Adjust example; update docs

README.md

@@ -29,9 +29,6 @@ Compatibility
 > If you plan to add tracing features to an older NGINX version using our
 > module, please check out [the build section](#build) for guidance.
 
-There are two pre-built versions of the module for each version we support, one
-for amd64 (x86\_64) and another for arm64 (aarch64).
-
 There are two tarballs (the actual executable module and, separately, the debug
 symbols) per each combination of: 1) nginx version, 2) architecture, 3) whether
 AppSec is built in or not.  The main tarball contains a single file,
@@ -65,6 +62,19 @@ default tracing behavior to nginx:
 Custom configuration can be specified via the [datadog\_*](doc/API.md) family of
 directives in nginx's configuration file, or via [environment variables][9].
 
+Enabling AppSec
+---------------
+
+To enable AppSec, besides using the correct binary (the relase artifact with
+"-appsec") in the name, it's necessary to edit the nginx configuration:
+
+* Set `datadog_appsec_enabled yes;`.
+* Define one (or more thread pools).
+* Choose which thread pool AppSec will use, either on a global or a per-location
+  basis.
+
+For more information, see [the documentation](doc/API.md).
+
 Build
 -----
 Requirements:

doc/API.md

@@ -351,6 +351,31 @@ for subrequests.
 Controls whether AppSec can be used in requests (provided that the request is
 mapped to a thread pool).
 
+A basic but full example of a configuration file that enables AppSec is:
+
+```nginx
+thread_pool waf_thread_pool threads=2 max_queue=16;
+
+load_module /path/to/ngx_http_datadog_module.so;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    datadog_agent_url http://agent:8126;
+    datadog_appsec_enabled on;
+    datadog_waf_thread_pool_name waf_thread_pool;
+
+    server {
+        listen 80;
+        location / {
+            proxy_pass http://backend:8080;
+        }
+    }
+}
+```
+
 ### `datadog_waf_thread_pool_name` (AppSec builds)
 
 - **syntax** `datadog_waf_thread_pool_name <pool name>`

example/services/nginx/install_datadog.sh

@@ -12,6 +12,15 @@ get_latest_release() {
   curl --silent "https://api.github.com/repos/$1/releases/latest" | jq --raw-output .tag_name
 }
 
+get_nginx_version() {
+  if ! is_installed nginx; then
+    >&2 echo 'Could not execute nginx binary'
+    exit 1
+  fi
+
+  nginx -version 2>&1 | sed 's@.*/@@'
+}
+
 if [ "$BASE_IMAGE" = '' ]; then
   >&2 echo 'This script expects BASE_IMAGE to be in the environment, e.g. "nginx:1.23.1-alpine" or "amazonlinux:2.0.20220121.0".'
   exit 1
@@ -86,11 +95,9 @@ if ! is_installed nginx; then
   fi
 fi
 
-# TODO(@dmehala): nginx version can be different from the base image
 RELEASE_TAG=$(get_latest_release DataDog/nginx-datadog)
-
-base_image_without_colons=$(echo "$BASE_IMAGE" | tr ':' '_')
-tarball="${base_image_without_colons}-${ARCH}-ngx_http_datadog_module.so.tgz"
+NGINX_VERSION=$(get_nginx_version)
+tarball="ngx_http_datadog_module-appsec-${ARCH}-${NGINX_VERSION}.so.tgz"
 
 wget "https://github.com/DataDog/nginx-datadog/releases/download/$RELEASE_TAG/$tarball"
 tar -xzf "$tarball" -C "$nginx_modules_path"

example/services/nginx/nginx.conf

@@ -1,5 +1,6 @@
 # This is the module that was installed by `install_datadog.sh`.
 load_module modules/ngx_http_datadog_module.so;
+thread_pool waf_thread_pool threads=2 max_queue=5;
 
 events {
     worker_connections  1024;
@@ -11,6 +12,9 @@ http {
 
     datadog_service_name "nginx-datadog-example";
 
+    datadog_appsec_enabled on;
+    datadog_waf_thread_pool_name waf_thread_pool;
+
     server {
         listen 80;