customer-engineering/wallarm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: auto-commit 2026-03-30 07:02

Browse source
This commit is contained in:
administrator 2026-03-30 07:02:34 +01:00
parent 6b8186f496
commit 044c386234
1 changed files with 95 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

141
README.md
View file

@ -4,13 +4,14 @@ A comprehensive solution for deploying Wallarm filtering nodes on virtual machin
## Features
- **Automated Preflight Checks** - Validates system readiness, network connectivity, and resource availability
- **Smart Artifact Management** - GitLab-first approach with local fallback support
- **Multiple Node Support** - Deploy multiple Wallarm instances on the same VM with unique port configurations
- **Interactive Configuration** - User-friendly prompts for cloud region, ports, tokens, and upstream applications
- **Comprehensive Validation** - Network tests, port availability checks, and deployment verification
- **Persistence & Management** - Automatic service creation, start scripts, and health monitoring
- **Clean Uninstallation** - Safe removal of containers, images, and configuration files
- **Automated Preflight Checks** Validates system readiness, network connectivity, and resource availability
- **Smart Artifact Management** GitLab/Forgejo-first approach with local fallback support
- **Multiple Node Support** Deploy multiple Wallarm instances on the same VM with unique port configurations
- **Interactive Configuration** User-friendly prompts for cloud region, ports, token, and upstream applications
- **Comprehensive Validation** Network tests, port availability checks, and deployment verification
- **Persistence & Management** Automatic service creation, start scripts, and health monitoring
- **PostDeployment Reconfiguration** Easily update trusted proxy IPs and change operation mode without redeploying
- **Clean Uninstallation** Safe removal of containers, images, and configuration files
## Prerequisites
@ -23,7 +24,7 @@ A comprehensive solution for deploying Wallarm filtering nodes on virtual machin
### Software Dependencies
- **Bash**: Version 4.0+ (included with most Linux distributions)
- **curl**: For downloading artifacts and connectivity testing
- **curl** or **wget**: For downloading scripts and artifacts
- **sudo**: For Docker installation and system configuration
- **systemd** or **sysvinit**: For service management
@ -31,20 +32,19 @@ A comprehensive solution for deploying Wallarm filtering nodes on virtual machin
### 1. Download the Scripts
Use the wrapper script to download all necessary tools:
```bash
# Download the preflight check script
curl -sL "https://git.sechpoint.app/customer-engineering/wallarm/-/raw/main/wallarm-ct-check.sh" > wallarm-ct-check.sh
chmod +x wallarm-ct-check.sh
# Download the deployment script
curl -sL "https://git.sechpoint.app/customer-engineering/wallarm/-/raw/main/wallarm-ct-deploy.sh" > wallarm-ct-deploy.sh
chmod +x wallarm-ct-deploy.sh
# Download the uninstall script (optional)
curl -sL "https://git.sechpoint.app/customer-engineering/wallarm/-/raw/main/wallarm-ct-uninstall.sh" > wallarm-ct-uninstall.sh
chmod +x wallarm-ct-uninstall.sh
curl -fsSL "https://git.sechpoint.app/customer-engineering/wallarm/raw/branch/main/setup.sh" | bash
```
This will download and make executable:
- `wallarm-ct-check.sh` Preflight validation
- `wallarm-ct-deploy.sh` Main deployment script
- `wallarm-ct-reconfigure.sh` Modify configuration after deployment
- `wallarm-ct-uninstall.sh` Remove a Wallarm node
### 2. Run Preflight Check
```bash
@ -61,17 +61,37 @@ The preflight check will:
### 3. Deploy Wallarm Node
```bash
