
simplify waf setup for nginx/openresty#1070

Merged: buixor merged 5 commits into main from simplify_waf_setup on Apr 22, 2026

Conversation

@buixor (Contributor) commented Apr 21, 2026

No description provided.

@aws-amplify-eu-west-1

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-1070.d1to60jd2gb6y6.amplifyapp.com

@buixor buixor marked this pull request as ready for review April 22, 2026 07:05
Copilot AI review requested due to automatic review settings April 22, 2026 07:05
@buixor buixor merged commit 63e2d7a into main Apr 22, 2026
7 checks passed
@buixor buixor deleted the simplify_waf_setup branch April 22, 2026 07:08

Copilot AI (Contributor) left a comment

Pull request overview

This PR streamlines the AppSec/WAF enablement guidance across Nginx/OpenResty/HAProxy bouncer docs and refreshes several AppSec quickstarts to reduce duplication and make setup more “copy/paste” oriented.

Changes:

  • Updated Nginx/OpenResty/HAProxy SPOA bouncer docs to recommend enabling the WAF and to point readers to the dedicated AppSec quickstarts instead of embedding full steps.
  • Simplified AppSec quickstarts (Nginx/OpenResty, HAProxy SPOA, WordPress, NPMplus) with more direct, step-based instructions and clearer “verify + metrics” sections.
  • Reorganized HAProxy SPOA AppSec forwarding content to emphasize configuration reference + quickstart linkage.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Summary per file:

  • crowdsec-docs/unversioned/bouncers/openresty.mdx: Rewords AppSec/WAF enablement section and points to the Nginx/OpenResty AppSec quickstart.
  • crowdsec-docs/unversioned/bouncers/nginx.mdx: Same as OpenResty: encourages WAF enablement via the dedicated quickstart.
  • crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx: Reframes AppSec forwarding section as config reference and links to HAProxy quickstart.
  • crowdsec-docs/docs/appsec/quickstart/wordpress.mdx: Major rewrite to shorter, step-based setup + verification flow.
  • crowdsec-docs/docs/appsec/quickstart/npmplus.mdx: Simplifies the Docker Compose based flow and verification steps.
  • crowdsec-docs/docs/appsec/quickstart/nginxopenresty.mdx: Condenses setup into 4 steps with idempotent config edit + verification.
  • crowdsec-docs/docs/appsec/quickstart/haproxy_spoa.mdx: Condenses HAProxy SPOA WAF setup and moves limitations into a dedicated section.


Comment on lines +44 to 46
:::warning
Keep `listen_addr` on `127.0.0.1` — the AppSec Component must not be reachable from the internet. It should only be queried by your local WordPress instance.
:::
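Review bot: the warning tells the reader to keep `listen_addr` on `127.0.0.1` but gives no way to confirm that the binding actually took effect after the config change; suggest adding a one-line check to the step, e.g. "after restarting CrowdSec, `ss -ltnp` should show the AppSec listener bound to `127.0.0.1`, not `0.0.0.0` or `*`", so a misconfiguration is caught before the plugin is wired up.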
Copilot AI Apr 22, 2026

The warning to keep listen_addr on 127.0.0.1 conflicts with step 3 where the plugin may need to reach AppSec on a non-local address ("if CrowdSec runs elsewhere"). Suggest rephrasing to: keep AppSec bound to loopback by default, and if WordPress/AppSec are on different hosts, bind AppSec only to a private interface and restrict access with firewall/Docker network rules (never expose it publicly).

Comment on lines +62 to 64
The first two blocks parse NPMplus access logs; the third turns on the AppSec Component on `0.0.0.0:7422` (needed because CrowdSec is inside a container — exposure is still limited to the Docker network, **not** the internet).

:::info
Copilot AI Apr 22, 2026

The text says binding AppSec to 0.0.0.0:7422 in Docker is "not" exposed to the internet, but that depends on the compose file (it becomes internet-reachable if port 7422 is published or host networking is used). Recommend clarifying that listen_addr: 0.0.0.0:7422 is only safe when the container port is not published and access is restricted to the Docker network / firewall rules, and to double-check there is no 7422: port mapping.

Suggested change
The first two blocks parse NPMplus access logs; the third turns on the AppSec Component on `0.0.0.0:7422` (needed because CrowdSec is inside a container — exposure is still limited to the Docker network, **not** the internet).
:::info
The first two blocks parse NPMplus access logs; the third turns on the AppSec Component on `0.0.0.0:7422` so it can be reached from other containers. This is only safe as long as port `7422` is **not** published externally (for example, there is no `7422:` entry in `ports:` and you are not using host networking), and access is restricted to the Docker network and any host firewall rules.
:::info
Double-check your `compose.yaml` does not publish `7422` and that nothing else exposes the AppSec listener outside the Docker network.

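The exposure concern raised in the two review comments above (keep the AppSec listener on loopback, and treat `listen_addr: 0.0.0.0:7422` in Docker as safe only while port `7422` is not published and host networking is not used) can be checked mechanically. The following is an added example, not code from the PR or the CrowdSec project: a standard-library Python script that reads an AppSec acquisition file and a compose file (both constructed inline here) and reports when the listener would be reachable beyond the Docker network. It assumes the short `ports:` syntax of Compose; the long `target:`/`published:` form is not handled.

```python
import re

# Constructed sample inputs (not from the PR): an AppSec acquisition file
# and compose files that keep 7422 private, publish it, or use host networking.
APPSEC_ACQUIS = "listen_addr: 0.0.0.0:7422\nsource: appsec\n"
COMPOSE_PRIVATE = "services:\n  crowdsec:\n    ports:\n      - \"8080:8080\"\n"
COMPOSE_PUBLISHED = COMPOSE_PRIVATE + "      - \"7422:7422\"\n"
COMPOSE_HOSTNET = "services:\n  crowdsec:\n    network_mode: host\n"

LISTEN_RE = re.compile(r"^\s*listen_addr:\s*['\"]?(?P<host>[\w.]+):(?P<port>\d+)['\"]?\s*$", re.M)
# Short port syntax: [host_ip:][host_port:]container_port[/proto]. A dotted IP is
# required for the ip group so "7422:7422" parses as host_port:container_port.
PORT_RE = re.compile(r"^\s*-\s*['\"]?(?:(?P<ip>\d+\.\d+\.\d+\.\d+):)?(?:(?P<hp>\d+):)?(?P<cp>\d+)(?:/\w+)?['\"]?\s*$")

def appsec_listener(acquis_text):
    """Return (host, port) from the listen_addr line, or None if the key is absent."""
    m = LISTEN_RE.search(acquis_text)
    return (m.group("host"), int(m.group("port"))) if m else None

def published_ports(compose_text):
    """Return [(host_ip, container_port)] for each short-syntax entry under a ports: key."""
    found, ports_indent = [], None
    for line in compose_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if ports_indent is not None and indent <= ports_indent:
            ports_indent = None          # left the ports: block
        if re.match(r"^\s*ports:\s*$", line):
            ports_indent = indent
            continue
        m = PORT_RE.match(line) if ports_indent is not None else None
        if m:
            found.append((m.group("ip") or "0.0.0.0", int(m.group("cp"))))
    return found

def exposure_findings(acquis_text, compose_text):
    """List the ways the AppSec listener could be reached from outside the Docker network."""
    listener = appsec_listener(acquis_text)
    if listener is None or listener[0] in ("127.0.0.1", "localhost"):
        return []                        # loopback binding: unreachable from other hosts
    findings = []
    if re.search(r"^\s*network_mode:\s*['\"]?host['\"]?\s*$", compose_text, re.M):
        findings.append("network_mode: host exposes %s:%d on every host interface" % listener)
    for ip, cport in published_ports(compose_text):
        if cport == listener[1] and not ip.startswith("127."):
            findings.append("ports: publishes container port %d on host address %s" % (cport, ip))
    return findings
```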