From 7c8a31645434216425e2ff785a2f434156fdb2e0 Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Thu, 2 Oct 2025 15:47:25 +0100 Subject: [PATCH] feat: Add WAF 2025 & 2024 changelog entries This commit updates the F5 WAF for NGINX changelog to add the remaining entries for 2025 and the entries from 2024 where the product diverged into the V4 and V5 labels. As part of migrating the content, feature links are updated to reflect recent documentation restructuring, and package names were combined into singular tables to reflect the new style convention. --- content/waf/changelog/2024.md | 215 ++++++++++++++++++ .../waf/{changelog.md => changelog/_index.md} | 132 ++++++----- content/waf/configure/converters.md | 4 +- content/waf/policies/jwt-protection.md | 21 +- 4 files changed, 299 insertions(+), 73 deletions(-) create mode 100644 content/waf/changelog/2024.md rename content/waf/{changelog.md => changelog/_index.md} (62%) diff --git a/content/waf/changelog/2024.md b/content/waf/changelog/2024.md new file mode 100644 index 000000000..574834bca --- /dev/null +++ b/content/waf/changelog/2024.md @@ -0,0 +1,215 @@ +--- +title: "2024 archive" +# Weights are assigned in increments of 100: determines sorting order +weight: 100 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +# Intended for internal catalogue and search, case sensitive: +# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit +nd-product: NAP-WAF +--- + +This page is an archive of changelog entries for 2024. + +For the current year, view [the top-level changelog]({{< ref "/waf/changelog/">}}) topic. + +## F5 WAF for NGINX 5.4 / 4.12 + +_November 19th, 2024_ + +### New features + +- Added support for Amazon Linux 2023 +- NGINX App Protect WAF now supports NGINX Plus R33. +- **5.4 Only:** Added support for [readOnlyFileSystem in Kubernetes deployments]({{< ref "/waf/configure/kubernetes-read-only/" >}}) +- **5.4 Only:** Added a [a policy converter to the compiler]({{< ref "/waf/configure/converters.md#policy-converter">}}) + +Please read the [subscription licenses]({{< ref "/solutions/about-subscription-licenses.md" >}}) topic for information about R33. + +### Important notes + +- Alpine 3.16 is no longer supported. + +### Resolved issues + +- (11973) Updated the Go version to 1.23.1 +- (11469) _apt-get update_ warning for Ubuntu 22.04 + +### Known issues + +On Ubuntu 24.04, you may receive the following error when uninstalling an old version of NGINX App Protect and installing a newer version: + +```text +APP_PROTECT failed to open /opt/app_protect/config/config_set.json +``` + +This can occur if you are not using the default `nginx.conf` file and are using the `app_protect_enforcer_address` directive. + +To fix the problem, remove the file configuration folder and recreate the directory, then restart NGINX. + +```shell +sudo rm /opt/app_protect/config +sudo mkdir /opt/app_protect/config +sudo service nginx restart +``` + +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.4) | NGINX Plus (5.4) | NGINX Plus (4.12) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.27.2+5.210.0-r1.apk_ | _app-protect-module-plus-33+5.210.0-r1.apk_ | _app-protect-33.5.210.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.27.2+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.27.2+5.210.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~bullseye_amd64.deb_ | _app-protect_33+5.210.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.27.2+5.210.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~bookworm_amd64.deb_ | _app-protect_33+5.210.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.27.2+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.27.2+5.210.0-1\~focal_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~focal_amd64.deb_ | _app-protect_33+5.210.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.27.2+5.210.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~jammy_amd64.deb_ | _app-protect_33+5.210.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.27.2+5.210.0-1\~noble_amd64.deb_ | _app-protect-module-plus_33+5.210.0-1\~noble_amd64.deb_ | _app-protect_33+5.210.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.2+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.27.2+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-33+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-33+5.210.