From 6af44a977e1c7572ec23bb3fc77ed1205bd54aec Mon Sep 17 00:00:00 2001
From: cclohmar
Date: Wed, 18 Mar 2026 14:14:10 +0000
Subject: [PATCH] chore: auto-commit 2026-03-18 14:14
---
 wallarm-deploy-ct.sh | 118 ++++++++++++++++++++----------------------
 1 file changed, 56 insertions(+), 62 deletions(-)
diff --git a/wallarm-deploy-ct.sh b/wallarm-deploy-ct.sh
index e00162e..edb3068 100644
--- a/wallarm-deploy-ct.sh
+++ b/wallarm-deploy-ct.sh
@@ -1,10 +1,12 @@
 #!/bin/bash
 # ==============================================================================
-# SECHPOINT WALLARM SMART DEPLOYER - V6 (FULL BINARY INSTALL + PORT SELECTION)
+# SECHPOINT WALLARM SMART DEPLOYER - V7 (TRIPLE-VERIFIED CONNECTIVITY)
 # ==============================================================================
 YELLOW='\033[1;33m'; GREEN='\033[0;32m'; RED='\033[0;31m'; BLUE='\033[0;34m'; NC='\033[0m'; BOLD='\033[1m'
 LOG_FILE="/var/log/wallarm-deploy.log"
+
+# Cloud Endpoints
 EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com")
 US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com")
@@ -14,69 +16,78 @@ exec > >(tee -a "$LOG_FILE") 2>&1 clear echo -e "${BLUE}${BOLD}==========================================================${NC}" -echo -e "${BLUE}${BOLD} Wallarm Full Binary & Container Deployer V6 ${NC}" +echo -e "${BLUE}${BOLD} Wallarm Full Binary & Container Deployer V7 ${NC}" echo -e "${BLUE}${BOLD}==========================================================${NC}" -# --- 1. PRE-FLIGHT & CONNECTIVITY --- +# --- 1. PRE-FLIGHT & TRIPLE CONNECTIVITY CHECK --- check_connectivity() { - echo -e "\n${YELLOW}[1/5] Testing Cloud & Registry Connectivity...${NC}" + echo -e "\n${YELLOW}[1/5] Testing Connectivity Matrix...${NC}" + # A. Cloud Selection & Test read -p " Wallarm Cloud (US/EU) [US]: " CLOUD_SEL CLOUD_SEL=${CLOUD_SEL^^}; CLOUD_SEL=${CLOUD_SEL:-US} - local nodes_to_test=("${US_DATA_NODES[@]}") [[ "$CLOUD_SEL" == "EU" ]] && nodes_to_test=("${EU_DATA_NODES[@]}") - echo " Testing $CLOUD_SEL Cloud Endpoints..." for node in "${nodes_to_test[@]}"; do if curl -skI --connect-timeout 5 "https://$node" > /dev/null 2>&1; then - echo -e " ${GREEN}[PASS]${NC} Reached $node" + echo -e " ${GREEN}[PASS]${NC} Wallarm Cloud: $node" else - echo -e " ${RED}[FAIL]${NC} Cannot reach $node" + echo -e " ${RED}[FAIL]${NC} Wallarm Cloud: $node (Check Firewall/Proxy)" fi done - API_HOST=$([[ "$CLOUD_SEL" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com") - echo -n " Testing Docker Hub Registry Path... " + # B. Test Docker Registry (For Images) REGISTRY_STATUS=$(curl -skI --connect-timeout 5 -o /dev/null -w "%{http_code}" "https://registry-1.docker.io/v2/") - if [[ "$REGISTRY_STATUS" == "200" || "$REGISTRY_STATUS" == "401" ]]; then REGISTRY_REACHABLE=true - echo -e "${GREEN}REACHABLE${NC} ($REGISTRY_STATUS)" + echo -e " ${GREEN}[PASS]${NC} Docker Registry (Status: $REGISTRY_STATUS)" else REGISTRY_REACHABLE=false - echo -e "${RED}OFFLINE${NC} ($REGISTRY_STATUS)" - if ! 
ls *.tar >/dev/null 2>&1; then - echo -e " ${RED}✗ FATAL: No registry and no local .tar found.${NC}"; exit 1 - fi + echo -e " ${RED}[FAIL]${NC} Docker Registry (Status: $REGISTRY_STATUS)" + fi + + # C. Test Docker Download Server (For Engine Binaries) + DOWNLOAD_REACHABLE=true + if ! curl -skI --connect-timeout 5 "https://download.docker.com" > /dev/null 2>&1; then + DOWNLOAD_REACHABLE=false + echo -e " ${RED}[WARN]${NC} Docker Download Server (Blocked)" + else + echo -e " ${GREEN}[PASS]${NC} Docker Download Server" + fi + + # Final Gatekeeper + if [ "$REGISTRY_REACHABLE" = false ] && ! ls *.tar >/dev/null 2>&1; then + echo -e "${RED}✗ FATAL: No registry access and no local .tar image found.${NC}"; exit 1 fi } -# --- 2. ENGINE SETUP (Manual Binary Download & Install) --- +# --- 2. ENGINE SETUP (Smart Binary Install) --- setup_manual_engine() { - echo -e "\n${YELLOW}[2/5] Setting up Docker Engine (Manual Binaries)...${NC}" + echo -e "\n${YELLOW}[2/5] Setting up Docker Engine...${NC}" if command -v docker > /dev/null 2>&1 && sudo docker info > /dev/null 2>&1; then - echo -e " ${GREEN}✓${NC} Docker is already installed and running." + echo -e " ${GREEN}✓${NC} Docker is already active." else - echo " Docker not found. Proceeding with static binary installation..." - - # Determine Architecture ARCH=$(uname -m) - BINARY_URL="https://download.docker.com/linux/static/stable/$ARCH/docker-24.0.7.tgz" + BINARY_FILE="docker-static.tgz" - echo " Downloading Docker Binaries ($ARCH)..." - curl -L "$BINARY_URL" -o docker-static.tgz || { echo -e "${RED}Download failed.${NC}"; exit 1; } + if [ "$DOWNLOAD_REACHABLE" = true ]; then + echo " Downloading Docker Binaries ($ARCH)..." + curl -L "https://download.docker.com/linux/static/stable/$ARCH/docker-24.0.7.tgz" -o $BINARY_FILE + elif ls docker-static.tgz >/dev/null 2>&1; then + echo " Download blocked. Using local $BINARY_FILE..." 
+ else + echo -e " ${RED}✗ FATAL: Download server blocked and no local $BINARY_FILE found.${NC}"; exit 1 + fi - echo " Extracting and moving binaries to /usr/bin/..." - tar xzvf docker-static.tgz > /dev/null + tar xzvf $BINARY_FILE > /dev/null sudo cp docker/* /usr/bin/ - rm -rf docker docker-static.tgz + rm -rf docker $BINARY_FILE - echo " Creating systemd service..." sudo tee /etc/systemd/system/docker.service > /dev/null < /dev/null 2>&1 || { echo -e "${RED}Engine failed to start.${NC}"; exit 1; } - echo -e " ${GREEN}✓${NC} Docker Engine manually installed and started." + echo -e " ${GREEN}✓${NC} Engine initialized." fi } # --- 3. INPUT & WORKSPACE --- get_user_input() { - echo -e "\n${YELLOW}[3/5] Configuration Setup...${NC}" - - read -p " Enter Inbound Traffic Port [80]: " IN_PORT - IN_PORT=${IN_PORT:-80} + echo -e "\n${YELLOW}[3/5] Instance Configuration...${NC}" + read -p " Enter Inbound Port [80]: " IN_PORT; IN_PORT=${IN_PORT:-80} MON_PORT=$((IN_PORT + 10)) - echo -e " ${YELLOW}i${NC} Monitoring port set to: ${BOLD}$MON_PORT${NC}" + echo -e " ${YELLOW}i${NC} Monitoring Port: ${BOLD}$MON_PORT${NC}" INSTANCE_DIR="/opt/wallarm/poc_$IN_PORT" NODE_NAME="wallarm-node-$IN_PORT" - read -p " Upstream App IP [127.0.0.1]: " UPSTREAM_IP - UPSTREAM_IP=${UPSTREAM_IP:-127.0.0.1} - read -p " Upstream App Port [8080]: " UPSTREAM_PORT - UPSTREAM_PORT=${UPSTREAM_PORT:-8080} + read -p " Upstream App IP [127.0.0.1]: " UPSTREAM_IP; UPSTREAM_IP=${UPSTREAM_IP:-127.0.0.1} + read -p " Upstream App Port [8080]: " UPSTREAM_PORT; UPSTREAM_PORT=${UPSTREAM_PORT:-8080} read -p " Paste Wallarm Token: " TOKEN - # Port Collision Check if sudo netstat -tulpn | grep -E ":$IN_PORT |:$MON_PORT " > /dev/null 2>&1; then - echo -e " ${RED}✗ FATAL: Port $IN_PORT or $MON_PORT is already in use.${NC}"; exit 1 + echo -e " ${RED}✗ FATAL: Port conflict detected.${NC}"; exit 1 fi } # --- 4. 
DEPLOYMENT & PERSISTENCE --- execute_deployment() { - echo -e "\n${YELLOW}[4/5] Launching Wallarm Instance...${NC}" + echo -e "\n${YELLOW}[4/5] Launching Container...${NC}" sudo mkdir -p "$INSTANCE_DIR" - # Nginx Config sudo tee "$INSTANCE_DIR/nginx.conf" > /dev/null < /dev/null </dev/null @@ -170,20 +167,17 @@ EOF # --- 5. VERIFY --- -verify_and_test() { +verify() { echo -e "\n${YELLOW}[5/5] Final Verification...${NC}" sleep 15 if curl -s "http://localhost:$MON_PORT/wallarm-status" | grep -q "requests"; then - echo -e "\n${GREEN}${BOLD}✅ SUCCESS: Wallarm Node is active on Port $IN_PORT${NC}" - echo -e "Monitoring available at: http://localhost:$MON_PORT/wallarm-status\n" - - echo -e "${YELLOW}⚔️ Simulating SQLi Attack...${NC}" - curl -s -o /dev/null -w "Result: HTTP %{http_code}\n" "http://localhost:$IN_PORT/?id='OR+1=1--" + echo -e "\n${GREEN}${BOLD}✅ SUCCESS: Wallarm Active on Port $IN_PORT${NC}" + echo -e " Monitor: http://localhost:$MON_PORT/wallarm-status" + curl -s -o /dev/null -w " Attack Test: HTTP %{http_code}\n" "http://localhost:$IN_PORT/?id='OR+1=1--" else - echo -e "\n${RED}❌ FAILED: Container started but status page is unreachable.${NC}" + echo -e "\n${RED}❌ FAILED: Node not responding.${NC}" sudo docker logs $NODE_NAME | tail -n 5 fi } -# --- RUN --- -check_connectivity; setup_manual_engine; get_user_input; execute_deployment; verify_and_test \ No newline at end of file +check_connectivity; setup_manual_engine; get_user_input; execute_deployment; verify \ No newline at end of file
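Review bot: The Docker binary download in `setup_manual_engine` lost its failure check: V6 had `curl -L "$BINARY_URL" -o docker-static.tgz || { echo -e "${RED}Download failed.${NC}"; exit 1; }`, while the new `curl -L "https://download.docker.com/linux/static/stable/$ARCH/docker-24.0.7.tgz" -o $BINARY_FILE` runs unchecked, so a truncated transfer or an HTTP error page saved under that name proceeds straight into `tar xzvf $BINARY_FILE` and `sudo cp docker/* /usr/bin/`. The reachability probe that gates this path in `check_connectivity` uses `curl -skI`, i.e. with certificate verification disabled, so `DOWNLOAD_REACHABLE=true` can be set on a network path where the real, verifying download then fails — which is exactly the case the removed check used to catch. Restore the check and make HTTP errors fatal: `curl -fsSL "https://download.docker.com/linux/static/stable/$ARCH/docker-24.0.7.tgz" -o "$BINARY_FILE" || { echo -e "${RED}Download failed.${NC}"; exit 1; }`, and quote `"$BINARY_FILE"` in the `tar` and `rm -rf` lines. Two smaller points in the same block: the `elif ls docker-static.tgz` fallback tests the literal filename instead of `$BINARY_FILE`, and neither path verifies the archive's integrity before its contents are installed system-wide into /usr/bin.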
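Review bot: The attack self-test in `verify` prints the HTTP code but never evaluates it, and the SUCCESS banner is emitted before the probe runs, so a node that let the `id='OR+1=1--` request through (monitoring mode, or a filtering problem) reports exactly the same outcome as one that rejected it. Capture the status and branch on it: `code=$(curl -s -o /dev/null -w '%{http_code}' "http://localhost:$IN_PORT/?id='OR+1=1--")` followed by `if [[ "$code" == "403" ]]; then echo " Attack Test: blocked (HTTP $code)"; else echo " Attack Test: NOT blocked (HTTP $code) - node may be in monitoring mode"; fi`; the exact blocking status depends on the node's configuration, so treat 403 as the expected default and surface anything else rather than assuming success. In the failure branch `sudo docker logs $NODE_NAME` should be quoted as `"$NODE_NAME"` for consistency with the rest of the script. The whole `verify` function lies within this hunk.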