Configuring access rights to files needed for node operation
The wallarm-worker and nginx services are usually granted permission automatically to read the files needed for the filtering node operation, such as proton.db and the custom ruleset file. However, if testing shows no access, read the description below of how the permissions are provided and how they can be configured manually.
Configuring file access

Parameters for node operation can be explicitly set in node.yaml, automatically generated by the register-node script.

- For Docker NGINX-based image, cloud image and all-in-one installer installations, find the file at /opt/wallarm/etc/wallarm/node.yaml, unless overridden by the wallarm_api_conf directive.
- For other installations, the node.yaml location may vary or be overridden by the wallarm_api_conf directive. Use search or check the wallarm_api_conf value to locate the file.

The node.yaml file may contain the following file access parameters:

Parameter | Description |
---|---|
syncnode.owner | Owner for the files needed for the filtering node operation. |
syncnode.group | Group for the files needed for the filtering node operation. |
syncnode.mode | Access rights to the files needed for the filtering node operation. |

The algorithm determines the file permissions through the following steps, moving to the next step only if the previous one gave no result:

- Explicitly configured syncnode.(TYPE).(user,group,mode) parameters in the node.yaml file.

  (TYPE) allows you to specify the particular file the parameter is set for. Possible values are proton.db or lom.

  lom value meaning: Note that the lom value points to the custom ruleset file /etc/wallarm/custom_ruleset (/opt/wallarm/etc/wallarm/custom_ruleset for Docker NGINX-based image or all-in-one installer installations).

- Explicitly configured syncnode.(user,group,mode) parameters in the node.yaml file.
- For NGINX-based installation, value of the nginx_group in the /usr/share/wallarm-common/engine/* file.

  All installed engine packages provide the file /usr/share/wallarm-common/engine/* containing nginx_group=<VALUE>.

  Each package with the module sets the value for the group parameter depending on the NGINX for which it was intended:

  - The modules for NGINX from nginx.org set group to nginx.
  - The modules for distribution-provided NGINX set group to www-data.
  - The custom modules use values provided by a client.

- Defaults:
  - owner: root
  - group: wallarm
  - mode: 0640

Note that you only need to configure access rights explicitly if the result achieved by the algorithm automatically does not suit your needs. After configuring access rights, make sure that the wallarm-worker and nginx services can read the content of the files needed for the filtering node operation.

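The lookup order above and the final readability check can be modeled as follows. This is an added example, not Wallarm's code: it assumes the syncnode section is already parsed into a dict with per-file settings nested under the file type, that each field falls through the steps independently, and that the field names follow the parameter table (owner, group, mode).

```python
# Added example: a model of the lookup order described above, not Wallarm's code.
DEFAULTS = {"owner": "root", "group": "wallarm", "mode": 0o640}


def resolve(syncnode, file_type, nginx_group=None):
    """Resolve owner/group/mode for file_type ('proton.db' or 'lom').

    syncnode    -- parsed syncnode section of node.yaml (assumed dict shape:
                   global fields at the top, per-file fields under file_type)
    nginx_group -- the nginx_group=<VALUE> from the engine file, if present
    Assumption: each field is resolved independently through the four steps.
    """
    per_file = syncnode.get(file_type) or {}
    result = {}
    for field in ("owner", "group", "mode"):
        if field in per_file:                    # step 1: per-file setting
            result[field] = per_file[field]
        elif field in syncnode:                  # step 2: global setting
            result[field] = syncnode[field]
        elif field == "group" and nginx_group:   # step 3: engine package group
            result[field] = nginx_group
        else:                                    # step 4: defaults
            result[field] = DEFAULTS[field]
    return result


def can_read(perms, user, user_groups):
    """POSIX read check for a non-root account against resolved permissions.

    Only one permission class applies: owner first, then group, then other.
    """
    mode = perms["mode"]
    if user == perms["owner"]:
        return bool(mode & 0o400)
    if perms["group"] in user_groups:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


if __name__ == "__main__":
    # Constructed input: no syncnode settings, engine file says nginx_group=nginx.
    perms = resolve({}, "proton.db", nginx_group="nginx")
    print(perms["owner"], perms["group"], oct(perms["mode"]))
    # Constructed account "svc" that belongs only to group "nginx".
    print("readable:", can_read(perms, "svc", {"nginx"}))
```

With the defaults alone (root, wallarm, 0640), an account outside the wallarm group gets no read access, which is the case where an explicit syncnode group or mode is needed.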
Configuration example

Note that besides the file access parameters (the syncnode section, described in this article), the node.yaml file will also contain parameters that give the filtering node access to the Cloud (the general and api sections).

Example of the valid node.yaml contents: