customer-engineering/wallarm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: auto-commit 2026-03-30 06:33

Browse source
This commit is contained in:
administrator 2026-03-30 06:33:38 +01:00
parent f1a31beadd
commit 19866a97a9
2 changed files with 353 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

101
wallarm-ct-deploy.sh
View file

@ -594,6 +594,63 @@ collect_configuration() {
fi
done
# Get trusted proxy IPs for real IP configuration
local trusted_proxies=""
echo -e "\n${CYAN}${BOLD}Real Client IP Configuration:${NC}"
echo -e "${YELLOW}For Wallarm to see the real client IP, specify the IP address(es) of trusted proxies"
echo -e "(e.g., load balancers, firewalls, CDNs) that forward traffic to this node.${NC}"
echo -e "${YELLOW}You can enter:${NC}"
echo -e " - Single IP: 10.0.0.10"
echo -e " - CIDR range: 10.0.0.0/24"
echo -e " - Multiple entries separated by spaces: 10.0.0.10 10.0.1.0/24 192.168.1.1"
echo -e "${YELLOW}If unsure, you can leave empty and configure later${NC}"
read -r -p "$(echo -e "${YELLOW}Trusted proxy IPs/CIDRs (space-separated): ${NC}")" trusted_proxies_input
# Validate and clean up the input
local validated_proxies=()
if [[ -n "$trusted_proxies_input" ]]; then
# Split input by spaces
IFS=' ' read -ra proxy_array <<< "$trusted_proxies_input"
for proxy in "${proxy_array[@]}"; do
# Trim whitespace
proxy=$(echo "$proxy" | xargs)
if [[ -n "$proxy" ]]; then
# Validate IP or CIDR
if [[ "$proxy" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]{1,2})?$ ]]; then
# Basic IP format validation
IFS='/' read -r ip cidr <<< "$proxy"
IFS='.' read -r o1 o2 o3 o4 <<< "$ip"
if [[ $o1 -le 255 && $o2 -le 255 && $o3 -le 255 && $o4 -le 255 ]]; then
if [[ -z "$cidr" ]] || [[ $cidr -ge 0 && $cidr -le 32 ]]; then
validated_proxies+=("$proxy")
else
echo -e "${RED}Invalid CIDR prefix length for $proxy (must be 0-32)${NC}"
fi
else
echo -e "${RED}Invalid IP octets in $proxy${NC}"
fi
else
echo -e "${RED}Invalid IP/CIDR format: $proxy${NC}"
echo -e "${YELLOW}Example valid formats: 10.0.0.10, 10.0.0.0/24, 192.168.1.1${NC}"
fi
fi
done
if [[ ${#validated_proxies[@]} -eq 0 ]]; then
echo -e "${YELLOW}No valid proxy IPs provided. Will skip set_real_ip_from configuration.${NC}"
echo -e "${YELLOW}You can manually edit /etc/nginx/conf.d/wallarm.conf later to add set_real_ip_from directives.${NC}"
trusted_proxies=""
else
trusted_proxies="${validated_proxies[*]}"
echo -e "${GREEN}Trusted proxies configured: $trusted_proxies${NC}"
fi
else
echo -e "${YELLOW}No trusted proxies specified. The node will see the last hop IP only.${NC}"
echo -e "${YELLOW}For real client IP detection, you'll need to manually configure set_real_ip_from in nginx config.${NC}"
fi
# Generate instance name and directory
local instance_name
instance_name="wallarm-$(hostname -s | tr '[:upper:]' '[:lower:]')-$(date +%Y%m%d)"
@ -606,6 +663,11 @@ collect_configuration() {
log_message "SUCCESS" " Ingress Port: $ingress_port"
log_message "SUCCESS" " Monitoring Port: $monitoring_port"
log_message "SUCCESS" " Upstream: $upstream_ip:$upstream_port"
if [[ -n "$trusted_proxies" ]]; then
log_message "SUCCESS" " Trusted Proxies: $trusted_proxies"
else
log_message "INFO" " Trusted Proxies: Not configured (will need manual setup)"
fi
log_message "SUCCESS" " Instance: $instance_name"
log_message "SUCCESS" " Directory: $instance_dir"
@ -617,6 +679,7 @@ collect_configuration() {
WALLARM_TOKEN="$wallarm_token"
INSTANCE_NAME="$instance_name"
INSTANCE_DIR="$instance_dir"
TRUSTED_PROXIES="$trusted_proxies"
}
# ==============================================================================
@ -1474,14 +1537,35 @@ Re-run the script after providing the image."
fi
fi
# Create nginx configuration
log_message "INFO" "Creating nginx configuration..."
local nginx_config="$INSTANCE_DIR/nginx.conf"
# Create nginx configuration
log_message "INFO" "Creating nginx configuration..."
local nginx_config="$INSTANCE_DIR/nginx.conf"
sudo tee "$nginx_config" > /dev/null <<EOF
# Start building the configuration file
sudo tee "$nginx_config" > /dev/null <<EOF
server {
listen 80;
server_name _;
EOF
# Add set_real_ip_from directives if trusted proxies are configured
if [[ -n "$TRUSTED_PROXIES" ]]; then
# Add each trusted proxy IP/CIDR as a separate line
for proxy in $TRUSTED_PROXIES; do
sudo tee -a "$nginx_config" > /dev/null <<EOF
set_real_ip_from $proxy;
EOF
done
# Add the real_ip configuration
sudo tee -a "$nginx_config" > /dev/null <<EOF
real_ip_header X-Real-IP;
real_ip_recursive on;
EOF
fi
# Add the rest of the configuration
sudo tee -a "$nginx_config" > /dev/null <<EOF
location / {
proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT;
@ -1489,6 +1573,7 @@ server {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_set_header X-Forwarded-Server \$http_x_forwarded_server;
# Wallarm-specific headers
wallarm_mode monitoring;
@ -1504,8 +1589,12 @@ server {
}
EOF
log_message "SUCCESS" "Nginx configuration created: $nginx_config"
log_message "SUCCESS" "Nginx configuration created: $nginx_config"
if [[ -n "$TRUSTED_PROXIES" ]]; then
log_message "INFO" " Configured trusted proxies: $TRUSTED_PROXIES"
else
log_message "INFO" " No trusted proxies configured - real client IP detection may be limited"
fi
# Create start.sh script for persistence
log_message "INFO" "Creating start script for persistence..."
local start_script="$INSTANCE_DIR/start.sh"

256
wallarm-ct-reconfigure.sh Normal file
View file

@ -0,0 +1,256 @@
#!/bin/bash
# ==============================================================================
# WALLARM RECONFIGURATION SCRIPT - V1.0
# ==============================================================================
# Purpose: Modify nginx configuration of an existing Wallarm node
# Features:
# - Update set_real_ip_from (trusted proxy IPs/CIDRs)
# - Change wallarm_mode (monitoring/block)
# - Backup current config before changes
# - Interactive prompts with validation
# ==============================================================================
set -euo pipefail
# Color definitions
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[1;34m'
CYAN='\033[0;36m'
BOLD='\033[1m'
NC='\033[0m'
# Defaults
INSTANCE_DIR="/opt"
INSTANCE_NAME=""
# Function to find the Wallarm instance directory
find_wallarm_instance() {
local dirs=()
while IFS= read -r dir; do
if [[ -d "$dir" && -f "$dir/nginx.conf" && -f "$dir/start.sh" ]]; then
dirs+=("$dir")
fi
done < <(find "$INSTANCE_DIR" -maxdepth 1 -type d -name "wallarm-*" 2>/dev/null)
if [ ${#dirs[@]} -eq 0 ]; then
echo -e "${RED}No Wallarm instance found in $INSTANCE_DIR.${NC}"
exit 1
elif [ ${#dirs[@]} -eq 1 ]; then
INSTANCE_DIR="${dirs[0]}"
INSTANCE_NAME=$(basename "$INSTANCE_DIR")
echo -e "${GREEN}Found instance: $INSTANCE_NAME${NC}"
else
echo -e "${YELLOW}Multiple Wallarm instances found:${NC}"
for i in "${!dirs[@]}"; do
echo "$((i+1)). $(basename "${dirs[$i]}")"
done
