nginx · rnitzan · Apr 19, 2026 · Apr 19, 2026 · Apr 19, 2026 · Apr 19, 2026
@@ -0,0 +1,32 @@
+---
+nd-product: F5DOSN
+nd-files:
+- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation.md
+---
+
+```dockerfile
+# syntax=docker/dockerfile:1
+
+# Supported OS_VER's are 3.21/3.22
+ARG OS_VER="3.22"
+
+# Base image
+FROM alpine:${OS_VER}
+
+# Install F5 DoS ebpf manager for NGINX and create required nginx user
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \
+    --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \
+    set -x \
+    # Create nginx user/group first, to be consistent throughout Docker variants \
+    && addgroup -S -g 101 nginx \
+    && adduser -S -u 101 -G nginx -h /nonexistent -s /sbin/nologin nginx \
+    && wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
+    && printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories \
+    && apk update \
+    && apk add app-protect-dos-ebpf-manager \
+    && rm -rf /var/cache/apk/*
+
+STOPSIGNAL SIGQUIT
+
+CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"]
+```
@@ -0,0 +1,26 @@
+---
+nd-product: F5DOSN
+nd-files:
+- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation.md
+---
+
+```dockerfile
+# For AmazonLinux 2023:
+FROM amazonlinux:2023
+
+# Install F5 DoS ebpf manager for NGINX and create required nginx user
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+    --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+     set -x \
+     && dnf -y install ca-certificates shadow-utils \
+     && groupadd --system --gid 101 nginx \
+     && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+     && curl -o  /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo \
+     && dnf install -y app-protect-dos-ebpf-manager \
+     && dnf clean all \
+     && rm -rf /var/cache/dnf
+
+STOPSIGNAL SIGQUIT
+
+CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"]
+```
@@ -0,0 +1,48 @@
+---
+nd-product: F5DOSN
+nd-files:
+- content/nap-dos/deployment-guide/learn-about-deployment.md
+---
+
+```dockerfile
+# syntax=docker/dockerfile:1
+FROM amazonlinux:2023
+
+# Install prerequisite packages:
+RUN dnf -y install ca-certificates
+
+# Add NGINX/NAP WAF/NAP DOS repositories:
+RUN curl -o /etc/yum.repos.d/plus-amazonlinux2023.repo https://cs.nginx.com/static/files/plus-amazonlinux2023.repo && \
+    curl -o /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo && \
+    curl -o /etc/yum.repos.d/app-protect-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-amazonlinux2023.repo && \
+    curl -o /etc/yum.repos.d/dependencies.amazonlinux2023.repo https://cs.nginx.com/static/files/dependencies.amazonlinux2023.repo
+
+# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which include NGINX Plus):
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+    --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+    set -x \
+    && dnf -y install ca-certificates shadow-utils \
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+    && dnf -y install app-protect app-protect-dos \
+    && rm /etc/yum.repos.d/plus-amazonlinux2023.repo \
+    && rm /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo \
+    && dnf clean all \
+    && rm -rf /var/cache/dnf \
+    && rm -rf /var/cache/yum \
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
+
+RUN nginx -v && admd -v
+RUN echo "RELEASE:" && cat /opt/app_protect/RELEASE && echo "VERSION:" && cat /opt/app_protect/VERSION
+
+# Copy configuration files:
+COPY entrypoint.sh /root/
+RUN chmod +x /root/entrypoint.sh
+
+EXPOSE 80
+
+STOPSIGNAL SIGQUIT
+
+CMD ["sh", "/root/entrypoint.sh"]
+```
@@ -0,0 +1,40 @@
+---
+nd-product: F5DOSN
+nd-files:
+- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation.md
+---
+
+```dockerfile
+# Where can be bullseye/bookworm
+FROM debian:bullseye
+
+# Install F5 DoS for NGINX
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+    --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+    set -x \
+    # Create nginx user/group first, to be consistent throughout Docker variants \
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+    && DEBIAN_FRONTEND=noninteractive apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        apt-transport-https \
+        lsb-release \
+        ca-certificates \
+        wget \
+        gnupg2 \
+        debian-archive-keyring \
+    && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key \
+        | gpg --dearmor \
+        | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \
+    && echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian $(lsb_release -cs) nginx-plus" \
+        > /etc/apt/sources.list.d/nginx-app-protect-dos.list \
+    && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \
+    && DEBIAN_FRONTEND=noninteractive apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y app-protect-dos-ebpf-manager \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+STOPSIGNAL SIGQUIT
+
+CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"]
+```
@@ -0,0 +1,51 @@
+---
+nd-product: F5DOSN
+nd-files:
+- content/nap-dos/deployment-guide/learn-about-deployment.md
+---
+
+```dockerfile
+# Where version can be: bullseye/bookworm
+FROM debian:bullseye
+
+# Install prerequisite packages:
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring && \
+    wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
+    wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor | tee /usr/share/keyrings/app-protect-security-updates.gpg > /dev/null
+
+# Add NGINX Plus, NGINX App Protect and F5 DoS for NGINX repository:
+RUN printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \
+    && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect-dos.list \
+    && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect.list \
+    && printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/app-protect-security-updates.list
+
+# Download the apt configuration to `/etc/apt/apt.conf.d`:
+RUN wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
+
