Commit faf6c58

committed
update
1 parent 09d8a53 commit faf6c58

11 files changed

+519
-625
lines changed

Lines changed: 42 additions & 41 deletions
Original file line numberDiff line numberDiff line change
@@ -1,74 +1,75 @@
1-
**Note**: To complete this step, make sure that `gpg` is installed on your system. You can install NGINX Agent using various command-line tools like `curl` or `wget`. If your NGINX Instance Manager host is not set up with valid TLS certificates, you can use the insecure flags provided by those tools. See the following examples:
1+
---
2+
docs: DOCS-1031
3+
files:
4+
- content/nim/nginx-app-protect/setup-waf-config-management.md
5+
---
6+
7+
{{<note>}}Make sure `gpg` is installed on your system before continuing. You can install NGINX Agent using command-line tools like `curl` or `wget`.{{</note>}}
8+
9+
If your NGINX Instance Manager host doesn't use valid TLS certificates, you can use the insecure flags to bypass verification. Here are some example commands:
210

311
{{<tabs name="install-agent-api">}}
412

513
{{%tab name="curl"%}}
614

7-
- Secure:
15+
- **Secure:**
816

917
```bash
10-
curl https://<NMS_FQDN>/install/nginx-agent | sudo sh
18+
curl https://<NIM_FQDN>/install/nginx-agent | sudo sh
1119
```
1220

13-
- Insecure:
21+
- **Insecure:**
1422

1523
```bash
16-
curl --insecure https://<NMS_FQDN>/install/nginx-agent | sudo sh
24+
curl --insecure https://<NIM_FQDN>/install/nginx-agent | sudo sh
1725
```
1826

19-
You can add your NGINX instance to an existing instance group or create one using `--instance-group` or `-g` flag when installing NGINX Agent.
20-
21-
The following example shows how to download and run the script with the optional `--instance-group` flag adding the NGINX instance to the instance group **my-instance-group**:
22-
23-
```bash
24-
curl https://<NMS_FQDN>/install/nginx-agent > install.sh; chmod u+x install.sh
25-
sudo ./install.sh --instance-group my-instance-group
26-
```
27+
To add the instance to a specific instance group during installation, use the `--instance-group` (or `-g`) flag:
2728

28-
By default, the install script attempts to use a secure connection when downloading packages. If, however, the script cannot create a secure connection, it uses an insecure connection instead and logs the following warning message:
29+
```shell
30+
curl https://<NIM_FQDN>/install/nginx-agent -o install.sh
31+
chmod u+x install.sh
32+
sudo ./install.sh --instance-group <instance group>
33+
```
2934

30-
``` text
31-
Warning: An insecure connection will be used during this nginx-agent installation
32-
```
35+
By default, the install script uses a secure connection to download packages. If it can’t establish one, it falls back to an insecure connection and logs this message:
3336

34-
To require a secure connection, you can set the optional flag `skip-verify` to `false`.
37+
```text
38+
Warning: An insecure connection will be used during this nginx-agent installation
39+
```
3540

36-
The following example shows how to download and run the script with an enforced secure connection:
41+
To enforce a secure connection, set the `--skip-verify` flag to false:
3742

38-
```bash
39-
curl https://<NMS_FQDN>/install/nginx-agent > install.sh chmod u+x install.sh; chmod u+x install.sh
40-
sudo sh ./install.sh --skip-verify false
41-
```
43+
```shell
44+
curl https://<NIM_FQDN>/install/nginx-agent -o install.sh
45+
chmod u+x install.sh
46+
sudo ./install.sh --skip-verify false
47+
```
4248

4349
{{%/tab%}}
4450

4551
{{%tab name="wget"%}}
4652

53+
- **Secure:**
4754

48-
- Secure:
49-
50-
```bash
51-
wget https://<NMS_FQDN>/install/nginx-agent -O - | sudo sh -s --skip-verify false
55+
```shell
56+
wget https://<NIM_FQDN>/install/nginx-agent -O - | sudo sh -s --skip-verify false
5257
```
5358

54-
- Insecure:
59+
- **Insecure:**
5560

56-
```bash
57-
wget --no-check-certificate https://<NMS_FQDN>/install/nginx-agent -O - | sudo sh
61+
```shell
62+
wget --no-check-certificate https://<NIM_FQDN>/install/nginx-agent -O - | sudo sh
5863
```
5964

60-
When you install the NGINX Agent, you can use the `--instance-group` or `-g` flag to add your NGINX instance to an existing instance group or to a new group that you specify.
61-
62-
The following example downloads and runs the NGINX Agent install script with the optional `--instance-group` flag, adding the NGINX instance to the instance group **my-instance-group**:
63-
64-
```bash
65-
wget https://gnms1.npi.f5net.com/install/nginx-agent -O install.sh ; chmod u+x install.sh
66-
sudo ./install.sh --instance-group my-instance-group
67-
```
65+
To add your instance to a group during installation, use the `--instance-group` (or `-g`) flag:
6866

67+
```shell
68+
wget https://<NIM_FQDN>/install/nginx-agent -O install.sh
69+
chmod u+x install.sh
70+
sudo ./install.sh --instance-group <instance group>
71+
```
6972

7073
{{%/tab%}}
71-
{{</tabs>}}
7274

73-
<!-- Do not remove. Keep this code at the bottom of the include -->
74-
<!-- DOCS-1031 -->
75+
{{</tabs>}}
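
Review bot: the curl **Secure** one-liner at new line 18 pipes the script to `sudo sh` without `--skip-verify false`, yet new line 35 says the script falls back to an insecure connection when it cannot establish a secure one, so the example labelled secure does not enforce verified package downloads. The wget **Secure** example at new line 56 already passes `-s --skip-verify false`; make the curl example match, or relabel it. The fallback warning and the `--skip-verify` paragraph also exist only in the curl tab, so wget readers never see them; moving both above `{{<tabs>}}` would cover both tools.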

content/includes/nap-waf/build-nginx-image-cmd.md

Lines changed: 1 addition & 1 deletion
@@ -10,7 +10,7 @@ To build the image, execute the following command in the directory containing th
1010

1111

1212
```shell
13-
sudo docker build --no-cache \
13+
sudo docker build --no-cache --platform linux/amd64 \
1414
--secret id=nginx-crt,src=nginx-repo.crt \
1515
--secret id=nginx-key,src=nginx-repo.key \
1616
-t nginx-app-protect-5 .
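
Review bot: missing documentation for `--platform linux/amd64` at new line 13; nothing in the visible text says why the build is pinned to amd64. Add a sentence with the reason and note that on a non-amd64 host the build runs under emulation. The same flag is added to several build commands in this commit, so a shared include for that sentence would keep the wording consistent.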

content/nap-dos/deployment-guide/learn-about-deployment.md

Lines changed: 3 additions & 3 deletions
@@ -1405,7 +1405,7 @@ You need root permissions to execute the following steps.
14051405
6. Create a Docker image:
14061406
14071407
```shell
1408-
docker build --no-cache -t app-protect-dos .
1408+
docker build --no-cache --platform linux/amd64 -t app-protect-dos .
14091409
```
14101410
14111411
The `--no-cache` option tells Docker to build the image from scratch and ensures the installation of the latest version of NGINX Plus and NGINX App Protect DoS. If the Dockerfile was previously used to build an image without the `--no-cache` option, the new image uses versions from the previously built image from the Docker cache.
@@ -1966,13 +1966,13 @@ Make sure to replace upstream and proxy pass directives in this example with rel
19661966
For CentOS:
19671967
19681968
```shell
1969-
docker build --no-cache -t app-protect-dos .
1969+
docker build --no-cache --platform linux/amd64 -t app-protect-dos .
19701970
```
19711971
19721972
For RHEL:
19731973
19741974
```shell
1975-
docker build --build-arg RHEL_ORGANIZATION=${RHEL_ORGANIZATION} --build-arg RHEL_ACTIVATION_KEY=${RHEL_ACTIVATION_KEY} --no-cache -t app-protect-dos .
1975+
docker build --platform linux/amd64 --build-arg RHEL_ORGANIZATION=${RHEL_ORGANIZATION} --build-arg RHEL_ACTIVATION_KEY=${RHEL_ACTIVATION_KEY} --no-cache -t app-protect-dos .
19761976
```
19771977
19781978
The `--no-cache` option tells Docker to build the image from scratch and ensures the installation of the latest version of NGINX Plus and NGINX App Protect DoS. If the Dockerfile was previously used to build an image without the `--no-cache` option, the new image uses versions from the previously built image from the Docker cache.
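
Review bot: the RHEL command at new line 1975 passes `RHEL_ACTIVATION_KEY` with `--build-arg`, and build arguments are recorded in the image metadata (they show up in `docker history`), so the key can end up in the built image. Since this line is being edited anyway, consider the `--secret id=...,src=...` form that the App Protect WAF build commands in this commit use for `nginx-repo.crt` and `nginx-repo.key`. Style: `--platform` is placed first here but after `--no-cache` in every other command touched by the commit, and the paragraph below explains `--no-cache` only.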

content/nap-waf/v4/admin-guide/install.md

Lines changed: 2 additions & 2 deletions
@@ -939,7 +939,7 @@ If a user other than **nginx** is to be used, note the following:
939939
- For Oracle Linux/Debian/Ubuntu/Alpine/Amazon Linux:
940940
941941
```shell
942-
DOCKER_BUILDKIT=1 docker build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t app-protect .
942+
DOCKER_BUILDKIT=1 docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t app-protect .
943943
```
944944
945945
The `DOCKER_BUILDKIT=1` enables `docker build` to recognize the `--secret` flag which allows the user to pass secret information to be used in the Dockerfile for building docker images in a safe way that will not end up stored in the final image. This is a recommended practice for the handling of the certificate and private key for NGINX repository access (`nginx-repo.crt` and `nginx-repo.key` files). More information [here](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret).
@@ -1289,7 +1289,7 @@ You need root permissions to execute the following steps.
12891289
- For Oracle Linux/Debian/Ubuntu/Alpine/Amazon Linux:
12901290
12911291
```shell
1292-
DOCKER_BUILDKIT=1 docker build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t app-protect-converter .
1292+
DOCKER_BUILDKIT=1 docker build --no-cache --platform linux/amd64 --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t app-protect-converter .
12931293
```
12941294
12951295
The `DOCKER_BUILDKIT=1` enables `docker build` to recognize the `--secret` flag which allows the user to pass secret information to be used in the Dockerfile for building docker images in a safe way that will not end up stored in the final image. This is a recommended practice for the handling of the certificate and private key for NGINX repository access (`nginx-repo.crt` and `nginx-repo.key` files). More information [here](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret).

content/nap-waf/v5/admin-guide/compiler.md

Lines changed: 1 addition & 1 deletion
@@ -98,7 +98,7 @@ curl -s https://private-registry.nginx.com/v2/nap/waf-compiler/tags/list --key <
9898
Run the command below to build your image, where `waf-compiler-<version-tag>:custom` is an example of the image tag:
9999

100100
```shell
101-
sudo docker build --no-cache \
101+
sudo docker build --no-cache --platform linux/amd64 \
102102
--secret id=nginx-crt,src=nginx-repo.crt \
103103
--secret id=nginx-key,src=nginx-repo.key \
104104
-t waf-compiler-<version-tag>:custom .

content/ngf/overview/custom-policies.md

Lines changed: 5 additions & 4 deletions
@@ -17,10 +17,11 @@ The following table summarizes NGINX Gateway Fabric custom policies:
1717

1818
{{< bootstrap-table "table table-striped table-bordered" >}}
1919

20-
| Policy | Description | Attachment Type | Supported Target Object(s) | Supports Multiple Target Refs | Mergeable | API Version |
21-
|---------------------------------------------------------------------------------------|---------------------------------------------------------|-----------------|-------------------------------|-------------------------------|-----------|-------------|
22-
| [ClientSettingsPolicy]({{< ref "/ngf/how-to/traffic-management/client-settings.md" >}}) | Configure connection behavior between client and NGINX | Inherited | Gateway, HTTPRoute, GRPCRoute | No | Yes | v1alpha1 |
23-
| [ObservabilityPolicy]({{< ref "/ngf/how-to/monitoring/tracing.md" >}}) | Define settings related to tracing, metrics, or logging | Direct | HTTPRoute, GRPCRoute | Yes | No | v1alpha1 |
20+
| Policy | Description | Attachment Type | Supported Target Object(s) | Supports Multiple Target Refs | Mergeable | API Version |
21+
|---------------------------------------------------------------------------------------------|---------------------------------------------------------|-----------------|-------------------------------|-------------------------------|-----------|-------------|
22+
| [ClientSettingsPolicy]({{< ref "/ngf/how-to/traffic-management/client-settings.md" >}}) | Configure connection behavior between client and NGINX | Inherited | Gateway, HTTPRoute, GRPCRoute | No | Yes | v1alpha1 |
23+
| [ObservabilityPolicy]({{< ref "/ngf/how-to/monitoring/tracing.md" >}}) | Define settings related to tracing, metrics, or logging | Direct | HTTPRoute, GRPCRoute | Yes | No | v1alpha2 |
24+
| [UpstreamSettingsPolicy]({{< ref "/ngf/how-to/traffic-management/upstream-settings.md" >}}) | Configure connection behavior between NGINX and backend | Direct | Service | Yes | Yes | v1alpha1 |
2425

2526
{{< /bootstrap-table >}}
2627
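
Review bot: the ObservabilityPolicy API version changes from `v1alpha1` to `v1alpha2` at new line 23, but the change is hidden inside a whole-table column re-alignment and the commit message is only "update". Call the version bump out in the commit message, and confirm that the examples in the linked `tracing.md` page use `v1alpha2` as well. The new UpstreamSettingsPolicy row links to `/ngf/how-to/traffic-management/upstream-settings.md`; check that this page is part of the same change.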

content/ngf/overview/product-telemetry.md

Lines changed: 2 additions & 1 deletion
@@ -32,7 +32,8 @@ Telemetry data is collected once every 24 hours and sent to a service managed by
3232
- **Image Build Source:** whether the image was built by GitHub or locally (values are `gha`, `local`, or `unknown`). The source repository of the images is **not** collected.
3333
- **Deployment Flags:** a list of NGINX Gateway Fabric Deployment flags that are specified by a user. The actual values of non-boolean flags are **not** collected; we only record that they are either `true` or `false` for boolean flags and `default` or `user-defined` for the rest.
3434
- **Count of Resources:** the total count of resources related to NGINX Gateway Fabric. This includes `GatewayClasses`, `Gateways`, `HTTPRoutes`,`GRPCRoutes`, `TLSRoutes`, `Secrets`, `Services`, `BackendTLSPolicies`, `ClientSettingsPolicies`, `NginxProxies`, `ObservabilityPolicies`, `UpstreamSettingsPolicies`, `SnippetsFilters`, and `Endpoints`. The data within these resources is **not** collected.
35-
- **SnippetsFilters Info**a list of directive-context strings from applied SnippetFilters and a total count per strings. The actual value of any NGINX directive is **not** collected.
35+
- **SnippetsFilters Info:** a list of directive-context strings from applied SnippetFilters and a total count per strings. The actual value of any NGINX directive is **not** collected.
36+
3637
This data is used to identify the following information:
3738

3839
- The flavors of Kubernetes environments that are most popular among our users.
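
Review bot: new line 35 still writes "SnippetFilters" in the description, while its own label and the resource list on line 34 use `SnippetsFilters`; use one spelling. In the same line, "a total count per strings" should read "a total count per string".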

content/nginx/admin-guide/load-balancer/tcp-udp-load-balancer.md

Lines changed: 21 additions & 19 deletions
@@ -9,26 +9,23 @@ type:
99
- how-to
1010
---
1111

12-
<span id="intro"></span>
13-
## Introduction
12+
## Introduction {#intro}
1413

15-
[Load balancing](https://www.nginx.com/solutions/load-balancing/) refers to efficiently distributing network traffic across multiple backend servers.
14+
[Load balancing](https://www.f5.com/glossary/load-balancer) refers to efficiently distributing network traffic across multiple backend servers.
1615

1716
In F5 NGINX Plus [R5]({{< ref "nginx/releases.md#r5" >}}) and later, NGINX Plus can proxy and load balance Transmission Control Protocol) (TCP) traffic. TCP is the protocol for many popular applications and services, such as LDAP, MySQL, and RTMP.
1817

1918
In NGINX Plus [R9]({{< ref "nginx/releases.md#r9" >}}) and later, NGINX Plus can proxy and load balance UDP traffic. UDP (User Datagram Protocol) is the protocol for many popular non-transactional applications, such as DNS, syslog, and RADIUS.
2019

2120
To load balance HTTP traffic, refer to the [HTTP Load Balancing]({{< ref "http-load-balancer.md" >}}) article.
2221

23-
<span id="prerequisites"></span>
2422
## Prerequisites
2523

2624
- Latest NGINX Plus (no extra build steps required) or latest [NGINX Open Source](https://nginx.org/en/download.html) built with the `--with-stream` configuration flag
2725
- An application, database, or service that communicates over TCP or UDP
2826
- Upstream servers, each running the same instance of the application, database, or service
2927

30-
<span id="proxy_pass"></span>
31-
## Configuring Reverse Proxy
28+
## Configuring reverse proxy {#proxy_pass}
3229

3330
First, you will need to configure _reverse proxy_ so that NGINX Plus or NGINX Open Source can forward TCP connections or UDP datagrams from clients to an upstream group or a proxied server.
3431
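
Review bot: the unchanged line 16 in this hunk reads "Transmission Control Protocol) (TCP)" with a stray closing parenthesis. The introduction is being edited here, so fix it to "Transmission Control Protocol (TCP)"; the next paragraph uses the opposite order, "UDP (User Datagram Protocol)", and the two could be made consistent.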

@@ -118,8 +115,7 @@ Open the NGINX configuration file and perform the following steps:
118115
}
119116
```
120117

121-
<span id="upstream"></span>
122-
## Configuring TCP or UDP Load Balancing
118+
## Configuring TCP or UDP load balancing {#upstream}
123119

124120
To configure load balancing:
125121

@@ -250,17 +246,15 @@ stream {
250246
}
251247
```
252248

253-
<span id="health"></span>
254-
## Configuring Health Checks
249+
## Configuring health checks {#health}
255250

256251
NGINX can continually test your TCP or UDP upstream servers, avoid the servers that have failed, and gracefully add the recovered servers into the load‑balanced group.
257252

258253
See [TCP Health Checks]({{< ref "nginx/admin-guide/load-balancer/tcp-health-check.md" >}}) for instructions how to configure health checks for TCP.
259254

260255
See [UDP Health Checks]({{< ref "nginx/admin-guide/load-balancer/udp-health-check.md" >}}) for instructions how to configure health checks for UDP.
261256

262-
<span id="on-the-fly-configuration"></span>
263-
## On-the-Fly Configuration
257+
## On-the-fly configuration
264258

265259
Upstream server groups can be easily reconfigured on-the-fly using NGINX Plus REST API. Using this interface, you can view all servers in an upstream group or a particular server, modify server parameters, and add or remove upstream servers.
266260
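
Review bot: "On-the-fly configuration" at new line 257 loses its `<span id="on-the-fly-configuration">` anchor without getting an explicit `{#on-the-fly-configuration}`, while "Configuring health checks" in the same hunk gets `{#health}`. The same applies to "Prerequisites" and "On-the-fly configuration example" elsewhere in this file. Add explicit IDs to all headings, or to none, so existing deep links do not depend on the auto-generated slug.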

@@ -355,8 +349,7 @@ To enable on-the-fly configuration:
355349
}
356350
```
357351

358-
<span id="on-the-fly-configuration-example"></span>
359-
### On-the-Fly Configuration Example
352+
### On-the-fly configuration example
360353

361354
```nginx
362355
stream {
@@ -403,23 +396,22 @@ For example, to add a new server to the server group, send a `POST` request:
403396
curl -X POST -d '{ \
404397
"server": "appserv3.example.com:12345", \
405398
"weight": 4 \
406-
}' -s 'http://127.0.0.1/api/6/stream/upstreams/appservers/servers'
399+
}' -s 'http://127.0.0.1/api/9/stream/upstreams/appservers/servers'
407400
```
408401

409402
To remove a server from the server group, send a `DELETE` request:
410403

411404
```shell
412-
curl -X DELETE -s 'http://127.0.0.1/api/6/stream/upstreams/appservers/servers/0'
405+
curl -X DELETE -s 'http://127.0.0.1/api/9/stream/upstreams/appservers/servers/0'
413406
```
414407

415408
To modify a parameter for a specific server, send a `PATCH` request:
416409

417410
```shell
418-
curl -X PATCH -d '{ "down": true }' -s 'http://127.0.0.1/api/6/http/upstreams/appservers/servers/0'
411+
curl -X PATCH -d '{ "down": true }' -s 'http://127.0.0.1/api/9/http/upstreams/appservers/servers/0'
419412
```
420413

421-
<span id="example"></span>
422-
## Example of TCP and UDP Load-Balancing Configuration
414+
## Example of TCP and UDP load-balancing configuration {#example}
423415

424416
This is a configuration example of TCP and UDP load balancing with NGINX:
425417
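
Review bot: the `PATCH` example at new line 411 targets `/api/9/http/upstreams/appservers/servers/0`, but `appservers` is a stream upstream and the `POST` and `DELETE` examples above use `/api/9/stream/upstreams/...`. The line is being edited for the version bump, so change `http` to `stream` as well. In the unchanged `POST` example, the trailing `\` characters sit inside single quotes, so the shell sends them as part of the request body; drop them so the payload is valid JSON.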

@@ -471,3 +463,13 @@ The three [`server`](https://nginx.org/en/docs/stream/ngx_stream_upstream_module
471463
- The second server listens on port 53 and proxies all UDP datagrams (the `udp` parameter to the `listen` directive) to an upstream group called **dns_servers**. If the `udp` parameter is not specified, the socket listens for TCP connections.
472464

473465
- The third virtual server listens on port 12346 and proxies TCP connections to **backend4.example.com**, which can resolve to several IP addresses that are load balanced with the Round Robin method.
466+
467+
## See also
468+
469+
- [TCP Health Checks]({{< relref "tcp-health-check.md" >}})
470+
471+
- [UDP Health Checks]({{< relref "udp-health-check.md" >}})
472+
473+
- [Load Balancing DNS Traffic with NGINX and NGINX Plus](https://www.f5.com/company/blog/nginx/load-balancing-dns-traffic-nginx-plus)
474+
475+
- [TCP/UDP Load Balancing with NGINX: Overview, Tips, and Tricks](https://blog.nginx.org/blog/tcp-load-balancing-udp-load-balancing-nginx-tips-tricks)
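
Review bot: the two health-check links at new lines 469 and 471 use `relref` with a bare file name, while the "Configuring health checks" section of this file links to the same pages with `ref` and the full path `nginx/admin-guide/load-balancer/tcp-health-check.md`. Use one shortcode and path style throughout the file. The list items are also separated by blank lines, which renders as a loose list; remove the blank lines if a compact list is intended.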
