Migrating allowlists and denylists from Wallarm node 2.18 and lower to 4.4¶

Starting with Wallarm node 3.x, the method of IP address allowlist and denylist configuration has been changed. This document instructs how to migrate allowlists and denylists configured in Wallarm node 2.18 or lower to the latest Wallarm node.

What has changed?¶

Configuration of IP address allowlist and denylist has been changed as follows:

• The wallarm_acl_* NGINX directives, acl Envoy parameters, and WALLARM_ACL_* environment variables have been deprecated. Now, IP lists are configured as follows:

  • Additional steps to enable IP allowlisting or denylisting functionality are not required. The Wallarm node downloads IP addresses lists from the Wallarm Cloud by default and applies downloaded data when processing incoming requests.
  • Blocking page and error code returned in the response to the blocked request are configured using the wallarm_block_page directive instead of wallarm_acl_block_page.

• Allowlisted and denylisted IP addresses are managed via Wallarm Console.

• IP addresses of Wallarm Vulnerability Scanner are allowlisted by default. Manual allowlisting of Scanner IP addresses is no longer required.

Procedure for allowlist and denylist configuration migration¶

1. Inform Wallarm technical support that you are updating filtering node modules up to the latest version and ask to enable new IP lists logic for your Wallarm account.

   When new IP lists logic is enabled, please open Wallarm Console and ensure that the section IP lists is available.

2. If updating the multi-tenant Wallarm node, please delete the scripts used to synchronize the IP address denylist and the multi-tenant node 2.18 or lower. Starting with version 3.2, manual integration of IP lists is no longer required.

3. Update the filtering node modules up to version 4.4 following appropriate instructions.

4. Remove the allowlist of Wallarm Scanner IP addresses from filtering node configuration files. Starting with the filtering node 3.x, Scanner IP addresses are allowlisted by default. In previous Wallarm node versions, the allowlist could be configured by the following methods:

   • Disabled filtration mode for Scanner IP addresses (for example: NGINX configuration, K8s sidecar container, K8s Ingress controller).
   • NGINX directive allow.

5. If listed methods are used to allowlist other IP addresses that should not be blocked by the filtering node, please move them to the allowlist in Wallarm Console.

6. If you have used the directive wallarm_acl_block_page to configure the blocking page and error code returned when the denylisted IP originated the request, please replace the directive name by wallarm_block_page and update its value following the instructions.

7. Remove the NGINX and Envoy environment variables WALLARM_ACL_* from the docker run commands.

8. (Optional) Remove the NGINX directives wallarm_acl_* and acl Envoy parameters from filtering node configuration files.