./wallarm-ct-deploy.sh
sudo ./wallarm-ct-deploy.sh
```
The deployment script will:
1. Read preflight check results
2. Prompt for configuration (ports, upstream application, Wallarm token)
2. Prompt for configuration (ports, upstream application, Wallarm token, trusted proxies)
3. Install Docker if not present
4. Download and load Wallarm Docker image
5. Configure and start the Wallarm container
6. Verify deployment with health checks
## Required Information Before Deployment
To ensure a smooth deployment, have the following information ready before starting the script:
| Item | Description | Example | Notes |
|------|-------------|---------|-------|
| **Inbound Port** | The port on which the Wallarm node will listen for incoming HTTP traffic. | `80` (HTTP) or `8080` | Must be unused on the server. If port 80 is already in use, choose another. |
| **Application Server (Upstream) IP/Hostname** | The IP address or hostname of the backend application that Wallarm will forward traffic to. | `192.168.1.100` or `app.internal.local` | Must be reachable from the server where Wallarm runs. Use `127.0.0.1` if the application runs on the same machine. |
| **Application Server Port** | The port on which the backend application listens. | `8080` | Must be open and listening. |
| **Wallarm Node Token** | A token obtained from the Wallarm Console when creating a new "Wallarm node". | `base64_encoded_string` | Copy it exactly. It will be pasted during the deployment process. |
| **Trusted Proxy IPs/CIDRs** (Optional) | The IP address(es) of any load balancers, firewalls, or CDNs that sit in front of the Wallarm node and set the `X-Real-IP` header. | `10.0.0.10` or `192.168.0.0/24` | If the node is directly accessible from the internet (no proxy in front), leave empty. If there is a proxy, you must list its IP(s) so that Wallarm can extract the real client IP. Multiple entries can be space-separated. |
| **Wallarm Cloud Region** | Which Wallarm cloud to use US or EU. | `US` or `EU` | The script will test connectivity to both and only show reachable ones. |
| **Operation Mode** (Optional, can be changed later) | The initial operation mode. `monitoring` only logs attacks, `block` actively blocks. | `monitoring` (recommended for first deployment) | The script defaults to `monitoring`. You can change it later using the reconfigure script. |
### Additional Preparation Steps
- **Ensure the backend application is running** and reachable from the Wallarm server. Test with `telnet <upstream_ip> <upstream_port>`.
- **If you plan to use a custom domain**, be prepared to configure DNS to point to the servers public IP (or the load balancer) the Wallarm node itself does not require a domain for basic setup.
- **If the server is behind a firewall**, open the inbound port (e.g., 80) to allow traffic from the internet or the load balancer.
## Detailed Usage
### Workflow Overview
@ -122,23 +142,47 @@ You can deploy multiple Wallarm nodes on the same virtual machine by:
- Each instance requires ~2GB disk space
- Consider CPU allocation (1 vCPU core per 2-3 instances for moderate traffic)
## Reconfiguration Script (`wallarm-ct-reconfigure.sh`)
After deployment, you may need to adjust:
- **Trusted proxy IPs/CIDRs** When the network topology changes (new load balancer, CDN, firewall)
- **Operation mode** Switch from `monitoring` to `block` after verifying correct operation
The reconfigure script safely modifies the `nginx.conf` of an existing instance, creates a backup, and restarts the container.
**Usage**:
```bash
sudo ./wallarm-ct-reconfigure.sh
```
It will detect installed instances, show current settings, and guide you through the changes.
