Fix mountPath directory for NAP5 policy documentation #7191

Merged
merged 3 commits into from
Jan 23, 2025
@@ -1,8 +1,10 @@
---
docs: DOCS-000
title: Compile NGINX App Protect WAF policies using NGINX Instance Manager
toc: true
weight: 300
toc: true
type: how-to
product: NIC
docs: DOCS-000
---

## Overview
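
Review bot: `docs: DOCS-000` in the front matter at the top of this hunk reads as a placeholder ID, and it is being carried to the bottom of the block unchanged (both it and `toc: true` appear twice here, so they are moved rather than added). If a real document ID exists, set it while the line is being touched. The front matter edits and the added `---` rules are also outside the mountPath fix named in the PR title, so call them out in the description.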
Expand All @@ -15,12 +17,17 @@ By using NGINX Instance Manager to compile WAF policies, the policy bundle can a

The following steps describe how to use the NGINX Instance Manager API to create a new security policy, compile a bundle, then add it to NGINX Ingress Controller.

---

## Before you start

### Requirements
- A working [NGINX Instance Manager](https://docs.nginx.com/nginx-instance-manager/deploy/) instance.
- An [NGINX Instance Manager user](https://docs.nginx.com/nginx-instance-manager/admin-guide/rbac/overview-rbac/) for API requests.
- A NGINX Ingress Controller [deployment with NGINX App Protect WAF]({{< relref "/installation/integrations/app-protect-waf/installation.md" >}}).

---

## Create a new security policy

{{< tip >}} You can skip this step if you intend to use an existing security policy. {{< /tip >}}
Expand Down Expand Up @@ -80,6 +87,8 @@ It is one of two unique IDs we will use to download the bundle: it will be refer

{{< /important >}}

---

## Create a new security bundle

Once you have created (Or selected) a security policy, [create a security bundle](https://docs.nginx.com/nginx-instance-manager/nginx-app-protect/manage-waf-security-policies/#create-security-policy-bundles) using the API. The version in the bundle you create **must** match the WAF compiler version you intend to use.
Expand Down Expand Up @@ -180,6 +189,8 @@ It is one of two unique IDs we will use to download the bundle: it will be refer

{{< /important >}}

---

## Download the security bundle

Use a GET request to download the security bundle using the policy and bundle IDs:
Expand All @@ -196,7 +207,9 @@ curl -X GET -k 'https://127.0.0.1/api/platform/v1/security/policies/6af9f261-658
| jq -r '.content' | base64 -d > security-policy-bundle.tgz
```

## Add volumes and volumeMounts to NGINX Ingress Controller
---

## Add volumes and volumeMounts

To use WAF security bundles, your NGINX Ingress Controller instance must have *volumes* and *volumeMounts*. Precise paths are used to detect when bundles are uploaded to the cluster.

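Review bot: renaming the heading from "Add volumes and volumeMounts to NGINX Ingress Controller" to "Add volumes and volumeMounts" changes the generated anchor for this section, so any existing links to the old anchor need checking before merge. Separately, the `curl -X GET -k` example in the context above skips TLS certificate verification while downloading the security bundle; a short note telling readers to drop `-k` once NGINX Instance Manager presents a trusted certificate would fit next to it.
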
Expand All @@ -210,7 +223,7 @@ persistentVolumeClaim:

volumeMounts:
- name: <volume_mount_name>
mountPath: /etc/nginx/waf/bundles
mountPath: /etc/app_protect/bundles
```

A full example of a deployment file with `volumes` and `volumeMounts` could look like the following:
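
Review bot: the `mountPath` in this snippet moves to `/etc/app_protect/bundles` with nothing in the surrounding text saying which release expects it. The PR title ties the fix to NAP5, so state near the snippet which NGINX App Protect WAF version uses this path, and that readers who followed the earlier `/etc/nginx/waf/bundles` instructions need to update their volumeMounts. The sentence "Precise paths are used to detect when bundles are uploaded" is the natural place to name the path explicitly.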
Expand Down Expand Up @@ -281,7 +294,7 @@ spec:
- NET_BIND_SERVICE
volumeMounts:
- name: bundle-mount
mountPath: /etc/nginx/waf/bundles
mountPath: /etc/app_protect/bundles
env:
- name: POD_NAMESPACE
valueFrom:
Expand All @@ -297,9 +310,11 @@ spec:
- -external-service=nginx-ingress
```

---

## Create WAF policy

To process a bundle, you must create a new WAF policy. This policy is added to `/etc/nginx/waf/bundles`, allowing NGINX Ingress Controller to load it into WAF.
To process a bundle, you must create a new WAF policy. This policy is added to `/etc/app_protect/bundles`, allowing NGINX Ingress Controller to load it into WAF.

The example below shows the required WAF policy, and the *apBundle* and *apLogConf* fields you must use for the security bundle binary file (A tar ball).

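Review bot: the updated sentence under "Create WAF policy" still says the policy "is added to `/etc/app_protect/bundles`", but the rest of the page has the bundle file copied into that directory with `kubectl cp`, while the WAF policy is a resource that points at it through `apBundle`. Reword so the bundle is what lives in the directory and the policy references it by file name, for example "The policy references a bundle file in `/etc/app_protect/bundles`".
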
Expand All @@ -318,6 +333,8 @@ spec:
logDest: "<security-log-destination-URL>"
```

---

## Create VirtualServer resource and apply policy

Once the WAF policy has been created, link it to your *virtualServer resource*.
Expand All @@ -341,12 +358,14 @@ spec:
pass: webapp
```

---

## Upload the security bundle

To finish adding a security bundle, the binary file to the NGINX Ingress Controller pods.
To finish adding a security bundle, upload the binary file to the NGINX Ingress Controller pods.

```shell
kubectl cp /your/local/path/<bundle_name>.tgz <namespace>/<pod-name>:etc/nginx/waf/bundles<bundle_name>.tgz
kubectl cp /your/local/path/<bundle_name>.tgz <namespace>/<pod-name>:etc/app_protect/bundles<bundle_name>.tgz -c nginx-plus-ingress
```

Once the bundle has been uploaded to the cluster, NGINX Ingress Controller will detect and automatically load the new WAF policy.
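
Review bot: the new `kubectl cp` destination `etc/app_protect/bundles<bundle_name>.tgz` is missing the `/` between `bundles` and `<bundle_name>`, so the file would land in `etc/app_protect/` under the name `bundles<bundle_name>.tgz` instead of inside the mounted directory, and the controller would never see it. The path also has no leading `/`, which makes it relative to the container's working directory. Suggest `<namespace>/<pod-name>:/etc/app_protect/bundles/<bundle_name>.tgz -c nginx-plus-ingress`, and confirm that `nginx-plus-ingress` matches the container name used in the deployment example earlier on the page.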