# Linux

## Overview

CloudGuard WAF can be deployed as an add-on for NGINX or Kong, thus providing protection to any applications and APIs served by NGINX Reverse Proxy. 

{% tabs %}
{% tab title="NGINX" %}

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2Fdz1vOFO3cUzt7GjXVxyv%2Fimage.png?alt=media&#x26;token=6e9e3562-b315-4bb0-a2a5-ac2748cec898" alt=""><figcaption></figcaption></figure>
{% endtab %}

{% tab title="Kong" %}

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FV6QoT0oP1FmFcifHBiQr%2Fimage.png?alt=media&#x26;token=3d399f27-b784-4431-a11c-04a96f16af3d" alt=""><figcaption></figcaption></figure>
{% endtab %}
{% endtabs %}

{% hint style="info" %}
The CloudGuard WAF Nano Agent attaches itself to the traffic being **proxied** by the Proxy Server or API server.

If the server serves applications locally, and does not serve as a proxy between an exposed domain and an internal one - the Nano Agent can still inspect the traffic if you change the port for the local applications to a higher port, and add a proxy rule between the exposed listening domain and port, to the same local machine at a higher port.
{% endhint %}

#### Deployment Instructions for NGINX

{% content-ref url="linux/nginx" %}
[nginx](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/linux/nginx)
{% endcontent-ref %}

#### Deployemt Instructions for Kong Using Lua PlugIn