Disconnected or air-gapped environments
This topic describes how to install F5 WAF for NGINX in a disconnected or air-gapped environment.
Many of the steps involved are similar to other installation methods: this document will refer to them when appropriate.
To complete this guide, you will need the following prerequisites:
- The requirements of your installation method:
- An active F5 WAF for NGINX subscription (purchased or trial) with repository credentials (JWT token or username/password).
- A connected environment with similar architecture and internet access to the NGINX package repositories.
- A method to transfer files between two environments (USB drive, SCP, rsync, etc.).
- For package downloads on apt-based systems: wget, gnupg, ca-certificates, and apt-transport-https.
- For package downloads on yum-based systems: yum-plugin-downloadonly.
These instructions outline the broad, conceptual steps for working with a disconnected environment. You will need to make adjustments based on your specific security requirements.
Some users may be able to use a USB stick to transfer necessary set-up artifacts, whereas other users may be able to use tools such as SSH or SCP.
In the following sections, the term connected environment refers to the environment with access to the internet you will use to download set-up artifacts.
The term disconnected environment refers to the final environment the F5 WAF for NGINX installation is intended to run in, and is the target to which set-up artifacts are transferred from the connected environment.
For a disconnected environment, you may want to browse documentation offline.
This is possible by cloning the documentation repository and downloading the binary file for Hugo.
In addition to accessing F5 WAF for NGINX documentation, you will be able to access any supporting documentation you may need from other products.
You will need git and wget in your connected environment.
Run the following two commands, replacing <hugo-release> with the tarball appropriate to the environment from the release page:
git clone git@github.com:nginx/documentation.git
wget <hugo-release>
Move the repository folder and the tarball to your disconnected environment.
In your disconnected environment, extract the tarball archive, then move the hugo binary somewhere on your PATH.
Change into the cloned repository and run Hugo: you should be able to access the documentation on localhost.
cd documentation
hugo server
This section is most relevant for a virtual machine or bare metal installation.
When working with package files, you can install the packages directly in your disconnected environment, or add them to an internal repository.
The first step is to download the package files from your connected environment that has internet access and NGINX repository credentials.
This will vary based on your operating system choice, which determines your package manager. Select your operating system below.
Alpine Linux
- Download and install the repository signing key:
sudo wget -O /etc/apk/keys/app-protect-security-updates.rsa.pub https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub
- Add the F5 WAF for NGINX repositories:
printf "https://pkgs.nginx.com/app-protect/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main\n" | sudo tee -a /etc/apk/repositories
printf "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main\n" | sudo tee -a /etc/apk/repositories
- Create a directory for packages and download app-protect:
sudo mkdir -p /offline/packages/
sudo apk update
sudo apk fetch -R -o /offline/packages/ \
app-protect \
app-protect-attack-signatures \
app-protect-bot-signatures \
app-protect-threat-campaigns
Amazon Linux 2023
- Add the F5 WAF for NGINX repository and dependencies:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo
- Create a directory for packages and download app-protect:
sudo mkdir -p /offline/packages/
sudo dnf install --downloadonly --downloaddir=/offline/packages/ \
app-protect \
app-protect-attack-signatures \
app-protect-bot-signatures \
app-protect-threat-campaigns
Debian
- Install required packages:
sudo apt-get install -y wget gnupg ca-certificates apt-transport-https lsb-release
- Download and install the NGINX repository signing key:
wget -qO - https://cs.nginx.com/static/keys/nginx-archive.key | gpg --dearmor | \
sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg > /dev/null
- Add the F5 WAF for NGINX repositories:
RELEASE=$(lsb_release -cs)
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect/debian $RELEASE nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-security-updates/debian $RELEASE nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/app-protect-security-updates.list
- Create a directory for packages and download app-protect:
sudo mkdir -p /offline/packages/
sudo apt-get update
sudo apt-get install --download-only -y \
app-protect \
app-protect-attack-signatures \
app-protect-bot-signatures \
app-protect-threat-campaigns \
-o Dir::Cache::archives=/offline/packages/
RHEL 8
- Add the F5 WAF for NGINX repository:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-rhel8.repo
- Create a directory for packages and download app-protect:
sudo mkdir -p /offline/packages/
sudo yum install --downloadonly --downloaddir=/offline/packages/ \
app-protect \
app-protect-attack-signatures \
app-protect-bot-signatures \
app-protect-threat-campaigns
RHEL 9
- Add the F5 WAF for NGINX repository:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-rhel9.repo
- Create a directory for packages and download app-protect:
sudo mkdir -p /offline/packages/
sudo dnf install --downloadonly --downloaddir=/offline/packages/ \
app-protect \
app-protect-attack-signatures \
app-protect-bot-signatures \
app-protect-threat-campaigns
Ubuntu
- Install required packages:
sudo apt-get install -y wget gnupg ca-certificates apt-transport-https lsb-release
- Download and install the NGINX repository signing key:
wget -qO - https://cs.nginx.com/static/keys/nginx-archive.key | gpg --dearmor | \
sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg > /dev/null
- Add the F5 WAF for NGINX repositories:
RELEASE=$(lsb_release -cs)
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect/ubuntu $RELEASE nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-security-updates/ubuntu $RELEASE nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/app-protect-security-updates.list
- Create a directory for packages and download app-protect:
sudo mkdir -p /offline/packages/
sudo apt-get update
sudo apt-get install --download-only -y \
app-protect \
app-protect-attack-signatures \
app-protect-bot-signatures \
app-protect-threat-campaigns \
-o Dir::Cache::archives=/offline/packages/
Once you’ve obtained the package files in your connected environment, transfer the packages directory to your disconnected environment.
In the disconnected environment, install the packages:
# For Alpine Linux
sudo apk add -p /offline/packages/ app-protect
# For Amazon Linux 2023, RHEL 9, Rocky Linux 9
sudo dnf install /offline/packages/*.rpm
# For Debian, Ubuntu
sudo dpkg -i /offline/packages/*.deb
# For Oracle Linux, RHEL 8, Rocky Linux 8
sudo yum localinstall /offline/packages/*.rpm
After pulling or building Docker images in a connected environment, you can save them to .tar files:
docker save -o waf-enforcer.tar waf-enforcer:5.7.0
docker save -o waf-config-mgr.tar waf-config-mgr:5.9.0
# Optional, if using IP intelligence
docker save -o waf-ip-intelligence.tar waf-ip-intelligence:5.9.0
You can then transfer the files and load the images in your disconnected environment:
docker load -i waf-enforcer.tar
docker load -i waf-config-mgr.tar
# Optional, if using IP intelligence
docker load -i waf-ip-intelligence.tar
Ensure your Docker Compose files use the tagged images you’ve transferred.
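An added example (not part of the F5 documentation) for the transfer steps above: write a hash manifest over the packages directory, or a directory holding the image .tar files, in the connected environment, then check it in the disconnected environment before installing or loading anything. The check also rejects files the manifest does not list, because the install commands glob the whole directory (*.rpm, *.deb). The SHA256SUMS file name, the script name and both function names are assumptions.

```shell
#!/bin/sh
# Added example, not F5 tooling. MANIFEST and the function names are assumptions.
MANIFEST="SHA256SUMS"

# Connected environment: record a SHA-256 for every file in directory $1.
make_manifest() {
    (
        cd "$1" || exit 2
        find . -type f ! -name "$MANIFEST" -exec sha256sum {} + |
            LC_ALL=C sort -k2 > "$MANIFEST"
    )
}

# Disconnected environment: succeed only if directory $1 holds exactly the
# files the manifest lists, each with its recorded hash.
verify_manifest() {
    (
        cd "$1" || exit 2
        [ -f "$MANIFEST" ] || { echo "no $MANIFEST in $1" >&2; exit 2; }
        # 1. Listed files must exist and match (catches damage and swaps).
        sha256sum -c "$MANIFEST" > /dev/null || exit 1
        # 2. Nothing unlisted may be present: the install commands glob the
        #    whole directory, so a stray package would be installed too.
        #    Manifest lines have the form "<hash>  ./<file>".
        listed=$(sed 's/^[0-9a-f]*  //' "$MANIFEST" | LC_ALL=C sort)
        present=$(find . -type f ! -name "$MANIFEST" | LC_ALL=C sort)
        [ "$listed" = "$present" ] || { echo "unlisted file in $1" >&2; exit 1; }
    )
}

# Usage: sh manifest.sh make /offline/packages     (connected side)
#        sh manifest.sh verify /offline/packages   (disconnected side)
case "${1:-}" in
    make)   make_manifest "$2" ;;
    verify) verify_manifest "$2" ;;
esac
```

A manifest that travels on the same medium as the files detects damage and stray files; to detect deliberate tampering, carry it over a separate channel or sign it.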