Disabling IP Address Blocking for the Wallarm Scanner¶
Note that if you use the blocking mode of the filter node (the wallarm_mode
directive) by default when detecting malicious requests, you must explicitly specify for the Wallarm scanner a list of IP addresses from which requests should not be blocked.
Suppose the following blocking settings are set in the NGINX configuration file:
geo $wallarm_mode_real {
default block; # Default blocking mode enabled
1.1.1.1/24 monitoring; # Monitoring mode (cancels blocking)
2.2.2.2 off; # Blocking mode for the address disabled
...
}
...
wallarm_mode $wallarm_mode_real;
...
The off
directive is used keep each IP address reserved for the Wallarm scanner from being blocked.
The Wallarm Scanner IP Addresses
Lists of the IP addresses for the scanner:
To avoid overloading the NGINX configuration file, you can make a list of the IP addresses for the scanner in a separate file and then add its contents to the configuration file using the include
directive.
For example, create the /etc/nginx/scanner-ip-list
file:
# The list of the Wallarm scanner IP addresses
3.3.3.3 off;
4.4.4.4 off;
5.5.5.5 off;
...
# Add all the required IP addresses here
Now use the include
directive to include this list in the required block of the configuration file:
geo $wallarm_mode_real {
default block;
1.1.1.1/24 monitoring;
2.2.2.2 off;
include /etc/nginx/scanner-ip-list;
}
...
wallarm_mode $wallarm_mode_real;
Using Additional Traffic Filtering Facilities
Note that if you use additional facilities (software or hardware) to automatically filter and block traffic, it is also recommended that you configure a whitelist with the IP addresses for the Wallarm scanner.