From 14dadd073597af1a051989da7d0dfe9a7eb32811 Mon Sep 17 00:00:00 2001 From: SechPoint Date: Wed, 11 Mar 2026 12:03:08 +0000 Subject: [PATCH] Initial commit of Wallarm deployment toolkit --- .DS_Store | Bin 0 -> 6148 bytes README.md | 124 ++++++++++++++++++++- container-deployment/install.sh | 120 +++++++++++++++++++++ container-deployment/install_app1.sh | 129 ++++++++++++++++++++++ container-deployment/install_app2.sh | 120 +++++++++++++++++++++ container-deployment/pre-flight-chck.sh | 63 +++++++++++ network-pre-check.sh | 0 vm-deployment/auto-config.sh | 45 ++++++++ vm-deployment/install.sh | 136 ++++++++++++++++++++++++ wallarm/notes.md | 4 + 10 files changed, 736 insertions(+), 5 deletions(-) create mode 100644 .DS_Store create mode 100644 container-deployment/install.sh create mode 100644 container-deployment/install_app1.sh create mode 100644 container-deployment/install_app2.sh create mode 100644 container-deployment/pre-flight-chck.sh create mode 100644 network-pre-check.sh create mode 100644 vm-deployment/auto-config.sh create mode 100644 vm-deployment/install.sh create mode 100644 wallarm/notes.md diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..6856856d1d3960908e22376810fb5fabf87e89a2 GIT binary patch literal 6148 zcmeHKIZnht5Uhp`RwCJefN(xQzz?j|@&Y~ptO<||MjQc|Bi_Z+s6G(fRfl46 zJI`;C4(k#%N&zV_SKu_48?XP@^gsIlIY}!iAO(&}0bA{Ec3VEFYU|>0UTYiumhL&< sbT`g}!Xe5rG0HI)UXCv!Df61ox!)B|i9u&P=tTVtxGpj&@ZSpj0E&wlVgLXD literal 0 HcmV?d00001 diff --git a/README.md b/README.md index 047477f..df8d060 100644 --- a/README.md +++ b/README.md 
@@ -1,8 +1,122 @@ -# Sample GitLab Project +# ๐Ÿ›ก๏ธ Wallarm Deployment Toolkit -This sample project shows how a project in GitLab looks for demonstration purposes. It contains issues, merge requests and Markdown files in many branches, -named and filled with lorem ipsum. +This repository contains automated scripts to deploy the Wallarm Filtering Node in various environments. Whether you are using a virtual machine (NGINX Dynamic Module) or a containerized environment (Docker/Podman), these scripts ensure a "Bank-Grade" configuration. -You can look around to get an idea how to structure your project and, when done, you can safely delete this project. +**Repository:** `https://git.sechpoint.app/customer-engineering/wallarm` -[Learn more about creating GitLab projects.](https://docs.gitlab.com/ee/gitlab-basics/create-project.html) +--- + +## ๐Ÿšฆ Step 1: Network Pre-Check (Crucial) + +Before attempting any installation, you **must** verify that the server has egress access to Wallarm's Cloud and the official NGINX repositories. Banks often block these by default. + +1. **Navigate to the script:** + +```bash +cd ~/wallarm/ +``` + +2. **Run the audit:** + +```bash +chmod +x network-pre-check.sh + +sudo ./network-pre-check.sh +``` + +3. **Result:** If you see any **RED** "FAIL" messages, contact the network team to whitelist the listed IPs/Hostnames on Port 443. **Do not proceed until all checks are GREEN.** +--- +## ๐Ÿ› ๏ธ Step 2: Choose Your Deployment Method + +Depending on your architecture, choose **one** of the following methods. +### Option A: Virtual Machine (Native NGINX Module) +*Best for: Maximum performance, high-traffic production, or existing NGINX servers.* +1. **Configure:** Open the install script and set your `TOKEN` and `USE_CASE` (in-line or out-of-band). +```bash +nano ~/wallarm/installation-vm/install.sh +``` +2. 
**Run:** +```bash +chmod +x ~/wallarm/installation-vm/install.sh + +sudo ~/wallarm/installation-vm/install.sh +``` + +### Option B: Containerized (Docker / Podman) + +*Best for: Rapid PoC, testing, or environments where you don't want to modify the host OS packages.* +1. **Configure:** Open the install script and set your `TOKEN` and `UPSTREAM` IP. + +```bash +nano ~/wallarm/installation-docker/install.sh +``` + +2. **Run:** +```bash +chmod +x ~/wallarm/installation-docker/install.sh + +sudo ~/wallarm/installation-docker/install.sh +``` + +**Observation on scaling the Docker / Podman (Containerized) deployment** +You can run multiple instances by changing the `NODE_NAME` and `TRAFFIC_PORT`/`MONITOR_PORT` variables. This allows you to serve different backends on one host. + +--- +## โš™๏ธ Configuration Variables +Inside each `install.sh` script, you will find a **Configuration** section at the top. You must update these: + +|**Variable**|**Description**|**Example**| +|---|---|---| +|`NODE_NAME`|A unique identifier for the instance (useful for containerized deployments).|`wallarm-prod-01`| +|`TRAFFIC_PORT`|The host port where the node listens for incoming application traffic.|`8000`| +|`MONITOR_PORT`|The host port used to expose Wallarm metrics (Prometheus/JSON format).|`9000`| +|`TOKEN`|The unique API Token generated in the Wallarm Console.|`vPHB+Ygn...`| +|`REGION`|The Wallarm Cloud location associated with your account (`EU` or `US`).|`US`| +|`UPSTREAM`|The internal IP or hostname of the application server being protected.|`10.0.0.14`| +|`USE_CASE`|(VM only) Sets the mode: `in-line` (active filtering) or `out-of-band` (monitoring).|`in-line`| + +--- +### Deployment Flow Overview + +When you deploy the node using these variables, the traffic typically flows as follows: +1. **Incoming Traffic:** Hits the `TRAFFIC_PORT`. +2. **Filtering:** The node uses the `TOKEN` to sync security rules from the Wallarm Cloud (based on your `REGION`). +3. 
**Forwarding:** Valid traffic is sent to the `UPSTREAM` IP. +4. **Monitoring:** System health and security metrics are pulled via the `MONITOR_PORT`. +--- +## ๐Ÿงช Post-Installation Test + +Once the script finishes, verify the WAF is working by sending a "fake" attack: + +```bash +# Replace localhost with your server IP if testing remotely + +curl -I http://localhost/etc/passwd +``` + +## ๐Ÿ“Š Sizing & Performance Specs + +For a standard deployment (Postanalytics + NGINX on one host), we recommend the following: +### Resource Allocation & Performance + +| **Resource** | **Primary Consumer** | **Performance Note** | +| ------------------- | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | +| **CPU** (2 Cores) | **NGINX & Postanalytics** | One core typically handles the NGINX filtering, while the second manages `wstore` (local data analytics). This setup safely handles ~1,000 RPS. | +| **RAM** (4 GB) | **`wstore` (Tarantool)** | Wallarm uses an in-memory circular buffer for request analysis. At 4GB, you can store roughly 15โ€“20 minutes of request metadata for analysis. | +| **Storage** (50 GB) | **Log Buffering** | Required for local attack logs and the postanalytics module. SSD is mandatory to prevent I/O wait times from slowing down request processing. | + +--- + +### Scaling Indicators + +If you notice your traffic increasing beyond these specs, here is when you should consider upgrading: + +- **High CPU Usage (>70%):** Usually indicates you have reached the RPS limit for your core count or are processing highly complex, nested payloads (like large JSON or Base64-encoded data). + +- **Memory Pressure:** If you see `wstore` dropping data before the 15-minute mark, it means your traffic volume (data per minute) is exceeding the 4GB buffer. 
+ +- **Disk Latency:** If you see "I/O Wait" in your system monitoring, it will directly cause latency for your end users, as NGINX cannot clear its buffers fast enough. + +> [!TIP] + +> **Performance Note:** One CPU core typically handles **500 RPS**. In a 2-core setup, one core is dedicated to NGINX (filtering) and one core to `wstore` (local analytics). For production spikes, we recommend 2x headroom. \ No newline at end of file diff --git a/container-deployment/install.sh b/container-deployment/install.sh new file mode 100644 index 0000000..f16b2c3 --- /dev/null +++ b/container-deployment/install.sh 
@@ -0,0 +1,120 @@
+#!/bin/bash
+# ==============================================================================
+# Wallarm PoC: Multi-Instance Safe Deployer (Podman/Docker)
+# ==============================================================================
+
+# --- Instance Configuration ---
+NODE_NAME="wallarm-01"
+TRAFFIC_PORT="8000"
+MONITOR_PORT="9000"
+
+# --- UPSTREAM SETTINGS ---
+UPSTREAM_IP="10.0.0.14" # Internal Application IP
+UPSTREAM_PORT="6042" # Internal Application Port
+
+# --- CLOUD SETTINGS ---
+TOKEN="YOUR_NODE_TOKEN_HERE"
+REGION="EU" # US or EU
+
+# --- Colors ---
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+echo -e "${YELLOW}๐Ÿ” PHASE 0: Pre-Flight Connectivity Checks...${NC}"
+
+# 1. Root Check
+[[ $EUID -ne 0 ]] && { echo -e "${RED}โŒ ERROR: Run as root.${NC}"; exit 1; }
+
+# 2. Specific Upstream Port Check
+echo -n "Verifying connectivity to $UPSTREAM_IP on port $UPSTREAM_PORT... "
+if ! timeout 3 bash -c "cat < /dev/null > /dev/tcp/$UPSTREAM_IP/$UPSTREAM_PORT" 2>/dev/null; then
+ echo -e "${RED}FAILED${NC}"
+ echo -e "${RED}โŒ ERROR: The VM cannot reach the application on port $UPSTREAM_PORT.${NC}"
+ echo -e "${YELLOW}Action: Ask the bank's Network Team to open egress to $UPSTREAM_IP:$UPSTREAM_PORT.${NC}"
+ exit 1
+else
+ echo -e "${GREEN}OK${NC}"
+fi
+
+# 3. Wallarm Cloud Check
+API_HOST=$( [[ "$REGION" == "US" ]] && echo "us1.api.wallarm.com" || echo "api.wallarm.com" )
+if ! curl -s --connect-timeout 5 "https://$API_HOST" > /dev/null; then
+ echo -e "${RED}โŒ ERROR: Cannot reach Wallarm Cloud ($API_HOST). Check Proxy settings.${NC}"
+ exit 1
+fi
+
+# --- PHASE 1: Engine Setup ---
+if [ -f /etc/redhat-release ]; then
+ ENGINE="podman"
+ dnf install -y epel-release
+ dnf install -y podman podman-docker podman-compose wget curl
+ systemctl enable --now podman.socket
+ # Open OS Firewalld for incoming traffic
+ firewall-cmd --permanent --add-port=$TRAFFIC_PORT/tcp
+ firewall-cmd --permanent --add-port=$MONITOR_PORT/tcp
+ firewall-cmd --reload
+elif [ -f /etc/debian_version ]; then
+ ENGINE="docker"
+ apt update && apt install -y docker.io docker-compose wget curl
+ systemctl enable --now docker
+else
+ echo -e "${RED}โŒ Unsupported OS${NC}"; exit 1
+fi
+
+COMPOSE_CMD=$([[ "$ENGINE" == "podman" ]] && echo "podman-compose" || echo "docker-compose")
+
+# --- PHASE 2: Instance Workspace ---
+INSTANCE_DIR="/opt/wallarm/$NODE_NAME"
+mkdir -p "$INSTANCE_DIR"
+
+# Generate Nginx Config using the specific Upstream Port
+cat < "$INSTANCE_DIR/nginx.conf"
+server {
+ listen 80;
+ wallarm_mode monitoring;
+
+ location / {
+ proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ }
+}
+server {
+ listen 90;
+ location /wallarm-status {
+ wallarm_status on;
+ allow all;
+ }
+}
+EOF
+
+# Compose File with SELinux ( :Z ) flag
+cat < "$INSTANCE_DIR/conf.yml"
+version: '3.8'
+services:
+ $NODE_NAME:
+ image: docker.io/wallarm/node:4.10-latest
+ container_name: $NODE_NAME
+ restart: always
+ ports:
+ - "$TRAFFIC_PORT:80"
+ - "$MONITOR_PORT:90"
+ environment:
+ - WALLARM_API_TOKEN=$TOKEN
+ - WALLARM_API_HOST=$API_HOST
+ volumes:
+ - ./nginx.conf:/etc/nginx/http.d/default.conf:ro,Z
+EOF
+
+# --- PHASE 3: Launch ---
+echo -e "${YELLOW}๐Ÿš€ Launching Wallarm Instance...${NC}"
+cd "$INSTANCE_DIR"
+$COMPOSE_CMD -f conf.yml up -d
+
+echo -e "\n${GREEN}โœ… DEPLOYMENT COMPLETE${NC}"
+echo -e "External Port: $TRAFFIC_PORT -> Internal: $UPSTREAM_IP:$UPSTREAM_PORT"
+echo -e "View real-time logs: $ENGINE logs -f $NODE_NAME"
\ No newline at end of file
diff --git a/container-deployment/install_app1.sh b/container-deployment/install_app1.sh
new file mode 100644
index 0000000..c9ac4b2
--- /dev/null
+++ b/container-deployment/install_app1.sh
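Review bot: The `/wallarm-status` server in the generated nginx.conf uses `allow all;`, is published on every interface by `- "$MONITOR_PORT:90"`, and on RHEL the port is opened permanently with `firewall-cmd --permanent --add-port=$MONITOR_PORT/tcp`, so node metrics are reachable from the network, whereas vm-deployment/install.sh and auto-config.sh restrict the same location to `allow 127.0.0.1; deny all;`. Binding the publish to loopback, `- "127.0.0.1:$MONITOR_PORT:90"`, and dropping the firewall rule for that port keeps the endpoint local; if a remote scraper is intended, an explicit allow-list beats `allow all`. The node token is also written in clear into `$INSTANCE_DIR/conf.yml` under a directory created by `mkdir -p` with default permissions, so `chmod 700 "$INSTANCE_DIR"` plus a guard such as `[[ "$TOKEN" == "YOUR_NODE_TOKEN_HERE" ]] && { echo "set TOKEN first" >&2; exit 1; }` before PHASE 1 are worth adding. container-deployment/install_app2.sh is a byte-identical copy (same blob f16b2c3) and install_app1.sh emits the same `allow all` status block, so the same applies there. As rendered here the heredoc openers read `cat < "$INSTANCE_DIR/nginx.conf"`; presumably the file has `cat <<EOF >`, otherwise the `EOF` terminators have nothing to close.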
@@ -0,0 +1,129 @@
+#!/bin/bash
+# ==============================================================================
+# Wallarm PoC: Interactive "KISS" Deployer (Keystone Bank Edition)
+# ==============================================================================
+
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+clear
+echo -e "${YELLOW}====================================================${NC}"
+echo -e "${YELLOW} Wallarm Guided Instance Deployer (US Cloud) ${NC}"
+echo -e "${YELLOW}====================================================${NC}\n"
+
+# --- 1. THE ID ---
+echo -e "Existing Instances in /opt/wallarm/:"
+ls /opt/wallarm/ 2>/dev/null || echo "None"
+echo ""
+
+read -p "Enter Instance ID number (e.g., 1, 2, 3): " INSTANCE_ID
+
+NODE_NAME=$(printf "wallarm-%02d" $INSTANCE_ID)
+TRAFFIC_PORT=$((8000 + INSTANCE_ID))
+MONITOR_PORT=$((9000 + INSTANCE_ID))
+
+# --- 2. CONFIGURATION ---
+read -p "Enter Upstream IP (App Server): " UPSTREAM_IP
+read -p "Enter Upstream Port [default 80]: " UPSTREAM_PORT
+UPSTREAM_PORT=${UPSTREAM_PORT:-80}
+
+# Hardcoded US Endpoints
+API_HOST="us1.api.wallarm.com"
+DATA_NODE="node-data0.us1.wallarm.com"
+
+read -p "Paste Wallarm Token (US Cloud): " TOKEN
+
+# --- 3. PRE-FLIGHT VALIDATION ---
+echo -e "\n${YELLOW}๐Ÿ” Starting Pre-Flight Connectivity Checks...${NC}"
+
+# A. Internal Check
+echo -n "Checking App Server ($UPSTREAM_IP:$UPSTREAM_PORT)... "
+if ! timeout 2 bash -c "cat < /dev/null > /dev/tcp/$UPSTREAM_IP/$UPSTREAM_PORT" 2>/dev/null; then
+ echo -e "${RED}FAILED${NC}"; exit 1
+else
+ echo -e "${GREEN}OK${NC}"
+fi
+
+# B. Wallarm API Check
+echo -n "Checking Wallarm API ($API_HOST)... "
+if ! curl -s --connect-timeout 5 "https://$API_HOST" > /dev/null; then
+ echo -e "${RED}FAILED${NC}"; exit 1
+else
+ echo -e "${GREEN}OK${NC}"
+fi
+
+# C. Wallarm Data Node Check (Critical for events)
+echo -n "Checking Wallarm Data Node ($DATA_NODE)... "
+if ! timeout 3 bash -c "cat < /dev/null > /dev/tcp/$DATA_NODE/443" 2>/dev/null; then
+ echo -e "${RED}FAILED${NC}"
+ echo -e "${RED}โŒ ERROR: Data transmission to Wallarm is blocked.${NC}"
+ echo -e "${YELLOW}Action: Whitelist IPs 34.96.64.17 and 34.110.183.149 on Port 443.${NC}"; exit 1
+else
+ echo -e "${GREEN}OK${NC}"
+fi
+
+# --- 4. ENGINE SETUP ---
+if [ -f /etc/redhat-release ]; then
+ ENGINE="podman"
+ dnf install -y epel-release podman podman-docker podman-compose wget curl &>/dev/null
+ systemctl enable --now podman.socket &>/dev/null
+ firewall-cmd --permanent --add-port=$TRAFFIC_PORT/tcp --add-port=$MONITOR_PORT/tcp &>/dev/null
+ firewall-cmd --reload &>/dev/null
+else
+ ENGINE="docker"
+ apt update && apt install -y docker.io docker-compose wget curl &>/dev/null
+ systemctl enable --now docker &>/dev/null
+fi
+COMPOSE_CMD=$([[ "$ENGINE" == "podman" ]] && echo "podman-compose" || echo "docker-compose")
+
+# --- 5. WORKSPACE & CONFIG ---
+INSTANCE_DIR="/opt/wallarm/$NODE_NAME"
+mkdir -p "$INSTANCE_DIR"
+
+cat < "$INSTANCE_DIR/nginx.conf"
+server {
+ listen 80;
+ wallarm_mode monitoring;
+ location / {
+ proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ }
+}
+server { listen 90; location /wallarm-status { wallarm_status on; allow all; } }
+EOF
+
+cat < "$INSTANCE_DIR/conf.yml"
+version: '3.8'
+services:
+ $NODE_NAME:
+ image: docker.io/wallarm/node:4.10-latest
+ container_name: $NODE_NAME
+ restart: always
+ ports: ["$TRAFFIC_PORT:80", "$MONITOR_PORT:90"]
+ environment:
+ - WALLARM_API_TOKEN=$TOKEN
+ - WALLARM_API_HOST=$API_HOST
+ volumes: ["./nginx.conf:/etc/nginx/http.d/default.conf:ro,Z"]
+EOF
+
+# --- 6. LAUNCH ---
+echo -e "${YELLOW}๐Ÿš€ Launching $NODE_NAME...${NC}"
+cd "$INSTANCE_DIR"
+$COMPOSE_CMD -f conf.yml up -d
+
+# --- 7. VERIFICATION ---
+echo -e "\n${YELLOW}โณ Waiting for handshake...${NC}"
+sleep 5
+if curl -s "http://localhost:$MONITOR_PORT/wallarm-status" | grep -q "requests"; then
+ echo -e "${GREEN}โœ… SUCCESS: $NODE_NAME IS LIVE AND INSPECTING TRAFFIC${NC}"
+else
+ echo -e "${RED}โš ๏ธ WARNING: Handshake slow. Check: $ENGINE logs $NODE_NAME${NC}"
+fi
+
+echo -e "--------------------------------------------------"
+echo -e "Traffic URL: http://:$TRAFFIC_PORT"
+echo -e "--------------------------------------------------"
\ No newline at end of file
diff --git a/container-deployment/install_app2.sh b/container-deployment/install_app2.sh
new file mode 100644
index 0000000..f16b2c3
--- /dev/null
+++ b/container-deployment/install_app2.sh
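Review bot: The token is collected with `read -p "Paste Wallarm Token (US Cloud): " TOKEN`, which echoes the secret to the terminal and its scrollback; `read -r -s -p "Paste Wallarm Token (US Cloud): " TOKEN; echo` keeps it off-screen. `INSTANCE_ID`, `UPSTREAM_IP` and `UPSTREAM_PORT` are used unvalidated in `printf "wallarm-%02d" $INSTANCE_ID`, `$((8000 + INSTANCE_ID))`, the `bash -c "... /dev/tcp/$UPSTREAM_IP/$UPSTREAM_PORT"` strings and the generated nginx.conf, so a typo surfaces as an arithmetic or printf error rather than a clear message. A guard such as `[[ "$INSTANCE_ID" =~ ^[0-9]+$ ]] || { echo "Instance ID must be numeric" >&2; exit 1; }` (with similar host and port patterns) before section 2 would fix that, and passing the host and port to the probe as `"$@"` arguments instead of interpolating them into the `bash -c` string avoids shell interpretation of the value. Unlike install.sh this script has no root check and its `else` branch assumes a Debian host for anything that is not RHEL, while the `&>/dev/null` on the `dnf`/`apt` lines hides why an install failed. The final `Traffic URL: http://:$TRAFFIC_PORT` has no host between `//` and `:`, which may be an extraction artifact.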
@@ -0,0 +1,120 @@
+#!/bin/bash
+# ==============================================================================
+# Wallarm PoC: Multi-Instance Safe Deployer (Podman/Docker)
+# ==============================================================================
+
+# --- Instance Configuration ---
+NODE_NAME="wallarm-01"
+TRAFFIC_PORT="8000"
+MONITOR_PORT="9000"
+
+# --- UPSTREAM SETTINGS ---
+UPSTREAM_IP="10.0.0.14" # Internal Application IP
+UPSTREAM_PORT="6042" # Internal Application Port
+
+# --- CLOUD SETTINGS ---
+TOKEN="YOUR_NODE_TOKEN_HERE"
+REGION="EU" # US or EU
+
+# --- Colors ---
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+echo -e "${YELLOW}๐Ÿ” PHASE 0: Pre-Flight Connectivity Checks...${NC}"
+
+# 1. Root Check
+[[ $EUID -ne 0 ]] && { echo -e "${RED}โŒ ERROR: Run as root.${NC}"; exit 1; }
+
+# 2. Specific Upstream Port Check
+echo -n "Verifying connectivity to $UPSTREAM_IP on port $UPSTREAM_PORT... "
+if ! timeout 3 bash -c "cat < /dev/null > /dev/tcp/$UPSTREAM_IP/$UPSTREAM_PORT" 2>/dev/null; then
+ echo -e "${RED}FAILED${NC}"
+ echo -e "${RED}โŒ ERROR: The VM cannot reach the application on port $UPSTREAM_PORT.${NC}"
+ echo -e "${YELLOW}Action: Ask the bank's Network Team to open egress to $UPSTREAM_IP:$UPSTREAM_PORT.${NC}"
+ exit 1
+else
+ echo -e "${GREEN}OK${NC}"
+fi
+
+# 3. Wallarm Cloud Check
+API_HOST=$( [[ "$REGION" == "US" ]] && echo "us1.api.wallarm.com" || echo "api.wallarm.com" )
+if ! curl -s --connect-timeout 5 "https://$API_HOST" > /dev/null; then
+ echo -e "${RED}โŒ ERROR: Cannot reach Wallarm Cloud ($API_HOST). Check Proxy settings.${NC}"
+ exit 1
+fi
+
+# --- PHASE 1: Engine Setup ---
+if [ -f /etc/redhat-release ]; then
+ ENGINE="podman"
+ dnf install -y epel-release
+ dnf install -y podman podman-docker podman-compose wget curl
+ systemctl enable --now podman.socket
+ # Open OS Firewalld for incoming traffic
+ firewall-cmd --permanent --add-port=$TRAFFIC_PORT/tcp
+ firewall-cmd --permanent --add-port=$MONITOR_PORT/tcp
+ firewall-cmd --reload
+elif [ -f /etc/debian_version ]; then
+ ENGINE="docker"
+ apt update && apt install -y docker.io docker-compose wget curl
+ systemctl enable --now docker
+else
+ echo -e "${RED}โŒ Unsupported OS${NC}"; exit 1
+fi
+
+COMPOSE_CMD=$([[ "$ENGINE" == "podman" ]] && echo "podman-compose" || echo "docker-compose")
+
+# --- PHASE 2: Instance Workspace ---
+INSTANCE_DIR="/opt/wallarm/$NODE_NAME"
+mkdir -p "$INSTANCE_DIR"
+
+# Generate Nginx Config using the specific Upstream Port
+cat < "$INSTANCE_DIR/nginx.conf"
+server {
+ listen 80;
+ wallarm_mode monitoring;
+
+ location / {
+ proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ }
+}
+server {
+ listen 90;
+ location /wallarm-status {
+ wallarm_status on;
+ allow all;
+ }
+}
+EOF
+
+# Compose File with SELinux ( :Z ) flag
+cat < "$INSTANCE_DIR/conf.yml"
+version: '3.8'
+services:
+ $NODE_NAME:
+ image: docker.io/wallarm/node:4.10-latest
+ container_name: $NODE_NAME
+ restart: always
+ ports:
+ - "$TRAFFIC_PORT:80"
+ - "$MONITOR_PORT:90"
+ environment:
+ - WALLARM_API_TOKEN=$TOKEN
+ - WALLARM_API_HOST=$API_HOST
+ volumes:
+ - ./nginx.conf:/etc/nginx/http.d/default.conf:ro,Z
+EOF
+
+# --- PHASE 3: Launch ---
+echo -e "${YELLOW}๐Ÿš€ Launching Wallarm Instance...${NC}"
+cd "$INSTANCE_DIR"
+$COMPOSE_CMD -f conf.yml up -d
+
+echo -e "\n${GREEN}โœ… DEPLOYMENT COMPLETE${NC}"
+echo -e "External Port: $TRAFFIC_PORT -> Internal: $UPSTREAM_IP:$UPSTREAM_PORT"
+echo -e "View real-time logs: $ENGINE logs -f $NODE_NAME"
\ No newline at end of file
diff --git a/container-deployment/pre-flight-chck.sh b/container-deployment/pre-flight-chck.sh
new file mode 100644
index 0000000..3e8264c
--- /dev/null
+++ b/container-deployment/pre-flight-chck.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# ==============================================================================
+# Wallarm Pre-Flight Check
+# Purpose: Validate Environment before Container Deployment
+# ==============================================================================
+
+UPSTREAM_IP="10.0.0.14"
+UPSTREAM_PORT="80"
+WALLARM_API="api.wallarm.com"
+
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+echo -e "${YELLOW}๐Ÿ” Starting Pre-Flight Checks...${NC}\n"
+
+# 1. Check Root
+[[ $EUID -ne 0 ]] && echo -e "${RED}โŒ Fail: Must run as root${NC}" || echo -e "${GREEN}โœ… Pass: Root privileges${NC}"
+
+# 2. Check OS (CentOS/RHEL focus)
+if [ -f /etc/redhat-release ]; then
+ echo -e "${GREEN}โœ… Pass: CentOS/RHEL detected ($(cat /etc/redhat-release))${NC}"
+else
+ echo -e "${YELLOW}โš ๏ธ Warn: Not a RedHat-based system. Script 1 may need tweaks.${NC}"
+fi
+
+# 3. Check SELinux Status
+SE_STATUS=$(getenforce)
+if [ "$SE_STATUS" == "Enforcing" ]; then
+ echo -e "${YELLOW}โš ๏ธ Note: SELinux is Enforcing. Ensure volume mounts use the :Z flag.${NC}"
+else
+ echo -e "${GREEN}โœ… Pass: SELinux is $SE_STATUS${NC}"
+fi
+
+# 4. Check Upstream Connectivity (The most important check)
+echo -n "Checking connectivity to Upstream ($UPSTREAM_IP:$UPSTREAM_PORT)... "
+nc -zv -w5 $UPSTREAM_IP $UPSTREAM_PORT &>/dev/null
+if [ $? -eq 0 ]; then
+ echo -e "${GREEN}โœ… Connected${NC}"
+else
+ echo -e "${RED}โŒ FAILED: Cannot reach Upstream app. Check Routing/Firewalls.${NC}"
+fi
+
+# 5. Check Wallarm Cloud Connectivity
+echo -n "Checking connectivity to Wallarm API ($WALLARM_API)... "
+curl -s --connect-timeout 5 https://$WALLARM_API &>/dev/null
+if [ $? -eq 0 ] || [ $? -eq 45 ]; then # 45 is common if no auth, but shows port 443 is open
+ echo -e "${GREEN}โœ… Connected${NC}"
+else
+ echo -e "${RED}โŒ FAILED: Cannot reach Wallarm Cloud. Check Proxy/Egress.${NC}"
+fi
+
+# 6. Check Port Availability
+for PORT in 8000 9000; do
+ if lsof -Pi :$PORT -sTCP:LISTEN -t >/dev/null ; then
+ echo -e "${RED}โŒ FAILED: Port $PORT is already in use.${NC}"
+ else
+ echo -e "${GREEN}โœ… Pass: Port $PORT is free${NC}"
+ fi
+done
+
+echo -e "\n${YELLOW}Pre-flight complete. If all are GREEN, proceed to deployment.${NC}"
\ No newline at end of file
diff --git a/network-pre-check.sh b/network-pre-check.sh
new file mode 100644
index 0000000..e69de29
diff --git a/vm-deployment/auto-config.sh b/vm-deployment/auto-config.sh
new file mode 100644
index 0000000..f34c42d
--- /dev/null
+++ b/vm-deployment/auto-config.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# 1. Define Backend
+APP_SERVER="10.0.14.24:80"
+
+echo "๐Ÿ› ๏ธ Configuring Wallarm Inline Proxy..."
+
+# 2. Write the configuration
+sudo bash -c "cat << 'EOF' > /etc/nginx/sites-available/default
+server {
+ listen 80 default_server;
+ server_name _;
+
+ wallarm_mode monitoring;
+
+ location / {
+ proxy_pass http://$APP_SERVER;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ }
+
+ location /wallarm-status {
+ wallarm_status on;
+ wallarm_mode off;
+ allow 127.0.0.1;
+ deny all;
+ }
+}
+EOF"
+
+# 3. Ensure the site is enabled (Ubuntu requirement)
+sudo ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
+
+# 4. Test and Reload
+echo "๐Ÿ” Testing Nginx..."
+if sudo nginx -t; then
+ sudo systemctl restart nginx
+ echo "โœ… SUCCESS: Proxying to $APP_SERVER"
+ curl -X GET "http://localhost" -H "accept: application/json"
+ curl -I "http://localhost/etc/passwd"
+else
+ echo "โŒ ERROR: Nginx config invalid."
+ exit 1
+fi
\ No newline at end of file
diff --git a/vm-deployment/install.sh b/vm-deployment/install.sh
new file mode 100644
index 0000000..e1e4ce5
--- /dev/null
+++ b/vm-deployment/install.sh
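Review bot: In check 5 the second test of `if [ $? -eq 0 ] || [ $? -eq 45 ]` reads the exit status of the first `[ ]`, not of curl, so the `45` branch can never match; capture the status once with `rc=$?` on the line after the `curl` and compare `"$rc"`. Treating 45 as success is also doubtful: curl exit 45 means the requested outgoing interface could not be used, not an auth-related response, and with plain `-s` (no `-f`) an HTTP 401/403 already exits 0, so `[ "$rc" -eq 0 ]` alone is the right test and the trailing comment should go. Check 4's `$?`-after-command form works but `if nc -zv -w5 "$UPSTREAM_IP" "$UPSTREAM_PORT" &>/dev/null; then` is clearer, and `getenforce`, `nc` and `lsof` are assumed present without a `command -v` probe, so on a host missing one of them the corresponding check silently reports the wrong thing. Separately, the README's Step 1 runs `network-pre-check.sh`, which this commit adds as an empty file (blob e69de29) while the actual checks live here under a misspelled `pre-flight-chck.sh`, and a macOS `.DS_Store` is committed alongside.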
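Review bot: `APP_SERVER="10.0.14.24:80"` does not match the upstream used everywhere else in this commit (`10.0.0.14` in the install scripts and `10.0.0.14:80` in wallarm/notes.md); it looks like a transposed octet and should be confirmed before the script is pointed at a production backend. The config is written to `/etc/nginx/sites-available/default` and symlinked into `sites-enabled`, but vm-deployment/install.sh installs NGINX from the nginx.org packages, whose stock nginx.conf (as far as I know) includes only `/etc/nginx/conf.d/*.conf`, so on that layout `nginx -t` passes, the script prints SUCCESS and runs its two self-test `curl`s, yet the Wallarm proxy block is never loaded; writing `/etc/nginx/conf.d/wallarm-proxy.conf` as install.sh does, or checking `grep -q sites-enabled /etc/nginx/nginx.conf` first, would make the two scripts agree. The banner says "Inline Proxy" while the server block sets `wallarm_mode monitoring`, which is reasonable for a PoC but deserves a comment such as `# monitoring only: switch to 'block' once the traffic profile is confirmed`. The nested quoting in `sudo bash -c "cat << 'EOF' > ... EOF"` works only because the outer double quotes expand `$APP_SERVER` and turn `\$host` into `$host` before the inner quoted heredoc sees them; a one-line comment saying so, or a plain `sudo tee` with an unquoted heredoc, would make it less fragile.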
@@ -0,0 +1,136 @@
+#!/bin/bash
+# ==============================================================================
+# Wallarm Native Deployer: NGINX Dynamic Module (Official Repo)
+# Supports: RHEL/Alma/Rocky (9.x) & Ubuntu/Debian
+# ==============================================================================
+
+# --- User Configuration ---
+USE_CASE="in-line" # Options: "in-line" or "out-of-band"
+TOKEN="vPHB+Ygn1ia/wg+NV49tOq3Ndf10K0sO6MgU+FzQdx7M8bW93UpAV7zfq0cZF/+3"
+REGION="EU" # US or EU
+UPSTREAM="10.0.0.14"
+
+# --- Colors ---
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+# --- ROOT CHECK ---
+if [[ $EUID -ne 0 ]]; then
+ echo -e "${RED}โŒ ERROR: Run as root.${NC}"; exit 1
+fi
+
+# --- PHASE 0: Official NGINX Repo Setup ---
+echo -e "${YELLOW}๐Ÿ› ๏ธ Step 0: Setting up Official NGINX Repository...${NC}"
+
+if [ -f /etc/redhat-release ]; then
+ yum install -y yum-utils
+ cat < /etc/yum.repos.d/nginx.repo
+[nginx-stable]
+name=nginx stable repo
+baseurl=http://nginx.org/packages/mainline/centos/\$releasever/\$basearch/
+gpgcheck=1
+enabled=1
+gpgkey=https://nginx.org/keys/nginx_signing.key
+module_hotfixes=true
+EOF
+ yum install -y nginx
+elif [ -f /etc/debian_version ]; then
+ apt update && apt install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring
+ curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+ CODENAME=$(lsb_release -cs)
+ DISTRO=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
+ echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/mainline/$DISTRO/ $CODENAME nginx" | tee /etc/apt/sources.list.d/nginx.list
+ apt update && apt install -y nginx
+else
+ echo -e "${RED}โŒ Unsupported OS${NC}"; exit 1
+fi
+
+systemctl enable --now nginx
+
+# --- PHASE 1: Wallarm All-In-One Installer ---
+echo -e "${YELLOW}๐Ÿ“ฆ Step 1: Running Wallarm All-in-One Installer...${NC}"
+API_HOST=$( [[ "$REGION" == "US" ]] && echo "us1.api.wallarm.com" || echo "api.wallarm.com" )
+
+# Download the latest installer (4.10 branch)
+curl -O https://meganode.wallarm.com/native/all-in-one/wallarm-4.10.10.x86_64-linux.sh
+chmod +x wallarm-4.10.10.x86_64-linux.sh
+
+./wallarm-4.10.10.x86_64-linux.sh \
+ --no-interactive \
+ --token "$TOKEN" \
+ --host "$API_HOST" \
+ --nginx-bundle
+
+# --- PHASE 2: Logic-Based Configuration ---
+echo -e "${YELLOW}โš™๏ธ Step 2: Building NGINX Config for $USE_CASE Mode...${NC}"
+
+# Ensure module is loaded
+if ! grep -q "load_module" /etc/nginx/nginx.conf; then
+ sed -i '1i load_module modules/ngx_http_wallarm_module.so;' /etc/nginx/nginx.conf
+fi
+
+if [[ "$USE_CASE" == "in-line" ]]; then
+ # Standard Reverse Proxy with Blocking capability
+ cat < /etc/nginx/conf.d/wallarm-proxy.conf
+server {
+ listen 80;
+ server_name _;
+ wallarm_mode monitoring; # Change to 'block' after testing
+
+ location / {
+ proxy_pass http://$UPSTREAM;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ }
+}
+EOF
+elif [[ "$USE_CASE" == "out-of-band" ]]; then
+ # OOB (Passive) Mode using Nginx Mirror
+ cat < /etc/nginx/conf.d/wallarm-proxy.conf
+server {
+ listen 80;
+ server_name _;
+
+ location / {
+ # Mirror traffic to a background internal location for Wallarm
+ mirror /mirror;
+ proxy_pass http://$UPSTREAM;
+ }
+
+ location = /mirror {
+ internal;
+ # Wallarm processes mirrored traffic here
+ wallarm_mode monitoring;
+ wallarm_upstream_connect_timeout 2s;
+ proxy_pass http://127.0.0.1:1; # Dummy upstream
+ }
+}
+EOF
+fi
+
+# Add Wallarm Monitoring status location (standard for both)
+cat < /etc/nginx/conf.d/wallarm-status.conf
+server {
+ listen 90;
+ server_name localhost;
+ location /wallarm-status {
+ wallarm_status on;
+ wallarm_mode off;
+ allow 127.0.0.1;
+ deny all;
+ }
+}
+EOF
+
+# --- PHASE 3: Validation ---
+echo -e "${YELLOW}๐Ÿš€ Step 3: Validating and Restarting...${NC}"
+nginx -t && systemctl restart nginx
+
+echo -e "\n${GREEN}โœ… DEPLOYMENT SUCCESSFUL ($USE_CASE)${NC}"
+echo -e "--------------------------------------------------"
+echo -e "NGINX Version: $(nginx -v 2>&1)"
+echo -e "Wallarm Status: curl http://localhost:90/wallarm-status"
+echo -e "--------------------------------------------------"
\ No newline at end of file
diff --git a/wallarm/notes.md b/wallarm/notes.md
new file mode 100644
index 0000000..9c83179
--- /dev/null
+++ b/wallarm/notes.md
@@ -0,0 +1,4 @@
+app1:
+- url: shorty.sechpoint.app
+- ip: 10.0.0.14:80
+-
\ No newline at end of file
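Review bot: The `TOKEN=` line at the top of the hunk holds what looks like a real Wallarm node token rather than a placeholder (the README quotes its prefix as the example value), and once it is in git history it should be treated as exposed: revoke it in the Wallarm Console, replace it with the `YOUR_NODE_TOKEN_HERE` placeholder the container scripts use, and read it at run time from the environment or a 600-mode file, e.g. `: "${TOKEN:?set TOKEN in the environment}"`. The installer is fetched with a bare `curl -O https://meganode.wallarm.com/...` and then executed as root with no check that the download succeeded and no checksum or signature verification; `curl -fsSLO` followed by `|| exit 1` and a `sha256sum -c` against a vendor-published digest (placeholder: `<SHA256_FROM_WALLARM_RELEASE_NOTES>`) would close both gaps, and the `curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee ...` line has the same shape, writing an empty keyring if curl fails. In PHASE 3, `nginx -t && systemctl restart nginx` is followed by an unconditional "DEPLOYMENT SUCCESSFUL" message, so a broken config still reports success; `nginx -t && systemctl restart nginx || { echo -e "${RED}nginx config test or restart failed${NC}"; exit 1; }` makes the exit status honest. Minor: the yum repo is labelled `[nginx-stable]` but its `baseurl` points at `packages/mainline`, and the README refers to `~/wallarm/installation-vm/install.sh` while this file lives at `vm-deployment/install.sh`.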