Upgrading Wallarm NGINX modules¶

These instructions describe the steps to upgrade the Wallarm NGINX modules 4.x to version 4.4. Wallarm NGINX modules are the modules installed in accordance with one of the following instructions:

• NGINX stable module

• Module for NGINX from CentOS/Debian repositories

• NGINX Plus module

To upgrade the end‑of‑life node (3.6 or lower), please use the different instructions.

Requirements¶

• Access to the account with the Administrator role in Wallarm Console in the US Cloud or EU Cloud

• Access to https://us1.api.wallarm.com if working with US Wallarm Cloud or to https://api.wallarm.com if working with EU Wallarm Cloud. Please ensure the access is not blocked by a firewall

Upgrade procedure¶

• If filtering node and postanalytics modules are installed on the same server, then follow the instructions below to upgrade all packages.

• If filtering node and postanalytics modules are installed on different servers, first upgrade the postanalytics module following these instructions and then perform the steps below for filtering node modules.

Step 1: Upgrade NGINX to the latest version¶

Upgrade NGINX to the latest version using the relevant instructions:

sudo apt update
sudo apt -y install nginx

sudo yum update
sudo yum install -y nginx

If your infrastructure needs to use a specific version of NGINX, please contact the Wallarm technical support to build the Wallarm module for a custom version of NGINX.

Step 2: Add new Wallarm repository¶

Delete the previous Wallarm repository address and add a repository with a new Wallarm node version package. Please use the commands for the appropriate platform.

CentOS and Amazon Linux 2.0.2021x and lower

sudo yum remove wallarm-node-repo
sudo yum clean all
sudo rpm -i https://repo.wallarm.com/centos/wallarm-node/7/4.4/x86_64/wallarm-node-repo-4.4-0.el7.noarch.rpm

sudo yum remove wallarm-node-repo
sudo yum clean all
sudo rpm -i https://repo.wallarm.com/centos/wallarm-node/8/4.4/x86_64/wallarm-node-repo-4.4-0.el8.noarch.rpm

Debian and Ubuntu

1. Open the file with the Wallarm repository address in the installed text editor. In these instructions, vim is used.

   sudo vim /etc/apt/sources.list.d/wallarm.list
   

2. Comment out or delete the previous repository address.

3. Add a new repository address:

   Debian 10.x (buster)Debian 11.x (bullseye)Ubuntu 18.04 LTS (bionic)Ubuntu 20.04 LTS (focal)

   Unsupported by NGINX stable and NGINX Plus

   Official NGINX versions (stable and Plus) and, as a result, Wallarm node 4.4 and above cannot be installed on Debian 10.x (buster). Please use this OS only if NGINX is installed from Debian/CentOS repositories.

   deb http://repo.wallarm.com/debian/wallarm-node buster/4.4/
   

   deb http://repo.wallarm.com/debian/wallarm-node bullseye/4.4/
   

   deb http://repo.wallarm.com/ubuntu/wallarm-node bionic/4.4/
   

   deb http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/
   

Step 3: Upgrade Wallarm packages¶

Filtering node and postanalytics on the same server¶

1. Execute the following command to upgrade the filtering node and postanalytics modules:

   DebianUbuntuCentOS or Amazon Linux 2.0.2021x and lowerAlmaLinux, Rocky Linux or Oracle Linux 8.x

   sudo apt update
   sudo apt dist-upgrade
   

   The error "signatures couldn't be verified"

   If added GPG keys expired, the following error would be returned:

   W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following
   signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999
   E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed.
   N: Updating from such a repository can't be done securely, and is therefore disabled by default.
   N: See apt-secure(8) manpage for repository creation and user configuration details.
   

