nginx · dhurley · Mar 4, 2025 · Nov 13, 2024 · Nov 13, 2024 · Nov 18, 2024
diff --git a/api/grpc/mpi/v1/command.pb.go b/api/grpc/mpi/v1/command.pb.go
diff --git a/api/grpc/mpi/v1/command.pb.validate.go b/api/grpc/mpi/v1/command.pb.validate.go
diff --git a/api/grpc/mpi/v1/command.proto b/api/grpc/mpi/v1/command.proto
@@ -273,6 +273,8 @@ message InstanceMeta {
         INSTANCE_TYPE_NGINX_PLUS = 3;
         // NGINX Unit
         INSTANCE_TYPE_UNIT = 4;
+        // NGINX App Protect
+        INSTANCE_TYPE_NGINX_APP_PROTECT = 5;
     }
     // the types of instances possible
     InstanceType instance_type = 2;
@@ -296,13 +298,15 @@ message InstanceRuntime {
     // the binary path location
     string binary_path = 2 [(buf.validate.field).string.prefix = "/"];
     // the config path location
-    string config_path = 3 [(buf.validate.field).string.prefix = "/"];
+    string config_path = 3 [(buf.validate.field).string.pattern = "^\\/.*|^$"];
     // more detailed runtime objects
     oneof details {
         // NGINX runtime configuration settings like stub_status, usually read from the NGINX config or NGINX process
         NGINXRuntimeInfo nginx_runtime_info = 4;
         // NGINX Plus runtime configuration settings like api value, usually read from the NGINX config, NGINX process or NGINX Plus API
         NGINXPlusRuntimeInfo nginx_plus_runtime_info = 5;
+        // NGINX App Protect runtime information
+        NGINXAppProtectRuntimeInfo nginx_app_protect_runtime_info = 7;
     }
     // List of worker processes
     repeated InstanceChild instance_children = 6;
@@ -350,6 +354,16 @@ message APIDetails {
     string listen =  2;
 }
 
+// A set of runtime NGINX App Protect settings
+message NGINXAppProtectRuntimeInfo {
+    // NGINX App Protect Release 
+    string release = 1;
+    // Attack signature version
+    string attack_signature_version = 2;
+    // Threat campaign version
+    string threat_campaign_version = 3;
+}
+
 // A set of actions that can be performed on an instance
 message InstanceAction {}
 

diff --git a/docs/proto/protos.md b/docs/proto/protos.md
@@ -65,6 +65,7 @@
     - [InstanceRuntime](#mpi-v1-InstanceRuntime)
     - [ManagementPlaneRequest](#mpi-v1-ManagementPlaneRequest)
     - [MetricsServer](#mpi-v1-MetricsServer)
+    - [NGINXAppProtectRuntimeInfo](#mpi-v1-NGINXAppProtectRuntimeInfo)
     - [NGINXPlusAction](#mpi-v1-NGINXPlusAction)
     - [NGINXPlusRuntimeInfo](#mpi-v1-NGINXPlusRuntimeInfo)
     - [NGINXRuntimeInfo](#mpi-v1-NGINXRuntimeInfo)
@@ -954,6 +955,7 @@ Meta-information relating to the reported instance
 | config_path | [string](#string) |  | the config path location |
 | nginx_runtime_info | [NGINXRuntimeInfo](#mpi-v1-NGINXRuntimeInfo) |  | NGINX runtime configuration settings like stub_status, usually read from the NGINX config or NGINX process |
 | nginx_plus_runtime_info | [NGINXPlusRuntimeInfo](#mpi-v1-NGINXPlusRuntimeInfo) |  | NGINX Plus runtime configuration settings like api value, usually read from the NGINX config, NGINX process or NGINX Plus API |
+| nginx_app_protect_runtime_info | [NGINXAppProtectRuntimeInfo](#mpi-v1-NGINXAppProtectRuntimeInfo) |  | NGINX App Protect runtime information |
 | instance_children | [InstanceChild](#mpi-v1-InstanceChild) | repeated | List of worker processes |
 
 
@@ -992,6 +994,23 @@ The metrics settings associated with origins (sources) of the metrics and destin
 
 
 
+<a name="mpi-v1-NGINXAppProtectRuntimeInfo"></a>
+
+### NGINXAppProtectRuntimeInfo
+A set of runtime NGINX App Protect settings
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| release | [string](#string) |  | NGINX App Protect Release |
+| attack_signature_version | [string](#string) |  | Attack signature version |
+| threat_campaign_version | [string](#string) |  | Threat campaign version |
+
+
+
+
+
+
 <a name="mpi-v1-NGINXPlusAction"></a>
 
 ### NGINXPlusAction
@@ -1209,6 +1228,7 @@ the types of instances possible
 | INSTANCE_TYPE_NGINX | 2 | NGINX |
 | INSTANCE_TYPE_NGINX_PLUS | 3 | NGINX Plus |
 | INSTANCE_TYPE_UNIT | 4 | NGINX Unit |
+| INSTANCE_TYPE_NGINX_APP_PROTECT | 5 | NGINX App Protect |
 
