Her Şey Dahil Installer

[img-wl-console-users]:             ../../images/check-user-no-2fa.png
[wallarm-status-instr]:             ../../admin-en/configure-statistics-service.md
[memory-instr]:                     ../../admin-en/configuration-guides/allocate-resources-for-node.md
[waf-directives-instr]:             ../../admin-en/configure-parameters-en.md
[ptrav-attack-docs]:                ../../attacks-vulns-list.md#path-traversal
[attacks-in-ui-image]:           ../../images/admin-guides/test-attacks-quickstart.png
[waf-mode-instr]:                   ../../admin-en/configure-wallarm-mode.md
[logging-instr]:                    ../../admin-en/configure-logging.md
[proxy-balancer-instr]:             ../../admin-en/using-proxy-or-balancer-en.md
[process-time-limit-instr]:         ../../admin-en/configure-parameters-en.md#wallarm_process_time_limit
[configure-proxy-balancer-instr]:   ../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md
[update-instr]:                     ../../updating-migrating/nginx-modules.md
[install-postanalytics-docs]:        ../../../admin-en/installation-postanalytics-en/
[dynamic-dns-resolution-nginx]:     ../../admin-en/configure-dynamic-dns-resolution-nginx.md
[waf-mode-recommendations]:          ../../about-wallarm/deployment-best-practices.md#follow-recommended-onboarding-steps
[ip-lists-docs]:                    ../../user-guides/ip-lists/overview.md
[versioning-policy]:                ../../updating-migrating/versioning-policy.md#version-list
[install-postanalytics-instr]:      ../../admin-en/installation-postanalytics-en.md
[waf-installation-instr-latest]:     /installation/nginx/dynamic-module/
[img-node-with-several-instances]:  ../../images/user-guides/nodes/wallarm-node-with-two-instances.png
[img-create-wallarm-node]:      ../../images/user-guides/nodes/create-cloud-node.png
[nginx-custom]:                 ../../faq/nginx-compatibility.md#is-wallarm-filtering-node-compatible-with-the-custom-build-of-nginx
[node-token]:                       ../../quickstart/getting-started.md#deploy-the-wallarm-filtering-node
[api-token]:                        ../../user-guides/settings/api-tokens.md
[platform]:                         ../supported-deployment-options.md
[inline-docs]:                      ../inline/overview.md
[oob-docs]:                         ../oob/overview.md
[oob-advantages-limitations]:       ../oob/overview.md#limitations
[web-server-mirroring-examples]:    ../oob/web-server-mirroring/overview.md#configuration-examples-for-traffic-mirroring
[img-grouped-nodes]:                ../../images/user-guides/nodes/grouped-nodes.png
[wallarm-token-types]:              ../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation
[ip-lists-docs]:                    ../../user-guides/ip-lists/overview.md
[download-aio-step]:                #step-3-download-all-in-one-wallarm-installer
[enable-traffic-analysis-step]:     #step-5-enable-wallarm-node-to-analyze-traffic
[restart-nginx-step]:               #step-6-restart-nginx
[separate-postanalytics-installation-aio]:  ../../admin-en/installation-postanalytics-en.md
[api-spec-enforcement-docs]:        ../../api-specification-enforcement/overview.md
[link-wallarm-health-check]:        ../../admin-en/uat-checklist-en.md

# Tüm Bileşenli Kurulum Aracıyla Dağıtım

Bir **tüm bileşenli kurulum aracı**, farklı ortamlarda NGINX için dinamik modül olarak Wallarm node'un kurulumu sürecini standartlaştırmak ve kolaylaştırmak amacıyla tasarlanmıştır. Bu kurulum aracı, işletim sisteminizin ve NGINX sürümünüzün otomatik olarak tespit edilmesini sağlar ve gerekli tüm bağımlılıkları yükler.

