nginx
diff --git a/‎deployments/common/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 12 additions & 0 deletions b/‎deployments/common/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎deployments/helm-chart/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 12 additions & 0 deletions b/‎deployments/helm-chart/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎docs/content/configuration/policy-resource.md‎
Lines changed: 7 additions & 4 deletions b/‎docs/content/configuration/policy-resource.md‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎examples/custom-resources/waf/waf.yaml‎
Lines changed: 2 additions & 2 deletions b/‎examples/custom-resources/waf/waf.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎internal/configs/configurator.go‎
Lines changed: 2 additions & 2 deletions b/‎internal/configs/configurator.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎internal/configs/ingress.go‎
Lines changed: 10 additions & 6 deletions b/‎internal/configs/ingress.go‎
Lines changed: 10 additions & 6 deletions
diff --git a/‎internal/configs/version1/templates_test.go‎
Lines changed: 0 additions & 1 deletion b/‎internal/configs/version1/templates_test.go‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎internal/configs/version2/http.go‎
Lines changed: 1 addition & 1 deletion b/‎internal/configs/version2/http.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎internal/configs/version2/nginx-plus.virtualserver.tmpl‎
Lines changed: 6 additions & 2 deletions b/‎internal/configs/version2/nginx-plus.virtualserver.tmpl‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎internal/configs/version2/templates_test.go‎
Lines changed: 1 addition & 1 deletion b/‎internal/configs/version2/templates_test.go‎
Lines changed: 1 addition & 1 deletion
@@ -156,6 +156,18 @@ spec:
                           type: boolean
                         logDest:
                           type: string
+                    securityLogs:
+                      type: array
+                      items:
+                        description: SecurityLog defines the security log of a WAF policy.
+                        type: object
+                        properties:
+                          apLogConf:
+                            type: string
+                          enable:
+                            type: boolean
+                          logDest:
+                            type: string
             status:
               description: PolicyStatus is the status of the policy resource
               type: object
 
@@ -156,6 +156,18 @@ spec:
                           type: boolean
                         logDest:
                           type: string
+                    securityLogs:
+                      type: array
+                      items:
+                        description: SecurityLog defines the security log of a WAF policy.
+                        type: object
+                        properties:
+                          apLogConf:
+                            type: string
+                          enable:
+                            type: boolean
+                          logDest:
+                            type: string
             status:
               description: PolicyStatus is the status of the policy resource
               type: object
 
@@ -355,17 +355,20 @@ For `kubectl get` and similar commands, you can also use the short name `pol` in
 
 The WAF policy configures NGINX Plus to secure client requests using App Protect policies.
 
-For example, the following policy will enable the referenced APPolicy and APLogConf with the configured log destination:
+For example, the following policy will enable the referenced APPolicy. You can configure multiple APLogConfs with log destinations:
 ```yaml
 waf:
   enable: true
   apPolicy: "default/dataguard-alarm"
-  securityLog:
-    enable: true
+  securityLogs:
+  - enable: true
     apLogConf: "default/logconf"
     logDest: "syslog:server=syslog-svc.default:514"
+  - enable: true
+    apLogConf: "default/logconf"
+    logDest: "syslog:server=syslog-svc-secondary.default:514"    
 ```
-
+> Note: The field `waf.securityLog` is deprecated and will be removed in future releases.It will be ignored if `waf.securityLogs` is populated.
 > Note: The feature is implemented using the NGINX Plus [NGINX App Protect Module](https://docs.nginx.com/nginx-app-protect/configuration/).
 
 {{% table %}}
 
@@ -6,7 +6,7 @@ spec:
   waf:
     enable: true
     apPolicy: "default/dataguard-alarm"
-    securityLog:
-      enable: true
+    securityLogs:
+    - enable: true
       apLogConf: "default/logconf"
       logDest: "syslog:server=syslog-svc.default:514"
@@ -125,7 +125,8 @@ type Configurator struct {
 // NewConfigurator creates a new Configurator.
 func NewConfigurator(nginxManager nginx.Manager, staticCfgParams *StaticConfigParams, config *ConfigParams,
 	templateExecutor *version1.TemplateExecutor, templateExecutorV2 *version2.TemplateExecutor, isPlus bool, isWildcardEnabled bool,
-	labelUpdater collector.LabelUpdater, isPrometheusEnabled bool, latencyCollector latCollector.LatencyCollector, isLatencyMetricsEnabled bool) *Configurator {
+	labelUpdater collector.LabelUpdater, isPrometheusEnabled bool, latencyCollector latCollector.LatencyCollector, isLatencyMetricsEnabled bool,
+) *Configurator {
 	metricLabelsIndex := &metricLabelsIndex{
 		ingressUpstreams:             make(map[string][]string),
 		virtualServerUpstreams:       make(map[string][]string),
@@ -1444,7 +1445,6 @@ func (cnf *Configurator) DeleteAppProtectLogConf(resource *unstructured.Unstruct
 func (cnf *Configurator) RefreshAppProtectUserSigs(
 	userSigs []*unstructured.Unstructured, delPols []string, ingExes []*IngressEx, mergeableIngresses []*MergeableIngresses, vsExes []*VirtualServerEx,
 ) (Warnings, error) {
-
 	allWarnings, err := cnf.addOrUpdateIngressesAndVirtualServers(ingExes, mergeableIngresses, vsExes)
 	if err != nil {
 		return allWarnings, err
 
@@ -76,7 +76,8 @@ type MergeableIngresses struct {
 }
 
 func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosResource *appProtectDosResource, isMinion bool,
-	baseCfgParams *ConfigParams, isPlus bool, isResolverConfigured bool, staticParams *StaticConfigParams, isWildcardEnabled bool) (version1.IngressNginxConfig, Warnings) {
+	baseCfgParams *ConfigParams, isPlus bool, isResolverConfigured bool, staticParams *StaticConfigParams, isWildcardEnabled bool,
+) (version1.IngressNginxConfig, Warnings) {
 	hasAppProtect := staticParams.MainAppProtectLoadModule
 	hasAppProtectDos := staticParams.MainAppProtectDosLoadModule
 
@@ -290,7 +291,8 @@ func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosRes
 }
 
 func generateJWTConfig(owner runtime.Object, secretRefs map[string]*secrets.SecretReference, cfgParams *ConfigParams,
-	redirectLocationName string) (*version1.JWTAuth, *version1.JWTRedirectLocation, Warnings) {
+	redirectLocationName string,
+) (*version1.JWTAuth, *version1.JWTRedirectLocation, Warnings) {
 	warnings := newWarnings()
 
 	secretRef := secretRefs[cfgParams.JWTKey]
@@ -326,7 +328,8 @@ func generateJWTConfig(owner runtime.Object, secretRefs map[string]*secrets.Secr
 }
 
 func addSSLConfig(server *version1.Server, owner runtime.Object, host string, ingressTLS []networking.IngressTLS,
-	secretRefs map[string]*secrets.SecretReference, isWildcardEnabled bool) Warnings {
+	secretRefs map[string]*secrets.SecretReference, isWildcardEnabled bool,
+) Warnings {
 	warnings := newWarnings()
 
 	var tlsEnabled bool
@@ -427,7 +430,8 @@ func upstreamRequiresQueue(name string, ingEx *IngressEx, cfg *ConfigParams) (n
 }
 
 func createUpstream(ingEx *IngressEx, name string, backend *networking.IngressBackend, stickyCookie string, cfg *ConfigParams,
-	isPlus bool, isResolverConfigured bool, isLatencyMetricsEnabled bool) version1.Upstream {
+	isPlus bool, isResolverConfigured bool, isLatencyMetricsEnabled bool,
+) version1.Upstream {
 	var ups version1.Upstream
 	labels := version1.UpstreamLabels{
 		Service:           backend.Service.Name,
@@ -534,8 +538,8 @@ func upstreamMapToSlice(upstreams map[string]version1.Upstream) []version1.Upstr
 
 func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, apResources *AppProtectResources,
 	dosResource *appProtectDosResource, baseCfgParams *ConfigParams, isPlus bool, isResolverConfigured bool,
-	staticParams *StaticConfigParams, isWildcardEnabled bool) (version1.IngressNginxConfig, Warnings) {
-
+	staticParams *StaticConfigParams, isWildcardEnabled bool,
+) (version1.IngressNginxConfig, Warnings) {
 	var masterServer version1.Server
 	var locations []version1.Location
 	var upstreams []version1.Upstream
 
@@ -39,7 +39,6 @@ var (
 )
 
 var ingCfg = IngressNginxConfig{
-
 	Servers: []Server{
 		{
 			Name:         "test.example.com",
 
@@ -123,7 +123,7 @@ type WAF struct {
 	Enable              string
 	ApPolicy            string
 	ApSecurityLogEnable bool
-	ApLogConf           string
+	ApLogConf           []string
 }
 
 // Dos defines Dos configuration.
 
@@ -191,7 +191,9 @@ server {
 
         {{ if .ApSecurityLogEnable }}
     app_protect_security_log_enable on;
-    app_protect_security_log {{ .ApLogConf }};
+        {{ range $logconf := .ApLogConf }}
+    app_protect_security_log {{ $logconf }};
+        {{ end }}
         {{ end }}
     {{ end }}
 
@@ -370,7 +372,9 @@ server {
 
             {{ if .ApSecurityLogEnable }}
         app_protect_security_log_enable on;
-        app_protect_security_log {{ .ApLogConf }};
+            {{ range $logconf := .ApLogConf }}
+        app_protect_security_log {{ $logconf }};
+            {{ end }}
             {{ end }}
         {{ end }}
 
 
@@ -150,7 +150,7 @@ var virtualServerCfg = VirtualServerConfig{
 		WAF: &WAF{
 			ApPolicy:            "/etc/nginx/waf/nac-policies/default-dataguard-alarm",
 			ApSecurityLogEnable: true,
-			ApLogConf:           "/etc/nginx/waf/nac-logconfs/default-logconf",
+			ApLogConf:           []string{"/etc/nginx/waf/nac-logconfs/default-logconf"},
 		},
 		Snippets: []string{"# server snippet"},
 		InternalRedirectLocations: []InternalRedirectLocation{
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,6 @@ var (`
`39`	`39`	`)`
`40`	`40`
`41`	`41`	`var ingCfg = IngressNginxConfig{`
`42`		`-`
`43`	`42`	`Servers: []Server{`
`44`	`43`	`{`
`45`	`44`	`Name: "test.example.com",`
Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ type WAF struct {`
`123`	`123`	`Enable string`
`124`	`124`	`ApPolicy string`
`125`	`125`	`ApSecurityLogEnable bool`
`126`		`- ApLogConf string`
	`126`	`+ ApLogConf []string`
`127`	`127`	`}`
`128`	`128`
`129`	`129`	`// Dos defines Dos configuration.`