   To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:

   curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
   sudo apt update
   sudo apt dist-upgrade
   

   Upgrading Wallarm dependencies

   The sudo apt dist-upgrade command upgrades both the Wallarm packages and filtering node dependencies. It is the recommended upgrade option providing correct operation of the newer filtering node version.

   sudo apt update
   sudo apt dist-upgrade
   

   The error "signatures couldn't be verified"

   If added GPG keys expired, the following error would be returned:

   W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following
   signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999
   E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed.
   N: Updating from such a repository can't be done securely, and is therefore disabled by default.
   N: See apt-secure(8) manpage for repository creation and user configuration details.
   

   To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:

   curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
   sudo apt update
   sudo apt dist-upgrade
   

   Upgrading Wallarm dependencies

   The sudo apt dist-upgrade command upgrades both the Wallarm packages and filtering node dependencies. It is the recommended upgrade option providing correct operation of the newer filtering node version.

   sudo yum update
   

   sudo yum update
   

2. If the package manager asks for confirmation to rewrite the content of the configuration file /etc/cron.d/wallarm-node-nginx, send the option Y.

   The /etc/cron.d/wallarm-node-nginx content should be updated for the new script counting RPS to be downloaded.

   By default, the package manager uses the option N but the option Y is required for correct RPS counting.

Filtering node and postanalytics on different servers¶

1. Upgrade postanalytics packages following these instructions.

2. Upgrade Wallarm node packages:

   DebianUbuntuCentOS or Amazon Linux 2.0.2021x and lowerAlmaLinux, Rocky Linux or Oracle Linux 8.x

   sudo apt update
   sudo apt dist-upgrade
   

   The error "signatures couldn't be verified"

   If added GPG keys expired, the following error would be returned:

   W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following
   signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999
   E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed.
   N: Updating from such a repository can't be done securely, and is therefore disabled by default.
   N: See apt-secure(8) manpage for repository creation and user configuration details.
   

   To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:

   curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
   sudo apt update
   sudo apt dist-upgrade
   

   Upgrading Wallarm dependencies

   The sudo apt dist-upgrade command upgrades both the Wallarm packages and filtering node dependencies. It is the recommended upgrade option providing correct operation of the newer filtering node version.

   sudo apt update
   sudo apt dist-upgrade
   

   The error "signatures couldn't be verified"

   If added GPG keys expired, the following error would be returned:

   W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following
   signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999
   E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed.
   N: Updating from such a repository can't be done securely, and is therefore disabled by default.
   N: See apt-secure(8) manpage for repository creation and user configuration details.
   

   To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:

   curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
   sudo apt update
   sudo apt dist-upgrade
   

   Upgrading Wallarm dependencies

   The sudo apt dist-upgrade command upgrades both the Wallarm packages and filtering node dependencies. It is the recommended upgrade option providing correct operation of the newer filtering node version.

   sudo yum update
   

   sudo yum update
   

3. If the package manager asks for confirmation to rewrite the content of the configuration file /etc/cron.d/wallarm-node-nginx, send the option Y.

   The /etc/cron.d/wallarm-node-nginx content should be updated for the new script counting RPS to be downloaded.

   By default, the package manager uses the option N but the option Y is required for correct RPS counting.

Step 4: Restart NGINX¶

sudo systemctl restart nginx

sudo service nginx restart

sudo systemctl restart nginx

sudo systemctl restart nginx

Step 5: Test Wallarm node operation¶

1. Send the request with test Path Traversal attack to a protected resource address:

   curl http://localhost/etc/passwd
   

2. Open Wallarm Console → Events section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.
   

   

Settings customization¶

The Wallarm modules are updated to version 4.4. Previous filtering node settings will be applied to the new version automatically. To make additional settings, use the available directives.

Common customization options:

• Configuration of the filtration mode

• Logging Wallarm node variables

• Using the balancer of the proxy server behind the filtering node

• Limiting the single request processing time in the directive wallarm_process_time_limit

• Limiting the server reply waiting time in the NGINX directive proxy_read_timeout

• Limiting the maximum request size in the NGINX directive client_max_body_size

• Configuring dynamic DNS resolution in NGINX