F5 WAF for NGINX + DoS AMIs on Amazon EC2
NGINX, Inc. participates in the Amazon Web Services (AWS) Partner Network as a Standard Technology Partner. We offer Amazon Machine Images (AMIs) for use in the Amazon Elastic Compute Cloud (EC2), available at the AWS Marketplace for several operating systems, including Amazon Linux, Red Hat Enterprise Linux, and Ubuntu.
The AMIs contain a combination of the following components:
- Latest version of F5 NGINX Plus, optimized for use on Amazon EC2
- Latest version of F5 DoS for NGINX, optimized for use on Amazon EC2
- Latest version of F5 WAF for NGINX, optimized for use on Amazon EC2
- Pre-packaged software for building highly available (HA) NGINX Plus configurations
To quickly set up an environment with NGINX Plus, F5 WAF for NGINX and F5 DoS for NGINX on AWS:
- Follow the instructions in Getting Started with Amazon EC2 Linux Instances to sign up on AWS and get more information about EC2 itself.
- Proceed to the product page for the appropriate AMI at the AWS Marketplace, and launch the AMI.
  - NGINX Plus with F5 DoS for NGINX – Ubuntu 20.04 Linux AMI HVM
  - NGINX Plus with F5 DoS for NGINX – Ubuntu 22.04 Linux AMI HVM
  - NGINX Plus with F5 WAF for NGINX + DoS – RHEL 7 Linux AMI HVM
  - NGINX Plus with F5 WAF for NGINX + DoS – RHEL 8 Linux AMI HVM
  - NGINX Plus with F5 WAF for NGINX + DoS – CentOS 7 Linux AMI HVM
  - NGINX Plus with F5 WAF for NGINX + DoS – Debian 11 Linux AMI HVM
  - NGINX Plus with F5 WAF for NGINX + DoS – Ubuntu 20.04 Linux AMI HVM
  Click the Continue to Subscribe button to proceed to the Launch on EC2 page.
- Select the type of launch by clicking the appropriate tab (1‑Click Launch, Manual Launch, or Service Catalog). Choose the desired options for billing, instance size, and so on, and click the Accept Software Terms… button.
- When configuring the firewall rules, add a rule to accept web traffic on TCP ports 80 and 443 (this happens automatically if you launch from the 1-Click Launch tab).
- As soon as the new EC2 instance launches, NGINX Plus starts automatically and serves a default index.html page. To view the page, use a web browser to access the public DNS name of the new instance. You can also check the status of the NGINX Plus server by logging into the EC2 instance and running this command:
      /etc/init.d/nginx status
  See NGINX Plus on the AWS Cloud deployment guide for details.
- Verify that the latest NGINX Plus / F5 DoS for NGINX / F5 WAF for NGINX packages are installed on the EC2 instance after its first start:
  Verify that the latest F5 WAF for NGINX release from https://docs.nginx.com/nginx-app-protect-waf/releases/ is installed by comparing it with the installed version reported by the following command on the EC2 machine:
      cat /opt/app_protect/VERSION /opt/app_protect/RELEASE
  Verify that the latest NGINX DoS release from https://docs.nginx.com/nginx-app-protect-dos/releases/ is installed by comparing it with the installed version reported by the following command on the EC2 machine:
      admd -v
  Verify that the latest NGINX Plus release from https://docs.nginx.com/nginx/releases/ is installed by comparing it with the installed version reported by the following command on the EC2 machine:
      nginx -v
  If the NGINX Plus / F5 DoS for NGINX / F5 WAF for NGINX packages are not the latest release, upgrade them with these commands:
  For the App Protect DoS solution based on RedHat / CentOS:
      sudo service nginx stop
      sudo yum install app-protect-dos
      sudo systemctl start nginx
  For the App Protect DoS solution based on Debian / Ubuntu:
      sudo service nginx stop
      sudo apt-get update
      sudo apt-get install app-protect-dos
      sudo service nginx start
  For the App Protect WAF solution based on RedHat / CentOS:
      sudo service nginx stop
      sudo yum install app-protect
      sudo systemctl start nginx
  For the App Protect WAF solution based on Debian / Ubuntu:
      sudo service nginx stop
      sudo apt-get update
      sudo apt-get install app-protect
      sudo service nginx start
- If AMI includes F5 WAF for NGINX
  To enable F5 WAF for NGINX use the following steps:
  a. Load the F5 WAF for NGINX module on the main context in the nginx.conf file:
      load_module modules/ngx_http_app_protect_module.so;
  b. Enable F5 WAF for NGINX on an http/server/location context in the nginx.conf file:
      app_protect_enable on;
  c. Restart the NGINX service:
      sudo systemctl restart nginx
  For more configuration information follow F5 WAF for NGINX Configuration Guide.
- If AMI includes F5 DoS for NGINX
  To enable F5 DoS for NGINX use the following steps:
  a. Load the F5 DoS for NGINX module on the main context in the nginx.conf file:
      load_module modules/ngx_http_app_protect_dos_module.so;
  b. Enable F5 DoS for NGINX on an http/server/location context in the nginx.conf file:
      app_protect_dos_enable on;
      app_protect_dos_name "App1";
      app_protect_dos_policy_file "/etc/app_protect_dos/BADOSDefaultPolicy.json";
      app_protect_dos_monitor uri=serv:80/; # Assuming server_name "serv" on port 80, with the root path "/"
  c. Enable the L4 accelerated mitigation feature (for Debian 11/Ubuntu 20.04/RHEL 8) in the http context of the nginx.conf file:
      app_protect_dos_accelerated_mitigation on;
  d. Restart the NGINX service:
      sudo systemctl restart nginx
  For more configuration information follow F5 DoS for NGINX Directives and Policy.
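A check for the silent failure mode in the two enablement procedures above, where a module is loaded but its enable directive is missing or commented out, so NGINX starts normally with no protection active. This is an added example, not code from F5 or the NGINX documentation; the function names and the sample configuration are constructed, and it assumes one directive per line.

```bash
# Added example (not F5/NGINX code); function names are hypothetical.
# Assumes one directive per line; '#' always starts a comment here.

# Print the brace depth (0 = main context) of each active line matching $2.
directive_depths() {
  awk -v pat="$2" '
    { line = $0; sub(/#.*/, "", line) }        # skip commented-out text
    line ~ pat { print depth + 0 }
    { depth += gsub(/[{]/, "", line) - gsub(/[}]/, "", line) }
  ' "$1"
}

# audit_module CONF MODULE.so ENABLE_DIRECTIVE
# Prints a verdict; returns 0 only if the module is loaded in the main
# context and the enable directive is "on" inside a block.
audit_module() {
  loads=$(directive_depths "$1" "^[ \t]*load_module[ \t]+modules/$2[ \t]*;")
  enables=$(directive_depths "$1" "^[ \t]*$3[ \t]+on[ \t]*;")
  if [ -z "$loads" ]; then echo "$2: not loaded"; return 1; fi
  if echo "$loads" | grep -qv '^0$'; then
    echo "$2: load_module outside main context"; return 1
  fi
  if [ -z "$enables" ]; then echo "$3: not switched on"; return 1; fi
  if echo "$enables" | grep -q '^0$'; then
    echo "$3: outside http/server/location"; return 1
  fi
  echo "$3: on"
}

# Constructed sample: WAF enabled, DoS module loaded but left commented out.
sample_conf() {
  cat <<'EOF'
load_module modules/ngx_http_app_protect_module.so;
load_module modules/ngx_http_app_protect_dos_module.so;
events {}
http {
    server {
        app_protect_enable on;
        # app_protect_dos_enable on;
    }
}
EOF
}

conf=$(mktemp) && sample_conf > "$conf"
audit_module "$conf" ngx_http_app_protect_module.so app_protect_enable || true
audit_module "$conf" ngx_http_app_protect_dos_module.so app_protect_dos_enable || true
rm -f "$conf"
```

Files pulled in with `include` are not followed, so run the check against each file that carries the directives.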
If you encounter any problems with NGINX Plus configuration, documentation is available at nginx.org and in the NGINX Plus Admin Guide.
If you encounter any problems with F5 DoS for NGINX configuration, documentation is available at the F5 DoS for NGINX Troubleshooting Guide.
If you encounter any problems with F5 WAF for NGINX configuration, documentation is available at the F5 WAF for NGINX Troubleshooting Guide.
Customers who purchase an NGINX Plus AMI at the AWS Marketplace are eligible for the AWS support provided by the NGINX, Inc. engineering team. To activate support, submit the AMI Support Activation form (you need your AWS account number). When you request support, we’ll ask you to provide the AWS account number that you registered, along with the IDs of your EC2 instances in some cases.