nginx · JTorreG · May 28, 2026 · May 28, 2026 · May 28, 2026 · May 28, 2026
@@ -0,0 +1,8 @@
+{{< banner "warning" "LTS documentation" >}}
+
+The documentation in this section is for **NGINX Ingress Controller LTS (Long-Term Support)**. 
+
+To view the documentation for the mainline version of NGINX Ingress Controller, please visit the [NGINX Ingress Controller documentation]({{< ref "/nic/" >}}).
+
+
+{{< /banner >}}
@@ -0,0 +1,12 @@
+---
+# The title is the product name
+title: NGINX Ingress Controller LTS
+# The URL is the base of the deployed path, becoming "docs.nginx.com/<url>/<other-pages>"
+url: /nginx-ingress-controller/lts/
+# The cascade directive applies its nested parameters down the page tree until overwritten
+cascade:
+  f5-banner:
+    enabled: true
+    md: /_banners/nic-lts.md
+f5-product: INGRESS
+---
@@ -0,0 +1,23 @@
+---
+title: Changelog
+url: /nginx-ingress-controller/changelog
+weight: 10200
+f5-landing-page: true
+f5-content-type: reference
+f5-product: INGRESS
+---
+
+This changelog lists all of the information for F5 NGINX Ingress Controller LTS.
+
+
+{{< details summary="NGINX Ingress Controller LTS compatibility matrix" open=false >}}
+
+{{< include "/nic/compatibility-tables/nic-k8s.md" >}}
+
+### Supported F5 WAF for NGINX versions
+
+{{<call-out "note" "Note">}}To use F5 WAF for NGINX with NGINX Ingress Controller LTS, you must have NGINX Plus.{{< /call-out >}}
+
+{{< include "/nic/compatibility-tables/nic-nap.md" >}}
+
+{{< /details >}}
@@ -0,0 +1,22 @@
+---
+title: Community and contributing
+weight: 10000
+f5-content-type: reference
+f5-product: INGRESS
+---
+
+There are a few ways to get involved with the F5 NGINX Ingress Controller LTS community and contribute to the project.
+
+# Community
+
+- Our [GitHub issues page](https://github.com/nginx/kubernetes-ingress/issues) or [GitHub discussions page](https://github.com/nginx/kubernetes-ingress/discussions) offers more space for an asynchronous technical discussion.
+
+- You can can also get help through the [NGINX Community Forum](https://community.nginx.org/).
+
+# Contribute
+
+Please see our [contributing guide](https://github.com/nginx/kubernetes-ingress/blob/main/CONTRIBUTING.md) to get involved with code or documentation.
+
+# License
+
+[Apache License, Version 2.0](https://github.com/nginx/kubernetes-ingress/blob/main/LICENSE)
@@ -0,0 +1,5 @@
+---
+title: Configuration
+weight: 500
+url: /nginx-ingress-controller/configuration
+---
@@ -0,0 +1,265 @@
+---
+title: Deploy a Policy for access control
+weight: 900
+toc: true
+f5-content-type: how-to
+f5-product: INGRESS
+---
+
+This topic describes how to use F5 NGINX Ingress Controller LTS to apply and update a Policy for access control. You can use access control policies with [VirtualServer custom resources]({{< ref "/nic/lts/configuration/virtualserver-and-virtualserverroute-resources.md" >}}) or with [Ingress resources]({{< ref "/nic/lts/configuration/ingress-resources/basic-configuration.md" >}}) using the `nginx.org/policies` annotation.
+
+---
+
+## Before you begin
+
+You should have a [working NGINX Ingress Controller LTS]({{< ref "/nic/lts/install/helm.md" >}}) instance.
+
+For ease of use in shell commands, set the following shell variables:
+
+1. The public IP address for your NGINX Ingress Controller LTS instance.
+
+```shell
+IC_IP=<ip-address>
+```
+
+2. The HTTP port of the same instance.
+
+```shell
+IC_HTTP_PORT=<port number>
+```
+
+3. The HTTPS port of the same instance (used for the [Ingress resource example](#use-access-control-with-ingress-resources)).
+
+```shell
+IC_HTTPS_PORT=<port number>
+```
+
+---
+
+## Use access control with VirtualServer resources
+
+### Deploy the example application
+
+Create the file _webapp.yaml_ with the following contents:
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/webapp.yaml" >}}
+
+Apply it using `kubectl`:
+
+```shell
+kubectl apply -f webapp.yaml
+```
+
+---
+
+### Deploy a Policy to create a deny rule
+
+Create a file named _access-control-policy-deny.yaml_. The highlighted _deny_ field will be used by the example application, and should be changed to the subnet of your machine.
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/access-control-policy-deny.yaml" "hl_lines=7-8" >}}
+
+Apply the policy:
+
+```shell
+kubectl apply -f access-control-policy-deny.yaml
+```
+
+---
+
+### Configure load balancing
+
+Create a file named _virtual-server.yaml_ for the VirtualServer resource. The _policies_ field references the access control Policy created in the previous section.
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/virtual-server.yaml" "hl_lines=7-8" >}}
+
+Apply the policy:
+
+```shell
+kubectl apply -f virtual-server.yaml
+```
+
+---
+
+## Test the example application
+
+Use `curl` to attempt to access the application:
+
+```shell
+curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
+```
+
+```text
+<html>
+<head><title>403 Forbidden</title></head>
+<body>
+<center><h1>403 Forbidden</h1></center>
+</body>
+</html>
+```
+
+The *403* response is expected, successfully blocking your machine.
