Installing NGINX App Protect WAF

This guide describes the steps to install the NGINX App Protect WAF v5 for host-based NGINX setups.

Prerequisites

• Active NGINX App Protect WAF subscription in MyF5 (purchased or trial).
• Docker (with Docker Compose) is installed and running.
• A supported operating system (OS).

Install NGINX and NGINX App Protect WAF module

1. If you already have NGINX packages in your system, back up your configs and logs:

   sudo cp -a /etc/nginx /etc/nginx-plus-backup
   sudo cp -a /var/log/nginx /var/log/nginx-plus-backup
   

2. Log in to MyF5 Customer Portal and download your nginx-repo.crt and nginx-repo.key files.

3. If any old NGINX App Protect packages are installed, make sure to remove them.

4. Follow the steps below for the operating system you are working with.

Note:
If not already installed, nginx or nginx-plus will be installed automatically as a dependency.

Alpine Linux 3.16 / Alpine Linux 3.17

Common steps for NGINX Open Source and NGINX Plus

1. Upload nginx-repo.key to /etc/apk/cert.key and nginx-repo.crt to /etc/apk/cert.pem. Make sure that files do not contain other certificates and keys: Alpine Linux does not support mixing client certificates for different repositories.

2. Install prerequisite packages:

   sudo apk add openssl ca-certificates
   

3. Put NGINX signing public key to directory /etc/apk/keys:

   sudo wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub
   

For NGINX Open source

1. Set up the apk repository for mainline nginx packages:

   printf "%s%s%s\n" \
   "http://nginx.org/packages/mainline/alpine/v" \
   `egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release` \
   "/main" \
   | sudo tee -a /etc/apk/repositories
   

2. Add the NGINX App Protect WAF v5 apk repository:

   printf "https://pkgs.nginx.com/app-protect-x-oss/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories
   

3. Install the NGINX App Protect WAF v5 package:

   sudo apk add app-protect-module-oss
   

For NGINX Plus

1. Add the NGINX Plus apk repository to /etc/apk/repositories file:

   printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories
   

2. Add the NGINX App Protect WAF v5 repository:

   printf "https://pkgs.nginx.com/app-protect-x-plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | sudo tee -a /etc/apk/repositories
   

3. Install the NGINX App Protect WAF v5 package:

   sudo apk add app-protect-module-plus
   

Amazon Linux 2

Common steps for NGINX Open Source and NGINX Plus

1. Create the /etc/ssl/nginx directory:

   sudo mkdir -p /etc/ssl/nginx
   

2. Upload nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.

3. Install required dependencies:

   sudo yum install ca-certificates wget
   

4. Remove any previously downloaded NGINX repository files from /etc/yum.repos.d:

   sudo rm /etc/yum.repos.d/nginx*.repo
   sudo rm /etc/yum.repos.d/*app-protect*.repo
   

For NGINX Open source

1. Create the file named /etc/yum.repos.d/nginx.repo with the following contents:

   [nginx-mainline]
   name=nginx mainline repo
   baseurl=http://nginx.org/packages/mainline/amzn2/$releasever/$basearch/
   gpgcheck=1
   enabled=1
   gpgkey=https://nginx.org/keys/nginx_signing.key
   module_hotfixes=true
   

2. Create NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-oss.repo with the following contents:

   [app-protect-x-oss]
   name=nginx-app-protect repo
   baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/7/$basearch/
   sslclientcert=/etc/ssl/nginx/nginx-repo.crt
   sslclientkey=/etc/ssl/nginx/nginx-repo.key
   gpgcheck=0
   enabled=1
   

3. Install the NGINX App Protect WAF v5 package.

   sudo yum install app-protect-module-oss
   sudo apt-get install nginx=1.25.4-1~`lsb_release -cs` app-protect-module-oss 
   

   When prompted to accept the GPG key, verify that the fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, and if so, accept it.