read -r -p "Select instance number: " choice
if [[ "$choice" =~ ^[0-9]+$ ]] && [ "$choice" -ge 1 ] && [ "$choice" -le ${#dirs[@]} ]; then
INSTANCE_DIR="${dirs[$((choice-1))]}"
INSTANCE_NAME=$(basename "$INSTANCE_DIR")
else
echo -e "${RED}Invalid selection.${NC}"
exit 1
fi
fi
}
# Validate IP/CIDR format
validate_proxy() {
local proxy="$1"
if [[ "$proxy" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]{1,2})?$ ]]; then
IFS='/' read -r ip cidr <<< "$proxy"
IFS='.' read -r o1 o2 o3 o4 <<< "$ip"
if [ "$o1" -le 255 ] && [ "$o2" -le 255 ] && [ "$o3" -le 255 ] && [ "$o4" -le 255 ]; then
if [ -z "$cidr" ] || ( [ "$cidr" -ge 0 ] && [ "$cidr" -le 32 ] ); then
return 0
fi
fi
fi
return 1
}
# Parse current configuration to get existing values
parse_current_config() {
local config_file="$1"
# Get current wallarm_mode
current_mode=$(grep -oP 'wallarm_mode\s+\K\S+' "$config_file" | head -1)
# Get current set_real_ip_from lines
current_proxies=$(grep -oP 'set_real_ip_from\s+\K\S+' "$config_file")
}
# Update configuration
update_config() {
local config_file="$1"
local backup_file="$config_file.backup.$(date +%Y%m%d_%H%M%S)"
echo -e "${YELLOW}Backing up current config to $backup_file${NC}"
cp "$config_file" "$backup_file"
# Read new values interactively
echo -e "\n${CYAN}${BOLD}Current set_real_ip_from entries:${NC}"
if [ -n "$current_proxies" ]; then
echo "$current_proxies" | while read -r proxy; do
echo " $proxy"
done
else
echo " (none)"
fi
echo -e "\n${YELLOW}Do you want to change the trusted proxy IPs/CIDRs? (y/N)${NC}"
read -r change_proxy
if [[ "$change_proxy" =~ ^[Yy]$ ]]; then
echo -e "${YELLOW}Enter new trusted proxy IPs/CIDRs (space-separated, or empty to remove all):${NC}"
read -r new_proxies_input
new_proxies=()
if [[ -n "$new_proxies_input" ]]; then
IFS=' ' read -ra proxy_array <<< "$new_proxies_input"
for proxy in "${proxy_array[@]}"; do
proxy=$(echo "$proxy" | xargs)
if validate_proxy "$proxy"; then
new_proxies+=("$proxy")
else
echo -e "${RED}Invalid format: $proxy. Skipping.${NC}"
fi
done
fi
else
# Keep existing
while read -r proxy; do
new_proxies+=("$proxy")
done <<< "$current_proxies"
fi
echo -e "\n${CYAN}${BOLD}Current wallarm_mode:${NC} ${current_mode:-not set}"
echo -e "${YELLOW}Do you want to change the wallarm_mode? (y/N)${NC}"
read -r change_mode
if [[ "$change_mode" =~ ^[Yy]$ ]]; then
echo -e "${YELLOW}Select new mode:${NC}"
echo "1. monitoring"
echo "2. block"
read -r mode_choice
case "$mode_choice" in
1) new_mode="monitoring" ;;
2) new_mode="block" ;;
*) echo -e "${RED}Invalid choice, keeping current mode.${NC}"; new_mode="$current_mode" ;;
esac
else
new_mode="$current_mode"
fi
# Now rebuild the config file
# We'll create a temporary file and replace the original
temp_config=$(mktemp)
# Read original config line by line and modify as needed
in_server_block=false
while IFS= read -r line; do
# Detect start of server block
if [[ "$line" =~ ^[[:space:]]*server[[:space:]]*{ ]]; then
in_server_block=true
fi
# If we are inside server block, we may need to replace lines
if $in_server_block; then
# Replace set_real_ip_from lines with new ones
if [[ "$line" =~ ^[[:space:]]*set_real_ip_from[[:space:]]+ ]]; then
# Skip original set_real_ip_from lines (will be added later)
continue
fi
# Replace wallarm_mode line
if [[ "$line" =~ ^[[:space:]]*wallarm_mode[[:space:]]+ ]]; then
# We'll add new line after processing all lines
continue
fi
fi
# Write line to temp file
echo "$line" >> "$temp_config"
# After writing the line, if we are at the end of the server block, we may need to insert new directives
if $in_server_block && [[ "$line" =~ ^[[:space:]]*}$ ]]; then
in_server_block=false
# Insert the new set_real_ip_from lines just before the closing brace
if [ ${#new_proxies[@]} -gt 0 ]; then
for proxy in "${new_proxies[@]}"; do
echo " set_real_ip_from $proxy;" >> "$temp_config"
done
echo " real_ip_header X-Real-IP;" >> "$temp_config"
echo " real_ip_recursive on;" >> "$temp_config"
elif [ -n "$current_proxies" ]; then
# If we removed all proxies, we should also remove the real_ip_header and real_ip_recursive lines
# But that's tricky; we'll just not add them, but they might remain in the file if they were separate.
# Simpler: after rebuild, we need to ensure they are not there. We'll do a final cleanup.
echo -e "${YELLOW}Removing all set_real_ip_from directives.${NC}"
fi
# Insert new wallarm_mode
if [ -n "$new_mode" ]; then
echo " wallarm_mode $new_mode;" >> "$temp_config"
fi
fi
done < "$config_file"
# After building the temp file, we need to ensure any leftover real_ip_header lines are removed if no proxies.
if [ ${#new_proxies[@]} -eq 0 ]; then
# Remove lines containing real_ip_header and real_ip_recursive if they exist
sed -i '/real_ip_header/d' "$temp_config"
sed -i '/real_ip_recursive/d' "$temp_config"
fi
# Replace the original config with the new one
sudo mv "$temp_config" "$config_file"
sudo chmod 644 "$config_file"
echo -e "${GREEN}Configuration updated.${NC}"
}
restart_container() {
local container_name="$1"
echo -e "${YELLOW}Restarting container $container_name to apply changes...${NC}"
if sudo docker ps --format "{{.Names}}" | grep -q "^$container_name$"; then
sudo docker restart "$container_name"
echo -e "${GREEN}Container restarted.${NC}"
else
echo -e "${RED}Container $container_name is not running. Starting it...${NC}"
if [ -f "$INSTANCE_DIR/start.sh" ]; then
sudo "$INSTANCE_DIR/start.sh"
else
echo -e "${RED}No start script found. Please start manually: sudo docker start $container_name${NC}"
exit 1
fi
fi
}
main() {
echo -e "${BLUE}${BOLD}"
echo "╔══════════════════════════════════════════════════════════════╗"
echo "║ WALLARM RECONFIGURATION SCRIPT - V1.0 ║"
echo "║ Modify nginx.conf (trusted proxies / mode) ║"
echo "╚══════════════════════════════════════════════════════════════╝${NC}"
find_wallarm_instance
local config_file="$INSTANCE_DIR/nginx.conf"
if [ ! -f "$config_file" ]; then
echo -e "${RED}Configuration file not found: $config_file${NC}"
exit 1
fi
parse_current_config "$config_file"
update_config "$config_file"
echo -e "${YELLOW}Do you want to restart the container now? (Y/n)${NC}"
read -r restart_choice
if [[ ! "$restart_choice" =~ ^[Nn]$ ]]; then
restart_container "$INSTANCE_NAME"
else
echo -e "${YELLOW}Changes will take effect after container restart.${NC}"
echo -e "You can restart later with: sudo docker restart $INSTANCE_NAME"
fi
echo -e "\n${GREEN}${BOLD}Reconfiguration completed.${NC}"
}
main "$@"