Upgrading the Docker NGINX- or Envoy-based image¶

These instructions describe the steps to upgrade the running Docker NGINX- or Envoy-based image 4.x to the version 4.10.

Using credentials of already existing Wallarm node

We do not recommend using the already existing Wallarm node of the previous version. Please follow these instructions to create a new filtering node of the version 4.10 and deploy it as the Docker container.

To upgrade the end‑of‑life node (3.6 or lower), please use the different instructions.

Requirements¶

Docker installed on your host system
Access to https://hub.docker.com/r/wallarm/node to download the Docker image. Please ensure the access is not blocked by a firewall
Access to the account with the Administrator role in Wallarm Console in the US Cloud or EU Cloud
Access to https://us1.api.wallarm.com if working with US Wallarm Cloud or to https://api.wallarm.com if working with EU Wallarm Cloud. Please ensure the access is not blocked by a firewall
Access to the IP addresses of Google Cloud Storage listed within the link. When you allowlist, denylist, or graylist entire countries, regions, or data centers instead of individual IP addresses, the Wallarm node retrieves precise IP addresses related to the entries in the IP lists from the aggregated database hosted on Google Storage.

Step 1: Download the updated filtering node image¶

NGINX-based imageEnvoy-based image

docker pull wallarm/node:4.10.4-1

docker pull wallarm/envoy:4.8.0-1

Step 2: Review recent architectural updates (for NGINX-based Docker image)¶

The latest update has introduced architectural changes that may impact users, especially those mounting custom configuration files during container initiation due to alterations in the paths of certain files. Please familiarize yourself with these changes to ensure proper configuration and usage of the new image.

Step 3: Stop the running container¶

docker stop <RUNNING_CONTAINER_NAME>

Step 4: Run the container using the new image¶

Proceed to Wallarm Console → Nodes and create Wallarm node.
Copy the generated token.
Run the updated image using the copied token and making necessary adjustments to the paths for the mounted files if required by the recent changes to the image.

There are two options for running the container using the updated image:
- With the environment variables specifying basic filtering node configuration
  - Instructions for the NGINX-based Docker container →
  - Instructions for the Envoy-based Docker container →
- In the mounted configuration file specifying advanced filtering node configuration
  - Instructions for the NGINX-based Docker container →
  - Instructions for the Envoy-based Docker container →

Step 5: Test the filtering node operation¶

Send the request with test Path Traversal attack to a protected resource address:
```
curl http://localhost/etc/passwd
```
Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.

Step 6: Delete the filtering node of the previous version¶

If the deployed image of the version 4.10 operates correctly, you can delete the filtering node of the previous version in Wallarm Console → Nodes.