**Tüm bileşenli kurulum aracı**, aşağıdaki işlemleri otomatik olarak gerçekleştirerek basit bir node kurulumu süreci sunar:

1. İşletim sisteminizi ve NGINX sürümünüzü kontrol eder.
1. Tespit edilen işletim sistemi ve NGINX sürümü için Wallarm depolarını ekler.
1. Bu depolardan Wallarm paketlerini kurar.
1. Kurulan Wallarm modülünü NGINX'inize bağlar.
1. Sağlanan token yardımıyla filtrasyon nodunu Wallarm Cloud'a bağlar.

## Kullanım Senaryoları

Among all supported [Wallarm deployment options][platform], this solution is the recommended one for the following **use cases**:

* Your infrastructure is based on bare metal or virtual machines without using container-based methods. Typically, these setups are managed with Infrastructure as Code (IaC) tools like Ansible or SaltStack.
* Your services are built around NGINX. Wallarm can extend its functionalities using the all-in-one installer.

## Gereksinimler

* Access to the account with the **Administrator** role in Wallarm Console for the [US Cloud](https://us1.my.wallarm.com/) or [EU Cloud](https://my.wallarm.com/).
* Supported OS:

    * Debian 10, 11 and 12.x
    * Ubuntu LTS 18.04, 20.04, 22.04
    * CentOS 7, 8 Stream, 9 Stream
    * Alma/Rocky Linux 9
    * Oracle Linux 9.x
    * RHEL 8.x
    * RHEL 9.x
    * Oracle Linux 8.x
    * Redox
    * SuSe Linux
    * Others (the list is constantly widening, contact [Wallarm support team](mailto:support@wallarm.com) to check if your OS is in the list)

* Access to `https://meganode.wallarm.com` to download all-in-one Wallarm installer. Ensure the access is not blocked by a firewall.
* Access to `https://us1.api.wallarm.com` for working with US Wallarm Cloud or to `https://api.wallarm.com` for working with EU Wallarm Cloud. If access can be configured only via the proxy server, then use the [instructions][configure-proxy-balancer-instr].
* Access to the IP addresses below for downloading updates to attack detection rules and [API specifications][api-spec-enforcement-docs], as well as retrieving precise IPs for your [allowlisted, denylisted, or graylisted][ip-lists-docs] countries, regions, or data centers

    === "US Cloud"
        ```
        34.96.64.17
        34.110.183.149
        35.235.66.155
        34.102.90.100
        34.94.156.115
        35.235.115.105
        ```
    === "EU Cloud"
        ```
        34.160.38.183
        34.144.227.90
        34.90.110.226
        ```
* Executing all commands as a superuser (e.g. `root`).

## Adım 1: NGINX ve bağımlılıkların kurulumu

Install the latest NGINX version of:

* **NGINX `stable`** (the latest supported version is v1.28.0) - see how to install it in the NGINX [documentation](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/).
* **NGINX Mainline** (the latest supported version is v1.27.5) - see how to install it in the NGINX [documentation](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/).
* **NGINX Plus** (the latest supported version is NGINX Plus R33) - see how to install it in the NGINX [documentation](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-plus/).
* **Distribution-Provided NGINX** - to install, use the following commands:

    === "Debian"
        ```bash
        sudo apt update 
        sudo apt -y install --no-install-recommends nginx
        ```
    === "Ubuntu"
        ```bash
        sudo apt-get update
        sudo apt-get install nginx
        ```
    === "CentOS"
        ```bash
        sudo yum -y update 
        sudo yum install -y nginx
        ```
    === "AlmaLinux, Rocky Linux or Oracle Linux 8.x"
        ```bash
        sudo yum -y update 
        sudo yum install -y nginx
        ```
    === "RHEL 8.x"
        ```bash
        sudo yum -y update 
        sudo yum install -y nginx
        ```

## Adım 2: Wallarm tokenini hazırlayın

To install node, you will need a Wallarm token of the [appropriate type][wallarm-token-types]. To prepare a token:

=== "API token"

    1. Open Wallarm Console → **Settings** → **API tokens** in the [US Cloud](https://us1.my.wallarm.com/settings/api-tokens) or [EU Cloud](https://my.wallarm.com/settings/api-tokens).
    1. Find or create API token with the `Node deployment/Deployment` usage type.
    1. Copy this token.