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} + +## F5 WAF for NGINX 5.3 / 4.11 + +_September 25, 2024_ + +### New features + +- Ubuntu 24.04 support +- **5.3 Only:** [Secure Traffic Between NGINX and App Protect Enforcer]({{< ref "/waf/configure/secure-mtls.md" >}}) + +### Important notes + +- Starting from this release, CentOS 7.4, Rhel 7.4 and Amazon Linux 2 support has been deprecated. + +### Resolved issues + +- (10775) Resolved a threshold calculation in the base64 decoding mechanism. +- (11426) Resolved log entry of an XFF header that contains more than one value. +- (11272) Resolved an issue where, in certain instances, the original HTTP response code was shown for rejected requests. +- (11568) Support seamless upgrades by using the latest tag instead of hardcoded versions. +- (5302) The enforcer leaves an incomplete job when NGINX reloads during DNS resolution. + +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.3) | NGINX Plus (5.3) | NGINX Plus (4.11) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.25.4+5.144.0-r1.apk_ | _app-protect-module-plus-32+5.144.0-r1.apk_ | _app-protect-32.5.144.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.25.4+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.25.4+5.144.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bullseye_amd64.deb_ | _app-protect_32+5.144.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.25.4+5.144.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bookworm_amd64.deb_ | _app-protect_32+5.144.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~focal_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~focal_amd64.deb_ | _app-protect_32+5.144.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~jammy_amd64.deb_ | _app-protect_32+5.144.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~noble_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~noble_amd64.deb_ | _app-protect_32+5.144.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.25.4+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} + +## F5 WAF for NGINX 5.2 / 4.10 + +_May 29, 2024_ + +### New features + +- [Added apreload]({{< ref "/waf/configure/apreload.md" >}}) + +### Resolved issues + +- (11038) In some scenarios, autodetect does not correctly recognize the internal buffer as base_64 buffer and so does not decode the data. +- (11059) Enforcer may crash in specific scenarios. +- (11105) Update libprotobuf to version 1.33.0+. +- (11148) When following the config guide for starting NAP v5 in docker or kubernetes and leaving nginx.conf without any 'app_protect' directive: changing the conf to include NAP does not work. Enforcer times out every 40 secs waiting for the configuration. + +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.2) | NGINX Plus (5.2) | NGINX Plus (4.10) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.25.4+5.144.0-r1.apk_ | _app-protect-module-plus-32+5.144.0-r1.apk_ | _app-protect-32.5.144.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.25.4+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.25.4+5.144.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bullseye_amd64.deb_ | _app-protect_32+5.144.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.25.4+5.144.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~bookworm_amd64.deb_ | _app-protect_32+5.144.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~focal_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~focal_amd64.deb_ | _app-protect_32+5.144.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.25.4+5.144.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_32+5.144.0-1\~jammy_amd64.deb_ | _app-protect_32+5.144.0-1\~jammy_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el8.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.25.4+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-32+5.144.0-1.el9.ngx.x86_64.rpm_ | _app-protect-32+5.144.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} + +## F5 WAF for NGINX 5.1 / 4.9 + +_April 18, 2024_ + +### New features + +- Authorization Rules in URLs +- New [JSON Web Token]({{< ref "/waf/policies/jwt-protection.md" >}}) signature signing algorithm support for: + - **RSA**: RS256, RS384, RS512 + - **PSS**: PS256, PS384, PS512 + - **ECDSA**: ES256, ES256K, ES384, ES512 + - **EdDSA** +- [Time-based signature staging]({{< ref "/waf/policies/time-based-signature-staging.md" >}}) + +### Resolved issues + +- (10250/10251) Fixed issues related to upgrading on Debian and Ubuntu. +- (10219/10512) Resolved issues related to base64 detection and decoding. +- (10465) Resolved the "header already sent" alert message in the NGINX error log. + +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.1) | NGINX Plus (5.1) | NGINX Plus (4.9) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.25.4+5.17.0-r1.apk_ | _app-protect-module-plus-31+5.17.0-r1.apk_ | _app-protect-31.5.17.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.25.4+5.17.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.25.4+5.17.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~bullseye_amd64.deb_ | _app-protect_31+5.17.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.25.4+5.17.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~bookworm_amd64.deb_ | _app-protect_31+5.17.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.25.4+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.25.4+5.17.0-1\~focal_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~focal_amd64.deb_ | _app-protect_31+5.17.