From 88d51d1e4f5b4138934b9e840acf09c9ec538fb6 Mon Sep 17 00:00:00 2001 From: SechPoint Date: Fri, 13 Mar 2026 08:48:33 +0000 Subject: [PATCH] update --- README.md | 117 +----------- .../{install.sh => deploy.sh} | 0 container-deployment/install_app1.sh | 129 ------------- container-deployment/install_app2.sh | 120 ------------- container-deployment/pre-flight-chck.sh | 63 ------- pre-deployment-test.sh | 169 +++++++++--------- 6 files changed, 95 insertions(+), 503 deletions(-) rename container-deployment/{install.sh => deploy.sh} (100%) delete mode 100644 container-deployment/install_app1.sh delete mode 100644 container-deployment/install_app2.sh delete mode 100644 container-deployment/pre-flight-chck.sh diff --git a/README.md b/README.md index df8d060..8bd06c3 100644 --- a/README.md +++ b/README.md @@ -6,117 +6,14 @@ This repository contains automated scripts to deploy the Wallarm Filtering Node --- -## ๐Ÿšฆ Step 1: Network Pre-Check (Crucial) +## ๐Ÿšฆ Step 1: Mandatory Pre-Flight Diagnostic -Before attempting any installation, you **must** verify that the server has egress access to Wallarm's Cloud and the official NGINX repositories. Banks often block these by default. +Before attempting any installation, you **must** verify the environment. Banks often have strict egress filters. This script verifies sudo access, required tools, and connectivity to Wallarm Cloud IPs. -1. **Navigate to the script:** +**Run the interactive diagnostic:** ```bash -cd ~/wallarm/ -``` - -2. **Run the audit:** - -```bash -chmod +x network-pre-check.sh - -sudo ./network-pre-check.sh -``` - -3. **Result:** If you see any **RED** "FAIL" messages, contact the network team to whitelist the listed IPs/Hostnames on Port 443. **Do not proceed until all checks are GREEN.** ---- -## ๐Ÿ› ๏ธ Step 2: Choose Your Deployment Method - -Depending on your architecture, choose **one** of the following methods. -### Option A: Virtual Machine (Native NGINX Module) -*Best for: Maximum performance, high-traffic production, or existing NGINX servers.* -1. **Configure:** Open the install script and set your `TOKEN` and `USE_CASE` (in-line or out-of-band). -```bash -nano ~/wallarm/installation-vm/install.sh -``` -2. **Run:** -```bash -chmod +x ~/wallarm/installation-vm/install.sh - -sudo ~/wallarm/installation-vm/install.sh -``` - -### Option B: Containerized (Docker / Podman) - -*Best for: Rapid PoC, testing, or environments where you don't want to modify the host OS packages.* -1. **Configure:** Open the install script and set your `TOKEN` and `UPSTREAM` IP. - -```bash -nano ~/wallarm/installation-docker/install.sh -``` - -2. **Run:** -```bash -chmod +x ~/wallarm/installation-docker/install.sh - -sudo ~/wallarm/installation-docker/install.sh -``` - -**Observation on scaling the Docker / Podman (Containerized) deployment** -You can run multiple instances by changing the `NODE_NAME` and `TRAFFIC_PORT`/`MONITOR_PORT` variables. This allows you to serve different backends on one host. - ---- -## โš™๏ธ Configuration Variables -Inside each `install.sh` script, you will find a **Configuration** section at the top. You must update these: - -|**Variable**|**Description**|**Example**| -|---|---|---| -|`NODE_NAME`|A unique identifier for the instance (useful for containerized deployments).|`wallarm-prod-01`| -|`TRAFFIC_PORT`|The host port where the node listens for incoming application traffic.|`8000`| -|`MONITOR_PORT`|The host port used to expose Wallarm metrics (Prometheus/JSON format).|`9000`| -|`TOKEN`|The unique API Token generated in the Wallarm Console.|`vPHB+Ygn...`| -|`REGION`|The Wallarm Cloud location associated with your account (`EU` or `US`).|`US`| -|`UPSTREAM`|The internal IP or hostname of the application server being protected.|`10.0.0.14`| -|`USE_CASE`|(VM only) Sets the mode: `in-line` (active filtering) or `out-of-band` (monitoring).