Installing NGINX App Protect WAF
- Active F5 NGINX App Protect WAF subscription in MyF5 (purchased or trial).
- Docker (with Docker Compose) is installed and running.
- A supported operating system (OS).
If you already have NGINX packages in your system, back up your configuration and log files:
sudo cp -a /etc/nginx /etc/nginx-plus-backup
sudo cp -a /var/log/nginx /var/log/nginx-plus-backup
- Log in to MyF5 Customer Portal and download your nginx-repo.crt and nginx-repo.key files.
- If any old NGINX App Protect packages are installed, make sure to remove them.
- Follow the steps below for the operating system you are working with.
Note: If not already installed, nginx or nginx-plus will be installed automatically as a dependency.
Please follow these steps before you install either NGINX Open Source or NGINX Plus.
Move nginx-repo.key to /etc/apk/cert.key and nginx-repo.crt to /etc/apk/cert.pem.
Make sure that files do not contain other certificates and keys: Alpine Linux does not support mixing client certificates for different repositories.
Install prerequisite packages:
sudo apk add openssl ca-certificates
Add the NGINX signing public key to the directory /etc/apk/keys:
sudo wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub
Create the /etc/ssl/nginx/ directory:
sudo mkdir -p /etc/ssl/nginx
Upload the nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.
Remove any previously downloaded NGINX repository files from /etc/yum.repos.d:
sudo rm /etc/yum.repos.d/nginx*.repo
sudo rm /etc/yum.repos.d/*app-protect*.repo
Install the required dependencies:
sudo dnf install ca-certificates wget
Download the dependencies.repo file to /etc/yum.repos.d:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo
Create the /etc/ssl/nginx/ directory:
sudo mkdir -p /etc/ssl/nginx
Upload the nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.
Remove any previous NGINX repository and apt configuration files:
sudo rm /etc/apt/sources.list.d/nginx*.list
sudo rm /etc/apt/sources.list.d/*app-protect*.list
sudo rm /etc/apt/apt.conf.d/90pkgs-nginx
Install prerequisite packages:
sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring
Download and add the NGINX signing key:
wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | \
sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
Download the apt configuration to /etc/apt/apt.conf.d:
sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
Verify that the downloaded file contains the proper key:
gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
The output should contain the full fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 as follows:
pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid nginx signing key <signing-key@nginx.com>
If the fingerprint is different, remove the file.
Create the /etc/ssl/nginx/ directory:
sudo mkdir -p /etc/ssl/nginx
Upload the nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.
Remove any previously downloaded NGINX repository files from /etc/yum.repos.d:
sudo rm /etc/yum.repos.d/nginx*.repo
sudo rm /etc/yum.repos.d/*app-protect*.repo
Install required dependencies:
sudo dnf install ca-certificates wget
Download the dependencies.repo file to /etc/yum.repos.d:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
Create the /etc/ssl/nginx/ directory:
sudo mkdir -p /etc/ssl/nginx
Upload the nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.
Remove any previous NGINX repository and apt configuration files:
sudo rm /etc/apt/sources.list.d/nginx*.list
sudo rm /etc/apt/sources.list.d/*app-protect*.list
sudo rm /etc/apt/apt.conf.d/90pkgs-nginx
Install prerequisite packages:
sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring
Download and add the NGINX signing key:
wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | \
sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
Download the apt configuration to /etc/apt/apt.conf.d:
sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
Verify that the downloaded file contains the proper key:
gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
The output should contain the full fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 as follows:
pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid nginx signing key <signing-key@nginx.com>
If the fingerprint is different, remove the file.
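The fingerprint check from the Debian and Ubuntu steps above, scripted so that a mismatch removes the keyring without manual comparison. This is an added example, not part of the NGINX documentation; the function names are hypothetical, and it goes one step further than the page by rejecting a keyring that holds the expected key plus any other primary key. It adds gpg's --with-colons option to the page's command to get machine-readable output.

```shell
#!/bin/sh
# Fingerprint of the NGINX signing key, as stated on this page.
EXPECTED_FPR="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62"

# Strip whitespace and upper-case, so the spaced form shown in the yum prompt
# ("573B FD6B ...") compares equal to the compact form gpg prints.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of every
# primary key. The "fpr" record that follows a "pub" record belongs to the
# primary key; the one that follows a "sub" record belongs to a subkey.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# check_keyring_listing EXPECTED   (colon-format listing on stdin)
# Returns 0 when every primary key in the listing is EXPECTED,
#         1 when any other primary key is present,
#         2 when the listing holds no key at all (empty or truncated download).
check_keyring_listing() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    [ -n "$found" ] || return 2
    for fpr in $found; do
        [ "$fpr" = "$expected" ] || return 1
    done
    return 0
}

# verify_keyring FILE: run the page's gpg command (plus --with-colons) and
# remove FILE on any mismatch, as the page instructs. Needs root for the rm.
verify_keyring() {
    keyring=$1
    if gpg --dry-run --quiet --no-keyring --with-colons \
           --import --import-options import-show "$keyring" 2>/dev/null |
       check_keyring_listing "$EXPECTED_FPR"; then
        echo "OK: $keyring holds only the expected NGINX signing key"
    else
        echo "MISMATCH: removing $keyring" >&2
        rm -f -- "$keyring"
        return 1
    fi
}

# Constructed colon-format listing (not real gpg output): the expected key plus
# one extra primary key, which a plain "contains the fingerprint" check misses.
SAMPLE_LISTING='pub:-:2048:1:ABF5BD827BD9BF62:1313747554:::-:::scSC:
fpr:::::::::573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62:
uid:-::::::::nginx signing key <signing-key@nginx.com>:
pub:-:4096:1:AAAAAAAAAAAAAAAA:1700000000:::-:::scSC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'
printf '%s\n' "$SAMPLE_LISTING" | check_keyring_listing "$EXPECTED_FPR"
echo "exit status for a keyring with an extra key: $?"
```

Run `verify_keyring /usr/share/keyrings/nginx-archive-keyring.gpg` as root directly after the download step.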
Create the file named /etc/yum.repos.d/nginx.repo with the following contents:
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/amzn/2023/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-oss.repo, with the following contents:
[app-protect-x-oss]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-oss/amzn/2023/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package.
sudo dnf install app-protect-module-oss
Set up the apk repository for mainline nginx packages:
printf "%s%s%s\n" \
"http://nginx.org/packages/mainline/alpine/v" \
`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` \
"/main" \
| sudo tee -a /etc/apk/repositories
Add the NGINX App Protect WAF v5 apk repository:
printf "https://pkgs.nginx.com/app-protect-x-oss/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories
Install the NGINX App Protect WAF v5 package:
sudo apk add app-protect-module-oss
Add the NGINX Open Source repository:
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" | \
sudo tee /etc/apt/sources.list.d/nginx.list
Set up repository pinning to prefer our packages over distribution-provided ones:
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | \
sudo tee /etc/apt/preferences.d/99nginx
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-oss/debian `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss
Create the file named /etc/yum.repos.d/nginx.repo with the following contents:
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-oss.repo, with the following contents:
[app-protect-x-oss]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/7/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package.
sudo yum install app-protect-module-oss
When prompted to accept the GPG key, verify that the fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, and if so, accept it.
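The two repository files above differ in how installed packages are authenticated: nginx-mainline sets gpgcheck=1 over an http baseurl, while app-protect-x-oss sets gpgcheck=0 over https with a client certificate. The following added example (not part of the NGINX documentation; function names are hypothetical) classifies each section of a .repo file accordingly, so that repositories relying on the TLS channel alone are visible at a glance.

```shell
#!/bin/sh
# audit_repo: read a yum/dnf .repo file on stdin and print "<section> <verdict>"
# for each repository section:
#   signed        gpgcheck on: packages are verified against the repo's GPG key
#   tls-only      gpgcheck off with an https baseurl: only the TLS channel
#                 authenticates what gets installed
#   unprotected   gpgcheck off with a non-https baseurl
#   inherits      no gpgcheck line: the value comes from the main dnf/yum config
audit_repo() {
    awk '
        function report(    g) {
            if (section == "") return
            g = tolower(gpgcheck)
            if (g == "1" || g == "true" || g == "yes") verdict = "signed"
            else if (g == "")                          verdict = "inherits"
            else if (baseurl ~ /^https:\/\//)          verdict = "tls-only"
            else                                       verdict = "unprotected"
            print section, verdict
        }
        /^[ \t]*[#;]/ { next }                  # comment lines
        /^\[/ {                                 # start of a new [section]
            report()
            section = substr($0, 2, index($0, "]") - 2)
            gpgcheck = ""; baseurl = ""
            next
        }
        index($0, "=") > 0 {                    # key=value line
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            if (key == "baseurl")  baseurl = val
        }
        END { report() }
    '
}

# audit_repo_dir DIR: audit every *.repo file in DIR and print only the
# sections that are not GPG-verified, prefixed with the file name.
audit_repo_dir() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        audit_repo < "$f" | awk -v f="$f" '$2 != "signed" { print f ": " $0 }'
    done
}

# Sample input: the two sections from this page, plus one constructed section
# (example-plain, with a placeholder host) to show the "unprotected" verdict.
SAMPLE_REPO='[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[app-protect-x-oss]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/7/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
[example-plain]
baseurl=http://mirror.example.invalid/repo/
gpgcheck=0'
printf '%s\n' "$SAMPLE_REPO" | audit_repo
```

On an installed host, `audit_repo_dir /etc/yum.repos.d` lists every repository section that does not verify package signatures.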
Add the NGINX Open Source repository:
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | \
sudo tee /etc/apt/sources.list.d/nginx.list
Set up repository pinning to prefer our packages over distribution-provided ones:
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | \
sudo tee /etc/apt/preferences.d/99nginx
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-oss/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss
To use NGINX Plus, you will need to download the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal:
- Log in to MyF5.
- Go to My Products & Plans > Subscriptions to see your active subscriptions.
- Find your NGINX products or services subscription, and select the Subscription ID for details.
- Download the JSON Web Token from the subscription page.
Once you have the license file:
- Copy the license file to /etc/nginx/license.jwt on Linux or /usr/local/etc/nginx/license.jwt on FreeBSD for each NGINX Plus instance.
- SELinux: If you’re running a Linux distribution with SELinux enabled, set the file security context type with the following command:
chcon -t httpd_config_t /etc/nginx/license.jwt
Then you can move on to the next step, depending on your chosen operating system.
Add the NGINX Plus apk repository to the /etc/apk/repositories file:
printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories
Add the NGINX App Protect WAF v5 repository:
printf "https://pkgs.nginx.com/app-protect-x-plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories
Install the NGINX App Protect WAF v5 package:
sudo apk add app-protect-module-plus
Download the NGINX Plus repository file plus-amazonlinux2023.repo to /etc/yum.repos.d:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-plus.repo, with the following contents:
[app-protect-x-plus]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-plus/amzn/2023/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package:
sudo dnf install app-protect-module-plus
Add the NGINX Plus repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-plus.list
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-plus/debian `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install app-protect-module-plus
Download the NGINX Plus repository file nginx-plus-8.repo to /etc/yum.repos.d:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-plus.repo, with the following contents:
[app-protect-x-plus]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package:
sudo dnf install app-protect-module-plus
Download the NGINX Plus repository file plus-9.repo to /etc/yum.repos.d:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-9.repo
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-plus.repo, with the following contents:
[app-protect-x-plus]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package:
sudo dnf install app-protect-module-plus
Add the NGINX Plus repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-plus.list
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-plus/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install app-protect-module-plus
In your nginx configuration:
- Load the NGINX App Protect WAF v5 module at the main context:
load_module modules/ngx_http_app_protect_module.so;
- Configure the Enforcer address at the http context:
app_protect_enforcer_address 127.0.0.1:50000;
- Enable NGINX App Protect WAF on an http/server/location context (make sure you only enable NGINX App Protect WAF with proxy_pass/grpc_pass locations):
app_protect_enable on;
In this guide, the following files are used:
/etc/nginx/nginx.conf
user nginx;
worker_processes auto;

# NGINX App Protect WAF
load_module modules/ngx_http_app_protect_module.so;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    # NGINX App Protect WAF
    app_protect_enforcer_address 127.0.0.1:50000;

    include /etc/nginx/conf.d/*.conf;
}
/etc/nginx/conf.d/default.conf
server {
    listen 80;
    server_name domain.com;

    proxy_http_version 1.1;

    location / {
        # NGINX App Protect WAF
        app_protect_enable on;

        client_max_body_size 0;
        default_type text/html;
        proxy_pass http://127.0.0.1:8080/;
    }
}

server {
    listen 8080;
    server_name localhost;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
Set up the directories with the correct ownership for NGINX App Protect WAF v5 services, where 101:101 are the default UID/GID.
Create Directories:
sudo mkdir -p /opt/app_protect/config /opt/app_protect/bd_config
Set Ownership:
sudo chown -R 101:101 /opt/app_protect/
Configure Docker to interact with the F5 Container Registry at private-registry.nginx.com:
sudo mkdir -p /etc/docker/certs.d/private-registry.nginx.com
sudo cp <path-to-your-nginx-repo.crt> /etc/docker/certs.d/private-registry.nginx.com/client.cert
sudo cp <path-to-your-nginx-repo.key> /etc/docker/certs.d/private-registry.nginx.com/client.key
Note: The file extension for the certificate file has changed from .crt to .cert.
Create a docker-compose.yml with the following configuration:
Replace the waf-enforcer and waf-config-mgr tags with the actual release version tag you are deploying. We are using version 5.2.0 for this example deployment.
services:
  waf-enforcer:
    container_name: waf-enforcer
    image: private-registry.nginx.com/nap/waf-enforcer:5.2.0
    environment:
      - ENFORCER_PORT=50000
    ports:
      - "50000:50000"
    volumes:
      - /opt/app_protect/bd_config:/opt/app_protect/bd_config
    networks:
      - waf_network
    restart: always
  waf-config-mgr:
    container_name: waf-config-mgr
    image: private-registry.nginx.com/nap/waf-config-mgr:5.2.0
    volumes:
      - /opt/app_protect/bd_config:/opt/app_protect/bd_config
      - /opt/app_protect/config:/opt/app_protect/config
      - /etc/app_protect/conf:/etc/app_protect/conf
    restart: always
    network_mode: none
    depends_on:
      waf-enforcer:
        condition: service_started
networks:
  waf_network:
    driver: bridge
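The compose file above publishes the Enforcer port as "50000:50000", which Docker binds on every host interface, while the nginx configuration in this guide only reaches the Enforcer at 127.0.0.1:50000. The check below is an added example, not part of the NGINX documentation; the function name is hypothetical and it assumes two-space indentation and short-syntax port entries. It lists published ports that are not restricted to a loopback address, and a mapping such as "127.0.0.1:50000:50000" passes it.

```shell
#!/bin/sh
# exposed_ports: read a docker-compose.yml on stdin and print "<service> <mapping>"
# for each short-syntax "ports:" entry whose host side is not a loopback address.
exposed_ports() {
    awk -v sq="'" '
        /^[ \t]*(#.*)?$/ { next }                       # blank and comment lines
        /^services:/ { in_services = 1; in_ports = 0; next }
        /^[^ #]/     { in_services = 0; in_ports = 0 }  # any other top-level key
        !in_services { next }
        /^  [A-Za-z0-9_.-]+:[ \t]*$/ {                  # "  <service>:"
            svc = $1; sub(/:$/, "", svc); in_ports = 0; next
        }
        /^    ports:[ \t]*$/ { in_ports = 1; next }
        in_ports && /^      - / {
            m = $0
            sub(/^      - /, "", m); sub(/[ \t]*#.*$/, "", m)
            gsub(/"/, "", m); gsub(sq, "", m)
            # HOST_IP:HOST_PORT:CONTAINER_PORT is loopback-only when HOST_IP is
            # 127.x.x.x or [::1]; with no HOST_IP Docker binds every interface.
            if (m !~ /^(127\.[0-9]+\.[0-9]+\.[0-9]+|\[::1\]):/) print svc, m
            next
        }
        in_ports { in_ports = 0 }                       # left the ports list
    '
}

# Sample input: the waf-enforcer service as published on this page (trimmed),
# followed by a constructed variant that binds the port to loopback only.
COMPOSE_AS_PUBLISHED='services:
  waf-enforcer:
    container_name: waf-enforcer
    environment:
      - ENFORCER_PORT=50000
    ports:
      - "50000:50000"
    volumes:
      - /opt/app_protect/bd_config:/opt/app_protect/bd_config
  waf-config-mgr:
    container_name: waf-config-mgr
    network_mode: none
networks:
  waf_network:
    driver: bridge'

COMPOSE_LOOPBACK='services:
  waf-enforcer:
    container_name: waf-enforcer
    ports:
      - "127.0.0.1:50000:50000"   # reachable from the host only'

printf '%s\n' "$COMPOSE_AS_PUBLISHED" | exposed_ports
printf '%s\n' "$COMPOSE_LOOPBACK" | exposed_ports
```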
Note: In some operating systems, security mechanisms like SELinux or AppArmor are enabled by default, potentially blocking necessary file access for the nginx process and the waf-config-mgr and waf-enforcer containers. To ensure NGINX App Protect WAF v5 operates smoothly without compromising security, consider setting up a custom SELinux policy or AppArmor profile. For short-term troubleshooting, you may use permissive (SELinux) or complain (AppArmor) mode to avoid these restrictions, but keep in mind that this lowers security and isn’t advised for prolonged use.
- To start the WAF services, navigate to the directory that contains the docker-compose.yml file and run:
sudo docker compose up -d
- To start NGINX, run:
sudo nginx
- To verify the enforcement functionality, ensure the following request is rejected:
curl "localhost/<script>"
To work with custom policy and logging profile bundles, these files must be accessible to the waf-config-mgr container.
- Assumption: Your bundle files are in /bundles on the host machine.
- Docker Compose Configuration: In your docker-compose.yml, add a volume mount under the waf-config-mgr service to link the host directory /bundles to the same path inside the container.
...
  waf-config-mgr:
    container_name: waf-config-mgr
    image: "private-registry.nginx.com/nap/waf-config-mgr:1.0.0"
    volumes:
      - /bundles:/bundles # Mounting the host directory to the container
      - ... # existing volume mounts
By setting up this volume mount, the bundle files can be referenced within your NGINX configuration using the /bundles directory.
For instance:
app_protect_policy_file /bundles/custom_policy.tgz;
app_protect_security_log /bundles/custom_logging_profile.tgz syslog:server=localhost:514;
After deploying NGINX App Protect WAF, learn how to utilize the NGINX App Protect WAF Compiler for applying your custom policies and logging profiles.
- Log in to MyF5 Customer Portal and download your nginx-repo.crt and nginx-repo.key files on your online machine.
- If any old NGINX App Protect packages are installed, make sure to remove them.
- Follow the steps below for the operating system you are working with.
Note: If not already installed, nginx or nginx-plus will be installed automatically as a dependency.
Follow these steps before you install NGINX Open Source or NGINX Plus.
Move nginx-repo.key to /etc/apk/cert.key and nginx-repo.crt to /etc/apk/cert.pem.
Make sure that files do not contain other certificates and keys: Alpine Linux does not support mixing client certificates for different repositories.
Install prerequisite packages:
sudo apk add openssl ca-certificates
Add the NGINX signing public key to the directory /etc/apk/keys:
sudo wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub
Create the /etc/ssl/nginx/ directory:
sudo mkdir -p /etc/ssl/nginx
Upload the nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.
Remove any previously downloaded NGINX repository files from /etc/yum.repos.d:
sudo rm /etc/yum.repos.d/nginx*.repo
sudo rm /etc/yum.repos.d/*app-protect*.repo
Install the required dependencies:
sudo dnf install ca-certificates wget
Download the dependencies.repo file to /etc/yum.repos.d:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo
Create the /etc/ssl/nginx/ directory:
sudo mkdir -p /etc/ssl/nginx
Upload the nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.
Remove any previous NGINX repository and apt configuration files:
sudo rm /etc/apt/sources.list.d/nginx*.list
sudo rm /etc/apt/sources.list.d/*app-protect*.list
sudo rm /etc/apt/apt.conf.d/90pkgs-nginx
Install prerequisite packages:
sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring
Download and add the NGINX signing key:
wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | \
sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
Download the apt configuration to /etc/apt/apt.conf.d:
sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
Verify that the downloaded file contains the proper key:
gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
The output should contain the full fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 as follows:
pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid nginx signing key <signing-key@nginx.com>
If the fingerprint is different, remove the file.
Create the /etc/ssl/nginx/ directory:
sudo mkdir -p /etc/ssl/nginx
Upload the nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.
Remove any previously downloaded NGINX repository files from /etc/yum.repos.d:
sudo rm /etc/yum.repos.d/nginx*.repo
sudo rm /etc/yum.repos.d/*app-protect*.repo
Install required dependencies:
sudo dnf install ca-certificates wget
Download the dependencies.repo file to /etc/yum.repos.d:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
Create the /etc/ssl/nginx/ directory:
sudo mkdir -p /etc/ssl/nginx
Upload the nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.
Remove any previous NGINX repository and apt configuration files:
sudo rm /etc/apt/sources.list.d/nginx*.list
sudo rm /etc/apt/sources.list.d/*app-protect*.list
sudo rm /etc/apt/apt.conf.d/90pkgs-nginx
Install prerequisite packages:
sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring
Download and add the NGINX signing key:
wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | \
sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
Download the apt configuration to /etc/apt/apt.conf.d:
sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
Verify that the downloaded file contains the proper key:
gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
The output should contain the full fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 as follows:
pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid nginx signing key <signing-key@nginx.com>
If the fingerprint is different, remove the file.
Set up the apk repository for mainline nginx packages:
printf "%s%s%s\n" \
"http://nginx.org/packages/mainline/alpine/v" \
`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` \
"/main" \
| sudo tee -a /etc/apk/repositories
Add the NGINX App Protect WAF v5 apk repository:
printf "https://pkgs.nginx.com/app-protect-x-oss/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories
Install the NGINX App Protect WAF v5 package:
sudo apk add app-protect-module-oss
- Download all NGINX Open Source packages, including all dependencies:
sudo mkdir /etc/packages/
sudo apk update
sudo apk fetch --recursive --output /etc/packages app-protect-module-oss
- Create the file named /etc/yum.repos.d/nginx.repo with the following contents:
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/amzn2/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
- Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-oss.repo, with the following contents:
[app-protect-x-oss]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/7/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
- Install the NGINX App Protect WAF v5 package:
sudo yum install app-protect-module-oss
sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss
When prompted to accept the GPG key, verify that the fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, and if so, accept it.
Create the file named /etc/yum.repos.d/nginx.repo with the following contents:
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/amzn/2023/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-oss.repo, with the following contents:
[app-protect-x-oss]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-oss/amzn/2023/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package.
sudo dnf install app-protect-module-oss
Download all NGINX Open Source packages, including all dependencies. We used repotrack, for example.
Install yum-utils:
sudo dnf install yum-utils
For this test deployment, we download the packages inside /etc/packages/:
sudo mkdir /etc/packages/
cd /etc/packages/
sudo repotrack --forcearch x86_64 app-protect-module-oss
Add the NGINX Open Source repository:
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" | \
sudo tee /etc/apt/sources.list.d/nginx.list
Set up repository pinning to prefer our packages over distribution-provided ones:
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | \
sudo tee /etc/apt/preferences.d/99nginx
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-oss/debian `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss
Download all NGINX Open Source packages, including all dependencies:
sudo mkdir -p /etc/packages/
cd /etc/packages/
sudo apt-get update
sudo bash -c 'for i in $(apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss | grep "^\w" | sort -u); do apt-get download $i; done 2>>/etc/packages/errors.txt'
Add the NGINX Open Source repository:
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" | \
sudo tee /etc/apt/sources.list.d/nginx.list
Set up repository pinning to prefer our packages over distribution-provided ones:
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | \
sudo tee /etc/apt/preferences.d/99nginx
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-oss/debian `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss
Download all NGINX Open Source packages, including all dependencies:
sudo mkdir -p /etc/packages/
cd /etc/packages/
sudo apt-get update
sudo bash -c 'for i in $(apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss | grep "^\w" | sort -u); do apt-get download $i; done 2>>/etc/packages/errors.txt'
Create the file named /etc/yum.repos.d/nginx.repo with the following contents:
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-oss.repo, with the following contents:
[app-protect-x-oss]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/7/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package.
sudo yum install app-protect-module-oss
When prompted to accept the GPG key, verify that the fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, and if so, accept it.
Download all NGINX Open Source packages, including all dependencies. We used repotrack, for example.
Install yum-utils:
sudo dnf install yum-utils
For this test deployment, we download the packages inside /etc/packages/:
sudo mkdir /etc/packages/
cd /etc/packages/
sudo repotrack --forcearch x86_64 app-protect-module-oss
Create the file named /etc/yum.repos.d/nginx.repo with the following contents:
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-oss.repo, with the following contents:
[app-protect-x-oss]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/7/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package.
sudo yum install app-protect-module-oss
When prompted to accept the GPG key, verify that the fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, and if so, accept it.
Download all NGINX Open Source packages, including all dependencies. We used repotrack, for example.
Install yum-utils:
sudo dnf install yum-utils
For this test deployment, we download the packages inside /etc/packages/:
sudo mkdir /etc/packages/
cd /etc/packages/
sudo repotrack --forcearch x86_64 app-protect-module-oss
Create the file named /etc/yum.repos.d/nginx.repo with the following contents:
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-oss.repo, with the following contents:
[app-protect-x-oss]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/7/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package.
sudo yum install app-protect-module-oss
When prompted to accept the GPG key, verify that the fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, and if so, accept it.
Download all NGINX Open Source packages, including all dependencies. We used repotrack, for example.
Install yum-utils:
sudo dnf install yum-utils
For this test deployment, we download the packages inside /etc/packages/:
sudo mkdir /etc/packages/
cd /etc/packages/
sudo repotrack --forcearch x86_64 app-protect-module-oss
Add the NGINX Open Source repository:
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | \
sudo tee /etc/apt/sources.list.d/nginx.list
Set up repository pinning to prefer our packages over distribution-provided ones:
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | \
sudo tee /etc/apt/preferences.d/99nginx
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-oss/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss
Download all NGINX Open Source packages, including all dependencies:
sudo mkdir -p /etc/packages/
cd /etc/packages/
sudo apt-get update
sudo bash -c 'for i in $(apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss | grep "^\w" | sort -u); do apt-get download $i; done 2>>/etc/packages/errors.txt'
Add the NGINX Open Source repository:
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | \
sudo tee /etc/apt/sources.list.d/nginx.list
Set up repository pinning to prefer our packages over distribution-provided ones:
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | \
sudo tee /etc/apt/preferences.d/99nginx
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-oss/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss
Download all NGINX Open Source packages, including all dependencies:
sudo mkdir -p /etc/packages/
cd /etc/packages/
sudo apt-get update
sudo bash -c 'for i in $(apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss | grep "^\w" | sort -u); do apt-get download $i; done 2>>/etc/packages/errors.txt'
Add the NGINX Open Source repository:
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | \
sudo tee /etc/apt/sources.list.d/nginx.list
Set up repository pinning to prefer our packages over distribution-provided ones:
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | \
sudo tee /etc/apt/preferences.d/99nginx
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-oss/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss
Download all NGINX Open Source packages, including all dependencies:
sudo mkdir -p /etc/packages/
cd /etc/packages/
sudo apt-get update
sudo bash -c 'for i in $(apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss | grep "^\w" | sort -u); do apt-get download $i; done 2>>/etc/packages/errors.txt'
To use NGINX Plus, you will need to download the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal:
- Log in to MyF5.
- Go to My Products & Plans > Subscriptions to see your active subscriptions.
- Find your NGINX products or services subscription, and select the Subscription ID for details.
- Download the JSON Web Token from the subscription page.
Once you have the license file:
- Copy the license file to /etc/nginx/license.jwt on Linux or /usr/local/etc/nginx/license.jwt on FreeBSD for each NGINX Plus instance.
- SELinux: If you’re running a Linux distribution with SELinux enabled, set the file security context type with the following command:
chcon -t httpd_config_t /etc/nginx/license.jwt
Then you can move on to the next step, depending on your chosen operating system.
Add the NGINX Plus apk repository to the /etc/apk/repositories file:
printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories
Add the NGINX App Protect WAF v5 repository:
printf "https://pkgs.nginx.com/app-protect-x-plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories
Install the NGINX App Protect WAF v5 package:
sudo apk add app-protect-module-plus
Download all NGINX Plus packages, including all dependencies:
sudo mkdir /etc/packages/
sudo apk update
sudo apk fetch --recursive --output /etc/packages app-protect-module-plus
Download the NGINX Plus repository file plus-amazonlinux2023.repo to /etc/yum.repos.d:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-amazonlinux2023.repo
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-plus.repo, with the following contents:
[app-protect-x-plus]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-plus/amzn/2023/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package:
sudo dnf install app-protect-module-plus
Download all NGINX Plus packages, including all dependencies. We used repotrack, for example.
Install yum-utils:
sudo dnf install yum-utils
For this test deployment, we download the packages inside /etc/packages/:
sudo mkdir /etc/packages/
cd /etc/packages/
sudo repotrack --forcearch x86_64 app-protect-module-plus
Add the NGINX Plus repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-plus.list
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-plus/debian `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install app-protect-module-plus
Download all NGINX Open Source packages, including all dependencies:
sudo mkdir -p /etc/packages/
cd /etc/packages/
sudo apt-get update
sudo bash -c 'for i in $(apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances app-protect-module-plus | grep "^\w" | sort -u); do apt-get download $i; done 2>>/etc/packages/errors.txt'
Add the NGINX Plus repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-plus.list
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-plus/debian `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install app-protect-module-plus
Download all NGINX Open Source packages, including all dependencies:
sudo mkdir -p /etc/packages/
cd /etc/packages/
sudo apt-get update
sudo bash -c 'for i in $(apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances app-protect-module-plus | grep "^\w" | sort -u); do apt-get download $i; done 2>>/etc/packages/errors.txt'
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-plus.repo, with the following contents:
[app-protect-x-plus]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package:
sudo dnf install app-protect-module-plus
Download all NGINX Plus packages, including all dependencies. We used repotrack, for example.
Install yum-utils:
sudo dnf install yum-utils
For this test deployment, we download the packages inside /etc/packages/:
sudo mkdir /etc/packages/
cd /etc/packages/
sudo repotrack --forcearch x86_64 app-protect-module-plus
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-plus.repo, with the following contents:
[app-protect-x-plus]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package:
sudo dnf install app-protect-module-plus
Download all NGINX Plus packages, including all dependencies. We used repotrack, for example.
Install yum-utils:
sudo dnf install yum-utils
For this test deployment, we download the packages inside /etc/packages/:
sudo mkdir /etc/packages/
cd /etc/packages/
sudo repotrack --forcearch x86_64 app-protect-module-plus
Create the NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-plus.repo, with the following contents:
[app-protect-x-plus]
name=nginx-app-protect repo
baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/$basearch/
sslclientcert=/etc/ssl/nginx/nginx-repo.crt
sslclientkey=/etc/ssl/nginx/nginx-repo.key
gpgcheck=0
enabled=1
Install the NGINX App Protect WAF v5 package:
sudo dnf install app-protect-module-plus
Download all NGINX Plus packages, including all dependencies. We used repotrack, for example.
Install yum-utils:
sudo dnf install yum-utils
For this test deployment, we download the packages inside /etc/packages/:
sudo mkdir /etc/packages/
cd /etc/packages/
sudo repotrack --forcearch x86_64 app-protect-module-plus
Add the NGINX Plus repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-plus.list
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-plus/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install app-protect-module-plus
Download all NGINX Open Source packages, including all dependencies:
sudo mkdir -p /etc/packages/
cd /etc/packages/
sudo apt-get update
sudo bash -c 'for i in $(apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances app-protect-module-plus | grep "^\w" | sort -u); do apt-get download $i; done 2>>/etc/packages/errors.txt'
Add the NGINX Plus repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-plus.list
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-plus/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install app-protect-module-plus
Download all NGINX Open Source packages, including all dependencies:
sudo mkdir -p /etc/packages/
cd /etc/packages/
sudo apt-get update
sudo bash -c 'for i in $(apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances app-protect-module-plus | grep "^\w" | sort -u); do apt-get download $i; done 2>>/etc/packages/errors.txt'
Add the NGINX Plus repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-plus.list
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://pkgs.nginx.com/app-protect-x-plus/ubuntu `lsb_release -cs` nginx-plus\n" | \
sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install app-protect-module-plus
Download all NGINX Open Source packages, including all dependencies:
sudo mkdir -p /etc/packages/
cd /etc/packages/
sudo apt-get update
sudo apt-get install nginx app-protect-module-oss
Add the NGINX Plus repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-plus.list
Add the NGINX App Protect WAF v5 repository:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-x-plus/ubuntu `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
Install the NGINX App Protect WAF v5 package:
sudo apt-get update
sudo apt-get install app-protect-module-plus
In your NGINX configuration:
Load the NGINX App Protect WAF v5 module at the main context:
load_module modules/ngx_http_app_protect_module.so;
Configure the Enforcer address at the http context:
app_protect_enforcer_address 127.0.0.1:50000;
Enable NGINX App Protect WAF on an http/server/location context (make sure you only enable NGINX App Protect WAF with proxy_pass/grpc_pass locations):
app_protect_enable on;
In this guide, the following files are used on the offline/air-gap machine:
/etc/nginx/nginx.conf
user nginx;
worker_processes auto;
# NGINX App Protect WAF
load_module modules/ngx_http_app_protect_module.so;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    # NGINX App Protect WAF
    app_protect_enforcer_address 127.0.0.1:50000;
    include /etc/nginx/conf.d/*.conf;
}
/etc/nginx/conf.d/default.conf
server {
    listen 80;
    server_name domain.com;
    proxy_http_version 1.1;
    location / {
        # NGINX App Protect WAF
        app_protect_enable on;
        client_max_body_size 0;
        default_type text/html;
        proxy_pass http://127.0.0.1:8080/;
    }
}
server {
    listen 8080;
    server_name localhost;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
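The placement rules for the three directives can be checked mechanically before NGINX is started. The following is an added example, not part of the product documentation: a hypothetical helper, lint_app_protect, that flags any location where app_protect_enable is on (set directly or inherited from its server or http block) but that has no proxy_pass or grpc_pass, and that checks load_module and app_protect_enforcer_address are present. It assumes one directive per line, as in the files above, does not follow include directives (pass every file), and the sample configurations embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not from the product documentation.
# Assumes one directive, block opener or "}" per line, as in the sample files
# in this guide. include directives are not followed: pass every file.

lint_app_protect() {
    # Prints one finding per line; returns 1 if anything was found.
    awk '
    function effective(   i) {
        # Nearest explicit app_protect_enable value, innermost block first.
        for (i = depth; i >= 0; i--)
            if (enable[i] != "") return enable[i]
        return "off"
    }
    FNR == 1 { depth = 0; enable[0] = "" }    # each file starts at top level
    {
        sub(/#.*/, "")                        # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "")           # trim whitespace
        if ($0 == "") next
    }
    $1 == "load_module" && /ngx_http_app_protect_module\.so;$/ { loaded = 1 }
    $1 == "app_protect_enforcer_address" && ctx[depth] == "http" { enforcer = 1 }
    $1 == "app_protect_enable" {
        v = $2; sub(/;$/, "", v); enable[depth] = v
        if (v == "on") any_on = 1
    }
    ($1 == "proxy_pass" || $1 == "grpc_pass") && ctx[depth] == "location" { pass[depth] = 1 }
    /[{]$/ {                                  # block opener: push a context
        depth++
        ctx[depth] = $1; enable[depth] = ""; pass[depth] = 0
        start[depth] = FNR
        name[depth] = $0; sub(/[ \t]*[{]$/, "", name[depth])
        next
    }
    $0 == "}" {                               # block closer: check, then pop
        if (ctx[depth] == "location" && effective() == "on" && !pass[depth]) {
            printf "%s:%d: \"%s\" has the WAF enabled but no proxy_pass/grpc_pass\n",
                   FILENAME, start[depth], name[depth]
            bad = 1
        }
        if (depth > 0) depth--
    }
    END {
        if (any_on && !loaded)   { print "load_module for ngx_http_app_protect_module.so not found"; bad = 1 }
        if (any_on && !enforcer) { print "app_protect_enforcer_address not set in the http context"; bad = 1 }
        exit bad + 0
    }
    ' "$@"
}

# Constructed sample input: the layout used in this guide, plus a variant that
# enables the WAF at server level so that a static location inherits it.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nginx.conf" <<'EOF'
load_module modules/ngx_http_app_protect_module.so;
http {
    app_protect_enforcer_address 127.0.0.1:50000;
}
EOF
cat > "$demo_dir/good.conf" <<'EOF'
server {
    location / {
        app_protect_enable on;
        proxy_pass http://127.0.0.1:8080/;
    }
}
server {
    location / {
        root /usr/share/nginx/html;
    }
}
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
server {
    app_protect_enable on;
    location / {
        proxy_pass http://127.0.0.1:8080/;
    }
    location /static/ {
        root /usr/share/nginx/html;
    }
}
EOF
lint_app_protect "$demo_dir/nginx.conf" "$demo_dir/good.conf" && echo "good.conf: ok"
lint_app_protect "$demo_dir/nginx.conf" "$demo_dir/bad.conf" || echo "bad.conf: findings above"
```

On the machine itself, the call would be lint_app_protect /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf.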
Set up the directories with the correct ownership for NGINX App Protect WAF v5 services, where 101:101 are the default UID/GID.
Create Directories:
sudo mkdir -p /opt/app_protect/config /opt/app_protect/bd_config
Set Ownership:
sudo chown -R 101:101 /opt/app_protect/
Configure Docker to interact with the F5 Container Registry at private-registry.nginx.com:
sudo mkdir -p /etc/docker/certs.d/private-registry.nginx.com
sudo cp <path-to-your-nginx-repo.crt> /etc/docker/certs.d/private-registry.nginx.com/client.cert
sudo cp <path-to-your-nginx-repo.key> /etc/docker/certs.d/private-registry.nginx.com/client.key
Note: The file extension for the certificate file has changed from .crt to .cert.
Pull the waf-enforcer and waf-config-mgr images. Replace 5.2.0 with the actual release version you are deploying.
docker pull private-registry.nginx.com/nap/waf-enforcer:5.2.0
docker pull private-registry.nginx.com/nap/waf-config-mgr:5.2.0
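The images were pulled under their registry-qualified names, so tag them with the short names that the save commands and the docker-compose.yml in this guide use:
docker tag private-registry.nginx.com/nap/waf-enforcer:5.2.0 waf-enforcer:5.2.0
docker tag private-registry.nginx.com/nap/waf-config-mgr:5.2.0 waf-config-mgr:5.2.0
Save the waf-enforcer docker image:
docker save -o waf-enforcer.tar waf-enforcer:5.2.0
Save the waf-config-mgr docker image:
docker save -o waf-config-mgr.tar waf-config-mgr:5.2.0
Transfer the tar files from the online machine to the offline/air-gapped machine.
On the offline machine, load the docker images:
docker load -i waf-enforcer.tar
docker load -i waf-config-mgr.tar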
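The App Protect repository files in this guide set gpgcheck=0, so the package manager does not check signatures on those packages, and docker load accepts whatever tar file it is given. One way to confirm that what reaches the offline machine is what was downloaded is a SHA-256 manifest, shown here as an added example that is not part of the product documentation; make_manifest and verify_manifest are hypothetical names, and the sample files are constructed stand-ins for the image tars and the contents of /etc/packages/.

```shell
#!/bin/sh
# Added example, not from the product documentation.
# make_manifest runs on the online machine, verify_manifest on the offline one.
# Keep the manifest outside the directory it describes.

make_manifest() {
    # $1: directory holding the image tars and downloaded package files.
    # Prints "<sha256>  ./<path>" lines, sorted by path.
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

verify_manifest() {
    # $1: directory received on the offline machine, $2: manifest file.
    # Prints one line per problem; returns 0 only if the directory holds
    # exactly the listed files and every digest matches.
    vm_dir=$1; vm_manifest=$2; vm_rc=0

    # Digest mismatches and missing files (the checksum list is read on stdin).
    vm_failed=$( ( cd "$vm_dir" && LC_ALL=C sha256sum -c 2>/dev/null ) < "$vm_manifest" \
                 | grep -v ': OK$' || true )
    if [ -n "$vm_failed" ]; then printf '%s\n' "$vm_failed"; vm_rc=1; fi

    # Files that arrived but were never listed on the online machine.
    vm_listed=$(sed 's/^[0-9a-f]*  //' "$vm_manifest")
    vm_extra=$( ( cd "$vm_dir" && find . -type f ) | grep -vxF -e "$vm_listed" || true )
    if [ -n "$vm_extra" ]; then
        printf '%s\n' "$vm_extra" | sed 's/$/: NOT IN MANIFEST/'
        vm_rc=1
    fi
    return "$vm_rc"
}

# Constructed stand-ins for the real artifacts, to show both outcomes.
online=$(mktemp -d); offline=$(mktemp -d); manifest=$(mktemp)
printf 'enforcer image bytes\n'   > "$online/waf-enforcer.tar"
printf 'config-mgr image bytes\n' > "$online/waf-config-mgr.tar"
make_manifest "$online" > "$manifest"
cp "$online"/*.tar "$offline"/
verify_manifest "$offline" "$manifest" && echo "transfer verified"
printf 'x' >> "$offline/waf-enforcer.tar"      # simulate damage in transit
verify_manifest "$offline" "$manifest" || echo "transfer rejected"
```

Run verify_manifest before docker load and before installing from /etc/packages/, and carry the manifest over a different channel than the artifacts where that is possible.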
Create a docker-compose.yml with the following configuration on the offline machine:
Replace the waf-enforcer and waf-config-mgr tags with the actual release version tag you are deploying. We are using version 5.2.0 for this example deployment.
services:
  waf-enforcer:
    container_name: waf-enforcer
    image: waf-enforcer:5.2.0
    environment:
      - ENFORCER_PORT=50000
    ports:
      - "50000:50000"
    volumes:
      - /opt/app_protect/bd_config:/opt/app_protect/bd_config
    networks:
      - waf_network
    restart: always
  waf-config-mgr:
    container_name: waf-config-mgr
    image: waf-config-mgr:5.2.0
    volumes:
      - /opt/app_protect/bd_config:/opt/app_protect/bd_config
      - /opt/app_protect/config:/opt/app_protect/config
      - /etc/app_protect/conf:/etc/app_protect/conf
    restart: always
    network_mode: none
    depends_on:
      waf-enforcer:
        condition: service_started
networks:
  waf_network:
    driver: bridge
Note: In some operating systems, security mechanisms like SELinux or AppArmor are enabled by default, potentially blocking necessary file access for the nginx process and the waf-config-mgr and waf-enforcer containers. To ensure NGINX App Protect WAF v5 operates smoothly without compromising security, consider setting up a custom SELinux policy or AppArmor profile. For short-term troubleshooting, you may use permissive (SELinux) or complain (AppArmor) mode to avoid these restrictions, but keep in mind that this lowers security and isn’t advised for prolonged use.
To start the WAF services, navigate to the directory that contains the docker-compose.yml file and run:
sudo docker compose up -d
To start NGINX, run:
sudo nginx
To verify the enforcement functionality, ensure the following request is rejected:
curl "localhost/<script>"
Stop the docker deployment and uninstall the NGINX packages.
To stop the WAF services, navigate to the directory that contains the docker-compose.yml file and run:
sudo docker compose stop
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo apk del app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo apk del app-protect-module-plus
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo yum remove app-protect-module-oss
sudo apt-get remove nginx=1.25.5-1~`lsb_release -cs` app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo yum remove app-protect-module-plus
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo yum remove app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo yum remove app-protect-module-plus
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo apt-get remove app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo apt-get remove app-protect-module-plus
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo apt-get remove app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo apt-get remove app-protect-module-plus
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo dnf remove app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo dnf remove app-protect-module-plus
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo yum remove app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo yum remove app-protect-module-plus
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo dnf remove app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo dnf remove app-protect-module-plus
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo dnf remove app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo dnf remove app-protect-module-plus
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo apt-get remove app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo apt-get remove app-protect-module-plus
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo apt-get remove app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo apt-get remove app-protect-module-plus
For NGINX Open Source, uninstall the NGINX App Protect WAF v5 package:
sudo apt-get remove app-protect-module-oss
For NGINX Plus, uninstall the NGINX App Protect WAF v5 package:
sudo apt-get remove app-protect-module-plus