For NGINX Plus

1. Download the NGINX Plus repository file nginx-plus-amazon2.repo to /etc/yum.repos.d:

   sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-amazon2.repo
   

2. Create NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-plus.repo with the following contents:

   [app-protect-x-plus]
   name=nginx-app-protect repo
   baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/7/$basearch/
   sslclientcert=/etc/ssl/nginx/nginx-repo.crt
   sslclientkey=/etc/ssl/nginx/nginx-repo.key
   gpgcheck=0
   enabled=1
   

3. Install the NGINX App Protect WAF v5 package.

   sudo yum install app-protect-module-plus
   

Debian 11 / Debian 12

Common steps for NGINX Open Source and NGINX Plus

1. Create the /etc/ssl/nginx/ directory:

   sudo mkdir -p /etc/ssl/nginx
   

2. Upload nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.

3. Remove any previous NGINX repository and apt configuration files:

   sudo rm /etc/apt/sources.list.d/nginx*.list
   sudo rm /etc/apt/sources.list.d/*app-protect*.list
   sudo rm /etc/apt/apt.conf.d/90pkgs-nginx
   

4. Install prerequisite packages:

   sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring
   

5. Download and add the NGINX signing key:

   wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor \
       | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
   

6. Download the apt configuration to /etc/apt/apt.conf.d:

   sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
   

7. Verify that the downloaded file contains the proper key:

   gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
   

   The output should contain the full fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 as follows:

   pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
         573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
   uid                      nginx signing key <signing-key@nginx.com>
   

   If the fingerprint is different, remove the file.

For NGINX Open source

1. Add the NGINX Open Source repository:

   echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
   http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" \
       | sudo tee /etc/apt/sources.list.d/nginx.list
   

2. Set up repository pinning to prefer our packages over distribution-provided ones:

   echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
       | sudo tee /etc/apt/preferences.d/99nginx
   

3. Add the NGINX App Protect WAF v5 repository:

   printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-x-oss/debian `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
   

4. Install the NGINX App Protect WAF v5 package.

   sudo apt-get update
   sudo apt-get install nginx=1.25.4-1~`lsb_release -cs` app-protect-module-oss
   

For NGINX Plus

1. Add the NGINX Plus repository:

   printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-plus.list
   

2. Add the NGINX App Protect WAF v5 repository:

   printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-x-plus/debian `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
   

3. Install the NGINX App Protect WAF v5 package.

   sudo apt-get update
   sudo apt-get install app-protect-module-plus
   

RHEL 7.4+ / CentOS 7.4+

Common steps for NGINX Open Source and NGINX Plus

1. Create the /etc/ssl/nginx directory:

   sudo mkdir -p /etc/ssl/nginx
   

2. Upload nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.

3. Remove any previously downloaded NGINX repository files from /etc/yum.repos.d:

   sudo rm /etc/yum.repos.d/nginx*.repo
   sudo rm /etc/yum.repos.d/*app-protect*.repo
   

4. Install required dependencies:

   sudo yum install ca-certificates wget
   

5. Download the dependencies.repo file to /etc/yum.repos.d:

   sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
   

For NGINX Open source

1. Create the file named /etc/yum.repos.d/nginx.repo with the following contents:

   [nginx-mainline]
   name=nginx mainline repo
   baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
   gpgcheck=1
   enabled=1
   gpgkey=https://nginx.org/keys/nginx_signing.key
   module_hotfixes=true
   

2. Create NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-oss.repo with the following contents:

   [app-protect-x-oss]
   name=nginx-app-protect repo
   baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/7/$basearch/
   sslclientcert=/etc/ssl/nginx/nginx-repo.crt
   sslclientkey=/etc/ssl/nginx/nginx-repo.key
   gpgcheck=0
   enabled=1
   

3. Install the NGINX App Protect WAF v5 package.

   sudo yum install app-protect-module-oss
   

   When prompted to accept the GPG key, verify that the fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, and if so, accept it.