## Uninstallation (`wallarm-ct-uninstall.sh`)
To completely remove a Wallarm node and optionally Docker:
```bash
sudo ./wallarm-ct-uninstall.sh
```
## Artifact Sources (Priority Order)
The system uses a smart fallback approach for artifact retrieval:
### 1. **Primary Source**: GitLab Repository
### 1. **Primary Source**: GitLab/Forgejo Repository
- URL: `https://git.sechpoint.app/customer-engineering/wallarm`
- Contains: Docker binaries and Wallarm images with SHA256 checksums
- Benefits: Version control, access control, audit trail
### 2. **Secondary Source**: Local Directories
- `./binaries/` - Docker static binaries (`docker-29.2.1.tgz`)
- `./images/` - Wallarm Docker images (`wallarm-node-6.11.0-rc1.tar.gz`)
- Benefits: Air-gapped environments, faster deployment
- `./binaries/` Docker static binaries (`docker-29.2.1.tgz`)
- `./images/` Wallarm Docker images (`wallarm-node-6.11.0-rc1.tar.gz`)
- Benefits: Airgapped environments, faster deployment
### 3. **Tertiary Source**: Current Directory
- Any `docker-*.tgz` or `wallarm-node-*.tar.gz` files in script location
- Benefits: Ad-hoc deployments, testing scenarios
- Benefits: Adhoc deployments, testing scenarios
### 4. **Fallback Source**: Internal Proxy Servers
- Original infrastructure URLs (with embedded credentials)
@ -203,13 +247,24 @@ WALLARM_INSECURE_SSL=0 ./wallarm-ct-check.sh
**Usage**:
```bash
# Interactive deployment
./wallarm-ct-deploy.sh
sudo ./wallarm-ct-deploy.sh
# Deployment with pre-filled environment
WALLARM_TOKEN="your_token_here" ./wallarm-ct-deploy.sh
# Deployment with pre-filled environment (optional)
WALLARM_TOKEN="your_token_here" sudo ./wallarm-ct-deploy.sh
```
# Skip preflight check verification (not recommended)
SKIP_PREFLIGHT=1 ./wallarm-ct-deploy.sh
### `wallarm-ct-reconfigure.sh`
**Purpose**: Modify configuration of an existing Wallarm node
**Key Functions**:
- Update `set_real_ip_from` (trusted proxy IPs/CIDRs)
- Change `wallarm_mode` (monitoring/block)
- Create backup of current configuration
- Restart container to apply changes
**Usage**:
```bash
sudo ./wallarm-ct-reconfigure.sh
```
### `wallarm-ct-uninstall.sh`
@ -225,13 +280,13 @@ SKIP_PREFLIGHT=1 ./wallarm-ct-deploy.sh
**Usage**:
```bash
# Interactive uninstallation
./wallarm-ct-uninstall.sh
sudo ./wallarm-ct-uninstall.sh
# Force removal without prompts (use with caution)
FORCE=1 ./wallarm-ct-uninstall.sh
FORCE=1 sudo ./wallarm-ct-uninstall.sh
# Remove Docker binaries (if no other containers exist)
REMOVE_DOCKER=1 ./wallarm-ct-uninstall.sh
REMOVE_DOCKER=1 sudo ./wallarm-ct-uninstall.sh
```
## Troubleshooting
@ -252,7 +307,7 @@ uname -m
cat /etc/os-release
```
#### 2. Deployment Fails - Port Conflicts
#### 2. Deployment Fails Port Conflicts
```bash
# Check for listening ports
sudo ss -tlnp | grep ':80\|:90\|:8080'
@ -324,7 +379,7 @@ Ensure your upstream firewall/load balancer includes:
### Version Updates
When updating Wallarm node version:
1. Pull new image from GitLab or official registry
1. Pull new image from GitLab/Forgejo or official registry
2. Stop existing container
3. Deploy new container with updated image
4. Verify functionality before removing old container
@ -351,29 +406,23 @@ This software is provided "AS IS", without warranty of any kind, express or impl
### Support
- This is an unsupported deployment tool
- No official support, maintenance, or updates are guaranteed
- Community contributions are welcome via GitLab repository
- Community contributions are welcome via the Forgejo repository
## Contributing
Contributions to improve the Wallarm deployment system are welcome:
1. Fork the repository on GitLab
1. Fork the repository on Forgejo
2. Create a feature branch
3. Make changes with comprehensive testing
4. Submit a merge request with description
## License
Proprietary - See disclaimer section for usage terms.
Proprietary See disclaimer section for usage terms.
## Contact & Support
- **Repository**: https://git.sechpoint.app/customer-engineering/wallarm
- **Issues**: Use GitLab issue tracker for bug reports
- **Issues**: Use the issue tracker for bug reports
- **Documentation**: [Wallarm Official Documentation](https://docs.wallarm.com/)
---
*Last Updated: 2026-03-24*
*Version: 1.2*
*For use with Wallarm Node 6.11.0-rc1 and Docker 29.2.1*