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.25.4+5.17.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_31+5.17.0-1\~jammy_amd64.deb_ | _app-protect_31+5.17.0-1\~jammy_amd64.deb_ | +| RHEL 7 | _app-protect-module-oss-1.25.4+5.17.0-1.el7.ngx.x86_64.rpm | _app-protect-module-plus-31+5.17.0-1.el7.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el7.ngx.x86_64.rpm_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.25.4+5.17.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-31+5.17.0-1.el9.ngx.x86_64.rpm_ | _app-protect-31+5.17.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} + +## F5 WAF for NGINX 5.0 / 4.8.1 + +_March 19, 2024_ + +### New features + +- [New deployment types]({{< ref "/waf/fundamentals/technical-specifications.md#supported-deployment-environments" >}}) +- [Security policy and logging profile bundles]({{< ref "/waf/configure/compiler.md">}}) + +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.1) | NGINX Plus (5.1) | NGINX Plus (4.9) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.25.4+4.815.0-r1.apk_ | _app-protect-module-plus-31+4.815.0-r1.apk_ | _app-protect-31.4.815.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.25.4+4.815.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.25.4+4.815.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_31+4.815.0-1\~bullseye_amd64.deb_ | _app-protect_31+4.815.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.25.4+4.815.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_31+4.815.0-1\~bookworm_amd64.deb_ | _app-protect_31+4.815.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.25.4+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.25.4+4.815.0-1\~focal_amd64.deb_ | _app-protect-module-plus_31+4.815.0-1\~focal_amd64.deb_ | _app-protect_31+4.815.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.25.4+4.815.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_31+4.815.0-1\~jammy_amd64.deb_ | _app-protect_31+4.815.0-1\~jammy_amd64.deb_ | +| RHEL 7 | _app-protect-module-oss-1.25.4+4.815.0-1.el7.ngx.x86_64.rpm | _app-protect-module-plus-31+4.815.0-1.el7.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el7.ngx.x86_64.rpm_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.25.4+4.815.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.el9.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} \ No newline at end of file diff --git a/content/waf/changelog.md b/content/waf/changelog/_index.md similarity index 62% rename from content/waf/changelog.md rename to content/waf/changelog/_index.md index 9ea16e217..427b070f2 100644 --- a/content/waf/changelog.md +++ b/content/waf/changelog/_index.md @@ -1,10 +1,11 @@ --- # We use sentence case and present imperative tone title: "Changelog" +url: /waf/changelog/ # Weights are assigned in increments of 100: determines sorting order -weight: 600 +weight: 500 # Creates a table of contents and sidebar, useful for large documents -toc: true +nd-landing-page: true # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference # Intended for internal catalogue and search, case sensitive: @@ -12,15 +13,9 @@ nd-content-type: reference nd-product: NAP-WAF --- -{{< call-out "warning" "Information architecture note" >}} - -This page is incomplete, only listing the most recent releases: the remainder will be migrated and reformatted to fit the package table format. - -{{}} - This changelog lists all of the information for F5 WAF for NGINX releases in 2025. - +For older releases, check the changelogs for previous years: [2024]({{< ref "/waf/changelog/2024.md" >}}). ## F5 WAF for NGINX 5.9 @@ -32,11 +27,15 @@ _September 29th, 2025_ ### Important notes +- Renamed NGINX App Protect WAF to F5 for NGINX +- Aligned F5 WAF for NGINX versions + - Package and container artefacts now share the same version numbers + - Upgrade processes remain the same as earlier releases + - No breaking changes - Restructured documentation - - NGINX App Protect WAF renamed to F5 WAF for NGINX - no workflow or breaking changes - - Packaged NAP version (VM-based or bare-metal deployments) alignment - renamed from v4 to v5 so both packaged and containerized offerings now share the same version number (v5.9). - This doesn't introduce breaking changes. - For example: Upgrades work exactly the same. Users can upgrade from v4.x (for example, 4.16) to 5.9 just as they did between earlier v4 releases (for example, 4.15 → 4.16). + - Product name change + - Version alignment + - Grouped use cases into sections with single-purpose documents - Upgrade Go compiler to 1.23.12 ### Packages @@ -57,7 +56,7 @@ _September 29th, 2025_ {{< /table >}} -## F5 WAF for NGINX 5.8 / 4.16 +## NGINX App Protect WAF 5.8 / 4.16 _August 13th, 2025_ @@ -83,7 +82,7 @@ _August 13th, 2025_ {{< /table >}} -## F5 WAF for NGINX 5.7 / 4.15 +## NGINX App Protect WAF 5.7 / 4.15 _June 24th, 2025_ @@ -109,6 +108,7 @@ _June 24th, 2025_ ### Packages +{{< table >}} | Distribution name | NGINX Open Source (5.7) | NGINX Plus (5.7) | NGINX Plus (4.15) | | ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| @@ -122,14 +122,17 @@ _June 24th, 2025_ | RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.442.