تنصيب Wallarm من صورة GCP الآلية¶

هذه المقالة توفر الإرشادات لتنصيب Wallarm على GCP باستخدام الصورة الآلية الرسمية.

حالات الاستخدام¶

Among all supported Wallarm deployment options, GCP Machine Image is recommended for Wallarm deployment in these use cases:

• Your existing infrastructure resides on GCP.

• You aim to deploy a security solution as a separate cloud instance, rather than installing it directly on frontend systems like NGINX.

Requirements¶

• A GCP account

• Access to the account with the Administrator role in Wallarm Console for the US Cloud or EU Cloud

• Access to https://us1.api.wallarm.com:444 for working with US Wallarm Cloud or to https://api.wallarm.com:444 for working with EU Wallarm Cloud. If access can be configured only via the proxy server, then use the instructions

• Access to the IP addresses below for downloading updates to attack detection rules and [API specifications][api-spec-enforcement-docs], as well as retrieving precise IPs for your [allowlisted, denylisted, or graylisted][ip-lists-docs] countries, regions, or data centers

  US CloudEU Cloud

  34.96.64.17
  34.110.183.149
  35.235.66.155
  34.102.90.100
  34.94.156.115
  35.235.115.105
  

  34.160.38.183
  34.144.227.90
  34.90.110.226
  

• Executing all commands on a Wallarm instance as a superuser (e.g. root)

1. Launch a filtering node instance¶

Launch the instance via the Google Cloud UI¶

To launch the filtering node instance via the Google Cloud UI, please open the Wallarm node image on the Google Cloud Marketplace and click GET STARTED.

The instance will launch with a preinstalled filtering node. To see detailed information on launching instances in the Google Cloud, please proceed to the official Google Cloud Platform documentation.

Launch the instance via Terraform or other tools¶

When using a tool like Terraform to launch the filtering node instance using Wallarm GCP image, you may need to provide the name of this image in the Terraform configuration.

• Image name has the following format:

  wallarm-node-195710/wallarm-node-<IMAGE_VERSION>-build
  

• To launch the instance with the filtering node version 5.x, please use the following image name:

  wallarm-node-195710/wallarm-node-6-1-0-20250508-144827
  

To get the image name, you can also follow these steps:

1. Install Google Cloud SDK.

2. Execute the command gcloud compute images list with the following parameters:

   gcloud compute images list --project wallarm-node-195710 --filter="name~'wallarm-node-6-1-*'" --no-standard-images
   

3. Copy the version value from the name of the latest available image and paste the copied value into the provided image name format. For example, the filtering node version 4.10 image will have the following name:

   wallarm-node-195710/wallarm-node-6-1-0-20250508-144827
   

2. Configure the filtering node instance¶

Perform the following actions to configure the launched filtering node instance:

1. Navigate to the VM instances page in the Compute Engine section of the menu.

2. Select the launched filtering node instance and click the Edit button.

3. Allow the required types of incoming traffic by ticking the corresponding checkboxes in the Firewalls setting.

4. If necessary, you can restrict connecting to the instance with the project SSH keys and use a custom SSH key pair for connecting to this instance. To do this, perform the following actions:

   1. Tick the Block project-wide checkbox in the SSH Keys setting.
   2. Click the Show and edit button in the SSH Keys setting to expand the field for entering an SSH key.

   3. Generate a pair of public and private SSH keys. For example, you can use the ssh-keygen and PuTTYgen utilities.

      

   4. Copy an open key in OpenSSH format from the interface of the used key generator (in the current example, the generated public key should be copied from the Public key for pasting into OpenSSH authorized_keys file area of the PuTTYgen interface) and paste it into the field containing the Enter entire key data hint.

   5. Save the private key. It will be required for connecting to the configured instance in the future.

5. Click the Save button at the bottom of the page to apply the changes.

3. Connect to the filtering node instance via SSH¶

To see detailed information about ways of connecting to instances, proceed to this link.

