Deploying as an Amazon Machine Image (AMI)

To deploy an Amazon Machine Image with a filter node, perform the following steps:

  1. Log in to your Amazon Web Services account.
  2. Create a pair of SSH keys.
  3. Create a security group.
  4. Launch a filter node instance.
  5. Connect to the filter node instance via SSH.
  6. Connect the filter node to the Wallarm Cloud.
  7. Set up the filter node for using a proxy server.
  8. Set up filtering and proxying rules.
  9. Allocate instance memory for the Wallarm Node.
  10. Restart NGINX.

1. Log In to Your Amazon Web Services Account

Log in to aws.amazon.com.

2. Create a Pair of SSH Keys

During the deploying process, you will need to connect to the virtual machine via SSH. Amazon EC2 allows creating a named pair of public and private SSH keys that can be used to connect to the instance.

To create a key pair, do the following:

  1. Navigate to the “Key pairs” tab on the Amazon EC2 dashboard.
  2. Click the “Create Key Pair” button.
  3. Enter a key pair name and click the “Create” button.

A private SSH key in PEM format will automatically start to download. Save the key to connect to the created instance in the future.

Creating SSH keys

To see detailed information about creating SSH keys, proceed to this link.

3. Create a Security Group

A Security Group defines allowed and forbidden incoming and outgoing connections for virtual machines. The final list of connections depends on the protected application (e.g., allowing all of the incoming connections to the TCP\80 and TCP\443 ports).

Rules for outgoing connections from the security group

When creating a security group, all of the outgoing connections are allowed by default. If you restrict outgoing connections from the filter node, make sure that it is granted access to a Wallarm API server. The choice of a Wallarm API server depends on the Wallarm Cloud you are using:

  • If you are using the EU cloud, your node needs to be granted access to api.wallarm.com:444.
  • If you are using the US cloud, your node needs to be granted access to us1.api.wallarm.com:444.

The filter node requires access to a Wallarm API server for proper operation.

Create a security group for the filter node. To do this, proceed with the following steps:

  1. Navigate to the “Security Groups” tab on the Amazon EC2 dashboard and click the “Create Security Group” button.
  2. Enter a security group name and an optional description into the dialog window that appears.
  3. Select the required VPC.
  4. Configure incoming and outgoing connections rules on the “Inbound” and “Outbound” tabs.
  5. Click the “Create” button to create the security group.

Creating a security group

To see detailed information about creating a security group, proceed to this link.

4. Launch a Filter Node Instance

To launch an instance with the filter node, proceed to this link.

When creating an instance, you need to specify the previously created security group. To do this, perform the following actions:

  1. While working with the Launch Instance Wizard, proceed to the “6. Configure Security Group” instance launch step by clicking the corresponding tab.
  2. Choose the “Select an existing security group” option in the “Assign a security group” setting.
  3. Select the security group from the list that appears.

After specifying all of the required instance settings, click the “Review and Launch” button, make sure that instance is configured correctly, and click the “Launch” button.

In the window that appears, specify the previously created key pair by performing the following actions:

  1. In the first drop-down list, select the “Choose an existing key pair” option.
  2. In the second drop-down list, select the name of the key pair.
  3. Make sure you have access to the private key in PEM format from the key pair you specified in the second drop-down list and tick the checkbox to confirm this.
  4. Click the “Launch Instances” button.

The instance will launch with the preinstalled filter node.

To see detailed information about launching instances in AWS, proceed to this link.

5. Connect to the Filter Node Instance via SSH

You need to use the admin username to connect to the instance.

Using the key to connect via SSH

Use the private key in PEM format that you created earlier to connect to the instance via SSH. This must be the private key from the SSH key pair that you specified when creating an instance.

To see detailed information about ways to connect to an instance, proceed to this link.

6. Connect the Filter Node to the Wallarm Cloud

The filter node interacts with the Wallarm cloud. There are two ways of connecting the node to the cloud:

Required access rights

Make sure that your Wallarm account has the Administrator role enabled and two-factor authentication disabled, therefore allowing you to connect a filter node to the cloud.

You can check the aforementioned parameters by navigating to the user account list in the Wallarm console.

User list in Wallarm console

Connecting Using the Filter Node Token

To connect the node to the cloud using the token, proceed with the following steps:

  1. Create a new node on the Nodes tab of Wallarm web interface.
    1. Click the Create new node button.
    2. In the form that appears, enter the node name into the corresponding field and select the Cloud type of installation from the drop-down list.
    3. Click the Create button.
  2. In the window that appears, click the Copy button next to the field with the token to add the token of the newly created filter node to your clipboard.
  3. On the virtual machine run the addcloudnode script:

    You have to pick which script to run depending on the Cloud you are using.

    EU Cloud
    US Cloud
    # /usr/share/wallarm-common/addcloudnode
    
    # /usr/share/wallarm-common/addcloudnode -H us1.api.wallarm.com
    

  4. Paste the filter node token from your clipboard.

Your filter node will now synchronize with the cloud every 5 seconds according to the default synchronization configuration.

Node and cloud synchronization configuration

After running the addcloudnode script, the /etc/wallarm/syncnode file containing the node and cloud synchronization settings will be created.

To learn more about synchronization configuration file content, proceed to the link.

Connecting Using Your Cloud Account Login and Password

To connect the node to the cloud using your cloud account requisites, proceed with the following steps:

  1. On the virtual machine run the addnode script:

    You have to pick which script to run depending on the Cloud you are using.