=== "Node token"

    1. Open Wallarm Console → **Nodes** in the [US Cloud](https://us1.my.wallarm.com/nodes) or [EU Cloud](https://my.wallarm.com/nodes).
    1. Do one of the following: 
        * Create the node of the **Wallarm node** type and copy the generated token.
        * Use existing node group - copy token using node's menu → **Copy token**.

## Adım 3: Tüm bileşenli Wallarm kurulum aracını indirin

Wallarm suggests all-in-one installations for the following processors:

* x86_64
* ARM64 (beta)

To download all-in-one Wallarm installation script, execute the command:

=== "x86_64 version"
    ```bash
    curl -O https://meganode.wallarm.com/6.1/wallarm-6.1.0.x86_64-glibc.sh
    ```
=== "ARM64 version (beta)"
    ```bash
    curl -O https://meganode.wallarm.com/6.1/wallarm-6.1.0.aarch64-glibc.sh
    ```

## Adım 4: Tüm bileşenli Wallarm kurulum aracını çalıştırın

1. Run downloaded script:

    === "API token"
        ```bash
        # If using the x86_64 version:
        sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.1.0.x86_64-glibc.sh

        # If using the ARM64 version:
        sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.1.0.aarch64-glibc.sh
        ```        

        The `WALLARM_LABELS` variable sets group into which the node will be added (used for logical grouping of nodes in the Wallarm Console UI).

    === "Node token"
        ```bash
        # If using the x86_64 version:
        sudo sh wallarm-6.1.0.x86_64-glibc.sh

        # If using the ARM64 version:
        sudo sh wallarm-6.1.0.aarch64-glibc.sh
        ```

1. Select [US Cloud](https://us1.my.wallarm.com/) or [EU Cloud](https://my.wallarm.com/).
1. Enter Wallarm token.

İleri adımlardaki komutlar, x86_64 ve ARM64 kurulumu için aynıdır.

## Adım 5: Wallarm node'unu trafiği analiz edecek şekilde etkinleştirin

By default, the deployed Wallarm Node does not analyze incoming traffic.

To enable traffic analysis, perform the following configuration:

=== "In-line"
    If you deploy the Wallarm Node for [in-line][inline-docs] traffic analysis and proxying of legitimate traffic, update the [NGINX configuration file](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/), typically located at `/etc/nginx/sites-available/default`.

    The following minimal configuration adjustments are necessary:

    1. Set the Wallarm Node to `wallarm_mode monitoring;`. This mode is recommended for initial deployments and testing.

        Wallarm also supports more modes like blocking and safe blocking, which you can [read more][waf-mode-instr].
    1. Determine where the node should forward legitimate traffic by adding the `proxy_pass` directive in the required locations. This could be to the IP of an application server, a load balancer, or a DNS name.
    1. If present, remove the `try_files` directive from the modified locations to ensure traffic is directed to Wallarm without local file interference.

    ```diff
    server {
        ...
    +   wallarm_mode monitoring;
        location / { 
    +        proxy_pass http://example.com;
    -        # try_files $uri $uri/ =404;
        }
        ...
    }
    ```
=== "Out-of-Band"
    If you deploy the Wallarm Node for [out-of-band][oob-docs] traffic analysis, update the [NGINX configuration file](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/), typically located at `/etc/nginx/sites-available/default`.

    The following minimal configuration adjustments are necessary:

    1. For the Wallarm node to accept mirrored traffic, set the following configuration in the `server` NGINX block:

        ```
        server {
            listen 80;
            ...

            wallarm_force server_addr $http_x_server_addr;
            wallarm_force server_port $http_x_server_port;
            # Change 222.222.222.22 to the address of the mirroring server
            #set_real_ip_from  222.222.222.22;
            #real_ip_header    X-Forwarded-For;
            #real_ip_recursive on;
            wallarm_force response_status 0;
            wallarm_force response_time 0;
            wallarm_force response_size 0;
        }
        ```

        * The `set_real_ip_from` and `real_ip_header` directives are required to have Wallarm Console [display the IP addresses of the attackers][proxy-balancer-instr].
        * The `wallarm_force_response_*` directives are required to disable analysis of all requests except for copies received from the mirrored traffic.
    1. For the Wallarm node to analyze the mirrored traffic, set the `wallarm_mode` directive to `monitoring`:

        ```
        server {
            listen 80;
            listen [::]:80 ipv6only=on;
            wallarm_mode monitoring;

            ...
        }
        ```

        Since malicious requests [cannot][oob-advantages-limitations] be blocked, the only [mode][waf-mode-instr] Wallarm accepts is monitoring. For in-line deployment, there are also safe blocking and blocking modes but even if you set the `wallarm_mode` directive to a value different from monitoring, the node continues to monitor traffic and only record malicious traffic (aside from the mode set to off).
    1. If present, remove the `try_files` directive from the NGINX locations to ensure traffic is directed to Wallarm without local file interference:

        ```diff
        server {
            ...
            location / {
        -        # try_files $uri $uri/ =404;
            }
            ...
        }
        ```

Depending on your specific traffic routing rules and requirements, further customize both [NGINX](https://nginx.org/en/docs/dirindex.html) and [Wallarm configurations][waf-directives-instr] as needed.

## Adım 6: NGINX'i yeniden başlatın

Restart NGINX using the following command:

```bash
sudo systemctl restart nginx

Adım 7: Trafiğin Wallarm node'una gönderilmesini yapılandırın¶

Depending on the deployment approach being used, perform the following settings:

In-lineOut-of-Band

Update targets of your load balancer to send traffic to the Wallarm instance. For details, please refer to the documentation on your load balancer.

Configure your web or proxy server (e.g. NGINX, Envoy) to mirror incoming traffic to the Wallarm node. For configuration details, we recommend to refer to your web or proxy server documentation.

Inside the link, you will find the example configuration for the most popular of web and proxy servers (NGINX, Traefik, Envoy).

Adım 8: Wallarm node'unun çalışmasını test edin¶

Send the request with test Path Traversal attack to a protected resource address:
```
curl http://localhost/etc/passwd
```
If traffic is configured to be proxied to example.com, include the -H "Host: example.com" header in the request.
Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.
Optionally, [test][link-wallarm-health-check] other aspects of the node functioning.

Adım 9: Dağıtılan çözümü ince ayar yapın¶

Varsayılan ayarlarla dinamik Wallarm modülü kurulmuştur. Dağıtım sonrası filtrasyon node'u ek yapılandırma gerektirebilir.

Wallarm ayarları, NGINX direktifleri veya Wallarm Console UI kullanılarak tanımlanır. Direktifler, Wallarm node'unun bulunduğu makinedeki aşağıdaki dosyalarda ayarlanmalıdır:

Sunucu ve konum düzeyindeki ayarlar için /etc/nginx/sites-available/default
http düzeyindeki ayarlar için /etc/nginx/nginx.conf
Wallarm node izleme ayarlarının yapıldığı /etc/nginx/wallarm-status.conf dosyası. Ayrıntılı açıklamaya link üzerinden ulaşılabilir.
Tarantool'dan istatistik toplayan collectd eklentisi ayarlarının yapıldığı /opt/wallarm/etc/collectd/wallarm-collectd.conf.d/wallarm-tarantool.conf

Aşağıda, gerekirse uygulayabileceğiniz tipik ayarlardan bazıları verilmiştir:

Başlatma Seçenekleri¶

As soon as you have the all-in one script downloaded, you can get help on it with:

sudo sh ./wallarm-6.1.0.x86_64-glibc.sh -- -h

Which returns:

...
Usage: setup.sh [options]... [arguments]... [filtering/postanalytics]

OPTION                      DESCRIPTION
-b, --batch                 Batch mode, non-interactive installation.
    --install-only          Initiates the first stage of the all-in-one installer in batch mode. Copies essential configurations, including files and binaries, and sets up NGINX for node installation, bypassing Cloud registration and activation. Requires --batch.
    --skip-ngx-config       Avoids automatic NGINX configuration changes that occur during the --install-only stage in batch mode, suitable for users who prefer manual adjustments later. When used with --install-only, it ensures only essential configurations are copied without altering NGINX settings. Requires --batch.
    --register-only         Initiates the second stage of the all-in-one installer in batch mode, completing the setup by registering the node in the Cloud and starting its service. Requires --batch.
-t, --token TOKEN           Node token, required in a batch mode.
-c, --cloud CLOUD           Wallarm Cloud, one of US/EU, default is EU, only used in a batch mode.
-H, --host HOST             Wallarm API address, for example, api.wallarm.com or us1.api.wallarm.com, only used in a batch mode.
-P, --port PORT             Wallarm API pot, for example, 443.
    --no-ssl                Disable SSL for Wallarm API access.
    --no-verify             Disable SSL certificates verification.
-f, --force                 If there is a node with the same name, create a new instance.
-h, --help
    --version

Batch mode¶

The --batch option triggers batch (non-interactive) mode, where the script requires configuration options via the --token and --cloud flags, along with the WALLARM_LABELS environment variable if needed. In this mode, the script does not prompt the user for data input step by step as in the default mode; instead, it requires explicit commands for interaction.

Below are examples of commands to run the script in batch mode for node installation, assuming the script has already been [downloaded][download-aio-step]:

US CloudEU Cloud

# If using the x86_64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.1.0.x86_64-glibc.sh -- --batch -t <TOKEN> -c US

# If using the ARM64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.1.0.aarch64-glibc.sh -- --batch -t <TOKEN> -c US

# If using the x86_64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.1.0.x86_64-glibc.sh -- --batch -t <TOKEN>

# If using the ARM64 version:
sudo env WALLARM_LABELS='group=<GROUP>' sh wallarm-6.1.0.aarch64-glibc.sh -- --batch -t <TOKEN>

Separate execution of node installation stages¶

When preparing your own machine image using the all-in-one installer for cloud infrastructure, the standard installation process outlined in this article may not suffice. Instead, you will need to execute specific stages of the all-in-one installer separately to accommodate the requirements of creating and deploying a machine image:

