From f7555651a83a2cb4394c4a578a3f507ba21f5dd7 Mon Sep 17 00:00:00 2001 From: "r.rana1" Date: Fri, 22 Aug 2025 10:49:43 +0530 Subject: [PATCH 1/3] clarify allowed upload directories --- .../nginx-configuration/overview.md | 47 +++++++++++++++---- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/content/nginxaas-azure/getting-started/nginx-configuration/overview.md b/content/nginxaas-azure/getting-started/nginx-configuration/overview.md index 6d3f4910a..fce6392fc 100644 --- a/content/nginxaas-azure/getting-started/nginx-configuration/overview.md +++ b/content/nginxaas-azure/getting-started/nginx-configuration/overview.md 
@@ -25,21 +25,48 @@ The topics below provide information on NGINX configuration restrictions and dir NGINX configurations stored in GitHub can be applied to existing NGINXaaS for Azure deployments using custom GitHub Action workflows. See [NGINXaaS for Azure Deployment Action](https://github.com/nginxinc/nginx-for-azure-deploy-action) for documentation and examples on how to incorporate these workflows in your GitHub Actions CI/CD pipelines. ## NGINX filesystem restrictions -NGINXaaS for Azure places restrictions on the instance's filesystem; only a specific set of directories are allowed to be read from and written to. Below is a table describing what directories the NGINX worker process can read and write to and what directories files can be written to. These files include certificate files and any files uploaded to the deployment, excluding NGINX configuration files. - {{}} - | Allowed Directory | NGINX worker process can read/write to | Files can be written to | - |------------------ | ----------------- | ----------------- | - | /etc/nginx | | ✓ | - | /opt | ✓ | ✓ | - | /srv | ✓ | ✓ | - | /tmp | ✓ | | - | /var/cache/nginx | ✓ | | - | /var/www | ✓ | ✓ | +NGINXaaS for Azure places restrictions on the instance’s filesystem; only a specific set of directories are allowed to be read from and written to. Below is a table describing what directories the NGINX worker process can read and write to and what directories files can be written to. These files include certificate files and any files uploaded to the deployment, excluding NGINX configuration files. 
+ +{{}} + +| Directory | Master Read | Master Write | Worker Read | Worker Write | Recommended Use | +|-------------------|:-----------:|:------------:|:-----------:|:------------:|----------------------------------| +| /etc/nginx/ | ✔️ | ✔️ | ❌ | ❌ | Certificates, keys | +| /opt/ | ✔️ | ✔️ | ✔️ | ❌ | Application files | +| /srv/ | ✔️ | ✔️ | ✔️ | ❌ | Application files | +| /var/www/ | ✔️ | ✔️ | ✔️ | ❌ | Static files (e.g. index.html) | + {{}} +**Uploaded files can be placed in:** + +- `/etc/nginx/` (for certificates, keys) +- `/opt/` (for application files) +- `/srv/` (for application files) +- `/var/www/` (for static files) + + Attempts to access other directories will be denied and result in a `5xx` error. +### Recommended Directory Layout + +- **Certificates/Keys:** + Place in `/etc/nginx/` so only the master process can access them. This prevents worker processes from serving them to the internet. + +- **Application Files:** + Place in `/opt/` or `/srv/` for files needed by your application. + +- **Static Files:** + Place in `/var/www/` so workers can read (but not write) and serve them. + +```plaintext +/etc/nginx/ # Certificates, keys (master only) +/opt/ # Application files +/srv/ # Application files +/var/www/ # Static files (worker read) +``` + ## Disallowed configuration directives Some directives are not supported because of specific limitations. If you include one of these directives in your NGINX configuration, you'll get an error. From 2b15838d2a3c22891fa94fa18379f69cfa13b9c5 Mon Sep 17 00:00:00 2001 From: "r.rana1" Date: Fri, 22 Aug 2025 19:38:03 +0530 Subject: [PATCH 2/3] add missing worker-writable directories --- .../nginx-configuration/overview.md | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/content/nginxaas-azure/getting-started/nginx-configuration/overview.md b/content/nginxaas-azure/getting-started/nginx-configuration/overview.md index fce6392fc..504144755 100644 
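Review bot: The [PATCH 1/3] hunk at `@@ -25,21 +25,48 @@` changes documented permissions while the commit message says "clarify": the replaced table had `/opt`, `/srv` and `/var/www` as worker read/write (`✓`), the new table marks Worker Write `❌` for all three, and `/tmp` and `/var/cache/nginx` (worker read/write in the old table) disappear from the new one altogether. If the old table was wrong, say so in the commit message; if the worker can still write to those paths, the rows need to stay. The intro sentence kept above the table ("Below is a table describing what directories the NGINX worker process can read and write to and what directories files can be written to") also no longer matches the new Master Read / Master Write columns and should be reworded to cover both the master and worker processes; as it stands the only edit to that line is a straight-to-curly apostrophe.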
--- a/content/nginxaas-azure/getting-started/nginx-configuration/overview.md +++ b/content/nginxaas-azure/getting-started/nginx-configuration/overview.md @@ -36,6 +36,8 @@ NGINXaaS for Azure places restrictions on the instance’s filesystem; only a sp | /opt/ | ✔️ | ✔️ | ✔️ | ❌ | Application files | | /srv/ | ✔️ | ✔️ | ✔️ | ❌ | Application files | | /var/www/ | ✔️ | ✔️ | ✔️ | ❌ | Static files (e.g. index.html) | +| /tmp/ | ✔️ | ✔️ | ✔️ | ✔️ | Temporary files | +| /var/cache/nginx/ | ✔️ | ✔️ | ✔️ | ✔️ | Cache data | {{}} 
@@ -46,25 +48,32 @@ NGINXaaS for Azure places restrictions on the instance’s filesystem; only a sp - `/srv/` (for application files) - `/var/www/` (for static files) - Attempts to access other directories will be denied and result in a `5xx` error. ### Recommended Directory Layout - **Certificates/Keys:** - Place in `/etc/nginx/` so only the master process can access them. This prevents worker processes from serving them to the internet. + Place in `/etc/nginx/` so only the master process can access them. This prevents worker processes from reading private keys and potentially serving them to the internet. - **Application Files:** - Place in `/opt/` or `/srv/` for files needed by your application. + Place in `/opt/` or `/srv/` for files needed by your application that workers need to read but not modify. - **Static Files:** - Place in `/var/www/` so workers can read (but not write) and serve them. + Place in `/var/www/` for content like HTML, CSS, and images that workers need to serve but should not modify. + +- **Cache Data:** + Use `/var/cache/nginx/` for NGINX cache storage where workers need both read and write access. + +- **Temporary Files:** + Use `/tmp/` for temporary data that workers may need to create and modify. ```plaintext /etc/nginx/ # Certificates, keys (master only) -/opt/ # Application files -/srv/ # Application files -/var/www/ # Static files (worker read) +/opt/ # Application files (worker read-only) +/srv/ # Application files (worker read-only) +/var/www/ # Static files (worker read-only) +/var/cache/nginx/ # Cache data (worker read/write) +/tmp/ # Temporary files (worker read/write) ``` ## Disallowed configuration directives From 89f904c0d5db1fdcf024b76a086853e036c8d5a3 Mon Sep 17 00:00:00 2001 From: "r.rana1" Date: Fri, 22 Aug 2025 20:04:33 +0530 Subject: [PATCH 3/3] add App Protect directory to filesystem --- .../getting-started/nginx-configuration/overview.md | 6 ++++++ 1 file changed, 6 insertions(+) 
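Review bot: In the [PATCH 2/3] hunks at `@@ -36,6 +36,8 @@` and `@@ -46,25 +48,32 @@`, `/tmp/` and `/var/cache/nginx/` are added with Worker Write `✔️` and get "Cache Data" and "Temporary Files" bullets under Recommended Directory Layout, but they are deliberately left out of the "Uploaded files can be placed in:" list, and nothing tells the reader that. Add a sentence after that list stating that `/tmp/` and `/var/cache/nginx/` are runtime directories written by NGINX itself and are not valid upload targets, so that "Use `/tmp/` for temporary data that workers may need to create and modify" is not read as an invitation to upload files there.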
diff --git a/content/nginxaas-azure/getting-started/nginx-configuration/overview.md b/content/nginxaas-azure/getting-started/nginx-configuration/overview.md index 504144755..bce721e49 100644 --- a/content/nginxaas-azure/getting-started/nginx-configuration/overview.md +++ b/content/nginxaas-azure/getting-started/nginx-configuration/overview.md @@ -38,6 +38,7 @@ NGINXaaS for Azure places restrictions on the instance’s filesystem; only a sp | /var/www/ | ✔️ | ✔️ | ✔️ | ❌ | Static files (e.g. index.html) | | /tmp/ | ✔️ | ✔️ | ✔️ | ✔️ | Temporary files | | /var/cache/nginx/ | ✔️ | ✔️ | ✔️ | ✔️ | Cache data | +| /etc/app_protect/ | ✔️ | ✔️ | ✔️ | ❌ | App Protect policies, logs | {{}} @@ -47,6 +48,7 @@ NGINXaaS for Azure places restrictions on the instance’s filesystem; only a sp - `/opt/` (for application files) - `/srv/` (for application files) - `/var/www/` (for static files) +- `/etc/app_protect/` (for App Protect policies and log configurations) Attempts to access other directories will be denied and result in a `5xx` error. @@ -67,6 +69,9 @@ Attempts to access other directories will be denied and result in a `5xx` error. - **Temporary Files:** Use `/tmp/` for temporary data that workers may need to create and modify. +- **App Protect Policies:** + Place in `/etc/app_protect/` for App Protect security policies and log configurations that workers need to read. + ```plaintext /etc/nginx/ # Certificates, keys (master only) /opt/ # Application files (worker read-only) @@ -74,6 +79,7 @@ Attempts to access other directories will be denied and result in a `5xx` error. /var/www/ # Static files (worker read-only) /var/cache/nginx/ # Cache data (worker read/write) /tmp/ # Temporary files (worker read/write) +/etc/app_protect/ # App Protect policies (worker read-only) ``` ## Disallowed configuration directives
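Review bot: The table row added at `@@ -38,6 +38,7 @@` in [PATCH 3/3] is internally inconsistent: its Recommended Use column reads "App Protect policies, logs" while Worker Write is `❌`, and logs need write access. The later hunks describe the same directory as holding "policies and log configurations", which is what a read-only directory can hold, so change the cell to `App Protect policies, log configurations` to match the bullet list, the Recommended Directory Layout entry and the `/etc/app_protect/ # App Protect policies (worker read-only)` line in the layout block.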