Installing as a dynamic module with NGINX from Debian/CentOS repositories

You can install NGINX from the Debian/CentOS repositories.

To install NGINX from the repositories, you must:

  1. Add the Debian/CentOS repositories.
  2. Install NGINX with the Wallarm module.
  3. Configure postanalytics.
  4. Connect the Wallarm module.
  5. Set up the filter node for using a proxy server.
  6. Connect the filter node to the Wallarm cloud.
  7. Configure the server addresses of postanalytics.
  8. Configure the filtration mode.
  9. Restart NGINX.

1. Add the repositories

Depending on your operating system, run one of the following sets of commands:

Debian 8.x (jessie-backports):

    apt-key adv --keyserver keys.gnupg.net --recv-keys 72B865FD
    echo 'deb http://ftp.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list
    echo 'deb http://repo.wallarm.com/debian/wallarm-node jessie/' >/etc/apt/sources.list.d/wallarm.list
    echo 'deb http://repo.wallarm.com/debian/wallarm-node jessie-backports/' >>/etc/apt/sources.list.d/wallarm.list
    apt-get update

Debian 9.x (stretch):

    apt-get install dirmngr
    apt-key adv --keyserver keys.gnupg.net --recv-keys 72B865FD
    echo 'deb http://repo.wallarm.com/debian/wallarm-node stretch/' >/etc/apt/sources.list.d/wallarm.list
    apt-get update

Debian 9.x (stretch-backports):

    apt-get install dirmngr
    apt-key adv --keyserver keys.gnupg.net --recv-keys 72B865FD
    echo 'deb http://repo.wallarm.com/debian/wallarm-node stretch/' >/etc/apt/sources.list.d/wallarm.list
    echo 'deb http://repo.wallarm.com/debian/wallarm-node stretch-backports/' >>/etc/apt/sources.list.d/wallarm.list
    # In /etc/apt/sources.list, uncomment this line:
    #   deb http://deb.debian.org/debian stretch-backports main contrib non-free
    apt-get update

CentOS 6.x:

    yum install --enablerepo=extras -y epel-release centos-release-SCL
    rpm -i https://repo.wallarm.com/centos/wallarm-node/6/x86_64/Packages/wallarm-node-repo-1-2.el6.noarch.rpm

CentOS 7.x:

    yum install -y epel-release
    rpm -i https://repo.wallarm.com/centos/wallarm-node/7/x86_64/Packages/wallarm-node-repo-1-2.el7.centos.noarch.rpm

Repository access

Your system must have access to https://repo.wallarm.com to download the packages. Ensure the access is not blocked by a firewall.

2. Install NGINX with the Wallarm module

Debian 8.x (jessie-backports):

    apt-get install --no-install-recommends nginx wallarm-node libnginx-mod-http-wallarm -t jessie-backports

Debian 9.x (stretch):

    apt-get install --no-install-recommends nginx wallarm-node libnginx-mod-http-wallarm

Debian 9.x (stretch-backports):

    apt-get install --no-install-recommends nginx wallarm-node libnginx-mod-http-wallarm -t stretch-backports

CentOS 6.x and CentOS 7.x:

    yum install nginx wallarm-node nginx-mod-http-wallarm

3. Configure postanalytics

Postanalytics uses the in-memory storage Tarantool.

You must set the amount of server RAM allocated to Tarantool.

The amount of memory determines how well the statistical algorithms work. The recommended value is 75% of the total server memory. For example, if the server has 32 GB of memory, the recommended allocation size is 24 GB.

Allocate memory to Tarantool:

Open the Tarantool configuration file for editing:

Debian 8.x (jessie) and Debian 9.x (stretch):

    vi /etc/default/wallarm-tarantool

CentOS 6.x and CentOS 7.x:

    vi /etc/sysconfig/wallarm-tarantool

Set the allocated memory size in the configuration file of Tarantool via the SLAB_ALLOC_ARENA directive.

For example:

SLAB_ALLOC_ARENA=24

Restart Tarantool:

Debian 8.x (jessie), Debian 9.x (stretch) and CentOS 7.x:

    systemctl restart wallarm-tarantool

CentOS 6.x:

    service wallarm-tarantool restart

4. Connect the Wallarm module

Copy the configuration files for the system setup:

Debian:

    cp /usr/share/doc/libnginx-mod-http-wallarm/examples/*conf /etc/nginx/conf.d/

CentOS:

    cp /usr/share/doc/nginx-mod-http-wallarm/examples/*conf /etc/nginx/conf.d/


5. Set up the filter node for using a proxy server

This step is for users whose protected web applications operate through their own proxy server.

If you do not use a proxy server, skip this step.

To configure the Wallarm node to use your proxy server, assign new values to the environment variables that define the proxy server.

Add the following exports of the new values of the environment variables to the /etc/environment file:

  • Add export https_proxy to define a proxy for the https protocol.
  • Add export http_proxy to define a proxy for the http protocol.
  • Add export no_proxy to define the list of resources for which the proxy should not be used.

Assign the <scheme>://<proxy_user>:<proxy_pass>@<host>:<port> string values to the https_proxy and http_proxy variables.

  • <scheme> defines the protocol used. It should match the protocol for which the current environment variable sets up a proxy.
  • <proxy_user> defines the username for proxy authorization.
  • <proxy_pass> defines the password for proxy authorization.
  • <host> defines the host of the proxy server.
  • <port> defines the port of the proxy server.

Assign to the no_proxy variable a "<res_1>, <res_2>, <res_3>, <res_4>, ..." array value, where <res_1>, <res_2>, <res_3>, and <res_4> are IP addresses and/or domains, to define the list of resources for which the proxy should not be used.

Resources that need to be addressed without a proxy

Add the following IP addresses and domain to the list of the resources that have to be addressed without a proxy for the system to operate correctly: 127.0.0.1, 127.0.0.8, 127.0.0.9, and localhost.

The 127.0.0.8 and 127.0.0.9 IP addresses are used for the operation of the Wallarm filter node.

The example of the correct /etc/environment file contents below demonstrates the following configuration:

  • The https and http protocols use the 1.2.3.4 host and the 1234 port for request proxying.
  • The https and http protocols use the admin username and the 01234 password for proxy authorization.
  • Proxying is disabled for the requests sent to 127.0.0.1, 127.0.0.8, 127.0.0.9, and localhost.

    export https_proxy=http://admin:01234@1.2.3.4:1234
    export http_proxy=http://admin:01234@1.2.3.4:1234
    export no_proxy="127.0.0.1, 127.0.0.8, 127.0.0.9, localhost"
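
A way to check the proxy settings described in this step before moving on, as an added example that is not part of the Wallarm documentation or tooling: it reports which of the required no-proxy addresses are missing and whether a proxy password is embedded in the file, which matters because /etc/environment is normally readable by every local user. The function names and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Wallarm code): audit a proxy configuration file.
# Addresses the page requires to bypass the proxy:
REQUIRED="127.0.0.1 127.0.0.8 127.0.0.9 localhost"

# Print the no_proxy entries of file $1, one per line, quotes and spaces removed.
no_proxy_entries() {
    sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?no_proxy=//p' "$1" |
        tail -n 1 | tr -d "\"' " | tr ',' '\n'
}

# Print each required entry that is absent from no_proxy in file $1.
# grep -x -F: whole-line literal match, so 127.0.0.1 does not match 127.0.0.10.
missing_no_proxy() {
    entries=$(no_proxy_entries "$1")
    for want in $REQUIRED; do
        printf '%s\n' "$entries" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}

# Succeed if an http_proxy/https_proxy value in file $1 embeds user:password@.
proxy_has_credentials() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?https?_proxy=["'\'']?[a-z]+://[^/@:]+:[^/@]+@' "$1"
}

# Constructed sample input: 127.0.0.9 is left out on purpose.
sample=$(mktemp)
cat > "$sample" <<'EOF'
export https_proxy=http://admin:01234@1.2.3.4:1234
export http_proxy=http://admin:01234@1.2.3.4:1234
export no_proxy="127.0.0.1, 127.0.0.8, localhost"
EOF

echo "missing from no_proxy: $(missing_no_proxy "$sample" | tr '\n' ' ')"
if proxy_has_credentials "$sample"; then
    echo "proxy password stored in clear text: check who can read this file"
fi
```

On a filter node, call both functions with /etc/environment instead of the sample file.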

6. Connect the filter node to the Wallarm cloud

The filter node interacts with the Wallarm cloud located on a remote server.

The addnode script connects the filter node to the Wallarm cloud.

  1. Run the addnode script. Which command to run depends on the Cloud you are using.

    EU Cloud:

        sudo /usr/share/wallarm-common/addnode

    US Cloud:

        sudo /usr/share/wallarm-common/addnode -H us1.api.wallarm.com

  2. Enter the login and password. These are the same login and password that you use to access the Wallarm console at https://my.wallarm.com or https://us1.my.wallarm.com/. The profile must have the Administrator role and 2FA should be disabled. If the profile has the Analyst role or has 2FA enabled, the script will error out.

API Access

The API choice for your filter node depends on the Cloud you are using. Please, select the API accordingly:

Ensure the access is not blocked by a firewall.

7. Configure the server addresses of postanalytics

  • Skip this step if you installed postanalytics and the filter node on the same server.
  • Do this step if you installed postanalytics and the filter node on separate servers.

Add the server address of postanalytics to /etc/nginx/conf.d/wallarm.conf:


    upstream wallarm_tarantool {
        server <ip1>:3313;
        server <ip2>:3313;
        ...
        server <ipN>:3313;
    }

    ...

    wallarm_tarantool_upstream wallarm_tarantool;

8. Configure the filtration mode

The filtering and proxying rules are configured in the /etc/nginx/conf.d/wallarm.conf file using the wallarm_mode directive.

Make sure that the line containing the wallarm_mode directive is not commented out. If there is a # symbol at the beginning of the line, remove it.

Enable the monitoring mode by assigning the monitoring value to the wallarm_mode directive, as shown in the following example:

#
# Wallarm module specific parameters
#

wallarm_mode monitoring;
# wallarm_mode_allow_override on;

9. Restart NGINX

Starting NGINX not under root

If you are running NGINX as a user that is not root, add the user to the wallarm group:

usermod -aG wallarm user_name

where user_name is the user that you use to run NGINX and that is not root.

Restart NGINX:

Debian 8.x (jessie), Debian 9.x (stretch) and CentOS 7.x:

    systemctl restart nginx

CentOS 6.x:

    service nginx restart

The installation is complete

Check that the filter node runs and filters the traffic. See Check the filter node operation.
