2.8.0 release notes

January 30, 2023

NGINX Instance Manager 2.8.0 release notes

Upgrade Paths

NGINX Instance Manager 2.8.0 supports upgrades from these previous versions:

  • 2.5.0 - 2.7.0

If your NGINX Instance Manager version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s new

This release includes the following updates:

  • Enhanced details page for SSL Certificates

    The Instance Manager web interface now features an improved details page for SSL Certificates. This page provides important information about the certificate and any associated instances.

  • Automatic retrieval of Attack Signatures and Threat Campaign updates to Instance Manager

    Instance Manager now allows you to set up automatic downloads of the most recent Attack Signature and Threat Campaign packages. By publishing these updates to your App Protect instances from Instance Manager, you can ensure your applications are shielded from all recognized attack types.

  • Improved WAF Compiler error messages

    The messaging around security policy compilation errors has been improved by providing more detailed information and alerting users if the required compiler version is missing.

Changes in default behavior

This release has the following changes in default behavior:

  • Switching between storing secrets on disk and using Vault migrates secrets

    When transitioning between storing secrets on disk or using HashiCorp Vault, any existing secrets can be easily migrated to the new storage method. For instructions, refer to the guide Configure Vault for Storing Secrets.

  • Create roles using either an object name or UID

    You can now use either an object name or a unique identifier (UID) when assigning object-level permissions while creating or editing a role via the Instance Manager REST API.

  • When upgrading from 2.7 or earlier, you must re-enable precompiled_publication to continue publishing security policies with Instance Manager

    To continue publishing security policies with Instance Manager if you are upgrading from Instance Manager 2.7 and earlier, you must set the precompiled_publication parameter to true in the nginx-agent.conf file.

    In Instance Manager 2.7 and earlier, the precompiled_publication setting was set to true by default. However, starting with Instance Manager 2.8, this setting is set to false by default. This means you will need to change this setting to true again when upgrading from earlier versions.

    To publish App Protect policies from Instance Manager, add the following to your nginx-agent.conf file:

        nginx_app_protect:
           precompiled_publication: true
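
To confirm the setting after an upgrade, the following added example (not part of the original release notes or the NGINX Agent project) reports the effective value of precompiled_publication under the top-level nginx_app_protect key, ignoring commented-out lines and same-named keys in other sections. The function names are hypothetical, the caller supplies the path to nginx-agent.conf, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: report nginx_app_protect.precompiled_publication from an
# nginx-agent.conf file. Function names are hypothetical; pass the file path.

precompiled_publication_state() {
    # Prints "true", "false", or "unset" (unset means the 2.8 default, false).
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        /^[^ \t]/ {                             # an unindented line opens a new top-level key
            in_block = ($0 ~ /^nginx_app_protect:/)
            next
        }
        in_block && /^[ \t]+precompiled_publication:/ {
            val = $0
            sub(/^[ \t]+precompiled_publication:[ \t]*/, "", val)
            sub(/[ \t]*#.*$/, "", val)          # drop a trailing comment
            gsub(/[ \t]/, "", val)              # drop stray whitespace
            state = tolower(val)
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

needs_reenable() {
    # Exit status 0 when the setting is anything other than true, i.e. when
    # policy publishing from Instance Manager would stop after the upgrade.
    [ "$(precompiled_publication_state "$1")" != "true" ]
}

# Constructed sample: the key is commented out, so the 2.8 default applies.
sample=$(mktemp)
printf 'nginx_app_protect:\n   # precompiled_publication: true\n' > "$sample"
if needs_reenable "$sample"; then
    echo "precompiled_publication is not enabled: set it to true to keep publishing policies"
fi
rm -f "$sample"
```

A plain text search for the key would report the commented-out line in the sample as enabled, which is the case this check is written to catch.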

Resolved issues

This release fixes the following issues. Use your browser’s search function to find the issue ID in the page.

  • Web interface reports no license found when a license is present (30647)
  • Associating instances with expired certificates causes internal error (34182)
  • Publishing to an Instance/instance-group will fail when the configuration references a JSON policy or a JSON log profile (38357)
  • Missing dimension data for Advanced Metrics with modules (38634)
  • Large payloads can result in disk I/O error for database operations (38827)
  • The Policy API endpoint only allows NGINX App Protect policy upsert with content length up to 3.14MB (38839)
  • Deploy NGINX App Protect policy is listed as "Not Deployed" on the Policy Version detail page (38876)
  • NGINX Management Suite services may lose connection to ClickHouse in a Kubernetes deployment (39285)
  • NGINX App Protect status may not be displayed after publishing a configuration with a security policy and certificate reference (39382)
  • Security Policy Snippet selector adds incorrect path reference for policy directive (39492)
  • "Unpack: parse error" when compiling security update packages on CentOS 7, RHEL 7, and Amazon Linux 2 (39563)
  • The API Connectivity Manager module won’t load if the Security Monitoring module is enabled (39943)
  • Automatic downloads of attack signatures and threat campaigns are not supported on CentOS 7, RHEL 7, or Amazon Linux 2 (40396)
  • The API Connectivity Manager module won’t load if the Security Monitoring module is enabled (44433)

Known issues

You can find information about known issues in the Known Issues topic.