コンテンツにスキップ

All-in-Oneインストーラーでのデプロイ

All-in-Oneインストーラーは、Linuxベースの環境でインラインでのトラフィックフィルタリングを行うために、NGINXの動的モジュールとしてWallarmノードをインストールするよう設計されています。このインストーラーは、お使いのOSとNGINXのバージョンを自動的に判別し、必要な依存関係をすべてインストールします。

All-in-Oneインストーラーは、次の処理を自動で実行することで、ノードのインストールを簡単にします。

  1. OSとNGINXのバージョンを確認します。

  2. 検出されたOSとNGINXのバージョンに対応するWallarmリポジトリを追加します。

  3. これらのリポジトリからWallarmパッケージをインストールします。

  4. インストール済みのWallarmモジュールをNGINXに接続します。

  5. 提供されたトークンを使用してフィルタリングノードをWallarm Cloudに接続します。

ユースケース

Among all supported Wallarm deployment options, this solution is the recommended one for the following use cases:

  • Your infrastructure is based on bare metal or virtual machines without using container-based methods. Typically, these setups are managed with Infrastructure as Code (IaC) tools like Ansible or SaltStack.

  • Your services are built around NGINX. Wallarm can extend its functionalities using the all-in-one installer.

要件

  • Access to the account with the Administrator role in Wallarm Console for the US Cloud or EU Cloud.

  • Supported OS:

    • Debian 10, 11 and 12.x
    • Ubuntu LTS 18.04, 20.04, 22.04
    • CentOS 7, 8 Stream, 9 Stream
    • Alma/Rocky Linux 9
    • Oracle Linux 9.x
    • RHEL 8.x
    • RHEL 9.x
    • Oracle Linux 8.x
    • Redox
    • SuSe Linux
    • Others (the list is constantly widening, contact Wallarm support team to check if your OS is in the list)
  • Access to https://meganode.wallarm.com to download all-in-one Wallarm installer. Ensure the access is not blocked by a firewall.

  • Access to https://us1.api.wallarm.com for working with US Wallarm Cloud or to https://api.wallarm.com for working with EU Wallarm Cloud. If access can be configured only via the proxy server, then use the instructions.

  • Access to the IP addresses and their corresponding hostnames (if any) listed below. This is needed for downloading updates to attack detection rules and API specifications, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers

    node-data0.us1.wallarm.com - 34.96.64.17
    node-data1.us1.wallarm.com - 34.110.183.149
    us1.api.wallarm.com - 35.235.66.155
    34.102.90.100
    34.94.156.115
    35.235.115.105
    
    node-data1.eu1.wallarm.com - 34.160.38.183
    node-data0.eu1.wallarm.com - 34.144.227.90
    api.wallarm.com - 34.90.110.226
    
  • Executing all commands as a superuser (e.g. root).

手順1: NGINXと依存関係をインストールします

Install the latest NGINX version of:

  • NGINX stable (the latest supported version is v1.28.0) - see how to install it in the NGINX documentation.

  • NGINX Mainline (the latest supported version is v1.27.5) - see how to install it in the NGINX documentation.

  • NGINX Plus (the latest supported version is NGINX Plus R33) - see how to install it in the NGINX documentation.

  • Distribution-Provided NGINX - to install, use the following commands:

    sudo apt update 
    sudo apt -y install --no-install-recommends nginx
    
    sudo apt-get update
    sudo apt-get install nginx
    
    sudo yum -y update 
    sudo yum install -y nginx
    
    sudo yum -y update 
    sudo yum install -y nginx
    
    sudo yum -y update 
    sudo yum install -y nginx
    

手順2: Wallarmトークンを準備します

To install node, you will need a Wallarm token of the appropriate type. To prepare a token:

  1. Open Wallarm Console → SettingsAPI tokens in the US Cloud or EU Cloud.
  2. Find or create API token with the Node deployment/Deployment usage type.
  3. Copy this token.
  1. Open Wallarm Console → Nodes in the US Cloud or EU Cloud.
  2. Do one of the following:
    • Create the node of the Wallarm node type and copy the generated token.
    • Use existing node group - copy token using node's menu → Copy token.

手順3: All-in-OneのWallarmインストーラーをダウンロードします

Wallarm suggests all-in-one installations for the following processors:

  • x86_64

  • ARM64 (beta)

To download all-in-one Wallarm installation script, execute the command:

curl -O https://meganode.wallarm.com/6.6/wallarm-6.6.1.x86_64-glibc.sh
curl -O https://meganode.wallarm.com/6.6/wallarm-6.6.1.aarch64-glibc.sh

手順4: All-in-OneのWallarmインストーラーを実行します

  1. Run downloaded script:

    # If using the x86_64 version:
    sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.6.1.x86_64-glibc.sh
    
    # If using the ARM64 version:
    sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.6.1.aarch64-glibc.sh
    

    The WALLARM_LABELS variable sets group into which the node will be added (used for logical grouping of nodes in the Wallarm Console UI).

    # If using the x86_64 version:
    sudo sh wallarm-6.6.1.x86_64-glibc.sh
    
    # If using the ARM64 version:
    sudo sh wallarm-6.6.1.aarch64-glibc.sh
    
  2. Select US Cloud or EU Cloud.

  3. Enter Wallarm token.

以降の手順で使用するコマンドは、x86_64およびARM64のインストールで同一です。

手順5: トラフィック解析のためにWallarmノードを有効化します

By default, the deployed Wallarm Node does not analyze incoming traffic.

To enable traffic analysis and proxying of legitimate traffic, update the NGINX configuration file, typically located at /etc/nginx/sites-available/default.

The following minimal configuration adjustments are necessary:

  1. Set the Wallarm Node to wallarm_mode monitoring;. This mode is recommended for initial deployments and testing.

    Wallarm also supports more modes like blocking and safe blocking, which you can read more.

  2. Determine where the node should forward legitimate traffic by adding the proxy_pass directive in the required locations. This could be to the IP of an application server, a load balancer, or a DNS name.

  3. If present, remove the try_files directive from the modified locations to ensure traffic is directed to Wallarm without local file interference.

server {
    ...
+   wallarm_mode monitoring;
    location / { 
+        proxy_pass http://example.com;
-        # try_files $uri $uri/ =404;
    }
    ...
}

手順6: NGINXを再起動します

Restart NGINX using the following command:

sudo systemctl restart nginx

手順7: トラフィックをWallarmノードに送信するよう設定します

Update targets of your load balancer to send traffic to the Wallarm instance. For details, please refer to the documentation on your load balancer.

手順8: Wallarmノードの動作をテストします

  1. Send the request with test Path Traversal attack to a protected resource address:

    curl http://localhost/etc/passwd
    

    If traffic is configured to be proxied to example.com, include the -H "Host: example.com" header in the request.

  2. Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.

    Attacks in the interface

  3. Optionally, test other aspects of the node functioning.

手順9: デプロイ済みソリューションを微調整します

デフォルト設定の動的Wallarmモジュールがインストールされています。フィルタリングノードは、デプロイ後に追加の設定が必要になる場合があります。

Wallarmの設定は、NGINXディレクティブまたはWallarm Console UIで定義します。ディレクティブは、Wallarmノードがあるマシン上の次のファイルに設定します。

  • /etc/nginx/sites-available/default(サーバーレベルおよびlocationレベルの設定)

  • /etc/nginx/nginx.conf(httpレベルの設定)

  • /etc/nginx/wallarm-status.conf(Wallarmノードの監視設定。詳細はリンクにあります)

以下に、必要に応じて適用できる代表的な設定をいくつか示します。

起動オプション

As soon as you have the all-in one script downloaded, you can get help on it with:

sudo sh ./wallarm-6.6.1.x86_64-glibc.sh -- -h

Which returns:

...
Usage: setup.sh [options]... [arguments]... [filtering/postanalytics]

OPTION                      DESCRIPTION
-b, --batch                 Batch mode, non-interactive installation.
    --install-only          Initiates the first stage of the all-in-one installer in batch mode. Copies essential configurations, including files and binaries, and sets up NGINX for node installation, bypassing Cloud registration and activation. Requires --batch.
    --skip-ngx-config       Avoids automatic NGINX configuration changes that occur during the --install-only stage in batch mode, suitable for users who prefer manual adjustments later. When used with --install-only, it ensures only essential configurations are copied without altering NGINX settings. Requires --batch.
    --register-only         Initiates the second stage of the all-in-one installer in batch mode, completing the setup by registering the node in the Cloud and starting its service. Requires --batch.
-t, --token TOKEN           Node token, required in a batch mode.
-c, --cloud CLOUD           Wallarm Cloud, one of US/EU, default is EU, only used in a batch mode.
-H, --host HOST             Wallarm API address, for example, api.wallarm.com or us1.api.wallarm.com, only used in a batch mode.
-P, --port PORT             Wallarm API pot, for example, 443.
    --no-ssl                Disable SSL for Wallarm API access.
    --no-verify             Disable SSL certificates verification.
-f, --force                 If there is a node with the same name, create a new instance.
-h, --help
    --version

Batch mode

The --batch option triggers batch (non-interactive) mode, where the script requires configuration options via the --token and --cloud flags, along with the WALLARM_LABELS environment variable if needed. In this mode, the script does not prompt the user for data input step by step as in the default mode; instead, it requires explicit commands for interaction.