+
+---
+
+### Update the Policy to create an allow rule
+
+Update the Policy with the file _access-control-policy-allow.yaml_, setting the _allow_ field to the subnet of your machine.
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/access-control-policy-allow.yaml" "hl_lines=7-8" >}}
+
+Apply the Policy:
+
+```shell
+kubectl apply -f access-control-policy-allow.yaml
+```
+
+----
+
+### Verify the Policy update
+
+Attempt to access the application again:
+
+```shell
+curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
+```
+
+```text
+Server address: 10.64.0.13:8080
+Server name: webapp-5cbbc7bd78-wf85w
+```
+
+The successful response demonstrates that the policy has been updated.
+
+---
+
+## Use access control with Ingress resources
+
+You can also apply access control policies to standard Kubernetes Ingress resources using the `nginx.org/policies` annotation. This section walks through a complete example.
+
+### Deploy the cafe application
+
+Create the file _cafe.yaml_ with the following contents:
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/ingress-resources/access-control/cafe.yaml" >}}
+
+Apply it using `kubectl`:
+
+```shell
+kubectl apply -f cafe.yaml
+```
+
+### Configure NGINX to use the X-Real-IP header
+
+Create the file _nginx-config.yaml_ to configure NGINX to trust the `X-Real-IP` header. This ensures the access control policy uses the client IP provided in that header.
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/ingress-resources/access-control/nginx-config.yaml" >}}
+
+Apply the ConfigMap:
+
+```shell
+kubectl apply -f nginx-config.yaml
+```
+
+### Deploy a Policy to create an allow rule
+
+Create a file named _access-control-policy-allow.yaml_. The highlighted _allow_ field permits traffic from the `10.0.0.0/8` CIDR range and blocks all other addresses.
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/ingress-resources/access-control/access-control-policy-allow.yaml" "hl_lines=7-8" >}}
+
+Apply the policy:
+
+```shell
+kubectl apply -f access-control-policy-allow.yaml
+```
+
+### Create the Ingress resource
+
+Create a file named _cafe-ingress.yaml_ for the Ingress resource. The highlighted `nginx.org/policies` annotation references the access control Policy created in the previous step.
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/ingress-resources/access-control/cafe-ingress.yaml" "hl_lines=5-6" >}}
+
+Apply the Ingress:
+
+```shell
+kubectl apply -f cafe-ingress.yaml
+```
+
+### Test the allow policy
+
+1. Send a request with an IP in the allowed `10.0.0.0/8` range using the `X-Real-IP` header:
+
+    ```shell
+    curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure -H "X-Real-IP: 10.0.0.1"
+    ```
+
+    ```text
+    Server address: 10.244.0.6:8080
+    Server name: coffee-7586895968-r26zn
+    ...
+    ```
+
+    The request succeeds because `10.0.0.1` is in the allowed range.
+
+2. Send a request with an IP outside the allowed range:
+
+    ```shell
+    curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure -H "X-Real-IP: 192.168.1.1"
+    ```
+
+    ```text
+    <html>
+    <head><title>403 Forbidden</title></head>
+    <body>
+    <center><h1>403 Forbidden</h1></center>
+    </body>
+    </html>
+    ```
+
+    The *403* response confirms that NGINX blocks clients outside the allowed range.
+
+### Update the Policy to create a deny rule
+
+Update the Policy with the file _access-control-policy-deny.yaml_, which denies traffic from the `10.0.0.0/8` CIDR range and allows all other addresses.
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/ingress-resources/access-control/access-control-policy-deny.yaml" "hl_lines=7-8" >}}
+
+Apply the updated Policy:
+
+```shell
+kubectl apply -f access-control-policy-deny.yaml
+```
+
+The Ingress resource picks up the change automatically because the policy name (`webapp-policy`) stays the same.
+
+### Verify the deny policy
+
+1. Send a request with an IP in the now-denied `10.0.0.0/8` range:
+
+    ```shell
+    curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure -H "X-Real-IP: 10.0.0.1"
+    ```
+
+    ```text
+    <html>
+    <head><title>403 Forbidden</title></head>
+    <body>
+    <center><h1>403 Forbidden</h1></center>
+    </body>
+    </html>
+    ```
+
+    The same IP that was previously allowed is now rejected.
+
+2. Send a request with an IP outside the denied range:
+
+    ```shell
+    curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure -H "X-Real-IP: 192.168.1.1"
+    ```
+
+    ```text
+    Server address: 10.244.0.6:8080
+    Server name: coffee-7586895968-r26zn
+    ...
+    ```
+
+    Clients outside the denied range are now allowed through.
@@ -0,0 +1,12 @@
+---
+title: Configuration examples
+toc: true
+weight: 400
+f5-content-type: reference
+f5-product: INGRESS
+---
+
+Our [GitHub repo](https://github.com/nginx/kubernetes-ingress) includes a number of configuration examples:
+
+- [*Examples of Custom Resources*](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources) show how to advanced NGINX features by using VirtualServer, VirtualServerRoute, TransportServer and Policy Custom Resources.
+- [*Examples of Ingress Resources*](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources) show how to use advanced NGINX features in Ingress resources with annotations.
@@ -0,0 +1,8 @@
+---
+title: Global configuration
+description:
+weight: 100
+menu:
+  docs:
+    parent: NGINX Ingress Controller LTS
+---