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.442.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.442.0-1.el8.ngx.x86_64.rpm_ | | RHEL 9 and Rocky Linux 9 | _app-protect-module-oss-1.27.4+5.442.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.442.0-1.el9.ngx.x86_64.rpm_ | _app-protect-34+5.442.0-1.el9.ngx.x86_64.rpm_ | -## F5 WAF for NGINX 5.6 / 4.14 +{{< /table >}} + + +## NGINX App Protect WAF 5.6 / 4.14 _April 1st, 2025_ ### New features - Added support for NGINX Plus R34 -- **5.6 Only:** You can now [deploy F5 WAF for NGINX 5+ using a Helm chart]({{< ref "/nap-waf/v5/admin-guide/deploy-with-helm.md">}}) +- **5.6 Only:** You can now [deploy F5 WAF for NGINX 5+ using a Helm chart]({{< ref "/waf/install/kubernetes.md">}}) ### Important notes @@ -143,49 +146,52 @@ _April 1st, 2025_ - (12296) "Violation Bad Unescape" is not enabled by default - (12297) "Violation Encoding" is not enabled by default -### 5.6 packages - -#### NGINX Open Source - -| Distribution name | Package file | -|--------------------------|-------------------------------------------------------------------| -| Alpine 3.19 | _app-protect-module-oss-1.27.4+5.342.0-r1.apk_ | -| Amazon Linux 2023 | _app-protect-module-oss-1.27.4+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | -| Debian 11 | _app-protect-module-oss_1.27.4+5.342.0-1\~bullseye_amd64.deb_ | -| Debian 12 | _app-protect-module-oss_1.27.4+5.342.0-1\~bookworm_amd64.deb_ | -| Oracle Linux 8.1 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | -| Ubuntu 20.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~focal_amd64.deb_ | -| Ubuntu 22.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~jammy_amd64.deb_ | -| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~noble_amd64.deb_ | -| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | -| RHEL 9 | _app-protect-module-oss-1.27.4+5.342.0-1.el9.ngx.x86_64.rpm_ | - -#### NGINX Plus - -| Distribution name | Package file | -|--------------------------|----------------------------------------------------------------| -| Alpine 3.19 | _app-protect-module-plus-34+5.342.0-r1.apk_ | -| Amazon Linux 2023 | _app-protect-module-plus-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | -| Debian 11 | _app-protect-module-plus_34+5.342.0-1\~bullseye_amd64.deb_ | -| Debian 12 | _app-protect-module-plus_34+5.342.0-1\~bookworm_amd64.deb_ | -| Oracle Linux 8.1 | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | -| Ubuntu 20.04 | _app-protect-module-plus_34+5.342.0-1\~focal_amd64.deb_ | -| Ubuntu 22.04 | _app-protect-module-plus_34+5.342.0-1\~jammy_amd64.deb_ | -| Ubuntu 24.04 | _app-protect-module-plus_34+5.342.0-1\~noble_amd64.deb_ | -| RHEL 8 and Rocky Linux 8 | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | -| RHEL 9 | _app-protect-module-plus-34+5.342.0-1.el9.ngx.x86_64.rpm_ | - -### 4.14 packages - -| Distribution name | Package file | -|--------------------------|----------------------------------------------------| -| Alpine 3.19 | _app-protect-34.5.342.0-r1.apk_ | -| Amazon Linux 2023 | _app-protect-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | -| Debian 11 | _app-protect_34+5.342.0-1\~bullseye_amd64.deb_ | -| Debian 12 | _app-protect_34+5.342.0-1\~bookworm_amd64.deb_ | -| Oracle Linux 8.1 | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | -| Ubuntu 20.04 | _app-protect_34+5.342.0-1\~focal_amd64.deb_ | -| Ubuntu 22.04 | _app-protect_34+5.342.0-1\~jammy_amd64.deb_ | -| Ubuntu 24.04 | _app-protect_34+5.342.0-1\~noble_amd64.deb_ | -| RHEL 8 and Rocky Linux 8 | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | -| RHEL 9 | _app-protect-34+5.342.0-1.el9.ngx.x86_64.rpm_ | +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.6) | NGINX Plus (5.6) | NGINX Plus (4.14) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.19 | _app-protect-module-oss-1.27.4+5.342.0-r1.apk_ | _app-protect-module-plus-34+5.342.0-r1.apk_ | _app-protect-34.5.342.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.27.4+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-34+5.342.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.27.4+5.342.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_34+5.342.0-1\~bullseye_amd64.deb_ | _app-protect_34+5.342.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.27.4+5.342.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_34+5.342.0-1\~bookworm_amd64.deb_ | _app-protect_34+5.342.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~focal_amd64.deb_ | _app-protect-module-plus_34+5.342.0-1\~focal_amd64.deb_ | _app-protect_34+5.342.