 
 

diff --git a/internal/watcher/health/health_watcher_service.go b/internal/watcher/health/health_watcher_service.go
@@ -59,7 +59,8 @@ func (hw *HealthWatcherService) AddHealthWatcher(instances []*mpi.Instance) {
 			hw.watchers[instance.GetInstanceMeta().GetInstanceId()] = watcher
 		case mpi.InstanceMeta_INSTANCE_TYPE_AGENT:
 		case mpi.InstanceMeta_INSTANCE_TYPE_UNSPECIFIED,
-			mpi.InstanceMeta_INSTANCE_TYPE_UNIT:
+			mpi.InstanceMeta_INSTANCE_TYPE_UNIT,
+			mpi.InstanceMeta_INSTANCE_TYPE_NGINX_APP_PROTECT:
 			fallthrough
 		default:
 			slog.Warn("Health watcher not implemented", "instance_type",

diff --git a/internal/watcher/instance/instance_watcher_service.go b/internal/watcher/instance/instance_watcher_service.go
@@ -13,13 +13,15 @@ import (
 	"sync"
 	"time"
 
+	"github.com/nginx/agent/v3/pkg/nginxprocess"
+
 	mpi "github.com/nginx/agent/v3/api/grpc/mpi/v1"
+	"github.com/nginx/agent/v3/internal/watcher/process"
+
 	"github.com/nginx/agent/v3/internal/config"
 	"github.com/nginx/agent/v3/internal/datasource/host/exec"
 	"github.com/nginx/agent/v3/internal/logger"
 	"github.com/nginx/agent/v3/internal/model"
-	"github.com/nginx/agent/v3/internal/watcher/process"
-	"github.com/nginx/agent/v3/pkg/nginxprocess"
 )
 
 const defaultAgentPath = "/run/nginx-agent"
@@ -40,16 +42,17 @@ type (
 	}
 
 	InstanceWatcherService struct {
-		processOperator           process.ProcessOperatorInterface
-		nginxConfigParser         nginxConfigParser
-		executer                  exec.ExecInterface
-		agentConfig               *config.Config
-		instanceCache             map[string]*mpi.Instance
-		nginxConfigCache          map[string]*model.NginxConfigContext
-		instancesChannel          chan<- InstanceUpdatesMessage
-		nginxConfigContextChannel chan<- NginxConfigContextMessage
-		processParsers            []processParser
-		cacheMutex                sync.Mutex
+		processOperator              process.ProcessOperatorInterface
+		nginxConfigParser            nginxConfigParser
+		executer                     exec.ExecInterface
+		agentConfig                  *config.Config
+		instanceCache                map[string]*mpi.Instance
+		nginxConfigCache             map[string]*model.NginxConfigContext
+		instancesChannel             chan<- InstanceUpdatesMessage
+		nginxConfigContextChannel    chan<- NginxConfigContextMessage
+		nginxParser                  processParser
+		nginxAppProtectProcessParser processParser
+		cacheMutex                   sync.Mutex
 	}
 
 	InstanceUpdates struct {
@@ -71,16 +74,15 @@ type (
 
 func NewInstanceWatcherService(agentConfig *config.Config) *InstanceWatcherService {
 	return &InstanceWatcherService{
-		agentConfig:     agentConfig,
-		processOperator: process.NewProcessOperator(),
-		processParsers: []processParser{
-			NewNginxProcessParser(),
-		},
-		nginxConfigParser: NewNginxConfigParser(agentConfig),
-		instanceCache:     make(map[string]*mpi.Instance),
-		cacheMutex:        sync.Mutex{},
-		nginxConfigCache:  make(map[string]*model.NginxConfigContext),
-		executer:          &exec.Exec{},
+		agentConfig:                  agentConfig,
+		processOperator:              process.NewProcessOperator(),
+		nginxParser:                  NewNginxProcessParser(),
+		nginxAppProtectProcessParser: NewNginxAppProtectProcessParser(),
+		nginxConfigParser:            NewNginxConfigParser(agentConfig),
+		instanceCache:                make(map[string]*mpi.Instance),
+		cacheMutex:                   sync.Mutex{},
+		nginxConfigCache:             make(map[string]*model.NginxConfigContext),
+		executer:                     &exec.Exec{},
 	}
 }
 
@@ -245,7 +247,7 @@ func (iw *InstanceWatcherService) instanceUpdates(ctx context.Context) (
 	instanceUpdates InstanceUpdates,
 	err error,
 ) {
-	processes, err := iw.processOperator.Processes(ctx)
+	nginxProcesses, nginxAppProtectProcesses, err := iw.processOperator.Processes(ctx)
 	if err != nil {
 		return instanceUpdates, err
 	}
@@ -255,11 +257,14 @@ func (iw *InstanceWatcherService) instanceUpdates(ctx context.Context) (
 	agentInstance := iw.agentInstance(ctx)
 	instancesFound[agentInstance.GetInstanceMeta().GetInstanceId()] = agentInstance
 
-	for _, parser := range iw.processParsers {
-		instances := parser.Parse(ctx, processes)
-		for _, instance := range instances {
-			instancesFound[instance.GetInstanceMeta().GetInstanceId()] = instance
-		}
+	nginxInstances := iw.nginxParser.Parse(ctx, nginxProcesses)
+	for _, instance := range nginxInstances {
+		instancesFound[instance.GetInstanceMeta().GetInstanceId()] = instance
+	}
+
+	nginxAppProtectInstances := iw.nginxAppProtectProcessParser.Parse(ctx, nginxAppProtectProcesses)
+	for _, instance := range nginxAppProtectInstances {
+		instancesFound[instance.GetInstanceMeta().GetInstanceId()] = instance
 	}
 	newInstances, updatedInstances, deletedInstances := compareInstances(iw.instanceCache, instancesFound)