نشر Wallarm OOB من صورة أمازون¶

توفر هذه المقالة التعليمات لنشر Wallarm OOB على AWS باستخدام الصورة الرسمية لآلة أمازون (AMI). الحل الموصوف هنا مصمم لتحليل حركة المرور المعكوسة بواسطة الويب أو خادم الوكيل.

حالات الاستخدام¶

Among all supported Wallarm deployment options, AMI is recommended for Wallarm deployment in these use cases:

• Your existing infrastructure resides on AWS.

• You aim to deploy a security solution as a separate cloud instance, rather than installing it directly on frontend systems like NGINX.

Requirements¶

• An AWS account

• Understanding of AWS EC2, Security Groups

• Any AWS region of your choice, there are no specific restrictions on the region for the Wallarm node deployment

  Wallarm supports both single availability zone (AZ) and multi availability zone deployments. In multi-AZ setups, Wallarm Nodes can be launched in separate availability zones and placed behind a Load Balancer for high availability.

• Access to the account with the Administrator role in Wallarm Console for the US Cloud or EU Cloud

• Executing all commands on a Wallarm instance as a superuser (e.g. root)

• No system user named wallarm exists

Installation¶

1. Launch a Wallarm Node instance¶

Launch an EC2 instance using the Wallarm NGINX Node AMI.

Recommended configuration:

• Latest available [AMI version][latest-node-version]

• Any preferred AWS region

• EC2 instance type: t3.medium (for testing) or m4.xlarge (for production), [see cost guidance for details][aws-costs]

• SSH key pair for accessing the instance

• Appropriate VPC and subnet based on your infrastructure

• Security Group inbound access to ports 22, 80, and 443

  Using a security group preconfigured by Wallarm

  When you deploy the instance and create a security group, AWS prompts you to use the one preconfigured by Wallarm. This group already has all the necessary ports open for inbound access.

  ![!Preconfigured security group][img-security-group]

• Security Group outbound access to:

  • https://meganode.wallarm.com to download the Wallarm installer
  • https://us1.api.wallarm.com for working with US Wallarm Cloud or to https://api.wallarm.com for working with EU Wallarm Cloud. If access can be configured only via the proxy server, then use the instructions

  • IP addresses below for downloading updates to attack detection rules and [API specifications][api-spec-enforcement-docs], as well as retrieving precise IPs for your [allowlisted, denylisted, or graylisted][ip-lists-docs] countries, regions, or data centers

    US CloudEU Cloud

    node-data0.us1.wallarm.com - 34.96.64.17
    node-data1.us1.wallarm.com - 34.110.183.149
    us1.api.wallarm.com - 35.235.66.155
    34.102.90.100
    34.94.156.115
    35.235.115.105
    

    node-data1.eu1.wallarm.com - 34.160.38.183
    node-data0.eu1.wallarm.com - 34.144.227.90
    api.wallarm.com - 34.90.110.226
    

2. Prepare the Wallarm API token¶

The Wallarm node needs to connect to the Wallarm Cloud using a Wallarm token of the appropriate type. An API token allows you to create a node group in the Wallarm Console UI, helping you organize your node instances more effectively.

Generate a token as follows:

3. Store the token in AWS Secrets Manager (recommended)¶

For secure token handling, store the token in AWS Secrets Manager.

The secret must be in the same AWS region as your Wallarm Node EC2 instance.

1. Store the token in AWS Secrets Manager:

   AWS ConsoleAWS CLI

   1. Open the AWS Secrets Manager console.
   2. Click Store a new secret.
   3. Select Other type of secret.
   4. In Key/value pairs, switch to Plaintext and paste your Wallarm API token.
   5. Click Next, set the secret name to wallarm/api-token, then complete the wizard.

   If you have the AWS CLI installed and configured, run the aws secretsmanager command:

   aws secretsmanager create-secret \
     --region <AWS_REGION> \
     --name wallarm/api-token \
     --description "Wallarm node API token" \
     --secret-string "<YOUR_WALLARM_API_TOKEN>"
   

   ![Secret with Wallarm token in AWS Secrets Manager][img-secret-with-wallarm-token]

2. Grant the EC2 instance access to the secret. Create an IAM policy with least-privilege access to the secret, then attach it to the EC2 instance via an IAM role.

   AWS ConsoleAWS CLI

   1. Open the IAM console → Policies and click Create policy.

   2. Switch to the JSON tab and paste the policy.

      {
      "Version": "2012-10-17",
      "Statement": [
          {
          "Effect": "Allow",
          "Action": [
              "secretsmanager:GetSecretValue"
          ],
          "Resource": "arn:aws:secretsmanager:<REGION>:<ACCOUNT_ID>:secret:wallarm/api-token*"
          }
        ]
      }
      

      Replace <REGION> and <ACCOUNT_ID> with your values.

      If the secret is encrypted with a customer managed KMS key (rather than the default AWS managed key), also add kms:Decrypt permission for that key.

   3. Name the policy (e.g., WallarmSecretsReadOnly) and create it.

   4. Open the IAM console → Roles and click Create role.
   5. Select AWS service → EC2 as the trusted entity, then click Next.
   6. Attach the WallarmSecretsReadOnly policy and complete the wizard.
   7. Open the EC2 console, select your Wallarm Node instance, then go to Actions → Security → Modify IAM role and attach the role you created.

   1. Create a trust policy file that allows EC2 to assume the role:

      cat > trust-policy.json << 'EOF'
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "Service": "ec2.amazonaws.com" },
            "Action": "sts:AssumeRole"
          }
        ]
      }
      EOF
      

   2. Create the IAM role and attach the policy:

      aws iam create-role \
        --role-name WallarmNodeRole \
        --assume-role-policy-document file://trust-policy.json
      
      aws iam put-role-policy \
        --role-name WallarmNodeRole \
        --policy-name WallarmSecretsReadOnly \
        --policy-document '{
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": ["secretsmanager:GetSecretValue"],
              "Resource": "arn:aws:secretsmanager:<REGION>:<ACCOUNT_ID>:secret:wallarm/api-token*"
            }
          ]
        }'
      

      Replace <REGION> and <ACCOUNT_ID> with your values.

   3. Create an instance profile and attach the role to your EC2 instance:

      aws iam create-instance-profile \
        --instance-profile-name WallarmNodeProfile
      
      aws iam add-role-to-instance-profile \
        --instance-profile-name WallarmNodeProfile \
        --role-name WallarmNodeRole
      
      aws ec2 associate-iam-instance-profile \
        --instance-id <INSTANCE_ID> \
        --iam-instance-profile Name=WallarmNodeProfile
      

4. Connect to the Wallarm Node instance via SSH¶

Use the selected SSH key to connect to your running EC2 instance:

ssh -i <your-key.pem> admin@<your-ec2-public-ip>

You need to use the admin username to connect to the instance.

6. الاتصال بالنسخة السحابية من Wallarm¶

يتصل عقدة النسخة السحابية بالسحابة من Wallarm عبر السكربت cloud-init.py. يقوم هذا السكريبت بتسجيل العقدة مع السحابة من Wallarm باستخدام الرمز المقدم، ويعمل على تحديدها عالميًا إلى وضع المراقبة، ويقوم بتعيين الأوامر wallarm_force في كتلة location / في NGINX لتحليل نسخ حركة المرور المعكوسة فقط. إعادة تشغيل NGINX تنهي الإعداد.

قم بتشغيل السكريبت cloud-init.py على النسخة المنشأة من الصورة السحابية كما يلي:

sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/usr/share/wallarm-common/cloud-init.py -t <TOKEN> -m monitoring -p mirror -H us1.api.wallarm.com

sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/usr/share/wallarm-common/cloud-init.py -t <TOKEN> -m monitoring -p mirror

• WALLARM_LABELS='group=<GROUP>' يحدد اسم مجموعة العقدة (موجودة، أو، إذا لم تكن موجودة، سيتم إنشاؤها). يتم تطبيقه فقط إذا كان يستخدم رمز API.

• <TOKEN> هو القيمة المنسوخة للرمز.

7. تكوين الويب أو خادم الوكيل لعكس حركة المرور إلى عقدة Wallarm¶

1. قم بتكوين خادم الويب أو الوكيل (مثلاً NGINX، Envoy) لعكس حركة المرور الواردة إلى عقدة Wallarm. للحصول على تفاصيل التكوين، نوصي بالرجوع إلى دليل خادم الويب أو الوكيل.

داخل [الرابط][web-server-mirroring-examples]، ستجد التكوين المثالي لأشهر خوادم الويب والوكلاء (NGINX، Traefik، Envoy).

1. قم بتعيين التكوين التالي في ملف /etc/nginx/sites-enabled/default على النسخة بالعقدة:

   location / {
       include /etc/nginx/presets.d/mirror.conf;
   
       # قم بتغيير 222.222.222.22 إلى عنوان خادم العكس
       set_real_ip_from  222.222.222.22;
       real_ip_header    X-Forwarded-For;
   }
   

   أوامر set_real_ip_from وreal_ip_header مطلوبة لعرض عناوين IP للمخترقين في وحدة تحكم Wallarm.

8. اختبار تشغيل Wallarm¶

1. The request with test Path Traversal attack to an address of either the web or proxy server mirroring traffic or the machine with the Wallarm node:

   curl http://<ADDRESS>/etc/passwd
   

2. Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.
   

Since Wallarm OOB operates in the monitoring mode, the Wallarm node does not block the attack but registers it.

9. ضبط الحل المنشور¶

The deployment is now complete. The filtering node may require some additional configuration after deployment.

Wallarm settings are defined using the NGINX directives or the Wallarm Console UI. Directives should be set in the following files on the Wallarm instance:

• /etc/nginx/sites-enabled/default defines the configuration of NGINX

• /etc/nginx/conf.d/wallarm.conf defines the global configuration of Wallarm filtering node

• /etc/nginx/conf.d/wallarm-status.conf defines the filtering node monitoring service configuration

• /opt/wallarm/wstore/wstore.yaml with the postanalytics service (wstore) settings

You can modify the listed files or create your own configuration files to define the operation of NGINX and Wallarm. It is recommended to create a separate configuration file with the server block for each group of the domains that should be processed in the same way (e.g. example.com.conf). To see detailed information about working with NGINX configuration files, proceed to the official NGINX documentation.

Below there are a few of the typical settings that you can apply if needed:

• Wallarm node auto-scaling

• Displaying the client's real IP

• Allocating resources for Wallarm nodes

• Limiting the single request processing time

• Limiting the server reply waiting time

• Limiting the maximum request size

• Wallarm node logging

To apply the settings, restart NGINX on the Wallarm instance:

sudo systemctl restart nginx

Each configuration file change requires NGINX to be restarted to apply it.

هل كانت هذه الصفحة مفيدة؟

كيف يمكننا تحسين هذه المقالة؟ (خياري)

المعلومات غير واضحة أو محيرة

معلومات غير كافية

معلومات قديمة أو غير صحيحة

0/240

يرسل