-plm.md | 1 + content/waf/install/kubernetes.md | 1 + 2 files changed, 2 insertions(+) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 7207dfa5ad..ad8f9a565a 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -40,6 +40,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/get-started/get-docker/) +- Docker registry credentials — needed to access private-registry.nginx.com - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index fede5f5cc7..0150762cd1 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -22,6 +22,7 @@ To complete this guide, you will need the following pre-requisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - [Docker](https://docs.docker.com/get-started/get-docker/) +- Docker registry credentials — needed to access private-registry.nginx.com You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. From f3ae544eb94ffaac2e3f9c31b6ca8dfd6a110075 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 11:43:43 +0000 Subject: [PATCH 11/63] test for jwt --- content/waf/install/docker.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index a9aa3c1f2e..e9f87e3c98 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -45,6 +45,8 @@ The steps you should follow on this page are dependent on your configuration typ {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} +[NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used + ## Configure Docker for the F5 Container Registry {{< include "waf/install-services-registry.md" >}} From 79769eacec7422729dd96d3155ea37a9b6997a02 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 14:36:24 +0000 Subject: [PATCH 12/63] added jwt for docker --- content/includes/waf/install-build-image.md | 1 + content/waf/install/docker.md | 20 +++++++++++--------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index 45ccc3068b..1a76c8373b 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -7,6 +7,7 @@ Your folder should contain the following files: - _nginx-repo.crt_ - _nginx-repo.key_ +- _license.jwt_ (Only necessary when using NGINX Plus) - _nginx.conf_ - _entrypoint.sh_ - _Dockerfile_ diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index e9f87e3c98..9877a652af 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -42,10 +42,12 @@ The single container configuration only supports NGINX Plus and requires a build The steps you should follow on this page are dependent on your configuration type: after the shared steps, links will guide you to the next appropriate section. ## Download your subscription credentials +### Shared Requirements {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -[NGINX Plus JWT license]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#obtaining-and-installing-the-license" >}}) — required if NGINX Plus is used +### Additional Requirement for NGINX Plus Users +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Configure Docker for the F5 Container Registry @@ -956,7 +958,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -998,7 +1000,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1053,7 +1055,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1099,7 +1101,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1142,7 +1144,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1184,7 +1186,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1226,7 +1228,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1281,7 +1283,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] From 9b20e3cd89f5c264f116fcf7c0c4ab7426f8da3d Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 26 Nov 2025 15:39:22 +0000 Subject: [PATCH 13/63] last work before remove --- content/includes/waf/install-services-registry.md | 2 ++ content/waf/install/docker.md | 14 +++++++++++--- content/waf/install/kubernetes-plm.md | 4 ++-- content/waf/install/kubernetes.md | 4 ++-- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/content/includes/waf/install-services-registry.md b/content/includes/waf/install-services-registry.md index c9f686e8de..2389912d7b 100644 --- a/content/includes/waf/install-services-registry.md +++ b/content/includes/waf/install-services-registry.md @@ -5,6 +5,8 @@ nd-files: - content/waf/install/kubernetes.md --- +Docker registry credentials are needed to access private-registry.nginx.com + Create a directory and copy your certificate and key to this directory: ```shell diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 9877a652af..338d9a5528 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -17,7 +17,8 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) -- [Docker](https://docs.docker.com/get-started/get-docker/) +- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. +- Docker registry credentials are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -442,7 +443,7 @@ Once you have updated your configuration files, you can reload NGINX to apply th {{< include "waf/install-services-docker.md" >}} #### Download Docker images - +[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images {{< include "waf/install-services-images.md" >}} #### Create and run a Docker Compose file @@ -818,7 +819,7 @@ sudo dnf install app-protect-module-plus {{< include "waf/install-services-docker.md" >}} #### Download Docker images - +[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images {{< include "waf/install-services-images.md" >}} #### Create and run a Docker Compose file @@ -1311,3 +1312,10 @@ F5 WAF for NGINX should now be operational, and you can move onto [Post-installa ## Next steps {{< include "waf/install-next-steps.md" >}} + +## Remove NGINX docker image +Before removing any Docker image, it’s important to ensure that the image is no longer needed and is not in use. + +[docker image rm](https://docs.docker.com/reference/cli/docker/image/rm/) tool + +TODO diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index ad8f9a565a..c30d9e388f 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -39,8 +39,8 @@ To complete this guide, you will need the following prerequisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) -- [Docker](https://docs.docker.com/get-started/get-docker/) -- Docker registry credentials — needed to access private-registry.nginx.com +- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. +- Docker registry credentials are needed to access private-registry.nginx.com - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 0150762cd1..c0287c1cf1 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -21,8 +21,8 @@ To complete this guide, you will need the following pre-requisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) -- [Docker](https://docs.docker.com/get-started/get-docker/) -- Docker registry credentials — needed to access private-registry.nginx.com +- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. +- Docker registry credentials are needed to access private-registry.nginx.com You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. From d25dd99c08770c0ed44632a2f3cbb5d80a39421c Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 27 Nov 2025 06:44:13 +0000 Subject: [PATCH 14/63] remove line since we have the line above it --- content/waf/install/kubernetes-plm.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index c30d9e388f..1038132a87 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -42,7 +42,6 @@ To complete this guide, you will need the following prerequisites: - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - Docker registry credentials are needed to access private-registry.nginx.com - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) -- Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. ## Download your subscription credentials From 0a81c83f74a8a9413aefc8911d396f022ffd7a32 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 27 Nov 2025 13:48:31 +0000 Subject: [PATCH 15/63] updated docker for jwt --- content/includes/waf/install-build-image.md | 4 +- content/waf/install/docker.md | 48 +++++++++++++++++---- 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index 1a76c8373b..dec2acb30c 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -16,13 +16,13 @@ Your folder should contain the following files: To build an image, use the following command, replacing `` as appropriate: ```shell -sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . +sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . ``` A RHEL-based system would use the following command instead: ```shell -podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . +podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . ``` {{< call-out "note" >}} diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 338d9a5528..8180f63164 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -954,12 +954,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ apk update && apk add app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -996,12 +1000,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf -y install app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1051,12 +1059,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ apt-get install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1097,12 +1109,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1140,12 +1156,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1186,8 +1206,12 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1224,12 +1248,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ dnf install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] @@ -1279,12 +1307,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ apt-get install -y app-protect-ip-intelligence +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json license.jwt /etc/nginx/ +COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ CMD ["sh", "/root/entrypoint.sh"] From c6b1e7d0cfe361504a38548c2d53187463eec26a Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 27 Nov 2025 15:50:55 +0000 Subject: [PATCH 16/63] update dockerfile for nap --- .../includes/waf/dockerfiles/alpine-plus.md | 4 +++ .../includes/waf/dockerfiles/amazon-plus.md | 4 +++ .../includes/waf/dockerfiles/debian-plus.md | 4 +++ .../includes/waf/dockerfiles/oracle-plus.md | 4 +++ .../includes/waf/dockerfiles/rhel8-plus.md | 4 +++ .../includes/waf/dockerfiles/rhel9-plus.md | 4 +++ .../includes/waf/dockerfiles/rocky9-plus.md | 4 +++ .../includes/waf/dockerfiles/ubuntu-plus.md | 4 +++ content/includes/waf/install-build-image.md | 13 +++++++++- content/waf/install/kubernetes.md | 25 +++++++++++++------ 10 files changed, 62 insertions(+), 8 deletions(-) diff --git a/content/includes/waf/dockerfiles/alpine-plus.md b/content/includes/waf/dockerfiles/alpine-plus.md index 6fe7111c58..2818c35920 100644 --- a/content/includes/waf/dockerfiles/alpine-plus.md +++ b/content/includes/waf/dockerfiles/alpine-plus.md @@ -27,6 +27,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ && ln -sf /dev/stderr /var/log/nginx/error.log \ && rm -rf /var/cache/apk/* +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/amazon-plus.md b/content/includes/waf/dockerfiles/amazon-plus.md index d4ec7bba2e..d943b33f16 100644 --- a/content/includes/waf/dockerfiles/amazon-plus.md +++ b/content/includes/waf/dockerfiles/amazon-plus.md @@ -28,6 +28,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/debian-plus.md b/content/includes/waf/dockerfiles/debian-plus.md index 204dfa6336..7c8581d119 100644 --- a/content/includes/waf/dockerfiles/debian-plus.md +++ b/content/includes/waf/dockerfiles/debian-plus.md @@ -41,6 +41,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && apt-get clean \ && rm -rf /var/lib/apt/lists/* +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/oracle-plus.md b/content/includes/waf/dockerfiles/oracle-plus.md index 98bd1e15b6..c62d33bb1a 100644 --- a/content/includes/waf/dockerfiles/oracle-plus.md +++ b/content/includes/waf/dockerfiles/oracle-plus.md @@ -29,6 +29,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/rhel8-plus.md b/content/includes/waf/dockerfiles/rhel8-plus.md index 9f05ce79f2..ac00cc4e33 100644 --- a/content/includes/waf/dockerfiles/rhel8-plus.md +++ b/content/includes/waf/dockerfiles/rhel8-plus.md @@ -45,6 +45,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/rhel9-plus.md b/content/includes/waf/dockerfiles/rhel9-plus.md index 464ba150e8..6f6c96a538 100644 --- a/content/includes/waf/dockerfiles/rhel9-plus.md +++ b/content/includes/waf/dockerfiles/rhel9-plus.md @@ -30,6 +30,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/rocky9-plus.md b/content/includes/waf/dockerfiles/rocky9-plus.md index 464ba150e8..6f6c96a538 100644 --- a/content/includes/waf/dockerfiles/rocky9-plus.md +++ b/content/includes/waf/dockerfiles/rocky9-plus.md @@ -30,6 +30,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/dockerfiles/ubuntu-plus.md b/content/includes/waf/dockerfiles/ubuntu-plus.md index 89a2e7d8bc..7333f22d5a 100644 --- a/content/includes/waf/dockerfiles/ubuntu-plus.md +++ b/content/includes/waf/dockerfiles/ubuntu-plus.md @@ -41,6 +41,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && apt-get clean \ && rm -rf /var/lib/apt/lists/* +# Securely copy the JWT license: +RUN --mount=type=secret,id=license-jwt,dst=license.jwt \ + cp license.jwt /etc/nginx/license.jwt + # Expose port EXPOSE 80 diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index dec2acb30c..86a729c984 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -13,7 +13,7 @@ Your folder should contain the following files: - _Dockerfile_ - _custom_log_format.json_ (Optional) -To build an image, use the following command, replacing `` as appropriate: +To build an image for NGINX Plus, use the following command, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . @@ -24,6 +24,17 @@ A RHEL-based system would use the following command instead: ```shell podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . ``` +To build an image for NGINX Open Source, use the following command, replacing `` as appropriate: + +```shell +sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . +``` + +A RHEL-based system would use the following command instead: + +```shell +podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . +``` {{< call-out "note" >}} diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index c0287c1cf1..7fc45ba491 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -36,6 +36,12 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} +### Download your JSON web token + +To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: + +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} + ## Create a Dockerfile In the same folder as your credential