Below are examples of commands to run the script in batch mode for node installation, assuming the script has already been downloaded:

# If using the x86_64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.6.1.x86_64-glibc.sh -- --batch -t <TOKEN> -c US

# If using the ARM64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.6.1.aarch64-glibc.sh -- --batch -t <TOKEN> -c US
# If using the x86_64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.6.1.x86_64-glibc.sh -- --batch -t <TOKEN>

# If using the ARM64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.6.1.aarch64-glibc.sh -- --batch -t <TOKEN>

Separate execution of node installation stages

When preparing your own machine image using the all-in-one installer for cloud infrastructure, the standard installation process outlined in this article may not suffice. Instead, you will need to execute specific stages of the all-in-one installer separately to accommodate the requirements of creating and deploying a machine image:

  1. Build machine image: At this stage, it is necessary to download binaries, libraries, and configuration files of the filtering node and create a machine image based on them. Utilizing the --install-only flag, the script copies the required files and modifies NGINX configurations for node operation. If you wish to make manual adjustments, you can opt to bypass the NGINX file modification by using the --skip-ngx-config flag.

  2. Initialize a cloud instance with cloud-init: During instance initialization, the bootstrap phase (cloud registration and service start) can be executed using cloud-init scripts. This stage can be run independently from the build phase by applying the --register-only flag to the /opt/wallarm/setup.sh script copied during the build stage.

This functionality is supported starting from version 4.10.0 of the all-in-one installer in batch mode. The commands below enable the sequential execution of the outlined steps:

# If using the x86_64 version:
curl -O https://meganode.wallarm.com/6.6/wallarm-6.6.1.x86_64-glibc.sh
sudo sh wallarm-6.6.1.x86_64-glibc.sh -- --batch --install-only
sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/setup.sh --batch --register-only -t <TOKEN> -c US

# If using the ARM64 version:
curl -O https://meganode.wallarm.com/6.6/wallarm-6.6.1.aarch64-glibc.sh
sudo sh wallarm-6.6.1.aarch64-glibc.sh -- --batch --install-only
sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/setup.sh --batch --register-only -t <TOKEN> -c US
# If using the x86_64 version:
curl -O https://meganode.wallarm.com/6.6/wallarm-6.6.1.x86_64-glibc.sh
sudo sh wallarm-6.6.1.x86_64-glibc.sh -- --batch --install-only
sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/setup.sh --batch --register-only -t <TOKEN>

# If using the ARM64 version:
curl -O https://meganode.wallarm.com/6.6/wallarm-6.6.1.aarch64-glibc.sh
sudo sh wallarm-6.6.1.aarch64-glibc.sh -- --batch --install-only
sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/setup.sh --batch --register-only -t <TOKEN>

Finally, to complete the installation, you need to enable Wallarm to analyze traffic and restart NGINX.

Separate installation of filtering and postanalytics nodes

The filtering/postanalytics switch provides the option to install the postanalytics module separately. Without this switch, both filtering and postanalytics components are installed together by default.

API Discovery-only mode

You can use the node in API Discovery-only mode (available since version 5.3.7). In this mode, attacks - including those detected by the Node's built-in mechanisms and those requiring additional configuration (e.g., credential stuffing, API specification violation attempts, and malicious activity from denylisted and graylisted IPs) - are detected and blocked locally (if enabled) but not exported to Wallarm Cloud. Since there is no attack data in the Cloud, Threat Replay Testing does not work. Traffic from whitelisted IPs is allowed.

Meanwhile, API Discovery, API session tracking, and security vulnerability detection remain fully functional, detecting relevant security entities and uploading them to the Cloud for visualization.

This mode is for those who want to review their API inventory and identify sensitive data first, and plan controlled attack data export accordingly. However, disabling attack export is rare, as Wallarm securely processes attack data and provides sensitive attack data masking if needed.

To enable API Discovery-only mode:

  1. Create or modify the /etc/wallarm-override/env.list file:

    sudo mkdir /etc/wallarm-override
    sudo vim /etc/wallarm-override/env.list
    

    Add the following variable:

    WALLARM_APID_ONLY=true
    
  2. Follow the node installation procedure.

With the API Discovery-only mode enabled, the /opt/wallarm/var/log/wallarm/wcli-out.log log returns the following message:

{"level":"info","component":"reqexp","time":"2025-01-31T11:59:38Z","message":"requests export skipped (disabled)"}

インストールを最初からやり直す

Wallarmノードのインストールを削除して最初からやり直す必要がある場合は、以下の手順に従ってください。

インストールのやり直しによる影響

インストールをやり直すと、稼働中のWallarmサービスを停止して削除することになり、再インストールが完了するまでトラフィックのフィルタリングが一時停止します。本番環境や重要なトラフィックを扱う環境では、トラフィックがフィルタリングされずリスクが生じるため、注意してください。

既存ノードをアップグレードする場合(例: 4.10から5.0)は、アップグレード手順を参照してください。

  1. Wallarmプロセスを終了し、設定ファイルを削除します:

    sudo systemctl stop wallarm
    sudo rm -rf /opt/wallarm
    
  2. 手順2のセットアップ手順に従って、再インストールを続行します。