Build machine image: At this stage, it is necessary to download binaries, libraries, and configuration files of the filtering node and create a machine image based on them. Utilizing the --install-only flag, the script copies the required files and modifies NGINX configurations for node operation. If you wish to make manual adjustments, you can opt to bypass the NGINX file modification by using the --skip-ngx-config flag.
Initialize a cloud instance with cloud-init: During instance initialization, the bootstrap phase (cloud registration and service start) can be executed using cloud-init scripts. This stage can be run independently from the build phase by applying the --register-only flag to the /opt/wallarm/setup.sh script copied during the build stage.

This functionality is supported starting from version 4.10.0 of the all-in-one installer in batch mode. The commands below enable the sequential execution of the outlined steps:

US CloudEU Cloud

# If using the x86_64 version:
curl -O https://meganode.wallarm.com/6.1/wallarm-6.1.0.x86_64-glibc.sh
sudo sh wallarm-6.1.0.x86_64-glibc.sh -- --batch --install-only
sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/setup.sh --batch --register-only -t <TOKEN> -c US

# If using the ARM64 version:
curl -O https://meganode.wallarm.com/6.1/wallarm-6.1.0.aarch64-glibc.sh
sudo sh wallarm-6.1.0.aarch64-glibc.sh -- --batch --install-only
sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/setup.sh --batch --register-only -t <TOKEN> -c US

# If using the x86_64 version:
curl -O https://meganode.wallarm.com/6.1/wallarm-6.1.0.x86_64-glibc.sh
sudo sh wallarm-6.1.0.x86_64-glibc.sh -- --batch --install-only
sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/setup.sh --batch --register-only -t <TOKEN>

# If using the ARM64 version:
curl -O https://meganode.wallarm.com/6.1/wallarm-6.1.0.aarch64-glibc.sh
sudo sh wallarm-6.1.0.aarch64-glibc.sh -- --batch --install-only
sudo env WALLARM_LABELS='group=<GROUP>' /opt/wallarm/setup.sh --batch --register-only -t <TOKEN>

Finally, to complete the installation, you need to [enable Wallarm to analyze traffic][enable-traffic-analysis-step] and [restart NGINX][restart-nginx-step].

Separate installation of filtering and postanalytics nodes¶

The filtering/postanalytics switch provides the option to install the postanalytics module [separately][separate-postanalytics-installation-aio]. Without this switch, both filtering and postanalytics components are installed together by default.

API Discovery-only mode¶

You can use the node in API Discovery-only mode (available since version 5.3.7). In this mode, attacks - including those detected by the Node's built-in mechanisms and those requiring additional configuration (e.g., credential stuffing, API specification violation attempts, and malicious activity from denylisted and graylisted IPs) - are detected and blocked locally (if enabled) but not exported to Wallarm Cloud. Since there is no attack data in the Cloud, [Threat Replay Testing][threat-replay-testing-docs] does not work. Traffic from whitelisted IPs is allowed.

Meanwhile, [API Discovery][api-discovery-docs], [API session tracking][api-sessions-docs], and [security vulnerability detection][vuln-detection-docs] remain fully functional, detecting relevant security entities and uploading them to the Cloud for visualization.

This mode is for those who want to review their API inventory and identify sensitive data first, and plan controlled attack data export accordingly. However, disabling attack export is rare, as Wallarm securely processes attack data and provides [sensitive attack data masking][masking-sensitive-data-rule] if needed.

To enable API Discovery-only mode:

Create or modify the /etc/wallarm-override/env.list file:

sudo mkdir /etc/wallarm-override
sudo vim /etc/wallarm-override/env.list

Add the following variable:

WALLARM_APID_ONLY=true

Follow the node installation procedure.

With the API Discovery-only mode enabled, the /opt/wallarm/var/log/wallarm/wcli-out.log log returns the following message:

{"level":"info","component":"reqexp","time":"2025-01-31T11:59:38Z","message":"requests export skipped (disabled)"}

Kurulumu Baştan Başlatma¶

Mevcut Wallarm node kurulumunu silip tekrar başlatmanız gerekirse, aşağıdaki adımları izleyin.

Kurulumu Baştan Başlatmanın Etkisi

Kurulumu baştan başlatmak, halihazırda çalışan Wallarm servislerinin durdurulmasını ve silinmesini içerir; bu da yeniden kurulum tamamlanana kadar trafiğin filtrelenmemesine neden olur. Üretim veya kritik trafik ortamlarında dikkatli olun, çünkü bu durumda trafik filtrelenmemiş olur ve risk altında kalır.

Mevcut bir node'u (örneğin 4.10'dan 5.0'a) yükseltmek için güncelleme talimatlarına bakın.

Wallarm süreçlerini sonlandırın ve yapılandırma dosyalarını kaldırın:
```
sudo systemctl stop wallarm
sudo rm -rf /opt/wallarm
```
2. adımda verilen kurulum talimatlarını izleyerek yeniden kurulum işlemine devam edin.
```