files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. @@ -206,9 +212,20 @@ Your folder should contain the following files: - _nginx-repo.crt_ - _nginx-repo.key_ +- _license.jwt_ (Only necessary when using NGINX Plus) - _Dockerfile_ -To build an image, use the following command, replacing `` as appropriate: +To build an image for NGINX Pluse, use the following command, replacing `` as appropriate: + +```shell +sudo docker build --no-cache --platform linux/amd64 \ + --secret id=nginx-crt,src=nginx-repo.crt \ + --secret id=nginx-key,src=nginx-repo.key \ + --secret id=license-jwt,src=license.jwt \ + -t . +``` + +To build an image for NGINX Open Source, use the following command, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 \ @@ -226,12 +243,6 @@ From this point, the steps change based on your installation method: ## Use Helm to install F5 WAF for NGINX -### Download your JSON web token - -To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: - -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} - ### Get the Helm chart To get the Helm chart, first configure Docker for the F5 Container Registry. From 992be8a9a7f3f7932d27c1dbc1620c6d0c9426b4 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 11:37:34 +0000 Subject: [PATCH 17/63] updated storage --- content/waf/install/kubernetes.md | 81 ++++++++++--------------------- 1 file changed, 26 insertions(+), 55 deletions(-) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 7fc45ba491..39e81f2890 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -408,63 +408,34 @@ This configuration uses a _hostPath_ backed persistent volume claim. {{< /call-out >}} ```yaml -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: PersistentVolume metadata: - name: nap5-deployment + name: nap5-bundles-pv + labels: + type: local spec: - selector: - matchLabels: - app: nap5 - replicas: 2 - template: - metadata: - labels: - app: nap5 - spec: - imagePullSecrets: - - name: regcred - containers: - - name: nginx - image: /waf: - imagePullPolicy: IfNotPresent - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: waf-enforcer - image: private-registry.nginx.com/nap/waf-enforcer: - imagePullPolicy: IfNotPresent - env: - - name: ENFORCER_PORT - value: "50000" - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: waf-config-mgr - image: private-registry.nginx.com/nap/waf-config-mgr: - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - volumeMounts: - - name: app-protect-bd-config - mountPath: /opt/app_protect/bd_config - - name: app-protect-config - mountPath: /opt/app_protect/config - - name: app-protect-bundles - mountPath: /etc/app_protect/bundles - volumes: - - name: app-protect-bd-config - emptyDir: {} - - name: app-protect-config - emptyDir: {} - - name: app-protect-bundles - persistentVolumeClaim: - claimName: nap5-bundles-pvc + storageClassName: manual + capacity: + storage: 2Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/mnt/nap5_bundles_pv_data" +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nap5-bundles-pvc +spec: + storageClassName: manual + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi + volumeName: nap5-bundles-pv ``` {{% /tab %}} From 6de910a48ddb77d09237dc13d96450afc1f9244f Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 11:53:46 +0000 Subject: [PATCH 18/63] fixed kubernetes --- content/waf/install/kubernetes.md | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 39e81f2890..b57873e849 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -215,17 +215,7 @@ Your folder should contain the following files: - _license.jwt_ (Only necessary when using NGINX Plus) - _Dockerfile_ -To build an image for NGINX Pluse, use the following command, replacing `` as appropriate: - -```shell -sudo docker build --no-cache --platform linux/amd64 \ - --secret id=nginx-crt,src=nginx-repo.crt \ - --secret id=nginx-key,src=nginx-repo.key \ - --secret id=license-jwt,src=license.jwt \ - -t . -``` - -To build an image for NGINX Open Source, use the following command, replacing `` as appropriate: +To build an image, use the following command, replacing as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 \ From 470f1a5f7d0aaae3851f8ed9303608bb13ddadcd Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 12:06:31 +0000 Subject: [PATCH 19/63] ohad fix 1 --- content/waf/install/kubernetes.md | 2 +- content/waf/install/virtual-environment.md | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index b57873e849..24f55efaa7 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -256,7 +256,7 @@ cd nginx-app-protect You will need to edit the `values.yaml` file for a few changes: - Update _appprotect.nginx.image.repository_ and _appprotect.nginx.image.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). -- Update _appprotect.config.nginxJWT_ with your JSON web token +- Update _appprotect.config.nginxJWT_ with your JSON web token (Only necessary when using NGINX Plus) - Update _dockerConfigJson_ to contain the base64 encoded Docker registration credentials You can encode your credentials with the following command: diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 3488841c66..65efd1884c 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -31,6 +31,9 @@ Depending on your deployment type, you may have additional requirements: You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. {{< include "waf/install-selinux-warning.md" >}} +### Additional Requirement for NGINX Plus Users +If you choose to install NGINX automatically with App Protect, make sure to download your JWT license from MyF5 before you begin +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Platform-specific instructions From b0f149681aee8dabc54b25b59e1aedc5dd1e9974 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 12:08:14 +0000 Subject: [PATCH 20/63] chnaged title --- content/waf/install/virtual-environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 65efd1884c..d35cef2ec9 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -31,7 +31,7 @@ Depending on your deployment type, you may have additional requirements: You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. {{< include "waf/install-selinux-warning.md" >}} -### Additional Requirement for NGINX Plus Users +### Required: Download JWT License for NGINX Plus Installation If you choose to install NGINX automatically with App Protect, make sure to download your JWT license from MyF5 before you begin {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} From f1796315c6505d29a1d5c7e1e0cbd4848b24a1b6 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 12:15:51 +0000 Subject: [PATCH 21/63] CHANGED NAME --- content/waf/install/virtual-environment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index d35cef2ec9..8a64fad21a 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -24,7 +24,7 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) -- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during App Protect installation) +- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during F5 WAF for NGINX installation) Depending on your deployment type, you may have additional requirements: @@ -32,7 +32,7 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" {{< include "waf/install-selinux-warning.md" >}} ### Required: Download JWT License for NGINX Plus Installation -If you choose to install NGINX automatically with App Protect, make sure to download your JWT license from MyF5 before you begin +If you choose to install NGINX automatically with F5 WAF for NGINX, make sure to download your JWT license from MyF5 before you begin {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Platform-specific instructions From 35543a36fae694f266a669f5a0b20fc4f536738e Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 1 Dec 2025 12:22:53 +0000 Subject: [PATCH 22/63] need jwt anywasy for opensouce for docker cred --- content/waf/install/kubernetes.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 24f55efaa7..44832a0870 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -39,6 +39,7 @@ To review supported operating systems, read the [Technical specifications]({{< r ### Download your JSON web token To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: +> **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} @@ -212,7 +213,7 @@ Your folder should contain the following files: - _nginx-repo.crt_ - _nginx-repo.key_ -- _license.jwt_ (Only necessary when using NGINX Plus) +- _license.jwt_ - _Dockerfile_ To build an image, use the following command, replacing as appropriate: From 9a717cbe9b8b67d917a8ba110fee3c53b7e5a10f Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 07:18:41 +0000 Subject: [PATCH 23/63] removed todo --- content/waf/install/docker.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 8180f63164..a14bad603f 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -1348,6 +1348,4 @@ F5 WAF for NGINX should now be operational, and you can move onto [Post-installa ## Remove NGINX docker image Before removing any Docker image, it’s important to ensure that the image is no longer needed and is not in use. -[docker image rm](https://docs.docker.com/reference/cli/docker/image/rm/) tool - -TODO +[docker image rm](https://docs.docker.com/reference/cli/docker/image/rm/) tool \ No newline at end of file From 3c27a6098f065e1d8072e4107bf52cd14ebca6cc Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:19:26 +0200 Subject: [PATCH 24/63] Update content/waf/install/docker.md Co-authored-by: Jon Torre <78599298+JTorreG@users.noreply.github.com> --- content/waf/install/docker.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index a14bad603f..945992ae6b 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -819,7 +819,9 @@ sudo dnf install app-protect-module-plus {{< include "waf/install-services-docker.md" >}} #### Download Docker images + [Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images + {{< include "waf/install-services-images.md" >}} #### Create and run a Docker Compose file From 4fd433ac1639476400400a58f37970c468cdaed6 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:19:34 +0200 Subject: [PATCH 25/63] Update content/waf/install/docker.md Co-authored-by: Jon Torre <78599298+JTorreG@users.noreply.github.com> --- content/waf/install/docker.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 945992ae6b..304184394d 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -443,7 +443,9 @@ Once you have updated your configuration files, you can reload NGINX to apply th {{< include "waf/install-services-docker.md" >}} #### Download Docker images + [Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images + {{< include "waf/install-services-images.md" >}} #### Create and run a Docker Compose file From 96b522155a40d7c240e67a859b3d4cf7ca130c7a Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:22:06 +0200 Subject: [PATCH 26/63] Update content/includes/waf/install-build-image.md Co-authored-by: Jon Torre <78599298+JTorreG@users.noreply.github.com> --- content/includes/waf/install-build-image.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index 86a729c984..ef28dca51f 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -24,6 +24,7 @@ A RHEL-based system would use the following command instead: ```shell podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . ``` + To build an image for NGINX Open Source, use the following command, replacing `` as appropriate: ```shell From 8b430732dde743fa37aef0e595c5a77406ca0a49 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:22:29 +0200 Subject: [PATCH 27/63] Update content/includes/waf/install-services-registry.md Co-authored-by: Jon Torre <78599298+JTorreG@users.noreply.github.com> --- content/includes/waf/install-services-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/includes/waf/install-services-registry.md b/content/includes/waf/install-services-registry.md index 2389912d7b..40b9135b4f 100644 --- a/content/includes/waf/install-services-registry.md +++ b/content/includes/waf/install-services-registry.md @@ -5,7 +5,7 @@ nd-files: - content/waf/install/kubernetes.md --- -Docker registry credentials are needed to access private-registry.nginx.com +You will need Docker registry credentials to access private-registry.nginx.com. Create a directory and copy your certificate and key to this directory: From 2860c266bbf6021a4ad9fcac19d45cc0271f7737 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 12:16:37 +0000 Subject: [PATCH 28/63] made changes from suggestions --- content/includes/waf/install-build-image.md | 8 ++- content/waf/install/docker.md | 62 ++++++++++++++++++++- content/waf/install/kubernetes-plm.md | 24 +++++--- content/waf/install/kubernetes.md | 18 ++++-- content/waf/install/virtual-environment.md | 20 +++++-- 5 files changed, 109 insertions(+), 23 deletions(-) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index ef28dca51f..c0ff97ca62 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -11,9 +11,10 @@ Your folder should contain the following files: - _nginx.conf_ - _entrypoint.sh_ - _Dockerfile_ -- _custom_log_format.json_ (Optional) +- _custom_log_format.json_ -To build an image for NGINX Plus, use the following command, replacing `` as appropriate: +#### Building an image with NGINX Plus +To build an image for NGINX Plus, use the following command that are not RHEL-based, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . @@ -25,7 +26,8 @@ A RHEL-based system would use the following command instead: podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . ``` -To build an image for NGINX Open Source, use the following command, replacing `` as appropriate: +#### Building an image with NGINX Open Source +To build an image for NGINX Open Source, use the following command that are not RHEL-based, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 304184394d..0abfbbf832 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -16,9 +16,13 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: +- A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Docker registry credentials are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional Requirement for NGINX Plus Users" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -52,7 +56,15 @@ The steps you should follow on this page are dependent on your configuration typ ## Configure Docker for the F5 Container Registry -{{< include "waf/install-services-registry.md" >}} +You will need Docker registry credentials to access private-registry.nginx.com for either the Multi-container or Hybrid configuration. + +Create a directory and copy your [certificate and key]({{< ref "/waf/install/docker.md#Shared Requirements" >}}) to this directory: + +```shell +mkdir -p /etc/docker/certs.d/private-registry.nginx.com +cp /etc/docker/certs.d/private-registry.nginx.com/client.cert +cp /etc/docker/certs.d/private-registry.nginx.com/client.key +``` You should now move to the section based on your configuration type: @@ -312,7 +324,51 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu ### Build the Docker image -{{< include "waf/install-build-image.md" >}} +Your folder should contain the following files: + +- _nginx-repo.crt_ +- _nginx-repo.key_ +- _license.jwt_ +- _nginx.conf_ +- _entrypoint.sh_ +- _Dockerfile_ +- _custom_log_format.json_ + +To build an image, use the following command for system that are not RHEL-based, replacing `` as appropriate: + +```shell +sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . +``` + +A RHEL-based system would use the following command instead: + +```shell +podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . +``` + +{{< call-out "note" >}} + +The `--no-cache` option is used to ensure the image is built from scratch, installing the latest versions of NGINX Plus and F5 WAF for NGINX. + +{{< /call-out >}} + +Verify that your image has been created using the `docker images` command: + +```shell +docker images +``` + +Create a container based on this image, replacing as appropriate: + +```shell +docker run --name -p 80:80 -d +``` + +Verify the new container is running using the `docker ps` command: + +```shell +docker ps +``` ### Update configuration files diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 1038132a87..c6f6fe48de 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -36,20 +36,30 @@ These enhancements are only available for Helm-based deployments. To complete this guide, you will need the following prerequisites: +- A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Docker registry credentials are needed to access private-registry.nginx.com -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial), which includes the necessary **SSL Certificate** and **Private Key files**. +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- Docker registry credentials in [MyF5](https://my.f5.com/manage/s/) required to access private-registry.nginx.com. (Same as the **JSON Web Token** for NGINX Plus). ## Download your subscription credentials -1. Log in to [MyF5](https://my.f5.com/manage/s/). -1. Go to **My Products & Plans > Subscriptions** to see your active subscriptions. -1. Find your NGINX subscription, and select the **Subscription ID** for details. -1. Download the **SSL Certificate** and **Private Key files** from the subscription page. -1. Download the **JSON Web Token** file from the subscription page. +### General subscription credentials needed for deployments + +{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} + +### Additional subscription credentials needed for a deployments with NGINX Plus + +To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: + +> **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. + +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Prepare environment variables diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 44832a0870..3515c8192b 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -18,11 +18,14 @@ It explains the common steps necessary for any Kubernetes-based deployment, then To complete this guide, you will need the following pre-requisites: -- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) -- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) +- A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/). +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Docker registry credentials are needed to access private-registry.nginx.com +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- Docker registry credentials in [MyF5](https://my.f5.com/manage/s/) is required to access private-registry.nginx.com (Same as the SSL certificate and private key file ). You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. @@ -34,11 +37,14 @@ To review supported operating systems, read the [Technical specifications]({{< r ## Download your subscription credentials +### General subscription credentials needed for deployments + {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -### Download your JSON web token +### Additional subscription credentials needed for a deployments with NGINX Plus + +To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: -To use NGINX Plus, you will need to download the the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal: > **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 8a64fad21a..2abc4887fe 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,16 +23,28 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) + Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/virtual-environment.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during F5 WAF for NGINX installation) +- F5 NGINX App Protect will work by default with the default values (like default policy, logging profile, etc) unless the user sets custom configurations Depending on your deployment type, you may have additional requirements: -You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. +You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) topics for additional set-up configuration if you want to use them immediately. {{< include "waf/install-selinux-warning.md" >}} -### Required: Download JWT License for NGINX Plus Installation -If you choose to install NGINX automatically with F5 WAF for NGINX, make sure to download your JWT license from MyF5 before you begin +## Download your subscription credentials + +### General subscription credentials needed for deployments + +{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} + +### Additional subscription credentials needed for a deployments with NGINX Plus + +To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: + + {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Platform-specific instructions From 23eef4079aeb87a7f024d9158f294b827b125ccd Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 12:58:08 +0000 Subject: [PATCH 29/63] updated compiler doc --- content/waf/configure/compiler.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index 7c5a562529..9319ab8cf9 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -32,8 +32,9 @@ For more information about policies, read the [Configure policies]({{< ref "/waf To complete this guide, you will need the following prerequisites: -- An active F5 WAF for NGINX subscription (Purchased or trial) -- Credentials to the [MyF5 Customer Portal](https://account.f5.com/myf5), provided by email from F5, Inc. +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. +- [Docker registry credentials]({{< ref "/waf/configure/compiler.md#Configure Docker for the F5 Container Registry" >}}) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) ## Download your subscription credentials From f2f2a6f1837783a32ca266e15192e82f9133a291 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 13:41:58 +0000 Subject: [PATCH 30/63] changes to bare metal --- content/waf/install/virtual-environment.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 2abc4887fe..143816562f 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,11 +23,10 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/virtual-environment.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}) optional if not yet installed (NGINX will be installed automatically during F5 WAF for NGINX installation) -- F5 NGINX App Protect will work by default with the default values (like default policy, logging profile, etc) unless the user sets custom configurations +- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 NGINX App Protect subscription from the MyF5 Customer Portal. +- A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. +- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations Depending on your deployment type, you may have additional requirements: From 17e0a477ccbc8c86f39a288581792c726669af43 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 13:48:04 +0000 Subject: [PATCH 31/63] updated docker --- content/waf/install/docker.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 0abfbbf832..5a7ddae5d5 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -17,11 +17,10 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional Requirement for NGINX Plus Users" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional Requirement for NGINX Plus Users" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -30,6 +29,15 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "waf/install-selinux-warning.md" >}} + +## Download your subscription credentials +### General subscription credentials needed for deployments + +{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} + +### Additional Requirement for NGINX Plus Users +{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} + ## Docker deployment options There are three kinds of Docker deployments available: @@ -46,14 +54,6 @@ The single container configuration only supports NGINX Plus and requires a build The steps you should follow on this page are dependent on your configuration type: after the shared steps, links will guide you to the next appropriate section. -## Download your subscription credentials -### Shared Requirements - -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} - -### Additional Requirement for NGINX Plus Users -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} - ## Configure Docker for the F5 Container Registry You will need Docker registry credentials to access private-registry.nginx.com for either the Multi-container or Hybrid configuration. From 70b755ad1cd0ae56a4f4a65244a3a2384367c79b Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 14:04:08 +0000 Subject: [PATCH 32/63] updated jwt sections --- content/waf/install/docker.md | 7 ++++--- content/waf/install/kubernetes-plm.md | 9 ++++----- content/waf/install/kubernetes.md | 9 ++++----- content/waf/install/virtual-environment.md | 2 +- 4 files changed, 13 insertions(+), 14 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 5a7ddae5d5..2f6a413409 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -20,8 +20,8 @@ To complete this guide, you will need the following prerequisites: - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional Requirement for NGINX Plus Users" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. -- [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional Requirement for NGINX Plus Users" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. +- [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -35,7 +35,8 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -### Additional Requirement for NGINX Plus Users +### Additional subscription credentials needed for deployments +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Docker deployment options diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index c6f6fe48de..98b4a1372c 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -41,11 +41,10 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial), which includes the necessary **SSL Certificate** and **Private Key files**. - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- Docker registry credentials in [MyF5](https://my.f5.com/manage/s/) required to access private-registry.nginx.com. (Same as the **JSON Web Token** for NGINX Plus). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com ## Download your subscription credentials @@ -53,9 +52,9 @@ To complete this guide, you will need the following prerequisites: {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -### Additional subscription credentials needed for a deployments with NGINX Plus +### Additional subscription credentials needed for deployments -To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: > **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 3515c8192b..d1e44191aa 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -24,8 +24,8 @@ To complete this guide, you will need the following pre-requisites: - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- Docker registry credentials in [MyF5](https://my.f5.com/manage/s/) is required to access private-registry.nginx.com (Same as the SSL certificate and private key file ). + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. @@ -41,9 +41,8 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -### Additional subscription credentials needed for a deployments with NGINX Plus - -To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +### Additional subscription credentials needed for deployments +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: > **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 143816562f..5350689734 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -39,7 +39,7 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} -### Additional subscription credentials needed for a deployments with NGINX Plus +### Additional subscription credentials needed for deployments To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: From fab1a8d1d9ef86581680b3e0679e3b7d8737936d Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 14:04:57 +0000 Subject: [PATCH 33/63] add info about logger --- content/waf/install/docker.md | 1 + content/waf/install/kubernetes-plm.md | 1 + content/waf/install/kubernetes.md | 1 + 3 files changed, 3 insertions(+) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 2f6a413409..b88f2087a6 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -22,6 +22,7 @@ To complete this guide, you will need the following prerequisites: - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) +- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 98b4a1372c..44544a0077 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -45,6 +45,7 @@ To complete this guide, you will need the following prerequisites: - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com +- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations ## Download your subscription credentials diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index d1e44191aa..f0fbe1df94 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -26,6 +26,7 @@ To complete this guide, you will need the following pre-requisites: - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com +- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. From ec55e408501b8f1686c539b02e267718fce40478 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 14:59:32 +0000 Subject: [PATCH 34/63] alan updates --- content/waf/configure/compiler.md | 2 +- content/waf/install/disconnected-environment.md | 2 +- content/waf/install/docker.md | 4 ++-- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 2 +- content/waf/install/virtual-environment.md | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index 9319ab8cf9..e51bcd7897 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -32,7 +32,7 @@ For more information about policies, read the [Configure policies]({{< ref "/waf To complete this guide, you will need the following prerequisites: -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. - [Docker registry credentials]({{< ref "/waf/configure/compiler.md#Configure Docker for the F5 Container Registry" >}}) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 60794d2eec..697a55b397 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -22,7 +22,7 @@ To complete this guide, you will need the following prerequisites: - [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md#before-you-begin" >}}) - [Docker]({{< ref "/waf/install/docker.md#before-you-begin" >}}) - [Kubernetes]({{< ref "/waf/install/kubernetes.md#before-you-begin" >}}) -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial) +- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - A connected environment with similar architecture - A method to transfer files between two environments diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index b88f2087a6..d9a7734a79 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -18,9 +18,9 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) - F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 44544a0077..da8d5f86db 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -41,7 +41,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index f0fbe1df94..716e0295b6 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -22,7 +22,7 @@ To complete this guide, you will need the following pre-requisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/). - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 5350689734..3a97e57237 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,7 +23,7 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- Active F5 NGINX App Protect WAF subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 NGINX App Protect subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. - F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations From 96cf601c15a0e5c8fc9df93075f3ff0c1bcd276d Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 15:31:04 +0000 Subject: [PATCH 35/63] more suggestions --- content/waf/configure/compiler.md | 2 +- content/waf/install/disconnected-environment.md | 2 +- content/waf/install/docker.md | 8 ++++---- content/waf/install/kubernetes-plm.md | 4 ++-- content/waf/install/kubernetes.md | 4 ++-- content/waf/install/virtual-environment.md | 8 ++++---- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index e51bcd7897..b87c24c807 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -32,7 +32,7 @@ For more information about policies, read the [Configure policies]({{< ref "/waf To complete this guide, you will need the following prerequisites: -- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. - [Docker registry credentials]({{< ref "/waf/configure/compiler.md#Configure Docker for the F5 Container Registry" >}}) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 697a55b397..5cd0b163c4 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -22,7 +22,7 @@ To complete this guide, you will need the following prerequisites: - [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md#before-you-begin" >}}) - [Docker]({{< ref "/waf/install/docker.md#before-you-begin" >}}) - [Kubernetes]({{< ref "/waf/install/kubernetes.md#before-you-begin" >}}) -- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - A connected environment with similar architecture - A method to transfer files between two environments diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index d9a7734a79..babec5f219 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -18,11 +18,11 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) -- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations +- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -37,7 +37,7 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Docker deployment options diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index da8d5f86db..fd645b87ae 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -45,7 +45,7 @@ To complete this guide, you will need the following prerequisites: - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com -- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations +- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations ## Download your subscription credentials @@ -55,7 +55,7 @@ To complete this guide, you will need the following prerequisites: ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: > **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 716e0295b6..c2f0b69ad4 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -26,7 +26,7 @@ To complete this guide, you will need the following pre-requisites: - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com -- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations +- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. @@ -43,7 +43,7 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: > **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 3a97e57237..4bae4ec069 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,10 +23,10 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 NGINX App Protect subscription from the MyF5 Customer Portal. +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). + - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. -- F5 NGINX App Protect will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations +- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations Depending on your deployment type, you may have additional requirements: @@ -41,7 +41,7 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" ### Additional subscription credentials needed for deployments -To use NGINX Plus, you will need to download the the JWT license file associated with your F5 NGINX App Protect WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} From d1d4f27fb55aadbe968ab91a1493459df241c716 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 16:39:31 +0000 Subject: [PATCH 36/63] linted --- content/waf/install/docker.md | 4 +++- content/waf/install/kubernetes.md | 5 ++++- content/waf/install/virtual-environment.md | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index babec5f219..c93770c7c9 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -30,13 +30,14 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "waf/install-selinux-warning.md" >}} - ## Download your subscription credentials + ### General subscription credentials needed for deployments {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} ### Additional subscription credentials needed for deployments + To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} @@ -1408,6 +1409,7 @@ F5 WAF for NGINX should now be operational, and you can move onto [Post-installa {{< include "waf/install-next-steps.md" >}} ## Remove NGINX docker image + Before removing any Docker image, it’s important to ensure that the image is no longer needed and is not in use. [docker image rm](https://docs.docker.com/reference/cli/docker/image/rm/) tool \ No newline at end of file diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index c2f0b69ad4..748107bbda 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -43,9 +43,12 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} ### Additional subscription credentials needed for deployments + To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: -> **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. +{{< call-out "note" >}} +If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. +{{< /call-out >}} {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 4bae4ec069..6f65c587bd 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -33,6 +33,7 @@ Depending on your deployment type, you may have additional requirements: You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) topics for additional set-up configuration if you want to use them immediately. {{< include "waf/install-selinux-warning.md" >}} + ## Download your subscription credentials ### General subscription credentials needed for deployments @@ -43,7 +44,6 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" To use NGINX Plus, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: - {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} ## Platform-specific instructions From eeb0384c4bc695f377f9a64f6a75a817242b089f Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Tue, 2 Dec 2025 16:51:45 +0000 Subject: [PATCH 37/63] updated alan changes --- content/waf/configure/compiler.md | 2 +- content/waf/install/disconnected-environment.md | 2 +- content/waf/install/docker.md | 4 ++-- content/waf/install/kubernetes-plm.md | 6 ++++-- content/waf/install/kubernetes.md | 2 +- content/waf/install/virtual-environment.md | 2 +- 6 files changed, 10 insertions(+), 8 deletions(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index b87c24c807..c493ae9ebf 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -32,7 +32,7 @@ For more information about policies, read the [Configure policies]({{< ref "/waf To complete this guide, you will need the following prerequisites: -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. - [Docker registry credentials]({{< ref "/waf/configure/compiler.md#Configure Docker for the F5 Container Registry" >}}) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 5cd0b163c4..fae92d527f 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -22,7 +22,7 @@ To complete this guide, you will need the following prerequisites: - [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md#before-you-begin" >}}) - [Docker]({{< ref "/waf/install/docker.md#before-you-begin" >}}) - [Kubernetes]({{< ref "/waf/install/kubernetes.md#before-you-begin" >}}) -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - A connected environment with similar architecture - A method to transfer files between two environments diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index c93770c7c9..231146cf1e 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -18,7 +18,7 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) @@ -59,7 +59,7 @@ The steps you should follow on this page are dependent on your configuration typ ## Configure Docker for the F5 Container Registry -You will need Docker registry credentials to access private-registry.nginx.com for either the Multi-container or Hybrid configuration. +You will need Docker registry credentials to access private-registry.nginx.com for the Multi-container or Hybrid deployment options. Create a directory and copy your [certificate and key]({{< ref "/waf/install/docker.md#Shared Requirements" >}}) to this directory: diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index fd645b87ae..993be8e8aa 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -41,7 +41,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com @@ -57,7 +57,9 @@ To complete this guide, you will need the following prerequisites: To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: -> **Note:** If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. +{{< call-out "note" >}} +If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. +{{< /call-out >}} {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 748107bbda..f3197d6a4f 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -22,7 +22,7 @@ To complete this guide, you will need the following pre-requisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/). - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 6f65c587bd..866d338c4e 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,7 +23,7 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (purchased or trial). +- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. - F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations From 83a5393ff96ad3f6ab7209d7946c1a8c9d86e72c Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 14:25:01 +0000 Subject: [PATCH 38/63] fixed spelling --- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 993be8e8aa..880773f70d 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -41,7 +41,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). +- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index f3197d6a4f..938be74d8d 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -22,7 +22,7 @@ To complete this guide, you will need the following pre-requisites: - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/). - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An ctive F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). +- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com From 82b356fee9a9a4f8a5700c19c410164d65c24ea2 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 14:28:40 +0000 Subject: [PATCH 39/63] fixed hyperlinks --- content/waf/install/docker.md | 6 +++--- content/waf/install/kubernetes-plm.md | 6 +++--- content/waf/install/kubernetes.md | 6 +++--- content/waf/install/virtual-environment.md | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 231146cf1e..709f43d47a 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -19,9 +19,9 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file]({{< ref "/waf/install/docker.md#General subscription credentials needed for deployments" >}}), and the [JWT license file]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. -- [Docker registry credentials]({{< ref "/waf/install/docker.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) + - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. + - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license file](#Additional subscription credentials needed for deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. +- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) - F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 880773f70d..64087d312f 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -42,9 +42,9 @@ To complete this guide, you will need the following prerequisites: - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes-plm.md#General subscription credentials needed for deployments" >}}), and the [JWT license]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for a deployments with NGINX Plus" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials]({{< ref "/waf/install/kubernetes-plm.md#Additional subscription credentials needed for deployments " >}}) are needed to access private-registry.nginx.com + - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license](#Additional subscription credentials needed for a deployments with NGINX Plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com - F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations ## Download your subscription credentials diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 938be74d8d..02b747e4c9 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -23,9 +23,9 @@ To complete this guide, you will need the following pre-requisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file]({{< ref "/waf/install/kubernetes.md#General subscription credentials needed for deployments" >}}) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials]({{< ref "/waf/install/kubernetes.md#Additional subscription credentials needed for deployments" >}}) are needed to access private-registry.nginx.com + - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license](#Additional subscription credentials needed for deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com - F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 866d338c4e..9b057c22c9 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -24,7 +24,7 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate, private key, and the JWT license]({{< ref "/waf/install/virtual-environment.md#Download your subscription credentials" >}}) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. + - Download the [SSL certificate, private key, and the JWT license](#Download your subscription credentials) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. - F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations From f494df8059f41aa78f596c4b1091d56a38ef29f4 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 14:45:19 +0000 Subject: [PATCH 40/63] updated note --- content/waf/install/docker.md | 5 ++++- content/waf/install/kubernetes-plm.md | 5 ++++- content/waf/install/kubernetes.md | 5 ++++- content/waf/install/virtual-environment.md | 5 ++++- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 709f43d47a..2783beccda 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -22,7 +22,6 @@ To complete this guide, you will need the following prerequisites: - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license file](#Additional subscription credentials needed for deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) -- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -30,6 +29,10 @@ To review supported operating systems, read the [Technical specifications]({{< r {{< include "waf/install-selinux-warning.md" >}} +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. + ## Download your subscription credentials ### General subscription credentials needed for deployments diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 64087d312f..d2f77fa9c7 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -45,7 +45,10 @@ To complete this guide, you will need the following prerequisites: - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license](#Additional subscription credentials needed for a deployments with NGINX Plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com -- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations + +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. ## Download your subscription credentials diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 02b747e4c9..a158c9565b 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -26,7 +26,6 @@ To complete this guide, you will need the following pre-requisites: - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate, private key, and the JWT license](#Additional subscription credentials needed for deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com -- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. @@ -36,6 +35,10 @@ There is another optional topic to [Add a read-only filesystem for Kubernetes]({ To review supported operating systems, read the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}) topic. +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. + ## Download your subscription credentials ### General subscription credentials needed for deployments diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 9b057c22c9..a415fbc337 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -26,7 +26,6 @@ To complete this guide, you will need the following prerequisites: - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate, private key, and the JWT license](#Download your subscription credentials) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. -- F5 WAF for NGINX will work by default with the default values like default policy, logging profile, etc unless the user sets custom configurations Depending on your deployment type, you may have additional requirements: @@ -34,6 +33,10 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" {{< include "waf/install-selinux-warning.md" >}} +## Default security policy and logging profile + +F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. + ## Download your subscription credentials ### General subscription credentials needed for deployments From 877f63687ff60020b91daf6e703651fd6c8faa9e Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 14:51:45 +0000 Subject: [PATCH 41/63] fixed hyperlinks again --- content/waf/install/docker.md | 6 +++--- content/waf/install/kubernetes-plm.md | 4 ++-- content/waf/install/kubernetes.md | 6 +++--- content/waf/install/virtual-environment.md | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 2783beccda..15a77711e9 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -19,9 +19,9 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license file](#Additional subscription credentials needed for deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. -- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license file](#Additional subscription credentials needed for deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index d2f77fa9c7..20adac9b99 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -42,8 +42,8 @@ To complete this guide, you will need the following prerequisites: - [Helm](https://helm.sh/docs/intro/install/) - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments), and the [JWT license](#Additional subscription credentials needed for a deployments with NGINX Plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license](#Additional subscription credentials needed for a deployments with NGINX Plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com ## Default security policy and logging profile diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index a158c9565b..14e93a6fae 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -23,9 +23,9 @@ To complete this guide, you will need the following pre-requisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#General subscription credentials needed for deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate, private key, and the JWT license](#Additional subscription credentials needed for deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate, private key, and the JWT license](#additional-subscription-credentials-needed-for-deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index a415fbc337..3948b158bb 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -24,7 +24,7 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate, private key, and the JWT license](#Download your subscription credentials) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. + - Download the [SSL certificate, private key, and the JWT license](#download-your-subscription-credentials) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. Depending on your deployment type, you may have additional requirements: From 86a5fad10c24c9a09aa6e0c90de342683b068e8b Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 14:57:35 +0000 Subject: [PATCH 42/63] fixed compiler link --- content/waf/configure/compiler.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index c493ae9ebf..55354f98a5 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -34,7 +34,7 @@ To complete this guide, you will need the following prerequisites: - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. -- [Docker registry credentials]({{< ref "/waf/configure/compiler.md#Configure Docker for the F5 Container Registry" >}}) are needed to access private-registry.nginx.com +- [Docker registry credentials](configure-docker-for-the-f5-container-registry) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) ## Download your subscription credentials From 157b3bb1f7740ec98675e912869c7bc0b945f797 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Wed, 3 Dec 2025 15:00:35 +0000 Subject: [PATCH 43/63] fixed compiler hyperlink again --- content/waf/configure/compiler.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index 55354f98a5..d75d6090ad 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -33,7 +33,7 @@ For more information about policies, read the [Configure policies]({{< ref "/waf To complete this guide, you will need the following prerequisites: - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key]({{< ref "/waf/install/compiler.md#Download your subscription credentials" >}}) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. + - Download the [SSL certificate and private key](download-your-subscription-credentials) associated with your F5 NGINX App Protect WAF subscription from the MyF5 Customer Portal. - [Docker registry credentials](configure-docker-for-the-f5-container-registry) are needed to access private-registry.nginx.com - [Docker](https://docs.docker.com/get-started/get-docker/) From 725f0d447f1be7c85986f6caa60394a05ee1835e Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 4 Dec 2025 10:52:01 +0000 Subject: [PATCH 44/63] updated jwt location --- .../alpine-plus.md | 38 +++++++++++++ .../amazon-plus.md | 39 +++++++++++++ .../debian-plus.md | 52 +++++++++++++++++ .../oracle-plus.md | 40 +++++++++++++ .../rhel8-plus.md | 56 +++++++++++++++++++ .../rhel9-plus.md | 41 ++++++++++++++ .../rocky9-plus.md | 41 ++++++++++++++ .../ubuntu-plus.md | 52 +++++++++++++++++ .../waf/install/disconnected-environment.md | 4 ++ content/waf/install/docker.md | 8 ++- content/waf/install/kubernetes-plm.md | 2 + content/waf/install/kubernetes.md | 20 ++++--- content/waf/install/virtual-environment.md | 10 ++++ 13 files changed, 393 insertions(+), 10 deletions(-) create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md create mode 100644 content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md new file mode 100644 index 0000000000..6fe7111c58 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md @@ -0,0 +1,38 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported OS_VER's are 3.22 +ARG OS_VER="3.22" + +# Base image +FROM alpine:${OS_VER} + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ + wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ + && printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | \ + tee -a /etc/apk/repositories \ + && printf "https://pkgs.nginx.com/app-protect-x-plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | \ + tee -a /etc/apk/repositories \ + && apk update \ + && apk add app-protect-module-plus \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && rm -rf /var/cache/apk/* + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` \ No newline at end of file diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md new file mode 100644 index 0000000000..d4ec7bba2e --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md @@ -0,0 +1,39 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base image +FROM amazonlinux:2023 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + yum -y install wget ca-certificates shadow-utils \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/amzn/2023/\$basearch/" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-plus.repo \ + && yum -y install app-protect-module-plus \ + && yum clean all \ + && rm -rf /var/cache/yum \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md new file mode 100644 index 0000000000..204dfa6336 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md @@ -0,0 +1,52 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported OS_CODENAME's are: bullseye/bookworm +ARG OS_CODENAME=bookworm + +# Base image +FROM debian:${OS_CODENAME} + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + apt-get update \ + && apt-get install -y \ + apt-transport-https \ + lsb-release \ + ca-certificates \ + wget \ + gnupg2 \ + debian-archive-keyring \ + && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | \ + gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-plus.list \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/app-protect-x-plus/debian `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-app-protect.list \ + && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ + && apt-get update \ + && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-module-plus \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md new file mode 100644 index 0000000000..2f8a0ace30 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md @@ -0,0 +1,40 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base image +FROM oraclelinux:8 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install wget ca-certificates yum-utils \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/\$basearch/" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-8-x-plus.repo \ + && dnf clean all \ + && dnf -y install app-protect-module-plus \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md new file mode 100644 index 0000000000..9f05ce79f2 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md @@ -0,0 +1,56 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported UBI_VERSION's are 7/8/9 +ARG UBI_VERSION=8 + +# Base Image +FROM registry.access.redhat.com/ubi${UBI_VERSION}/ubi + +# Define the ARG again after FROM to use it in this stage +ARG UBI_VERSION + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + PKG_MANAGER=dnf; \ + if [ "${UBI_VERSION}" = "7" ]; then \ + PKG_MANAGER=yum; \ + NGINX_PLUS_REPO="nginx-plus-7.4.repo"; \ + elif [ "${UBI_VERSION}" = "9" ]; then \ + NGINX_PLUS_REPO="plus-${UBI_VERSION}.repo"; \ + else \ + NGINX_PLUS_REPO="nginx-plus-${UBI_VERSION}.repo"; \ + fi \ + && $PKG_MANAGER -y install wget ca-certificates \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/${NGINX_PLUS_REPO} \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/${UBI_VERSION}/\$basearch/" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && $PKG_MANAGER clean all \ + && $PKG_MANAGER install -y app-protect-module-plus \ + && $PKG_MANAGER clean all \ + && rm -rf /var/cache/$PKG_MANAGER \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md new file mode 100644 index 0000000000..464ba150e8 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md @@ -0,0 +1,41 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base Image +FROM rockylinux:9 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install wget ca-certificates \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/${NGINX_PLUS_REPO} \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/${UBI_VERSION}/\$basearch/" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && dnf clean all \ + && dnf install -y app-protect-module-plus \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md new file mode 100644 index 0000000000..464ba150e8 --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md @@ -0,0 +1,41 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Base Image +FROM rockylinux:9 + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install wget ca-certificates \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo \ + && wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/${NGINX_PLUS_REPO} \ + && echo "[app-protect-x-plus]" > /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "name=nginx-app-protect repo" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/${UBI_VERSION}/\$basearch/" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientcert=/etc/ssl/nginx/nginx-repo.crt" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "sslclientkey=/etc/ssl/nginx/nginx-repo.key" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "gpgcheck=0" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && echo "enabled=1" >> /etc/yum.repos.d/app-protect-${UBI_VERSION}-x-plus.repo \ + && dnf clean all \ + && dnf install -y app-protect-module-plus \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md new file mode 100644 index 0000000000..89a2e7d8bc --- /dev/null +++ b/content/includes/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md @@ -0,0 +1,52 @@ +--- +nd-files: +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported OS_CODENAME's are: focal/jammy +ARG OS_CODENAME=jammy + +# Base image +FROM ubuntu:${OS_CODENAME} + +# Install NGINX Plus and F5 WAF for NGINX v5 module +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + apt-get update \ + && apt-get install -y \ + apt-transport-https \ + lsb-release \ + ca-certificates \ + wget \ + gnupg2 \ + ubuntu-keyring \ + && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | \ + gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-plus.list \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://pkgs.nginx.com/app-protect-x-plus/ubuntu `lsb_release -cs` nginx-plus\n" | \ + tee /etc/apt/sources.list.d/nginx-app-protect.list \ + && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ + && apt-get update \ + && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-module-plus \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Expose port +EXPOSE 80 + +# Define stop signal +STOPSIGNAL SIGQUIT + +# Set default command +CMD ["nginx", "-g", "daemon off;"] +``` diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index fae92d527f..aa0588d63c 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -89,6 +89,10 @@ yum install --downloadonly --downloaddir=/etc/packages/ app-protect Once you've obtained the package files and transferred them to your disconnected environment, you can directly install them or add them to a local repository. +## Configure license reporting for disconnected environments + +By default, NGINX Plus automatically reports license usage to the F5 licensing endpoint, and additional configuration is not required in connected environments. However, manual configuration becomes necessary in disconnected environments. Use NGINX Instance Manager for usage reporting or use a custom path for the license file. Configuration can be done in the [`mgmt {}`](https://nginx.org/en/docs/ngx_mgmt_module.html) block of the NGINX Plus configuration file (`/etc/nginx/nginx.conf`). For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). + ## Download Docker images After pulling or building Docker images in a connected environment, you can save them to `.tar` files: diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 15a77711e9..72dd6446e5 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -20,7 +20,7 @@ To complete this guide, you will need the following prerequisites: - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license file](#Additional subscription credentials needed for deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license file](#additional-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -44,6 +44,12 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< call-out "important" >}} +The provided Dockerfile for NGINX Plus automatically handles placing the JWT license file in `/etc/nginx/` during image build. If you use a custom Dockerfile, you must ensure the JWT license is copied to this location. +{{< /call-out >}} + +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + ## Docker deployment options There are three kinds of Docker deployments available: diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 20adac9b99..472e09f917 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -66,6 +66,8 @@ If you are deploying with Helm, you will also need the JWT license for the `dock {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + ## Prepare environment variables Set the following environment variables, which point towards your credential files: diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 14e93a6fae..930d720b79 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -23,7 +23,7 @@ To complete this guide, you will need the following pre-requisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Open Source in your deployment. - Download the [SSL certificate, private key, and the JWT license](#additional-subscription-credentials-needed-for-deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com @@ -55,6 +55,8 @@ If you are deploying with Helm, you will also need the JWT license for the `dock {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + ## Create a Dockerfile In the same folder as your credential files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. @@ -87,7 +89,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/alpine-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/alpine-plus.md" >}} {{% /tab %}} @@ -105,7 +107,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/amazon-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/amazon-plus.md" >}} {{% /tab %}} @@ -123,7 +125,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/debian-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/debian-plus.md" >}} {{% /tab %}} @@ -141,7 +143,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/oracle-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/oracle-plus.md" >}} {{% /tab %}} @@ -159,7 +161,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/rhel8-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel8-plus.md" >}} {{% /tab %}} @@ -177,7 +179,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/rhel9-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/rhel9-plus.md" >}} {{% /tab %}} @@ -195,7 +197,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/rocky9-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/rocky9-plus.md" >}} {{% /tab %}} @@ -213,7 +215,7 @@ If you are not using using `custom_log_format.json` or the IP intelligence featu {{% tab name="NGINX Plus" %}} -{{< include "/waf/dockerfiles/ubuntu-plus.md" >}} +{{< include "/waf/dockerfiles/nginx-plus-without-jwt-mount/ubuntu-plus.md" >}} {{% /tab %}} diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 3948b158bb..280b71f90a 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -49,6 +49,8 @@ To use NGINX Plus, you will need to download the the JWT license file associated {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} + ## Platform-specific instructions Navigate to your chosen operating system, which are alphabetically ordered. @@ -215,6 +217,14 @@ sudo apt-get update sudo apt-get install app-protect ``` +## Install NGINX Plus license + +If you have not already copied your NGINX Plus JWT license file to the `/etc/nginx/` directory (for example, if NGINX Plus was installed automatically as a dependency), do so now: + +```shell +sudo cp .jwt /etc/nginx/license.jwt +``` + ## Update configuration files Once you have installed F5 WAF for NGINX, you must load it as a module in the main context of your NGINX configuration. From f107eecc1be07e8899485ac3894e062461937713 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 4 Dec 2025 14:00:43 +0000 Subject: [PATCH 45/63] missing kubctl jwt copy location --- content/waf/install/kubernetes.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 930d720b79..c8711d4eb5 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -57,6 +57,10 @@ If you are deploying with Helm, you will also need the JWT license for the `dock {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} +{{< call-out "note" >}} +When using the provided values.yaml for Helm, setting the `appprotect.config.nginxJWT` value ensures that your JWT license is automatically copied to `/etc/nginx/license.jwt` inside the NGINX container. No additional manual copying of the file is needed when deploying with the provided YAML configuration. +{{< /call-out >}} + ## Create a Dockerfile In the same folder as your credential files, create a _Dockerfile_ based on your [desired operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}) image using an example from the following sections. From 4015395be8b61080b46d0a752b6dbe3c7c25730c Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 4 Dec 2025 14:03:07 +0000 Subject: [PATCH 46/63] fixed hyperlink --- content/waf/install/kubernetes-plm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 472e09f917..7b343a87fa 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -43,7 +43,7 @@ To complete this guide, you will need the following prerequisites: - [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license](#Additional subscription credentials needed for a deployments with NGINX Plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license](#additional-subscription-credentials-needed-for-a-deployments-with-nginx-plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com ## Default security policy and logging profile From 5589dee981f070eb71aa9bacae659cb5197f14d5 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 4 Dec 2025 14:17:04 +0000 Subject: [PATCH 47/63] updated shutout for jwt locations for experimental kubectl --- content/waf/install/kubernetes-plm.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 7b343a87fa..1684468cd4 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -68,6 +68,10 @@ If you are deploying with Helm, you will also need the JWT license for the `dock {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} +{{< call-out "note" >}} +Setting `appprotect.config.nginxJWT` with the `--set` flag in your Helm command automatically copies the JWT license to `/etc/nginx/license.jwt` inside the NGINX container. No manual JWT file copying or mounting is needed. +{{< /call-out >}} + ## Prepare environment variables Set the following environment variables, which point towards your credential files: From 77c2898afbc8ef39e7e4e28a746d7e412b352dc0 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:24:06 +0200 Subject: [PATCH 48/63] Update content/includes/waf/install-build-image.md Co-authored-by: yar --- content/includes/waf/install-build-image.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index c0ff97ca62..5ab4371ce2 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -27,7 +27,7 @@ podman build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=ngi ``` #### Building an image with NGINX Open Source -To build an image for NGINX Open Source, use the following command that are not RHEL-based, replacing `` as appropriate: +To build an image for NGINX Open Source, use the following command that is not RHEL-based, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t . From 7e6ee3650ef3ad213461d579ce05a8d1c6ca8389 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:24:28 +0200 Subject: [PATCH 49/63] Update content/waf/install/virtual-environment.md Co-authored-by: yar --- content/waf/install/virtual-environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 280b71f90a..857525c31b 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -45,7 +45,7 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ### Additional subscription credentials needed for deployments -To use NGINX Plus, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} From 74eaa552342d696fc1ba714da3b89b327877b7f1 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:24:51 +0200 Subject: [PATCH 50/63] Update content/waf/install/kubernetes.md Co-authored-by: yar --- content/waf/install/kubernetes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index c8711d4eb5..269ffeb33c 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -47,7 +47,7 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< call-out "note" >}} If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. From e425645d805f29fad278a1ebaf84e8e70bd1c627 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:25:13 +0200 Subject: [PATCH 51/63] Update content/waf/install/docker.md Co-authored-by: yar --- content/waf/install/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 72dd6446e5..4223532e6c 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -346,7 +346,7 @@ Your folder should contain the following files: - _Dockerfile_ - _custom_log_format.json_ -To build an image, use the following command for system that are not RHEL-based, replacing `` as appropriate: +To build an image, use the following command for a system that is not RHEL-based, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . From 752ce1d7aaade954f9b5a3fa36329d9676226031 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:25:34 +0200 Subject: [PATCH 52/63] Update content/includes/waf/install-build-image.md Co-authored-by: yar --- content/includes/waf/install-build-image.