From d762d40fc6652a100cc10d3611e2cda0b7190cee Mon Sep 17 00:00:00 2001 From: Mike Jang <3287976+mjang@users.noreply.github.com> Date: Fri, 24 Oct 2025 08:23:30 -0700 Subject: [PATCH 1/3] fix: remove app_protect_enforcer_address from virt config --- content/waf/install/virtual-environment.md | 116 ++++++++++++++++++++- 1 file changed, 115 insertions(+), 1 deletion(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 896a04f61..3524c9ef4 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -202,7 +202,121 @@ sudo apt-get install app-protect ## Update configuration files -{{< include "waf/install-update-configuration.md" >}} +Once you have installed F5 WAF for NGINX, you must load it as a module in the main context of your NGINX configuration. + +```nginx +load_module modules/ngx_http_app_protect_module.so; +``` + +And finally, F5 WAF for NGINX can enabled on a _http_, _server_ or _location_ context: + +```nginx +app_protect_enable on; +``` + +{{< call-out "warning" >}} + +You should only enable F5 WAF for NGINX on _proxy_pass_ and _grpc_pass_ locations. + +{{< /call-out >}} + +Here are two examples of how these additions could look in configuration files: + +{{< tabs name="configuration-examples" >}} + +{{% tab name="nginx.conf" %}} + +The default path for this file is `/etc/nginx/nginx.conf`. + +```nginx {hl_lines=[5, 33]} +user nginx; +worker_processes auto; + +# F5 WAF for NGINX +load_module modules/ngx_http_app_protect_module.so; + +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + # F5 WAF for NGINX + app_protect_enforcer_address 127.0.0.1:50000; + + include /etc/nginx/conf.d/*.conf; +} +``` + +{{% /tab %}} + +{{% tab name="default.conf" %}} + +The default path for this file is `/etc/nginx/conf.d/default.conf`. + +```nginx {hl_lines=[10]} +server { + listen 80; + server_name domain.com; + + + location / { + + # F5 WAF for NGINX + app_protect_enable on; + + client_max_body_size 0; + default_type text/html; + proxy_pass http://127.0.0.1:8080/; + } +} + +server { + listen 8080; + server_name localhost; + + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } +} +``` + +{{% /tab %}} + +{{< /tabs >}} + +Once you have updated your configuration files, you can reload NGINX to apply the changes. You have two options depending on your environment: + +- `nginx -s reload` +- `sudo systemctl reload nginx` ## Post-installation checks From 56f1204d798cd4dec354dcca9ee8bfbf4b2b5d3a Mon Sep 17 00:00:00 2001 From: Mike Jang <3287976+mjang@users.noreply.github.com> Date: Fri, 24 Oct 2025 08:46:03 -0700 Subject: [PATCH 2/3] Update content/waf/install/virtual-environment.md --- content/waf/install/virtual-environment.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 3524c9ef4..d72c92de6 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -260,9 +260,6 @@ http { #gzip on; - # F5 WAF for NGINX - app_protect_enforcer_address 127.0.0.1:50000; - include /etc/nginx/conf.d/*.conf; } ``` From 5548059c9983381965604f5daf4d0b9ef72b5e6d Mon Sep 17 00:00:00 2001 From: Mike Jang <3287976+mjang@users.noreply.github.com> Date: Tue, 28 Oct 2025 07:03:33 -0700 Subject: [PATCH 3/3] Apply suggestions from code review Based on @aknot242 suggestions Co-authored-by: Daniel Edgar --- content/waf/install/virtual-environment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index d72c92de6..4b01e1634 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -228,7 +228,7 @@ Here are two examples of how these additions could look in configuration files: The default path for this file is `/etc/nginx/nginx.conf`. -```nginx {hl_lines=[5, 33]} +```nginx {hl_lines=[5]} user nginx; worker_processes auto; @@ -270,7 +270,7 @@ http { The default path for this file is `/etc/nginx/conf.d/default.conf`. -```nginx {hl_lines=[10]} +```nginx {hl_lines=[9]} server { listen 80; server_name domain.com;