From f171b1046a29baf47de8f6cecb963a365aedb019 Mon Sep 17 00:00:00 2001 From: Michael Pleshakov Date: Wed, 13 Jan 2021 11:48:17 -0800 Subject: [PATCH 1/2] Document increased reload time for APUserSig --- docs-web/app-protect/configuration.md | 2 ++ docs-web/app-protect/troubleshooting.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docs-web/app-protect/configuration.md b/docs-web/app-protect/configuration.md index c75d23d3e2..1ba1951f74 100644 --- a/docs-web/app-protect/configuration.md +++ b/docs-web/app-protect/configuration.md @@ -128,6 +128,8 @@ spec: You can define App Protect [User Defined Signatures](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-signature-definitions) for your Ingress resources by creating an `APUserSig` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). +> **Note**: `APUserSig` resources increase the reload time of NGINX Plus compared with `APPolicy` and `APLogConf` resources. See [NGINX Fails to Start or Reload](/nginx-ingress-controller/app-protect/troubleshooting/#nginx-fails-to-start-or-reload). + To add the [User Defined Signatures](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-signature-definitions) to an Ingress resource: 1. Create an `APUserSig` Custom resource manifest. diff --git a/docs-web/app-protect/troubleshooting.md b/docs-web/app-protect/troubleshooting.md index 44a3f7d739..7acf6300fc 100644 --- a/docs-web/app-protect/troubleshooting.md +++ b/docs-web/app-protect/troubleshooting.md @@ -130,4 +130,6 @@ This timeout should be more than enough to verify configurations. However, when You can increase this timeout by setting the `nginx-reload-timeout` [cli-argument](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-nginx-reload-timeout). +When using the User Defined Signature feature, an update to an `APUserSig` requires more reload time from NGINX Plus compared with the other AppProtect resources. As a consequence, we recommend increasing the `nginx-reload-timeout` to 30 seconds if you're planning to use this feature. + If you are using external references in your Nginx App Protect policies, verify if the servers hosting the referenced resources are available and that their response time is as short as possible (see the Check the Availability of APPolicy External References section). If the references are not available during the Ingress Controller startup, the pod will fail to start. In case the resources are not available during a reload, the reload will fail, and NGINX Plus will use the previous correct configuration. From d507df8a20fee845e3a7b8c9a015a9602d4de2c6 Mon Sep 17 00:00:00 2001 From: Michael Pleshakov Date: Thu, 14 Jan 2021 14:58:00 -0800 Subject: [PATCH 2/2] Update docs-web/app-protect/configuration.md Co-authored-by: Jodie Putrino --- docs-web/app-protect/configuration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs-web/app-protect/configuration.md b/docs-web/app-protect/configuration.md index 1ba1951f74..fd860e2d07 100644 --- a/docs-web/app-protect/configuration.md +++ b/docs-web/app-protect/configuration.md @@ -128,7 +128,7 @@ spec: You can define App Protect [User Defined Signatures](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-signature-definitions) for your Ingress resources by creating an `APUserSig` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). -> **Note**: `APUserSig` resources increase the reload time of NGINX Plus compared with `APPolicy` and `APLogConf` resources. See [NGINX Fails to Start or Reload](/nginx-ingress-controller/app-protect/troubleshooting/#nginx-fails-to-start-or-reload). +> **Note**: `APUserSig` resources increase the reload time of NGINX Plus compared with `APPolicy` and `APLogConf` resources. Refer to [NGINX Fails to Start or Reload](/nginx-ingress-controller/app-protect/troubleshooting/#nginx-fails-to-start-or-reload) for more information. To add the [User Defined Signatures](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-signature-definitions) to an Ingress resource: @@ -186,4 +186,4 @@ spec: - name: Unix/Linux softwareVersion: 15.1.0 tag: Fruits -``` \ No newline at end of file +```