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/includes/waf/install-build-image.md b/content/includes/waf/install-build-image.md index 5ab4371ce2..d7e672e496 100644 --- a/content/includes/waf/install-build-image.md +++ b/content/includes/waf/install-build-image.md @@ -14,7 +14,7 @@ Your folder should contain the following files: - _custom_log_format.json_ #### Building an image with NGINX Plus -To build an image for NGINX Plus, use the following command that are not RHEL-based, replacing `` as appropriate: +To build an image for NGINX Plus, use the following command that is not RHEL-based, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=license.jwt -t . From b962c020b8cd277b83d058d8522c454c5bc44b3a Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:25:51 +0200 Subject: [PATCH 53/63] Update content/waf/install/docker.md Co-authored-by: yar --- content/waf/install/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 4223532e6c..988386dce7 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -41,7 +41,7 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} {{< call-out "important" >}} From ba72204cb0635a80578059bd4fed7451125004a4 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:27:07 +0200 Subject: [PATCH 54/63] Update content/waf/install/docker.md Co-authored-by: yar --- content/waf/install/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 988386dce7..7e8f20309d 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -512,7 +512,7 @@ Once you have updated your configuration files, you can reload NGINX to apply th #### Download Docker images -[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images +[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#configure-docker-for-the-f5-container-registry" >}}) is needed to pull the following container images {{< include "waf/install-services-images.md" >}} From 7c2318b6235c6352f882ffaee900fef3734c30a5 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:27:23 +0200 Subject: [PATCH 55/63] Update content/waf/install/docker.md Co-authored-by: yar --- content/waf/install/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 7e8f20309d..5b0cf6f301 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -890,7 +890,7 @@ sudo dnf install app-protect-module-plus #### Download Docker images -[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#Configure Docker for the F5 Container Registry" >}}) is needed to pull the following container images +[Access to NGINX repo private-registry.nginx.com]({{< ref "/waf/install/docker.md#configure-docker-for-the-f5-container-registry" >}}) is needed to pull the following container images {{< include "waf/install-services-images.md" >}} From ab0b890078ebd781eee5c3dbe296ee6033d13bf4 Mon Sep 17 00:00:00 2001 From: dkleinF5 <135969067+dkleinF5@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:27:39 +0200 Subject: [PATCH 56/63] Update content/waf/install/kubernetes-plm.md Co-authored-by: yar --- content/waf/install/kubernetes-plm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 1684468cd4..9e936266e1 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -58,7 +58,7 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ### Additional subscription credentials needed for deployments -To use NGINX Plus and access private-registry.nginx.com, you will need to download the the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: {{< call-out "note" >}} If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. From 83965e4749ffea2e5ce3fafd52e7c130803e4a1f Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Sun, 7 Dec 2025 08:34:34 +0000 Subject: [PATCH 57/63] removed extra the and fixed hyperlinks --- content/waf/install/docker.md | 2 +- content/waf/install/kubernetes-plm.md | 4 ++-- content/waf/policies/bot-signatures.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 5b0cf6f301..bfc99011c9 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -70,7 +70,7 @@ The steps you should follow on this page are dependent on your configuration typ You will need Docker registry credentials to access private-registry.nginx.com for the Multi-container or Hybrid deployment options. -Create a directory and copy your [certificate and key]({{< ref "/waf/install/docker.md#Shared Requirements" >}}) to this directory: +Create a directory and copy your certificate and key to this directory: ```shell mkdir -p /etc/docker/certs.d/private-registry.nginx.com diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 9e936266e1..2bf1ec54fd 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -44,7 +44,7 @@ To complete this guide, you will need the following prerequisites: - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license](#additional-subscription-credentials-needed-for-a-deployments-with-nginx-plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials](#Additional subscription credentials needed for deployments) are needed to access private-registry.nginx.com +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com ## Default security policy and logging profile @@ -1018,7 +1018,7 @@ cd nginx-app-protect kubectl apply -f crds/ ``` -Finish the the process by using `helm upgrade`: +Finish the process by using `helm upgrade`: ```shell helm upgrade . \ diff --git a/content/waf/policies/bot-signatures.md b/content/waf/policies/bot-signatures.md index f661990c90..9662817e84 100644 --- a/content/waf/policies/bot-signatures.md +++ b/content/waf/policies/bot-signatures.md @@ -18,7 +18,7 @@ This feature is enabled by default with the `bot-defense` parameter, and include ## Bot signatures -Bot signature detection works by inspecting the the User-Agent header and URI of a request. +Bot signature detection works by inspecting the User-Agent header and URI of a request. Each detected bot signature belongs to a bot class: search engine signatures such as `googlebot` are under the trusted_bots class, but F5 WAF for NGINX performs additional checks to authenticate a trusted bot. From cd4545be3861d9255625b97b57afc05972b42fc7 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 8 Dec 2025 07:17:00 +0000 Subject: [PATCH 58/63] temp --- content/waf/install/docker.md | 6 ++---- content/waf/install/kubernetes.md | 10 ++++------ 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index bfc99011c9..d82e15f840 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -17,16 +17,14 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. +- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running TODO add reason for it. - An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX WAF subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license file](#additional-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. - [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. -To review supported operating systems, read the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}) topic. - {{< include "waf/install-selinux-warning.md" >}} ## Default security policy and logging profile diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 269ffeb33c..f2dbc39cea 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -19,11 +19,11 @@ It explains the common steps necessary for any Kubernetes-based deployment, then To complete this guide, you will need the following pre-requisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/). -- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. -- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) TODO add reason for it. +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster TODO add reason for it.. +- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running TODO add reason for it. - An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Open Source in your deployment. + - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your f5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you plan of using NGINX Open Source in your deployment. - Download the [SSL certificate, private key, and the JWT license](#additional-subscription-credentials-needed-for-deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. - [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com @@ -33,8 +33,6 @@ You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" There is another optional topic to [Add a read-only filesystem for Kubernetes]({{< ref "/waf/configure/kubernetes-read-only.md" >}}) -To review supported operating systems, read the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}) topic. - ## Default security policy and logging profile F5 WAF for NGINX uses built-in default security policy and logging profile after installation. To use custom policies or logging profiles, update your NGINX configuration file accordingly. From 25ceff39f05b54ca66f258820b09b96806767c8f Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 8 Dec 2025 09:50:19 +0000 Subject: [PATCH 59/63] added aviv suggestions --- .../download-jwt-ssl-key-from-myf5.md | 12 +++++++++ content/waf/configure/secure-mtls.md | 5 ++-- .../waf/install/disconnected-environment.md | 2 +- content/waf/install/docker.md | 20 ++++++-------- content/waf/install/kubernetes-plm.md | 26 +++++++----------- content/waf/install/kubernetes.md | 27 +++++++------------ content/waf/install/virtual-environment.md | 11 ++------ content/waf/policies/ip-intelligence.md | 4 +-- 8 files changed, 47 insertions(+), 60 deletions(-) create mode 100644 content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md diff --git a/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md b/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md new file mode 100644 index 0000000000..9f54304a3a --- /dev/null +++ b/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md @@ -0,0 +1,12 @@ +--- +nd-files: +- content/includes/use-cases/credential-download-instructions.md +- content/waf/configure/compiler.md +- content/waf/install/docker.md +- content/waf/install/kubernetes.md +--- + +1. Log in to [MyF5](https://my.f5.com/manage/s/). +1. Go to **My Products & Plans > Subscriptions** to see your active subscriptions. +1. Find your NGINX subscription, and select the **Subscription ID** for details. +1. Download the **SSL Certificate**, **Private Key** and **JSON Web Token** files from the subscription page. \ No newline at end of file diff --git a/content/waf/configure/secure-mtls.md b/content/waf/configure/secure-mtls.md index 9b0c37da06..389a16da61 100644 --- a/content/waf/configure/secure-mtls.md +++ b/content/waf/configure/secure-mtls.md @@ -155,7 +155,7 @@ With a [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment {{< /call-out >}} -## Modify Docker compose file +## Modify Docker Compose file {{< call-out "warning" >}} @@ -224,5 +224,4 @@ services: app_protect_bd_config: app_protect_config: app_protect_etc_config: -``` - +``` \ No newline at end of file diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index aa0588d63c..db60115e24 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -113,4 +113,4 @@ docker load -i waf-config-mgr.tar docker load -i waf-ip-intelligence.tar ``` -Ensure your Docker compose files use the tagged images you've transferred. \ No newline at end of file +Ensure your Docker Compose files use the tagged images you've transferred. \ No newline at end of file diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index d82e15f840..9233ad5c5f 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -17,11 +17,10 @@ This page describes how to install F5 WAF for NGINX using Docker. To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running TODO add reason for it. -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Open Source in your deployment. - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license file](#additional-subscription-credentials-needed-for-deployments) associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal if you are using NGINX Plus in your deployment. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com (For Multi-container and Hybrid configuration) +- [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running. +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. JWT license is not needed when using NGINX Open Source. +- Access to private-registry.nginx.com using [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for pulling images need for deployment when using Multi-container and Hybrid configuration. +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images for Multi-container and Hybrid configurations. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -33,14 +32,11 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ## Download your subscription credentials -### General subscription credentials needed for deployments - -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} - -### Additional subscription credentials needed for deployments +{{< call-out "note" >}} +If you are using NGINX Open Source for your Multi-container or Hybrid configuration, you do not need the JWT license file. +{{< /call-out >}} -To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} {{< call-out "important" >}} The provided Dockerfile for NGINX Plus automatically handles placing the JWT license file in `/etc/nginx/` during image build. If you use a custom Dockerfile, you must ensure the JWT license is copied to this location. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 2bf1ec54fd..27d127a2af 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -37,14 +37,12 @@ These enhancements are only available for Helm-based deployments. To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) -- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster -- [Helm](https://helm.sh/docs/intro/install/) -- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running. -- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your 5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you do not plan of using NGINX Plus in your deployment. - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments), and the [JWT license](#additional-subscription-credentials-needed-for-a-deployments-with-nginx-plus) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) (installed and running). +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. +- [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running, for pulling and managing container images. +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images +- [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. ## Default security policy and logging profile @@ -52,13 +50,9 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ## Download your subscription credentials -### General subscription credentials needed for deployments - -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} - -### Additional subscription credentials needed for deployments - -To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +{{< call-out "note" >}} +To access private-registry.nginx.com, you will need to download the JWT license file even when using NGINX Open Source as a base image. +{{< /call-out >}} {{< call-out "note" >}} If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. @@ -69,7 +63,7 @@ If you are deploying with Helm, you will also need the JWT license for the `dock {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} {{< call-out "note" >}} -Setting `appprotect.config.nginxJWT` with the `--set` flag in your Helm command automatically copies the JWT license to `/etc/nginx/license.jwt` inside the NGINX container. No manual JWT file copying or mounting is needed. +When using the provided values.yaml for Helm, setting the `appprotect.config.nginxJWT` value ensures that your JWT license is automatically copied to `/etc/nginx/license.jwt` inside the NGINX container. No additional manual copying of the file is needed when deploying with the provided YAML configuration. {{< /call-out >}} ## Prepare environment variables diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index f2dbc39cea..9ee2e274ae 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -19,15 +19,12 @@ It explains the common steps necessary for any Kubernetes-based deployment, then To complete this guide, you will need the following pre-requisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) TODO add reason for it. -- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster TODO add reason for it.. -- [Docker](https://docs.docker.com/engine/install/) (with Docker compose) installed and running TODO add reason for it. -- An active F5 WAF for NGINX subscription in [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate and private key file](#general-subscription-credentials-needed-for-deployments) associated with your f5 NGINX App Protect WAF subscription from the MyF5 Customer Portal if you plan of using NGINX Open Source in your deployment. - - Download the [SSL certificate, private key, and the JWT license](#additional-subscription-credentials-needed-for-deployments) file associated with your NGINX Plus subscription from the MyF5 Customer Portal if you plan of using NGINX Plus in your deployment. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) are needed to access private-registry.nginx.com - -You will need [Helm](https://helm.sh/docs/intro/install/) installed for a Helm-based deployment. +- [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) (installed and running). +- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. +- [Access credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com for pulling deployment images. +- [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. @@ -39,13 +36,9 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ## Download your subscription credentials -### General subscription credentials needed for deployments - -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} - -### Additional subscription credentials needed for deployments - -To use NGINX Plus and access private-registry.nginx.com, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: +{{< call-out "note" >}} +To access private-registry.nginx.com, you will need to download the JWT license file even when using NGINX Open Source as a base image. +{{< /call-out >}} {{< call-out "note" >}} If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. @@ -272,7 +265,7 @@ cd nginx-app-protect You will need to edit the `values.yaml` file for a few changes: -- Update _appprotect.nginx.image.repository_ and _appprotect.nginx.image.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). +- Update _appprotect.nginx.image.repository_ and _appprotect.nginx.image.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). - Update _appprotect.config.nginxJWT_ with your JSON web token (Only necessary when using NGINX Plus) - Update _dockerConfigJson_ to contain the base64 encoded Docker registration credentials diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 857525c31b..cc2f9cce1e 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -23,8 +23,7 @@ This page describes how to install F5 WAF for NGINX in a virtual machine or bare To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). -- An active F5 WAF for NGINX subscription. Available from [MyF5](https://my.f5.com/manage/s/) (Purchased or trial). - - Download the [SSL certificate, private key, and the JWT license](#download-your-subscription-credentials) file associated with your F5 WAF for NGINX subscription from the MyF5 Customer Portal. +- Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. - A working [NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}). If NGINX Plus is not installed separately it will be installed automatically during F5 WAF for NGINX installation. Depending on your deployment type, you may have additional requirements: @@ -39,15 +38,9 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ## Download your subscription credentials -### General subscription credentials needed for deployments - -{{< include "licensing-and-reporting/download-certificates-from-myf5.md" >}} - -### Additional subscription credentials needed for deployments - To use NGINX Plus, you will need to download the JWT license file associated with your F5 WAF for NGINX WAF subscription from the [MyF5](https://my.f5.com/manage/s/) Customer Portal: -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} diff --git a/content/waf/policies/ip-intelligence.md b/content/waf/policies/ip-intelligence.md index 566f37711a..a020023b7e 100644 --- a/content/waf/policies/ip-intelligence.md +++ b/content/waf/policies/ip-intelligence.md @@ -76,7 +76,7 @@ tail -f iprepd.log Once complete, you can now [Configure policies for IP intelligence](#configure-policies-for-ip-intelligence). -### Modify Docker compose file +### Modify Docker Compose file {{< call-out "warning" >}} @@ -84,7 +84,7 @@ This section **only** applies to installations using Docker. {{< /call-out >}} -IP intelligence has its own Docker container, which can be added to an existing Docker compose file for deployment. +IP intelligence has its own Docker container, which can be added to an existing Docker Compose file for deployment. First, create the required directory: From cebdcbc77dc0c758325858758409eaa8b48e5e18 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 8 Dec 2025 10:07:21 +0000 Subject: [PATCH 60/63] updated hyperlinks --- .../licensing-and-reporting/download-jwt-ssl-key-from-myf5.md | 4 ++-- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md b/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md index 9f54304a3a..02fede65a8 100644 --- a/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md +++ b/content/includes/licensing-and-reporting/download-jwt-ssl-key-from-myf5.md @@ -1,9 +1,9 @@ --- nd-files: -- content/includes/use-cases/credential-download-instructions.md -- content/waf/configure/compiler.md - content/waf/install/docker.md - content/waf/install/kubernetes.md +- content/waf/install/kubernetes-plm.md +- content/waf/install/virtual-environment.md --- 1. Log in to [MyF5](https://my.f5.com/manage/s/). diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 27d127a2af..0164ea059d 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -58,7 +58,7 @@ To access private-registry.nginx.com, you will need to download the JWT license If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. {{< /call-out >}} -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 9ee2e274ae..243d4b3bb8 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -44,7 +44,7 @@ To access private-registry.nginx.com, you will need to download the JWT license If you are deploying with Helm, you will also need the JWT license for the `dockerConfigJson`. {{< /call-out >}} -{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}} +{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} {{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} From 5139373387c9610059b2b17b497ee9af20c29c3a Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 8 Dec 2025 10:21:24 +0000 Subject: [PATCH 61/63] updated hyperlinks --- content/waf/install/docker.md | 3 +-- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 9233ad5c5f..382cf6ecda 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -19,8 +19,7 @@ To complete this guide, you will need the following prerequisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running. - Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. JWT license is not needed when using NGINX Open Source. -- Access to private-registry.nginx.com using [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for pulling images need for deployment when using Multi-container and Hybrid configuration. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images for Multi-container and Hybrid configurations. +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images for Multi-container and Hybrid configurations. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 0164ea059d..49f9263b4c 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -41,7 +41,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running, for pulling and managing container images. - Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images - [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. ## Default security policy and logging profile diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 243d4b3bb8..5ede120074 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -23,7 +23,7 @@ To complete this guide, you will need the following pre-requisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images - Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. -- [Access credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com for pulling deployment images. +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images - [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. From cc0a686dfbbb9e7f986b686f3ff84925150b5a7b Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Thu, 11 Dec 2025 14:46:57 +0000 Subject: [PATCH 62/63] missing periods --- content/waf/install/kubernetes-plm.md | 2 +- content/waf/install/kubernetes.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index 49f9263b4c..ced81e0a16 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -41,7 +41,7 @@ To complete this guide, you will need the following prerequisites: - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. - [Docker](https://docs.docker.com/engine/install/) (with Docker Compose) installed and running, for pulling and managing container images. - Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. -- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images. - [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. ## Default security policy and logging profile diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 5ede120074..fa212f516e 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -21,14 +21,14 @@ To complete this guide, you will need the following pre-requisites: - A [supported operating system]({{< ref "/waf/fundamentals/technical-specifications.md#supported-operating-systems" >}}). - [A functional Kubernetes cluster](https://kubernetes.io/docs/setup/) (installed and running). - [kubectl CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) configured and connected to your cluster. -- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images +- [Docker registry credentials](#additional-subscription-credentials-needed-for-deployments) for private-registry.nginx.com, required to pull images. - Ensure you have an active F5 WAF for NGINX subscription (purchased or trial) and have downloaded the associated [SSL certificate, private key, and JWT license](#download-your-subscription-credentials) file from the MyF5 Customer Portal. -- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images +- [Docker registry credentials](#download-your-subscription-credentials) for private-registry.nginx.com, required to pull images. - [Helm](https://helm.sh/docs/intro/install/) installed, required for deployment. You should read the [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) and [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}}) topics for additional set-up configuration if you want to use them immediately. -There is another optional topic to [Add a read-only filesystem for Kubernetes]({{< ref "/waf/configure/kubernetes-read-only.md" >}}) +There is another optional topic to [Add a read-only filesystem for Kubernetes]({{< ref "/waf/configure/kubernetes-read-only.md" >}}). ## Default security policy and logging profile From 8ad5ae9151b24549634a3e3cc56d36cb9f5da9c7 Mon Sep 17 00:00:00 2001 From: Daniel Klein Date: Mon, 15 Dec 2025 13:46:22 +0000 Subject: [PATCH 63/63] updated subscriptions --- content/waf/install/docker.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 382cf6ecda..d25682a7c2 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -31,18 +31,20 @@ F5 WAF for NGINX uses built-in default security policy and logging profile after ## Download your subscription credentials -{{< call-out "note" >}} -If you are using NGINX Open Source for your Multi-container or Hybrid configuration, you do not need the JWT license file. -{{< /call-out >}} +To download the necessary files for deploying F5 WAF for NGINX, follow these steps: -{{< include "licensing-and-reporting/download-jwt-ssl-key-from-myf5.md" >}} +1. Log in to [MyF5](https://my.f5.com/manage/s/). +2. Go to **My Products & Plans > Subscriptions** to see your active subscriptions. +3. Find your NGINX subscription, and select the **Subscription ID** for details. +4. Download the following files: + - **SSL Certificate** + - **Private Key** + - **JSON Web Token (JWT)** (required for NGINX Plus but not necessary for NGINX Open Source users) {{< call-out "important" >}} The provided Dockerfile for NGINX Plus automatically handles placing the JWT license file in `/etc/nginx/` during image build. If you use a custom Dockerfile, you must ensure the JWT license is copied to this location. {{< /call-out >}} -{{< call-out "note" >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), a JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /call-out >}} - ## Docker deployment options There are three kinds of Docker deployments available: