# 2024 archive This page is an archive of changelog entries for 2024. For the current year, view [the top-level changelog](/waf/changelog/) topic. ## F5 NGINX App Protect WAF 5.4 / 4.12 Released _November 19th, 2024_. ### New features - Added support for Amazon Linux 2023 - F5 NGINX App Protect WAF now supports NGINX Plus R33. - **5.4 Only:** Added support for [readOnlyFileSystem in Kubernetes deployments](/waf/configure/kubernetes-read-only/) - **5.4 Only:** Added a [a policy converter to the compiler](/waf/configure/converters.md#policy-converter) Please read the [subscription licenses](/solutions/about-subscription-licenses.md) topic for information about R33. ### Important notes - Alpine 3.16 is no longer supported. ### Resolved issues - (11973) Updated the Go version to 1.23.1 - (11469) _apt-get update_ warning for Ubuntu 22.04 ### Known issues On Ubuntu 24.04, you may receive the following error when uninstalling an old version of F5 NGINX App Protect WAF and installing a newer version: ```text APP_PROTECT failed to open /opt/app_protect/config/config_set.json ``` This can occur if you are not using the default `nginx.conf` file and are using the `app_protect_enforcer_address` directive. To fix the problem, remove the file configuration folder and recreate the directory, then restart NGINX. ```shell sudo rm /opt/app_protect/config sudo mkdir /opt/app_protect/config sudo service nginx restart ``` ### Packages | Distribution name | NGINX Open Source (5.4) | NGINX Plus (5.4) | NGINX Plus (4.12) | | ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| | Alpine 3.17 | _app-protect-module-oss-1.27.2+5.210.0-r1.apk_ | _app-protect-module-plus-33+5.210.0-r1.apk_ | _app-protect-33.5.210.0-r1.apk_ | | Amazon Linux 2023 | _app-protect-module-oss-1.27.2+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | | Debian 11 | _app-protect-module-oss_1.27.2+5.210.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~bullseye_amd64.deb_ | _app-protect_33+5.210.0-1\~bullseye_amd64.deb_ | | Debian 12 | _app-protect-module-oss_1.27.2+5.210.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~bookworm_amd64.deb_ | _app-protect_33+5.210.0-1\~bookworm_amd64.deb_ | | Oracle Linux 8.1 | _app-protect-module-oss-1.27.2+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.el8.ngx.x86_64.rpm_ | | Ubuntu 20.04 | _app-protect-module-oss_1.27.2+5.210.0-1\~focal_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~focal_amd64.deb_ | _app-protect_33+5.210.0-1\~focal_amd64.deb_ | | Ubuntu 22.04 | _app-protect-module-oss_1.27.2+5.210.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~jammy_amd64.deb_ | _app-protect_33+5.210.0-1\~jammy_amd64.deb_ | | Ubuntu 24.04 | _app-protect-module-oss_1.27.2+5.210.0-1\~noble_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~noble_amd64.deb_ | _app-protect_33+5.210.0-1\~noble_amd64.deb_ | | RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.2+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.el8.ngx.x86_64.rpm_ | | RHEL 9 | _app-protect-module-oss-1.27.2+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.el9.ngx.x86_64.rpm_ | ## F5 NGINX App Protect WAF 5.3 / 4.11 Released _September 25, 2024_. ### New features - Ubuntu 24.04 support - **5.3 Only:** [Secure traffic using mTLS](/waf/configure/secure-mtls.md) ### Important notes - Starting from this release, CentOS 7.4, Rhel 7.4 and Amazon Linux 2 support has been deprecated. ### Resolved issues - (10775) Resolved a threshold calculation in the base64 decoding mechanism. - (11426) Resolved log entry of an XFF header that contains more than one value. - (11272) Resolved an issue where, in certain instances, the original HTTP response code was shown for rejected requests. - (11568) Support seamless upgrades by using the latest tag instead of hardcoded versions. - (5302) The enforcer leaves an incomplete job when NGINX reloads during DNS resolution. ### Packages | Distribution name | NGINX Open Source (5.3) | NGINX Plus (5.3) | NGINX Plus (4.11) | | ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| | Alpine 3.17 | _app-protect-module-oss-1.25.4+5.144.0-r1.apk_ | _app-protect-module-plus-32+5.144.0-r1.apk_ | _app-protect-32.5.144.0-r1.apk_ | | Amazon Linux 2023 | _app-protect-module-oss-1.25.4+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | | Debian 11 | _app-protect-module-oss_1.25.4+5.144.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bullseye_amd64.deb_ | _app-protect_32+5.144.0-1\~bullseye_amd64.deb_ | | Debian 12 | _app-protect-module-oss_1.25.4+5.144.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bookworm_amd64.deb_ | _app-protect_32+5.144.0-1\~bookworm_amd64.deb_ | | Oracle Linux 8.1 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | | Ubuntu 20.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~focal_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~focal_amd64.deb_ | _app-protect_32+5.144.0-1\~focal_amd64.deb_ | | Ubuntu 22.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~jammy_amd64.deb_ | _app-protect_32+5.144.0-1\~jammy_amd64.deb_ | | Ubuntu 24.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~noble_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~noble_amd64.deb_ | _app-protect_32+5.144.0-1\~noble_amd64.deb_ | | RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | | RHEL 9 | _app-protect-module-oss-1.25.4+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el9.ngx.x86_64.rpm_ | ## F5 NGINX App Protect WAF 5.2 / 4.10 Released _May 29, 2024_. ### New features - [Added apreload](/waf/configure/apreload.md) ### Resolved issues - (11038) In some scenarios, autodetect does not correctly recognize the internal buffer as base_64 buffer and so does not decode the data. - (11059) Enforcer may crash in specific scenarios. - (11105) Update libprotobuf to version 1.33.0+. - (11148) When following the config guide for starting NAP v5 in docker or kubernetes and leaving nginx.conf without any 'app_protect' directive: changing the conf to include NAP does not work. Enforcer times out every 40 secs waiting for the configuration. ### Packages | Distribution name | NGINX Open Source (5.2) | NGINX Plus (5.2) | NGINX Plus (4.10) | | ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| | Alpine 3.17 | _app-protect-module-oss-1.25.4+5.144.0-r1.apk_ | _app-protect-module-plus-32+5.144.0-r1.apk_ | _app-protect-32.5.144.0-r1.apk_ | | Amazon Linux 2023 | _app-protect-module-oss-1.25.4+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | | Debian 11 | _app-protect-module-oss_1.25.4+5.144.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bullseye_amd64.deb_ | _app-protect_32+5.144.0-1\~bullseye_amd64.deb_ | | Debian 12 | _app-protect-module-oss_1.25.4+5.144.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bookworm_amd64.deb_ | _app-protect_32+5.144.0-1\~bookworm_amd64.deb_ | | Oracle Linux 8.1 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | | Ubuntu 20.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~focal_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~focal_amd64.deb_ | _app-protect_32+5.144.0-1\~focal_amd64.deb_ | | Ubuntu 22.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~jammy_amd64.deb_ | _app-protect_32+5.144.0-1\~jammy_amd64.deb_ | | RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | | RHEL 9 | _app-protect-module-oss-1.25.4+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el9.ngx.x86_64.rpm_ | ## F5 NGINX App Protect WAF 5.1 / 4.9 Released _April 18, 2024_. ### New features - Authorization Rules in URLs - New [JSON Web Token](/waf/policies/jwt-protection.md) signature signing algorithm support for: - **RSA**: RS256, RS384, RS512 - **PSS**: PS256, PS384, PS512 - **ECDSA**: ES256, ES256K, ES384, ES512 - **EdDSA** - [Time-based signature staging](/waf/policies/time-based-signature-staging.md) ### Resolved issues - (10250/10251) Fixed issues related to upgrading on Debian and Ubuntu. - (10219/10512) Resolved issues related to base64 detection and decoding. - (10465) Resolved the "header already sent" alert message in the NGINX error log. ### Packages | Distribution name | NGINX Open Source (5.1) | NGINX Plus (5.1) | NGINX Plus (4.9) | | ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| | Alpine 3.17 | _app-protect-module-oss-1.25.4+5.17.0-r1.apk_ | _app-protect-module-plus-31+5.17.0-r1.apk_ | _app-protect-31.5.17.0-r1.apk_ | | Amazon Linux 2023 | _app-protect-module-oss-1.25.4+5.17.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.amzn2023.ngx.x86_64.rpm_ | | Debian 11 | _app-protect-module-oss_1.25.4+5.17.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~bullseye_amd64.deb_ | _app-protect_31+5.17.0-1\~bullseye_amd64.deb_ | | Debian 12 | _app-protect-module-oss_1.25.4+5.17.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~bookworm_amd64.deb_ | _app-protect_31+5.17.0-1\~bookworm_amd64.deb_ | | Oracle Linux 8.1 | _app-protect-module-oss-1.25.4+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el8.ngx.x86_64.rpm_ | | Ubuntu 20.04 | _app-protect-module-oss_1.25.4+5.17.0-1\~focal_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~focal_amd64.deb_ | _app-protect_31+5.17.0-1\~focal_amd64.deb_ | | Ubuntu 22.04 | _app-protect-module-oss_1.25.4+5.17.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~jammy_amd64.deb_ | _app-protect_31+5.17.0-1\~jammy_amd64.deb_ | | RHEL 7 | _app-protect-module-oss-1.25.4+5.17.0-1.el7.ngx.x86_64.rpm | _app-protect-module-plus-31+5.17.0-1.el7.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el7.ngx.x86_64.rpm_ | | RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el8.ngx.x86_64.rpm_ | | RHEL 9 | _app-protect-module-oss-1.25.4+5.17.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.el9.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el9.ngx.x86_64.rpm_ | ## F5 NGINX App Protect WAF 5.0 / 4.8.1 Released _March 19, 2024_. ### New features - [New deployment types](/waf/fundamentals/technical-specifications.md#supported-deployment-environments) - [Security policy and logging profile bundles](/waf/configure/compiler.md) ### Packages | Distribution name | NGINX Open Source (5.0) | NGINX Plus (5.0) | NGINX Plus (4.8.1) | | ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| | Alpine 3.17 | _app-protect-module-oss-1.25.4+4.815.0-r1.apk_ | _app-protect-module-plus-31+4.815.0-r1.apk_ | _app-protect-31.4.815.0-r1.apk_ | | Amazon Linux 2023 | _app-protect-module-oss-1.25.4+4.815.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.amzn2023.ngx.x86_64.rpm_ | | Debian 11 | _app-protect-module-oss_1.25.4+4.815.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_31+4.815.0-1\~bullseye_amd64.deb_ | _app-protect_31+4.815.0-1\~bullseye_amd64.deb_ | | Debian 12 | _app-protect-module-oss_1.25.4+4.815.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_31+4.815.0-1\~bookworm_amd64.deb_ | _app-protect_31+4.815.0-1\~bookworm_amd64.deb_ | | Oracle Linux 8.1 | _app-protect-module-oss-1.25.4+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el8.ngx.x86_64.rpm_ | | Ubuntu 20.04 | _app-protect-module-oss_1.25.4+4.815.0-1\~focal_amd64.deb_ | _app-protect-module-plus_31+4.815.0-1\~focal_amd64.deb_ | _app-protect_31+4.815.0-1\~focal_amd64.deb_ | | Ubuntu 22.04 | _app-protect-module-oss_1.25.4+4.815.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_31+4.815.0-1\~jammy_amd64.deb_ | _app-protect_31+4.815.0-1\~jammy_amd64.deb_ | | RHEL 7 | _app-protect-module-oss-1.25.4+4.815.0-1.el7.ngx.x86_64.rpm | _app-protect-module-plus-31+4.815.0-1.el7.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el7.ngx.x86_64.rpm_ | | RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el8.ngx.x86_64.rpm_ | | RHEL 9 | _app-protect-module-oss-1.25.4+4.815.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.el9.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el9.ngx.x86_64.rpm_ | ## F5 NGINX App Protect WAF 4.8 Released _February 6, 2024_. ### New Features - Debian 12 Support - [Actionable Rules in Override Rules Policy](/waf/policies/override-rules.md) - [Geolocation Enforcement](/waf/policies/geolocation.md) - [Partial Masking of Data using Data Guard](/waf/policies/data-guard.md) ### Supported Packages #### F5 NGINX App Protect WAF ##### Alpine 3.16 - app-protect-31.4.762.0-r1.apk ##### Alpine 3.17 - app-protect-31.4.762.0-r1.apk ##### CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2 - app-protect-31+4.762.0-1.el7.ngx.x86_64.rpm ##### Debian 11 - app-protect_31+4.762.0-1~bullseye_amd64.deb ##### Debian 12 - app-protect_31+4.762.0-1~bookworm_amd64.deb ##### Oracle Linux 8.1+ - app-protect-31+4.762.0-1.el8.ngx.x86_64.rpm ##### RHEL 8.1+ - app-protect-31+4.762.0-1.el8.ngx.x86_64.rpm ##### RHEL 9+ - app-protect-31+4.762.0-1.el9.ngx.x86_64.rpm ##### Ubuntu 20.04 - app-protect_31+4.762.0-1~focal_amd64.deb ##### Ubuntu 22.04 - app-protect_31+4.762.0-1~jammy_amd64.deb ### Resolved Issues - 10063 Fixed - In some cases request could hang in when urlContentProfiles type set to "do-nothing". - 10156 Fixed - Chunked requests connection is stuck in CLOSE_WAIT state. ### **Important Note** - Actionable Rules and Geolocation are now supported in [Policy Override Rules](/waf/policies/override-rules.md).