NGINX Documentation

Using NGINX App Protect with NGINX Controller

Take the steps in this guide to deploy NGINX App Protect as a datapath instance for use with NGINX Controller App Security.

Note: Refer to the NGINX Controller Technical Specifications guide to find out which distributions are supported for use with NGINX Controller and NGINX Controller Agent.

Setup

Before proceeding, you should review the Prerequisites, Platform Security Considerations and User Permissions sections of the NGINX App Protect Admin Guide.

Install NGINX App Protect

Note: When configuring NGINX App Protect as a datapath instance for NGINX Controller App Security, you should not modify the nginx.conf file. The nginx.conf file will be automatically updated when enabling WAF on a Component in NGINX Controller.

CentOS 7.4+

  1. If you already have NGINX packages in your system, back up your configs and logs:

     sudo cp -a /etc/nginx /etc/nginx-plus-backup
     sudo cp -a /var/log/nginx /var/log/nginx-plus-backup
    
  2. Create the /etc/ssl/nginx/ directory:

     sudo mkdir -p /etc/ssl/nginx
    
  3. Log in to the NGINX Customer Portal and download the following two files:

     nginx-repo.key
     nginx-repo.crt
    
  4. Copy the above two files to the CentOS server’s /etc/ssl/nginx/ directory. Use an SCP client or another secure file transfer tool to perform this task.

  5. Install prerequisite packages:

     sudo yum install ca-certificates epel-release wget
    
  6. Add NGINX Plus repository:

     sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.repo
    
  7. Install NGINX App Protect package app-protect-22+3.243.1, which includes NGINX Plus 22 and NGINX App Protect 2.1.1:

     sudo yum install app-protect-22+3.243.1
    
  8. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly:

     sudo nginx -v
    
  9. Configure SELinux as appropriate per your organization’s security policies. App Protect applies the prebuilt SELinux policy module during the installation. If you encounter any issues, check the Troubleshooting Guide.

    Note: NGINX Controller has specific requirements regarding SELinux configuration.

  10. Start the NGINX service:

    sudo systemctl start nginx
    
  11. Verify NGINX Plus and BD processes are running:

    ps -ef | grep nginx  
    ps -ef | grep bd
    

Red Hat Enterprise Linux 7.4+

  1. If you already have NGINX packages in your system, back up your configs and logs:

     sudo cp -a /etc/nginx /etc/nginx-plus-backup
     sudo cp -a /var/log/nginx /var/log/nginx-plus-backup
    
  2. Create the /etc/ssl/nginx/ directory:

     sudo mkdir -p /etc/ssl/nginx
    
  3. Log in to the NGINX Customer Portal and download the following two files:

     nginx-repo.key
     nginx-repo.crt
    
  4. Copy the above two files to the RHEL server’s /etc/ssl/nginx/ directory. Use an SCP client or another secure file transfer tool to perform this task.

  5. Install prerequisite packages:

     sudo yum install ca-certificates wget
    
  6. Add NGINX Plus repository by downloading the file nginx-plus-7.repo to /etc/yum.repos.d:

     sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.repo
    
  7. Enable Yum repositories to pull App Protect dependencies:

    • Download the file dependencies.repo to /etc/yum.repos.d:

        sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
      
    • If you have a RHEL subscription:

        sudo yum-config-manager --enable rhui-REGION-rhel-server-optional rhui-REGION-rhel-server-releases rhel-7-server-optional-rpms
      
    • If you don’t have a RHEL subscription, you can pull the dependencies from the CentOS repository.

      Create a new repository, centos.repo, in /etc/yum.repos.d/ with the content:

        [centos]
        name=CentOS-7
        baseurl=http://ftp.heanet.ie/pub/centos/7/os/x86_64/
        enabled=1
        gpgcheck=1
        gpgkey=http://ftp.heanet.ie/pub/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7
      
  8. Install NGINX App Protect package app-protect-22+3.243.1, which includes NGINX Plus 22 and NGINX App Protect 2.1.1:

     sudo yum install app-protect-22+3.243.1
    
  9. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly:

     sudo nginx -v
    
  10. Configure SELinux as appropriate per your organization’s security policies. App Protect applies the prebuilt SELinux policy module during the installation. If you encounter any issues, check the Troubleshooting Guide.

    Note: NGINX Controller has specific requirements regarding SELinux configuration.

  11. Start the NGINX service:

    sudo systemctl start nginx
    
  12. Verify NGINX Plus and BD processes are running:

    ps -ef | grep nginx  
    ps -ef | grep bd
    

Debian 9

  1. If you already have NGINX packages in your system, back up your configs and logs:

     sudo cp -a /etc/nginx /etc/nginx-plus-backup
     sudo cp -a /var/log/nginx /var/log/nginx-plus-backup
    
  2. Create the /etc/ssl/nginx/ directory:

     sudo mkdir -p /etc/ssl/nginx
    
  3. Log in to the NGINX Customer Portal and download the following two files:

     nginx-repo.key
     nginx-repo.crt
    
  4. Copy the above two files to the Debian server’s /etc/ssl/nginx/ directory. Use an SCP client or another secure file transfer tool to perform this task.

  5. Install apt utils:

     sudo apt-get install apt-transport-https lsb-release ca-certificates wget
    
  6. Download and add the NGINX signing key:

     sudo wget https://cs.nginx.com/static/keys/nginx_signing.key && sudo apt-key add nginx_signing.key
    
  7. Add NGINX Plus repository:

     printf "deb https://plus-pkgs.nginx.com/R22/debian `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-plus.list
    
  8. Download the apt configuration to /etc/apt/apt.conf.d:

     sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90nginx
    
  9. Update the repository and install the NGINX App Protect packages and the NGINX Plus 22 package:

     sudo apt-get update
     sudo apt-get install app-protect-compiler=5.1.0-1~stretch
     sudo apt-get install app-protect-engine=5.1.0-1~stretch
     sudo apt-get install app-protect-plugin=3.243.1-1~stretch
     sudo apt-get install nginx-plus-module-appprotect=22+3.243.1-1~stretch
     sudo apt-get install app-protect=22+3.243.1-1~stretch
    
  10. Check the NGINX binary version to ensure that you have NGINX Plus installed correctly:

    sudo nginx -v
    
  11. Start the NGINX service:

    sudo systemctl start nginx
    
  12. Verify NGINX Plus and BD processes are running

    ps -ef | grep nginx  
    ps -ef | grep bd
    

Ubuntu 18.04

Using NGINX App Protect with NGINX Controller isn’t supported on Ubuntu 18.04.

Add NGINX App Protect to NGINX Controller

Complete the tasks in the NGINX Controller Add an NGINX App Protect Instance guide.

Using App Security with NGINX Controller

Refer to the following NGINX Controller user guides for further information about NGINX Controller App Security: