Skip to content

Upgrading Wallarm NGINX modules

These instructions describe the steps to upgrade the Wallarm NGINX modules 4.x to version 4.4. Wallarm NGINX modules are the modules installed in accordance with one of the following instructions:

To upgrade the end‑of‑life node (3.6 or lower), please use the different instructions.

Requirements

  • Access to the account with the Administrator role in Wallarm Console in the US Cloud or EU Cloud

  • Access to https://us1.api.wallarm.com if working with US Wallarm Cloud or to https://api.wallarm.com if working with EU Wallarm Cloud. Please ensure the access is not blocked by a firewall

Upgrade procedure

  • If filtering node and postanalytics modules are installed on the same server, then follow the instructions below to upgrade all packages.

  • If filtering node and postanalytics modules are installed on different servers, first upgrade the postanalytics module following these instructions and then perform the steps below for filtering node modules.

Step 1: Upgrade NGINX to the latest version

Upgrade NGINX to the latest version using the relevant instructions:

DEB-based distributions:

sudo apt update
sudo apt install nginx

RPM-based distributions:

sudo yum update
sudo yum install nginx

For NGINX Plus, please follow the official upgrade instructions.

For NGINX installed from Debian/CentOS repository, please skip this step. The installed NGINX version will be upgraded later along with Wallarm modules.

If your infrastructure needs to use a specific version of NGINX, please contact the Wallarm technical support to build the API Security module for a custom version of NGINX.

Step 2: Add new Wallarm repository

Delete the previous Wallarm repository address and add a repository with a new Wallarm node version package. Please use the commands for the appropriate platform.

CentOS and Amazon Linux 2.0.2021x and lower

sudo yum remove wallarm-node-repo
sudo yum clean all
sudo rpm -i https://repo.wallarm.com/centos/wallarm-node/7/4.4/x86_64/wallarm-node-repo-4.4-0.el7.noarch.rpm
sudo yum remove wallarm-node-repo
sudo yum clean all
sudo rpm -i https://repo.wallarm.com/centos/wallarm-node/8/4.4/x86_64/wallarm-node-repo-4.4-0.el8.noarch.rpm

Debian and Ubuntu

  1. Open the file with the Wallarm repository address in the installed text editor. In these instructions, vim is used.

    sudo vim /etc/apt/sources.list.d/wallarm.list
    
  2. Comment out or delete the previous repository address.

  3. Add a new repository address:

    Please use this option only if NGINX is installed from Debian/CentOS repositories. Official NGINX versions and as a result Wallarm node 4.4 and above cannot be installed on Debian 10.x (buster).

    deb http://repo.wallarm.com/debian/wallarm-node buster/4.4/
    
    deb http://repo.wallarm.com/debian/wallarm-node bullseye/4.4/
    
    deb http://repo.wallarm.com/ubuntu/wallarm-node bionic/4.4/
    
    deb http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/
    

Step 3: Upgrade Wallarm API Security packages

Filtering node and postanalytics on the same server

  1. Execute the following command to upgrade the filtering node and postanalytics modules:

    sudo apt update
    sudo apt dist-upgrade
    

    The error "signatures couldn't be verified"

    If added GPG keys expired, the following error would be returned:

    W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following
    signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999
    E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    

    To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:

    curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
    sudo apt update
    sudo apt dist-upgrade
    
    sudo apt update
    sudo apt dist-upgrade
    

    The error "signatures couldn't be verified"

    If added GPG keys expired, the following error would be returned:

    W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following
    signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999
    E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    

    To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:

    curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
    sudo apt update
    sudo apt dist-upgrade
    
    sudo yum update
    
    sudo yum update
    
  2. If the package manager asks for confirmation to rewrite the content of the configuration file /etc/cron.d/wallarm-node-nginx, send the option Y.

    The /etc/cron.d/wallarm-node-nginx content should be updated for the new script counting RPS to be downloaded.

    By default, the package manager uses the option N but the option Y is required for correct RPS counting.

Filtering node and postanalytics on different servers

Sequence of steps to upgrade the filtering node and postanalytics modules

If the filtering node and postanalytics modules are installed on different servers, then it is required to upgrade the postanalytics packages before updating the filtering node packages.

  1. Upgrade postanalytics packages following these instructions.

  2. Upgrade Wallarm node packages:

    sudo apt update
    sudo apt dist-upgrade
    

    The error "signatures couldn't be verified"

    If added GPG keys expired, the following error would be returned:

    W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following
    signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999
    E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    

    To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:

    curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
    sudo apt update
    sudo apt dist-upgrade
    
    sudo apt update
    sudo apt dist-upgrade
    

    The error "signatures couldn't be verified"

    If added GPG keys expired, the following error would be returned:

    W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following
    signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999
    E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    

    To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:

    curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
    sudo apt update
    sudo apt dist-upgrade
    
    sudo yum update
    
    sudo yum update
    
  3. If the package manager asks for confirmation to rewrite the content of the configuration file /etc/cron.d/wallarm-node-nginx, send the option Y.

    The /etc/cron.d/wallarm-node-nginx content should be updated for the new script counting RPS to be downloaded.

    By default, the package manager uses the option N but the option Y is required for correct RPS counting.

Step 4: Restart NGINX

sudo systemctl restart nginx
sudo service nginx restart
sudo systemctl restart nginx
sudo systemctl restart nginx

Step 5: Test Wallarm node operation

  1. Send the request with test Path Traversal attack to a protected resource address:

    curl http://localhost/etc/passwd
    
  2. Open Wallarm Console → Events section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.

    Attacks in the interface

Settings customization

Wallarm API Security modules are updated to version 4.4. Previous filtering node settings will be applied to the new version automatically. To make additional settings, use the available directives.

Common customization options: