Configuring access rights to files needed for node operation¶

The wallarm-worker and nginx services are usually automatically provided with the permission to read the content of the files needed for the filtering node operation, such as proton.db and custom ruleset file. However, if testing shows no access, read the description below of how the permissions are provided and how they can be configured manually.

Configuring file access¶

Parameters providing the access to files needed for the node operation may be set explicitly in the node.yaml file. This file is automatically created after running the register-node script. Default path to the file is /etc/wallarm/node.yaml. This path can be changed via the wallarm_api_conf directive.

The node.yaml file may contain the following file access parameters:

Parameter	Description
`syncnode.owner`	Owner for the files needed for the filtering node operation.
`syncnode.group`	Group for the files needed for the filtering node operation.
`syncnode.mode`	Access rights to the files needed for the filtering node operation.

The algorithm searches for the file permissions performing the following steps (goes to the next step only if the previous one did not give the result):

Explicitly configured syncnode.(TYPE).(user,group,mode) parameters in the node.yaml file.

(TYPE) allows you to specify the particular file the parameter is set for. Possible values are proton.db or lom.

lom value meaning

Pay your attention that the lom value points to the custom ruleset file /etc/wallarm/custom_ruleset.
Explicitly configured syncnode.(user,group,mode) parameters in the node.yaml file.
For NGINX-based installation, value of the nginx_group in the /usr/share/wallarm-common/engine/* file.

All installed engine packages provide the file /usr/share/wallarm-common/engine/* containing nginx_group=<VALUE>.

Each package with the module sets the value for the group parameter depending on the NGINX for which it was intended:
- The modules for NGINX from nginx.org set group to nginx.
- The modules for NGINX distributives set group to www-data.
- The custom modules use values provided by a client.
Defaults:
- owner: root
- group: wallarm
- mode: 0640

Note that you only need to configure access rights explicitly if the result achieved by the algorithm automatically does not suit your needs. After configuring access rights, make sure that the wallarm-worker and nginx services can read the content of the files needed for the filtering node operation.

Configuration example¶

Note that besides file access parameters (syncnode section, described in this article), the node.yaml file will also contain parameters providing filtering node the access to the Cloud (general and api sections).

Example of the valid node.yaml contents:

hostname: example-node-name
uuid: ea1xa0xe-xxxx-42a0-xxxx-b1b446xxxxxx
secret: b827axxxxxxxxxxxcbe45c855c71389a2a5564920xxxxxxxxxxxxxxxxxxc4613260

api:
    host: api.wallarm.com
    port: 443
    ca_verify: true

syncnode:
    owner: root
    group: wallarm
    mode: 0640