Disabling IP Address Blocking for the Wallarm Scanner¶
Note that if you use the blocking mode of the filter node (the wallarm_mode
directive) by default when detecting malicious requests, you must explicitly specify for the Wallarm scanner a list of IP addresses from which requests should not be blocked.
Suppose the following blocking settings are set in the NGINX configuration file:
geo $wallarm_mode_real {
default block; # Default blocking mode enabled
1.1.1.1/24 monitoring; # Monitoring mode (cancels blocking)
2.2.2.2 off; # Blocking mode for the address disabled
...
}
...
wallarm_mode $wallarm_mode_real;
...
The off
directive is used keep each IP address reserved for the Wallarm scanner from being blocked.
The Wallarm Scanner IP Addresses
Lists of the IP addresses for the scanner:
To avoid overloading the NGINX configuration file, you can make a list of the IP addresses for the scanner in a separate file and then add its contents to the configuration file using the include
directive.
For example, create the /etc/nginx/scanner-ip-list
file:
# The list of the Wallarm scanner IP addresses
3.3.3.3 off;
4.4.4.4 off;
5.5.5.5 off;
...
# Add all the required IP addresses here
Now use the include
directive to include this list in the required block of the configuration file:
geo $wallarm_mode_real {
default block;
1.1.1.1/24 monitoring;
2.2.2.2 off;
include /etc/nginx/scanner-ip-list;
}
...
wallarm_mode $wallarm_mode_real;
Using Additional Traffic Filtering Facilities
Note that if you use additional facilities (software or hardware) to automatically filter and block traffic, it is also recommended that you configure an allowlist with the IP addresses for the Wallarm scanner.