From 7438f3f8022e47eaf30616fbddabb519bc74a812 Mon Sep 17 00:00:00 2001 
From: "r.nitzan@f5.com" Date: Thu, 4 Dec 2025 13:59:32 +0200 Subject: [PATCH 01/23] feature: dos k8s / dos k8s with ebpf --- .../dos/dockerfiles/alpine-ebpf-manager.md | 28 ++ .../dos/dockerfiles/alpine-plus-dos-waf.md | 35 +- .../dos/dockerfiles/alpine-plus-dos.md | 7 +- .../dos/dockerfiles/amazon-ebpf-manager.md | 23 ++ .../dos/dockerfiles/amazon-plus-dos-waf.md | 46 +++ .../dos/dockerfiles/amazon-plus-dos.md | 8 +- .../dos/dockerfiles/debian-ebpf-manager.md | 34 ++ .../dos/dockerfiles/debian-plus-dos-waf.md | 48 +++ .../dos/dockerfiles/debian-plus-dos.md | 30 +- .../dos/dockerfiles/rhel8-ebpf-manager.md | 28 ++ .../dos/dockerfiles/rhel8-plus-dos-waf.md | 5 + .../dos/dockerfiles/rhel8-plus-dos.md | 11 +- .../dos/dockerfiles/rhel9-ebpf-manager.md | 28 ++ .../dos/dockerfiles/rhel9-plus-dos-waf.md | 5 + .../dos/dockerfiles/rhel9-plus-dos.md | 5 +- .../dos/dockerfiles/rocky9-ebpf-manager.md | 25 ++ .../dos/dockerfiles/rocky9-plus-dos-waf.md | 5 + .../dos/dockerfiles/rocky9-plus-dos.md | 2 - .../dos/dockerfiles/ubuntu-ebpf-manager.md | 40 ++ .../dos/dockerfiles/ubuntu-plus-dos-waf.md | 48 +++ .../dos/dockerfiles/ubuntu-plus-dos.md | 28 +- content/includes/dos/dos-entrypoint.md | 24 ++ content/includes/dos/dos-waf-entrypoint.md | 27 ++ .../includes/dos/ebpf-manager-entrypoint.md | 7 + content/includes/dos/install-post-checks.md | 89 +++++ .../dos/k8s_manifest/backend-nginx.md | 50 +++ .../dos/k8s_manifest/dos-deployment.md | 0 .../k8s_manifest/dos-log-default-configmap.md | 19 + .../dos/k8s_manifest/dos-namespace.md | 9 + .../k8s_manifest/dos-nginx-conf-configmap.md | 67 ++++ .../includes/dos/k8s_manifest/dos-service.md | 18 + .../includes/dos/k8s_manifest/dos-storage.md | 16 + .../k8s_with_ebpf_manifest/backend-nginx.md | 50 +++ .../k8s_with_ebpf_manifest/dos-deployment.md | 112 ++++++ .../dos-log-default-configmap.md | 19 + .../k8s_with_ebpf_manifest/dos-namespace.md | 9 + .../dos-nginx-conf-configmap.md | 69 ++++ .../dos/k8s_with_ebpf_manifest/dos-service.md | 18 + 
.../dos/k8s_with_ebpf_manifest/dos-storage.md | 16 + .../kubernetes-with-L3-mitigation.md | 354 ++++++++++++++++++ .../nap-dos/deployment-guide/kubernetes.md | 259 +++++++++++++ .../learn-about-deployment.md | 99 +---- 42 files changed, 1698 insertions(+), 122 deletions(-) create mode 100644 content/includes/dos/dockerfiles/alpine-ebpf-manager.md create mode 100644 content/includes/dos/dockerfiles/amazon-ebpf-manager.md create mode 100644 content/includes/dos/dockerfiles/debian-ebpf-manager.md create mode 100644 content/includes/dos/dockerfiles/rhel8-ebpf-manager.md create mode 100644 content/includes/dos/dockerfiles/rhel9-ebpf-manager.md create mode 100644 content/includes/dos/dockerfiles/rocky9-ebpf-manager.md create mode 100644 content/includes/dos/dockerfiles/ubuntu-ebpf-manager.md create mode 100644 content/includes/dos/dos-entrypoint.md create mode 100644 content/includes/dos/dos-waf-entrypoint.md create mode 100644 content/includes/dos/ebpf-manager-entrypoint.md create mode 100644 content/includes/dos/install-post-checks.md create mode 100644 content/includes/dos/k8s_manifest/backend-nginx.md create mode 100644 content/includes/dos/k8s_manifest/dos-deployment.md create mode 100644 content/includes/dos/k8s_manifest/dos-log-default-configmap.md create mode 100644 content/includes/dos/k8s_manifest/dos-namespace.md create mode 100644 content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md create mode 100644 content/includes/dos/k8s_manifest/dos-service.md create mode 100644 content/includes/dos/k8s_manifest/dos-storage.md create mode 100644 content/includes/dos/k8s_with_ebpf_manifest/backend-nginx.md create mode 100644 content/includes/dos/k8s_with_ebpf_manifest/dos-deployment.md create mode 100644 content/includes/dos/k8s_with_ebpf_manifest/dos-log-default-configmap.md create mode 100644 content/includes/dos/k8s_with_ebpf_manifest/dos-namespace.md create mode 100644 content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md create mode 100644 
content/includes/dos/k8s_with_ebpf_manifest/dos-service.md create mode 100644 content/includes/dos/k8s_with_ebpf_manifest/dos-storage.md create mode 100644 content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md create mode 100644 content/nap-dos/deployment-guide/kubernetes.md diff --git a/content/includes/dos/dockerfiles/alpine-ebpf-manager.md b/content/includes/dos/dockerfiles/alpine-ebpf-manager.md new file mode 100644 index 0000000000..4a7a008b71 --- /dev/null +++ b/content/includes/dos/dockerfiles/alpine-ebpf-manager.md @@ -0,0 +1,28 @@ +--- +--- + +```dockerfile +# syntax=docker/dockerfile:1 + +# Supported OS_VER's are 3.21/3.22 +ARG OS_VER="3.22" + +# Base image +FROM alpine:${OS_VER} + +# Install F5 DoS ebpf manager for NGINX and create required nginx user +RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ + wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ + && printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories \ + && apk update \ + && apk add app-protect-dos-ebpf-manager \ + && rm -rf /var/cache/apk/* \ + && adduser -D -S -H -s /sbin/nologin nginx + +RUN ebpf_manager_dos -v + +STOPSIGNAL SIGQUIT + +CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"] +``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/alpine-plus-dos-waf.md b/content/includes/dos/dockerfiles/alpine-plus-dos-waf.md index 7366890841..7845f0d724 100644 --- a/content/includes/dos/dockerfiles/alpine-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/alpine-plus-dos-waf.md 
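Review bot: The `STOPSIGNAL SIGQUIT` / `CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"]` pair at the end of alpine-ebpf-manager will not stop the manager gracefully: bash is PID 1 here and, per its manual, ignores SIGQUIT in all cases, so a pod termination is swallowed by the shell and the container is only killed when the grace period expires. If `ebpf_manager_dos` handles SIGQUIT itself, make it PID 1 and keep the log copy via process substitution, `CMD ["bash", "-c", "exec /usr/bin/ebpf_manager_dos > >(tee /shared/ebpf_dos.log) 2>&1"]`; otherwise a small entrypoint that traps the signal and forwards it to the manager is needed. The same CMD/STOPSIGNAL pair is in the amazon, debian, rhel8, rhel9, rocky9 and ubuntu ebpf-manager files. Minor: `egrep` is deprecated in favour of `grep -E`, and the backtick substitution would read better as `$(...)`.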
@@ -10,7 +10,40 @@ ARG OS_VER="3.22" # Base image FROM alpine:${OS_VER} -# Install NGINX Plus and F5 DOS for NGINX +# Download and add the NGINX signing keys: +RUN wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub && \ + wget -O /etc/apk/keys/app-protect-security-updates.rsa.pub https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub +# Add NGINX Plus repository: +RUN printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories +# Add F5 WAF for NGINX & Dos repositories: +RUN printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories && \ + printf "https://pkgs.nginx.com/app-protect/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories && \ + printf "https://pkgs.nginx.com/app-protect-security-updates/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories + +# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which include NGINX Plus): +RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ + --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ + apk update && apk add app-protect app-protect-dos && \ + cat license.jwt > /etc/nginx/license.jwt + +# Forward request logs to Docker log collector: +RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ + ln -sf /dev/stderr /var/log/nginx/error.log + +RUN nginx -v && admd -v +RUN cat /opt/app_protect/VERSION /opt/app_protect/RELEASE + +# Copy configuration files: +COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY entrypoint.sh /root/ +RUN chmod +x /root/entrypoint.sh + +EXPOSE 80 + +STOPSIGNAL SIGQUIT + +CMD ["sh", "/root/entrypoint.sh"] ``` 
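Review bot: `cat license.jwt > /etc/nginx/license.jwt` in the install RUN leaves the license file with default umask permissions, whereas the `*-plus-dos` Dockerfiles in this same patch follow their license write with `chmod 600 /etc/nginx/license.jwt`; append `&& chmod 600 /etc/nginx/license.jwt` to that RUN (the amazon, debian and ubuntu `-plus-dos-waf` files have the same gap). The three pkgs.nginx.com entries appended to `/etc/apk/repositories` are also never removed, so they remain active in the final image where the client certificate is no longer mounted; the debian and amazon WAF variants delete their repository definitions after install, and this file should probably match or explain why it does not.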
diff --git a/content/includes/dos/dockerfiles/alpine-plus-dos.md b/content/includes/dos/dockerfiles/alpine-plus-dos.md index df18076e3a..a00edefe7e 100644 --- a/content/includes/dos/dockerfiles/alpine-plus-dos.md +++ b/content/includes/dos/dockerfiles/alpine-plus-dos.md @@ -24,6 +24,12 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ && ln -sf /dev/stderr /var/log/nginx/error.log \ && rm -rf /var/cache/apk/* +RUN --mount=type=secret,id=nginx_license_secret \ + sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ + chmod 600 /etc/nginx/license.jwt + +RUN nginx -v && admd -v + # Copy configuration files: COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ @@ -34,5 +40,4 @@ EXPOSE 80 STOPSIGNAL SIGQUIT CMD ["sh", "/root/entrypoint.sh"] - ``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/amazon-ebpf-manager.md b/content/includes/dos/dockerfiles/amazon-ebpf-manager.md new file mode 100644 index 0000000000..b926c197f5 --- /dev/null +++ b/content/includes/dos/dockerfiles/amazon-ebpf-manager.md @@ -0,0 +1,23 @@ +--- +--- + +```dockerfile +# For AmazonLinux 2023: +FROM amazonlinux:2023 + +# Install F5 DoS ebpf manager for NGINX and create required nginx user +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install ca-certificates shadow-utils \ + && curl -o /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo \ + && dnf install -y app-protect-dos-ebpf-manager \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && useradd -r -s /usr/sbin/nologin nginx + +RUN ebpf_manager_dos -v + +STOPSIGNAL SIGQUIT + +CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"] +``` \ No newline at end of file 
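Review bot: The new license step `sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt'` succeeds even when the secret was not passed to the build: the mount has no `required=true`, `cat` then fails, but `base64 -d` exits 0 on empty input, so the build continues with an empty `/etc/nginx/license.jwt` that overwrites whatever the preceding install RUN wrote. Use `RUN --mount=type=secret,id=nginx_license_secret,required=true \` followed by `base64 -d /run/secrets/nginx_license_secret > /etc/nginx/license.jwt && chmod 600 /etc/nginx/license.jwt` (the `sh -c` wrapper is redundant inside RUN). A comment explaining why the image takes the license twice would also help — the debian variant's install RUN already mounts `license-jwt` and copies it to the same path, and this file's install RUN header is outside the hunk — so readers know which build secret is actually required. The same step appears in the amazon, debian and rhel8 `-plus-dos` files.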
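Review bot: `curl -o /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo` in the amazon-ebpf-manager install RUN has no `-f`, so on an HTTP error curl saves the error body as the repo file and exits 0; the chain continues and the failure surfaces later as an unrelated dnf error. Use `curl -fsSL -o ...` here and in the rhel8, rhel9 and rocky9 ebpf-manager files and in amazon-plus-dos-waf.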
diff --git a/content/includes/dos/dockerfiles/amazon-plus-dos-waf.md b/content/includes/dos/dockerfiles/amazon-plus-dos-waf.md
index e69de29bb2..dc023d49b1 100644
--- a/content/includes/dos/dockerfiles/amazon-plus-dos-waf.md
+++ b/content/includes/dos/dockerfiles/amazon-plus-dos-waf.md
@@ -0,0 +1,46 @@ +--- +--- + +```dockerfile +# syntax=docker/dockerfile:1 +FROM amazonlinux:2023 + +# Install prerequisite packages: +RUN dnf -y install ca-certificates + +# Add NGINX/NAP WAF/NAP DOS repositories: +RUN curl -o /etc/yum.repos.d/plus-amazonlinux2023.repo https://cs.nginx.com/static/files/plus-amazonlinux2023.repo && \ + curl -o /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo && \ + curl -o /etc/yum.repos.d/app-protect-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo && \ + curl -o /etc/yum.repos.d/dependencies.amazonlinux2023.repo https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo + +# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which include NGINX Plus): +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ + dnf -y install app-protect app-protect-dos && \ + cat license.jwt > /etc/nginx/license.jwt && \ + rm /etc/yum.repos.d/plus-amazonlinux2023.repo && \ + rm /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo && \ + dnf clean all && \ + rm -rf /var/cache/dnf && \ + rm -rf /var/cache/yum + +# Forward request logs to Docker log collector: +RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ + ln -sf /dev/stderr /var/log/nginx/error.log + +RUN nginx -v && admd -v +RUN cat /opt/app_protect/VERSION /opt/app_protect/RELEASE + +# Copy configuration files: +COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY entrypoint.sh /root/ +RUN chmod +x /root/entrypoint.sh + +EXPOSE 80 + +STOPSIGNAL SIGQUIT + +CMD ["sh", "/root/entrypoint.sh"] +``` \ No newline at end of file 
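Review bot: The cleanup at the end of the install RUN removes `plus-amazonlinux2023.repo` and `app-protect-dos-amazonlinux2023.repo` but leaves `app-protect-amazonlinux2023.repo` and `dependencies.amazonlinux2023.repo` enabled in the final image, where the client certificate they presumably reference is only a build-time secret mount. If keeping those two is deliberate (for example so signature updates can be pulled at runtime), say so with a comment such as `# app-protect and dependencies repos are kept on purpose for runtime updates`; otherwise remove them in the same `rm` step.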
diff --git a/content/includes/dos/dockerfiles/amazon-plus-dos.md b/content/includes/dos/dockerfiles/amazon-plus-dos.md index aeff507adb..1abdd34bd8 100644 --- a/content/includes/dos/dockerfiles/amazon-plus-dos.md +++ b/content/includes/dos/dockerfiles/amazon-plus-dos.md @@ -2,7 +2,6 @@ --- ```dockerfile - # For AmazonLinux 2023: FROM amazonlinux:2023 @@ -20,6 +19,12 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +RUN --mount=type=secret,id=nginx_license_secret \ + sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ + chmod 600 /etc/nginx/license.jwt + +RUN nginx -v && admd -v + # Copy configuration files: COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ @@ -30,5 +35,4 @@ EXPOSE 80 STOPSIGNAL SIGQUIT CMD ["sh", "/root/entrypoint.sh"] - ``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/debian-ebpf-manager.md b/content/includes/dos/dockerfiles/debian-ebpf-manager.md new file mode 100644 index 0000000000..bef23b5a52 --- /dev/null +++ b/content/includes/dos/dockerfiles/debian-ebpf-manager.md 
@@ -0,0 +1,34 @@ +--- +--- + +```dockerfile +# Where can be bullseye/bookworm +FROM debian:bullseye + +# Install F5 DoS for NGINX +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + apt-get update \ + && apt-get install -y --no-install-recommends \ + apt-transport-https \ + lsb-release \ + ca-certificates \ + wget \ + gnupg2 \ + debian-archive-keyring \ + && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key \ + | gpg --dearmor \ + | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian $(lsb_release -cs) nginx-plus" \ + > /etc/apt/sources.list.d/nginx-app-protect-dos.list \ + && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ + && DEBIAN_FRONTEND=noninteractive apt-get update \ + && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-dos-ebpf-manager \ + && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* + +RUN ebpf_manager_dos -v + +STOPSIGNAL SIGQUIT + +CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"] +``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/debian-plus-dos-waf.md b/content/includes/dos/dockerfiles/debian-plus-dos-waf.md index e69de29bb2..a69204a420 100644 --- a/content/includes/dos/dockerfiles/debian-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/debian-plus-dos-waf.md 
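Review bot: The install RUN in debian-ebpf-manager never creates the `nginx` user, while every other ebpf-manager file in this patch ends its chain with `useradd -r -s /usr/sbin/nologin nginx` (or the Alpine `adduser`) and describes that user as required. If the manager needs it here too, add `&& useradd -r -s /usr/sbin/nologin nginx` before the cleanup and reuse the header comment the other variants carry, `# Install F5 DoS ebpf manager for NGINX and create required nginx user`; the current `# Install F5 DoS for NGINX` describes a different package.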
@@ -0,0 +1,48 @@ +--- +--- + +```dockerfile +# Where version can be: bullseye/bookworm +FROM debian:bullseye + +# Install prerequisite packages: +RUN apt-get update && \ + apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring && \ + wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \ + wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor | tee /usr/share/keyrings/app-protect-security-updates.gpg > /dev/null + +# Add NGINX Plus, NGINX App Protect and F5 DoS for NGINX repository: +RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect-dos.list \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect.list \ + && printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/app-protect-security-updates.list + +# Download the apt configuration to `/etc/apt/apt.conf.d`: +RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx + +# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which includes NGINX Plus): +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + 
--mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ + apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect app-protect-dos && \ + cat license.jwt > /etc/nginx/license.jwt && \ + apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list /etc/apt/sources.list.d/nginx-app-protect.list /etc/apt/sources.list.d/nginx-app-protect-dos.list && \ + rm -rf /etc/apt/apt.conf.d/90nginx /var/lib/apt/lists/* + +# Forward request logs to Docker log collector: +RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ + ln -sf /dev/stderr /var/log/nginx/error.log + +RUN nginx -v && admd -v +RUN cat /opt/app_protect/VERSION /opt/app_protect/RELEASE + +COPY nginx.conf /etc/nginx/ +COPY entrypoint.sh /root/ +RUN chmod +x /root/entrypoint.sh + +EXPOSE 80 + +STOPSIGNAL SIGQUIT + +CMD ["sh", "/root/entrypoint.sh"] +``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/debian-plus-dos.md b/content/includes/dos/dockerfiles/debian-plus-dos.md index 2f544d3679..6811a655d4 100644 --- a/content/includes/dos/dockerfiles/debian-plus-dos.md +++ b/content/includes/dos/dockerfiles/debian-plus-dos.md @@ -2,7 +2,6 @@ --- ```dockerfile - # Where can be bullseye/bookworm FROM debian:bullseye 
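Review bot: The cleanup `rm -rf /etc/apt/apt.conf.d/90nginx /var/lib/apt/lists/*` at the end of the install RUN does not remove the apt configuration that the earlier `wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx` step saved, because that file is named `90pkgs-nginx`; the config pointing apt at the build-time client certificate therefore stays in the image. Change the path to `/etc/apt/apt.conf.d/90pkgs-nginx` (the `/var/lib/apt/lists/*` on that line is already deleted by the preceding `rm -rf`). The same mismatch is in ubuntu-plus-dos-waf.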
@@ -11,19 +10,33 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ apt-get update \ - && DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring \ - && mkdir -p /etc/ssl/nginx/ /etc/nginx/ \ - && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ - && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ - && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-app-protect-dos.list \ + && apt-get install -y --no-install-recommends \ + apt-transport-https \ + lsb-release \ + ca-certificates \ + wget \ + gnupg2 \ + debian-archive-keyring \ + && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key \ + | gpg --dearmor \ + | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ + && echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian $(lsb_release -cs) nginx-plus" \ + > /etc/apt/sources.list.d/nginx-app-protect-dos.list \ && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ + && DEBIAN_FRONTEND=noninteractive apt-get update \ && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-dos \ && cat license.jwt > /etc/nginx/license.jwt \ - && apt-get remove 
--purge --auto-remove -y \ - && rm -rf /var/lib/apt/lists/* \ + && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* \ && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +RUN --mount=type=secret,id=nginx_license_secret \ + sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ + chmod 600 /etc/nginx/license.jwt + +RUN nginx -v && admd -v + COPY nginx.conf /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh @@ -33,5 +46,4 @@ EXPOSE 80 STOPSIGNAL SIGQUIT CMD ["sh", "/root/entrypoint.sh"] - ``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/rhel8-ebpf-manager.md b/content/includes/dos/dockerfiles/rhel8-ebpf-manager.md new file mode 100644 index 0000000000..58498ebbbe --- /dev/null +++ b/content/includes/dos/dockerfiles/rhel8-ebpf-manager.md @@ -0,0 +1,28 @@ +--- +--- + +```dockerfile +# For UBI 8 +FROM registry.access.redhat.com/ubi8 + +ARG RHEL_ORG +ARG RHEL_ACTIVATION_KEY + +# Install F5 DoS ebpf manager for NGINX and create required nginx user +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ + && dnf -y install ca-certificates \ + && curl -o /etc/yum.repos.d/app-protect-dos-8.repo https://cs.nginx.com/static/files/app-protect-dos-8.repo \ + && dnf -y install app-protect-dos-ebpf-manager \ + && rm /etc/yum.repos.d/app-protect-dos-8.repo \ + && dnf clean all \ + && rm -rf /var/cache/yum \ + && useradd -r -s /usr/sbin/nologin nginx + +RUN ebpf_manager_dos -v + +STOPSIGNAL SIGQUIT + +CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"] +``` \ No newline at end of file 
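Review bot: The rewritten `echo "deb [signed-by=...] https://pkgs.nginx.com/plus/debian $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list` keeps the `\n` from the `printf` it replaced, while the app-protect-dos line directly below was rewritten without one. Debian's `/bin/sh` (dash) happens to expand `\n` in `echo`, but under bash the file would end in a literal `\n` and apt would reject the entry; drop the `\n` so both lines are written the same way. The enclosing RUN starts before this hunk.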
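Review bot: `ARG RHEL_ORG` and `ARG RHEL_ACTIVATION_KEY` in rhel8-ebpf-manager are declared but nothing in the file uses them — there is no `subscription-manager register` step as there is in rhel8-plus-dos — so the build relies on the UBI and EPEL repositories alone. Either drop the two ARG lines or, if the UBI base turns out not to provide the manager's dependencies, add the registration/unregistration chain from rhel8-plus-dos. rhel9-ebpf-manager has the same unused pair.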
diff --git a/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md b/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md index e69de29bb2..8fcc9ce82f 100644 --- a/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md @@ -0,0 +1,5 @@ +--- +--- + +```dockerfile +``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/rhel8-plus-dos.md b/content/includes/dos/dockerfiles/rhel8-plus-dos.md index 12be0b12c1..247b4afdde 100644 --- a/content/includes/dos/dockerfiles/rhel8-plus-dos.md +++ b/content/includes/dos/dockerfiles/rhel8-plus-dos.md @@ -14,7 +14,6 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \ && subscription-manager refresh \ - && subscription-manager attach --auto || true \ && subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms \ && subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms \ && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ @@ -28,9 +27,16 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && dnf clean all \ && rm -rf /var/cache/yum \ && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && subscription-manager unregister # Copy configuration files: +RUN --mount=type=secret,id=nginx_license_secret \ + sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ + chmod 600 /etc/nginx/license.jwt + +RUN nginx -v && admd -v + COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh @@ -40,5 +46,4 @@ EXPOSE 80 STOPSIGNAL SIGQUIT CMD ["sh", "/root/entrypoint.sh"] - ``` \ No newline at end of file 
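Review bot: The new rhel8-plus-dos-waf include holds only an empty ```dockerfile fence, as do rhel9-plus-dos-waf and rocky9-plus-dos-waf, so any page that includes them renders an empty code block with no hint that the content is pending. Either add the Dockerfile or put a placeholder inside the fence such as `# TODO: F5 WAF + DoS Dockerfile for this platform` so the gap is visible to readers.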
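Review bot: The `# Copy configuration files:` comment in rhel8-plus-dos now sits above the new license RUN and `RUN nginx -v && admd -v` rather than the `COPY` lines it describes; move the two new instructions above the comment. `subscription-manager unregister` was appended as the last link of the `&&` chain, so a failure in any earlier step leaves the build container registered against the activation key (the layer is discarded, but the registration on the subscription side presumably is not); consider unregistering on the failure path as well, for example by capturing the install status, unregistering, then exiting with that status. The enclosing RUN starts before this hunk.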
diff --git a/content/includes/dos/dockerfiles/rhel9-ebpf-manager.md b/content/includes/dos/dockerfiles/rhel9-ebpf-manager.md
new file mode 100644
index 0000000000..1080e5f18d
--- /dev/null
+++ b/content/includes/dos/dockerfiles/rhel9-ebpf-manager.md
@@ -0,0 +1,28 @@
+---
+---
+
+```dockerfile
+# For UBI 9
+FROM registry.access.redhat.com/ubi9
+
+ARG RHEL_ORG
+ARG RHEL_ACTIVATION_KEY
+
+# Install F5 DoS ebpf manager for NGINX and create required nginx user
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+ dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
+ && dnf -y install ca-certificates \
+ && curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \
+ && dnf -y install app-protect-dos-ebpf-manager \
+ && rm /etc/yum.repos.d/app-protect-dos-9.repo \
+ && dnf clean all \
+ && rm -rf /var/cache/yum \
+ && useradd -r -s /usr/sbin/nologin nginx
+
+RUN ebpf_manager_dos -v
+
+STOPSIGNAL SIGQUIT
+
+CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"]
+```
\ No newline at end of file
diff --git a/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md b/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md
index e69de29bb2..8fcc9ce82f 100644
--- a/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md
+++ b/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md
@@ -0,0 +1,5 @@
+---
+---
+
+```dockerfile
+```
\ No newline at end of file
diff --git a/content/includes/dos/dockerfiles/rhel9-plus-dos.md b/content/includes/dos/dockerfiles/rhel9-plus-dos.md
index f9bd2550d0..cb0f3e589b 100644
--- a/content/includes/dos/dockerfiles/rhel9-plus-dos.md
+++ b/content/includes/dos/dockerfiles/rhel9-plus-dos.md
@@ -14,7 +14,6 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \ && subscription-manager refresh \ - && subscription-manager attach --auto || true \ && subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms \ && subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms \ && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ @@ -28,7 +27,8 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && dnf clean all \ && rm -rf /var/cache/yum \ && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && subscription-manager unregister # Copy configuration files: COPY nginx.conf custom_log_format.json /etc/nginx/ @@ -40,5 +40,4 @@ EXPOSE 80 STOPSIGNAL SIGQUIT CMD ["sh", "/root/entrypoint.sh"] - ``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/rocky9-ebpf-manager.md b/content/includes/dos/dockerfiles/rocky9-ebpf-manager.md new file mode 100644 index 0000000000..83e3ea9a85 --- /dev/null +++ b/content/includes/dos/dockerfiles/rocky9-ebpf-manager.md 
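Review bot: rhel9-plus-dos receives the `subscription-manager unregister` change but not the `nginx_license_secret` license step and the `RUN nginx -v && admd -v` check that this same patch adds to the alpine, amazon, debian and rhel8 `-plus-dos` files; rocky9-plus-dos is likewise left without them. If the omission is deliberate, a sentence in the deployment guide saying which images take the base64 license secret would prevent confusion; otherwise add the same two instructions here. The enclosing RUN starts before this hunk.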
@@ -0,0 +1,25 @@ +--- +--- + +```dockerfile +# syntax=docker/dockerfile:1 +# For Rocky Linux 9 +FROM rockylinux:9 + +# Install F5 DoS ebpf manager for NGINX and create required nginx user +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install ca-certificates epel-release 'dnf-command(config-manager)' \ + && curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \ + && dnf config-manager --set-enabled crb \ + && dnf install -y app-protect-dos-ebpf-manager \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && useradd -r -s /usr/sbin/nologin nginx + +RUN ebpf_manager_dos -v + +STOPSIGNAL SIGQUIT + +CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"] +``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/rocky9-plus-dos-waf.md b/content/includes/dos/dockerfiles/rocky9-plus-dos-waf.md index e69de29bb2..8fcc9ce82f 100644 --- a/content/includes/dos/dockerfiles/rocky9-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/rocky9-plus-dos-waf.md @@ -0,0 +1,5 @@ +--- +--- + +```dockerfile +``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/rocky9-plus-dos.md b/content/includes/dos/dockerfiles/rocky9-plus-dos.md index b779713b22..cff5570bc3 100644 --- a/content/includes/dos/dockerfiles/rocky9-plus-dos.md +++ b/content/includes/dos/dockerfiles/rocky9-plus-dos.md @@ -2,7 +2,6 @@ --- ```dockerfile - # syntax=docker/dockerfile:1 # For Rocky Linux 9 FROM rockylinux:9 @@ -32,5 +31,4 @@ EXPOSE 80 STOPSIGNAL SIGQUIT CMD ["sh", "/root/entrypoint.sh"] - ``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/ubuntu-ebpf-manager.md b/content/includes/dos/dockerfiles/ubuntu-ebpf-manager.md new file mode 100644 index 0000000000..e58e530dc6 --- /dev/null 
+++ b/content/includes/dos/dockerfiles/ubuntu-ebpf-manager.md @@ -0,0 +1,40 @@ +--- +--- + +```dockerfile +# syntax=docker/dockerfile:1 +# For Ubuntu + +# Where version can be: jammy/noble +FROM ubuntu:noble + +# Install F5 DoS ebpf manager for NGINX and create required nginx user +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + apt-get update \ + && apt-get install -y --no-install-recommends \ + apt-transport-https \ + lsb-release \ + ca-certificates \ + wget \ + gnupg2 \ + ubuntu-keyring \ + && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key \ + | gpg --dearmor \ + | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/ubuntu $(lsb_release -cs) nginx-plus" \ + > /etc/apt/sources.list.d/nginx-app-protect-dos.list \ + && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ + && DEBIAN_FRONTEND=noninteractive apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y app-protect-dos-ebpf-manager \ + && apt-get remove --purge --auto-remove -y \ + && rm -rf /var/lib/apt/lists/* \ + && useradd -r -s /usr/sbin/nologin nginx + +STOPSIGNAL SIGQUIT + +RUN ebpf_manager_dos -v + +# Idle forever +CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"] +``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/ubuntu-plus-dos-waf.md b/content/includes/dos/dockerfiles/ubuntu-plus-dos-waf.md index e69de29bb2..17c657d18f 100644 --- a/content/includes/dos/dockerfiles/ubuntu-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/ubuntu-plus-dos-waf.md 
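Review bot: The `# Idle forever` comment above the CMD in ubuntu-ebpf-manager is stale: the command runs `/usr/bin/ebpf_manager_dos` and copies its output to `/shared/ebpf_dos.log`, it does not idle. Replace it with `# Run the eBPF manager, mirroring its output to the shared log`. This file also places `STOPSIGNAL SIGQUIT` before `RUN ebpf_manager_dos -v`, the reverse of the other ebpf-manager variants; aligning the order keeps the files diffable against each other.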
@@ -0,0 +1,48 @@
+---
+---
+
+```dockerfile
+# Where version can be:jammy/noble
+FROM ubuntu:noble
+
+# Install prerequisite packages:
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring && \
+ wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
+ wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor | tee /usr/share/keyrings/app-protect-security-updates.gpg > /dev/null
+
+# Add NGINX Plus, NGINX App Protect and F5 DoS for NGINX repository:
+RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \
+ && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect-dos.list \
+ && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect.list \
+ && printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/app-protect-security-updates.list
+
+# Download the apt configuration to `/etc/apt/apt.conf.d`:
+RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
+
+# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which include NGINX Plus):
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \
+ apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect app-protect-dos && \
+ cat license.jwt > /etc/nginx/license.jwt && \
+ apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list /etc/apt/sources.list.d/nginx-app-protect.list /etc/apt/sources.list.d/nginx-app-protect-dos.list && \
+ rm -rf /etc/apt/apt.conf.d/90nginx /var/lib/apt/lists/*
+
+# Forward request logs to Docker log collector:
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
+ ln -sf /dev/stderr /var/log/nginx/error.log
+
+RUN nginx -v && admd -v
+RUN cat /opt/app_protect/VERSION /opt/app_protect/RELEASE
+
+COPY nginx.conf /etc/nginx/
+COPY entrypoint.sh /root/
+RUN chmod +x /root/entrypoint.sh
+
+EXPOSE 80
+
+STOPSIGNAL SIGQUIT
+
+CMD ["sh", "/root/entrypoint.sh"]
+```
\ No newline at end of file
diff --git a/content/includes/dos/dockerfiles/ubuntu-plus-dos.md b/content/includes/dos/dockerfiles/ubuntu-plus-dos.md
index 90db16e600..c549efdc60 100644
--- a/content/includes/dos/dockerfiles/ubuntu-plus-dos.md
+++ b/content/includes/dos/dockerfiles/ubuntu-plus-dos.md
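Review bot: The cleanup at the end of the install `RUN` removes `/etc/apt/apt.conf.d/90nginx`, but the file downloaded two steps earlier is `90pkgs-nginx`, so the apt configuration that points at the repository client certificate stays in the final image; the last line should be `rm -rf /etc/apt/apt.conf.d/90pkgs-nginx /var/lib/apt/lists/*`. `cat license.jwt > /etc/nginx/license.jwt` leaves the license world-readable (the redirect creates the file with the default umask), whereas the ubuntu-plus-dos Dockerfile in the next hunk follows its copy with `chmod 600 /etc/nginx/license.jwt`; the same line belongs here. The security-updates repository line uses `.../app-protect-security-updates/debian` on an Ubuntu base, which may be deliberate but is worth confirming against the published repository layout. The `lsb_release -cs` backticks are fine, but `$(lsb_release -cs)` as used by the sibling Dockerfiles would keep the style consistent.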
@@ -2,32 +2,44 @@ --- ```dockerfile - # syntax=docker/dockerfile:1 # For Ubuntu # Where version can be: jammy/noble FROM ubuntu:noble -# Setup repository keys -RUN apt-get update && \ - # Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ apt-get update \ - && apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring \ - && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ - && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ - && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/ubuntu $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-app-protect-dos.list \ + && apt-get install -y --no-install-recommends \ + apt-transport-https \ + lsb-release \ + ca-certificates \ + wget \ + gnupg2 \ + ubuntu-keyring \ + && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key \ + | gpg --dearmor \ + | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ + && echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/ubuntu $(lsb_release -cs) nginx-plus" \ + > /etc/apt/sources.list.d/nginx-app-protect-dos.list \ && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ + && DEBIAN_FRONTEND=noninteractive apt-get update \ && DEBIAN_FRONTEND="noninteractive" apt-get 
install -y app-protect-dos \ && cat license.jwt > /etc/nginx/license.jwt \ && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* \ && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +RUN --mount=type=secret,id=nginx_license_secret \ + sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ + chmod 600 /etc/nginx/license.jwt + +RUN nginx -v && admd -v + COPY nginx.conf /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh diff --git a/content/includes/dos/dos-entrypoint.md b/content/includes/dos/dos-entrypoint.md new file mode 100644 index 0000000000..3f66756a79 --- /dev/null +++ b/content/includes/dos/dos-entrypoint.md @@ -0,0 +1,24 @@ +--- +nd-docs: null +nd-files: +- content/nap-dos/deployment-guide/learn-about-deployment.md +- content/nap-dos/deployment-guide/kubernetes.md +- content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +--- + +```shell + #!/usr/bin/env bash + + USER=nginx + LOGDIR=/var/log/adm + + # prepare environment + mkdir -p /var/run/adm /tmp/cores ${LOGDIR} + chmod 755 /var/run/adm /tmp/cores ${LOGDIR} + chown ${USER}:${USER} /var/run/adm /tmp/cores ${LOGDIR} + + # run processes + /bin/su -s /bin/bash -c "/usr/bin/adminstall > ${LOGDIR}/adminstall.log 2>&1" ${USER} + /bin/su -s /bin/bash -c "/usr/bin/admd -d --log info > ${LOGDIR}/admd.log 2>&1 &" ${USER} + /usr/sbin/nginx -g 'daemon off;' +``` \ No newline at end of file diff --git a/content/includes/dos/dos-waf-entrypoint.md b/content/includes/dos/dos-waf-entrypoint.md new file mode 100644 index 0000000000..ce1ad43f5b --- /dev/null +++ b/content/includes/dos/dos-waf-entrypoint.md 
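Review bot: The new `echo "deb ... nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list` replaced a `printf` but kept the trailing `\n`; whether that becomes a newline or a literal backslash-n depends on the shell behind `RUN` (dash's builtin `echo` expands it, bash's does not), so the sources file is either padded or malformed depending on the image. Drop the `\n`, as the `app-protect-dos` line directly below already does. The added `RUN --mount=type=secret,id=nginx_license_secret ...` overwrites the `/etc/nginx/license.jwt` that the preceding `RUN` already wrote from the `license-jwt` secret, and the build commands in the guide pages later in this patch pass only `license-jwt`, so `cat /run/secrets/nginx_license_secret` would fail for a reader following the guide; keep one mechanism, or document that the second step requires `--secret id=nginx_license_secret` with a base64-encoded token. The `chmod 600 /etc/nginx/license.jwt` is the right call and should survive whichever variant is kept.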
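Review bot: The exit status of `adminstall` is discarded: `su -c` returns the command's status, but the script goes on to start `admd` and nginx regardless, and the only trace of a failed install is in `${LOGDIR}/adminstall.log`. If a failed install should stop the container, append `|| { echo "adminstall failed, see ${LOGDIR}/adminstall.log" >&2; exit 1; }` to that line; if it is deliberately best-effort, a comment saying so would prevent a later reviewer from adding `set -e` and changing the behaviour. The same pattern is in dos-waf-entrypoint in the next hunk. Note that the Dockerfiles in this patch run this file as `sh /root/entrypoint.sh`, so the `#!/usr/bin/env bash` shebang does not select the interpreter; the script looks POSIX-compatible, and a comment such as `# Invoked as "sh entrypoint.sh" — keep this file POSIX sh compatible` would keep bashisms out.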
@@ -0,0 +1,27 @@ +--- +nd-docs: null +nd-files: +- content/nap-dos/deployment-guide/learn-about-deployment.md +- content/nap-dos/deployment-guide/kubernetes.md +- content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +--- + + +```shell + + #!/usr/bin/env bash + USER=nginx + LOGDIR=/var/log/adm + + # prepare environment + mkdir -p /var/run/adm /tmp/cores ${LOGDIR} + chmod 755 /var/run/adm /tmp/cores ${LOGDIR} + chown ${USER}:${USER} /var/run/adm /tmp/cores ${LOGDIR} + + # run processes + /bin/su -s /bin/bash -c "/usr/bin/adminstall > ${LOGDIR}/adminstall.log 2>&1" ${USER} + /bin/su -s /bin/bash -c "/opt/app_protect/bin/bd_agent &" ${USER} + /bin/su -s /bin/bash -c "/usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 307200000 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config 2>&1 > /var/log/app_protect/bd-socket-plugin.log &" ${USER} + /bin/su -s /bin/bash -c "/usr/bin/admd -d --log info > ${LOGDIR}/admd.log 2>&1 &" ${USER} + /usr/sbin/nginx -g 'daemon off;' +``` \ No newline at end of file diff --git a/content/includes/dos/ebpf-manager-entrypoint.md b/content/includes/dos/ebpf-manager-entrypoint.md new file mode 100644 index 0000000000..385e3219d5 --- /dev/null +++ b/content/includes/dos/ebpf-manager-entrypoint.md @@ -0,0 +1,7 @@ +--- +nd-docs: null +nd-files: +- content/nap-dos/deployment-guide/learn-about-deployment.md +- content/nap-dos/deployment-guide/kubernetes.md +- content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +--- \ No newline at end of file diff --git a/content/includes/dos/install-post-checks.md b/content/includes/dos/install-post-checks.md new file mode 100644 index 0000000000..e34cddbec4 --- /dev/null +++ b/content/includes/dos/install-post-checks.md 
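Review bot: On the `bd-socket-plugin` line, `2>&1 > /var/log/app_protect/bd-socket-plugin.log` is applied left to right, so stderr is duplicated onto the inner shell's original stdout and only stdout reaches the log file, unlike the other lines which use `> file 2>&1`. If stderr is meant to go to the log, reorder to `... no_static_config > /var/log/app_protect/bd-socket-plugin.log 2>&1 &`. If it is intentional that plugin errors surface on the container's stdout, a short comment on that line would stop the order being "fixed" later. The blank line between the fence and the shebang is harmless here because the Dockerfile runs the script via `sh`, but it differs from dos-entrypoint and will confuse anyone who copies the file and tries to execute it directly.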
@@ -0,0 +1,89 @@ +--- +nd-docs: null +nd-files: +- content/nap-dos/deployment-guide/learn-about-deployment.md +- content/nap-dos/deployment-guide/kubernetes.md +- content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +--- + +You can run the following commands to ensure that F5 DoS for NGINX enforcement is operational. + +1. Check that the three processes needed for F5 DoS for NGINX are running using `ps aux`: + + - admd + - nginx: master process + - nginx: worker process + + ```shell + USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND + nginx 7759 0.0 0.0 113120 1200 ? Ss Sep06 0:00 /bin/sh -c /usr/bin/admd -d --log info > /var/log/adm/admd.log 2>&1 + root 7765 0.0 0.0 87964 1464 ? Ss Sep06 0:00 nginx: master process /usr/sbin/nginx -g daemon off; + nginx 7767 0.0 0.1 615868 8188 ? Sl Sep06 0:04 nginx: worker process + ``` + +2. Verify that there are no NGINX errors in the `/var/log/nginx/error.log` and that the policy compiled successfully: + + ```shell + 2020/09/07 15:33:44 [notice] 9307#9307: using the "epoll" event method + 2020/09/07 15:33:44 [notice] 9307#9307: nginx/1.19.0 (nginx-plus-r22) + 2020/09/07 15:33:44 [notice] 9307#9307: built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) + 2020/09/07 15:33:44 [notice] 9307#9307: OS: Linux 3.10.0-327.28.3.el7.x86_64 + 2020/09/07 15:33:44 [notice] 9307#9307: getrlimit(RLIMIT_NOFILE): 1024:4096 + 2020/09/07 15:33:44 [notice] 9310#9310: start worker processes + 2020/09/07 15:33:44 [notice] 9310#9310: start worker process 9311 + PID <9311>, WORKER <0>, Function adm_ngx_init_process, line 684, version: 22+1.19.4-1.el7.ngx + ``` + +3. Check that by applying an attack, the attacker IP addresses are blocked while the good traffic pass through: + + a. Simulate good traffic: + + ```shell + echo "Start Good Traffic 2" + while true; do + curl ${VS}/good1 & + curl ${VS}/good2 & + curl ${VS}/good3 & + curl ${VS}/good4 + sleep 0.1 + done & + ``` + + b. 
After 7 minutes start the attack: + + ```shell + while [ true ] + do + ab -B ${BAD_IP1} -l -r -n 1000000 -c 150 -d -H "Host: evil.net" -H "Pragma: no-cache" -H "Cache-Control: no-cache" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" -H "Upgrade-Insecure-Requests: 1" -H "User-Agent: WireXBot" -H "x-requested-with:" -H "Referer: http://10.0.2.1/none.html" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US" http://${VS}/ & + ab -B ${BAD_IP2} -l -r -n 1000000 -c 150 -d -H "Host: evil.net" -H "Pragma: no-cache" -H "Cache-Control: no-cache" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" -H "Upgrade-Insecure-Requests: 1" -H "User-Agent: WireXBot" -H "x-requested-with:" -H "Referer: http://10.0.2.1/none.html" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US" http://${VS}/ & + ab -B ${BAD_IP3} -l -r -n 1000000 -c 150 -d -s 10 -H "Host: evil.net" -H "Pragma: no-cache" -H "Cache-Control: no-cache" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" -H "Upgrade-Insecure-Requests: 1" -H "User-Agent: WireXBot" -H "x-requested-with:" -H "Referer: http://10.0.2.1/none.html" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US" http://${VS}/ + + killall ab + done + ``` + + c. See that the good traffic continue as usual while the attackers receive denial of service. + +4. For DOS with L3 mitigation enabled + +Check that the ebpf_manager_dos process needed for F5 DoS for NGINX is running using `ps aux | grep /usr/bin/ebpf_manager_dos`: + +``` +root 1 0.0 0.0 4324 3072 ? Ss 19:32 0:00 bash -c /usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log +root 7 0.2 0.0 1722732 14208 ? 
Sl 19:32 0:01 /usr/bin/ebpf_manager_dos +root 46 0.0 0.0 3528 1792 pts/0 S+ 19:44 0:00 grep --color=auto /usr/bin/ebpf_manager_dos +``` + +Verify that there are no errors in the `/shared/ebpf_dos.log` and that the XDP program uploaded successfully: + +```[2025-12-02 19:32:12] INFO: Uninstall old eBPF maps and XDP program +[2025-12-02 19:32:13] INFO: Install eBPF maps and XDP program +[2025-12-02 19:32:13] INFO: Start ebpf manager +[2025-12-02 19:32:13] INFO: Version: 36+4.8.3-1~noble +[2025-12-02 19:32:13] INFO: Start Periodic task for update time +[2025-12-02 19:32:13] INFO: Owner of the UDS has been changed to user nginx and group nginx. +[2025-12-02 19:32:13] INFO: Permissions of the UDS have been changed successfully for user nginx and group nginx. +[2025-12-02 19:32:13] INFO: Async Callback Server listening on unix:/shared/ebpf_manager_dos_uds +``` + +To check F5 WAF for NGINX alongside F5 DoS for NGINX, just perform the normal tests as specified at [Admin Guide](https://docs.nginx.com/waf/install/virtual-environment/#post-installation-checks) diff --git a/content/includes/dos/k8s_manifest/backend-nginx.md b/content/includes/dos/k8s_manifest/backend-nginx.md new file mode 100644 index 0000000000..0f20241501 --- /dev/null +++ b/content/includes/dos/k8s_manifest/backend-nginx.md 
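Review bot: The fenced block for the eBPF manager log opens with the first log line on the fence line (```` ```[2025-12-02 19:32:12] INFO: Uninstall old eBPF maps and XDP program ````), so that line becomes the fence's info string and is not rendered; open the block with ```` ```text ```` and move the `Uninstall old eBPF maps and XDP program` line onto its own line inside it. The `ps aux | grep /usr/bin/ebpf_manager_dos` sample output includes the `grep` process itself, which can mislead a reader into thinking there are three manager-related processes; `pgrep -af ebpf_manager_dos` lists only the manager, assuming procps is present in the image. Section 4's `ps` block also has no language tag; `text` keeps it consistent with the earlier fences.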
@@ -0,0 +1,50 @@ +--- +--- + +```backend-nginx.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: backend-nginx + namespace: app-protect-dos + labels: + app: backend-nginx +spec: + replicas: 1 + selector: + matchLabels: + app: backend-nginx + template: + metadata: + labels: + app: backend-nginx + spec: + containers: + - name: nginx + image: nginx:stable + ports: + - containerPort: 8080 + command: ["/bin/sh", "-c"] + args: + - | + # Change default port from 80 to 8080 + sed -i 's/listen 80;/listen 8080;/g' /etc/nginx/conf.d/default.conf + nginx -g "daemon off;" +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-backend-nginx + namespace: app-protect-dos + labels: + app: backend-nginx +spec: + type: ClusterIP + selector: + app: backend-nginx + ports: + - name: http + port: 8080 + targetPort: 8080 + protocol: TCP +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_manifest/dos-deployment.md b/content/includes/dos/k8s_manifest/dos-deployment.md new file mode 100644 index 0000000000..e69de29bb2 diff --git a/content/includes/dos/k8s_manifest/dos-log-default-configmap.md b/content/includes/dos/k8s_manifest/dos-log-default-configmap.md new file mode 100644 index 0000000000..7d1d4848d6 --- /dev/null +++ b/content/includes/dos/k8s_manifest/dos-log-default-configmap.md @@ -0,0 +1,19 @@ +--- +--- + +```dos-log-default-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: dos-log-default + namespace: app-protect-dos +data: + log-default.json: | + { + "filter": { + "traffic-mitigation-stats": "all", + "bad-actors": "all", + "attack-signatures": "all" + } + } +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_manifest/dos-namespace.md b/content/includes/dos/k8s_manifest/dos-namespace.md new file mode 100644 index 0000000000..1e91798fc0 --- /dev/null +++ b/content/includes/dos/k8s_manifest/dos-namespace.md 
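Review bot: The container `args` run `sed -i 's/listen 80;/listen 8080;/g' /etc/nginx/conf.d/default.conf`, which only matches a single space between `listen` and `80;`; if the image's `default.conf` aligns the directive with several spaces (the stock nginx image does, to be confirmed against `nginx:stable`), nothing is replaced, nginx keeps listening on 80 and the Service's `targetPort: 8080` is refused. `sed -i 's/listen[[:space:]][[:space:]]*80;/listen 8080;/' /etc/nginx/conf.d/default.conf` tolerates either layout. The fence info string `backend-nginx.yaml` is a filename rather than a language, so the block will not be highlighted as YAML; the same manifest is duplicated byte-for-byte under `k8s_with_ebpf_manifest/backend-nginx.md` later in this patch, where both points apply too.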
@@ -0,0 +1,9 @@ +--- +--- + +```dos-namespace.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: app-protect-dos +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md b/content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md new file mode 100644 index 0000000000..35095aab74 --- /dev/null +++ b/content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md 
@@ -0,0 +1,67 @@ +--- +--- + +```dos-nginx-conf-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: dos-nginx-conf + namespace: app-protect-dos +data: + nginx.conf: | + + user nginx; + worker_processes auto; + error_log /var/log/nginx/error.log error; + worker_rlimit_nofile 65535; + + load_module modules/ngx_http_app_protect_dos_module.so; + + working_directory /tmp/cores; + + events { + worker_connections 65535; + } + + http { + + app_protect_dos_arb_fqdn svc-appprotect-dos-arb.arb.svc.cluster.local; + + sendfile on; + tcp_nopush on; + keepalive_timeout 65; + + log_format log_dos + ', vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, ' + 'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, ' + 'ip_tls=$remote_addr:$app_protect_dos_tls_fp, '; + + upstream backend { + server svc-backend-nginx:8080; + } + + # Health endpoints for probes + server { + listen 8090; + location /app_protect_dos_liveness { return 200; } + location /app_protect_dos_readiness { return 200; } + } + + server { + listen 80 reuseport; + server_name serv; + + access_log /var/log/nginx/access.log log_dos if=$loggable; + app_protect_dos_security_log_enable on; + app_protect_dos_security_log "/etc/app_protect_dos/log-default.json" syslog:server=10.197.30.219:5261; + app_protect_dos_policy_file "/etc/app_protect_dos/BADOSDefaultPolicy.json"; + + location / { + app_protect_dos_enable on; + app_protect_dos_name "main_serv"; + app_protect_dos_monitor uri=http://serv:80/ protocol=http1; + proxy_pass http://backend; + } + } + } +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_manifest/dos-service.md b/content/includes/dos/k8s_manifest/dos-service.md new file mode 100644 index 0000000000..6f5e776b27 --- /dev/null +++ b/content/includes/dos/k8s_manifest/dos-service.md 
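Review bot: `access_log /var/log/nginx/access.log log_dos if=$loggable;` references `$loggable`, which nothing in this nginx.conf defines (there is no `map` or `set` for it); unless the DoS module provides that variable, nginx will refuse to start with an unknown-variable error and the pod will crash-loop before the probes ever pass. Either drop the `if=$loggable` clause or define it, for example `map $app_protect_dos_outcome $loggable { default 1; }` (a constructed example — choose the condition you actually want). The security log is shipped to a hard-coded lab address in `syslog:server=10.197.30.219:5261;`; a published manifest should carry an obvious placeholder such as `SYSLOG_SERVER:PORT` and the page should tell the reader to replace it. The same two points apply to the `k8s_with_ebpf_manifest` copy of this ConfigMap later in the patch.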
@@ -0,0 +1,18 @@ +--- +--- + +```dos-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: nap-dos + namespace: app-protect-dos +spec: + type: LoadBalancer + ports: + - port: 80 + targetPort: 80 + protocol: TCP + selector: + app: app-protect-dos +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_manifest/dos-storage.md b/content/includes/dos/k8s_manifest/dos-storage.md new file mode 100644 index 0000000000..609d817a7e --- /dev/null +++ b/content/includes/dos/k8s_manifest/dos-storage.md @@ -0,0 +1,16 @@ +--- +--- + +```dos-storage.yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pvc-app-protect-dos-shared + namespace: app-protect-dos +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_with_ebpf_manifest/backend-nginx.md b/content/includes/dos/k8s_with_ebpf_manifest/backend-nginx.md new file mode 100644 index 0000000000..0f20241501 --- /dev/null +++ b/content/includes/dos/k8s_with_ebpf_manifest/backend-nginx.md @@ -0,0 +1,50 @@ +--- +--- + +```backend-nginx.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: backend-nginx + namespace: app-protect-dos + labels: + app: backend-nginx +spec: + replicas: 1 + selector: + matchLabels: + app: backend-nginx + template: + metadata: + labels: + app: backend-nginx + spec: + containers: + - name: nginx + image: nginx:stable + ports: + - containerPort: 8080 + command: ["/bin/sh", "-c"] + args: + - | + # Change default port from 80 to 8080 + sed -i 's/listen 80;/listen 8080;/g' /etc/nginx/conf.d/default.conf + nginx -g "daemon off;" +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-backend-nginx + namespace: app-protect-dos + labels: + app: backend-nginx +spec: + type: ClusterIP + selector: + app: backend-nginx + ports: + - name: http + port: 8080 + targetPort: 8080 + protocol: TCP +``` \ No newline at end of file 
diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-deployment.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-deployment.md new file mode 100644 index 0000000000..30891f58c7 --- /dev/null +++ b/content/includes/dos/k8s_with_ebpf_manifest/dos-deployment.md 
@@ -0,0 +1,112 @@ +--- +--- + +```dos-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-protect-dos + namespace: app-protect-dos + labels: + app: app-protect-dos +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: app-protect-dos + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 2 + maxUnavailable: 1 + template: + metadata: + labels: + app: app-protect-dos + spec: + containers: + - name: nginx-app-protect-dos + image: /: + imagePullPolicy: Always + + command: ["/bin/bash", "-c"] + args: + - | + /root/entrypoint.sh + + resources: + requests: + cpu: "200m" + memory: "500Mi" + limits: + cpu: "900m" + memory: "800Mi" + + ports: + - containerPort: 80 + name: web + - containerPort: 8090 + name: probe + - containerPort: 8091 + name: probe500 + + livenessProbe: + httpGet: + path: /app_protect_dos_liveness + port: 8090 + initialDelaySeconds: 5 + periodSeconds: 10 + + readinessProbe: + httpGet: + path: /app_protect_dos_readiness + port: 8090 + initialDelaySeconds: 5 + periodSeconds: 10 + + + volumeMounts: + - name: shared-dir + mountPath: /shared/ + - name: bpf + mountPath: /sys/fs/bpf + - name: conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + - name: log-default + mountPath: /etc/app_protect_dos/log-default.json + subPath: log-default.json + + - name: dos-ebpf-manager + image: /: + securityContext: + privileged: true + volumeMounts: + - name: shared-dir + mountPath: /shared + - name: bpf + mountPath: /sys/fs/bpf + volumes: + - name: shared-dir + persistentVolumeClaim: + claimName: pvc-app-protect-dos-shared + - name: bpf + hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + - name: conf + configMap: + name: dos-nginx-conf + items: + - key: nginx.conf + path: nginx.conf + - name: log-default + configMap: + name: dos-log-default + defaultMode: 0644 + items: + - key: log-default.json + path: log-default.json + +``` \ No newline at end of file 
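Review bot: The pod template has no `imagePullSecrets`, yet the guide that uses this manifest first creates a `regcred` docker-registry Secret and says the images live in a private registry; without `imagePullSecrets:` / `  - name: regcred` under `spec.template.spec`, the pull will fail with an authorization error. `dos-ebpf-manager` runs with `privileged: true` and a `hostPath` mount of `/sys/fs/bpf`, which is presumably what loading the XDP program requires; a comment stating that, and that the `nginx-app-protect-dos` container deliberately does not get it, would stop the setting from being widened or relaxed later. The `probe500` port 8091 is declared but nothing in the accompanying nginx.conf listens on it, and `maxSurge: 2` with a `ReadWriteOnce` PVC can leave a surge pod pending if it lands on another node — both worth a sentence in the page.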
diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-log-default-configmap.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-log-default-configmap.md new file mode 100644 index 0000000000..7d1d4848d6 --- /dev/null +++ b/content/includes/dos/k8s_with_ebpf_manifest/dos-log-default-configmap.md @@ -0,0 +1,19 @@ +--- +--- + +```dos-log-default-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: dos-log-default + namespace: app-protect-dos +data: + log-default.json: | + { + "filter": { + "traffic-mitigation-stats": "all", + "bad-actors": "all", + "attack-signatures": "all" + } + } +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-namespace.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-namespace.md new file mode 100644 index 0000000000..1e91798fc0 --- /dev/null +++ b/content/includes/dos/k8s_with_ebpf_manifest/dos-namespace.md @@ -0,0 +1,9 @@ +--- +--- + +```dos-namespace.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: app-protect-dos +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md new file mode 100644 index 0000000000..f444fd0bcb --- /dev/null +++ b/content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md 
@@ -0,0 +1,69 @@ +--- +--- + +```dos-nginx-conf-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: dos-nginx-conf + namespace: app-protect-dos +data: + nginx.conf: | + + user nginx; + worker_processes auto; + error_log /var/log/nginx/error.log error; + worker_rlimit_nofile 65535; + + load_module modules/ngx_http_app_protect_dos_module.so; + + working_directory /tmp/cores; + + events { + worker_connections 65535; + } + + http { + + app_protect_dos_arb_fqdn svc-appprotect-dos-arb.arb.svc.cluster.local; + + sendfile on; + tcp_nopush on; + keepalive_timeout 65; + + log_format log_dos + ', vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, ' + 'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, ' + 'ip_tls=$remote_addr:$app_protect_dos_tls_fp, '; + + app_protect_dos_accelerated_mitigation on syn_drop=on; + + upstream backend { + server svc-backend-nginx:8080; + } + + # Health endpoints for probes + server { + listen 8090; + location /app_protect_dos_liveness { return 200; } + location /app_protect_dos_readiness { return 200; } + } + + server { + listen 80 reuseport; + server_name serv; + + access_log /var/log/nginx/access.log log_dos if=$loggable; + app_protect_dos_security_log_enable on; + app_protect_dos_security_log "/etc/app_protect_dos/log-default.json" syslog:server=10.197.30.219:5261; + app_protect_dos_policy_file "/etc/app_protect_dos/BADOSDefaultPolicy.json"; + + location / { + app_protect_dos_enable on; + app_protect_dos_name "main_serv"; + app_protect_dos_monitor uri=http://serv:80/ protocol=http1; + proxy_pass http://backend; + } + } + } +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-service.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-service.md new file mode 100644 index 0000000000..6f5e776b27 --- /dev/null +++ b/content/includes/dos/k8s_with_ebpf_manifest/dos-service.md 
@@ -0,0 +1,18 @@ +--- +--- + +```dos-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: nap-dos + namespace: app-protect-dos +spec: + type: LoadBalancer + ports: + - port: 80 + targetPort: 80 + protocol: TCP + selector: + app: app-protect-dos +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-storage.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-storage.md new file mode 100644 index 0000000000..609d817a7e --- /dev/null +++ b/content/includes/dos/k8s_with_ebpf_manifest/dos-storage.md @@ -0,0 +1,16 @@ +--- +--- + +```dos-storage.yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pvc-app-protect-dos-shared + namespace: app-protect-dos +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +``` \ No newline at end of file diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md new file mode 100644 index 0000000000..ca70d0040b --- /dev/null +++ b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md 
@@ -0,0 +1,354 @@ +--- +# We use sentence case and present imperative tone +title: "Kubernetes with L3 mitigation" +# Weights are assigned in increments of 100: determines sorting order +weight: 200 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: how-to +nd-product: DOS +--- + +This page describes how to install F5 DOS for NGINX using Kubernetes. + +It explains the common steps necessary for any Kubernetes-based deployment, then provides details specific to Helm or Manifests. + +## Before you begin + +To complete this guide, you will need the following pre-requisites: + +- A functional Kubernetes cluster +- An active F5 DOS for NGINX subscription (Purchased or trial) +- [Docker](https://docs.docker.com/get-started/get-docker/) + +To review supported operating systems, read the [Releases]({{< ref "/nap-dos/releases" >}}) topic. + +## Download your subscription credentials + +{{< include "licensing-and-reporting/download-jwt-crt-from-myf5.md" >}} + +## Create a Dockerfile + +In the same folder as your credential files, create a _Dockerfile_ based on your desired operating system image using an example from the following sections. 
+ +### Alpine Linux + +{{< tabs name="alpine-instructions" >}} + +{{% tab name="NGINX Plus" %}} + +{{< include "/dos/dockerfiles/alpine-plus-dos.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +{{< tabs name="alpine-instructions-ebpf" >}} + +{{% tab name="EBPF Manager" %}} + +{{< include "/dos/dockerfiles/alpine-ebpf-manager.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +### Amazon Linux + +{{< tabs name="amazon-instructions" >}} + +{{% tab name="NGINX Plus" %}} + +{{< include "/dos/dockerfiles/amazon-plus-dos.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +{{< tabs name="amazon-instructions-ebpf" >}} + +{{% tab name="EBPF Manager" %}} + +{{< include "/dos/dockerfiles/amazon-ebpf-manager.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +### Debian + +{{< tabs name="debian-instructions" >}} + +{{% tab name="NGINX Plus" %}} + +{{< include "/dos/dockerfiles/debian-plus-dos.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +{{< tabs name="debian-instructions-ebpf" >}} + +{{% tab name="EBPF Manager" %}} + +{{< include "/dos/dockerfiles/debian-ebpf-manager.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +### RHEL 8 + +{{< tabs name="rhel8-instructions" >}} + +{{% tab name="NGINX Plus" %}} + +{{< include "/dos/dockerfiles/rhel8-plus-dos.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +{{< tabs name="rhel8-instructions-ebpf" >}} + +{{% tab name="EBPF Manager" %}} + +{{< include "/dos/dockerfiles/rhel8-ebpf-manager.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +### RHEL 9 + +{{< tabs name="rhel9-instructions" >}} + +{{% tab name="NGINX Plus" %}} + +{{< include "/dos/dockerfiles/rhel9-plus-dos.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +{{< tabs name="rhel9-instructions-ebpf" >}} + +{{% tab name="EBPF Manager" %}} + +{{< include "/dos/dockerfiles/rhel9-ebpf-manager.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +### Rocky Linux 9 + +{{< tabs name="rocky-instructions" >}} + +{{% tab name="NGINX Plus" %}} + +{{< include "/dos/dockerfiles/rocky9-plus-dos.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +{{< tabs 
name="rocky9-instructions-ebpf" >}} + +{{% tab name="EBPF Manager" %}} + +{{< include "/dos/dockerfiles/rocky9-ebpf-manager.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +### Ubuntu + +{{< tabs name="ubuntu-instructions" >}} + +{{% tab name="NGINX Plus" %}} + +{{< include "/dos/dockerfiles/ubuntu-plus-dos.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +{{< tabs name="ubuntu-instructions-ebpf" >}} + +{{% tab name="EBPF Manager" %}} + +{{< include "/dos/dockerfiles/ubuntu-ebpf-manager.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +## Create DOS entrypoint.sh +Docker startup script which spins up all App Protect DoS processes, must have executable permissions + +{{< include "/dos/dos-entrypoint.md" >}} + +## Build the DOS Docker image + +Your folder should contain the following files: + +- _nginx-repo.crt_ +- _nginx-repo.key_ +- _license.jwt_ +- _entrypoint.sh_ +- _Dockerfile_ + +To build an image, use the following command, replacing `` as appropriate: + +```shell +sudo docker build --no-cache --platform linux/amd64 \ + --secret id=nginx-crt,src=nginx-repo.crt \ + --secret id=nginx-key,src=nginx-repo.key \ + --secret id=license-jwt,src=license.jwt \ + -t . +``` + +## Build the EBPF Manager Docker image + +Your folder should contain the following files: + +- _nginx-repo.crt_ +- _nginx-repo.key_ +- _Dockerfile_ + +To build an image, use the following command, replacing `` as appropriate: + +```shell +sudo docker build --no-cache --platform linux/amd64 \ + --secret id=nginx-crt,src=nginx-repo.crt \ + --secret id=nginx-key,src=nginx-repo.key \ + -t . +``` + +Once you have built the DOS and EBPF images, push them to your private image repository, which should be accessible to your Kubernetes cluster. 
+ +From this point, the steps change based on your installation method: + +- [Use Manifests to install F5 DOS for NGINX](#use-manifests-to-install-f5-dos-for-nginx) + +## Use Manifests to install F5 DOS for NGINX + + +### Create a Secret + +Before you can start the Manifest deployment, you need a Kubernetes secret for the Docker registry. + +You can create the secret using `kubectl create`: + +```shell +kubectl create secret docker-registry regcred --docker-server=private-registry.nginx.com --docker-username= --docker-password=none +``` + +The `` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace. + +### Create Manifest files + +The default configuration provided creates two replicas, each hosting NGINX and DOS services together in a single Kubernetes pod. + +Create all of these files in a single folder (Such as `/manifests`). + +In each file, replace + `/:` with your actual nginx-dos image tag. + `/:` with your actual ebpf-manager image tag. 
+ +{{< tabs name="manifest-files" >}} + +{{% tab name=dos-namespace.yaml %}} + +{{< include "dos/k8s_with_ebpf_manifest/dos-namespace.md" >}} + +{{% /tab %}} + +{{% tab name=dos-storage.yaml %}} + +{{< include "dos/k8s_with_ebpf_manifest/dos-storage.md" >}} + +{{% /tab %}} + +{{% tab name=dos-nginx-conf-configmap.yaml %}} + +{{< include "dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md" >}} + +{{% /tab %}} + +{{% tab name=dos-log-default-configmap.yaml %}} + +{{< include "dos/k8s_with_ebpf_manifest/dos-log-default-configmap.md" >}} + +{{% /tab %}} + +{{% tab name=dos-deployment.yaml %}} + +{{< include "dos/k8s_with_ebpf_manifest/dos-deployment.md" >}} + +{{% /tab %}} + +{{% tab name=dos-service.yaml %}} + +{{< include "dos/k8s_with_ebpf_manifest/dos-service.md" >}} + +{{% /tab %}} + +{{< /tabs >}} + +### Start the Manifest deployment + +From the folder containing the YAML files from the previous step (Suggested as `/manifests`), deploy F5 DOS for NGINX using `kubectl`: + +```shell +kubectl apply -f manifests/dos-namespace.yaml +kubectl apply -f manifests/dos-storage.yaml +kubectl apply -f manifests/dos-nginx-conf-configmap.yam +kubectl apply -f manifests/dos-log-default-configmap.yaml +kubectl apply -f manifests/dos-deployment.yaml +kubectl apply -f manifests/dos-service.yaml +``` + +It will apply all the configuration defined in the files to your Kubernetes cluster. 
+ +You can then check the status of the deployment with `kubectl get`: + +```shell +kubectl -n app-protect-dos get deployments +kubectl -n app-protect-dos get pods +kubectl -n app-protect-dos get services +``` + +You should see output similar to the following: + +```text +~$ kubectl -n app-protect-dos get deployments +NAME READY UP-TO-DATE AVAILABLE AGE +app-protect-dos 1/1 1 1 33s + +~$ kubectl -n app-protect-dos get pods +NAME READY STATUS RESTARTS AGE +app-protect-dos-7f9798654c-7ncbl 2/2 Running 0 68s + +$ kubectl -n app-protect-dos get pods -o jsonpath='{range .items[*]}Pod: {.metadata.name} -> Containers: {.spec.containers[*].name}{"\n"}{end}' +Pod: app-protect-dos-7f9798654c-7ncbl -> Containers: dos-ebpf-manager nginx-app-protect-dos + +~$ kubectl -n app-protect-dos get services +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +nap-dos LoadBalancer 10.43.212.232 80:32586/TCP 93s +``` +## Post-Installation Checks +At this stage, you have finished deploying F5 DOS for NGINX with EBPF L3 mitigation enabled +You can login to dos-ebpf-manager container like following command +```text +kubectl exec -it app-protect-dos-586fb94947-8sjnc -n app-protect-dos -c nginx-app-protect-dos -- bash +kubectl exec -it app-protect-dos-586fb94947-8sjnc -n app-protect-dos -c dos-ebpf-manager -- bash +``` +and can look at . +{{< include "dos/install-post-checks.md" >}} + + +## Next steps diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md new file mode 100644 index 0000000000..d28df075e1 --- /dev/null +++ b/content/nap-dos/deployment-guide/kubernetes.md 
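Review bot: `kubectl apply -f manifests/dos-nginx-conf-configmap.yam` is missing the final `l`, so the ConfigMap step fails and the deployment that mounts `dos-nginx-conf` will not start; it should read `kubectl apply -f manifests/dos-nginx-conf-configmap.yaml`. The "Create Manifest files" intro says the default configuration "creates two replicas", while the included deployment sets `replicas: 1`. In the post-installation section, "and can look at ." is an unfinished sentence, the two `kubectl exec` examples bake in a specific pod name where a note to substitute the pod name from `kubectl get pods` is needed, and the "Next steps" heading is empty.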
@@ -0,0 +1,259 @@
+---
+# We use sentence case and present imperative tone
+title: "Kubernetes"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 200
+# Creates a table of contents and sidebar, useful for large documents
+toc: true
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: how-to
+nd-product: DOS
+---
+
+This page describes how to install F5 DOS for NGINX using Kubernetes.
+
+It explains the common steps necessary for any Kubernetes-based deployment, then provides details specific to Helm or Manifests.
+
+## Before you begin
+
+To complete this guide, you will need the following pre-requisites:
+
+- A functional Kubernetes cluster
+- An active F5 DOS for NGINX subscription (Purchased or trial)
+- [Docker](https://docs.docker.com/get-started/get-docker/)
+
+To review supported operating systems, read the [Releases]({{< ref "/nap-dos/releases" >}}) topic.
+
+## Download your subscription credentials
+
+{{< include "licensing-and-reporting/download-jwt-crt-from-myf5.md" >}}
+
+## Create a Dockerfile
+
+In the same folder as your credential files, create a _Dockerfile_ based on your desired operating system image using an example from the following sections.
+
+### Alpine Linux
+
+{{< tabs name="alpine-instructions" >}}
+
+{{% tab name="NGINX Plus" %}}
+
+{{< include "/dos/dockerfiles/alpine-plus-dos.md" >}}
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+### Amazon Linux
+
+{{< tabs name="amazon-instructions" >}}
+
+{{% tab name="NGINX Plus" %}}
+
+{{< include "/dos/dockerfiles/amazon-plus-dos.md" >}}
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+### Debian
+
+{{< tabs name="debian-instructions" >}}
+
+{{% tab name="NGINX Plus" %}}
+
+{{< include "/dos/dockerfiles/debian-plus-dos.md" >}}
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+### RHEL 8
+
+{{< tabs name="rhel8-instructions" >}}
+
+{{% tab name="NGINX Plus" %}}
+
+{{< include "/dos/dockerfiles/rhel8-plus-dos.md" >}}
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+### RHEL 9
+
+{{< tabs name="rhel9-instructions" >}}
+
+{{% tab name="NGINX Plus" %}}
+
+{{< include "/dos/dockerfiles/rhel9-plus-dos.md" >}}
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+### Rocky Linux 9
+
+{{< tabs name="rocky-instructions" >}}
+
+{{% tab name="NGINX Plus" %}}
+
+{{< include "/dos/dockerfiles/rocky9-plus-dos.md" >}}
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+### Ubuntu
+
+{{< tabs name="ubuntu-instructions" >}}
+
+{{% tab name="NGINX Plus" %}}
+
+{{< include "/dos/dockerfiles/ubuntu-plus-dos.md" >}}
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+## Create DOS entrypoint.sh
+Docker startup script which spins up all App Protect DoS processes, must have executable permissions
+
+{{< include "/dos/dos-entrypoint.md" >}}
+
+## Build the Docker image
+
+Your folder should contain the following files:
+
+- _nginx-repo.crt_
+- _nginx-repo.key_
+- _license.jwt_
+- _entrypoint.sh_
+- _Dockerfile_
+
+To build an image, use the following command, replacing `` as appropriate:
+
+```shell
+sudo docker build --no-cache --platform linux/amd64 \
+ --secret id=nginx-crt,src=nginx-repo.crt \
+ --secret id=nginx-key,src=nginx-repo.key \
+ --secret id=license-jwt,src=license.jwt \
+ -t .
+```
+
+Once you have built the image, push it to your private image repository, which should be accessible to your Kubernetes cluster.
+
+From this point, the steps change based on your installation method:
+
+- [Use Manifests to install F5 DOS for NGINX](#use-manifests-to-install-f5-dos-for-nginx)
+
+## Use Manifests to install F5 DOS for NGINX
+
+### Create a Secret
+
+Before you can start the Manifest deployment, you need a Kubernetes secret for the Docker registry.
+
+You can create the secret using `kubectl create`:
+
+```shell
+kubectl create secret docker-registry regcred --docker-server=private-registry.nginx.com --docker-username= --docker-password=none
+```
+
+The `` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace.
+
+### Create Manifest files
+
+The default configuration provided creates two replicas, each hosting NGINX and DOS services together in a single Kubernetes pod.
+
+Create all of these files in a single folder (Such as `/manifests`).
+
+In each file, replace `/:` with your actual image tag.
+
+{{< tabs name="manifest-files" >}}
+
+{{% tab name=dos-namespace.yaml %}}
+
+{{< include "dos/k8s_manifest/dos-namespace.md" >}}
+
+{{% /tab %}}
+
+{{% tab name=dos-storage.yaml %}}
+
+{{< include "dos/k8s_manifest/dos-storage.md" >}}
+
+{{% /tab %}}
+
+{{% tab name=dos-nginx-conf-configmap.yaml %}}
+
+{{< include "dos/k8s_manifest/dos-nginx-conf-configmap.md" >}}
+
+{{% /tab %}}
+
+{{% tab name=dos-log-default-configmap.yaml %}}
+
+{{< include "dos/k8s_manifest/dos-log-default-configmap.md" >}}
+
+{{% /tab %}}
+
+{{% tab name=dos-deployment.yaml %}}
+
+{{< include "dos/k8s_manifest/dos-deployment.md" >}}
+
+{{% /tab %}}
+
+{{% tab name=dos-service.yaml %}}
+
+{{< include "dos/k8s_manifest/dos-service.md" >}}
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+### Start the Manifest deployment
+
+From the folder containing the YAML files from the previous step (Suggested as `/manifests`), deploy F5 DOS for NGINX using `kubectl`:
+
+```shell
+kubectl apply -f manifests/dos-namespace.yaml
+kubectl apply -f manifests/dos-storage.yaml
+kubectl apply -f manifests/dos-nginx-conf-configmap.yam
+kubectl apply -f manifests/dos-log-default-configmap.yaml
+kubectl apply -f manifests/dos-deployment.yaml
+kubectl apply -f manifests/dos-service.yaml
+```
+
+It will apply all the configuration defined in the files to your Kubernetes cluster.
+
+You can then check the status of the deployment with `kubectl get`:
+
+```shell
+kubectl -n app-protect-dos get deployments
+kubectl -n app-protect-dos get pods
+kubectl -n app-protect-dos get services
+```
+
+You should see output similar to the following:
+
+```text
+~$ kubectl -n app-protect-dos get deployments
+NAME READY UP-TO-DATE AVAILABLE AGE
+app-protect-dos 1/1 1 1 1m
+
+~$ kubectl -n app-protect-dos get pods
+NAME READY STATUS RESTARTS AGE
+app-protect-dos-586fb94947-8sjnc 1/1 Running 0 1m
+
+~$ kubectl -n app-protect-dos get services
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+nap-dos LoadBalancer 10.43.83.225 80:30307/TCP 1m
+```
+## Post-Installation Checks
+At this stage, you have finished deploying F5 DOS for NGINX.
+You csn login to app-protect-dos pod like following command
+```text
+kubectl exec -it app-protect-dos-586fb94947-8sjnc -n app-protect-dos -c nginx-app-protect-dos -- bash
+```
+and can look at .
+{{< include "dos/install-post-checks.md" >}}
+
+## Next steps
diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md
index 5ef672eb81..03163b33be 100644
--- a/content/nap-dos/deployment-guide/learn-about-deployment.md
+++ b/content/nap-dos/deployment-guide/learn-about-deployment.md
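Review bot: The apply sequence under "Start the Manifest deployment" references `manifests/dos-nginx-conf-configmap.yam`, which does not match the `dos-nginx-conf-configmap.yaml` tab above it, so that `kubectl apply` fails and the reader would continue without the nginx.conf ConfigMap being created; the line should read `kubectl apply -f manifests/dos-nginx-conf-configmap.yaml`. The same typo is in the apply block of the kubernetes-with-ebpf page in the hunk above. The post-installation check hard-codes a generated pod name (`app-protect-dos-586fb94947-8sjnc`) that no reader will have; use a placeholder such as `<pod-name>` and say to take it from the `kubectl get pods` output shown just above. In that section, `You csn login to app-protect-dos pod like following command` should read `You can log in to the app-protect-dos pod with the following command`, and the dangling `and can look at .` sentence should be completed or dropped. "Create Manifest files" says the default configuration creates two replicas, but the sample `kubectl get deployments` output shows `1/1`, so one of the two appears stale.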
@@ -1025,22 +1025,7 @@ You need root permissions to execute the following steps. 5. In the same directory create an `entrypoint.sh` file with executable permissions, with the following content: - ```shell - #!/usr/bin/env bash - - USER=nginx - LOGDIR=/var/log/adm - - # prepare environment - mkdir -p /var/run/adm /tmp/cores ${LOGDIR} - chmod 755 /var/run/adm /tmp/cores ${LOGDIR} - chown ${USER}:${USER} /var/run/adm /tmp/cores ${LOGDIR} - - # run processes - /bin/su -s /bin/bash -c "/usr/bin/adminstall > ${LOGDIR}/adminstall.log 2>&1" ${USER} - /bin/su -s /bin/bash -c "/usr/bin/admd -d --log info > ${LOGDIR}/admd.log 2>&1 &" ${USER} - /usr/sbin/nginx -g 'daemon off;' - ``` + {{< include "/dos/dos-entrypoint.md" >}} 6. Create a Docker image: @@ -1050,7 +1035,7 @@ You need root permissions to execute the following steps. The `--no-cache` option tells Docker to build the image from scratch and ensures the installation of the latest version of NGINX Plus and F5 DoS for NGINX. If the Dockerfile was previously used to build an image without the `--no-cache` option, the new image uses versions from the previously built image from the Docker cache. - For RHEL8/9 with subctiption manager setup add build arguments: + For RHEL8/9 with subscription manager setup add build arguments: ```shell DOCKER_BUILDKIT=1 docker build --build-arg RHEL_ORG=... --build-arg RHEL_ACTIVATION_KEY=... --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=./license.jwt -t app-protect-dos . 
@@ -1509,26 +1494,10 @@ Make sure to replace upstream and proxy pass directives in this example with rel 7. In the same directory create an `entrypoint.sh` file with executable permissions, with the following content: - For Alpine / Debian / Ubuntu / UBI 8 / UBI 9: + For Alpine /AmazonLinux 2023/ Debian / Ubuntu / UBI 8/ UBI 9: + +{{< include "/dos/dos-waf-entrypoint.md" >}} - ```shell - #!/usr/bin/env bash - USER=nginx - LOGDIR=/var/log/adm - - # prepare environment - mkdir -p /var/run/adm /tmp/cores ${LOGDIR} - chmod 755 /var/run/adm /tmp/cores ${LOGDIR} - chown ${USER}:${USER} /var/run/adm /tmp/cores ${LOGDIR} - - # run processes - /bin/su -s /bin/bash -c "/usr/bin/adminstall > ${LOGDIR}/adminstall.log 2>&1" ${USER} - /bin/su -s /bin/bash -c "/opt/app_protect/bin/bd_agent &" ${USER} - /bin/su -s /bin/bash -c "/usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 307200000 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config 2>&1 > /var/log/app_protect/bd-socket-plugin.log &" ${USER} - /bin/su -s /bin/bash -c "/usr/bin/admd -d --log info > ${LOGDIR}/admd.log 2>&1 &" ${USER} - /usr/sbin/nginx -g 'daemon off;' - ``` - 8. Create a Docker image: For Debian/Ubuntu/Alpine/Amazon Linux: 
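Review bot: The new `{{< include "/dos/dos-waf-entrypoint.md" >}}` line appears to sit at column 0 directly under numbered step 7, whereas the fenced block it replaces was indented as part of that list item (indentation may be flattened in this view, so please verify in the file). An unindented line after a blank line ends a Markdown list, so the included entrypoint would render outside step 7 and step 8 may restart numbering; indent the include to the list-item level, as the sibling hunk in this file does for `{{< include "/dos/dos-entrypoint.md" >}}`. The step list continues outside the hunk. The changed heading `For Alpine /AmazonLinux 2023/ Debian / Ubuntu / UBI 8/ UBI 9:` also has inconsistent spacing around the slashes; `For Alpine / AmazonLinux 2023 / Debian / Ubuntu / UBI 8 / UBI 9:` reads cleaner.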
@@ -1798,63 +1767,7 @@ There is no such option for authentications between F5 DoS for NGINX servers and ## Post-Installation Checks -You can run the following commands to ensure that F5 DoS for NGINX enforcement is operational. - -1. Check that the three processes needed for F5 DoS for NGINX are running using `ps aux`: - - - admd - - nginx: master process - - nginx: worker process - - ```shell - USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND - nginx 7759 0.0 0.0 113120 1200 ? Ss Sep06 0:00 /bin/sh -c /usr/bin/admd -d --log info > /var/log/adm/admd.log 2>&1 - root 7765 0.0 0.0 87964 1464 ? Ss Sep06 0:00 nginx: master process /usr/sbin/nginx -g daemon off; - nginx 7767 0.0 0.1 615868 8188 ? Sl Sep06 0:04 nginx: worker process - ``` - -2. Verify that there are no NGINX errors in the `/var/log/nginx/error.log` and that the policy compiled successfully: - - ```shell - 2020/09/07 15:33:44 [notice] 9307#9307: using the "epoll" event method - 2020/09/07 15:33:44 [notice] 9307#9307: nginx/1.19.0 (nginx-plus-r22) - 2020/09/07 15:33:44 [notice] 9307#9307: built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) - 2020/09/07 15:33:44 [notice] 9307#9307: OS: Linux 3.10.0-327.28.3.el7.x86_64 - 2020/09/07 15:33:44 [notice] 9307#9307: getrlimit(RLIMIT_NOFILE): 1024:4096 - 2020/09/07 15:33:44 [notice] 9310#9310: start worker processes - 2020/09/07 15:33:44 [notice] 9310#9310: start worker process 9311 - PID <9311>, WORKER <0>, Function adm_ngx_init_process, line 684, version: 22+1.19.4-1.el7.ngx - ``` - -3. Check that by applying an attack, the attacker IP addresses are blocked while the good traffic pass through: - - a. Simulate good traffic: - - ```shell - echo "Start Good Traffic 2" - while true; do - curl ${VS}/good1 & - curl ${VS}/good2 & - curl ${VS}/good3 & - curl ${VS}/good4 - sleep 0.1 - done & - ``` - - b. 
After 7 minutes start the attack: - - ```shell - while [ true ] - do - ab -B ${BAD_IP1} -l -r -n 1000000 -c 150 -d -H "Host: evil.net" -H "Pragma: no-cache" -H "Cache-Control: no-cache" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" -H "Upgrade-Insecure-Requests: 1" -H "User-Agent: WireXBot" -H "x-requested-with:" -H "Referer: http://10.0.2.1/none.html" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US" http://${VS}/ & - ab -B ${BAD_IP2} -l -r -n 1000000 -c 150 -d -H "Host: evil.net" -H "Pragma: no-cache" -H "Cache-Control: no-cache" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" -H "Upgrade-Insecure-Requests: 1" -H "User-Agent: WireXBot" -H "x-requested-with:" -H "Referer: http://10.0.2.1/none.html" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US" http://${VS}/ & - ab -B ${BAD_IP3} -l -r -n 1000000 -c 150 -d -s 10 -H "Host: evil.net" -H "Pragma: no-cache" -H "Cache-Control: no-cache" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" -H "Upgrade-Insecure-Requests: 1" -H "User-Agent: WireXBot" -H "x-requested-with:" -H "Referer: http://10.0.2.1/none.html" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US" http://${VS}/ - - killall ab - done - ``` - - c. See that the good traffic continue as usual while the attackers receive denial of service. +{{< include "dos/install-post-checks.md" >}} To check F5 WAF for NGINX alongside F5 DoS for NGINX, just perform the normal tests as specified at [Admin Guide](https://docs.nginx.com/waf/install/virtual-environment/#post-installation-checks) From dee54313fd978e4064c99bf9dde77caa8ff0934c Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Thu, 4 Dec 2025 14:09:51 +0200 Subject: [PATCH 02/23] feature: dos k8s / dos k8s with ebpf --- .../learn-about-deployment.md | 640 +----------------- 1 file changed, 14 insertions(+), 626 deletions(-) 
diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md
index 03163b33be..f3a5ff8574 100644
--- a/content/nap-dos/deployment-guide/learn-about-deployment.md
+++ b/content/nap-dos/deployment-guide/learn-about-deployment.md
@@ -1,7 +1,7 @@
 ---
 description: Learn about F5 DoS for NGINX Deployment.
 nd-docs: DOCS-666
-title: Deployment
+title: Virtual machine and Docker
 toc: true
 weight: 90
 type:
@@ -1112,251 +1112,31 @@ You need root permissions to execute the following steps. ### Alpine Docker Deployment Example -```Dockerfile -# syntax=docker/dockerfile:1 -# For Alpine 3.22: -FROM alpine:3.22 - -# Download and add the NGINX signing keys: -RUN wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub - -# Add NGINX Plus/F5 DoS for NGINX repository: -RUN printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories && \ - printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories - -# Update the repository and install the most recent version of the F5 DoS for NGINX package (which includes NGINX Plus): -RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - apk update && apk add app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 - -STOPSIGNAL SIGQUIT - -CMD ["sh", "/root/entrypoint.sh"] -``` +{{< include "/dos/dockerfiles/alpine-plus-dos.md" >}} ### AmazonLinux 2023 Docker Deployment Example -```Dockerfile -# For AmazonLinux 2023: -FROM amazonlinux:2023 - -# Install prerequisite packages: -RUN dnf -y install ca-certificates - -# Add NGINX Plus/F5 DoS for NGINX repository: -RUN curl -o /etc/yum.repos.d/plus-amazonlinux2023.repo 
https://cs.nginx.com/static/files/plus-amazonlinux2023.repo && \ - curl -o /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo - -# Install F5 DoS for NGINX: -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - dnf install -y app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt && \ - rm /etc/yum.repos.d/plus-amazonlinux2023.repo && \ - rm /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo && \ - dnf clean all && \ - rm -rf /var/cache/dnf - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 - -STOPSIGNAL SIGQUIT - -CMD ["sh", "/root/entrypoint.sh"] -``` +{{< include "/dos/dockerfiles/amazon-plus-dos.md" >}} ### Debian 11 (Bullseye) / Debian 12 (Bookworm) Docker Deployment Example -```Dockerfile -# Where can be bullseye/bookworm -FROM debian:bullseye - -# Setup repository keys -RUN mkdir -p /etc/ssl/nginx/ /etc/nginx/ && \ - apt-get update && \ - apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring && \ - wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \ - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list && \ - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian $(lsb_release -cs) nginx-plus\n" > 
/etc/apt/sources.list.d/nginx-app-protect-dos.list && \ - wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx - -# Install F5 DoS for NGINX -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt && \ - apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list /etc/apt/sources.list.d/nginx-app-protect-dos.list && \ - rm -rf /etc/apt/apt.conf.d/90nginx /var/lib/apt/lists/* - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -COPY nginx.conf /etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 - -STOPSIGNAL SIGQUIT - -CMD ["sh", "/root/entrypoint.sh"] -``` +{{< include "/dos/dockerfiles/debian-plus-dos.md" >}} ### Ubuntu 22.04 (Jammy) / 24.04 (Noble) Docker Deployment Example -```Dockerfile -# Where version can be: jammy/noble -FROM ubuntu:noble - -# Setup repository keys -RUN apt-get update && \ - apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring && \ - wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \ - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list && \ - printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/ubuntu $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-app-protect-dos.list && \ - 
wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx - -# Install F5 DoS for NGINX -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt && \ - apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list /etc/apt/sources.list.d/nginx-app-protect-dos.list && \ - rm -rf /etc/apt/apt.conf.d/90nginx /var/lib/apt/lists/* - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -COPY nginx.conf /etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 +{{< include "/dos/dockerfiles/ubuntu-plus-dos.md" >}} -STOPSIGNAL SIGQUIT +### RHEL 8 Docker Deployment Example -CMD ["sh", "/root/entrypoint.sh"] -``` +{{< include "/dos/dockerfiles/rhel8-plus-dos.md" >}} -### RHEL 8 Docker Deployment Example +### RHEL 9 Docker Deployment Example -```Dockerfile -# For UBI 8 -FROM registry.access.redhat.com/ubi8 - -ARG RHEL_ORG -ARG RHEL_ACTIVATION_KEY - -# Setup repository keys -RUN subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} && \ - subscription-manager refresh && \ - subscription-manager attach --auto || true && \ - subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms && \ - subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms && \ - dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ - dnf -y install ca-certificates && \ - curl -o /etc/yum.repos.d/plus-8.repo https://cs.nginx.com/static/files/plus-8.repo && \ - curl -o /etc/yum.repos.d/app-protect-dos-8.repo 
https://cs.nginx.com/static/files/app-protect-dos-8.repo - -# Install F5 DoS for NGINX -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - dnf -y install app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt && \ - rm /etc/yum.repos.d/plus-8.repo && \ - rm /etc/yum.repos.d/app-protect-dos-8.repo && \ - dnf clean all && \ - rm -rf /var/cache/yum - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 - -STOPSIGNAL SIGQUIT - -CMD ["sh", "/root/entrypoint.sh"] -``` +{{< include "/dos/dockerfiles/rhel9-plus-dos.md" >}} ### Rocky Linux 9 Docker Deployment Example -```Dockerfile -# syntax=docker/dockerfile:1 -# For Rocky Linux 9: -FROM rockylinux:9 - -# Install prerequisite packages: -RUN dnf -y install ca-certificates epel-release 'dnf-command(config-manager)' - -# Add NGINX App-protect-DoS & NGINX Plus repo to Yum: -RUN curl -o /etc/yum.repos.d/plus-9.repo https://cs.nginx.com/static/files/plus-9.repo && \ - curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo && \ - dnf config-manager --set-enabled crb && \ - dnf clean all - -# Install F5 DoS for NGINX: -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - dnf install -y app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt && \ - rm /etc/yum.repos.d/plus-9.repo && \ - rm /etc/yum.repos.d/app-protect-dos-9.repo && \ - dnf clean all && \ - rm -rf 
/var/cache/dnf - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 - -STOPSIGNAL SIGQUIT - -CMD ["sh", "/root/entrypoint.sh"] -``` +{{< include "/dos/dockerfiles/rocky9-plus-dos.md" >}} ## Docker Deployment with NGINX App Protect 
@@ -1537,182 +1317,19 @@ Make sure to replace upstream and proxy pass directives in this example with rel ### Alpine Dockerfile example -```dockerfile -# syntax=docker/dockerfile:1 -# For Alpine 3.22: -FROM alpine:3.22 - -# Download and add the NGINX signing keys: -RUN wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub && \ - wget -O /etc/apk/keys/app-protect-security-updates.rsa.pub https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub - -# Add NGINX Plus repository: -RUN printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories - -# Add F5 WAF for NGINX & Dos repositories: -RUN printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories && \ - printf "https://pkgs.nginx.com/app-protect/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories && \ - printf "https://pkgs.nginx.com/app-protect-security-updates/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories - -# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which include NGINX Plus): -RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - apk update && apk add app-protect app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -# Copy configuration files: -COPY nginx.conf custom_log_format.json 
/etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 - -STOPSIGNAL SIGQUIT - -CMD ["sh", "/root/entrypoint.sh"] -``` +{{< include "/dos/dockerfiles/alpine-plus-dos-waf.md" >}} ### Amazon Linux Dockerfile example -```dockerfile -# syntax=docker/dockerfile:1 -FROM amazonlinux:2023 - -# Install prerequisite packages: -RUN dnf -y install ca-certificates - -# Add NGINX/NAP WAF/NAP DOS repositories: -RUN curl -o /etc/yum.repos.d/plus-amazonlinux2023.repo https://cs.nginx.com/static/files/plus-amazonlinux2023.repo && \ - curl -o /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo && \ - curl -o /etc/yum.repos.d/app-protect-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo && \ - curl -o /etc/yum.repos.d/dependencies.amazonlinux2023.repo https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo - -# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which include NGINX Plus): -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - dnf -y install app-protect app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt && \ - rm /etc/yum.repos.d/plus-amazonlinux2023.repo && \ - rm /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo && \ - dnf clean all && \ - rm -rf /var/cache/dnf && \ - rm -rf /var/cache/yum - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 - -STOPSIGNAL SIGQUIT - -CMD ["sh", "/root/entrypoint.sh"] -``` +{{< include 
"/dos/dockerfiles/amazon-plus-dos-waf.md" >}} ### Debian Docker Deployment Example -```Dockerfile -# Where version can be: bullseye/bookworm -FROM debian:bullseye - -# Install prerequisite packages: -RUN apt-get update && \ - apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring && \ - wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \ - wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor | tee /usr/share/keyrings/app-protect-security-updates.gpg > /dev/null - -# Add NGINX Plus, NGINX App Protect and F5 DoS for NGINX repository: -RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \ - && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect-dos.list \ - && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect.list \ - && printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/app-protect-security-updates.list - -# Download the apt configuration to `/etc/apt/apt.conf.d`: -RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx - -# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which includes NGINX Plus): -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - 
--mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt && \ - apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list /etc/apt/sources.list.d/nginx-app-protect.list /etc/apt/sources.list.d/nginx-app-protect-dos.list && \ - rm -rf /etc/apt/apt.conf.d/90nginx /var/lib/apt/lists/* - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -COPY nginx.conf /etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 - -STOPSIGNAL SIGQUIT - -CMD ["sh", "/root/entrypoint.sh"] -``` +{{< include "/dos/dockerfiles/debian-plus-dos-waf.md" >}} ### Ubuntu Docker Deployment Example -```Dockerfile -# Where version can be:jammy/noble -FROM ubuntu:noble - -# Install prerequisite packages: -RUN apt-get update && \ - apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring && \ - wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \ - wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor | tee /usr/share/keyrings/app-protect-security-updates.gpg > /dev/null - -# Add NGINX Plus, NGINX App Protect and F5 DoS for NGINX repository: -RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \ - && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/ubuntu `lsb_release -cs` nginx-plus\n" | tee 
/etc/apt/sources.list.d/nginx-app-protect-dos.list \ - && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect.list \ - && printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/app-protect-security-updates.list - -# Download the apt configuration to `/etc/apt/apt.conf.d`: -RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx - -# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which include NGINX Plus): -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt && \ - apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list /etc/apt/sources.list.d/nginx-app-protect.list /etc/apt/sources.list.d/nginx-app-protect-dos.list && \ - rm -rf /etc/apt/apt.conf.d/90nginx /var/lib/apt/lists/* - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - -COPY nginx.conf /etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 - -STOPSIGNAL SIGQUIT - -CMD ["sh", "/root/entrypoint.sh"] -``` +{{< include "/dos/dockerfiles/ubuntu-plus-dos-waf.md" >}} ## F5 DoS for NGINX Arbitrator 
@@ -1810,235 +1427,6 @@ Review the syslog ports by entering the following command: semanage port -l | grep syslog ``` -## Kubernetes Deployment Examples - -### App Protect DoS - -`appprotect-dos.yaml`: - -```yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: appprotect-dos - namespace: appprotect-dos-wp-diff - labels: - app: appprotect-dos -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: appprotect-dos - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 2 - maxUnavailable: 1 - template: - metadata: - labels: - app: appprotect-dos - spec: - containers: - - name: ubuntu-bados - image: example.com/ubuntu_app_protect_dos_r36:latest - imagePullPolicy: Always - resources: - requests: - cpu: "200m" - memory: "500Mi" - limits: - cpu: "900m" - memory: "800Mi" - ports: - - containerPort: 80 - name: web - - containerPort: 8090 - name: probe - - containerPort: 8091 - name: probe500 - livenessProbe: - httpGet: - path: /app_protect_dos_liveness - port: 8090 - initialDelaySeconds: 0 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /app_protect_dos_readiness - port: 8090 - initialDelaySeconds: 0 - periodSeconds: 10 - volumeMounts: - - name: shared - mountPath: /shared/ - - name: conf - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - - name: root-script - mountPath: /root/entrypoint.sh - subPath: entrypoint.sh - - name: log-default - mountPath: /etc/app_protect_dos/log-default.json - subPath: log-default.json - volumes: - - name: shared - persistentVolumeClaim: - claimName: pvc-appprotect-dos-shared - - name: conf - configMap: - name: cm-appprotect-dos-nginx - items: - - key: nginx.conf - path: nginx.conf - - name: root-script - configMap: - name: cm-appprotect-dos-entry - defaultMode: 0755 - items: - - key: entrypoint.sh - path: entrypoint.sh - - name: log-default - configMap: - name: cm-appprotect-dos-log-default - defaultMode: 0755 - items: - - key: log-default.json - path: log-default.json -``` - 
-`svc-appprotect-dos.yaml`: - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: svc-appprotect-dos - namespace: appprotect-dos-wp-diff - labels: - app: appprotect-dos -spec: - ports: - - name: app - port: 80 - protocol: TCP - nodePort: 80 - selector: - app: appprotect-dos - type: NodePort -``` - -`log-default.json`: - -```json -{ - "filter": { - "traffic-mitigation-stats": "all", - "bad-actors": "all", - "attack-signatures": "all" - } -} -``` - -`entrypoint.sh`: - -```shell -#!/usr/bin/env bash -USER=nginx -LOGDIR=/var/log/adm - -# prepare environment -mkdir -p /var/run/adm /tmp/cores ${LOGDIR} -chmod 755 /var/run/adm /tmp/cores ${LOGDIR} -chown ${USER}:${USER} /var/run/adm /tmp/cores ${LOGDIR} - -# run processes -/bin/su -s /bin/bash -c "/usr/bin/adminstall > ${LOGDIR}/adminstall.log 2>&1" ${USER} -/usr/sbin/nginx -g 'daemon off;' & -/bin/su -s /bin/bash -c "/usr/bin/admd -d --log info > ${LOGDIR}/admd.log 2>&1 &" ${USER} -``` - -`install.sh`: - -```shell -#!/bin/bash -set -ex -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -kubectl -n appprotect-dos-wp-diff create cm cm-appprotect-dos-nginx --from-file ${DIR}/nginx.conf -kubectl -n appprotect-dos-wp-diff create cm cm-appprotect-dos-entry --from-file ${DIR}/entrypoint.sh -kubectl -n appprotect-dos-wp-diff create cm cm-appprotect-dos-log-default --from-file ${DIR}/log-default.json -kubectl create -f ${DIR}/appprotect-dos.yaml -#kubectl create -f ${DIR}/svc-appprotect-dos.yaml -``` - -`nginx.conf`: - -```nginx -user nginx; -worker_processes 1; -error_log /var/log/nginx/error.log debug; -worker_rlimit_nofile 65535; -working_directory /tmp/cores; - -load_module modules/ngx_http_app_protect_dos_module.so; - -events { - worker_connections 65535; -} -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format log_napd ', vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, ' - 'outcome=$app_protect_dos_outcome, 
reason=$app_protect_dos_outcome_reason, ' - 'ip_tls=$remote_addr:$app_protect_dos_tls_fp, '; - - app_protect_dos_security_log_enable on; - app_protect_dos_security_log "/etc/app_protect_dos/log-default.json" /var/log/adm/logger.log; - # app_protect_dos_security_log "/etc/app_protect_dos/log-default.json" syslog:server=1.2.3.4:5261; - - app_protect_dos_liveness on; # uri:/app_protect_dos_liveness port:8090 - app_protect_dos_readiness on; # uri:/app_protect_dos_readiness port:8090 - - server { - listen 80 reuseport; - server_name serv; - - set $loggable '0'; - access_log /var/log/nginx/access.log log_napd if=$loggable; - # access_log syslog:server=1.1.1.1:5561 log_napd if=$loggable; - - app_protect_dos_policy_file "/etc/app_protect_dos/BADOSDefaultPolicy.json"; - - location / { - app_protect_dos_enable on; - app_protect_dos_name "App1"; - app_protect_dos_monitor uri=http://serv:80/ protocol=http1; - proxy_pass http://1.2.3.4:80; - } - } - - server { - listen 8090; - server_name probe; - - location / { - proxy_pass http://localhost:8091; - } - } - - server { - listen 8091; - return 503; - } - - sendfile on; - tcp_nopush on; - keepalive_timeout 65; -} -``` - ### App Protect DoS Arbitrator Arbitrator (arb) is an internal service that is essential for the scaling scenarios. The arbitrator service should be deployed in the same namespace as F5 DoS for NGINX. From 8ccf58bb3b81e5454c0d8c16e82373ab93b3df32 Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Thu, 4 Dec 2025 14:28:13 +0200 Subject: [PATCH 03/23] feature: dos k8s / dos k8s with ebpf --- .../learn-about-deployment.md | 131 ------------------ 1 file changed, 131 deletions(-) diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md index f3a5ff8574..22d966fd2f 100644 --- a/content/nap-dos/deployment-guide/learn-about-deployment.md +++ b/content/nap-dos/deployment-guide/learn-about-deployment.md 
@@ -1331,57 +1331,6 @@ Make sure to replace upstream and proxy pass directives in this example with rel {{< include "/dos/dockerfiles/ubuntu-plus-dos-waf.md" >}} -## F5 DoS for NGINX Arbitrator - -### Overview - -F5 DoS for NGINX arbitrator orchestrates all the running F5 DoS for NGINX instances to synchronize local/global attack start/stop. - -F5 DoS for NGINX arbitrator serves as a central coordinating component for managing multiple instances of App Protect DoS in a network. It is needed when there are more than one F5 DoS for NGINX instances. Its primary function is to ensure that all instances are aware of and share the same state for each protected object. Here's a clearer breakdown of how it works and why it's necessary: - -How F5 DoS for NGINX Arbitrator Works: - -- **Collecting State Periodically**: The arbitrator regularly collects the state information from all running instances of App Protect DoS. This collection occurs at set intervals, typically every 10 seconds. -- **State Initialization for New Instances**: When a new App Protect DoS instance is created, it doesn't start with a blank or uninitialized state for a protected object. Instead, it retrieves the initial state for the protected object from the arbitrator. -- **Updating State in Case of an Attack**: If an attack is detected by one of the App Protect DoS instances, that instance sends an attack notification to the arbitrator. The arbitrator then updates the state of the affected protected object to indicate that it is under attack. Importantly, this updated state is propagated to all other instances. - -### Why F5 DoS for NGINX Arbitrator is Necessary - -F5 DoS for NGINX Arbitrator is essential for several reasons: - -- **Global State Management**: Without the arbitrator, each individual instance of App Protect DoS would manage its own isolated state for each protected object. This isolation could lead to inconsistencies. 
For example, if instance A declared an attack on a protected object named "PO-Example," instance B would remain unaware of this attack, potentially leaving the object vulnerable. -- **Uniform Attack Detection**: With the arbitrator in place, when instance A detects an attack on "PO-Example" and reports it to the arbitrator, the state of "PO-Example" is immediately updated to indicate an attack. This means that all instances, including instance B, are aware of the attack and can take appropriate measures to mitigate it. - -In summary, F5 DoS for NGINX Arbitrator acts as a central coordinator to maintain a consistent and up-to-date global state for protected objects across multiple instances of App Protect DoS. This coordination helps ensure that attacks are properly detected and mitigated, and that knowledge gained by one instance is efficiently shared with others, enhancing the overall security of the network. - - -### F5 DoS for NGINX Arbitrator Deployment - -1. Pull the official F5 DoS for NGINX Arbitrator image with the command: - - ```shell - docker pull docker-registry.nginx.com/nap-dos/app_protect_dos_arb:latest - ``` - -2. Create a container based on this image, for example, `app-protect-dos-arb` container: - - ```shell - docker run --name app_protect_dos_arb -p 3000:3000 -d docker-registry.nginx.com/nap-dos/app_protect_dos_arb - ``` - -3. Verify that the `app-protect-dos-arb` container is up and running with the `docker ps` command. - -4. DNS records are required for F5 DoS for NGINX Arbitrator to work properly and be accessible by F5 DoS for NGINX servers. Ensure that the `svc-appprotect-dos-arb` or configured Arbitrator FQDN (with `app_protect_dos_arb_fqdn` directive) has a valid DNS resolution. -This step is necessary only for VM/Docker deployments with arbitrator. When the arbitrator is in the same Kubernetes namespace as F5 DoS for NGINX, this step is not needed. - -### Multi-VM Deployment - -The Arbitrator service is standalone. 
Once it is down, it can be seamlessly re-started. It will immediately recover all the needed information from F5 DoS for NGINX instances that communicate to it every 10 sec. It’s downtime is around 10-20 seconds which will not affect the F5 DoS for NGINX working. - -F5 DoS for NGINX Arbitrator service connects to port 3000 and can be seen under App Protect DoS instances. All modules try to connect to this service automatically. If it’s not accessible, each instance works in standalone mode. - -There is no such option for authentications between F5 DoS for NGINX servers and Arbitrator service like MTLS or password . Currently Arbitrator service is not exposed outside of the namespace. It is customers responsibility to isolate it from outside. It is applicable to any deployment of Arbitrator, not only to multi-VM. - ## Post-Installation Checks {{< include "dos/install-post-checks.md" >}} 
@@ -1427,86 +1376,6 @@ Review the syslog ports by entering the following command: semanage port -l | grep syslog ``` -### App Protect DoS Arbitrator - -Arbitrator (arb) is an internal service that is essential for the scaling scenarios. The arbitrator service should be deployed in the same namespace as F5 DoS for NGINX. - -`appprotect-dos-arb.yaml`: - -```yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: appprotect-dos-arb - namespace: appprotect-dos-wp-diff -spec: - replicas: 1 - selector: - matchLabels: - app: appprotect-dos-arb - template: - metadata: - labels: - app: appprotect-dos-arb - spec: - containers: - - name: arb-svc - image: example.com/app_protect_dos_arb:latest - resources: - requests: - cpu: "200m" - memory: "500Mi" - limits: - cpu: "900m" - memory: "800Mi" - ports: - - containerPort: 3000 -``` - -`svc-appprotect-dos-arb.yaml`: - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: svc-appprotect-dos-arb - namespace: appprotect-dos-wp-diff -spec: - selector: - app: appprotect-dos-arb - ports: - - name: arb - port: 3000 - protocol: TCP - targetPort: 3000 - clusterIP: None -``` - -`install_appprotect-arb.sh`: - -```shell -#!/bin/bash - -set -ex -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -kubectl -n appprotect-dos-wp-diff apply -f ${DIR}/appprotect-dos-arb.yaml -kubectl -n appprotect-dos-wp-diff apply -f ${DIR}/svc-appprotect-dos-arb.yaml -``` - -`install F5 DoS for NGINX with ARB service`: - -```shell -#!/bin/bash - -set -ex -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -kubectl create ns appprotect-dos-wp-diff -${DIR}/appprotect-dos/install.sh -${DIR}/appprotect-dos-arb/install_appprotect-dos-arb.sh -``` - ---- - ## App Protect DoS eBPF manager ### Overview From 606da819362a5381f8eb4f95e596bc72aed7780e Mon Sep 17 00:00:00 2001 
From: "r.nitzan@f5.com" Date: Thu, 4 Dec 2025 14:59:19 +0200 Subject: [PATCH 04/23] feature: dos k8s / dos k8s with ebpf --- content/includes/dos/dos-arbitrator.md | 57 +++++++++++++++++++ .../dos/k8s_arbitrator/appprotect-dos-arb.md | 32 +++++++++++ .../k8s_arbitrator/svc-appprotect-dos-arb.md | 20 +++++++ .../deployment-guide/best-practices.md | 2 +- ...with-dos-and-waf-on-amazon-web-services.md | 2 +- .../kubernetes-with-L3-mitigation.md | 5 +- .../nap-dos/deployment-guide/kubernetes.md | 6 +- .../learn-about-deployment.md | 6 +- 8 files changed, 125 insertions(+), 5 deletions(-) create mode 100644 content/includes/dos/dos-arbitrator.md create mode 100644 content/includes/dos/k8s_arbitrator/appprotect-dos-arb.md create mode 100644 content/includes/dos/k8s_arbitrator/svc-appprotect-dos-arb.md diff --git a/content/includes/dos/dos-arbitrator.md b/content/includes/dos/dos-arbitrator.md new file mode 100644 index 0000000000..6c3612a443 --- /dev/null +++ b/content/includes/dos/dos-arbitrator.md 
@@ -0,0 +1,57 @@ +--- +nd-docs: null +nd-files: +- content/nap-dos/deployment-guide/kubernetes.md +- content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +--- +## F5 DoS for NGINX Arbitrator + +### Overview + +F5 DoS for NGINX arbitrator orchestrates all the running F5 DoS for NGINX instances to synchronize local/global attack start/stop. + +F5 DoS for NGINX arbitrator serves as a central coordinating component for managing multiple instances of App Protect DoS in a network. It is needed when there are more than one F5 DoS for NGINX instances. Its primary function is to ensure that all instances are aware of and share the same state for each protected object. Here's a clearer breakdown of how it works and why it's necessary: + +How F5 DoS for NGINX Arbitrator Works: + +- **Collecting State Periodically**: The arbitrator regularly collects the state information from all running instances of App Protect DoS. This collection occurs at set intervals, typically every 10 seconds. +- **State Initialization for New Instances**: When a new App Protect DoS instance is created, it doesn't start with a blank or uninitialized state for a protected object. Instead, it retrieves the initial state for the protected object from the arbitrator. +- **Updating State in Case of an Attack**: If an attack is detected by one of the App Protect DoS instances, that instance sends an attack notification to the arbitrator. The arbitrator then updates the state of the affected protected object to indicate that it is under attack. Importantly, this updated state is propagated to all other instances. + +### Why F5 DoS for NGINX Arbitrator is Necessary + +F5 DoS for NGINX Arbitrator is essential for several reasons: + +- **Global State Management**: Without the arbitrator, each individual instance of App Protect DoS would manage its own isolated state for each protected object. This isolation could lead to inconsistencies. 
For example, if instance A declared an attack on a protected object named "PO-Example," instance B would remain unaware of this attack, potentially leaving the object vulnerable. +- **Uniform Attack Detection**: With the arbitrator in place, when instance A detects an attack on "PO-Example" and reports it to the arbitrator, the state of "PO-Example" is immediately updated to indicate an attack. This means that all instances, including instance B, are aware of the attack and can take appropriate measures to mitigate it. + +In summary, F5 DoS for NGINX Arbitrator acts as a central coordinator to maintain a consistent and up-to-date global state for protected objects across multiple instances of App Protect DoS. This coordination helps ensure that attacks are properly detected and mitigated, and that knowledge gained by one instance is efficiently shared with others, enhancing the overall security of the network. + + +### F5 DoS for NGINX Arbitrator Deployment + +1. Pull the official F5 DoS for NGINX Arbitrator image with the command: + + ```shell + docker pull docker-registry.nginx.com/nap-dos/app_protect_dos_arb:latest + ``` + +2. Create a container based on this image, for example, `app-protect-dos-arb` container: + + ```shell + docker run --name app_protect_dos_arb -p 3000:3000 -d docker-registry.nginx.com/nap-dos/app_protect_dos_arb + ``` + +3. Verify that the `app-protect-dos-arb` container is up and running with the `docker ps` command. + +4. DNS records are required for F5 DoS for NGINX Arbitrator to work properly and be accessible by F5 DoS for NGINX servers. Ensure that the `svc-appprotect-dos-arb` or configured Arbitrator FQDN (with `app_protect_dos_arb_fqdn` directive) has a valid DNS resolution. + This step is necessary only for VM/Docker deployments with arbitrator. When the arbitrator is in the same Kubernetes namespace as F5 DoS for NGINX, this step is not needed. + +### Multi-VM Deployment + +The Arbitrator service is standalone. 
Once it is down, it can be seamlessly re-started. It will immediately recover all the needed information from F5 DoS for NGINX instances that communicate to it every 10 sec. It’s downtime is around 10-20 seconds which will not affect the F5 DoS for NGINX working. + +F5 DoS for NGINX Arbitrator service connects to port 3000 and can be seen under App Protect DoS instances. All modules try to connect to this service automatically. If it’s not accessible, each instance works in standalone mode. + +There is no such option for authentications between F5 DoS for NGINX servers and Arbitrator service like MTLS or password . Currently Arbitrator service is not exposed outside of the namespace. It is customers responsibility to isolate it from outside. It is applicable to any deployment of Arbitrator, not only to multi-VM. + diff --git a/content/includes/dos/k8s_arbitrator/appprotect-dos-arb.md b/content/includes/dos/k8s_arbitrator/appprotect-dos-arb.md new file mode 100644 index 0000000000..05576f6f2c --- /dev/null +++ b/content/includes/dos/k8s_arbitrator/appprotect-dos-arb.md @@ -0,0 +1,32 @@ +--- +--- + +```appprotect-dos-arb.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: appprotect-dos-arb + namespace: app-protect-dos +spec: + replicas: 1 + selector: + matchLabels: + app: appprotect-dos-arb + template: + metadata: + labels: + app: appprotect-dos-arb + spec: + containers: + - name: arb-svc + image: docker-registry.nginx.com/nap-dos/app_protect_dos_arb:latest + resources: + requests: + cpu: "200m" + memory: "500Mi" + limits: + cpu: "900m" + memory: "800Mi" + ports: + - containerPort: 3000 +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_arbitrator/svc-appprotect-dos-arb.md b/content/includes/dos/k8s_arbitrator/svc-appprotect-dos-arb.md new file mode 100644 index 0000000000..68cd8f5385 --- /dev/null +++ b/content/includes/dos/k8s_arbitrator/svc-appprotect-dos-arb.md 
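Review bot: The arbitrator Deployment uses `image: docker-registry.nginx.com/nap-dos/app_protect_dos_arb:latest` with no `imagePullPolicy`, and Kubernetes defaults a `:latest` tag to `Always`, so every pod restart may silently pull a different build of the component that holds attack state for all instances; pin a release, e.g. `image: docker-registry.nginx.com/nap-dos/app_protect_dos_arb:<release-tag>` (placeholder). The fence opens with ```appprotect-dos-arb.yaml, which is a filename rather than a language, so the renderer will not highlight it; use ```yaml and add the trailing newline the file is missing. The Deployment is placed in `namespace: app-protect-dos`, whereas the companion Service added in svc-appprotect-dos-arb.md uses `appprotect-dos-wp-diff`, so as written the two objects never land in the same namespace.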
@@ -0,0 +1,20 @@ +--- +--- + +```svc-appprotect-dos-arb.yaml +apiVersion: v1 +kind: Service +metadata: + name: svc-appprotect-dos + namespace: appprotect-dos-wp-diff + labels: + app: appprotect-dos +spec: + ports: + - name: app + port: 80 + protocol: TCP + nodePort: 80 + selector: + app: appprotect-dos + type: NodePort``` \ No newline at end of file diff --git a/content/nap-dos/deployment-guide/best-practices.md b/content/nap-dos/deployment-guide/best-practices.md index 206b56c75d..7f5682296a 100644 --- a/content/nap-dos/deployment-guide/best-practices.md +++ b/content/nap-dos/deployment-guide/best-practices.md @@ -3,7 +3,7 @@ description: F5 DoS for NGINX Best Practices Deployment. nd-docs: DOCS-666 title: Best Practices toc: true -weight: 100 +weight: 130 type: - how-to --- diff --git a/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md b/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md index 1a9a21bac2..8b12b68a0f 100644 --- a/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md +++ b/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md @@ -6,7 +6,7 @@ description: Install F5 NGINX Plus, F5 WAF & DoS for NGINX Plus on Amazon Web Se nd-docs: DOCS-1204 title: Installing F5 WAF & DoS for NGINX AMIs on Amazon EC2 toc: true -weight: 110 +weight: 120 type: - how-to --- diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md index ca70d0040b..bb743e6bdb 100644 --- a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +++ b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md 
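Review bot: The new svc-appprotect-dos-arb.md does not describe the arbitrator service: its `name: svc-appprotect-dos`, `selector` `app: appprotect-dos`, port 80 and `type: NodePort` are those of the DoS front-end Service, while the arbitrator Deployment in appprotect-dos-arb.md is labelled `app: appprotect-dos-arb` and exposes `containerPort: 3000`, so this Service selects no arbitrator pod. A NodePort would also publish the port on every node, which contradicts dos-arbitrator.md's own statement that the arbitrator has no authentication and must not be exposed outside the namespace. The headless Service this series removes from learn-about-deployment.md (port 3000, `clusterIP: None`, selector `app: appprotect-dos-arb`) is the right content; the fence below restores it with the Deployment's namespace. The closing ``` is also glued onto the `type: NodePort` line, so the code fence never closes when rendered.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: svc-appprotect-dos-arb
  namespace: app-protect-dos
spec:
  selector:
    app: appprotect-dos-arb
  ports:
  - name: arb
    port: 3000
    protocol: TCP
    targetPort: 3000
  clusterIP: None
```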
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Kubernetes with L3 mitigation"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 200
+weight: 110
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
@@ -350,5 +350,8 @@ kubectl exec -it app-protect-dos-586fb94947-8sjnc -n app-protect-dos -c dos-ebpf
 and can look at .
 {{< include "dos/install-post-checks.md" >}}
+## F5 DoS for NGINX Arbitrator
+
+{{< include "/dos/dos-arbitrator.md" >}}
 ## Next steps
diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md
index d28df075e1..d85b135708 100644
--- a/content/nap-dos/deployment-guide/kubernetes.md
+++ b/content/nap-dos/deployment-guide/kubernetes.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Kubernetes"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 200
+weight: 100
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
@@ -256,4 +256,8 @@ kubectl exec -it app-protect-dos-586fb94947-8sjnc -n app-protect-dos -c nginx-ap
 and can look at .
 {{< include "dos/install-post-checks.md" >}}
+## F5 DoS for NGINX Arbitrator
+
+{{< include "/dos/dos-arbitrator.md" >}}
+
 ## Next steps
diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md
index 22d966fd2f..59587bd4ff 100644
--- a/content/nap-dos/deployment-guide/learn-about-deployment.md
+++ b/content/nap-dos/deployment-guide/learn-about-deployment.md
@@ -1,7 +1,7 @@
 ---
 description: Learn about F5 DoS for NGINX Deployment.
 nd-docs: DOCS-666
-title: Virtual machine and Docker
+title: Virtual Machine and Docker
 toc: true
 weight: 90
 type: 
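Review bot: The added `## F5 DoS for NGINX Arbitrator` heading duplicates the one inside the included file: dos-arbitrator.md, created earlier in this series, already opens with `## F5 DoS for NGINX Arbitrator` right after its front matter, so each rendered page shows the same H2 twice in a row. The same pattern is repeated in the kubernetes.md hunk on this line and in learn-about-deployment.md at the following hunk. Drop the heading either from the three callers or from the include, so the TOC has a single anchor for the section. The L3 hunk also omits the blank line before `## Next steps` that the kubernetes.md hunk adds; the two should be consistent.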
@@ -1331,6 +1331,10 @@ Make sure to replace upstream and proxy pass directives in this example with rel {{< include "/dos/dockerfiles/ubuntu-plus-dos-waf.md" >}} +## F5 DoS for NGINX Arbitrator + +{{< include "/dos/dos-arbitrator.md" >}} + ## Post-Installation Checks {{< include "dos/install-post-checks.md" >}} From aaf974e477d12302164a676db261d49ae571df2b Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Sun, 7 Dec 2025 11:23:50 +0200 Subject: [PATCH 05/23] feature: dos k8s / dos k8s with ebpf --- .../dos/dockerfiles/rhel8-plus-dos-waf.md | 54 +++++++++++++++++++ .../dos/dockerfiles/rhel8-plus-dos.md | 12 ++++- .../dos/dockerfiles/rhel9-plus-dos-waf.md | 38 +++++++++++++ content/includes/dos/install-post-checks.md | 18 ++++--- 4 files changed, 113 insertions(+), 9 deletions(-) diff --git a/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md b/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md index 8fcc9ce82f..3d903f9dea 100644 --- a/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md 
@@ -2,4 +2,58 @@ --- ```dockerfile +# For UBI 8 +FROM registry.access.redhat.com/ubi8 + +ARG RHEL_ORG +ARG RHEL_ACTIVATION_KEY + +# Install F5 DoS for NGINXWhat is the diff between following I see in F5 WAF for NGINX + +https://docs.nginx.com/waf/install/docker/#ubuntu + +apt install -y app-protect-module-plus + +and following that we have on F5 DOS for NGINX + +apt-get install -y app-protect + + +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ + subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \ + && subscription-manager refresh \ + && subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms \ + && subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms \ + && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ + && dnf -y install ca-certificates \ + && curl -o /etc/yum.repos.d/plus-8.repo https://cs.nginx.com/static/files/plus-8.repo \ + && curl -o /etc/yum.repos.d/app-protect-dos-8.repo https://cs.nginx.com/static/files/app-protect-dos-8.repo \ + && dnf -y install app-protect-dos \ + && cat license.jwt > /etc/nginx/license.jwt \ + && rm /etc/yum.repos.d/plus-8.repo \ + && rm /etc/yum.repos.d/app-protect-dos-8.repo \ + && dnf clean all \ + && rm -rf /var/cache/yum \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && subscription-manager unregister + +# Copy configuration files: +RUN --mount=type=secret,id=nginx_license_secret \ + sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ + chmod 600 /etc/nginx/license.jwt + +RUN nginx -v && admd -v + +COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY entrypoint.sh /root/ +RUN chmod +x /root/entrypoint.sh + +EXPOSE 80 + +STOPSIGNAL SIGQUIT + +CMD 
["sh", "/root/entrypoint.sh"] ``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/rhel8-plus-dos.md b/content/includes/dos/dockerfiles/rhel8-plus-dos.md index 247b4afdde..3d903f9dea 100644 --- a/content/includes/dos/dockerfiles/rhel8-plus-dos.md +++ b/content/includes/dos/dockerfiles/rhel8-plus-dos.md @@ -8,7 +8,17 @@ FROM registry.access.redhat.com/ubi8 ARG RHEL_ORG ARG RHEL_ACTIVATION_KEY -# Install F5 DoS for NGINX +# Install F5 DoS for NGINXWhat is the diff between following I see in F5 WAF for NGINX + +https://docs.nginx.com/waf/install/docker/#ubuntu + +apt install -y app-protect-module-plus + +and following that we have on F5 DOS for NGINX + +apt-get install -y app-protect + + RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ diff --git a/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md b/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md index 8fcc9ce82f..cb0f3e589b 100644 --- a/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md 
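Review bot: In rhel8-plus-dos.md the `# Install F5 DoS for NGINX` comment is replaced by what reads as a pasted question (`# Install F5 DoS for NGINXWhat is the diff between ...`), and the lines that follow it (`https://docs.nginx.com/waf/install/docker/#ubuntu`, `apt install -y app-protect-module-plus`, `and following that ...`) are not comments, so the Dockerfile no longer parses and the build stops at an unknown instruction. The rhel8-plus-dos-waf.md hunk above carries the same text; PATCH 06 later reverts that file but leaves rhel8-plus-dos.md as it is here. Restore the single line `# Install F5 DoS for NGINX` and remove the pasted block. Separately, the `index` lines show both files ending at the same blob `3d903f9dea`, which means the `-waf` include is byte-identical to the DoS-only one, installs only `app-protect-dos`, and writes `/etc/nginx/license.jwt` twice (first from the `license-jwt` secret mount, then base64-decoded from `nginx_license_secret`); whichever variant survives should install the WAF package and write the license exactly once.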
@@ -2,4 +2,42 @@ --- ```dockerfile +# For UBI 9 +FROM registry.access.redhat.com/ubi9 + +ARG RHEL_ORG +ARG RHEL_ACTIVATION_KEY + +# Install F5 DoS for NGINX +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ + subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \ + && subscription-manager refresh \ + && subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms \ + && subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms \ + && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ + && dnf -y install ca-certificates \ + && curl -o /etc/yum.repos.d/plus-9.repo https://cs.nginx.com/static/files/plus-9.repo \ + && curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \ + && dnf -y install app-protect-dos \ + && cat license.jwt > /etc/nginx/license.jwt \ + && rm /etc/yum.repos.d/plus-9.repo \ + && rm /etc/yum.repos.d/app-protect-dos-9.repo \ + && dnf clean all \ + && rm -rf /var/cache/yum \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && subscription-manager unregister + +# Copy configuration files: +COPY nginx.conf custom_log_format.json /etc/nginx/ +COPY entrypoint.sh /root/ +RUN chmod +x /root/entrypoint.sh + +EXPOSE 80 + +STOPSIGNAL SIGQUIT + +CMD ["sh", "/root/entrypoint.sh"] ``` \ No newline at end of file diff --git a/content/includes/dos/install-post-checks.md b/content/includes/dos/install-post-checks.md index e34cddbec4..f106ddf365 100644 --- a/content/includes/dos/install-post-checks.md +++ b/content/includes/dos/install-post-checks.md 
@@ -24,14 +24,16 @@ You can run the following commands to ensure that F5 DoS for NGINX enforcement i 2. Verify that there are no NGINX errors in the `/var/log/nginx/error.log` and that the policy compiled successfully: ```shell - 2020/09/07 15:33:44 [notice] 9307#9307: using the "epoll" event method - 2020/09/07 15:33:44 [notice] 9307#9307: nginx/1.19.0 (nginx-plus-r22) - 2020/09/07 15:33:44 [notice] 9307#9307: built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) - 2020/09/07 15:33:44 [notice] 9307#9307: OS: Linux 3.10.0-327.28.3.el7.x86_64 - 2020/09/07 15:33:44 [notice] 9307#9307: getrlimit(RLIMIT_NOFILE): 1024:4096 - 2020/09/07 15:33:44 [notice] 9310#9310: start worker processes - 2020/09/07 15:33:44 [notice] 9310#9310: start worker process 9311 - PID <9311>, WORKER <0>, Function adm_ngx_init_process, line 684, version: 22+1.19.4-1.el7.ngx + 2025/12/07 09:14:34 [notice] 675#675: APP_PROTECT_DOS { "event": "shared_memory_connected", "worker_pid": 675, "mode": "operational", "mode_changed": true } + 2025/12/07 09:14:34 [notice] 675#675: using the "epoll" event method + 2025/12/07 09:14:34 [notice] 675#675: APP_PROTECT_DOS { "event": "configuration_load_success", "software_version": "36+4.8.3-1.el8.ngx"} + 2025/12/07 09:14:34 [notice] 675#675: nginx/1.29.3 (nginx-plus-r36) + 2025/12/07 09:14:34 [notice] 675#675: built by gcc 8.5.0 20210514 (Red Hat 8.5.0-28) (GCC) + 2025/12/07 09:14:34 [notice] 675#675: OS: Linux 6.8.0-88-generic + 2025/12/07 09:14:34 [notice] 675#675: getrlimit(RLIMIT_NOFILE): 1048576:1048576 + 2025/12/07 09:14:34 [notice] 675#675: start worker processes + 2025/12/07 09:14:34 [notice] 675#675: start worker process 679 + 2025/12/07 09:14:34 [notice] 679#679: APP_PROTECT_DOS { "event": "shared_memory_connected", "worker_pid": 679, "mode": "operational", "mode_changed": true } ``` 3. Check that by applying an attack, the attacker IP addresses are blocked while the good traffic pass through: 
From ab150be02b1e5a7cf8b05860f4c35b812faa3f2a Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Sun, 7 Dec 2025 12:16:21 +0200 Subject: [PATCH 06/23] feature: dos k8s / dos k8s with ebpf --- .../dos/dockerfiles/rhel8-plus-dos-waf.md | 54 ------------------- .../dos/dockerfiles/rhel9-plus-dos-waf.md | 38 ------------- .../kubernetes-with-L3-mitigation.md | 1 + .../nap-dos/deployment-guide/kubernetes.md | 1 + 4 files changed, 2 insertions(+), 92 deletions(-) diff --git a/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md b/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md index 3d903f9dea..8fcc9ce82f 100644 --- a/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md 
@@ -2,58 +2,4 @@ --- ```dockerfile -# For UBI 8 -FROM registry.access.redhat.com/ubi8 - -ARG RHEL_ORG -ARG RHEL_ACTIVATION_KEY - -# Install F5 DoS for NGINXWhat is the diff between following I see in F5 WAF for NGINX - -https://docs.nginx.com/waf/install/docker/#ubuntu - -apt install -y app-protect-module-plus - -and following that we have on F5 DOS for NGINX - -apt-get install -y app-protect - - -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \ - && subscription-manager refresh \ - && subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms \ - && subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms \ - && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ - && dnf -y install ca-certificates \ - && curl -o /etc/yum.repos.d/plus-8.repo https://cs.nginx.com/static/files/plus-8.repo \ - && curl -o /etc/yum.repos.d/app-protect-dos-8.repo https://cs.nginx.com/static/files/app-protect-dos-8.repo \ - && dnf -y install app-protect-dos \ - && cat license.jwt > /etc/nginx/license.jwt \ - && rm /etc/yum.repos.d/plus-8.repo \ - && rm /etc/yum.repos.d/app-protect-dos-8.repo \ - && dnf clean all \ - && rm -rf /var/cache/yum \ - && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log \ - && subscription-manager unregister - -# Copy configuration files: -RUN --mount=type=secret,id=nginx_license_secret \ - sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ - chmod 600 /etc/nginx/license.jwt - -RUN nginx -v && admd -v - -COPY nginx.conf custom_log_format.json /etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 - -STOPSIGNAL SIGQUIT - -CMD 
["sh", "/root/entrypoint.sh"] ``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md b/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md index cb0f3e589b..8fcc9ce82f 100644 --- a/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md @@ -2,42 +2,4 @@ --- ```dockerfile -# For UBI 9 -FROM registry.access.redhat.com/ubi9 - -ARG RHEL_ORG -ARG RHEL_ACTIVATION_KEY - -# Install F5 DoS for NGINX -RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ - --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \ - && subscription-manager refresh \ - && subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms \ - && subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms \ - && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ - && dnf -y install ca-certificates \ - && curl -o /etc/yum.repos.d/plus-9.repo https://cs.nginx.com/static/files/plus-9.repo \ - && curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \ - && dnf -y install app-protect-dos \ - && cat license.jwt > /etc/nginx/license.jwt \ - && rm /etc/yum.repos.d/plus-9.repo \ - && rm /etc/yum.repos.d/app-protect-dos-9.repo \ - && dnf clean all \ - && rm -rf /var/cache/yum \ - && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log \ - && subscription-manager unregister - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ -COPY entrypoint.sh /root/ -RUN chmod +x /root/entrypoint.sh - -EXPOSE 80 - -STOPSIGNAL SIGQUIT - -CMD ["sh", "/root/entrypoint.sh"] ``` \ No newline at end of file 
diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md index bb743e6bdb..b3fb80771d 100644 --- a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +++ b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md @@ -199,6 +199,7 @@ Your folder should contain the following files: - _nginx-repo.key_ - _license.jwt_ - _entrypoint.sh_ +- _nginx.conf_ - _Dockerfile_ To build an image, use the following command, replacing `` as appropriate: diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md index d85b135708..ea8f85b736 100644 --- a/content/nap-dos/deployment-guide/kubernetes.md +++ b/content/nap-dos/deployment-guide/kubernetes.md @@ -129,6 +129,7 @@ Your folder should contain the following files: - _nginx-repo.key_ - _license.jwt_ - _entrypoint.sh_ +- _nginx.conf_ - _Dockerfile_ To build an image, use the following command, replacing `` as appropriate: From 8e8a9b56bf4ccd525e42c9c460bed79c0b106441 Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Sun, 7 Dec 2025 13:44:15 +0200 Subject: [PATCH 07/23] feature: dos k8s / dos k8s with ebpf --- .../dos/k8s_manifest/dos-deployment.md | 96 +++++++++++++++++++ .../kubernetes-with-L3-mitigation.md | 2 +- .../nap-dos/deployment-guide/kubernetes.md | 2 +- 3 files changed, 98 insertions(+), 2 deletions(-) diff --git a/content/includes/dos/k8s_manifest/dos-deployment.md b/content/includes/dos/k8s_manifest/dos-deployment.md index e69de29bb2..5638094932 100644 --- a/content/includes/dos/k8s_manifest/dos-deployment.md +++ b/content/includes/dos/k8s_manifest/dos-deployment.md 
@@ -0,0 +1,96 @@ +--- +--- + +```dos-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-protect-dos + namespace: app-protect-dos + labels: + app: app-protect-dos +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: app-protect-dos + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 2 + maxUnavailable: 1 + template: + metadata: + labels: + app: app-protect-dos + spec: + containers: + - name: nginx-app-protect-dos + image: /: + imagePullPolicy: Always + + command: ["/bin/bash", "-c"] + args: + - | + /root/entrypoint.sh + + resources: + requests: + cpu: "200m" + memory: "500Mi" + limits: + cpu: "900m" + memory: "800Mi" + + ports: + - containerPort: 80 + name: web + - containerPort: 8090 + name: probe + - containerPort: 8091 + name: probe500 + + livenessProbe: + httpGet: + path: /app_protect_dos_liveness + port: 8090 + initialDelaySeconds: 5 + periodSeconds: 10 + + readinessProbe: + httpGet: + path: /app_protect_dos_readiness + port: 8090 + initialDelaySeconds: 5 + periodSeconds: 10 + + volumeMounts: + - name: shared-dir + mountPath: /shared/ + - name: conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + - name: log-default + mountPath: /etc/app_protect_dos/log-default.json + subPath: log-default.json + + volumes: + - name: shared-dir + persistentVolumeClaim: + claimName: pvc-app-protect-dos-shared + - name: conf + configMap: + name: dos-nginx-conf + items: + - key: nginx.conf + path: nginx.conf + - name: log-default + configMap: + name: dos-log-default + defaultMode: 0644 + items: + - key: log-default.json + path: log-default.json + +``` \ No newline at end of file diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md index b3fb80771d..9b268df204 100644 --- a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +++ b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md 
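Review bot: The pod template in this new `dos-deployment.yaml` declares no `securityContext` at pod or container level, and the container is started as `/bin/bash -c /root/entrypoint.sh`, so it runs as whatever user the image defaults to (root, as far as the Dockerfiles in this series show) with the full default capability set. If the NGINX master and `admd` genuinely need root here, it is still worth setting `allowPrivilegeEscalation: false` and dropping all capabilities, re-adding only what port 80 needs; if they do not, `runAsNonRoot: true` belongs there too. Two smaller points: the fence is tagged ```dos-deployment.yaml, which is not a language identifier (```yaml is what gets highlighted), and the Deployment carries no `imagePullSecrets`, so with the registry-credential step removed later in this series it only works when the cluster can pull the image without credentials. The `image: /:` value looks like a placeholder that lost its bracket markers in this copy rather than a real defect.
```yaml
      containers:
      - name: nginx-app-protect-dos
        # … unchanged: image, command, args, resources, ports, probes, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add: ["NET_BIND_SERVICE"]   # for port 80; confirm whether admd needs anything further
```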
@@ -307,7 +307,7 @@ From the folder containing the YAML files from the previous step (Suggested as ` ```shell kubectl apply -f manifests/dos-namespace.yaml kubectl apply -f manifests/dos-storage.yaml -kubectl apply -f manifests/dos-nginx-conf-configmap.yam +kubectl apply -f manifests/dos-nginx-conf-configmap.yaml kubectl apply -f manifests/dos-log-default-configmap.yaml kubectl apply -f manifests/dos-deployment.yaml kubectl apply -f manifests/dos-service.yaml diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md index ea8f85b736..ac09c61acb 100644 --- a/content/nap-dos/deployment-guide/kubernetes.md +++ b/content/nap-dos/deployment-guide/kubernetes.md @@ -217,7 +217,7 @@ From the folder containing the YAML files from the previous step (Suggested as ` ```shell kubectl apply -f manifests/dos-namespace.yaml kubectl apply -f manifests/dos-storage.yaml -kubectl apply -f manifests/dos-nginx-conf-configmap.yam +kubectl apply -f manifests/dos-nginx-conf-configmap.yaml kubectl apply -f manifests/dos-log-default-configmap.yaml kubectl apply -f manifests/dos-deployment.yaml kubectl apply -f manifests/dos-service.yaml From 99dd3dada6cfe8a00a31b7dd76a7280433a2ebc3 Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Sun, 7 Dec 2025 15:33:51 +0200 Subject: [PATCH 08/23] feature: dos k8s / dos k8s with ebpf --- content/includes/dos/dockerfiles/alpine-plus-dos.md | 4 ---- content/includes/dos/dockerfiles/amazon-plus-dos.md | 4 ---- content/includes/dos/dockerfiles/debian-plus-dos.md | 4 ---- content/includes/dos/dockerfiles/rhel8-plus-dos.md | 5 ----- content/includes/dos/dockerfiles/ubuntu-plus-dos.md | 4 ---- 5 files changed, 21 deletions(-) diff --git a/content/includes/dos/dockerfiles/alpine-plus-dos.md b/content/includes/dos/dockerfiles/alpine-plus-dos.md index a00edefe7e..02cc66995e 100644 --- a/content/includes/dos/dockerfiles/alpine-plus-dos.md +++ b/content/includes/dos/dockerfiles/alpine-plus-dos.md 
@@ -24,10 +24,6 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ && ln -sf /dev/stderr /var/log/nginx/error.log \ && rm -rf /var/cache/apk/* -RUN --mount=type=secret,id=nginx_license_secret \ - sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ - chmod 600 /etc/nginx/license.jwt - RUN nginx -v && admd -v # Copy configuration files: diff --git a/content/includes/dos/dockerfiles/amazon-plus-dos.md b/content/includes/dos/dockerfiles/amazon-plus-dos.md index 1abdd34bd8..db497f208b 100644 --- a/content/includes/dos/dockerfiles/amazon-plus-dos.md +++ b/content/includes/dos/dockerfiles/amazon-plus-dos.md @@ -19,10 +19,6 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log -RUN --mount=type=secret,id=nginx_license_secret \ - sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ - chmod 600 /etc/nginx/license.jwt - RUN nginx -v && admd -v # Copy configuration files: diff --git a/content/includes/dos/dockerfiles/debian-plus-dos.md b/content/includes/dos/dockerfiles/debian-plus-dos.md index 6811a655d4..2a62131ec0 100644 --- a/content/includes/dos/dockerfiles/debian-plus-dos.md +++ b/content/includes/dos/dockerfiles/debian-plus-dos.md @@ -31,10 +31,6 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log -RUN --mount=type=secret,id=nginx_license_secret \ - sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ - chmod 600 /etc/nginx/license.jwt - RUN nginx -v && admd -v COPY nginx.conf /etc/nginx/ diff --git a/content/includes/dos/dockerfiles/rhel8-plus-dos.md b/content/includes/dos/dockerfiles/rhel8-plus-dos.md index 3d903f9dea..4568937e25 100644 
--- a/content/includes/dos/dockerfiles/rhel8-plus-dos.md +++ b/content/includes/dos/dockerfiles/rhel8-plus-dos.md @@ -40,11 +40,6 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stderr /var/log/nginx/error.log \ && subscription-manager unregister -# Copy configuration files: -RUN --mount=type=secret,id=nginx_license_secret \ - sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ - chmod 600 /etc/nginx/license.jwt - RUN nginx -v && admd -v COPY nginx.conf custom_log_format.json /etc/nginx/ diff --git a/content/includes/dos/dockerfiles/ubuntu-plus-dos.md b/content/includes/dos/dockerfiles/ubuntu-plus-dos.md index c549efdc60..132b93e2ca 100644 --- a/content/includes/dos/dockerfiles/ubuntu-plus-dos.md +++ b/content/includes/dos/dockerfiles/ubuntu-plus-dos.md @@ -34,10 +34,6 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log -RUN --mount=type=secret,id=nginx_license_secret \ - sh -c 'cat /run/secrets/nginx_license_secret | base64 -d > /etc/nginx/license.jwt' && \ - chmod 600 /etc/nginx/license.jwt - RUN nginx -v && admd -v COPY nginx.conf /etc/nginx/ From 58b91dc8717ec4506f1f8961d2674d2f5c6467af Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Sun, 7 Dec 2025 15:50:01 +0200 Subject: [PATCH 09/23] feature: dos k8s / dos k8s with ebpf --- .../kubernetes-with-L3-mitigation.md | 13 ------------- content/nap-dos/deployment-guide/kubernetes.md | 10 ---------- 2 files changed, 23 deletions(-) diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md index 9b268df204..562c4a35fe 100644 --- a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +++ b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md 
@@ -237,19 +237,6 @@ From this point, the steps change based on your installation method: ## Use Manifests to install F5 DOS for NGINX - -### Create a Secret - -Before you can start the Manifest deployment, you need a Kubernetes secret for the Docker registry. - -You can create the secret using `kubectl create`: - -```shell -kubectl create secret docker-registry regcred --docker-server=private-registry.nginx.com --docker-username= --docker-password=none -``` - -The `` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace. - ### Create Manifest files The default configuration provided creates two replicas, each hosting NGINX and DOS services together in a single Kubernetes pod. diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md index ac09c61acb..c8b17b4386 100644 --- a/content/nap-dos/deployment-guide/kubernetes.md +++ b/content/nap-dos/deployment-guide/kubernetes.md @@ -150,16 +150,6 @@ From this point, the steps change based on your installation method: ## Use Manifests to install F5 DOS for NGINX -### Create a Secret - -Before you can start the Manifest deployment, you need a Kubernetes secret for the Docker registry. - -You can create the secret using `kubectl create`: - -```shell -kubectl create secret docker-registry regcred --docker-server=private-registry.nginx.com --docker-username= --docker-password=none -``` - The `` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace. ### Create Manifest files From 0014447a4b8f05455a564aaff5f5dd172966905d Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Mon, 8 Dec 2025 12:57:10 +0200 Subject: [PATCH 10/23] feature: dos k8s and fix's --- content/nap-dos/monitoring/types-of-logs.md | 4 ++-- content/nap-dos/troubleshooting/how-to-troubleshoot.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
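Review bot: In the `content/nap-dos/deployment-guide/kubernetes.md` hunk the whole "Create a Secret" section is removed, but the sentence that followed it, `The `` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace.`, is kept as context, so it now sits directly under the "Use Manifests" heading and refers to an argument that no longer exists on the page. The L3-mitigation hunk in the same commit removes that sentence together with the section; the two guides should match, so drop it here as well. With the registry-credential step gone, the guide should also say explicitly that the built image must live in a registry the cluster can pull from, since the manifests shown earlier in this series do not reference a pull secret.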
diff --git a/content/nap-dos/monitoring/types-of-logs.md b/content/nap-dos/monitoring/types-of-logs.md index eea14621c6..3a1d9de4d6 100644 --- a/content/nap-dos/monitoring/types-of-logs.md +++ b/content/nap-dos/monitoring/types-of-logs.md @@ -12,8 +12,8 @@ There are 4 types of logs corresponding to App Protect DoS: - [Security Log](#security-log): The general picture of the site and how App Protect DoS processed it, including anomalies and signatures found. - [Operation Log](#operation-log): Events such as configuration errors or warnings. -- [Debug Logs](#debug-log): Technical messages at different levels of severity used to debug and resolve incidents and error behaviors. - [Request Logging](#request-log): F5 DoS for NGINX adds information to each request logged to NGINX's access logging mechanism. +- [Debug Logs](#debug-log): Technical messages at different levels of severity used to debug and resolve incidents and error behaviors. {{< call-out "note" >}} NGINX does not have audit logs in the sense of *"**who** did **what**"*. This can be done either from the orchestration system controlling NGINX (such as NGINX Controller) or by tracking the configuration files and the systemd invocations using Linux tools. @@ -48,7 +48,7 @@ This directive determines the destination of the `access_log` and the name of th ### App Protect DoS Variables These are the variables added to Access Log. They are a subset of the Security log attributes. The Security log names are prefixed with `$app_protect_dos`.
For more information refer to [F5 DoS for NGINX Access Log]({{< ref "/nap-dos/monitoring/access-log.md" >}}) -## Debug Log - F5 DoS for NGINX +## Debug Log The F5 DoS for NGINX Debug log is used to troubleshoot the functionality of the product.
The path of the log is at a fixed location: `/var/log/adm/admd.log`. diff --git a/content/nap-dos/troubleshooting/how-to-troubleshoot.md b/content/nap-dos/troubleshooting/how-to-troubleshoot.md index 019de886ed..123f805227 100644 --- a/content/nap-dos/troubleshooting/how-to-troubleshoot.md +++ b/content/nap-dos/troubleshooting/how-to-troubleshoot.md @@ -28,7 +28,7 @@ This Troubleshooting Guide is intended to provide guidance to customers in the d | More protected objects than expected | The `app_protect_dos_enable` directive is inherited by all server and location blocks beneath it, each block will be a protected object.
Consider moving this directive from outer to inner block.
Refer to: [F5 DoS for NGINX - Directives and Policy]({{< ref "/nap-dos/directives-and-policy/learn-about-directives-and-policy.md" >}}) | | `No DOS protection for ngx_worker at idx X` warning message | There are more nginx processes than allowed.
Either decrease the number of nginx processes (ngx_processes directive in `nginx.conf` file) or increase the number of supported workers for F5 DoS for NGINX using the flag `--max-workers NUM` for `/usr/bin/adminstall`. | | `unknown directive 'app_protect_dos_xxx'` error message | App Protect DOS module is not loaded. Add this line to the main (global) context of nginx.conf:
`load_module "/etc/nginx/modules/ngx_http_app_protect_dos_module.so";` | -| NGINX struggles handling a high rate of incoming connections | Linux machine should be tuned for optimal performance.
Refer to [Tuning NGINX for Performance](https://www.nginx.com/blog/tuning-nginx/) | +| NGINX struggles handling a high rate of incoming connections | Linux machine should be tuned for optimal performance.
Refer to [Tuning NGINX for Performance](https://www.f5.com/company/blog/nginx/tuning-nginx) | | Error in `adminstall` process, such as `Failed to allocate` | Insufficient memory to allocate all the required resources.
Increase the `--memory` size or decrease the number of nginx workers (`--max_workers`) if not all of them are going to be in use.
Use the `--help` flag for more info. | {{}} From afcf19f4e043be5d9ec5313615dc00cd7026ec86 Mon Sep 17 00:00:00 2001 From: Raanan <59834489+rnitzan@users.noreply.github.com> Date: Mon, 8 Dec 2025 12:57:46 +0200 Subject: [PATCH 11/23] Update content/nap-dos/deployment-guide/best-practices.md Co-authored-by: Alan Dooley --- content/nap-dos/deployment-guide/best-practices.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/nap-dos/deployment-guide/best-practices.md b/content/nap-dos/deployment-guide/best-practices.md index 7f5682296a..ba1ef81888 100644 --- a/content/nap-dos/deployment-guide/best-practices.md +++ b/content/nap-dos/deployment-guide/best-practices.md @@ -4,8 +4,8 @@ nd-docs: DOCS-666 title: Best Practices toc: true weight: 130 -type: -- how-to +nd-content-type: how-to +nd-product: F5DOSN --- This guide shows how to modify your NGINX configuration to enable F5 DoS for NGINX (NGINX App Protect DoS). We will configure F5 DoS For NGINX to protect a proxy server. From daa49c9aa3780a4581488d38f04b40e38e928b87 Mon Sep 17 00:00:00 2001 From: Raanan <59834489+rnitzan@users.noreply.github.com> Date: Mon, 8 Dec 2025 12:57:56 +0200 Subject: [PATCH 12/23] Update content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md Co-authored-by: Alan Dooley --- ...ling-nginx-plus-with-dos-and-waf-on-amazon-web-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md b/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md index 8b12b68a0f..8a4a89217a 100644 --- a/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md +++ b/content/nap-dos/deployment-guide/installing-nginx-plus-with-dos-and-waf-on-amazon-web-services.md 
@@ -7,8 +7,8 @@ nd-docs: DOCS-1204 title: Installing F5 WAF & DoS for NGINX AMIs on Amazon EC2 toc: true weight: 120 -type: -- how-to +nd-content-type: how-to +nd-product: F5DOSN --- From e1c70bbc5bf097733e645340538b259340e5d76d Mon Sep 17 00:00:00 2001 From: Raanan <59834489+rnitzan@users.noreply.github.com> Date: Sun, 21 Dec 2025 17:45:05 +0200 Subject: [PATCH 13/23] Update content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md Co-authored-by: Alan Dooley --- .../nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md index 562c4a35fe..f99a1aed67 100644 --- a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +++ b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md @@ -7,7 +7,7 @@ weight: 110 toc: true # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -nd-product: DOS +nd-product: F5DOSN --- This page describes how to install F5 DOS for NGINX using Kubernetes. From 8e23cbe56b1b017b81ab8705256af1492b6a2bfc Mon Sep 17 00:00:00 2001 From: Raanan <59834489+rnitzan@users.noreply.github.com> Date: Sun, 21 Dec 2025 17:45:14 +0200 Subject: [PATCH 14/23] Update content/nap-dos/deployment-guide/kubernetes.md Co-authored-by: Alan Dooley --- content/nap-dos/deployment-guide/kubernetes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md index c8b17b4386..13b67f8cc7 100644 --- a/content/nap-dos/deployment-guide/kubernetes.md +++ b/content/nap-dos/deployment-guide/kubernetes.md 
@@ -7,7 +7,7 @@ weight: 100 toc: true # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -nd-product: DOS +nd-product: F5DOSN --- This page describes how to install F5 DOS for NGINX using Kubernetes. From e4f93935f2b0fce3fac2fef77cd48b2a98be3fdc Mon Sep 17 00:00:00 2001 
From: "r.nitzan@f5.com" Date: Mon, 22 Dec 2025 10:49:43 +0200 Subject: [PATCH 15/23] dos k8s --- .../dos/dockerfiles/alpine-ebpf-manager.md | 11 ++-- .../dos/dockerfiles/alpine-plus-dos-waf.md | 19 +++---- .../dos/dockerfiles/alpine-plus-dos.md | 12 ++--- .../dos/dockerfiles/amazon-ebpf-manager.md | 16 +++--- .../dos/dockerfiles/amazon-plus-dos-waf.md | 27 +++++----- .../dos/dockerfiles/amazon-plus-dos.md | 13 ++--- .../dos/dockerfiles/debian-ebpf-manager.md | 15 +++--- .../dos/dockerfiles/debian-plus-dos-waf.md | 26 +++++----- .../dos/dockerfiles/debian-plus-dos.md | 18 +++---- .../dos/dockerfiles/rhel8-ebpf-manager.md | 11 ++-- .../dos/dockerfiles/rhel8-plus-dos-waf.md | 5 -- .../dos/dockerfiles/rhel8-plus-dos.md | 29 +++-------- .../dos/dockerfiles/rhel9-ebpf-manager.md | 11 ++-- .../dos/dockerfiles/rhel9-plus-dos-waf.md | 5 -- .../dos/dockerfiles/rhel9-plus-dos.md | 15 +++--- .../dos/dockerfiles/rocky9-ebpf-manager.md | 11 ++-- .../dos/dockerfiles/rocky9-plus-dos-waf.md | 34 +++++++++++++ .../dos/dockerfiles/rocky9-plus-dos.md | 9 ++-- .../dos/dockerfiles/ubuntu-ebpf-manager.md | 17 ++++--- .../dos/dockerfiles/ubuntu-plus-dos-waf.md | 32 ++++++------ .../dos/dockerfiles/ubuntu-plus-dos.md | 18 +++---- content/includes/dos/dos-waf-entrypoint.md | 3 +- .../includes/dos/ebpf-manager-entrypoint.md | 7 --- .../dos/k8s_arbitrator/appprotect-dos-arb.md | 17 ++----- .../k8s_arbitrator/svc-appprotect-dos-arb.md | 21 ++++---- .../dos/k8s_manifest/backend-nginx.md | 50 ------------------- .../dos/k8s_manifest/dos-deployment.md | 19 +++++-- .../k8s_manifest/dos-nginx-conf-configmap.md | 15 ++++-- .../includes/dos/k8s_manifest/dos-service.md | 2 +- .../includes/dos/k8s_manifest/dos-storage.md | 16 ------ .../k8s_with_ebpf_manifest/backend-nginx.md | 50 ------------------- .../k8s_with_ebpf_manifest/dos-deployment.md | 41 +++++++++------ .../dos-nginx-conf-configmap.md | 12 +++-- .../dos/k8s_with_ebpf_manifest/dos-service.md | 1 + 
.../dos/k8s_with_ebpf_manifest/dos-storage.md | 16 ------ .../nap-dos/deployment-guide/kubernetes.md | 8 ++- 36 files changed, 265 insertions(+), 367 deletions(-) delete mode 100644 content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md delete mode 100644 content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md delete mode 100644 content/includes/dos/ebpf-manager-entrypoint.md delete mode 100644 content/includes/dos/k8s_manifest/backend-nginx.md delete mode 100644 content/includes/dos/k8s_manifest/dos-storage.md delete mode 100644 content/includes/dos/k8s_with_ebpf_manifest/backend-nginx.md delete mode 100644 content/includes/dos/k8s_with_ebpf_manifest/dos-storage.md diff --git a/content/includes/dos/dockerfiles/alpine-ebpf-manager.md b/content/includes/dos/dockerfiles/alpine-ebpf-manager.md index 4a7a008b71..0174515b51 100644 --- a/content/includes/dos/dockerfiles/alpine-ebpf-manager.md +++ b/content/includes/dos/dockerfiles/alpine-ebpf-manager.md @@ -13,14 +13,15 @@ FROM alpine:${OS_VER} # Install F5 DoS ebpf manager for NGINX and create required nginx user RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ - wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && addgroup -S -g 101 nginx \ + && adduser -S -u 101 -G nginx -h /nonexistent -s /sbin/nologin nginx \ + && wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ && printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories \ && apk update \ && apk add app-protect-dos-ebpf-manager \ - && rm -rf /var/cache/apk/* \ - && adduser -D -S -H -s /sbin/nologin nginx - -RUN ebpf_manager_dos -v + && rm -rf /var/cache/apk/* STOPSIGNAL SIGQUIT 
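Review bot: `set -x` is added as the first command of a `RUN` that carries `--mount=type=secret` mounts, which makes the shell echo every command with its expanded arguments into the build log. Nothing in this particular chain puts secret contents on a command line (the certificate and key are only consumed as files by `wget`/`apk`), so it is safe today, but it is the kind of habit that turns a later `cat` or `echo` of a secret into a leaked credential; either drop `set -x` here or keep secret-handling commands out of traced steps. The same pattern is added in the amazon-ebpf-manager, alpine-plus-dos-waf, alpine-plus-dos, amazon-plus-dos-waf and amazon-plus-dos hunks of this commit. This hunk also deletes `RUN ebpf_manager_dos -v`, the only build-time check that the installed binary actually executes; if that was deliberate, a one-line comment saying why would help, otherwise keep it.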
diff --git a/content/includes/dos/dockerfiles/alpine-plus-dos-waf.md b/content/includes/dos/dockerfiles/alpine-plus-dos-waf.md index 7845f0d724..0521412801 100644 --- a/content/includes/dos/dockerfiles/alpine-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/alpine-plus-dos-waf.md @@ -25,24 +25,25 @@ RUN printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[ # Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which include NGINX Plus): RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - apk update && apk add app-protect app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && addgroup -S -g 101 nginx \ + && adduser -S -u 101 -G nginx -h /nonexistent -s /sbin/nologin nginx \ + && apk update && apk add app-protect app-protect-dos \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && rm -rf /var/cache/apk/* RUN nginx -v && admd -v -RUN cat /opt/app_protect/VERSION /opt/app_protect/RELEASE +RUN echo "RELEASE:" && cat /opt/app_protect/RELEASE && echo "VERSION:" && cat /opt/app_protect/VERSION # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh EXPOSE 80 + STOPSIGNAL SIGQUIT CMD ["sh", "/root/entrypoint.sh"] diff --git a/content/includes/dos/dockerfiles/alpine-plus-dos.md b/content/includes/dos/dockerfiles/alpine-plus-dos.md index 02cc66995e..1b26fd099a 100644 --- a/content/includes/dos/dockerfiles/alpine-plus-dos.md 
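Review bot: After this hunk nothing in the Dockerfile writes `/etc/nginx/license.jwt`: both the `--mount=type=secret,id=license-jwt` mount and the `cat license.jwt > /etc/nginx/license.jwt` step are removed, and an earlier commit in this series already dropped the `nginx_license_secret` step. The same removal is made in the alpine-plus-dos, amazon-plus-dos-waf and amazon-plus-dos hunks of this commit. Presumably the license is now meant to arrive at runtime through a mount in the Deployment, but the part of the series visible here shows no such mount, and the "Your folder should contain the following files" list in the guides still names `license.jwt` as a build input; either add the runtime mount to the manifests and update that list, or restore the build-time copy. A comment where the copy used to be, `# license.jwt is supplied at runtime via the <LICENSE-SECRET-NAME> mount, not baked into the image`, would make the intent clear to the next reader.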
+++ b/content/includes/dos/dockerfiles/alpine-plus-dos.md @@ -13,21 +13,19 @@ FROM alpine:${OS_VER} # Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && addgroup -S -g 101 nginx \ + && adduser -S -u 101 -G nginx -h /nonexistent -s /sbin/nologin nginx \ + && wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ && printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories \ && printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories \ && apk update \ && apk add app-protect-dos \ - && cat license.jwt > /etc/nginx/license.jwt \ && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ && rm -rf /var/cache/apk/* -RUN nginx -v && admd -v - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh diff --git a/content/includes/dos/dockerfiles/amazon-ebpf-manager.md b/content/includes/dos/dockerfiles/amazon-ebpf-manager.md index b926c197f5..25e1ac7fbd 100644 --- a/content/includes/dos/dockerfiles/amazon-ebpf-manager.md +++ b/content/includes/dos/dockerfiles/amazon-ebpf-manager.md 
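Review bot: This hunk removes `RUN nginx -v && admd -v`, while the alpine-plus-dos-waf and amazon-plus-dos-waf hunks in the same commit keep it; the amazon-plus-dos hunk drops it as well. That line is the only build-time smoke test that both binaries were installed and are runnable, and it costs nothing, so the -dos and -dos-waf variants should agree — keep `RUN nginx -v && admd -v` in all four, or remove it everywhere with a comment explaining why. The removal of `COPY nginx.conf custom_log_format.json /etc/nginx/` matches the ConfigMap-mounted `nginx.conf` in the manifests, but `custom_log_format.json` is no longer delivered by any visible step; confirm it is either mounted at runtime or no longer referenced by the shipped `nginx.conf`.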
@@ -8,14 +8,14 @@ FROM amazonlinux:2023 # Install F5 DoS ebpf manager for NGINX and create required nginx user RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - dnf -y install ca-certificates shadow-utils \ - && curl -o /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo \ - && dnf install -y app-protect-dos-ebpf-manager \ - && dnf clean all \ - && rm -rf /var/cache/dnf \ - && useradd -r -s /usr/sbin/nologin nginx - -RUN ebpf_manager_dos -v + set -x \ + && dnf -y install ca-certificates shadow-utils \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && curl -o /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo \ + && dnf install -y app-protect-dos-ebpf-manager \ + && dnf clean all \ + && rm -rf /var/cache/dnf STOPSIGNAL SIGQUIT diff --git a/content/includes/dos/dockerfiles/amazon-plus-dos-waf.md b/content/includes/dos/dockerfiles/amazon-plus-dos-waf.md index dc023d49b1..490707482e 100644 --- a/content/includes/dos/dockerfiles/amazon-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/amazon-plus-dos-waf.md 
@@ -17,24 +17,23 @@ RUN curl -o /etc/yum.repos.d/plus-amazonlinux2023.repo https://cs.nginx.com/stat # Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which include NGINX Plus): RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - dnf -y install app-protect app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt && \ - rm /etc/yum.repos.d/plus-amazonlinux2023.repo && \ - rm /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo && \ - dnf clean all && \ - rm -rf /var/cache/dnf && \ - rm -rf /var/cache/yum - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log + set -x \ + && dnf -y install ca-certificates shadow-utils \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && dnf -y install app-protect app-protect-dos \ + && rm /etc/yum.repos.d/plus-amazonlinux2023.repo \ + && rm /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && rm -rf /var/cache/yum \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log RUN nginx -v && admd -v -RUN cat /opt/app_protect/VERSION /opt/app_protect/RELEASE +RUN echo "RELEASE:" && cat /opt/app_protect/RELEASE && echo "VERSION:" && cat /opt/app_protect/VERSION # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh diff --git a/content/includes/dos/dockerfiles/amazon-plus-dos.md b/content/includes/dos/dockerfiles/amazon-plus-dos.md index db497f208b..640738b6a3 100644 
--- a/content/includes/dos/dockerfiles/amazon-plus-dos.md +++ b/content/includes/dos/dockerfiles/amazon-plus-dos.md @@ -8,21 +8,18 @@ FROM amazonlinux:2023 # Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - dnf -y install ca-certificates \ + set -x \ + && dnf -y install ca-certificates shadow-utils \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ && curl -o /etc/yum.repos.d/plus-amazonlinux2023.repo https://cs.nginx.com/static/files/plus-amazonlinux2023.repo \ && curl -o /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo \ && dnf install -y app-protect-dos \ - && cat license.jwt > /etc/nginx/license.jwt \ && dnf clean all \ - && rm -rf /var/cache/dnf \ + && rm -rf /var/cache/dnf \ && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log -RUN nginx -v && admd -v - -# Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh diff --git a/content/includes/dos/dockerfiles/debian-ebpf-manager.md b/content/includes/dos/dockerfiles/debian-ebpf-manager.md index bef23b5a52..e07085279a 100644 --- a/content/includes/dos/dockerfiles/debian-ebpf-manager.md +++ b/content/includes/dos/dockerfiles/debian-ebpf-manager.md 
@@ -8,8 +8,12 @@ FROM debian:bullseye # Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - apt-get update \ - && apt-get install -y --no-install-recommends \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && DEBIAN_FRONTEND=noninteractive apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ apt-transport-https \ lsb-release \ ca-certificates \ @@ -23,10 +27,9 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 > /etc/apt/sources.list.d/nginx-app-protect-dos.list \ && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ && DEBIAN_FRONTEND=noninteractive apt-get update \ - && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-dos-ebpf-manager \ - && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* - -RUN ebpf_manager_dos -v + && DEBIAN_FRONTEND=noninteractive apt-get install -y app-protect-dos-ebpf-manager \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* STOPSIGNAL SIGQUIT diff --git a/content/includes/dos/dockerfiles/debian-plus-dos-waf.md b/content/includes/dos/dockerfiles/debian-plus-dos-waf.md index a69204a420..36bcd75b40 100644 --- a/content/includes/dos/dockerfiles/debian-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/debian-plus-dos-waf.md 
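Review bot: `wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx` (kept as context in the second hunk) drops an unverified file into apt's configuration directory; apt.conf fragments can set hooks such as `APT::Update::Pre-Invoke` and `DPkg::Pre-Install-Pkgs` that execute commands, so this file is effectively code fetched at build time and trusted on TLS alone. Verifying it before apt reads it, e.g. `&& echo "<EXPECTED_SHA256>  /etc/apt/apt.conf.d/90pkgs-nginx" | sha256sum -c - \` (placeholder digest kept in the repo), limits what a mis-served download could do. The debian-plus-dos, ubuntu-ebpf-manager, ubuntu-plus-dos and the debian/ubuntu -waf Dockerfiles in this patch fetch the same file the same way; the package list of this RUN continues outside the first hunk.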
@@ -6,8 +6,8 @@ FROM debian:bullseye # Install prerequisite packages: -RUN apt-get update && \ - apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring && \ +RUN DEBIAN_FRONTEND=noninteractive apt-get update && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring && \ wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \ wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor | tee /usr/share/keyrings/app-protect-security-updates.gpg > /dev/null 
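Review bot: The two keyring pipelines `wget -qO - https://… | gpg --dearmor | tee /usr/share/keyrings/… >/dev/null` report only tee's exit status, so a failed download produces an empty keyring without aborting the RUN, and the key is accepted with no fingerprint comparison, i.e. trust is placed in the channel rather than the key. Downloading to a temporary file first, comparing `gpg --show-keys --with-fingerprint <file>` against a value kept in the repo (placeholder `<EXPECTED_FINGERPRINT>`), and only then running `gpg --dearmor -o /usr/share/keyrings/… <file>` makes the step fail closed and pins trust to the key. The ubuntu-plus-dos-waf prerequisite RUN in this patch has the same two pipelines.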
@@ -23,20 +23,20 @@ RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx # Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which includes NGINX Plus): RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt && \ - apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list /etc/apt/sources.list.d/nginx-app-protect.list /etc/apt/sources.list.d/nginx-app-protect-dos.list && \ - rm -rf /etc/apt/apt.conf.d/90nginx /var/lib/apt/lists/* - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && DEBIAN_FRONTEND=noninteractive apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y app-protect app-protect-dos \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log RUN nginx -v && admd -v -RUN cat /opt/app_protect/VERSION /opt/app_protect/RELEASE +RUN echo "RELEASE:" && cat /opt/app_protect/RELEASE && echo "VERSION:" && cat /opt/app_protect/VERSION -COPY nginx.conf /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh 
diff --git a/content/includes/dos/dockerfiles/debian-plus-dos.md b/content/includes/dos/dockerfiles/debian-plus-dos.md index 2a62131ec0..95340fccc9 100644 --- a/content/includes/dos/dockerfiles/debian-plus-dos.md +++ b/content/includes/dos/dockerfiles/debian-plus-dos.md @@ -8,9 +8,12 @@ FROM debian:bullseye # Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - apt-get update \ - && apt-get install -y --no-install-recommends \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && DEBIAN_FRONTEND=noninteractive apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ apt-transport-https \ lsb-release \ ca-certificates \ @@ -25,15 +28,12 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 > /etc/apt/sources.list.d/nginx-app-protect-dos.list \ && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ && DEBIAN_FRONTEND=noninteractive apt-get update \ - && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-dos \ - && cat license.jwt > /etc/nginx/license.jwt \ - && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y app-protect-dos \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* \ && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log -RUN nginx -v && admd -v - -COPY nginx.conf /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh 
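Review bot: The line `# Create nginx user/group first, to be consistent throughout Docker variants \` sits between continuation lines of the RUN and relies on the builder stripping comment lines before joining the continuation; Docker's parser documents that behaviour, but any consumer that hands the text to the shell unchanged sees a comment (a trailing backslash does not continue a comment) followed by a line beginning with `&&`, which is a syntax error. Moving the comment above the `RUN` instruction, or making it a shell no-op such as `&& : "create nginx user/group first, consistent across variants" \`, removes the dependency on builder behaviour. The same pattern appears in most RUN instructions of this patch (alpine, debian, rhel8/rhel9, rocky9 and ubuntu variants).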
diff --git a/content/includes/dos/dockerfiles/rhel8-ebpf-manager.md b/content/includes/dos/dockerfiles/rhel8-ebpf-manager.md index 58498ebbbe..bf316a7592 100644 --- a/content/includes/dos/dockerfiles/rhel8-ebpf-manager.md +++ b/content/includes/dos/dockerfiles/rhel8-ebpf-manager.md @@ -11,16 +11,17 @@ ARG RHEL_ACTIVATION_KEY # Install F5 DoS ebpf manager for NGINX and create required nginx user RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ && dnf -y install ca-certificates \ && curl -o /etc/yum.repos.d/app-protect-dos-8.repo https://cs.nginx.com/static/files/app-protect-dos-8.repo \ && dnf -y install app-protect-dos-ebpf-manager \ && rm /etc/yum.repos.d/app-protect-dos-8.repo \ && dnf clean all \ - && rm -rf /var/cache/yum \ - && useradd -r -s /usr/sbin/nologin nginx - -RUN ebpf_manager_dos -v + && rm -rf /var/cache/yum STOPSIGNAL SIGQUIT diff --git a/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md b/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md deleted file mode 100644 index 8fcc9ce82f..0000000000 --- a/content/includes/dos/dockerfiles/rhel8-plus-dos-waf.md +++ /dev/null @@ -1,5 +0,0 @@ ---- ---- - -```dockerfile -``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/rhel8-plus-dos.md b/content/includes/dos/dockerfiles/rhel8-plus-dos.md index 4568937e25..af77d4743e 100644 --- a/content/includes/dos/dockerfiles/rhel8-plus-dos.md 
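Review bot: `dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm` installs a package given by URL, which dnf treats as a local package; with dnf's default `localpkg_gpgcheck=False` the RPM's signature is not verified, so the EPEL release package, which itself installs repo definitions and keys, is trusted on TLS alone. Importing the EPEL key first and enabling the check, e.g. `rpm --import <EPEL_KEY_FILE_OR_URL>` followed by `dnf -y --setopt=localpkg_gpgcheck=1 install https://…`, or pinning the RPM's digest, closes that (placeholders to be filled from a source the project trusts). rhel9-ebpf-manager in this patch installs `epel-release-latest-9.noarch.rpm` the same way.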
+++ b/content/includes/dos/dockerfiles/rhel8-plus-dos.md @@ -8,21 +8,14 @@ FROM registry.access.redhat.com/ubi8 ARG RHEL_ORG ARG RHEL_ACTIVATION_KEY -# Install F5 DoS for NGINXWhat is the diff between following I see in F5 WAF for NGINX - -https://docs.nginx.com/waf/install/docker/#ubuntu - -apt install -y app-protect-module-plus - -and following that we have on F5 DOS for NGINX - -apt-get install -y app-protect - - +# Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \ && subscription-manager refresh \ && subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms \ && subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms \ 
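Review bot: With `set -x` now at the head of this RUN, `subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY}` is echoed to the build output with both build args expanded, so the activation key lands in CI logs; values passed as `ARG` are additionally exposed through `docker history`, which the commit does not change. Passing the key through a secret mount like the repo certificates (a constructed id, e.g. `--mount=type=secret,id=rhel-activation-key`, which BuildKit exposes under `/run/secrets/`) and switching tracing off around the call, `&& set +x && subscription-manager register --org="${RHEL_ORG}" --activationkey="$(cat /run/secrets/rhel-activation-key)" && set -x \`, keeps it out of both. rhel9-plus-dos in this patch has identical lines; this RUN continues in the next hunk.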
@@ -31,18 +24,12 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && curl -o /etc/yum.repos.d/plus-8.repo https://cs.nginx.com/static/files/plus-8.repo \ && curl -o /etc/yum.repos.d/app-protect-dos-8.repo https://cs.nginx.com/static/files/app-protect-dos-8.repo \ && dnf -y install app-protect-dos \ - && cat license.jwt > /etc/nginx/license.jwt \ - && rm /etc/yum.repos.d/plus-8.repo \ - && rm /etc/yum.repos.d/app-protect-dos-8.repo \ && dnf clean all \ && rm -rf /var/cache/yum \ + && subscription-manager unregister \ && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log \ - && subscription-manager unregister - -RUN nginx -v && admd -v + && ln -sf /dev/stderr /var/log/nginx/error.log -COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh diff --git a/content/includes/dos/dockerfiles/rhel9-ebpf-manager.md b/content/includes/dos/dockerfiles/rhel9-ebpf-manager.md index 1080e5f18d..640b585272 100644 --- a/content/includes/dos/dockerfiles/rhel9-ebpf-manager.md +++ b/content/includes/dos/dockerfiles/rhel9-ebpf-manager.md 
@@ -11,16 +11,17 @@ ARG RHEL_ACTIVATION_KEY # Install F5 DoS ebpf manager for NGINX and create required nginx user RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ && dnf -y install ca-certificates \ && curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \ && dnf -y install app-protect-dos-ebpf-manager \ && rm /etc/yum.repos.d/app-protect-dos-9.repo \ && dnf clean all \ - && rm -rf /var/cache/yum \ - && useradd -r -s /usr/sbin/nologin nginx - -RUN ebpf_manager_dos -v + && rm -rf /var/cache/yum STOPSIGNAL SIGQUIT diff --git a/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md b/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md deleted file mode 100644 index 8fcc9ce82f..0000000000 --- a/content/includes/dos/dockerfiles/rhel9-plus-dos-waf.md +++ /dev/null @@ -1,5 +0,0 @@ ---- ---- - -```dockerfile -``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/rhel9-plus-dos.md b/content/includes/dos/dockerfiles/rhel9-plus-dos.md index cb0f3e589b..ee2b26eccf 100644 --- a/content/includes/dos/dockerfiles/rhel9-plus-dos.md +++ b/content/includes/dos/dockerfiles/rhel9-plus-dos.md 
@@ -11,8 +11,11 @@ ARG RHEL_ACTIVATION_KEY # Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \ && subscription-manager refresh \ && subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms \ && subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms \ @@ -21,17 +24,13 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && curl -o /etc/yum.repos.d/plus-9.repo https://cs.nginx.com/static/files/plus-9.repo \ && curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \ && dnf -y install app-protect-dos \ - && cat license.jwt > /etc/nginx/license.jwt \ - && rm /etc/yum.repos.d/plus-9.repo \ - && rm /etc/yum.repos.d/app-protect-dos-9.repo \ && dnf clean all \ && rm -rf /var/cache/yum \ + && subscription-manager unregister \ && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log \ - && subscription-manager unregister + && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh diff --git a/content/includes/dos/dockerfiles/rocky9-ebpf-manager.md b/content/includes/dos/dockerfiles/rocky9-ebpf-manager.md index 83e3ea9a85..4aaad1d121 100644 
--- a/content/includes/dos/dockerfiles/rocky9-ebpf-manager.md +++ b/content/includes/dos/dockerfiles/rocky9-ebpf-manager.md @@ -9,15 +9,16 @@ FROM rockylinux:9 # Install F5 DoS ebpf manager for NGINX and create required nginx user RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - dnf -y install ca-certificates epel-release 'dnf-command(config-manager)' \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && dnf -y install ca-certificates epel-release 'dnf-command(config-manager)' \ && curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \ && dnf config-manager --set-enabled crb \ && dnf install -y app-protect-dos-ebpf-manager \ && dnf clean all \ - && rm -rf /var/cache/dnf \ - && useradd -r -s /usr/sbin/nologin nginx - -RUN ebpf_manager_dos -v + && rm -rf /var/cache/dnf STOPSIGNAL SIGQUIT diff --git a/content/includes/dos/dockerfiles/rocky9-plus-dos-waf.md b/content/includes/dos/dockerfiles/rocky9-plus-dos-waf.md index 8fcc9ce82f..e03012aee2 100644 --- a/content/includes/dos/dockerfiles/rocky9-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/rocky9-plus-dos-waf.md 
@@ -2,4 +2,38 @@ --- ```dockerfile +# syntax=docker/dockerfile:1 +# For Rocky Linux 9 +FROM rockylinux:9 + +# Install F5 DoS for NGINX: +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && dnf -y install ca-certificates epel-release 'dnf-command(config-manager)' \ + && curl -o /etc/yum.repos.d/plus-9.repo https://cs.nginx.com/static/files/plus-9.repo \ + && curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \ + && curl -o /etc/yum.repos.d/app-protect-9.repo https://cs.nginx.com/static/files/app-protect-9.repo \ + && curl -o /etc/yum.repos.d/dependencies.9.repo https://cs.nginx.com/static/files/dependencies.9.repo \ + && dnf config-manager --set-enabled crb \ + && dnf install -y app-protect app-protect-dos \ + && dnf clean all \ + && rm -rf /var/cache/dnf \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +RUN nginx -v && admd -v +RUN echo "RELEASE:" && cat /opt/app_protect/RELEASE && echo "VERSION:" && cat /opt/app_protect/VERSION + +COPY entrypoint.sh /root/ +RUN chmod +x /root/entrypoint.sh + +EXPOSE 80 + +STOPSIGNAL SIGQUIT + +CMD ["sh", "/root/entrypoint.sh"] ``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/rocky9-plus-dos.md b/content/includes/dos/dockerfiles/rocky9-plus-dos.md index cff5570bc3..05224a22fd 100644 --- a/content/includes/dos/dockerfiles/rocky9-plus-dos.md +++ b/content/includes/dos/dockerfiles/rocky9-plus-dos.md 
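Review bot: `CMD ["sh", "/root/entrypoint.sh"]` runs a script that dos-waf-entrypoint in this patch declares as `#!/usr/bin/env bash` under `sh`; on Rocky Linux `sh` is bash so this works, but the same CMD on the Debian/Ubuntu images would run it under dash and break any bash-only construct, and since the file is already made executable by `chmod +x`, `CMD ["/root/entrypoint.sh"]` lets the shebang decide. No `USER` is set, so the entrypoint starts as root; presumably that is needed to bind port 80 and let nginx drop privileges itself, but a one-line comment next to `EXPOSE 80` stating that would help the reader. The four `curl -o … .repo` lines have the same missing `-f` raised on amazon-ebpf-manager.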
@@ -9,20 +9,21 @@ FROM rockylinux:9 # Install F5 DoS for NGINX: RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - dnf -y install ca-certificates epel-release 'dnf-command(config-manager)' \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && dnf -y install ca-certificates epel-release 'dnf-command(config-manager)' \ && curl -o /etc/yum.repos.d/plus-9.repo https://cs.nginx.com/static/files/plus-9.repo \ && curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \ && dnf config-manager --set-enabled crb \ && dnf install -y app-protect-dos \ - && cat license.jwt > /etc/nginx/license.jwt \ && dnf clean all \ && rm -rf /var/cache/dnf \ && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log # Copy configuration files: -COPY nginx.conf custom_log_format.json /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh diff --git a/content/includes/dos/dockerfiles/ubuntu-ebpf-manager.md b/content/includes/dos/dockerfiles/ubuntu-ebpf-manager.md index e58e530dc6..9db04c03f4 100644 --- a/content/includes/dos/dockerfiles/ubuntu-ebpf-manager.md +++ b/content/includes/dos/dockerfiles/ubuntu-ebpf-manager.md @@ -3,7 +3,7 @@ ```dockerfile # syntax=docker/dockerfile:1 -# For Ubuntu +# For Ubuntu # Where version can be: jammy/noble FROM ubuntu:noble 
@@ -11,8 +11,12 @@ FROM ubuntu:noble # Install F5 DoS ebpf manager for NGINX and create required nginx user RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - apt-get update \ - && apt-get install -y --no-install-recommends \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && DEBIAN_FRONTEND=noninteractive apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ apt-transport-https \ lsb-release \ ca-certificates \ @@ -27,14 +31,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ && DEBIAN_FRONTEND=noninteractive apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install -y app-protect-dos-ebpf-manager \ - && apt-get remove --purge --auto-remove -y \ - && rm -rf /var/lib/apt/lists/* \ - && useradd -r -s /usr/sbin/nologin nginx + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* STOPSIGNAL SIGQUIT -RUN ebpf_manager_dos -v - # Idle forever CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"] ``` \ No newline at end of file diff --git a/content/includes/dos/dockerfiles/ubuntu-plus-dos-waf.md b/content/includes/dos/dockerfiles/ubuntu-plus-dos-waf.md index 17c657d18f..281ebab378 100644 --- a/content/includes/dos/dockerfiles/ubuntu-plus-dos-waf.md +++ b/content/includes/dos/dockerfiles/ubuntu-plus-dos-waf.md 
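Review bot: `CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"]` is context here but is the only process the image runs, and it reports tee's exit status rather than the manager's, so a crash of ebpf_manager_dos ends the container with status 0 and is invisible to restart accounting and to anyone alerting on non-zero exits; STOPSIGNAL SIGQUIT is also delivered to bash as PID 1, which presumably will not forward it to the manager. `CMD ["bash", "-o", "pipefail", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"]` fixes the exit status; writing to stdout only and tailing it from a sidecar would avoid the pipeline altogether. The `# Idle forever` comment above the CMD no longer describes what it does.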
@@ -2,12 +2,12 @@ --- ```dockerfile -# Where version can be:jammy/noble +# Where version can be: noble/jammy FROM ubuntu:noble # Install prerequisite packages: -RUN apt-get update && \ - apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring && \ +RUN DEBIAN_FRONTEND=noninteractive apt-get update && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring && \ wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \ wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor | tee /usr/share/keyrings/app-protect-security-updates.gpg > /dev/null 
@@ -15,28 +15,28 @@ RUN apt-get update && \ RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \ && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect-dos.list \ && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect.list \ - && printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/app-protect-security-updates.list + && printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] https://pkgs.nginx.com/app-protect-security-updates/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/app-protect-security-updates.list # Download the apt configuration to `/etc/apt/apt.conf.d`: RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx -# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which include NGINX Plus): +# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which includes NGINX Plus): RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect app-protect-dos && \ - cat license.jwt > /etc/nginx/license.jwt && \ - apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* 
/etc/apt/sources.list.d/nginx-plus.list /etc/apt/sources.list.d/nginx-app-protect.list /etc/apt/sources.list.d/nginx-app-protect-dos.list && \ - rm -rf /etc/apt/apt.conf.d/90nginx /var/lib/apt/lists/* - -# Forward request logs to Docker log collector: -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && DEBIAN_FRONTEND=noninteractive apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y app-protect app-protect-dos \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log RUN nginx -v && admd -v -RUN cat /opt/app_protect/VERSION /opt/app_protect/RELEASE +RUN echo "RELEASE:" && cat /opt/app_protect/RELEASE && echo "VERSION:" && cat /opt/app_protect/VERSION -COPY nginx.conf /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh diff --git a/content/includes/dos/dockerfiles/ubuntu-plus-dos.md b/content/includes/dos/dockerfiles/ubuntu-plus-dos.md index 132b93e2ca..4dfb3fa9a3 100644 --- a/content/includes/dos/dockerfiles/ubuntu-plus-dos.md +++ b/content/includes/dos/dockerfiles/ubuntu-plus-dos.md 
@@ -11,9 +11,12 @@ FROM ubuntu:noble # Install F5 DoS for NGINX RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \ - apt-get update \ - && apt-get install -y --no-install-recommends \ + set -x \ + # Create nginx user/group first, to be consistent throughout Docker variants \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && DEBIAN_FRONTEND=noninteractive apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ apt-transport-https \ lsb-release \ ca-certificates \ @@ -28,15 +31,12 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 > /etc/apt/sources.list.d/nginx-app-protect-dos.list \ && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ && DEBIAN_FRONTEND=noninteractive apt-get update \ - && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-dos \ - && cat license.jwt > /etc/nginx/license.jwt \ - && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y app-protect-dos \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* \ && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log -RUN nginx -v && admd -v - -COPY nginx.conf /etc/nginx/ COPY entrypoint.sh /root/ RUN chmod +x /root/entrypoint.sh diff --git a/content/includes/dos/dos-waf-entrypoint.md b/content/includes/dos/dos-waf-entrypoint.md index ce1ad43f5b..26d26919dd 100644 --- a/content/includes/dos/dos-waf-entrypoint.md +++ b/content/includes/dos/dos-waf-entrypoint.md @@ -8,8 +8,7 @@ nd-files: ```shell - - #!/usr/bin/env bash + #!/usr/bin/env bash USER=nginx LOGDIR=/var/log/adm 
diff --git a/content/includes/dos/ebpf-manager-entrypoint.md b/content/includes/dos/ebpf-manager-entrypoint.md deleted file mode 100644 index 385e3219d5..0000000000 --- a/content/includes/dos/ebpf-manager-entrypoint.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -nd-docs: null -nd-files: -- content/nap-dos/deployment-guide/learn-about-deployment.md -- content/nap-dos/deployment-guide/kubernetes.md -- content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md ---- \ No newline at end of file diff --git a/content/includes/dos/k8s_arbitrator/appprotect-dos-arb.md b/content/includes/dos/k8s_arbitrator/appprotect-dos-arb.md index 05576f6f2c..13d30c533c 100644 --- a/content/includes/dos/k8s_arbitrator/appprotect-dos-arb.md +++ b/content/includes/dos/k8s_arbitrator/appprotect-dos-arb.md @@ -5,7 +5,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: appprotect-dos-arb + name: app-protect-dos-arb namespace: app-protect-dos spec: replicas: 1 @@ -18,15 +18,8 @@ spec: app: appprotect-dos-arb spec: containers: - - name: arb-svc - image: docker-registry.nginx.com/nap-dos/app_protect_dos_arb:latest - resources: - requests: - cpu: "200m" - memory: "500Mi" - limits: - cpu: "900m" - memory: "800Mi" - ports: - - containerPort: 3000 + - name: arb-svc + image: docker-registry.nginx.com/nap-dos/app_protect_dos_arb:latest + ports: + - containerPort: 3000 ``` \ No newline at end of file diff --git a/content/includes/dos/k8s_arbitrator/svc-appprotect-dos-arb.md b/content/includes/dos/k8s_arbitrator/svc-appprotect-dos-arb.md index 68cd8f5385..5938fb99bc 100644 --- a/content/includes/dos/k8s_arbitrator/svc-appprotect-dos-arb.md +++ b/content/includes/dos/k8s_arbitrator/svc-appprotect-dos-arb.md 
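Review bot: The arbitrator container loses its `resources` block entirely (requests and limits both removed), leaving a component in the DoS data path with unbounded CPU and memory and BestEffort QoS, i.e. first to be evicted under node pressure, unless the namespace has a LimitRange; if the previous numbers were wrong, adjusting them is safer than dropping them, so keep `resources:` with `requests:` and `limits:` sized for the arbitrator. `image: docker-registry.nginx.com/nap-dos/app_protect_dos_arb:latest` is a mutable tag, so redeploys can silently pick up a different build; pinning to a version tag or `@sha256:<DIGEST>` (placeholder) keeps deployments reproducible. The Deployment is renamed to `app-protect-dos-arb` while its labels stay `appprotect-dos-arb`, which matches the Service selector in this patch but deserves a comment now that both spellings coexist.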
@@ -5,16 +5,15 @@ apiVersion: v1 kind: Service metadata: - name: svc-appprotect-dos - namespace: appprotect-dos-wp-diff - labels: - app: appprotect-dos + name: svc-appprotect-dos-arb + namespace: app-protect-dos spec: - ports: - - name: app - port: 80 - protocol: TCP - nodePort: 80 selector: - app: appprotect-dos - type: NodePort``` \ No newline at end of file + app: appprotect-dos-arb + ports: + - name: arb + port: 3000 + protocol: TCP + targetPort: 3000 + clusterIP: None +``` \ No newline at end of file diff --git a/content/includes/dos/k8s_manifest/backend-nginx.md b/content/includes/dos/k8s_manifest/backend-nginx.md deleted file mode 100644 index 0f20241501..0000000000 --- a/content/includes/dos/k8s_manifest/backend-nginx.md +++ /dev/null @@ -1,50 +0,0 @@ ---- ---- - -```backend-nginx.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: backend-nginx - namespace: app-protect-dos - labels: - app: backend-nginx -spec: - replicas: 1 - selector: - matchLabels: - app: backend-nginx - template: - metadata: - labels: - app: backend-nginx - spec: - containers: - - name: nginx - image: nginx:stable - ports: - - containerPort: 8080 - command: ["/bin/sh", "-c"] - args: - - | - # Change default port from 80 to 8080 - sed -i 's/listen 80;/listen 8080;/g' /etc/nginx/conf.d/default.conf - nginx -g "daemon off;" ---- -apiVersion: v1 -kind: Service -metadata: - name: svc-backend-nginx - namespace: app-protect-dos - labels: - app: backend-nginx -spec: - type: ClusterIP - selector: - app: backend-nginx - ports: - - name: http - port: 8080 - targetPort: 8080 - protocol: TCP -``` \ No newline at end of file diff --git a/content/includes/dos/k8s_manifest/dos-deployment.md b/content/includes/dos/k8s_manifest/dos-deployment.md index 5638094932..fb2956c090 100644 --- a/content/includes/dos/k8s_manifest/dos-deployment.md +++ b/content/includes/dos/k8s_manifest/dos-deployment.md 
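Review bot: The Service in hunk `@@ -5,16 +5,15 @@` is named `svc-appprotect-dos-arb` and selects `app: appprotect-dos-arb`, while the Deployment in the previous file was just renamed to `app-protect-dos-arb`, so both spellings now coexist and the selector only still matches because the pod label was left untouched. Pick one form (the Helm chart used later is `nginx-stable/nginx-appprotect-dos-arbitrator`, so `appprotect` is the established one) and use it for the Deployment name, the label and the Service. Making the Service headless with `clusterIP: None` and dropping the old `nodePort: 80` keeps the arbitrator cluster-internal, which is the right direction.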
@@ -27,7 +27,7 @@ spec: spec: containers: - name: nginx-app-protect-dos - image: /: + image: ${DOS_IMAGE_REPOSITORY}:${DOS_IMAGE_TAG} imagePullPolicy: Always command: ["/bin/bash", "-c"] @@ -63,7 +63,7 @@ spec: path: /app_protect_dos_readiness port: 8090 initialDelaySeconds: 5 - periodSeconds: 10 + periodSeconds: 10 volumeMounts: - name: shared-dir @@ -74,11 +74,14 @@ spec: - name: log-default mountPath: /etc/app_protect_dos/log-default.json subPath: log-default.json - + - name: license-token-volume + mountPath: /etc/nginx/license.jwt + subPath: license.jwt + readOnly: true + volumes: - name: shared-dir - persistentVolumeClaim: - claimName: pvc-app-protect-dos-shared + emptyDir: { } - name: conf configMap: name: dos-nginx-conf @@ -92,5 +95,11 @@ spec: items: - key: log-default.json path: log-default.json + - name: license-token-volume + secret: + secretName: license-token + items: + - key: license.jwt + path: license.jwt ``` \ No newline at end of file diff --git a/content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md b/content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md index 35095aab74..2f4f91cef6 100644 --- a/content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md +++ b/content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md @@ -36,9 +36,6 @@ data: 'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, ' 'ip_tls=$remote_addr:$app_protect_dos_tls_fp, '; - upstream backend { - server svc-backend-nginx:8080; - } # Health endpoints for probes server { @@ -50,6 +47,7 @@ data: server { listen 80 reuseport; server_name serv; + proxy_http_version 1.1; access_log /var/log/nginx/access.log log_dos if=$loggable; app_protect_dos_security_log_enable on; 
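Review bot: The license is mounted with `subPath: license.jwt` from the `license-token` Secret in hunks `@@ -74,11 +74,14 @@` and `@@ -92,5 +95,11 @@` of dos-deployment.md, and Kubernetes does not propagate Secret updates into subPath mounts, so a renewed license.jwt only takes effect once the pods are recreated. Either document a `kubectl rollout restart deployment/app-protect-dos -n app-protect-dos` step after updating the Secret, or mount the Secret on a directory and point nginx at the file inside it. The same mounts are added to the eBPF variant at hunks `@@ -77,24 +76,33 @@` and `@@ -108,5 +116,10 @@` of k8s_with_ebpf_manifest/dos-deployment.md. Replacing the PersistentVolumeClaim with `emptyDir: { }` also means the shared directory is discarded on every pod restart, which is presumably acceptable now that dos-storage.yaml is gone, but the guide should say so.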
@@ -60,8 +58,17 @@ data: app_protect_dos_enable on; app_protect_dos_name "main_serv"; app_protect_dos_monitor uri=http://serv:80/ protocol=http1; - proxy_pass http://backend; + proxy_pass http://127.0.0.1/proxy$request_uri; + } + + location /proxy { + app_protect_dos_enable off; + client_max_body_size 0; + default_type text/html; + return 200 "Hello! I got your URI request - $request_uri\n"; } + } } + ``` \ No newline at end of file diff --git a/content/includes/dos/k8s_manifest/dos-service.md b/content/includes/dos/k8s_manifest/dos-service.md index 6f5e776b27..0e24fc056a 100644 --- a/content/includes/dos/k8s_manifest/dos-service.md +++ b/content/includes/dos/k8s_manifest/dos-service.md @@ -8,7 +8,7 @@ metadata: name: nap-dos namespace: app-protect-dos spec: - type: LoadBalancer + type: NodePort ports: - port: 80 targetPort: 80 diff --git a/content/includes/dos/k8s_manifest/dos-storage.md b/content/includes/dos/k8s_manifest/dos-storage.md deleted file mode 100644 index 609d817a7e..0000000000 --- a/content/includes/dos/k8s_manifest/dos-storage.md +++ /dev/null @@ -1,16 +0,0 @@ ---- ---- - -```dos-storage.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: pvc-app-protect-dos-shared - namespace: app-protect-dos -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi -``` \ No newline at end of file diff --git a/content/includes/dos/k8s_with_ebpf_manifest/backend-nginx.md b/content/includes/dos/k8s_with_ebpf_manifest/backend-nginx.md deleted file mode 100644 index 0f20241501..0000000000 --- a/content/includes/dos/k8s_with_ebpf_manifest/backend-nginx.md +++ /dev/null 
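Review bot: The new `location /proxy` in hunk `@@ -60,8 +58,17 @@` is reachable by any client, not only by the loopback `proxy_pass`, and it switches inspection off with `app_protect_dos_enable off;`, so a request sent straight to `/proxy...` sidesteps the protection this manifest is meant to demonstrate; add `allow 127.0.0.1; deny all;` to the location so that only the internal hop is accepted. The reply also echoes the raw `$request_uri` into a body declared `default_type text/html;`, which lets browsers render whatever markup a client places in the URL; `default_type text/plain;` is the safe choice for an echo endpoint. `client_max_body_size 0;` removes the request-body limit on that hop and deserves a comment if it is intentional. The identical block is added to k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md at hunk `@@ -62,7 +59,14 @@`.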
@@ -1,50 +0,0 @@ ---- ---- - -```backend-nginx.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: backend-nginx - namespace: app-protect-dos - labels: - app: backend-nginx -spec: - replicas: 1 - selector: - matchLabels: - app: backend-nginx - template: - metadata: - labels: - app: backend-nginx - spec: - containers: - - name: nginx - image: nginx:stable - ports: - - containerPort: 8080 - command: ["/bin/sh", "-c"] - args: - - | - # Change default port from 80 to 8080 - sed -i 's/listen 80;/listen 8080;/g' /etc/nginx/conf.d/default.conf - nginx -g "daemon off;" ---- -apiVersion: v1 -kind: Service -metadata: - name: svc-backend-nginx - namespace: app-protect-dos - labels: - app: backend-nginx -spec: - type: ClusterIP - selector: - app: backend-nginx - ports: - - name: http - port: 8080 - targetPort: 8080 - protocol: TCP -``` \ No newline at end of file diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-deployment.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-deployment.md index 30891f58c7..ac0101b493 100644 --- a/content/includes/dos/k8s_with_ebpf_manifest/dos-deployment.md +++ b/content/includes/dos/k8s_with_ebpf_manifest/dos-deployment.md @@ -27,7 +27,7 @@ spec: spec: containers: - name: nginx-app-protect-dos - image: /: + image: ${DOS_IMAGE_REPOSITORY}:${DOS_IMAGE_TAG} imagePullPolicy: Always command: ["/bin/bash", "-c"] @@ -63,8 +63,7 @@ spec: path: /app_protect_dos_readiness port: 8090 initialDelaySeconds: 5 - periodSeconds: 10 - + periodSeconds: 10 volumeMounts: - name: shared-dir 
@@ -77,24 +76,33 @@ spec: - name: log-default mountPath: /etc/app_protect_dos/log-default.json subPath: log-default.json - + - name: license-token-volume + mountPath: /etc/nginx/license.jwt + subPath: license.jwt + readOnly: true + - name: dos-ebpf-manager - image: /: + image: ${EBPF_IMAGE_REPOSITORY}:${EBPF_IMAGE_TAG} securityContext: - privileged: true + privileged: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name # This is unique for every Pod volumeMounts: - - name: shared-dir - mountPath: /shared - - name: bpf - mountPath: /sys/fs/bpf + - name: shared-dir + mountPath: /shared/ + - name: bpf + mountPath: /sys/fs/bpf + volumes: - name: shared-dir - persistentVolumeClaim: - claimName: pvc-app-protect-dos-shared + emptyDir: {} - name: bpf hostPath: path: /sys/fs/bpf - type: DirectoryOrCreate + type: DirectoryOrCreate - name: conf configMap: name: dos-nginx-conf @@ -108,5 +116,10 @@ spec: items: - key: log-default.json path: log-default.json - + - name: license-token-volume + secret: + secretName: license-token + items: + - key: license.jwt + path: license.jwt ``` \ No newline at end of file diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md index f444fd0bcb..5f5fe341c0 100644 --- a/content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md +++ b/content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md @@ -38,9 +38,6 @@ data: app_protect_dos_accelerated_mitigation on syn_drop=on; - upstream backend { - server svc-backend-nginx:8080; - } # Health endpoints for probes server { 
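Review bot: The `bpf` hostPath in hunk `@@ -77,24 +76,33 @@` keeps `type: DirectoryOrCreate`, so on a node where `/sys/fs/bpf` is not a mounted bpffs the kubelet quietly creates a plain directory and the `dos-ebpf-manager` sidecar fails later instead of at pod start; `type: Directory` turns the missing mount into a visible volume error. The sidecar stays `privileged: true` and binds a host path, which the `baseline` and `restricted` Pod Security Standards reject, so the guide should state that the `app-protect-dos` namespace needs the `privileged` level (or an equivalent admission exception) where Pod Security admission is enforced. The `POD_NAME` comment says the value is unique per pod but not what the manager does with it; one more clause there would help readers.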
@@ -62,7 +59,14 @@ data: app_protect_dos_enable on; app_protect_dos_name "main_serv"; app_protect_dos_monitor uri=http://serv:80/ protocol=http1; - proxy_pass http://backend; + proxy_pass http://127.0.0.1/proxy$request_uri; + } + + location /proxy { + app_protect_dos_enable off; + client_max_body_size 0; + default_type text/html; + return 200 "Hello! I got your URI request - $request_uri\n"; } } } diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-service.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-service.md index 6f5e776b27..0f44d951e3 100644 --- a/content/includes/dos/k8s_with_ebpf_manifest/dos-service.md +++ b/content/includes/dos/k8s_with_ebpf_manifest/dos-service.md @@ -9,6 +9,7 @@ metadata: namespace: app-protect-dos spec: type: LoadBalancer + externalTrafficPolicy: Local ports: - port: 80 targetPort: 80 diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-storage.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-storage.md deleted file mode 100644 index 609d817a7e..0000000000 --- a/content/includes/dos/k8s_with_ebpf_manifest/dos-storage.md +++ /dev/null @@ -1,16 +0,0 @@ ---- ---- - -```dos-storage.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: pvc-app-protect-dos-shared - namespace: app-protect-dos -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi -``` \ No newline at end of file diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md index 13b67f8cc7..d173913409 100644 --- a/content/nap-dos/deployment-guide/kubernetes.md +++ b/content/nap-dos/deployment-guide/kubernetes.md @@ -127,7 +127,6 @@ Your folder should contain the following files: - _nginx-repo.crt_ - _nginx-repo.key_ -- _license.jwt_ - _entrypoint.sh_ - _nginx.conf_ - _Dockerfile_ @@ -138,7 +137,6 @@ To build an image, use the following command, replacing ` . ``` 
@@ -206,9 +204,9 @@ From the folder containing the YAML files from the previous step (Suggested as ` ```shell kubectl apply -f manifests/dos-namespace.yaml -kubectl apply -f manifests/dos-storage.yaml -kubectl apply -f manifests/dos-nginx-conf-configmap.yaml -kubectl apply -f manifests/dos-log-default-configmap.yaml +kubectl create secret generic license-token --from-file=license.jwt=license.jwt --type=nginx.com/license -n app-protect-dos +kubectl apply -f dos-manifest/dos-log-default-configmap.yaml +kubectl apply -f dos-manifest/dos-nginx-conf-configmap.yaml kubectl apply -f manifests/dos-deployment.yaml kubectl apply -f manifests/dos-service.yaml ``` From 1c5baaf56d5059c205e285d473b3dad1f8acc6b0 Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Mon, 22 Dec 2025 10:54:46 +0200 Subject: [PATCH 16/23] dos k8s --- .../nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md | 4 ---- content/nap-dos/deployment-guide/kubernetes.md | 3 --- 2 files changed, 7 deletions(-) diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md index f99a1aed67..5df8ff8ed3 100644 --- a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +++ b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md @@ -255,9 +255,6 @@ In each file, replace {{% /tab %}} -{{% tab name=dos-storage.yaml %}} - -{{< include "dos/k8s_with_ebpf_manifest/dos-storage.md" >}} {{% /tab %}} @@ -293,7 +290,6 @@ From the folder containing the YAML files from the previous step (Suggested as ` ```shell kubectl apply -f manifests/dos-namespace.yaml -kubectl apply -f manifests/dos-storage.yaml kubectl apply -f manifests/dos-nginx-conf-configmap.yaml kubectl apply -f manifests/dos-log-default-configmap.yaml kubectl apply -f manifests/dos-deployment.yaml diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md index d173913409..e11c986704 100644 
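Review bot: The two new `kubectl apply` lines in hunk `@@ -206,9 +204,9 @@` point at `dos-manifest/…` while the surrounding commands, including the unchanged `manifests/dos-deployment.yaml` line, use `manifests/`, so the block cannot be copied as written without one of the two folders being wrong. Use `kubectl apply -f manifests/dos-log-default-configmap.yaml` and `kubectl apply -f manifests/dos-nginx-conf-configmap.yaml`. The `kubectl create secret` line reads `license.jwt` from the current directory while the Helm section uses `${PWD}/license.jwt`; one convention across the guide would avoid confusion.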
--- a/content/nap-dos/deployment-guide/kubernetes.md +++ b/content/nap-dos/deployment-guide/kubernetes.md @@ -166,9 +166,6 @@ In each file, replace `/:}} {{% /tab %}} From 715f831691d1e775d1fd9076c69c6bc498954fab Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Mon, 22 Dec 2025 11:00:44 +0200 Subject: [PATCH 17/23] dos k8s --- content/nap-dos/deployment-guide/kubernetes.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md index e11c986704..2752cb7cfc 100644 --- a/content/nap-dos/deployment-guide/kubernetes.md +++ b/content/nap-dos/deployment-guide/kubernetes.md @@ -167,8 +167,6 @@ In each file, replace `/:}} From 7f6d62ccc41b6bcfb4d0433765218658e252eb38 Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Mon, 22 Dec 2025 11:09:41 +0200 Subject: [PATCH 18/23] dos k8s --- .../nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md | 2 -- content/nap-dos/deployment-guide/kubernetes.md | 1 - 2 files changed, 3 deletions(-) diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md index 5df8ff8ed3..63cce42835 100644 --- a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +++ b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md @@ -256,8 +256,6 @@ In each file, replace {{% /tab %}} -{{% /tab %}} - {{% tab name=dos-nginx-conf-configmap.yaml %}} {{< include "dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md" >}} diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md index 2752cb7cfc..aac70ab183 100644 --- a/content/nap-dos/deployment-guide/kubernetes.md +++ b/content/nap-dos/deployment-guide/kubernetes.md @@ -166,7 +166,6 @@ In each file, replace `/:}} From c51b7cdad8dd1bf584c4343d95d8e67ac25fbc8d Mon Sep 17 00:00:00 2001 
From: "r.nitzan@f5.com" Date: Mon, 22 Dec 2025 14:41:32 +0200 Subject: [PATCH 19/23] dos k8s --- .../kubernetes-with-L3-mitigation.md | 36 ++++++++++++++++++- .../nap-dos/deployment-guide/kubernetes.md | 35 ++++++++++++++++++ .../learn-about-deployment.md | 20 +++++------ 3 files changed, 80 insertions(+), 11 deletions(-) diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md index 63cce42835..d1032fc3ff 100644 --- a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +++ b/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md @@ -208,7 +208,6 @@ To build an image, use the following command, replacing ` . ``` 
@@ -233,8 +232,43 @@ Once you have built the DOS and EBPF images, push them to your private image rep From this point, the steps change based on your installation method: +- [Use Helm to install F5 DOS for NGINX](#use-helm-to-install-f5-dos-for-nginx) - [Use Manifests to install F5 DOS for NGINX](#use-manifests-to-install-f5-dos-for-nginx) +## Use Helm to install F5 DOS for NGINX + +You will need to edit the `values.yaml` file for a few changes: + +- Update _appprotectdos.nginxImage.repository_ and _appprotectdos.nginxImage.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). + +The `` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace. + +Once you have updated `values.yaml`, you can install F5 WAF for NGINX using `helm install`: + +```shell +helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update +helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update +helm install . 
+kubectl create namespace --dry-run=client -o yaml | kubectl apply -f - +kubectl create secret generic license-token --from-file=license.jwt=${PWD}/license.jwt --type=nginx.com/license -n +helm install dos-release dos-helm-chart --namespace --set namespace.create=false --set service.type=NodePort --set appProtectDos.nginxImage.repository=${DOS_IMAGE_REPOSITORY} --set appProtectDos.nginxImage.tag=${DOS_IMAGE_TAG} --timeout 10m --debug +helm install dos-arbitrator nginx-stable/nginx-appprotect-dos-arbitrator --namespace --wait --timeout 5m +kubectl wait --for=condition=available --timeout=300s deployment/app-protect-dos -n +``` + +You can verify the deployment is successful with `kubectl get`, replacing `namespace` accordingly: + +```shell +kubectl get pods -n +kubectl get svc -n +``` + +{{< call-out "note" >}} + +At this stage, you have finished deploying F5 WAF for NGINX and can look at [Post-installation checks](#post-installation-checks). + +{{< /call-out >}} + ## Use Manifests to install F5 DOS for NGINX ### Create Manifest files diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md index aac70ab183..4956ab95f4 100644 --- a/content/nap-dos/deployment-guide/kubernetes.md +++ b/content/nap-dos/deployment-guide/kubernetes.md 
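Review bot: In hunk `@@ -233,8 +232,43 @@` the install command on this L4-mitigation page uses `dos-helm-chart`, while the same block added to kubernetes.md in hunk `@@ -144,8 +144,43 @@` uses `dos-ebpf-helm-chart`, which reads as if the two chart names were swapped; confirm which chart carries the ebpf-manager sidecar and align both pages. `helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update` is listed twice in a row, and `helm install .` has lost its placeholder, so the block is not copy-ready. `--debug` on `helm install` prints the fully rendered manifests to the terminal; it belongs in a troubleshooting note, not in the documented install command. The prose in both pages also says "F5 WAF for NGINX" inside a DOS guide and "chosen during when".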
@@ -144,8 +144,43 @@ Once you have built the image, push it to your private image repository, which s From this point, the steps change based on your installation method: +- [Use Helm to install F5 DOS for NGINX](#use-helm-to-install-f5-dos-for-nginx) - [Use Manifests to install F5 DOS for NGINX](#use-manifests-to-install-f5-dos-for-nginx) +## Use Helm to install F5 DOS for NGINX + +You will need to edit the `values.yaml` file for a few changes: + +- Update _appprotectdos.nginxImage.repository_ and _appprotectdos.nginxImage.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). + +The `` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace. + +Once you have updated `values.yaml`, you can install F5 WAF for NGINX using `helm install`: + +```shell +helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update +helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update +helm install . 
+kubectl create namespace --dry-run=client -o yaml | kubectl apply -f - +kubectl create secret generic license-token --from-file=license.jwt=${PWD}/license.jwt --type=nginx.com/license -n +helm install dos-release dos-ebpf-helm-chart --namespace --set namespace.create=false --set service.type=NodePort --set appProtectDos.nginxImage.repository=${DOS_IMAGE_REPOSITORY} --set appProtectDos.nginxImage.tag=${DOS_IMAGE_TAG} --timeout 10m --debug +helm install dos-arbitrator nginx-stable/nginx-appprotect-dos-arbitrator --namespace --wait --timeout 5m +kubectl wait --for=condition=available --timeout=300s deployment/app-protect-dos -n +``` + +You can verify the deployment is successful with `kubectl get`, replacing `namespace` accordingly: + +```shell +kubectl get pods -n +kubectl get svc -n +``` + +{{< call-out "note" >}} + +At this stage, you have finished deploying F5 WAF for NGINX and can look at [Post-installation checks](#post-installation-checks). + +{{< /call-out >}} + ## Use Manifests to install F5 DOS for NGINX The `` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace. diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md index 98f00d28f8..a8a6941967 100644 --- a/content/nap-dos/deployment-guide/learn-about-deployment.md +++ b/content/nap-dos/deployment-guide/learn-about-deployment.md 
@@ -933,7 +933,7 @@ You need root permissions to execute the following steps. - `license.jwt`: JWT license file for NGINX Plus license management - `nginx.conf`: User defined `nginx.conf` with `app-protect-dos` enabled - `entrypoint.sh`: Docker startup script which spins up all App Protect DoS processes, must have executable permissions - - custom_log_format.json: Optional user-defined security log format file (if not used - remove its references from the nginx.conf and Dockerfile) + - `custom_log_format.json`: Optional user-defined security log format file (if not used - remove its references from the nginx.conf and Dockerfile) 2. Log in to NGINX Plus Customer Portal and download your `nginx-repo.crt`, `nginx-repo.key` and `license.jwt` files. @@ -1030,7 +1030,7 @@ You need root permissions to execute the following steps. 6. Create a Docker image: ```shell - DOCKER_BUILDKIT=1 docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=./license.jwt -t app-protect-dos . + DOCKER_BUILDKIT=1 docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t app-protect-dos . ``` The `--no-cache` option tells Docker to build the image from scratch and ensures the installation of the latest version of NGINX Plus and F5 DoS for NGINX. If the Dockerfile was previously used to build an image without the `--no-cache` option, the new image uses versions from the previously built image from the Docker cache. 
@@ -1038,7 +1038,7 @@ You need root permissions to execute the following steps. For RHEL8/9 with subscription manager setup add build arguments: ```shell - DOCKER_BUILDKIT=1 docker build --build-arg RHEL_ORG=... --build-arg RHEL_ACTIVATION_KEY=... --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=./license.jwt -t app-protect-dos . + DOCKER_BUILDKIT=1 docker build --build-arg RHEL_ORG=... --build-arg RHEL_ACTIVATION_KEY=... --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t app-protect-dos . ``` 8. Verify that the `app-protect-dos` image was created successfully with the docker images command: @@ -1050,7 +1050,7 @@ You need root permissions to execute the following steps. 9. Create a container based on this image, for example, `my-app-protect-dos` container: ```shell - docker run --name my-app-protect-dos -p 80:80 -d app-protect-dos + docker run --name my-app-protect-dos -p 80:80 -v $(PWD)/license.jwt:/etc/nginx/license.jwt -d app-protect-dos ``` 10. Verify that the `my-app-protect-dos` container is up and running with the `docker ps` command: @@ -1081,14 +1081,14 @@ You need root permissions to execute the following steps. Create and run the main `app-protect-dos` container: ```shell - docker run --name my-app-protect-dos -v /shared:/shared -p 80:80 -d app-protect-dos + docker run --name my-app-protect-dos -v /shared:/shared -p 80:80 -v $(PWD)/license.jwt:/etc/nginx/license.jwt -d app-protect-dos ``` 2. Deploy Directly on the Host.
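Review bot: `-v $(PWD)/license.jwt:/etc/nginx/license.jwt` in hunk `@@ -1050,7 +1050,7 @@` is a command substitution, so bash tries to run a command named `PWD`, reports "command not found", and hands Docker the host path `/license.jwt` instead of the file in the working directory; the variable form is needed: `docker run --name my-app-protect-dos -p 80:80 -v "${PWD}/license.jwt:/etc/nginx/license.jwt:ro" -d app-protect-dos`. The `:ro` suffix keeps the container from modifying the license file on the host. The same `$(PWD)` appears in hunks `@@ -1081,14 +1081,14 @@`, `@@ -1101,7 +1101,7 @@` and `@@ -1306,7 +1306,7 @@` of this file.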
To run L4 mitigation directly on the host:
1. Install the L4 mitigation on the host, as described in the OS-specific instructions. 2. Run the app-protect-dos container: ```shell - docker run --name my-app-protect-dos -v /shared:/shared -p 80:80 -d app-protect-dos + docker run --name my-app-protect-dos -v /shared:/shared -p 80:80 -v $(PWD)/license.jwt:/etc/nginx/license.jwt -d app-protect-dos ``` 3. Run L4 Mitigation Inside the Same Container as `app-protect-dos`.
To run both L4 mitigation and the main application within the same container:
@@ -1101,7 +1101,7 @@ You need root permissions to execute the following steps. ``` 2. run the container: ```shell - docker run --name my-app-protect-dos -p 80:80 -d app-protect-dos + docker run --name my-app-protect-dos -p 80:80 -v $(PWD)/license.jwt:/etc/nginx/license.jwt -d app-protect-dos ``` {{< call-out "note" >}} @@ -1283,13 +1283,13 @@ Make sure to replace upstream and proxy pass directives in this example with rel For Debian/Ubuntu/Alpine/Amazon Linux: ```shell - DOCKER_BUILDKIT=1 docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=./license.jwt -t app-protect-dos . + DOCKER_BUILDKIT=1 docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t app-protect-dos . ``` For RHEL: ```shell - DOCKER_BUILDKIT=1 docker build --build-arg RHEL_ORG=... --build-arg RHEL_ACTIVATION_KEY=... --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key --secret id=license-jwt,src=./license.jwt -t app-protect-dos . + DOCKER_BUILDKIT=1 docker build --build-arg RHEL_ORG=... --build-arg RHEL_ACTIVATION_KEY=... --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t app-protect-dos . ``` **Notes:** @@ -1306,7 +1306,7 @@ Make sure to replace upstream and proxy pass directives in this example with rel 10. Create a container based on this image, for example, `my-app-protect-dos` container: ```shell - docker run --name my-app-protect-dos -p 80:80 -d app-protect-dos + docker run --name my-app-protect-dos -p 80:80 -v $(PWD)/license.jwt:/etc/nginx/license.jwt -d app-protect-dos ``` 11. Verify that the `my-app-protect-dos` container is up and running with the `docker ps` command: From 9a1cda12c7821192644d38986d9be3c54c1c14a2 Mon Sep 17 00:00:00 2001 
From: "r.nitzan@f5.com" Date: Mon, 22 Dec 2025 15:33:28 +0200 Subject: [PATCH 20/23] dos k8s --- content/includes/dos/dos-arbitrator.md | 2 +- content/includes/dos/dos-entrypoint.md | 2 +- content/includes/dos/dos-waf-entrypoint.md | 2 +- content/includes/dos/install-post-checks.md | 4 +- ...rnetes-with-L4-accelerated-mitigation..md} | 67 +++++++++++++++---- .../nap-dos/deployment-guide/kubernetes.md | 48 ++++++++----- .../learn-about-deployment.md | 14 ++-- 7 files changed, 98 insertions(+), 41 deletions(-) rename content/nap-dos/deployment-guide/{kubernetes-with-L3-mitigation.md => kubernetes-with-L4-accelerated-mitigation..md} (73%) diff --git a/content/includes/dos/dos-arbitrator.md b/content/includes/dos/dos-arbitrator.md index 6c3612a443..8981917a17 100644 --- a/content/includes/dos/dos-arbitrator.md +++ b/content/includes/dos/dos-arbitrator.md @@ -2,7 +2,7 @@ nd-docs: null nd-files: - content/nap-dos/deployment-guide/kubernetes.md -- content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md --- ## F5 DoS for NGINX Arbitrator diff --git a/content/includes/dos/dos-entrypoint.md b/content/includes/dos/dos-entrypoint.md index 3f66756a79..8650cdffeb 100644 --- a/content/includes/dos/dos-entrypoint.md +++ b/content/includes/dos/dos-entrypoint.md @@ -3,7 +3,7 @@ nd-docs: null nd-files: - content/nap-dos/deployment-guide/learn-about-deployment.md - content/nap-dos/deployment-guide/kubernetes.md -- content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md --- ```shell diff --git a/content/includes/dos/dos-waf-entrypoint.md b/content/includes/dos/dos-waf-entrypoint.md index 26d26919dd..593bca48c7 100644 --- a/content/includes/dos/dos-waf-entrypoint.md +++ b/content/includes/dos/dos-waf-entrypoint.md 
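Review bot: The rename target `kubernetes-with-L4-accelerated-mitigation..md` carries a doubled dot, and the `nd-files` entries updated in dos-arbitrator.md (hunk `@@ -2,7 +2,7 @@`), dos-entrypoint.md, dos-waf-entrypoint.md and install-post-checks.md all reproduce it, so the page slug the site generates from this file name will presumably end in a stray `.` unless the generator strips it. Rename the page to `kubernetes-with-L4-accelerated-mitigation.md` and update the four references in the same commit, since they are what keeps the includes attached to the page.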
@@ -3,7 +3,7 @@ nd-docs: null nd-files: - content/nap-dos/deployment-guide/learn-about-deployment.md - content/nap-dos/deployment-guide/kubernetes.md -- content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md --- diff --git a/content/includes/dos/install-post-checks.md b/content/includes/dos/install-post-checks.md index f106ddf365..690da4e047 100644 --- a/content/includes/dos/install-post-checks.md +++ b/content/includes/dos/install-post-checks.md @@ -3,7 +3,7 @@ nd-docs: null nd-files: - content/nap-dos/deployment-guide/learn-about-deployment.md - content/nap-dos/deployment-guide/kubernetes.md -- content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md --- You can run the following commands to ensure that F5 DoS for NGINX enforcement is operational. @@ -66,7 +66,7 @@ You can run the following commands to ensure that F5 DoS for NGINX enforcement i c. See that the good traffic continue as usual while the attackers receive denial of service. -4. For DOS with L3 mitigation enabled +4. For DOS with L4 accelerated mitigation enabled Check that the ebpf_manager_dos process needed for F5 DoS for NGINX is running using `ps aux | grep /usr/bin/ebpf_manager_dos`: diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md b/content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md similarity index 73% rename from content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md rename to content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md index d1032fc3ff..23a94c388c 100644 --- a/content/nap-dos/deployment-guide/kubernetes-with-L3-mitigation.md +++ b/content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md 
@@ -1,6 +1,6 @@ --- # We use sentence case and present imperative tone -title: "Kubernetes with L3 mitigation" +title: "Kubernetes with L4 accelerated mitigation" # Weights are assigned in increments of 100: determines sorting order weight: 110 # Creates a table of contents and sidebar, useful for large documents @@ -10,7 +10,17 @@ nd-content-type: how-to nd-product: F5DOSN --- -This page describes how to install F5 DOS for NGINX using Kubernetes. +This page describes how to install F5 DOS for NGINX using Kubernetes with L4 accelerated mitigation service. +By enabling [accelerated-mitigation-directive-app_protect_dos_accelerated_mitigation](https://docs.nginx.com/nginx-app-protect-dos/directives-and-policy/learn-about-directives-and-policy/#accelerated-mitigation-directive-app_protect_dos_accelerated_mitigation) +and running the [DOS EBPF Manager]() as a sidecar container alongside the NGINX container, you can offload Layer 4 DoS mitigation to eBPF programs running in the Linux kernel. This improves mitigation performance and reduces CPU usage on the NGINX container. + +Such with L4 accelerated mitigation require the NGINX and DOS containers to run with elevated privileges, as well as additional Linux capabilities. Therefore, this guide assumes you have a good understanding of Kubernetes security best practices and have taken the necessary steps to secure your cluster accordingly. +The F5 Dos For NGINX require the service to run with [externalTrafficPolicy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) set to Local in order to preserve the client source IP address for accurate DoS mitigation. +```text +spec: + externalTrafficPolicy: Local +``` + It explains the common steps necessary for any Kubernetes-based deployment, then provides details specific to Helm or Manifests. 
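Review bot: The link `[DOS EBPF Manager]()` in hunk `@@ -10,7 +10,17 @@` has an empty target, so it renders as dead text; point it at the ebpf-manager section of the guide or drop the brackets. The sentence "Such with L4 accelerated mitigation require the NGINX and DOS containers to run with elevated privileges" is ungrammatical and, as far as the manifests in this series show, broader than what is configured — only the `dos-ebpf-manager` sidecar is `privileged: true` — so it should name that container and the `/sys/fs/bpf` hostPath it needs. The `externalTrafficPolicy: Local` snippet would read better fenced as `yaml` than `text`, and "The F5 Dos For NGINX require" should be "F5 DoS for NGINX requires".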
@@ -243,29 +253,52 @@ You will need to edit the `values.yaml` file for a few changes: The `` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace. +On helm deployment environment variables need to be set for image repository and tag. +`set enviorment variable DOS_IMAGE_REPOSITORY` with your actual nginx-dos image anmae. +`set enviorment variable DOS_IMAGE_TAG` with your actual nginx-dos image tag. +`set enviorment variable EBPF_IMAGE_REPOSITORY` with your actual ebpf-manager image name. +`set enviorment variable EBPF_IMAGE_TAG` with your actual ebpf-manager image tag. + Once you have updated `values.yaml`, you can install F5 WAF for NGINX using `helm install`: ```shell +export DOS_IMAGE_REPOSITORY= + +export DOS_IMAGE_TAG= + +export EBPF_IMAGE_REPOSITORY= + +export EBPF_IMAGE_TAG= + helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update -helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update -helm install . 
+ kubectl create namespace --dry-run=client -o yaml | kubectl apply -f - -kubectl create secret generic license-token --from-file=license.jwt=${PWD}/license.jwt --type=nginx.com/license -n -helm install dos-release dos-helm-chart --namespace --set namespace.create=false --set service.type=NodePort --set appProtectDos.nginxImage.repository=${DOS_IMAGE_REPOSITORY} --set appProtectDos.nginxImage.tag=${DOS_IMAGE_TAG} --timeout 10m --debug -helm install dos-arbitrator nginx-stable/nginx-appprotect-dos-arbitrator --namespace --wait --timeout 5m + +kubectl create secret generic license-token \ + --from-file=license.jwt=${PWD}/license.jwt --type=nginx.com/license --namespace + +helm install dos-release dos-ebpf-helm-chart --namespace \ + --set namespace.create=false --set service.type=NodePort \ + --set appProtectDos.nginxImage.repository=${DOS_IMAGE_REPOSITORY} \ + --set appProtectDos.nginxImage.tag=${DOS_IMAGE_TAG} \ + --set appProtectDos.ebpfManagerImage.repository=$EBPF_IMAGE_REPOSITORY} \ + --set appProtectDos.ebpfManagerImage.tag=${EBPF_IMAGE_TAG} + +helm install dos-arbitrator nginx-stable/nginx-appprotect-dos-arbitrator --namespace + kubectl wait --for=condition=available --timeout=300s deployment/app-protect-dos -n ``` You can verify the deployment is successful with `kubectl get`, replacing `namespace` accordingly: ```shell -kubectl get pods -n -kubectl get svc -n +kubectl get pods --namespac +kubectl get svc --namespac ``` {{< call-out "note" >}} -At this stage, you have finished deploying F5 WAF for NGINX and can look at [Post-installation checks](#post-installation-checks). +At this stage, you have finished deploying F5 DOS for NGINX and can look at [Post-installation checks](#post-installation-checks). {{< /call-out >}} 
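Review bot: `--set appProtectDos.ebpfManagerImage.repository=$EBPF_IMAGE_REPOSITORY} \` is missing the opening brace, so the value Helm receives is the repository name followed by a literal `}` and the sidecar image pull will fail; it should read `--set appProtectDos.ebpfManagerImage.repository=${EBPF_IMAGE_REPOSITORY} \`. The same line is carried over unchanged when PATCH 23 rewrites this fence (the kubernetes-with-L4 hunk at @@ -263). In the verification block, `kubectl get pods --namespac` and `kubectl get svc --namespac` drop the final `e` of `--namespace`, so both commands error out as written. The new prose above the fence spells environment as `enviorment` and name as `anmae`, and the same text is duplicated in the manifest section and in kubernetes.md.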
@@ -277,9 +310,11 @@ The default configuration provided creates two replicas, each hosting NGINX and Create all of these files in a single folder (Such as `/manifests`). -In each file, replace - `/:` with your actual nginx-dos image tag. - `/:` with your actual ebpf-manager image tag. +On manifest deployment environment variables need to be set for image repository and tag. + `set enviorment variable DOS_IMAGE_REPOSITORY` with your actual nginx-dos image anmae. + `set enviorment variable DOS_IMAGE_TAG` with your actual nginx-dos image tag. + `set enviorment variable EBPF_IMAGE_REPOSITORY` with your actual ebpf-manager image name. + `set enviorment variable EBPF_IMAGE_TAG` with your actual ebpf-manager image tag. {{< tabs name="manifest-files" >}} @@ -321,6 +356,10 @@ In each file, replace From the folder containing the YAML files from the previous step (Suggested as `/manifests`), deploy F5 DOS for NGINX using `kubectl`: ```shell +export DOS_IMAGE_REPOSITORY= +export DOS_IMAGE_TAG= +export EBPF_IMAGE_REPOSITORY= +export EBPF_IMAGE_TAG= kubectl apply -f manifests/dos-namespace.yaml kubectl apply -f manifests/dos-nginx-conf-configmap.yaml kubectl apply -f manifests/dos-log-default-configmap.yaml @@ -357,7 +396,7 @@ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) nap-dos LoadBalancer 10.43.212.232 80:32586/TCP 93s ``` ## Post-Installation Checks -At this stage, you have finished deploying F5 DOS for NGINX with EBPF L3 mitigation enabled +At this stage, you have finished deploying F5 DOS for NGINX with EBPF L4 accelerated mitigation enabled You can login to dos-ebpf-manager container like following command ```text kubectl exec -it app-protect-dos-586fb94947-8sjnc -n app-protect-dos -c nginx-app-protect-dos -- bash diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md index 4956ab95f4..4685ff9765 100644 --- a/content/nap-dos/deployment-guide/kubernetes.md +++ b/content/nap-dos/deployment-guide/kubernetes.md 
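Review bot: The four `export DOS_IMAGE_…`/`export EBPF_IMAGE_…` lines added at the top of the manifest fence have no effect on the `kubectl apply -f manifests/…` commands that follow: kubectl applies files as written and performs no environment-variable substitution, so unless the included manifests are run through a templating step not shown here, the image fields stay literal and the pods will fail to pull. Either restore the previous per-file replace instruction that this hunk removes, or show the substitution explicitly, for example `envsubst < manifests/dos-deployment.yaml | kubectl apply -f -`. The manifest block of kubernetes.md receives the same exports in this patch (its hunk at @@ -232) and needs the same treatment.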
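Review bot: The reworded line "finished deploying F5 DOS for NGINX with EBPF L4 accelerated mitigation enabled" is immediately followed by "You can login to dos-ebpf-manager container" and then `kubectl exec -it app-protect-dos-586fb94947-8sjnc -n app-protect-dos -c nginx-app-protect-dos -- bash`, which selects the `nginx-app-protect-dos` container rather than the eBPF manager sidecar; the `-c` value should name the sidecar container as declared in the deployment manifest, or the sentence should say the NGINX container. The hard-coded pod name is a sample readers will copy verbatim; listing pods with `kubectl get pods --namespace app-protect-dos` first would make the step reproducible. Those two lines are context in this hunk, so the mismatch predates the patch, but the new sentence above them makes it more visible.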
@@ -155,19 +155,33 @@ You will need to edit the `values.yaml` file for a few changes: The `` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace. +On helm deployment environment variables need to be set for image repository and tag. +`set enviorment variable DOS_IMAGE_REPOSITORY` with your actual nginx-dos image anmae. +`set enviorment variable DOS_IMAGE_TAG` with your actual nginx-dos image tag. + Once you have updated `values.yaml`, you can install F5 WAF for NGINX using `helm install`: ```shell +export DOS_IMAGE_REPOSITORY= + +export DOS_IMAGE_TAG= + helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update -helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update -helm install . + kubectl create namespace --dry-run=client -o yaml | kubectl apply -f - -kubectl create secret generic license-token --from-file=license.jwt=${PWD}/license.jwt --type=nginx.com/license -n -helm install dos-release dos-ebpf-helm-chart --namespace --set namespace.create=false --set service.type=NodePort --set appProtectDos.nginxImage.repository=${DOS_IMAGE_REPOSITORY} --set appProtectDos.nginxImage.tag=${DOS_IMAGE_TAG} --timeout 10m --debug -helm install dos-arbitrator nginx-stable/nginx-appprotect-dos-arbitrator --namespace --wait --timeout 5m + +kubectl create secret generic license-token \ + --from-file=license.jwt=${PWD}/license.jwt --type=nginx.com/license --namespace + +helm install dos-release dos-helm-chart --namespace \ + --set namespace.create=false --set service.type=NodePort \ + --set appProtectDos.nginxImage.repository=${DOS_IMAGE_REPOSITORY} \ + --set appProtectDos.nginxImage.tag=${DOS_IMAGE_TAG} + +helm install dos-arbitrator nginx-stable/nginx-appprotect-dos-arbitrator --namespace + kubectl wait --for=condition=available --timeout=300s deployment/app-protect-dos -n ``` - You can verify the deployment is successful with `kubectl get`, replacing 
`namespace` accordingly: ```shell @@ -177,7 +191,7 @@ kubectl get svc -n {{< call-out "note" >}} -At this stage, you have finished deploying F5 WAF for NGINX and can look at [Post-installation checks](#post-installation-checks). +At this stage, you have finished deploying F5 DOS for NGINX and can look at [Post-installation checks](#post-installation-checks). {{< /call-out >}} @@ -191,7 +205,9 @@ The default configuration provided creates two replicas, each hosting NGINX and Create all of these files in a single folder (Such as `/manifests`). -In each file, replace `/:` with your actual image tag. +On manifest deployment environment variables need to be set for image repository and tag. +`set enviorment variable DOS_IMAGE_REPOSITORY` with your actual nginx-dos image anmae. +`set enviorment variable DOS_IMAGE_TAG` with your actual nginx-dos image tag. {{< tabs name="manifest-files" >}} @@ -232,8 +248,10 @@ In each file, replace `/: +export DOS_IMAGE_TAG= kubectl apply -f manifests/dos-namespace.yaml -kubectl create secret generic license-token --from-file=license.jwt=license.jwt --type=nginx.com/license -n app-protect-dos +kubectl create secret generic license-token --from-file=license.jwt=license.jwt --type=nginx.com/license --namespace app-protect-dos kubectl apply -f dos-manifest/dos-log-default-configmap.yaml kubectl apply -f dos-manifest/dos-nginx-conf-configmap.yaml kubectl apply -f manifests/dos-deployment.yaml 
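Review bot: `kubectl wait --for=condition=available --timeout=300s deployment/app-protect-dos -n` still uses `-n` while every other command in this fence is switched to `--namespace` in this hunk, so the placeholder style is now mixed within one block; it should read `kubectl wait --for=condition=available --timeout=300s deployment/app-protect-dos --namespace`. The same leftover is in the kubernetes-with-L4 helm hunk (@@ -243) and both survive the PATCH 23 rewrite. The rewritten `helm install dos-arbitrator …` line also drops `--wait --timeout 5m` without the text saying that the arbitrator may still be starting when the following `kubectl wait` on the app-protect-dos deployment succeeds; a one-line note, or `kubectl wait` on the arbitrator deployment too, would avoid a confusing first rollout.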
@@ -245,23 +263,23 @@ It will apply all the configuration defined in the files to your Kubernetes clus You can then check the status of the deployment with `kubectl get`: ```shell -kubectl -n app-protect-dos get deployments -kubectl -n app-protect-dos get pods -kubectl -n app-protect-dos get services +kubectl --namespace app-protect-dos get deployments +kubectl --namespace app-protect-dos get pods +kubectl --namespace app-protect-dos get services ``` You should see output similar to the following: ```text -~$ kubectl -n app-protect-dos get deployments +~$ kubectl --namespace app-protect-dos get deployments NAME READY UP-TO-DATE AVAILABLE AGE app-protect-dos 1/1 1 1 1m -~$ kubectl -n app-protect-dos get pods +~$ kubectl --namespace app-protect-dos get pods NAME READY STATUS RESTARTS AGE app-protect-dos-586fb94947-8sjnc 1/1 Running 0 1m -~$ kubectl -n app-protect-dos get services +~$ kubectl --namespace app-protect-dos get services NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE nap-dos LoadBalancer 10.43.83.225 80:30307/TCP 1m ``` diff --git a/content/nap-dos/deployment-guide/learn-about-deployment.md b/content/nap-dos/deployment-guide/learn-about-deployment.md index a8a6941967..0527353aa9 100644 --- a/content/nap-dos/deployment-guide/learn-about-deployment.md +++ b/content/nap-dos/deployment-guide/learn-about-deployment.md @@ -262,7 +262,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo systemctl start nginx ``` -18. L4 mitigation +18. L4 accelerated mitigation To enable the `app-protect-dos-ebpf-manager` service to start at boot, run the command: ```shell @@ -479,7 +479,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo systemctl start nginx ``` -18. L4 mitigation +18. L4 accelerated mitigation To enable the `app-protect-dos-ebpf-manager` service to start at boot, run the command: ```shell 
@@ -908,7 +908,7 @@ When deploying App Protect DoS on NGINX Plus take the following precautions to s sudo systemctl start nginx ``` -16. L4 mitigation +16. L4 accelerated mitigation To enable the `app-protect-dos-ebpf-manager` service to start at boot, run the command: ```shell @@ -1067,7 +1067,7 @@ You need root permissions to execute the following steps. mkdir /shared ``` This folder will be used to share data between containers. - Modify the `entrypoint.sh` to run the L4 mitigation: + Modify the `entrypoint.sh` to run the L4 accelerated mitigation: ```shell # run processes @@ -1085,13 +1085,13 @@ You need root permissions to execute the following steps. ``` 2. Deploy Directly on the Host.
To run L4 mitigation directly on the host:
- 1. Install the L4 mitigation on the host, as described in the OS-specific instructions. + 1. Install the L4 accelerated mitigation on the host, as described in the OS-specific instructions. 2. Run the app-protect-dos container: ```shell docker run --name my-app-protect-dos -v /shared:/shared -p 80:80 -v $(PWD)/license.jwt:/etc/nginx/license.jwt -d app-protect-dos ``` - 3. Run L4 Mitigation Inside the Same Container as `app-protect-dos`.
- To run both L4 mitigation and the main application within the same container:
+ 3. Run L4 Accelerated Mitigation Inside the Same Container as `app-protect-dos`.
+ To run both L4 accelerated mitigation and the main application within the same container:
1. Modify the `entrypoint.sh`: ```shell ... From ed4c619e87d9a09222c2bbe5d39994630272185a Mon Sep 17 00:00:00 2001 From: Raanan <59834489+rnitzan@users.noreply.github.com> Date: Mon, 22 Dec 2025 15:34:41 +0200 Subject: [PATCH 21/23] Update content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md Co-authored-by: Daniel Edgar --- .../kubernetes-with-L4-accelerated-mitigation..md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md b/content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md index 23a94c388c..ab062f786f 100644 --- a/content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md +++ b/content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md @@ -229,7 +229,7 @@ Your folder should contain the following files: - _nginx-repo.key_ - _Dockerfile_ -To build an image, use the following command, replacing `` as appropriate: +To build an image, use the following command, replacing `` as appropriate: ```shell sudo docker build --no-cache --platform linux/amd64 \ From 2f81b510ab6405c390c29f7e5e615e248f85e0dd Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Tue, 23 Dec 2025 10:55:06 +0200 Subject: [PATCH 22/23] dos k8s --- .../k8s_manifest/dos-nginx-conf-configmap.md | 16 ++++++-- .../includes/dos/k8s_manifest/dos-service.md | 6 +-- .../dos-nginx-conf-configmap.md | 18 +++++++-- .../dos/k8s_with_ebpf_manifest/dos-service.md | 6 +-- .../learn-about-directives-and-policy.md | 38 ++++++++++++++++++- 5 files changed, 69 insertions(+), 15 deletions(-) diff --git a/content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md b/content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md index 2f4f91cef6..5dbc9407fa 100644 --- a/content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md +++ b/content/includes/dos/k8s_manifest/dos-nginx-conf-configmap.md 
@@ -36,12 +36,22 @@ data: 'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, ' 'ip_tls=$remote_addr:$app_protect_dos_tls_fp, '; - # Health endpoints for probes + app_protect_dos_liveness on; # uri:/app_protect_dos_liveness port:8090 + app_protect_dos_readiness on; # uri:/app_protect_dos_readiness port:8090 + server { listen 8090; - location /app_protect_dos_liveness { return 200; } - location /app_protect_dos_readiness { return 200; } + server_name probe; + + location / { + proxy_pass http://localhost:8091; + } + } + + server { + listen 8091; + return 503; } server { diff --git a/content/includes/dos/k8s_manifest/dos-service.md b/content/includes/dos/k8s_manifest/dos-service.md index 0e24fc056a..65bfdedb00 100644 --- a/content/includes/dos/k8s_manifest/dos-service.md +++ b/content/includes/dos/k8s_manifest/dos-service.md @@ -8,11 +8,11 @@ metadata: name: nap-dos namespace: app-protect-dos spec: - type: NodePort ports: - - port: 80 - targetPort: 80 + - name: app + port: 80 protocol: TCP selector: app: app-protect-dos + type: NodePort ``` \ No newline at end of file diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md index 5f5fe341c0..83900f2871 100644 --- a/content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md +++ b/content/includes/dos/k8s_with_ebpf_manifest/dos-nginx-conf-configmap.md 
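Review bot: `app_protect_dos_liveness on;` and `app_protect_dos_readiness on;` are enabled without `uri:`/`port:` arguments, with the intended values only in trailing comments; the directives page changed later in this series uses the explicit form (`app_protect_dos_readiness on uri:/readiness port:8090;`), and spelling them out here keeps the `listen 8090` probe server and the probe paths in the deployment manifest from silently diverging if a default ever changes. The `# Health endpoints for probes` comment is deleted from this configmap but added to the k8s_with_ebpf counterpart in the next hunk, so the two files should be aligned one way or the other. The catch-all `location /` on 8090 now forwards every non-probe request to the 8091 backstop that returns 503, which is a reasonable fail-closed default as long as 8090 stays out of the Service (only port 80 is exposed in the dos-service hunk below). I would also write `proxy_pass http://127.0.0.1:8091;` instead of `localhost`, since `listen 8091;` binds the IPv4 wildcard only and `localhost` may additionally resolve to `::1` depending on the container's hosts file.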
@@ -37,13 +37,23 @@ data: 'ip_tls=$remote_addr:$app_protect_dos_tls_fp, '; app_protect_dos_accelerated_mitigation on syn_drop=on; - - + # Health endpoints for probes + app_protect_dos_liveness on; # uri:/app_protect_dos_liveness port:8090 + app_protect_dos_readiness on; # uri:/app_protect_dos_readiness port:8090 + server { listen 8090; - location /app_protect_dos_liveness { return 200; } - location /app_protect_dos_readiness { return 200; } + server_name probe; + + location / { + proxy_pass http://localhost:8091; + } + } + + server { + listen 8091; + return 503; } server { diff --git a/content/includes/dos/k8s_with_ebpf_manifest/dos-service.md b/content/includes/dos/k8s_with_ebpf_manifest/dos-service.md index 0f44d951e3..c7c7916fde 100644 --- a/content/includes/dos/k8s_with_ebpf_manifest/dos-service.md +++ b/content/includes/dos/k8s_with_ebpf_manifest/dos-service.md @@ -8,12 +8,12 @@ metadata: name: nap-dos namespace: app-protect-dos spec: - type: LoadBalancer externalTrafficPolicy: Local ports: - - port: 80 - targetPort: 80 + - name: app + port: 80 protocol: TCP selector: app: app-protect-dos + type: LoadBalancer ``` \ No newline at end of file diff --git a/content/nap-dos/directives-and-policy/learn-about-directives-and-policy.md b/content/nap-dos/directives-and-policy/learn-about-directives-and-policy.md index 39dffc953b..397e6ebabe 100644 --- a/content/nap-dos/directives-and-policy/learn-about-directives-and-policy.md +++ b/content/nap-dos/directives-and-policy/learn-about-directives-and-policy.md @@ -343,7 +343,24 @@ Any other response will indicate that our NGINX module (F5 DoS for NGINX) has no **Example:** ```nginx -app_protect_dos_liveness on uri:/liveness port:8090; +http { + + app_protect_dos_readiness on uri:/liveness port:8090; + + server { + listen 8090; + server_name probe; + + location / { + proxy_pass http://localhost:8091; + } + } + + server { + listen 8091; + return 503; + } +} ``` ### Readiness probe directive (`app_protect_dos_readiness`) 
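Review bot: The liveness example in the learn-about-directives-and-policy hunk now reads `app_protect_dos_readiness on uri:/liveness port:8090;`, so the example under the liveness probe heading enables the readiness directive with a liveness URI; it should be `app_protect_dos_liveness on uri:/liveness port:8090;`. As written, a reader copying both examples ends up with readiness declared twice and no liveness probe at all. The readiness example in the following hunk is correct and can serve as the template.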
@@ -375,7 +392,24 @@ RC 200 "Ready" will occur if two conditions are met: **Example:** ```nginx -app_protect_dos_readiness on uri:/readiness port:8090; +http { + + app_protect_dos_readiness on uri:/readiness port:8090; + + server { + listen 8090; + server_name probe; + + location / { + proxy_pass http://localhost:8091; + } + } + + server { + listen 8091; + return 503; + } +} ``` ### Arbitrator FQDN directive (`app_protect_dos_arb_fqdn`) From cec4b8a3fef97a5de7b55769238797bba7efa765 Mon Sep 17 00:00:00 2001 From: "r.nitzan@f5.com" Date: Wed, 24 Dec 2025 21:00:00 +0200 Subject: [PATCH 23/23] k8s --- ...ernetes-with-L4-accelerated-mitigation..md | 27 ++++++++++--------- .../nap-dos/deployment-guide/kubernetes.md | 25 +++++++++-------- 2 files changed, 28 insertions(+), 24 deletions(-) diff --git a/content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md b/content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md index ab062f786f..75f2de1cf4 100644 --- a/content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md +++ b/content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation..md 
@@ -263,29 +263,30 @@ Once you have updated `values.yaml`, you can install F5 WAF for NGINX using `hel ```shell export DOS_IMAGE_REPOSITORY= - export DOS_IMAGE_TAG= - export EBPF_IMAGE_REPOSITORY= - export EBPF_IMAGE_TAG= -helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update - kubectl create namespace --dry-run=client -o yaml | kubectl apply -f - - kubectl create secret generic license-token \ --from-file=license.jwt=${PWD}/license.jwt --type=nginx.com/license --namespace - -helm install dos-release dos-ebpf-helm-chart --namespace \ + +# Install DOS Arbitrator +helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update +helm install dos-arbitrator nginx-stable/nginx-appprotect-dos-arbitrator --namespace + +# Install DOS with EBPF Manager +# release-version example: 4.8.3 +helm pull oci://private-registry.nginx.com/nap-dos/nginx-app-protect-ebpf --version --untar +cd nginx-app-protect-dos-ebpf + +helm install nginx-app-protect-dos-ebpf --namespace \ --set namespace.create=false --set service.type=NodePort \ - --set appProtectDos.nginxImage.repository=${DOS_IMAGE_REPOSITORY} \ - --set appProtectDos.nginxImage.tag=${DOS_IMAGE_TAG} \ + --set appProtectDos.image.repository=${DOS_IMAGE_REPOSITORY} \ + --set appProtectDos.image.tag=${DOS_IMAGE_TAG} \ --set appProtectDos.ebpfManagerImage.repository=$EBPF_IMAGE_REPOSITORY} \ - --set appProtectDos.ebpfManagerImage.tag=${EBPF_IMAGE_TAG} + --set appProtectDos.ebpfManagerImage.tag=${EBPF_IMAGE_TAG} . -helm install dos-arbitrator nginx-stable/nginx-appprotect-dos-arbitrator --namespace - kubectl wait --for=condition=available --timeout=300s deployment/app-protect-dos -n ``` diff --git a/content/nap-dos/deployment-guide/kubernetes.md b/content/nap-dos/deployment-guide/kubernetes.md index 4685ff9765..cd80e0beb6 100644 --- a/content/nap-dos/deployment-guide/kubernetes.md +++ b/content/nap-dos/deployment-guide/kubernetes.md 
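Review bot: `helm pull oci://private-registry.nginx.com/nap-dos/nginx-app-protect-ebpf --version … --untar` is followed by `cd nginx-app-protect-dos-ebpf`; `helm pull --untar` unpacks into a directory named after the chart, so unless the chart's name in its Chart.yaml differs from the last OCI path segment, that directory will not exist and the trailing `helm install … .` runs against whatever the current directory holds. Please confirm the directory name against the chart and make the `cd` match. The `--set appProtectDos.ebpfManagerImage.repository=$EBPF_IMAGE_REPOSITORY} \` line is carried over from the previous version with its missing opening brace and still needs to become `${EBPF_IMAGE_REPOSITORY}`. Pulling from `private-registry.nginx.com` presumably needs prior authentication (for example `helm registry login`), which the fence does not show, and the chart version placeholder should be described as a pinned, reviewed value rather than "latest" for supply-chain reasons.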
@@ -151,7 +151,7 @@ From this point, the steps change based on your installation method: You will need to edit the `values.yaml` file for a few changes: -- Update _appprotectdos.nginxImage.repository_ and _appprotectdos.nginxImage.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). +- Update _appprotectdos.image.repository_ and _appprotectdos.image.tag_ with the image name chosen during when [building the Docker image](#build-the-docker-image). The `` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace. 
@@ -163,23 +163,26 @@ Once you have updated `values.yaml`, you can install F5 WAF for NGINX using `hel ```shell export DOS_IMAGE_REPOSITORY= - export DOS_IMAGE_TAG= -helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update - kubectl create namespace --dry-run=client -o yaml | kubectl apply -f - - kubectl create secret generic license-token \ --from-file=license.jwt=${PWD}/license.jwt --type=nginx.com/license --namespace - -helm install dos-release dos-helm-chart --namespace \ - --set namespace.create=false --set service.type=NodePort \ - --set appProtectDos.nginxImage.repository=${DOS_IMAGE_REPOSITORY} \ - --set appProtectDos.nginxImage.tag=${DOS_IMAGE_TAG} - + +# Install DOS Arbitrator +helm repo add nginx-stable https://helm.nginx.com/stable && helm repo update helm install dos-arbitrator nginx-stable/nginx-appprotect-dos-arbitrator --namespace +# Install DOS for NGINX +# release-version example: 4.8.3 +helm pull oci://private-registry.nginx.com/nap-dos/nginx-app-protect --version --untar +cd nginx-app-protect-dos + +helm install nginx-app-protect-dos --namespace \ + --set namespace.create=false --set service.type=NodePort \ + --set appProtectDos.image.repository=${DOS_IMAGE_REPOSITORY} \ + --set appProtectDos.image.tag=${DOS_IMAGE_TAG} . + kubectl wait --for=condition=available --timeout=300s deployment/app-protect-dos -n ``` You can verify the deployment is successful with `kubectl get`, replacing `namespace` accordingly:
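Review bot: `helm pull oci://private-registry.nginx.com/nap-dos/nginx-app-protect --version … --untar` is followed by `cd nginx-app-protect-dos`, the same name mismatch as in the kubernetes-with-L4 hunk of this patch; `--untar` creates a directory named after the chart, so either the OCI path or the `cd` target is wrong unless the chart's internal name differs from its registry path. The OCI name `nap-dos/nginx-app-protect` also looks inconsistent next to `nap-dos/nginx-app-protect-ebpf` used for the eBPF variant, so it is worth double-checking which repository actually hosts the DoS chart. `kubectl wait … deployment/app-protect-dos -n` keeps `-n` while the rest of the fence uses `--namespace`, and as with the eBPF variant the required registry authentication step before `helm pull` is not shown.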