Blocking with NGINX¶
By default, blocking by IP address is turned off. To activate it, proceed to the following steps:
-
Go to the folder that contains the NGINX configuration files:
-
In the current folder, create a file named
wallarm-acl.confwith the following content:wallarm_acl_db default { wallarm_acl_path <path-to-wallarm-acl-folder>; wallarm_acl_mapsize 64m; } server { listen 127.0.0.9:80; server_name localhost; allow 127.0.0.0/8; deny all; access_log off; location /wallarm-acl { wallarm_acl default; wallarm_acl_api on; } }In the configuration above,
<path-to-wallarm-acl-folder>is a path to an empty directory, in which thenginxuser can create subdirectories and files for storing access control lists.Checking the
nginxuser rightsRun the following command to check whether the
nginxuser has rights to perform actions on the directory:
In this command,
<path-to-directory>is the path to the directory, access to which you need to check.Due to the
sudo -u nginxprefix, this command is executed using thenginxuser.The command first checks whether the user has permission to read the directory (the
[ -r <path-to-directory> ]part). Next, it checks whether the user has permission to write into the directory (the[ -w <path-to-directory> ]part).If the
nginxuser has permission to read and write into the directory specified in the command, the terminal outputs theOKmessage. The specified directory can be used as awallarm_acl_pathvalue.If the
nginxuser does not have the required permission, the terminal output is empty.Example:
Directories that are valid for access control list storage depend on the filter node installation method you used and your OS. The valid directories to specify in the
wallarm_acl_pathdirective are as follows:-
Dynamic NGINX module:
-
Dynamic NGINX module from OS repositories:
-
NGINX Plus module:
-
-
Turn on blocking for the particular vhosts and/or locations by adding the following lines to their configuration files:
-
Add the following lines to the
/etc/wallarm/node.yamlfile: -
Restart NGINX:
-
Activate the denylist synchronization.
One way to do this is to uncomment the line containing
sync-blacklistas a substring in the/etc/cron.d/wallarm-node-nginxfile by removing the#symbol at the beginning of the line.You can also do this by running the following command:
Using the
sedcommandSed is a stream editor.
By default, sed writes to standard output. The
-ioption means that the file will be edited in-place.The
-eEoption comprises two options:- The
-eoption means the following:- The first non‑option parameter will be used as a script to run on the input.
- The second non‑option parameter will be used as an input file.
- The
-Eoption means that the script following this option uses the extended regular expression syntax.
The script that follows the options replaces the lines that satisfy the
^#(.*sync-blacklist.*)regular expression with the string that satisfies the subexpression in parenthesis in the/etc/cron.d/wallarm-node-nginxfile. The\1back‑reference of the sed command means that the subexpression in the first parenthesis should be used as a replacement.The line that satisfies the
^#(.*sync-blacklist.*)regular expression
* starts with the#symbol.
* containssync-blacklistas a substring.The replacement for the described line is the substring of this line without the
#symbol at the beginning of the line.This command uncomments the line that enables denylist synchronization. Thus, the denylist synchronization will be activated.
You can learn more about sed by proceeding with the link.
- The
-
You can add IP addresses to the allowlist to skip checking of the denylist upon receiving a request from them. For example, the following lines in the vhost or location configuration file add the
1.2.3.4/32IP address pool to its allowlist:After saving the edited configuration file, please do not forget to restart NGINX: