Installing and configuring a partner WAF node

Requirements
- Partner account in the Wallarm system and a partner UUID
- Linked clients and IDs of the partner-client links
- Execution of commands by a user with the Global administrator or Deploy/Administrator role. The user with the Deploy/Administrator role must be added to the technical client or partner client account, depending on the account in which the WAF node should be created
- Disabled two‑factor authentication for the user executing the commands

Partner WAF node characteristics
A partner WAF node has the following characteristics:
- Can be installed on the same platforms and according to the same instructions as a regular WAF node.
- Can be installed on the technical client or partner client level. If you want to provide a client with access to the Wallarm Console, the WAF node must be installed at the corresponding partner client level.
- Can be configured according to the same instructions as a regular WAF node, except for:
  - The directive wallarm_instance is used to split settings by clients. Splitting by applications does not work.
  - To enable blocking of requests by IP addresses, please send a request to Wallarm technical support. After blocking is enabled, to block IP addresses, you need to add them to the blacklist at the technical client account level.

Recommendations for a partner WAF node installation
- If the client should access the Wallarm Console, the WAF node should be created within an appropriate partner client account
- Describe the WAF node configuration in the client's NGINX configuration file

Procedure for a partner WAF node installation
- Select a WAF node installation form and follow the appropriate instructions:
  - Module for NGINX stable from the NGINX repository
  - Module for NGINX stable from the Debian/CentOS repository
  - Module for NGINX Plus
  - Docker container with NGINX modules
  - Docker container with Envoy modules
  - NGINX Ingress controller
  - Sidecar container
  - AWS image
  - Google Cloud Platform image
  - Yandex.Cloud image
  - Module for Kong
- Send a request to Wallarm technical support to switch the WAF node to partner status. Send the following data with the request:
  - Partner UUID obtained when creating a partner account
  - Installed WAF node UUID displayed in the Wallarm Console → section Nodes
- Open the client's NGINX configuration file and specify the partner-client link ID in the wallarm_instance directive.

  Example of the client's NGINX configuration file:

      server {
          listen 80;
          server_name client1.com;
          wallarm_mode block;
          wallarm_instance 13;

          location / {
              proxy_pass http://upstream1:8080;
          }
      }

      server {
          listen 80;
          server_name client2.com;
          wallarm_mode monitoring;
          wallarm_instance 14;

          location / {
              proxy_pass http://upstream2:8080;
          }
      }

  - On the client side, the DNS A records with the partner IP address are configured
  - On the partner side, proxying of requests to the addresses of clients (http://upstream1:8080 for the client with the partner-client link ID 13 and http://upstream2:8080 for the client with the partner-client link ID 14) is configured
  - All incoming requests are processed on the partner address; legitimate requests are sent to http://upstream1:8080 for the client with the partner-client link ID 13 and to http://upstream2:8080 for the client with the partner-client link ID 14
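
A check that can be run before reloading NGINX to confirm that every client server block carries its partner-client link ID in wallarm_instance. This is an added example, not part of the Wallarm documentation. The sample configuration, the function names, the assumption that the directive is set inside each server block (as in the example above) and the rule that one ID shared by different server_name values deserves review are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: client3.com has no wallarm_instance, client4.com reuses ID 13.
SAMPLE_CONF = """
server { listen 80; server_name client1.com; wallarm_mode block; wallarm_instance 13;
         location / { proxy_pass http://upstream1:8080; } }
server { listen 80; server_name client2.com; wallarm_mode monitoring; wallarm_instance 14;
         location / { proxy_pass http://upstream2:8080; } }
server { listen 80; server_name client3.com; wallarm_mode block;
         location / { proxy_pass http://upstream3:8080; } }
server { listen 80; server_name client4.com; wallarm_mode block; wallarm_instance 13;
         location / { proxy_pass http://upstream4:8080; } }
"""

def server_blocks(conf):
    """Yield the body of every `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments first
    for match in re.finditer(r"\bserver\s*\{", conf):
        depth, pos = 1, match.end()
        while pos < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[pos], 0)
            pos += 1
        yield conf[match.end():pos - 1]

def audit(conf):
    """Return (issue, server_name(s), link_id) tuples for the given configuration."""
    findings, by_id = [], defaultdict(set)
    for body in server_blocks(conf):
        found = re.search(r"\bserver_name\s+([^;]+);", body)
        name = found.group(1).split()[0] if found else "<unnamed>"
        ids = re.findall(r"\bwallarm_instance\s+(\d+)\s*;", body)
        if not ids:
            # Traffic for this host is not attributed to any partner-client link.
            findings.append(("missing", name, None))
        for link_id in ids:
            by_id[int(link_id)].add(name)
    for link_id, names in by_id.items():
        if len(names) > 1:
            # Assumption: one ID on several hosts may be a copy-paste error; review it.
            findings.append(("shared", ",".join(sorted(names)), link_id))
    return findings

if __name__ == "__main__":
    for issue, names, link_id in audit(SAMPLE_CONF):
        print(f"{issue}: server_name={names} wallarm_instance={link_id}")
```

A "shared" finding is a prompt to review rather than an error, since a single client may legitimately be served under several hostnames.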

Configuring a partner WAF node
To customize the WAF node settings, use the available directives.
Common customization options:
- Adding Wallarm Scanner addresses to the whitelist in the block filtering mode
- Limiting the single request processing time in the directive wallarm_process_time_limit
- Limiting the server reply waiting time in the NGINX directive proxy_read_timeout
- Limiting the maximum request size in the NGINX directive client_max_body_size