From ff10725b564c77d89c574f7d5b5ad0a938c0c40d Mon Sep 17 00:00:00 2001 From: Ohad Perets Date: Thu, 25 Dec 2025 11:35:33 +0000 Subject: [PATCH 1/3] docs(waf): Add comprehensive offline/air-gap installation guide for all supported OS - Update disconnected-environment.md with complete instructions for all 6 supported OSs - Add Alpine Linux 3.22 offline installation with apk package manager - Add Amazon Linux 2023 offline installation with dnf - Add Debian 11/12 offline installation with apt-get - Add Oracle Linux/RHEL 8/Rocky Linux 8 offline installation with yum - Add RHEL 9/Rocky Linux 9 offline installation with dnf - Add Ubuntu 22.04/24.04 offline installation with apt-get - Fix incorrect apt syntax: --downloaddir replaced with -o Dir::Cache::archives - Add complete prerequisites section with required packages per OS - Add repository setup instructions for each OS - Add package transfer and installation instructions for disconnected environment - Include all app-protect packages (core, security updates, and optional) - Clarify repository authentication requirements (JWT token/credentials needed)" --- .../waf/install/disconnected-environment.md | 204 ++++++++++++++++-- 1 file changed, 191 insertions(+), 13 deletions(-) diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 47c3f246a..f702244cd 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md 
@@ -18,9 +18,11 @@ To complete this guide, you will need the following prerequisites: - [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md#before-you-begin" >}}) - [Docker]({{< ref "/waf/install/docker.md#before-you-begin" >}}) - [Kubernetes]({{< ref "/waf/install/kubernetes.md#before-you-begin" >}}) -- An active F5 WAF for NGINX subscription (Purchased or trial). -- A connected environment with similar architecture -- A method to transfer files between two environments +- An active F5 WAF for NGINX subscription (Purchased or trial) with repository credentials (JWT token or username/password). +- A connected environment with similar architecture and internet access to the NGINX package repositories. +- A method to transfer files between two environments (USB drive, SCP, rsync, etc.). +- For package downloads on apt-based systems: `wget`, `gnupg`, `ca-certificates`, and `apt-transport-https`. +- For package downloads on yum-based systems: `yum-plugin-downloadonly`. These instructions outline the broad, conceptual steps involved with working with a disconnected environment. You will need to make adjustments based on your specific security requirements. 
@@ -68,22 +70,198 @@ This section is most relevant for a [Virtual machine or bare metal]({{< ref "/wa When working with package files, you can install the packages directly in your disconnected environment, or add them to an internal repository. -The first step is to download the package files from your connected environment. +The first step is to download the package files from your connected environment that has internet access and NGINX repository credentials. -This will vary based on your operating system choice, which determines your package manager. +This will vary based on your operating system choice, which determines your package manager. Select your operating system below. -For example, a `yum` based system will require a special plugin: +### Alpine Linux + +1. Download and install the repository signing key: + +```shell +sudo wget -O /etc/apk/keys/app-protect-security-updates.rsa.pub https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub +``` + +2. Add the F5 WAF for NGINX repositories: + +```shell +printf "https://pkgs.nginx.com/app-protect/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main\n" | sudo tee -a /etc/apk/repositories +printf "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main\n" | sudo tee -a /etc/apk/repositories +``` + +3. Create a directory for packages and download app-protect: + +```shell +mkdir -p /offline/packages/ +sudo apk update +sudo apk fetch -R -o /offline/packages/ \ + app-protect \ + app-protect-attack-signatures \ + app-protect-bot-signatures \ + app-protect-threat-campaigns +``` + +### Amazon Linux 2023 + +1. Add the F5 WAF for NGINX repository and dependencies: + +```shell +sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo +sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo +``` + +2. 
Create a directory for packages and download app-protect: + +```shell +mkdir -p /offline/packages/ +sudo dnf install --downloadonly --downloaddir=/offline/packages/ \ + app-protect \ + app-protect-attack-signatures \ + app-protect-bot-signatures \ + app-protect-threat-campaigns +``` + +### Debian + +1. Install required packages: + +```shell +sudo apt-get install -y wget gnupg ca-certificates apt-transport-https lsb-release +``` + +2. Download and install the NGINX repository signing key: + +```shell +wget -qO - https://cs.nginx.com/static/keys/nginx-archive.key | gpg --dearmor | \ + sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg > /dev/null +``` + +3. Add the F5 WAF for NGINX repositories: + +```shell +RELEASE=$(lsb_release -cs) + +printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +https://pkgs.nginx.com/app-protect/debian $RELEASE nginx-plus\n" | \ + sudo tee /etc/apt/sources.list.d/nginx-app-protect.list + +printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +https://pkgs.nginx.com/app-protect-security-updates/debian $RELEASE nginx-plus\n" | \ + sudo tee /etc/apt/sources.list.d/app-protect-security-updates.list +``` + +4. Create a directory for packages and download app-protect: + +```shell +mkdir -p /offline/packages/ +sudo apt-get update +sudo apt-get install --download-only -y \ + app-protect \ + app-protect-attack-signatures \ + app-protect-bot-signatures \ + app-protect-threat-campaigns \ + -o Dir::Cache::archives=/offline/packages/ +``` + +### Oracle Linux / RHEL / Rocky Linux 8 + +1. Add the F5 WAF for NGINX repository: + +```shell +sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-rhel8.repo +``` + +2. 
Create a directory for packages and download app-protect: ```shell -# Install the download plugin -yum -y install yum-plugin-downloadonly -# Create a directory for packages -mkdir -p /etc/packages/ -# Use yum to download the packages into the directory -yum install --downloadonly --downloaddir=/etc/packages/ app-protect +mkdir -p /offline/packages/ +sudo yum install --downloadonly --downloaddir=/offline/packages/ \ + app-protect \ + app-protect-attack-signatures \ + app-protect-bot-signatures \ + app-protect-threat-campaigns ``` -Once you've obtained the package files and transferred them to your disconnected environment, you can directly install them or add them to a local repository. +### RHEL / Rocky Linux 9 + +1. Add the F5 WAF for NGINX repository: + +```shell +sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-rhel9.repo +``` + +2. Create a directory for packages and download app-protect: + +```shell +mkdir -p /offline/packages/ +sudo dnf install --downloadonly --downloaddir=/offline/packages/ \ + app-protect \ + app-protect-attack-signatures \ + app-protect-bot-signatures \ + app-protect-threat-campaigns +``` + +### Ubuntu + +1. Install required packages: + +```shell +sudo apt-get install -y wget gnupg ca-certificates apt-transport-https lsb-release +``` + +2. Download and install the NGINX repository signing key: + +```shell +wget -qO - https://cs.nginx.com/static/keys/nginx-archive.key | gpg --dearmor | \ + sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg > /dev/null +``` + +3. 
Add the F5 WAF for NGINX repositories: + +```shell +RELEASE=$(lsb_release -cs) + +printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +https://pkgs.nginx.com/app-protect/ubuntu $RELEASE nginx-plus\n" | \ + sudo tee /etc/apt/sources.list.d/nginx-app-protect.list + +printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ +https://pkgs.nginx.com/app-protect-security-updates/ubuntu $RELEASE nginx-plus\n" | \ + sudo tee /etc/apt/sources.list.d/app-protect-security-updates.list +``` + +4. Create a directory for packages and download app-protect: + +```shell +mkdir -p /offline/packages/ +sudo apt-get update +sudo apt-get install --download-only -y \ + app-protect \ + app-protect-attack-signatures \ + app-protect-bot-signatures \ + app-protect-threat-campaigns \ + -o Dir::Cache::archives=/offline/packages/ +``` + +### Transfer and install packages + +Once you've obtained the package files in your connected environment, transfer the packages directory to your disconnected environment. + +In the disconnected environment, install the packages: + +```shell +# For Alpine Linux +sudo apk add -p /offline/packages/ app-protect + +# For Amazon Linux 2023, RHEL 9, Rocky Linux 9 +sudo dnf install /offline/packages/*.rpm + +# For Debian, Ubuntu +sudo dpkg -i /offline/packages/*.deb + +# For Oracle Linux, RHEL 8, Rocky Linux 8 +sudo yum localinstall /offline/packages/*.rpm +``` ## Download Docker images From 4b6ac78f234159a1924de1c6358afaa0ea7a113e Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Tue, 20 Jan 2026 13:21:19 +0000 Subject: [PATCH 2/3] Update content/waf/install/disconnected-environment.md --- content/waf/install/disconnected-environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index f702244cd..801a1a388 100644 --- a/content/waf/install/disconnected-environment.md 
+++ b/content/waf/install/disconnected-environment.md @@ -70,7 +70,7 @@ This section is most relevant for a [Virtual machine or bare metal]({{< ref "/wa When working with package files, you can install the packages directly in your disconnected environment, or add them to an internal repository. -The first step is to download the package files from your connected environment that has internet access and NGINX repository credentials. +The first step is to download the package files from your connected environment, where you have internet access and the NGINX repository credentials). This will vary based on your operating system choice, which determines your package manager. Select your operating system below. From 0120c4f93e9046c185ed77533866a7907e6667e9 Mon Sep 17 00:00:00 2001 From: Jon Torre <78599298+JTorreG@users.noreply.github.com> Date: Tue, 20 Jan 2026 13:21:26 +0000 Subject: [PATCH 3/3] Update content/waf/install/disconnected-environment.md --- content/waf/install/disconnected-environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 801a1a388..616d802d1 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -72,7 +72,7 @@ When working with package files, you can install the packages directly in your d The first step is to download the package files from your connected environment, where you have internet access and the NGINX repository credentials). -This will vary based on your operating system choice, which determines your package manager. Select your operating system below. +See the section for your operating system below: ### Alpine Linux
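Review bot: In PATCH 1/3, the prerequisites hunk (`@@ -18,9 +18,11 @@`) now requires repository credentials (JWT token or username/password), but none of the per-OS sections added later in the same patch shows where those credentials are supplied to `apk`, `apt-get`, `yum` or `dnf`, so a reader following the steps as written never configures them. Add that step to each section or link to the page that covers it. The same list names `yum-plugin-downloadonly` as a prerequisite while the patch deletes the only line that installed it (`yum -y install yum-plugin-downloadonly`), and it omits `lsb-release`, which the Debian and Ubuntu steps both install and call through `lsb_release -cs`.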
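Review bot: In PATCH 1/3, the Alpine Linux section of the `@@ -68,22 +70,198 @@` hunk installs a single key, `app-protect-security-updates.rsa.pub`, but then adds two repositories (`app-protect` and `app-protect-security-updates`). Confirm that this key also signs the `app-protect` repository, or add the step that installs the second key, because `apk update` will not trust an index it cannot verify. In the same section, and in every other OS section, `mkdir -p /offline/packages/` runs without `sudo` while the commands around it use `sudo`, so it fails for a non-root user creating a directory under `/`. `egrep` is deprecated; `grep -E` is the portable spelling.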
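Review bot: In PATCH 1/3, the download steps for Amazon Linux 2023, Debian, Oracle Linux / RHEL / Rocky Linux 8, RHEL / Rocky Linux 9 and Ubuntu in the `@@ -68,22 +70,198 @@` hunk rely on `--downloadonly` / `--download-only`, which fetch only the packages not already installed on the connected host. Any dependency that host already has is left out of `/offline/packages/`, and the offline install then stops on unmet dependencies. The prerequisite "similar architecture" is not enough here: state that the connected host should be a clean install of the same OS release as the target, or document how to pull the full dependency closure. The Alpine step does not have this gap because it uses `apk fetch -R`.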
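Review bot: In PATCH 1/3, the "Transfer and install packages" block at the end of the `@@ -68,22 +70,198 @@` hunk uses `sudo apk add -p /offline/packages/ app-protect`, but `-p` is `--root` in `apk`: it selects the filesystem root to install into, not a directory to install from, so this command does not install the fetched files onto the host. Point `apk` at the downloaded `.apk` files or at the directory as a repository instead. The Alpine line also installs only `app-protect`, while the other three commands install every downloaded package, so the signature and threat-campaign packages are skipped on Alpine. For an air-gapped transfer the section should also say how integrity is preserved across the gap: record checksums of `/offline/packages/` before the transfer and verify them on the disconnected host, and install the repository signing key there too, since `dpkg -i` performs no signature check and the Alpine key from step 1 exists only on the connected host.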
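Review bot: In PATCH 2/3, the added line ends with an unmatched closing parenthesis: "the NGINX repository credentials)." There is no opening parenthesis in the sentence, so drop the `)`. PATCH 3/3 carries the same line as unchanged context and does not correct it, so the stray character survives the series. In PATCH 3/3 the new sentence "See the section for your operating system below:" ends in a colon directly before a `###` heading; a full stop reads better there, and the removed explanation that the steps differ by package manager was useful context worth keeping.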