Upgrading Wallarm NGINX modules¶
These instructions describe the steps to upgrade the Wallarm NGINX modules 4.x to version 4.4. Wallarm NGINX modules are the modules installed in accordance with one of the following instructions:
To upgrade the end‑of‑life node (3.6 or lower), please use the different instructions.
Requirements¶
-
Access to the account with the Administrator role in Wallarm Console in the US Cloud or EU Cloud
-
Access to
https://us1.api.wallarm.com
if working with US Wallarm Cloud or tohttps://api.wallarm.com
if working with EU Wallarm Cloud. Please ensure the access is not blocked by a firewall
Upgrade procedure¶
-
If filtering node and postanalytics modules are installed on the same server, then follow the instructions below to upgrade all packages.
-
If filtering node and postanalytics modules are installed on different servers, first upgrade the postanalytics module following these instructions and then perform the steps below for filtering node modules.
Step 1: Upgrade NGINX to the latest version¶
Upgrade NGINX to the latest version using the relevant instructions:
DEB-based distributions:
sudo apt update
sudo apt -y install nginx
RPM-based distributions:
sudo yum update
sudo yum install -y nginx
For NGINX Plus, please follow the official upgrade instructions.
For NGINX installed from Debian/CentOS repository, please skip this step. The installed NGINX version will be upgraded later along with the Wallarm modules.
If your infrastructure needs to use a specific version of NGINX, please contact the Wallarm technical support to build the Wallarm module for a custom version of NGINX.
Step 2: Add new Wallarm repository¶
Delete the previous Wallarm repository address and add a repository with a new Wallarm node version package. Please use the commands for the appropriate platform.
CentOS and Amazon Linux 2.0.2021x and lower
sudo yum remove wallarm-node-repo
sudo yum clean all
sudo rpm -i https://repo.wallarm.com/centos/wallarm-node/7/4.4/x86_64/wallarm-node-repo-4.4-0.el7.noarch.rpm
sudo yum remove wallarm-node-repo
sudo yum clean all
sudo rpm -i https://repo.wallarm.com/centos/wallarm-node/8/4.4/x86_64/wallarm-node-repo-4.4-0.el8.noarch.rpm
Debian and Ubuntu
-
Open the file with the Wallarm repository address in the installed text editor. In these instructions, vim is used.
sudo vim /etc/apt/sources.list.d/wallarm.list
-
Comment out or delete the previous repository address.
-
Add a new repository address:
Unsupported by NGINX stable and NGINX Plus
Official NGINX versions (stable and Plus) and, as a result, Wallarm node 4.4 and above cannot be installed on Debian 10.x (buster). Please use this OS only if NGINX is installed from Debian/CentOS repositories.
deb http://repo.wallarm.com/debian/wallarm-node buster/4.4/
deb http://repo.wallarm.com/debian/wallarm-node bullseye/4.4/
deb http://repo.wallarm.com/ubuntu/wallarm-node bionic/4.4/
deb http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/
Step 3: Upgrade Wallarm packages¶
Filtering node and postanalytics on the same server¶
-
Execute the following command to upgrade the filtering node and postanalytics modules:
sudo apt update sudo apt dist-upgrade
The error "signatures couldn't be verified"
If added GPG keys expired, the following error would be returned:
W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999 E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details.
To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:
curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add - sudo apt update sudo apt dist-upgrade
Upgrading Wallarm dependencies
The
sudo apt dist-upgrade
command upgrades both the Wallarm packages and filtering node dependencies. It is the recommended upgrade option providing correct operation of the newer filtering node version.sudo apt update sudo apt dist-upgrade
The error "signatures couldn't be verified"
If added GPG keys expired, the following error would be returned:
W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999 E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details.
To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:
curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add - sudo apt update sudo apt dist-upgrade
Upgrading Wallarm dependencies
The
sudo apt dist-upgrade
command upgrades both the Wallarm packages and filtering node dependencies. It is the recommended upgrade option providing correct operation of the newer filtering node version.sudo yum update
sudo yum update
-
If the package manager asks for confirmation to rewrite the content of the configuration file
/etc/cron.d/wallarm-node-nginx
, send the optionY
.The
/etc/cron.d/wallarm-node-nginx
content should be updated for the new script counting RPS to be downloaded.By default, the package manager uses the option
N
but the optionY
is required for correct RPS counting.
Filtering node and postanalytics on different servers¶
Sequence of steps to upgrade the filtering node and postanalytics modules
If the filtering node and postanalytics modules are installed on different servers, then it is required to upgrade the postanalytics packages before updating the filtering node packages.
-
Upgrade postanalytics packages following these instructions.
-
Upgrade Wallarm node packages:
sudo apt update sudo apt dist-upgrade
The error "signatures couldn't be verified"
If added GPG keys expired, the following error would be returned:
W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999 E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details.
To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:
curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add - sudo apt update sudo apt dist-upgrade
Upgrading Wallarm dependencies
The
sudo apt dist-upgrade
command upgrades both the Wallarm packages and filtering node dependencies. It is the recommended upgrade option providing correct operation of the newer filtering node version.sudo apt update sudo apt dist-upgrade
The error "signatures couldn't be verified"
If added GPG keys expired, the following error would be returned:
W: GPG error: http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release:The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1111FQQW999 E: The repository 'http://repo.wallarm.com/ubuntu/wallarm-node focal/4.4/ Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details.
To fix the problem, please import new GPG keys for the Wallarm packages and then upgrade the packages using the following commands:
curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add - sudo apt update sudo apt dist-upgrade
Upgrading Wallarm dependencies
The
sudo apt dist-upgrade
command upgrades both the Wallarm packages and filtering node dependencies. It is the recommended upgrade option providing correct operation of the newer filtering node version.sudo yum update
sudo yum update
-
If the package manager asks for confirmation to rewrite the content of the configuration file
/etc/cron.d/wallarm-node-nginx
, send the optionY
.The
/etc/cron.d/wallarm-node-nginx
content should be updated for the new script counting RPS to be downloaded.By default, the package manager uses the option
N
but the optionY
is required for correct RPS counting.
Step 4: Restart NGINX¶
sudo systemctl restart nginx
sudo service nginx restart
sudo systemctl restart nginx
sudo systemctl restart nginx
Step 5: Test Wallarm node operation¶
-
Send the request with test Path Traversal attack to a protected resource address:
curl http://localhost/etc/passwd
-
Open Wallarm Console → Events section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.
Settings customization¶
The Wallarm modules are updated to version 4.4. Previous filtering node settings will be applied to the new version automatically. To make additional settings, use the available directives.
Common customization options:
-
Using the balancer of the proxy server behind the filtering node
-
Limiting the single request processing time in the directive
wallarm_process_time_limit
-
Limiting the server reply waiting time in the NGINX directive
proxy_read_timeout
-
Limiting the maximum request size in the NGINX directive
client_max_body_size