Example of NGINX configuration for traffic mirroring

Starting with NGINX 1.13 you can mirror the traffic to an additional backend. This article provides you with the example configuration required for NGINX to mirror the traffic and for the node to process mirrored traffic.

Step 1: Configure NGINX to mirror the traffic

For NGINX to mirror the traffic:

  1. Configure the ngx_http_mirror_module module by setting the mirror directive in the location or server block.

    The example below will mirror requests received at location / to location /mirror-test.

  2. To send the mirrored traffic to the Wallarm node, list the headers to be mirrored and specify the IP address of the machine with the node in the location that the mirror directive points to.

location / {
        mirror /mirror-test;
        mirror_request_body on;
        root   /usr/share/nginx/html;
        index  index.html index.htm;
}

location /mirror-test {
        # Serve this location only for internal subrequests, not for direct client requests
        internal;
        # <WALLARM_NODE_IP> is a placeholder: the IP address of the machine with the Wallarm node
        proxy_pass http://<WALLARM_NODE_IP>$request_uri;
        proxy_set_header X-SERVER-PORT $server_port;
        proxy_set_header X-SERVER-ADDR $server_addr;
        proxy_set_header HOST $http_host;
        proxy_set_header X-Forwarded-For $realip_remote_addr;
        proxy_set_header X-Forwarded-Port $realip_remote_port;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Request-ID $request_id;
}

Step 2: Configure Wallarm node to filter mirrored traffic

For the Wallarm node to process mirrored traffic, set the following configuration:

wallarm_force server_addr $http_x_server_addr;
wallarm_force server_port $http_x_server_port;
# Change to the address of the mirroring server (<MIRRORING_SERVER_IP> is a placeholder)
set_real_ip_from <MIRRORING_SERVER_IP>;
real_ip_header    X-Forwarded-For;
#real_ip_recursive on;
wallarm_force response_status 0;
wallarm_force response_time 0;
wallarm_force response_size 0;

  • The real_ip_header directive is required to have Wallarm Console display the IP addresses of the attackers.

  • The wallarm_force response_* directives are required to disable analysis of all requests except for copies received from the mirrored traffic.

  • Since malicious requests cannot be blocked, the Wallarm node always analyzes requests in monitoring mode, even if the wallarm_mode directive or Wallarm Cloud sets the safe or regular blocking mode (the only exception is the mode set to off).
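
The two configurations have to agree: every header the node reads through a $http_* variable or real_ip_header must be set in the mirror location, and that location must actually forward the copies. The check below is an added example, not part of the Wallarm documentation or product. The sample configurations, the 192.0.2.10 address and the function names are constructed for illustration, and the internal check follows the example in the NGINX mirror module documentation.

```python
import re

# Constructed samples modelled on the two steps above; 192.0.2.10 is a placeholder.
MIRROR_CONF = """
location / { mirror /mirror-test; mirror_request_body on; }
location /mirror-test {
    internal;
    proxy_pass http://192.0.2.10$request_uri;
    proxy_set_header X-SERVER-PORT $server_port;
    proxy_set_header X-SERVER-ADDR $server_addr;
    proxy_set_header X-Forwarded-For $realip_remote_addr;
}
"""
NODE_CONF = """
wallarm_force server_addr $http_x_server_addr;
wallarm_force server_port $http_x_server_port;
real_ip_header X-Forwarded-For;
"""

def directives(text):
    """Split a flat run of directives into (name, args) pairs, ignoring # comments."""
    text = re.sub(r"#[^\n]*", "", text)
    return [tuple((s.split(None, 1) + [""])[:2]) for s in text.split(";") if s.strip()]

def headers_needed(node_conf):
    """Lower-cased request headers the node reads (real_ip_header, $http_* variables)."""
    d = directives(node_conf)
    need = {a.lower() for n, a in d if n == "real_ip_header"}
    return need | {v.replace("_", "-") for _, a in d for v in re.findall(r"\$http_(\w+)", a)}

def lint(mirror_conf, node_conf):
    """Return problems found; handles flat location blocks with plain prefix paths only."""
    conf = re.sub(r"#[^\n]*", "", mirror_conf)
    locs = {p: directives(b) for p, b in
            re.findall(r"location\s+(\S+)\s*\{([^{}]*)\}", conf)}
    targets = set(re.findall(r"\bmirror\s+([^\s;]+)\s*;", conf)) - {"off"}
    problems = []
    for t in sorted(targets):
        if t not in locs:
            problems.append(f"{t}: mirror target has no location block")
            continue
        names = {n for n, _ in locs[t]}
        if "proxy_pass" not in names:
            problems.append(f"{t}: no proxy_pass, copies never reach the node")
        if "internal" not in names:
            problems.append(f"{t}: not internal, clients can request it directly")
        sent = {a.split()[0].lower() for n, a in locs[t] if n == "proxy_set_header"}
        problems += [f"{t}: {h} is read by the node but not set"
                     for h in sorted(headers_needed(node_conf) - sent)]
    return problems
```

Calling lint(MIRROR_CONF, NODE_CONF) returns an empty list for the constructed samples; each string in a non-empty result names the mirror location and the setting that is missing.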

Processing of mirrored traffic is supported only by the NGINX-based nodes. You can set the provided configuration as follows:

  • If installing the node from DEB/RPM packages - in the /etc/nginx/conf.d/default.conf NGINX configuration file.

  • If deploying the node from the AWS or GCP cloud image - in the /etc/nginx/nginx.conf NGINX configuration file.

  • If deploying the node from the Docker image - mount the file with the provided configuration to the container.

  • If running the node as Ingress controller - mount the ConfigMap with the provided configuration to a pod.