nginx · russokj · Sep 18, 2025 · Aug 22, 2025 · Aug 22, 2025 · Aug 22, 2025
@@ -25,21 +25,48 @@ The topics below provide information on NGINX configuration restrictions and dir
 NGINX configurations stored in GitHub can be applied to existing NGINXaaS for Azure deployments using custom GitHub Action workflows. See [NGINXaaS for Azure Deployment Action](https://github.com/nginxinc/nginx-for-azure-deploy-action) for documentation and examples on how to incorporate these workflows in your GitHub Actions CI/CD pipelines.
 
 ## NGINX filesystem restrictions
-NGINXaaS for Azure places restrictions on the instance's filesystem; only a specific set of directories are allowed to be read from and written to. Below is a table describing what directories the NGINX worker process can read and write to and what directories files can be written to. These files include certificate files and any files uploaded to the deployment, excluding NGINX configuration files.
 
-  {{<bootstrap-table "table table-striped table-bordered">}}
-  | Allowed Directory | NGINX worker process can read/write to | Files can be written to |
-  |------------------ | ----------------- | ----------------- |
-  | /etc/nginx        |                   | &check;           |
-  | /opt              | &check;           | &check;           |
-  | /srv              | &check;           | &check;           |
-  | /tmp              | &check;           |                   |
-  | /var/cache/nginx  | &check;           |                   |
-  | /var/www          | &check;           | &check;           |
+NGINXaaS for Azure places restrictions on the instance’s filesystem; only a specific set of directories are allowed to be read from and written to. Below is a table describing what directories the NGINX worker process can read and write to and what directories files can be written to. These files include certificate files and any files uploaded to the deployment, excluding NGINX configuration files.
+
+{{<bootstrap-table "table table-striped table-bordered">}}
+
+| Directory         | Master Read | Master Write | Worker Read | Worker Write | Recommended Use                  |
+|-------------------|:-----------:|:------------:|:-----------:|:------------:|----------------------------------|
+| /etc/nginx/       |     ✔️      |      ✔️      |     ❌      |      ❌      | Certificates, keys               |
+| /opt/             |     ✔️      |      ✔️      |     ✔️      |      ❌      | Application files                |
+| /srv/             |     ✔️      |      ✔️      |     ✔️      |      ❌      | Application files                |
+| /var/www/         |     ✔️      |      ✔️      |     ✔️      |      ❌      | Static files (e.g. index.html)   |
+
 {{</bootstrap-table>}}
 
+**Uploaded files can be placed in:**
+
+- `/etc/nginx/` (for certificates, keys)
+- `/opt/` (for application files)
+- `/srv/` (for application files)
+- `/var/www/` (for static files)
+
+
 Attempts to access other directories will be denied and result in a `5xx` error.
 
+### Recommended Directory Layout
+
+- **Certificates/Keys:**  
+  Place in `/etc/nginx/` so only the master process can access them. This prevents worker processes from serving them to the internet.
+
+- **Application Files:**  
+  Place in `/opt/` or `/srv/` for files needed by your application.
+
+- **Static Files:**  
+  Place in `/var/www/` so workers can read (but not write) and serve them.
+
+```plaintext
+/etc/nginx/         # Certificates, keys (master only)
+/opt/               # Application files
+/srv/               # Application files
+/var/www/           # Static files (worker read)
+```
+
 ## Disallowed configuration directives
 Some directives are not supported because of specific limitations. If you include one of these directives in your NGINX configuration, you'll get an error.