Add WAF dockerfile and make targets

Author: ciarams87

Makefile

@@ -5,7 +5,9 @@ CHART_DIR = $(SELF_DIR)charts/nginx-gateway-fabric
 NGINX_CONF_DIR = internal/controller/nginx/conf
 NJS_DIR = internal/controller/nginx/modules/src
 KIND_CONFIG_FILE = $(SELF_DIR)config/cluster/kind-cluster.yaml
+NAP_WAF_ALPINE_VERSION = 3.19
 NGINX_DOCKER_BUILD_PLUS_ARGS = --secret id=nginx-repo.crt,src=$(SELF_DIR)nginx-repo.crt --secret id=nginx-repo.key,src=$(SELF_DIR)nginx-repo.key
+NGINX_DOCKER_BUILD_NAP_WAF_ARGS = --build-arg ALPINE_VERSION=$(NAP_WAF_ALPINE_VERSION) --build-arg INCLUDE_NAP_WAF=true
 BUILD_AGENT = local
 
 PROD_TELEMETRY_ENDPOINT = oss.edge.df.f5.com:443
@@ -43,6 +45,7 @@ HELM_SCHEMA_VERSION = 0.18.1
 PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-gateway-fabric
 NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx
 NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus
+NGINX_PLUS_WAF_PREFIX ?= $(PREFIX)/nginx-plus-waf## The name of the nginx plus image with NAP WAF. For example: nginx-gateway-fabric/nginx-plus-waf
 TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0
 TARGET ?= local## The target of the build. Possible values: local and container
 OUT_DIR ?= build/out## The folder where the binary will be stored
@@ -77,6 +80,9 @@ build-images: build-ngf-image build-nginx-image ## Build the NGF and nginx docke
 .PHONY: build-images-with-plus
 build-images-with-plus: build-ngf-image build-nginx-plus-image ## Build the NGF and NGINX Plus docker images
 
+.PHONY: build-images-nap-waf
+build-images-with-nap-waf: build-ngf-image build-nginx-plus-image-with-nap-waf ## Build the NGF and NGINX Plus with WAF docker images
+
 .PHONY: build-prod-ngf-image
 build-prod-ngf-image: TELEMETRY_ENDPOINT=$(PROD_TELEMETRY_ENDPOINT)
 build-prod-ngf-image: build-ngf-image ## Build the NGF docker image for production
@@ -99,6 +105,13 @@ build-prod-nginx-plus-image: build-nginx-plus-image ## Build the custom nginx pl
 build-nginx-plus-image: check-for-docker ## Build the custom nginx plus image
 	docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS))  -f $(SELF_DIR)build/Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
 
+.PHONY: build-nginx-plus-image-with-nap-waf
+build-nginx-plus-image-with-nap-waf: check-for-docker ## Build the custom nginx plus image with NAP WAF. Note that arm is NOT supported.
+	@if [ $(GOARCH) = "arm64" ]; then \
+		echo "\033[0;31mIMPORTANT:\033[0m The nginx-plus-waf image cannot be built for arm64 architecture and will be built for amd64."; \
+	fi
+	docker build --platform linux/amd64 $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS)) $(strip $(NGINX_DOCKER_BUILD_NAP_WAF_ARGS)) -f $(SELF_DIR)build/Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_WAF_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
+
 .PHONY: check-for-docker
 check-for-docker: ## Check if Docker is installed
 	@docker -v || (code=$$?; printf "\033[0;31mError\033[0m: there was a problem with Docker\n"; exit $$code)

build/Dockerfile.nginxplus

@@ -1,14 +1,20 @@
 # syntax=docker/dockerfile:1.16
+
+# renovate: datasource=docker depName=alpine
+ARG ALPINE_VERSION=3.21
+
 FROM scratch AS nginx-files
 
 # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 <local_file> <container_file>
 ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
 
-FROM alpine:3.21
+FROM alpine:${ALPINE_VERSION}
 
 ARG NGINX_PLUS_VERSION=R34
 # renovate: datasource=github-tags depName=nginx/agent extractVersion=^v?(?<version>.*)$
 ARG NGINX_AGENT_VERSION=3.0.0
+ARG APP_PROTECT_VERSION=34.5.342
+ARG INCLUDE_NAP_WAF=false
 ARG NJS_DIR
 ARG NGINX_CONF_DIR
 ARG BUILD_AGENT
@@ -20,6 +26,10 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
     && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \
     && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
     && printf "%s\n" "https://pkgs.nginx.com/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+    && if [ "${INCLUDE_NAP_WAF}" = "true" ]; then \
+           printf "%s\n" "https://pkgs.nginx.com/app-protect-x-plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+           && apk add --no-cache app-protect-module-plus~=${APP_PROTECT_VERSION}; \
+       fi \
     && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-agent=${NGINX_AGENT_VERSION}
 
 RUN apk add --no-cache libcap bash \
@@ -45,4 +55,5 @@ USER 101:1001
 
 LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}"
 
+ENV USE_NAP_WAF=${INCLUDE_NAP_WAF}
 ENTRYPOINT ["/agent/entrypoint.sh"]

build/entrypoint.sh

@@ -27,6 +27,11 @@ trap 'handle_quit' QUIT
 
 rm -rf /var/run/nginx/*.sock
 
+# Bootstrap the necessary app protect files
+if [ "${USE_NAP_WAF:-false}" = "true" ]; then
+    touch /opt/app_protect/bd_config/policy_path.map
+fi
+
 # Launch nginx
 echo "starting nginx ..."