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_34+5.342.0-1\~jammy_amd64.deb_ | _app-protect_34+5.342.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.342.0-1\~noble_amd64.deb_ | _app-protect-module-plus_34+5.342.0-1\~noble_amd64.deb_ | _app-protect_34+5.342.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.342.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.342.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.342.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.27.4+5.342.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.342.0-1.el9.ngx.x86_64.rpm_ | _app-protect-34+5.342.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} + +## NGINX App Protect WAF 5.5 / 4.13 + +_January 30th, 2025_ + +### New features + +- Added support for Alpine 3.19 +- Added support for [Brute force attack preventions]({{< ref "/waf/policies/brute-force-attacks.md" >}}) +- **5.5 Only:** Enforcer can now upgrade without requiring policies to be recompiled +- **5.5 Only:** The standalone converter within the Compiler now supports [user-defined signatures]({{< ref "/waf/configure/compiler.md#user-defined-signatures" >}}). + +### Packages + +{{< table >}} + +| Distribution name | NGINX Open Source (5.5) | NGINX Plus (5.5) | NGINX Plus (4.13) | +| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------| +| Alpine 3.17 | _app-protect-module-oss-1.27.4+5.210.0-r1.apk_ | _app-protect-module-plus-34+5.210.0-r1.apk_ | _app-protect-34.5.210.0-r1.apk_ | +| Alpine 3.19 | _app-protect-module-oss-1.27.4+5.210.0-r1.apk_ | _app-protect-module-plus-34+5.210.0-r1.apk_ | _app-protect-34.5.210.0-r1.apk_ | +| Amazon Linux 2023 | _app-protect-module-oss-1.27.4+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-34+5.210.0-1.amzn2023.ngx.x86_64.rpm_ | +| Debian 11 | _app-protect-module-oss_1.27.4+5.210.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_34+5.210.0-1\~bullseye_amd64.deb_ | _app-protect_34+5.210.0-1\~bullseye_amd64.deb_ | +| Debian 12 | _app-protect-module-oss_1.27.4+5.210.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_34+5.210.0-1\~bookworm_amd64.deb_ | _app-protect_34+5.210.0-1\~bookworm_amd64.deb_ | +| Oracle Linux 8.1 | _app-protect-module-oss-1.27.4+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.210.0-1.el8.ngx.x86_64.rpm_ | +| Ubuntu 20.04 | _app-protect-module-oss_1.27.4+5.210.0-1\~focal_amd64.deb_ | _app-protect-module-plus_34+5.210.0-1\~focal_amd64.deb_ | _app-protect_34+5.210.0-1\~focal_amd64.deb_ | +| Ubuntu 22.04 | _app-protect-module-oss_1.27.4+5.210.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_34+5.210.0-1\~jammy_amd64.deb_ | _app-protect_34+5.210.0-1\~jammy_amd64.deb_ | +| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.210.0-1\~noble_amd64.deb_ | _app-protect-module-plus_34+5.210.0-1\~noble_amd64.deb_ | _app-protect_34+5.210.0-1\~noble_amd64.deb_ | +| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.210.0-1.el8.ngx.x86_64.rpm_ | +| RHEL 9 | _app-protect-module-oss-1.27.4+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-34+5.210.0-1.el9.ngx.x86_64.rpm_ | + +{{< /table >}} \ No newline at end of file diff --git a/content/waf/configure/converters.md b/content/waf/configure/converters.md index fc5170486..dc79fb05b 100644 --- a/content/waf/configure/converters.md +++ b/content/waf/configure/converters.md @@ -12,7 +12,7 @@ nd-content-type: how-to nd-product: NAP-WAF --- -F5 WAF for NGINX has multiple tools for converting existing resources or configuration files for use from a BIG-IP for use from a BIG-IP environment. +This document describes the tools F5 WAF for NGINX has to convert existing resources or configuration files from a BIG-IP environment for use with F5 WAF for NGINX. {{< call-out "important" >}} @@ -139,7 +139,7 @@ total 848 ## User Defined Signatures converter -The User Defined Signatures converter tool is used to a User Defined Signatures file from XML to JSON format. +The User Defined Signatures converter tool is used to convert a User Defined Signatures file from XML to JSON format. It is a script located on on the path `/opt/app_protect/bin/convert-signatures`. diff --git a/content/waf/policies/jwt-protection.md b/content/waf/policies/jwt-protection.md index 9d62ac1d1..8edb1239d 100644 --- a/content/waf/policies/jwt-protection.md +++ b/content/waf/policies/jwt-protection.md @@ -55,16 +55,21 @@ The header and claims are JSON objects, Base64 encoded, separated by `.` delimit ### Supported algorithms -Currently supported: `RS256` (RSA/SHA-256). +JWT protection currently supports the following algorithms: -- Example JWT header: +- `RSA`: RS256, RS384, RS512 +- `PSS`: PS256, PS384, PS512 +- `ECDSA`: ES256, ES256K, ES384, ES512 +- `EdDSA` - ```json - { - "alg": "RS256", - "typ": "JWT" - } - ``` +This is a header example: + +```json +{ +"alg": "RS256", +"typ": "JWT" +} +``` ### Configure for JWT protection