Upgrading the Docker NGINX-based image¶

These instructions describe the steps to upgrade the running Docker NGINX-based image to the latest version 6.x.

To upgrade the end‑of‑life node (3.6 or lower), please use the different instructions.

Requirements¶

• Docker installed on your host system

• Access to https://hub.docker.com/r/wallarm/node to download the Docker image. Please ensure the access is not blocked by a firewall

• Access to the account with the Administrator role in Wallarm Console in the US Cloud or EU Cloud

• Access to https://us1.api.wallarm.com if working with US Wallarm Cloud or to https://api.wallarm.com if working with EU Wallarm Cloud. Please ensure the access is not blocked by a firewall

• Access to the IP addresses below for downloading updates to attack detection rules and API specifications, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers

  US CloudEU Cloud

  34.96.64.17
  34.110.183.149
  35.235.66.155
  34.102.90.100
  34.94.156.115
  35.235.115.105
  

  34.160.38.183
  34.144.227.90
  34.90.110.226
  

Step 1: Download the updated filtering node image¶

docker pull wallarm/node:6.0.0

Step 2: Stop the running container¶

docker stop <RUNNING_CONTAINER_NAME>

Step 3: Run the container using the new image¶

1. If upgrading from version 5.x or earlier, please note the following important changes:

   • If you previously configured the postanalytics memory via the TARANTOOL_MEMORY_GB environment variable, rename it to SLAB_ALLOC_ARENA.

   • If you are running the Docker container with mounted custom NGINX configuration files:

     • The include paths in /etc/nginx/nginx.conf have changed to align with Alpine Linux directory conventions:

       ...
       
       - include /etc/nginx/modules-enabled/*.conf;
       + include /etc/nginx/modules/*.conf;
       
       ...
       
       http {
       -     include /etc/nginx/sites-enabled/*;
       +     include /etc/nginx/http.d/*;
       }
       

     • In /etc/nginx/conf.d/wallarm-status.conf, the default value of the allow directive (used to define permitted IP addresses) has changed:

       ...
       
       - allow 127.0.0.8/8;
       + allow 127.0.0.0/8;
       
       ...
       

     • The path for mounting virtual host configuration files has changed from /etc/nginx/sites-enabled/default to /etc/nginx/http.d.

2. Proceed to Wallarm Console → Settings → API Tokens and generate a token with the Node deployment/Deployment usage type.

3. Copy the generated token.

4. Run the container using the new image and apply the updated configuration.

   There are two options for running the container using the updated image:

   • With the environment variables
   • In the mounted configuration file

Step 4: Test the filtering node operation¶

1. Send the request with test Path Traversal attack to a protected resource address:

   curl http://localhost/etc/passwd
   

   If traffic is configured to be proxied to example.com, include the -H "Host: example.com" header in the request.

2. Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.

   

3. Optionally, test other aspects of the node functioning.

Step 5: Delete the filtering node of the previous version¶

If the deployed image of the version 6.x operates correctly, you can delete the filtering node of the previous version in Wallarm Console → Nodes.

Was this page helpful?

How can we improve this article? (Optional)

Information is unclear or confusing

Insufficient information

Outdated or incorrect information

0/240

Send