For NGINX Plus

1. Download the NGINX Plus repository file nginx-plus-7.4.repo to /etc/yum.repos.d:

   sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.4.repo
   

2. Create NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-plus.repo with the following contents:

   [app-protect-x-plus]
   name=nginx-app-protect repo
   baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/7/$basearch/
   sslclientcert=/etc/ssl/nginx/nginx-repo.crt
   sslclientkey=/etc/ssl/nginx/nginx-repo.key
   gpgcheck=0
   enabled=1
   

3. Install the NGINX App Protect WAF v5 package.

   sudo yum install app-protect-module-plus
   

RHEL 8.1+ / Oracle Linux 8.1+

Common steps for NGINX Open Source and NGINX Plus

1. Create the /etc/ssl/nginx directory:

   sudo mkdir -p /etc/ssl/nginx
   

2. Upload nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.

3. Remove any previously downloaded NGINX repository files from /etc/yum.repos.d:

   sudo rm /etc/yum.repos.d/nginx*.repo
   sudo rm /etc/yum.repos.d/*app-protect*.repo
   

4. Install required dependencies:

   sudo dnf install ca-certificates wget
   

5. Download the dependencies.repo file to /etc/yum.repos.d:

   sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
   

For NGINX Open source

1. Create the file named /etc/yum.repos.d/nginx.repo with the following contents:

   [nginx-mainline]
   name=nginx mainline repo
   baseurl=http://nginx.org/packages/mainline/centos/8/$basearch/
   gpgcheck=1
   enabled=1
   gpgkey=https://nginx.org/keys/nginx_signing.key
   module_hotfixes=true
   

2. Create NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-oss.repo with the following contents:

   [app-protect-x-oss]
   name=nginx-app-protect repo
   baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/8/$basearch/
   sslclientcert=/etc/ssl/nginx/nginx-repo.crt
   sslclientkey=/etc/ssl/nginx/nginx-repo.key
   gpgcheck=0
   enabled=1
   

3. Install the NGINX App Protect WAF v5 package.

   sudo dnf install app-protect-module-oss
   

   When prompted to accept the GPG key, verify that the fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, and if so, accept it.

For NGINX Plus

1. Download the NGINX Plus repository file nginx-plus-8.repo to /etc/yum.repos.d:

   sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-8.repo
   

2. Create NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-plus.repo with the following contents:

   [app-protect-x-plus]
   name=nginx-app-protect repo
   baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/$basearch/
   sslclientcert=/etc/ssl/nginx/nginx-repo.crt
   sslclientkey=/etc/ssl/nginx/nginx-repo.key
   gpgcheck=0
   enabled=1
   

3. Install the NGINX App Protect WAF v5 package.

   sudo dnf install app-protect-module-plus
   

RHEL 9

Common steps for NGINX Open Source and NGINX Plus

1. Create the /etc/ssl/nginx directory:

   sudo mkdir -p /etc/ssl/nginx
   

2. Upload nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.

3. Remove any previously downloaded NGINX repository files from /etc/yum.repos.d:

   sudo rm /etc/yum.repos.d/nginx*.repo
   sudo rm /etc/yum.repos.d/*app-protect*.repo
   

4. Install required dependencies:

   sudo dnf install ca-certificates wget
   

5. Download the dependencies.repo file to /etc/yum.repos.d:

   sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
   

For NGINX Open source

1. Create the file named /etc/yum.repos.d/nginx.repo with the following contents:

   [nginx-mainline]
   name=nginx mainline repo
   baseurl=http://nginx.org/packages/mainline/centos/9/$basearch/
   gpgcheck=1
   enabled=1
   gpgkey=https://nginx.org/keys/nginx_signing.key
   module_hotfixes=true
   

2. Create NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-oss.repo with the following contents:

   [app-protect-x-oss]
   name=nginx-app-protect repo
   baseurl=https://pkgs.nginx.com/app-protect-x-oss/centos/9/$basearch/
   sslclientcert=/etc/ssl/nginx/nginx-repo.crt
   sslclientkey=/etc/ssl/nginx/nginx-repo.key
   gpgcheck=0
   enabled=1
   

3. Install the NGINX App Protect WAF v5 package.

   sudo dnf install app-protect-module-oss
   

   When prompted to accept the GPG key, verify that the fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, and if so, accept it.

For NGINX Plus

1. Download the NGINX Plus repository file plus-9.repo to /etc/yum.repos.d:

   sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/plus-9.repo
   

2. Create NGINX App Protect WAF v5 repository file, named /etc/yum.repos.d/app-protect-x-plus.repo with the following contents:

   [app-protect-x-plus]
   name=nginx-app-protect repo
   baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/9/$basearch/
   sslclientcert=/etc/ssl/nginx/nginx-repo.crt
   sslclientkey=/etc/ssl/nginx/nginx-repo.key
   gpgcheck=0
   enabled=1
   

3. Install the NGINX App Protect WAF v5 package.

   sudo dnf install app-protect-module-plus
   

Ubuntu 20.04 / Ubuntu 22.04

Common steps for NGINX Open Source and NGINX Plus

1. Create the /etc/ssl/nginx/ directory:

   sudo mkdir -p /etc/ssl/nginx
   

2. Upload nginx-repo.crt and nginx-repo.key files to the /etc/ssl/nginx/ directory.

3. Remove any previous NGINX repository and apt configuration files:

   sudo rm /etc/apt/sources.list.d/nginx*.list
   sudo rm /etc/apt/sources.list.d/*app-protect*.list
   sudo rm /etc/apt/apt.conf.d/90pkgs-nginx
   

4. Install prerequisite packages:

   sudo apt-get update && sudo apt-get install apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring
   

5. Download and add the NGINX signing key:

   wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor \
       | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
   

6. Download the apt configuration to /etc/apt/apt.conf.d:

   sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
   

7. Verify that the downloaded file contains the proper key:

   gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
   

   The output should contain the full fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 as follows:

   pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
         573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
   uid                      nginx signing key <signing-key@nginx.com>
   

   If the fingerprint is different, remove the file.

For NGINX Open source

1. Add the NGINX Open Source repository:

   echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
   http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \
       | sudo tee /etc/apt/sources.list.d/nginx.list
   

2. Set up repository pinning to prefer our packages over distribution-provided ones:

   echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
       | sudo tee /etc/apt/preferences.d/99nginx
   

3. Add the NGINX App Protect WAF v5 repository:

   printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-x-oss/ubuntu `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
   

4. Install the NGINX App Protect WAF v5 package.

   sudo apt-get update
   sudo apt-get install app-protect-module-oss
   

For NGINX Plus

1. Add the NGINX Plus repository:

   printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-plus.list
   

2. Add the NGINX App Protect WAF v5 repository:

   printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-x-plus/ubuntu `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-app-protect.list
   

3. Install the NGINX App Protect WAF v5 package.

   sudo apt-get update
   sudo apt-get install app-protect-module-plus
   

NGINX Configuration

In your nginx configuration:

1. Load the NGINX App Protect WAF v5 module at the main context:

   load_module modules/ngx_http_app_protect_module.so;
   

2. Configure the Enforcer address at the http context:

   app_protect_enforcer_address 127.0.0.1:50000;
   

3. Enable NGINX App Protect WAF on an http/server/location context (make sure you only enable NGINX App Protect WAF with proxy_pass/grpc_pass locations):

   app_protect_enable on;
   

In this guide, the following files are used:

• nginx.conf
• default.conf

user  nginx;
worker_processes  auto;

# NGINX App Protect WAF
load_module modules/ngx_http_app_protect_module.so;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    # NGINX App Protect WAF
    app_protect_enforcer_address 127.0.0.1:50000;

    include /etc/nginx/conf.d/*.conf;
}

server {
    listen 80;
    server_name domain.com;

    proxy_http_version 1.1;

    location / {

        # NGINX App Protect WAF
        app_protect_enable on;

        client_max_body_size 0;
        default_type text/html;
        proxy_pass http://127.0.0.1:8080/;
    }
}

server {
    listen 8080;
    server_name localhost;


    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

WAF Services Configuration

Permissions

Set up the directories with the correct ownership for NGINX App Protect WAF v5 services, where 101:101 are the default UID/GID.

