- 
                Notifications
    You must be signed in to change notification settings 
- Fork 120
Update NAP Doc - Configure App Protect WAF - Custom Policies #1041
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update NAP Doc - Configure App Protect WAF - Custom Policies #1041
Conversation
This commit updates the NAP user facing documentation with the following change: Based on this issue : nginxinc/nalb-shared#1695, updated the Configure App Protect WAF with the following text - The File path is not optional and is automatically generated in the portal, defaulting to the path “/etc/app_protect/conf/” plus the policy Name with a “.json” extension
| ✅ All required contributors have signed the F5 CLA for this PR. Thank you! | 
| I have hereby read the F5 CLA and agree to its terms | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @kafeelhasan , question:
First, context. We're helping users manage custom policies in a UI.
If I understand correctly, the default file path is /etc/app_protect/conf. If the default file path is OK for the user, why does the user have to enter anything?
Based on my reading of https://docs.nginx.com/nginx-app-protect-waf/v5/configuration-guide/configuration/#file-reference, it looks like the user can create their own file path. So if they want something other than /etc/app_protect/conf, then I think they have to enter that path in the File path text box.
| We have two approvals. Will merge once tests pass. | 
| - Enter the **Name** (as a filename), **File path**, your policy content, and then select **Save**. | ||
|  | ||
| - Be sure to append the filename with ".json". | ||
| - The **File path** is automatically generated with "/etc/app_protect/conf/" as the default policies folder. | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So user must now specify literally the '.json' for the extension to the filename.  Why don't we call the filed 'File name' instead of 'Name'?  Can I assume we check if the extension is missing (or some other value), and fail fast?
For the file path, are we saying they should not specify '/etc/app_protect/conf/' (i.e., enter only a relative path)?   I'm not sure what the 'as the default policies folder' is implying.  This seems to imply we can change the default.  I believe all custom policies MUST be somewhere under this folder.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @russokj based on this discussion - https://github.com/nginxinc/nalb-shared/issues/1695
There is .json extension validation added to the file path, so if user doesn't give .json to the file path, it will ask to give that and save button will be disabled.
In the UI, it is mentioned as name, hence the same in the documentation.
Users need to set a complete file path either with default '/etc/app_protect/conf' or their own. - @happyhd can add more on this point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops, I was wrong, the filePath must be started with '/etc/app_protect/conf', so no custom file path setting is allowed. How about:
- Enter the Name, File path, your policy content, and then select Save. The File path must be set with "/etc/app_protect/conf/" plus a file name with ".json" extension.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't believe they can set any filepath other than /etc/app_protect/conf/..., right? @happyhd

Proposed changes
Checklist
Before sharing this pull request, I completed the following checklist:
Footnotes
Potentially sensitive information includes personally identify information (PII), authentication credentials, and live URLs. Refer to the style guide for guidance about placeholder content. ↩