4. Generate a token to connect an instance to the Wallarm Cloud¶

The local Wallarm filtering node needs to connect with the Wallarm Cloud using a Wallarm token of the appropriate type. An API token allows you to create a node group in the Wallarm Console UI, which helps in organizing your node instances effectively.

Generate a token as follows:

5. ربط عقدة التصفية بسحابة Wallarm¶

ترتبط عقدة النموذج السحابي بالسحابة عبر السيناريو cloud-init.py. يقوم هذا السيناريو بتسجيل العقدة مع سحابة Wallarm باستخدام الرمز المقدم، يعينها عالميًا على وضع المراقبة، ويضبط العقدة لتوجيه حركة المرور الشرعية بناءً على علم --proxy-pass. يكتمل الإعداد بإعادة تشغيل NGINX.

قم بتشغيل سيناريو cloud-init.py على النموذج المُنشأ من صورة السحابة كالآتي:

sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/usr/share/wallarm-common/cloud-init.py -t <TOKEN> -m monitoring --proxy-pass <PROXY_ADDRESS> -H us1.api.wallarm.com

sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/usr/share/wallarm-common/cloud-init.py -t <TOKEN> -m monitoring --proxy-pass <PROXY_ADDRESS>

• WALLARM_LABELS='group=<GROUP>' يحدد اسم مجموعة العقد (قائمة أو، إذا لم تكن موجودة، سيتم إنشائها). يطبق هذا فقط إذا كنت تستخدم رمز API.

• <TOKEN> هو قيمة الرمز المنسوخ.

• <PROXY_ADDRESS> هو عنوان لعقدة Wallarm لوكيل حركة المرور الشرعية إليها. يمكن أن يكون عنوان IP لنموذج تطبيق، موازنة حمل، أو اسم DNS، إلخ، بناءً على هندسة الشبكة الخاصة بك.

6. تكوين إرسال حركة المرور إلى نموذج Wallarm¶

Update targets of your load balancer to send traffic to the Wallarm instance. For details, please refer to the documentation on your load balancer.

7. اختبار تشغيل Wallarm¶

1. The request with test Path Traversal attack to an address of either the load balancer or the machine with the Wallarm node:

   curl http://<ADDRESS>/etc/passwd
   

2. Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.
   

   Since Wallarm operates in the monitoring mode, the Wallarm node does not block the attack but registers it.

3. Optionally, test other aspects of the node functioning.

8. تعديل التكوين النهائي للحل المنصب¶

The deployment is now complete. The filtering node may require some additional configuration after deployment.

Wallarm settings are defined using the NGINX directives or the Wallarm Console UI. Directives should be set in the following files on the Wallarm instance:

• /etc/nginx/sites-enabled/default defines the configuration of NGINX

• /etc/nginx/conf.d/wallarm.conf defines the global configuration of Wallarm filtering node

• /etc/nginx/conf.d/wallarm-status.conf defines the filtering node monitoring service configuration

• /opt/wallarm/wstore/wstore.yaml with the postanalytics service (wstore) settings

You can modify the listed files or create your own configuration files to define the operation of NGINX and Wallarm. It is recommended to create a separate configuration file with the server block for each group of the domains that should be processed in the same way (e.g. example.com.conf). To see detailed information about working with NGINX configuration files, proceed to the official NGINX documentation.

Below there are a few of the typical settings that you can apply if needed:

• Wallarm node auto-scaling

• Displaying the client's real IP

• Allocating resources for Wallarm nodes

• Limiting the single request processing time

• Limiting the server reply waiting time

• Limiting the maximum request size

• Wallarm node logging

To apply the settings, restart NGINX on the Wallarm instance:

sudo systemctl restart nginx

Each configuration file change requires NGINX to be restarted to apply it.

هل كانت هذه الصفحة مفيدة؟

كيف يمكننا تحسين هذه المقالة؟ (خياري)

المعلومات غير واضحة أو محيرة

معلومات غير كافية

معلومات قديمة أو غير صحيحة

0/240

يرسل