Edit WAF configuration

After you’ve added a WAF configuration to your instances, edit your NGINX configuration files to apply the required F5 WAF for NGINX directives. This step ensures that protection is enabled and that your configuration references the correct policy and log profile bundles. You can complete this task using the F5 NGINX Instance Manager web interface or REST API.

Example configuration

Add the F5 WAF for NGINX directives in the appropriate context (http, server, or location). The following example shows a typical configuration:

nginx
server {
  ...

  location / {
    # Enable F5 WAF for NGINX
    app_protect_enable on;

    # Reference a custom security policy bundle
    app_protect_policy_file /etc/nms/ignore-xss.tgz;

    # Enable security logging
    app_protect_security_log_enable on;

    # Reference the log profile bundle
    app_protect_security_log /etc/nms/log-default.tgz /var/log/nginx/security-violations.log;

    ...
  }
}

If you’re using NGINX Instance Manager with Security Monitoring, your configuration may already include the following directive:

app_protect_security_log "/etc/nms/secops_dashboard.tgz" syslog:server=127.0.0.1:514;

Don’t change this value. For details, see the Security Monitoring setup guide.

If you’re running F5 WAF for NGINX with Docker Compose, note the following:

  • Add the app_protect_enforcer_address directive to the http context:

    app_protect_enforcer_address 127.0.0.1:50000;
  • JSON policies and log profiles aren’t supported. You must precompile and publish them using NGINX Instance Manager. Make sure the precompiled_publication setting in the NGINX Agent configuration is set to true.
    See the F5 WAF for NGINX configuration guide for details.

Use the web interface or API

  1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in. Then, select Instance Manager from the Launchpad menu.

  2. In the left menu, select Instances or Instance Groups.

  3. From the Actions menu, select Edit Config for the instance or group.

  4. If you’re using precompiled publication, change any .json file extensions to .tgz.

  5. To apply a default policy, select Apply Security, then copy the policy snippet and paste it into your configuration.

  6. Add the directives inside an http, server, or location block.

  7. Select Publish to push the configuration.

Use tools such as curl or Postman to send requests to the NGINX Instance Manager REST API. The API base URL is https://<NIM-FQDN>/api/[nim|platform]/<API_VERSION>.
All requests require authentication. For details on authentication methods, see the API overview.

You can use the NGINX Instance Manager REST API to deploy your F5 WAF for NGINX configuration.

Method  Endpoint
GET     /api/platform/v1/systems/{systemUID}/instances
POST    /api/platform/v1/security/{systemUID}/instances/{nginxUID}/config

Important:
Before deploying a configuration to an instance group, make sure all instances in the group run the same version of F5 WAF for NGINX. Otherwise, deployment may fail.

  1. Send a GET request to list all instances. The response includes the unique identifier (UID) of the instance you want to update.

    shell
    curl -X GET https://{{NMS_FQDN}}/api/platform/v1/systems/{systemUID}/instances \
     -H "Authorization: Bearer <access token>"
  2. Add the F5 WAF for NGINX configuration to your NGINX config file (nginx.conf or another file in a valid config_dirs path):

    • At a minimum, add the following directive:

      app_protect_enable on;
    • If precompiled publication is enabled, change any .json policy references to .tgz.

    • To apply a default policy, use:

      app_protect_policy_file /etc/nms/NginxDefaultPolicy.tgz;

      or

      app_protect_policy_file /etc/nms/NginxStrictPolicy.tgz;
    • Add the directives to an http, server, or location context.

  3. Encode the updated NGINX configuration file using base64.

    base64 -i /etc/nginx/nginx.conf
  4. Send a POST request to deploy the configuration. Replace <base64-encoded-content> with your encoded config.

    shell
    curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/{systemUID}/instances/{nginxUID}/config \
    -H "Authorization: Bearer <access token>" \
    --header "Content-Type: application/json" \
    -d '{
    "configFiles": {
      "rootDir": "/etc/nginx",
      "files": [
        {
          "name": "nginx.conf",
          "contents": "<base64-encoded-content>"
        }
      ]
    },
    "validateConfig": true
    }'
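
The checks in step 2 and the encoding in step 3 can be scripted before you send the POST request in step 4. The following is an added example, not part of the NGINX Instance Manager documentation; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check and payload builder for steps 2-4.
# Function names are hypothetical; the sample config is constructed.

# Constructed sample config, used only to exercise the functions.
sample_conf() {
  cat <<'EOF'
http {
  server {
    location / {
      app_protect_enable on;
      app_protect_policy_file /etc/nms/NginxDefaultPolicy.tgz;
    }
  }
}
EOF
}

# Return 0 if the WAF is enabled and no bundle is referenced as .json;
# 1 if "app_protect_enable on;" is missing, 2 if a .json reference remains.
check_waf_conf() {
  # Drop comments so a commented-out directive does not count as active.
  active=$(sed 's/#.*//' "$1")
  printf '%s\n' "$active" |
    grep -Eq '^[[:space:]]*app_protect_enable[[:space:]]+on[[:space:]]*;' || {
      echo "missing: app_protect_enable on;" >&2; return 1; }
  if printf '%s\n' "$active" | grep -Eq \
    'app_protect_(policy_file|security_log)[[:space:]].*\.json("|[[:space:]]|;)'
  then
    echo "found .json bundle reference; use .tgz" >&2; return 2
  fi
  return 0
}

# Print the JSON body for the POST in step 4. GNU base64 wraps output at 76
# columns, and a raw newline inside a JSON string is invalid, so strip them.
build_payload() {
  b64=$(base64 < "$1" | tr -d '\n')
  printf '{"configFiles":{"rootDir":"/etc/nginx","files":[{"name":"nginx.conf","contents":"%s"}]},"validateConfig":true}\n' "$b64"
}
```

Run check_waf_conf on the edited file first, then pipe the output of build_payload into the step 4 curl command with -d @- in place of the inline JSON.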

Next steps

After publishing the configuration, verify the WAF configuration to confirm that protection is active on your instances.