    EU Cloud
    US Cloud
    # /usr/share/wallarm-common/addnode
    
    # /usr/share/wallarm-common/addnode -H us1.api.wallarm.com
    

  2. Provide your Wallarm account’s login and password when prompted.

API Access

The API choice for your filter node depends on the Cloud you are using. Please, select the API accordingly:

Ensure the access is not blocked by a firewall.

7. Set Up the Filter Node for Using a Proxy Server

This setup step is intended for users who use their own proxy server for the operation of the protected web applications.

If you do not use a proxy server, skip this step of the setup.

You need to assign new values to the environment variables, which define the proxy server used, to configure Wallarm node for using your proxy server.

Add new values of the environment variables to the /etc/environment file:

  • Add https_proxy to define a proxy for the https protocol.
  • Add http_proxy to define a proxy for the http protocol.
  • Add no_proxy to define the list of the resources proxy should not be used for.

Assign the <scheme>://<proxy_user>:<proxy_pass>@<host>:<port> string values to the https_proxy and http_proxy variables.

  • <scheme> defines the protocol used. It should match the protocol that the current environment variable sets up proxy for.
  • <proxy_user> defines the username for proxy authorization.
  • <proxy_pass> defines the password for proxy authorization.
  • <host> defines a host of the proxy server.
  • <port> defines a port of the proxy server.

Assign a "<res_1>, <res_2>, <res_3>, <res_4>, ..." array value, where <res_1>, <res_2>, <res_3>, and <res_4> are the IP addresses and/or domains, to the no_proxy variable to define a list of the resources which proxy should not be used for. This array should consist of IP addresses and/or domains.

Resources that need to be addressed without a proxy

Add the following IP addresses and domain to the list of the resources that have to be addressed without a proxy for the system to operate correctly: 127.0.0.1, 127.0.0.8, 127.0.0.9, and localhost.

The 127.0.0.8 and 127.0.0.9 IP addresses are used for the operation of the Wallarm filter node.

The example of the correct /etc/environment file contents below demonstrates the following configuration:

  • The https and http protocols use the 1.2.3.4 host and the 1234 port for request proxying.
  • The https and http protocols use the admin username and the 01234 password for proxy authorization.
  • Proxying is disabled for the requests sent to 127.0.0.1, 127.0.0.8, 127.0.0.9, and localhost.
https_proxy=http://admin:01234@1.2.3.4:1234
http_proxy=http://admin:01234@1.2.3.4:1234
no_proxy="127.0.0.1, 127.0.0.8, 127.0.0.9, localhost"

8. Set Up Filtering and Proxying Rules

The etc/nginx/conf.d directory contains NGINX and Wallarm filter node configuration files.

By default, this directory contains the following configuration files:

  • The default.conf file defines the configuration of NGINX.
  • The wallarm.conf file defines the global configuration of Wallarm filter node.
  • The wallarm-status.conf file defines the Wallarm monitoring configuration.

You can create your own configuration files to define the operation of NGINX and Wallarm. It is recommended to create a separate configuration file with the server block for each group of the domains that should be processed in the same way.

To see detailed information about working with NGINX configuration files, proceed to the official NGINX documentation.

Wallarm directives define the operation logic of the Wallarm filter node. To see the list of Wallarm directives available, proceed to the Wallarm configuration options page.

A Configuration File Example

Let us suppose that you need to configure the server to work in the following conditions:

  • Only HTTP traffic is processed. There are no HTTPS requests processed.
  • The following domains receive the requests: example.com and www.example.com.
  • All requests must be passed to the server 10.80.0.5.
  • All incoming requests are considered less than 1MB in size (default setting).
  • The processing of a request takes no more than 60 seconds (default setting).
  • Wallarm must operate in the monitor mode.
  • Clients access the filter node directly, without an intermediate HTTP load balancer.

Creating a configuration file

You can create a custom NGINX configuration file (e.g. example.com.conf) or modify the default NGINX configuration file (default.conf).

When creating a custom configuration file, make sure that NGINX listens to the incoming connections on the free port.

To meet the listed conditions, the contents of the configuration file must be the following:


    server {
      listen 80;
      listen [::]:80 ipv6only=on;

      # the domains for which traffic is processed
      server_name example.com; 
      server_name www.example.com;

      # turn on the monitoring mode of traffic processing
      wallarm_mode monitoring; 
      # wallarm_instance 1;

      location / {
        # setting the address for request forwarding
        proxy_pass http://10.80.0.5; 
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }
    }

9. Instance Memory Allocation for the Wallarm Node

Filter node uses the in-memory storage Tarantool.

By default, the amount of RAM allocated to Tarantool is 75% of the total instance memory.

You can change the amount of RAM allocated for Tarantool

To allocate the instance RAM to Tarantool:

  1. Open the Tarantool configuration file:

    # vi /etc/default/wallarm-tarantool
    
  2. Set the amount of allocated RAM in the SLAB_ALLOC_ARENA in GB. For example, to set 24 GB:

    SLAB_ALLOC_ARENA=24

  3. To apply changes, restart the Tarantool daemon:

    # systemctl restart wallarm-tarantool
    

10. Restart NGINX

Restart NGINX by running the following command:

# systemctl restart nginx

The Installation Is Complete

The installation is now complete.

Check that the filter node runs and filters the traffic. See Check the filter node operation.

results matching ""

    No results matching ""