diff --git a/content/waf/changelog/2024.md b/content/waf/changelog/2024.md new file mode 100644 index 000000000..574834bca --- /dev/null +++ b/content/waf/changelog/2024.md 
@@ -0,0 +1,215 @@ +--- +title: "2024 archive" +# Weights are assigned in increments of 100: determines sorting order +weight: 100 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +This page is an archive of changelog entries for 2024. + +For the current year, view [the top-level changelog]({{< ref "/waf/changelog/">}}) topic. + +## F5 WAF for NGINX 5.4 / 4.12 + +_November 19th, 2024_ + +### New features + +- Added support for Amazon Linux 2023 +- NGINX App Protect WAF now supports NGINX Plus R33. +- **5.4 Only:** Added support for [readOnlyFileSystem in Kubernetes deployments]({{< ref "/waf/configure/kubernetes-read-only/" >}}) +- **5.4 Only:** Added a [a policy converter to the compiler]({{< ref "/waf/configure/converters.md#policy-converter">}}) + +Please read the [subscription licenses]({{< ref "/solutions/about-subscription-licenses.md" >}}) topic for information about R33. + +### Important notes + +- Alpine 3.16 is no longer supported. + +### Resolved issues + +- (11973) Updated the Go version to 1.23.1 +- (11469) _apt-get update_ warning for Ubuntu 22.04 + +### Known issues + +On Ubuntu 24.04, you may receive the following error when uninstalling an old version of NGINX App Protect and installing a newer version: + +```text +APP_PROTECT failed to open /opt/app_protect/config/config_set.json +``` + +This can occur if you are not using the default `nginx.conf` file and are using the `app_protect_enforcer_address` directive. + +To fix the problem, remove the file configuration folder and recreate the directory, then restart NGINX. 
+ +```shell +sudo rm /opt/app_protect/config +sudo mkdir /opt/app_protect/config +sudo service nginx restart +``` + +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.4) | NGINX Plus (5.4) | NGINX Plus (4.12) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.27.2+5.210.0-r1.apk_ | _app-protect-module-plus-33+5.210.0-r1.apk_ | _app-protect-33.5.210.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.27.2+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.27.2+5.210.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~bullseye_amd64.deb_ | _app-protect_33+5.210.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.27.2+5.210.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~bookworm_amd64.deb_ | _app-protect_33+5.210.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.27.2+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.27.2+5.210.0-1\~focal_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~focal_amd64.deb_ | _app-protect_33+5.210.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.27.2+5.210.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~jammy_amd64.deb_ | _app-protect_33+5.210.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.27.2+5.210.0-1\~noble_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~noble_amd64.deb_ | _app-protect_33+5.210.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | 
_app-protect-module-oss-1.27.2+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.27.2+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} + +## F5 WAF for NGINX 5.3 / 4.11 + +_September 25, 2024_ + +### New features + +- Ubuntu 24.04 support +- **5.3 Only:** [Secure Traffic Between NGINX and App Protect Enforcer]({{< ref "/waf/configure/secure-mtls.md" >}}) + +### Important notes + +- Starting from this release, CentOS 7.4, Rhel 7.4 and Amazon Linux 2 support has been deprecated. + +### Resolved issues + +- (10775) Resolved a threshold calculation in the base64 decoding mechanism. +- (11426) Resolved log entry of an XFF header that contains more than one value. +- (11272) Resolved an issue where, in certain instances, the original HTTP response code was shown for rejected requests. +- (11568) Support seamless upgrades by using the latest tag instead of hardcoded versions. +- (5302) The enforcer leaves an incomplete job when NGINX reloads during DNS resolution. 
+ +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.3) | NGINX Plus (5.3) | NGINX Plus (4.11) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.25.4+5.144.0-r1.apk_ | _app-protect-module-plus-32+5.144.0-r1.apk_ | _app-protect-32.5.144.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.25.4+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.25.4+5.144.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bullseye_amd64.deb_ | _app-protect_32+5.144.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.25.4+5.144.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bookworm_amd64.deb_ | _app-protect_32+5.144.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~focal_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~focal_amd64.deb_ | _app-protect_32+5.144.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~jammy_amd64.deb_ | _app-protect_32+5.144.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~noble_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~noble_amd64.deb_ | _app-protect_32+5.144.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | 
_app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.25.4+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} + +## F5 WAF for NGINX 5.2 / 4.10 + +_May 29, 2024_ + +### New features + +- [Added apreload]({{< ref "/waf/configure/apreload.md" >}}) + +### Resolved issues + +- (11038) In some scenarios, autodetect does not correctly recognize the internal buffer as base_64 buffer and so does not decode the data. +- (11059) Enforcer may crash in specific scenarios. +- (11105) Update libprotobuf to version 1.33.0+. +- (11148) When following the config guide for starting NAP v5 in docker or kubernetes and leaving nginx.conf without any 'app_protect' directive: changing the conf to include NAP does not work. Enforcer times out every 40 secs waiting for the configuration. + +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.2) | NGINX Plus (5.2) | NGINX Plus (4.10) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.25.4+5.144.0-r1.apk_ | _app-protect-module-plus-32+5.144.0-r1.apk_ | _app-protect-32.5.144.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.25.4+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.25.4+5.144.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bullseye_amd64.deb_ | _app-protect_32+5.144.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.25.4+5.144.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bookworm_amd64.deb_ | _app-protect_32+5.144.0-1\~bookworm_amd64.deb_ | +| Oracle 
Linux 8.1 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~focal_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~focal_amd64.deb_ | _app-protect_32+5.144.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~jammy_amd64.deb_ | _app-protect_32+5.144.0-1\~jammy_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.25.4+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} + +## F5 WAF for NGINX 5.1 / 4.9 + +_April 18, 2024_ + +### New features + +- Authorization Rules in URLs +- New [JSON Web Token]({{< ref "/waf/policies/jwt-protection.md" >}}) signature signing algorithm support for: + - **RSA**: RS256, RS384, RS512 + - **PSS**: PS256, PS384, PS512 + - **ECDSA**: ES256, ES256K, ES384, ES512 + - **EdDSA** +- [Time-based signature staging]({{< ref "/waf/policies/time-based-signature-staging.md" >}}) + +### Resolved issues + +- (10250/10251) Fixed issues related to upgrading on Debian and Ubuntu. +- (10219/10512) Resolved issues related to base64 detection and decoding. +- (10465) Resolved the "header already sent" alert message in the NGINX error log. 
+ +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.1) | NGINX Plus (5.1) | NGINX Plus (4.9) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.25.4+5.17.0-r1.apk_ | _app-protect-module-plus-31+5.17.0-r1.apk_ | _app-protect-31.5.17.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.25.4+5.17.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.25.4+5.17.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~bullseye_amd64.deb_ | _app-protect_31+5.17.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.25.4+5.17.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~bookworm_amd64.deb_ | _app-protect_31+5.17.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.25.4+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.25.4+5.17.0-1\~focal_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~focal_amd64.deb_ | _app-protect_31+5.17.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.25.4+5.17.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~jammy_amd64.deb_ | _app-protect_31+5.17.0-1\~jammy_amd64.deb_ | +| RHEL 7 | _app-protect-module-oss-1.25.4+5.17.0-1.el7.ngx.x86_64.rpm | _app-protect-module-plus-31+5.17.0-1.el7.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el7.ngx.x86_64.rpm_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | 
_app-protect-module-oss-1.25.4+5.17.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.el9.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} + +## F5 WAF for NGINX 5.0 / 4.8.1 + +_March 19, 2024_ + +### New features + +- [New deployment types]({{< ref "/waf/fundamentals/technical-specifications.md#supported-deployment-environments" >}}) +- [Security policy and logging profile bundles]({{< ref "/waf/configure/compiler.md">}}) + +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.1) | NGINX Plus (5.1) | NGINX Plus (4.9) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.25.4+4.815.0-r1.apk_ | _app-protect-module-plus-31+4.815.0-r1.apk_ | _app-protect-31.4.815.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.25.4+4.815.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.25.4+4.815.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_31+4.815.0-1\~bullseye_amd64.deb_ | _app-protect_31+4.815.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.25.4+4.815.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_31+4.815.0-1\~bookworm_amd64.deb_ | _app-protect_31+4.815.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.25.4+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.25.4+4.815.0-1\~focal_amd64.deb_ | _app-protect-module-plus_31+4.815.0-1\~focal_amd64.deb_ | _app-protect_31+4.815.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.25.4+4.815.0-1\~jammy_amd64.deb_ | 
_app-protect-module-plus_31+4.815.0-1\~jammy_amd64.deb_ | _app-protect_31+4.815.0-1\~jammy_amd64.deb_ | +| RHEL 7 | _app-protect-module-oss-1.25.4+4.815.0-1.el7.ngx.x86_64.rpm | _app-protect-module-plus-31+4.815.0-1.el7.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el7.ngx.x86_64.rpm_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.25.4+4.815.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.el9.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} \ No newline at end of file diff --git a/content/waf/changelog.md b/content/waf/changelog/_index.md similarity index 62% rename from content/waf/changelog.md rename to content/waf/changelog/_index.md index 9ea16e217..427b070f2 100644 --- a/content/waf/changelog.md +++ b/content/waf/changelog/_index.md @@ -1,10 +1,11 @@ --- # We use sentence case and present imperative tone title: "Changelog" +url: /waf/changelog/ # Weights are assigned in increments of 100: determines sorting order -weight: 600 +weight: 500 # Creates a table of contents and sidebar, useful for large documents -toc: true +nd-landing-page: true # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference # Intended for internal catalogue and search, case sensitive: @@ -12,15 +13,9 @@ nd-content-type: reference nd-product: NAP-WAF --- -{{< call-out "warning" "Information architecture note" >}} - -This page is incomplete, only listing the most recent releases: the remainder will be migrated and reformatted to fit the package table format. - -{{}} - This changelog lists all of the information for F5 WAF for NGINX releases in 2025. - +For older releases, check the changelogs for previous years: [2024]({{< ref "/waf/changelog/2024.md" >}}). ## F5 WAF for NGINX 5.9 
@@ -32,11 +27,15 @@ _September 29th, 2025_ ### Important notes +- Renamed NGINX App Protect WAF to F5 for NGINX +- Aligned F5 WAF for NGINX versions + - Package and container artefacts now share the same version numbers + - Upgrade processes remain the same as earlier releases + - No breaking changes - Restructured documentation - - NGINX App Protect WAF renamed to F5 WAF for NGINX - no workflow or breaking changes - - Packaged NAP version (VM-based or bare-metal deployments) alignment - renamed from v4 to v5 so both packaged and containerized offerings now share the same version number (v5.9). - This doesn't introduce breaking changes. - For example: Upgrades work exactly the same. Users can upgrade from v4.x (for example, 4.16) to 5.9 just as they did between earlier v4 releases (for example, 4.15 → 4.16). + - Product name change + - Version alignment + - Grouped use cases into sections with single-purpose documents - Upgrade Go compiler to 1.23.12 ### Packages @@ -57,7 +56,7 @@ _September 29th, 2025_ {{< /table >}} -## F5 WAF for NGINX 5.8 / 4.16 +## NGINX App Protect WAF 5.8 / 4.16 _August 13th, 2025_ @@ -83,7 +82,7 @@ _August 13th, 2025_ {{< /table >}} -## F5 WAF for NGINX 5.7 / 4.15 +## NGINX App Protect WAF 5.7 / 4.15 _June 24th, 2025_ @@ -109,6 +108,7 @@ _June 24th, 2025_ ### Packages +{{< table >}} | Distribution name | NGINX Open Source (5.7) | NGINX Plus (5.7) | NGINX Plus (4.15) | | ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| 
@@ -122,14 +122,17 @@ _June 24th, 2025_ | RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.442.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.442.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.442.0-1.el8.ngx.x86_64.rpm_ | | RHEL 9 and Rocky Linux 9 | _app-protect-module-oss-1.27.4+5.442.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.442.0-1.el9.ngx.x86_64.rpm_ | _app-protect-34+5.442.0-1.el9.ngx.x86_64.rpm_ | -## F5 WAF for NGINX 5.6 / 4.14 +{{< /table >}} + + +## NGINX App Protect WAF 5.6 / 4.14 _April 1st, 2025_ ### New features - Added support for NGINX Plus R34 -- **5.6 Only:** You can now [deploy F5 WAF for NGINX 5+ using a Helm chart]({{< ref "/nap-waf/v5/admin-guide/deploy-with-helm.md">}}) +- **5.6 Only:** You can now [deploy F5 WAF for NGINX 5+ using a Helm chart]({{< ref "/waf/install/kubernetes.md">}}) ### Important notes 
@@ -143,49 +146,52 @@ _April 1st, 2025_ - (12296) "Violation Bad Unescape" is not enabled by default - (12297) "Violation Encoding" is not enabled by default -### 5.6 packages - -#### NGINX Open Source - -| Distribution name | Package file | -|--------------------------|-------------------------------------------------------------------| -| Alpine 3.19 | _app-protect-module-oss-1.27.4+5.342.0-r1.apk_ | -| Amazon Linux 2023 | _app-protect-module-oss-1.27.4+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | -| Debian 11 | _app-protect-module-oss_1.27.4+5.342.0-1\~bullseye_amd64.deb_ | -| Debian 12 | _app-protect-module-oss_1.27.4+5.342.0-1\~bookworm_amd64.deb_ | -| Oracle Linux 8.1 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | -| Ubuntu 20.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~focal_amd64.deb_ | -| Ubuntu 22.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~jammy_amd64.deb_ | -| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~noble_amd64.deb_ | -| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | -| RHEL 9 | _app-protect-module-oss-1.27.4+5.342.0-1.el9.ngx.x86_64.rpm_ | - -#### NGINX Plus - -| Distribution name | Package file | -|--------------------------|----------------------------------------------------------------| -| Alpine 3.19 | _app-protect-module-plus-34+5.342.0-r1.apk_ | -| Amazon Linux 2023 | _app-protect-module-plus-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | -| Debian 11 | _app-protect-module-plus_34+5.342.0-1\~bullseye_amd64.deb_ | -| Debian 12 | _app-protect-module-plus_34+5.342.0-1\~bookworm_amd64.deb_ | -| Oracle Linux 8.1 | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | -| Ubuntu 20.04 | _app-protect-module-plus_34+5.342.0-1\~focal_amd64.deb_ | -| Ubuntu 22.04 | _app-protect-module-plus_34+5.342.0-1\~jammy_amd64.deb_ | -| Ubuntu 24.04 | _app-protect-module-plus_34+5.342.0-1\~noble_amd64.deb_ | -| RHEL 8 and Rocky Linux 8 | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ 
| -| RHEL 9 | _app-protect-module-plus-34+5.342.0-1.el9.ngx.x86_64.rpm_ | - -### 4.14 packages - -| Distribution name | Package file | -|--------------------------|----------------------------------------------------| -| Alpine 3.19 | _app-protect-34.5.342.0-r1.apk_ | -| Amazon Linux 2023 | _app-protect-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | -| Debian 11 | _app-protect_34+5.342.0-1\~bullseye_amd64.deb_ | -| Debian 12 | _app-protect_34+5.342.0-1\~bookworm_amd64.deb_ | -| Oracle Linux 8.1 | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | -| Ubuntu 20.04 | _app-protect_34+5.342.0-1\~focal_amd64.deb_ | -| Ubuntu 22.04 | _app-protect_34+5.342.0-1\~jammy_amd64.deb_ | -| Ubuntu 24.04 | _app-protect_34+5.342.0-1\~noble_amd64.deb_ | -| RHEL 8 and Rocky Linux 8 | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | -| RHEL 9 | _app-protect-34+5.342.0-1.el9.ngx.x86_64.rpm_ | +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.6) | NGINX Plus (5.6) | NGINX Plus (4.14) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.19 | _app-protect-module-oss-1.27.4+5.342.0-r1.apk_ | _app-protect-module-plus-34+5.342.0-r1.apk_ | _app-protect-34.5.342.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.27.4+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.27.4+5.342.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_34+5.342.0-1\~bullseye_amd64.deb_ | _app-protect_34+5.342.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.27.4+5.342.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_34+5.342.0-1\~bookworm_amd64.deb_ | _app-protect_34+5.342.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | 
_app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~focal_amd64.deb_ | _app-protect-module-plus_34+5.342.0-1\~focal_amd64.deb_ | _app-protect_34+5.342.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_34+5.342.0-1\~jammy_amd64.deb_ | _app-protect_34+5.342.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~noble_amd64.deb_ | _app-protect-module-plus_34+5.342.0-1\~noble_amd64.deb_ | _app-protect_34+5.342.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.27.4+5.342.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.342.0-1.el9.ngx.x86_64.rpm_ | _app-protect-34+5.342.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} + +## NGINX App Protect WAF 5.5 / 4.13 + +_January 30th, 2025_ + +### New features + +- Added support for Alpine 3.19 +- Added support for [Brute force attack preventions]({{< ref "/waf/policies/brute-force-attacks.md" >}}) +- **5.5 Only:** Enforcer can now upgrade without requiring policies to be recompiled +- **5.5 Only:** The standalone converter within the Compiler now supports [user-defined signatures]({{< ref "/waf/configure/compiler.md#user-defined-signatures" >}}). 
+ +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.5) | NGINX Plus (5.5) | NGINX Plus (4.13) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.27.4+5.210.0-r1.apk_ | _app-protect-module-plus-34+5.210.0-r1.apk_ | _app-protect-34.5.210.0-r1.apk_ | +| Alpine 3.19 | _app-protect-module-oss-1.27.4+5.210.0-r1.apk_ | _app-protect-module-plus-34+5.210.0-r1.apk_ | _app-protect-34.5.210.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.27.4+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-34+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.27.4+5.210.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_34+5.210.0-1\~bullseye_amd64.deb_ | _app-protect_34+5.210.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.27.4+5.210.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_34+5.210.0-1\~bookworm_amd64.deb_ | _app-protect_34+5.210.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.27.4+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.210.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.27.4+5.210.0-1\~focal_amd64.deb_ | _app-protect-module-plus_34+5.210.0-1\~focal_amd64.deb_ | _app-protect_34+5.210.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.27.4+5.210.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_34+5.210.0-1\~jammy_amd64.deb_ | _app-protect_34+5.210.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.210.0-1\~noble_amd64.deb_ | _app-protect-module-plus_34+5.210.0-1\~noble_amd64.deb_ | _app-protect_34+5.210.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | 
_app-protect-module-oss-1.27.4+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.210.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.27.4+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-34+5.210.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} \ No newline at end of file diff --git a/content/waf/configure/converters.md b/content/waf/configure/converters.md index fc5170486..dc79fb05b 100644 --- a/content/waf/configure/converters.md +++ b/content/waf/configure/converters.md @@ -12,7 +12,7 @@ nd-content-type: how-to nd-product: NAP-WAF --- -F5 WAF for NGINX has multiple tools for converting existing resources or configuration files for use from a BIG-IP for use from a BIG-IP environment. +This document describes the tools F5 WAF for NGINX has to convert existing resources or configuration files from a BIG-IP environment for use with F5 WAF for NGINX. {{< call-out "important" >}} @@ -139,7 +139,7 @@ total 848 ## User Defined Signatures converter -The User Defined Signatures converter tool is used to a User Defined Signatures file from XML to JSON format. +The User Defined Signatures converter tool is used to convert a User Defined Signatures file from XML to JSON format. It is a script located on on the path `/opt/app_protect/bin/convert-signatures`. diff --git a/content/waf/policies/jwt-protection.md b/content/waf/policies/jwt-protection.md index 9d62ac1d1..8edb1239d 100644 --- a/content/waf/policies/jwt-protection.md +++ b/content/waf/policies/jwt-protection.md 
@@ -55,16 +55,21 @@ The header and claims are JSON objects, Base64 encoded, separated by `.` delimit ### Supported algorithms -Currently supported: `RS256` (RSA/SHA-256). +JWT protection currently supports the following algorithms: -- Example JWT header: +- `RSA`: RS256, RS384, RS512 +- `PSS`: PS256, PS384, PS512 +- `ECDSA`: ES256, ES256K, ES384, ES512 +- `EdDSA` - ```json - { - "alg": "RS256", - "typ": "JWT" - } - ``` +This is a header example: + +```json +{ +"alg": "RS256", +"typ": "JWT" +} +``` ### Configure for JWT protection
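
Review bot: In the new `content/waf/changelog/2024.md`, the Known issues fix for 5.4 / 4.12 runs `sudo rm /opt/app_protect/config`, which fails on a directory because `rm` needs `-r` to remove one. The sentence before it ("remove the file configuration folder and recreate the directory") should also say plainly that the whole directory is removed, and state whether the directory recreated by `sudo mkdir` needs its ownership or mode restored before NGINX restarts, since it will be created as root with the default mode. Two smaller points in the same file: the 5.4 feature list reads "Added a [a policy converter", and the table under "F5 WAF for NGINX 5.0 / 4.8.1" has column headers "(5.1)", "(5.1)" and "(4.9)" while its rows list 4.815.0 packages. The 5.2 / 4.10 and 5.3 / 4.11 tables also list identical 5.144.0 file names, so please confirm both against the release artefacts.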
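
Review bot: In the front matter hunk of `content/waf/changelog/_index.md`, the comment "# Creates a table of contents and sidebar, useful for large documents" is left in place above the new `nd-landing-page: true`, so it now describes a key that is no longer there. Either replace the comment with one that explains `nd-landing-page`, or keep `toc: true` next to it. The page still carries every 2025 release section, so removing the table of contents is worth a second look.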
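
Review bot: In the 5.9 "Important notes" hunk of `_index.md`, the added bullet "Renamed NGINX App Protect WAF to F5 for NGINX" drops "WAF" from the new product name; the removed line had it as "F5 WAF for NGINX". The rewrite also removes the concrete upgrade example (4.16 to 5.9) in favour of "Upgrade processes remain the same as earlier releases". Keeping one explicit from-and-to version pair would help operators planning the move from a 4.x package.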
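
Review bot: The heading changes in `_index.md` for 5.8 / 4.16, 5.7 / 4.15 and 5.6 / 4.14, and the new 5.5 / 4.13 heading, use "NGINX App Protect WAF", while the new 2024 archive titles even older releases "F5 WAF for NGINX 5.4 / 4.12" and so on. Pick one rule (the name at time of release, or the current name throughout) and apply it to both files. Note also that changing the heading text changes the generated heading anchors, so any existing deep links to these sections need checking.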
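
Review bot: In the added "NGINX App Protect WAF 5.5 / 4.13" section at the end of `_index.md`, the package build number is 5.210.0, the same build the 2024 archive lists for 5.4 / 4.12, and the Alpine 3.17 and Alpine 3.19 rows carry identical file names. Please confirm both against the published packages, since readers use these tables to check what they installed. Both this file and `2024.md` also end with "\ No newline at end of file"; add the trailing newline.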
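
Review bot: In the second hunk of `content/waf/configure/converters.md`, the context line directly under the corrected sentence still reads "It is a script located on on the path", with "on" doubled. Since this hunk already touches the paragraph, fix it here as well, for example "It is a script located at `/opt/app_protect/bin/convert-signatures`."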
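
Review bot: In the "Supported algorithms" hunk of `content/waf/policies/jwt-protection.md`, code formatting is applied to the family labels (`RSA`, `PSS`, `ECDSA`, `EdDSA`) but not to the values that actually appear in a token's `alg` header (RS256, PS256, ES256K and so on). Swap it so the `alg` values are the code-formatted strings, matching how the removed line wrote `RS256`, and say which `alg` value the EdDSA entry corresponds to. The JSON example also lost its indentation inside the braces when it was moved out of the list; restore the two-space indent for "alg" and "typ".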