Installation with NGINX App Protect WAF
This document provides an overview of the steps required to use NGINX App Protect WAF with your NGINX Ingress Controller deployment.
Note: The NGINX Kubernetes Ingress Controller integration with NGINX App Protect WAF requires the use of NGINX Plus.
This document provides an overview of the steps required to use NGINX App Protect WAF with your NGINX Ingress Controller deployment. You can visit the linked documents to find additional information and instructions.
You can also install the Ingress Controller with App Protect WAF by using Helm. Use the controller.appprotect.*
parameters of the chart.
Prerequisites
-
Make sure you have access to the Ingress Controller image:
- For NGINX Plus Ingress Controller, see here for details on how to pull the image from the F5 Docker registry.
- To pull from the F5 Container registry in your Kubernetes cluster, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from here.
- It is also possible to build your own image and push it to your private Docker registry by following the instructions from here).
-
Clone the Ingress Controller repo:
git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.3.2 cd kubernetes-ingress
Build the Docker Image
Take the steps below to create the Docker image that you’ll use to deploy NGINX Ingress Controller with App Protect in Kubernetes.
-
Build the NGINX Ingress Controller image).
When running the
make
command to build the image, be sure to use thedebian-image-nap-plus
target. For example:make debian-image-nap-plus PREFIX=<your Docker registry domain>/nginx-plus-ingress
Alternatively, if you want to run on an OpenShift cluster, you can use the
ubi-image-nap-plus
target.If you want to include the App Protect DoS module in the image, you can use the
debian-image-nap-dos-plus
target or theubi-image-nap-dos-plus
target for OpenShift.If you intend to use external references in NGINX App Protect WAF policies, you may want to provide a custom CA certificate to authenticate with the hosting server. In order to do so, place the
*.crt
file in the build folder and uncomment the lines that follow this comment:#Uncomment the lines below if you want to install a custom CA certificate
Note: External References in the Ingress Controller are deprecated and will not be supported in future releases.
Note: In the event of a patch version of NGINX Plus being released, make sure to rebuild your image to get the latest version. The Dockerfile will use the latest available version of the Attack Signatures and Threat Campaigns packages at the time of build. If your system is caching the Docker layers and not updating the packages, add
DOCKER_BUILD_OPTIONS="--no-cache"
to themake
command. -
[Push the image to your local Docker registry](/nginx-ingress-controller/installation/building-nginx-ingress-controller/#build-image-push-to-private-repo.
Install the Ingress Controller
Take the steps below to set up and deploy the NGINX Ingress Controller and App Protect WAF module in your Kubernetes cluster.
-
Configure role-based access control (RBAC).
Important: You must have an admin role to configure RBAC in your Kubernetes cluster.
-
Enable the App Protect WAF module by adding the
enable-app-protect
cli argument to your Deployment or DaemonSet file.
For more information, see the Configuration guide and the NGINX Ingress Controller with App Protect example resources on GitHub for VirtualServer resources and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/examples/ingress-resources/app-protect-waf" >}}).