+# Update the repository and install the most recent versions of the F5 WAF and F5 DoS for NGINX packages (which includes NGINX Plus):
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+    --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+    set -x \
+    # Create nginx user/group first, to be consistent throughout Docker variants \
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+    && DEBIAN_FRONTEND=noninteractive apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y app-protect app-protect-dos \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* \
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
+
+RUN nginx -v && admd -v
+RUN echo "RELEASE:" && cat /opt/app_protect/RELEASE && echo "VERSION:" && cat /opt/app_protect/VERSION
+
+COPY entrypoint.sh /root/
+RUN chmod +x /root/entrypoint.sh
+
+EXPOSE 80
+
+STOPSIGNAL SIGQUIT
+
+CMD ["sh", "/root/entrypoint.sh"]
+```
@@ -1,10 +1,14 @@
 ---
 nd-product: F5DOSN
+nd-files:
+- content/nap-dos/deployment-guide/learn-about-deployment.md
+- content/nap-dos/deployment-guide/kubernetes.md
+- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation.md
 ---
 
 ```dockerfile
 
-# Where can be bullseye/bookworm
+# Where can be bullseye/bookworm/trixie
 FROM debian:bullseye
 
 # Install F5 DoS for NGINX

@@ -0,0 +1,33 @@
+---
+nd-product: F5DOSN
+nd-files:
+- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation.md
+---
+
+```dockerfile
+# For UBI 10
+FROM registry.access.redhat.com/ubi10
+
+ARG RHEL_ORG
+ARG RHEL_ACTIVATION_KEY
+
+# Install F5 DoS ebpf manager for NGINX and create required nginx user
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+    --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+    set -x \
+    # Create nginx user/group first, to be consistent throughout Docker variants \
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+    && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm \
+    && dnf -y install ca-certificates \
+    && curl -o /etc/yum.repos.d/app-protect-dos-10.repo https://cs.nginx.com/static/files/app-protect-dos-10.repo \
+    && dnf -y install app-protect-dos-ebpf-manager \
+    && rm /etc/yum.repos.d/app-protect-dos-10.repo \
+    && dnf clean all \
+    && rm -rf /var/cache/yum
+
+STOPSIGNAL SIGQUIT
+
+CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"]
+```
+
@@ -0,0 +1,50 @@
+---
+nd-product: F5DOSN
+nd-files:
+- content/nap-dos/deployment-guide/learn-about-deployment.md
+- content/nap-dos/deployment-guide/kubernetes.md
+- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation.md
+---
+
+```dockerfile
+# For UBI 10
+FROM registry.access.redhat.com/ubi10
+
+ARG RHEL_ORG
+ARG RHEL_ACTIVATION_KEY
+
+# Install F5 DoS for NGINX
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+    --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+    --mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \
+    subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \
+    && subscription-manager refresh \
+    && subscription-manager attach --auto || true \
+    && subscription-manager repos --enable=rhel-10-for-x86_64-baseos-rpms \
+    && subscription-manager repos --enable=rhel-10-for-x86_64-appstream-rpms \
+    && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm \
+    && dnf -y install ca-certificates \
+    && curl -o /etc/yum.repos.d/plus-10.repo https://cs.nginx.com/static/files/plus-10.repo \
+    && curl -o /etc/yum.repos.d/app-protect-dos-10.repo https://cs.nginx.com/static/files/app-protect-dos-10.repo \
+    && dnf -y install app-protect-dos \
+    && cat license.jwt > /etc/nginx/license.jwt \
+    && rm /etc/yum.repos.d/plus-10.repo \
+    && rm /etc/yum.repos.d/app-protect-dos-10.repo \
+    && dnf clean all \
+    && rm -rf /var/cache/yum \
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
+
+# Copy configuration files:
+COPY nginx.conf custom_log_format.json /etc/nginx/
+COPY entrypoint.sh /root/
+RUN chmod +x /root/entrypoint.sh
+
+EXPOSE 80
+
+STOPSIGNAL SIGQUIT
+
+CMD ["sh", "/root/entrypoint.sh"]
+
+```
+
@@ -0,0 +1,32 @@
+---
+nd-product: F5DOSN
+nd-files:
+- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation.md
+---
+
+```dockerfile
+# For UBI 8
+FROM registry.access.redhat.com/ubi8
+
+ARG RHEL_ORG
+ARG RHEL_ACTIVATION_KEY
+
+# Install F5 DoS ebpf manager for NGINX and create required nginx user
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+    --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+    set -x \
+    # Create nginx user/group first, to be consistent throughout Docker variants \
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+    && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \
+    && dnf -y install ca-certificates \
+    && curl -o /etc/yum.repos.d/app-protect-dos-8.repo https://cs.nginx.com/static/files/app-protect-dos-8.repo \
+    && dnf -y install app-protect-dos-ebpf-manager \
+    && rm /etc/yum.repos.d/app-protect-dos-8.repo \
+    && dnf clean all \
+    && rm -rf /var/cache/yum
+
+STOPSIGNAL SIGQUIT
+
+CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"]
+```
@@ -0,0 +1,32 @@
+---
+nd-product: F5DOSN
+nd-files:
+- content/nap-dos/deployment-guide/kubernetes-with-L4-accelerated-mitigation.md
+---
+
+```dockerfile
+# For UBI 9
+FROM registry.access.redhat.com/ubi9
+
+ARG RHEL_ORG
+ARG RHEL_ACTIVATION_KEY
+
+# Install F5 DoS ebpf manager for NGINX and create required nginx user
+RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
+    --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
+    set -x \
+    # Create nginx user/group first, to be consistent throughout Docker variants \
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+    && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
+    && dnf -y install ca-certificates \
+    && curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \
+    && dnf -y install app-protect-dos-ebpf-manager \
+    && rm /etc/yum.repos.d/app-protect-dos-9.repo \
+    && dnf clean all \
+    && rm -rf /var/cache/yum
+
+STOPSIGNAL SIGQUIT
+
+CMD ["bash", "-c", "/usr/bin/ebpf_manager_dos 2>&1 | tee /shared/ebpf_dos.log"]
+```