Create Directories:

sudo mkdir -p /opt/app_protect/config /opt/app_protect/bd_config

Set Ownership:

sudo chown -R 101:101 /opt/app_protect/

Set up Docker for F5 Container Registry

Configure Docker to interact with the F5 Container Registry at private-registry.nginx.com:

sudo mkdir -p /etc/docker/certs.d/private-registry.nginx.com
sudo cp <path-to-your-nginx-repo.crt> /etc/docker/certs.d/private-registry.nginx.com/client.cert
sudo cp <path-to-your-nginx-repo.key> /etc/docker/certs.d/private-registry.nginx.com/client.key

Note:
Please note that the file extension for the certificate file has changed from .crt to .cert

Docker Compose File

Create a docker-compose.yml with the following configuration:

Replace 1.0.0 with the actual release version you are deploying.

version: "3.9"

services:
  waf-enforcer:
    container_name: waf-enforcer
    image: private-registry.nginx.com/nap/waf-enforcer:1.0.0
    environment:
      - ENFORCER_PORT=50000
    ports:
      - "50000:50000"
    volumes:
      - /opt/app_protect/bd_config:/opt/app_protect/bd_config
    networks:
      - waf_network
    restart: always

  waf-config-mgr:
    container_name: waf-config-mgr
    image: private-registry.nginx.com/nap/waf-config-mgr:1.0.0
    volumes:
      - /opt/app_protect/bd_config:/opt/app_protect/bd_config
      - /opt/app_protect/config:/opt/app_protect/config
      - /etc/app_protect/conf:/etc/app_protect/conf
    restart: always
    network_mode: none
    depends_on:
      waf-enforcer:
        condition: service_started

networks:
  waf_network:
    driver: bridge

Note:
In some operating systems, security mechanisms like SELinux or AppArmor are enabled by default, potentially blocking necessary file access for the nginx process and waf-config-mgr and waf-enforcer containers. To ensure NGINX App Protect WAF v5 operates smoothly without compromising security, consider setting up a custom SELinux policy or AppArmor profile. For short-term troubleshooting, you may use permissive (SELinux) or complain (AppArmor) mode to avoid these restrictions, but keep in mind that this lowers security and isn’t advised for prolonged use.

Start the Deployment

1. To start the WAF services, navigate to the directory that contains the docker-compose.yml file and run:

   sudo docker compose up -d
   

2. To start the NGINX, run:

   sudo nginx
   

3. To verify the enforcement functionality, ensure the following request is rejected:

   curl "localhost/<script>"
   

Using Policy and Logging Profile Bundles

To work with custom policy and logging profile bundles, these files must be accessible to the waf-config-mgr container.

1. Assumption: Your bundle files are in /bundles on the host machine.
2. Docker Compose Configuration: In your docker-compose.yml, add a volume mount under the waf-config-mgr service to link the host directory /bundles to the same path inside the container.

...
waf-config-mgr:
  container_name: waf-config-mgr
  image: "private-registry.nginx.com/nap/waf-config-mgr:1.0.0"
  volumes:
    - /bundles:/bundles # Mounting the host directory to the container
    - ... #existing volume mounts

By setting up this volume mount, the bundle files can be referenced within your NGINX configuration using the /bundles directory.

For instance:

app_protect_policy_file /bundles/custom_policy.tgz;
app_protect_security_log /bundles/custom_logging_profile.tgz syslog:server=localhost:5514;

After deploying NGINX App Protect WAF, learn how to utilize the NGINX App Protect WAF Compiler for applying your custom policies and logging profiles.