|`in-line`| - ---- -### Deployment Flow Overview - -When you deploy the node using these variables, the traffic typically flows as follows: -1. **Incoming Traffic:** Hits the `TRAFFIC_PORT`. -2. **Filtering:** The node uses the `TOKEN` to sync security rules from the Wallarm Cloud (based on your `REGION`). -3. **Forwarding:** Valid traffic is sent to the `UPSTREAM` IP. -4. **Monitoring:** System health and security metrics are pulled via the `MONITOR_PORT`. ---- -## ๐Ÿงช Post-Installation Test - -Once the script finishes, verify the WAF is working by sending a "fake" attack: - -```bash -# Replace localhost with your server IP if testing remotely - -curl -I http://localhost/etc/passwd -``` - -## ๐Ÿ“Š Sizing & Performance Specs - -For a standard deployment (Postanalytics + NGINX on one host), we recommend the following: -### Resource Allocation & Performance - -| **Resource** | **Primary Consumer** | **Performance Note** | -| ------------------- | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | -| **CPU** (2 Cores) | **NGINX & Postanalytics** | One core typically handles the NGINX filtering, while the second manages `wstore` (local data analytics). This setup safely handles ~1,000 RPS. | -| **RAM** (4 GB) | **`wstore` (Tarantool)** | Wallarm uses an in-memory circular buffer for request analysis. At 4GB, you can store roughly 15โ€“20 minutes of request metadata for analysis. | -| **Storage** (50 GB) | **Log Buffering** | Required for local attack logs and the postanalytics module. SSD is mandatory to prevent I/O wait times from slowing down request processing. | - ---- - -### Scaling Indicators - -If you notice your traffic increasing beyond these specs, here is when you should consider upgrading: - -- **High CPU Usage (>70%):** Usually indicates you have reached the RPS limit for your core count or are processing highly complex, nested payloads (like large JSON or Base64-encoded data). - -- **Memory Pressure:** If you see `wstore` dropping data before the 15-minute mark, it means your traffic volume (data per minute) is exceeding the 4GB buffer. - -- **Disk Latency:** If you see "I/O Wait" in your system monitoring, it will directly cause latency for your end users, as NGINX cannot clear its buffers fast enough. - -> [!TIP] - -> **Performance Note:** One CPU core typically handles **500 RPS**. In a 2-core setup, one core is dedicated to NGINX (filtering) and one core to `wstore` (local analytics). For production spikes, we recommend 2x headroom. \ No newline at end of file +# Download and run the pre-flight test +curl -sL "[https://git.sechpoint.app/customer-engineering/wallarm/-/raw/main/pre-deployment-test.sh](https://git.sechpoint.app/customer-engineering/wallarm/-/raw/main/pre-deployment-test.sh)" -o pre-deployment-test.sh +chmod +x pre-deployment-test.sh +./pre-deployment-test.sh \ No newline at end of file diff --git a/container-deployment/install.sh b/container-deployment/deploy.sh similarity index 100% rename from container-deployment/install.sh rename to container-deployment/deploy.sh diff --git a/container-deployment/install_app1.sh b/container-deployment/install_app1.sh deleted file mode 100644 index c9ac4b2..0000000 --- a/container-deployment/install_app1.sh +++ /dev/null @@ -1,129 +0,0 @@ -#!/bin/bash -# ============================================================================== -# Wallarm PoC: Interactive "KISS" Deployer (Keystone Bank Edition) -# ============================================================================== - -YELLOW='\033[1;33m' -GREEN='\033[0;32m' -RED='\033[0;31m' -NC='\033[0m' - -clear -echo -e "${YELLOW}====================================================${NC}" -echo -e "${YELLOW} Wallarm Guided Instance Deployer (US Cloud) ${NC}" -echo -e "${YELLOW}====================================================${NC}\n" - -# --- 1. THE ID --- -echo -e "Existing Instances in /opt/wallarm/:" -ls /opt/wallarm/ 2>/dev/null || echo "None" -echo "" - -read -p "Enter Instance ID number (e.g., 1, 2, 3): " INSTANCE_ID - -NODE_NAME=$(printf "wallarm-%02d" $INSTANCE_ID) -TRAFFIC_PORT=$((8000 + INSTANCE_ID)) -MONITOR_PORT=$((9000 + INSTANCE_ID)) - -# --- 2. CONFIGURATION --- -read -p "Enter Upstream IP (App Server): " UPSTREAM_IP -read -p "Enter Upstream Port [default 80]: " UPSTREAM_PORT -UPSTREAM_PORT=${UPSTREAM_PORT:-80} - -# Hardcoded US Endpoints -API_HOST="us1.api.wallarm.com" -DATA_NODE="node-data0.us1.wallarm.com" - -read -p "Paste Wallarm Token (US Cloud): " TOKEN - -# --- 3. PRE-FLIGHT VALIDATION --- -echo -e "\n${YELLOW}๐Ÿ” Starting Pre-Flight Connectivity Checks...${NC}" - -# A. Internal Check -echo -n "Checking App Server ($UPSTREAM_IP:$UPSTREAM_PORT)... " -if ! timeout 2 bash -c "cat < /dev/null > /dev/tcp/$UPSTREAM_IP/$UPSTREAM_PORT" 2>/dev/null; then - echo -e "${RED}FAILED${NC}"; exit 1 -else - echo -e "${GREEN}OK${NC}" -fi - -# B. Wallarm API Check -echo -n "Checking Wallarm API ($API_HOST)... " -if ! curl -s --connect-timeout 5 "https://$API_HOST" > /dev/null; then - echo -e "${RED}FAILED${NC}"; exit 1 -else - echo -e "${GREEN}OK${NC}" -fi - -# C. Wallarm Data Node Check (Critical for events) -echo -n "Checking Wallarm Data Node ($DATA_NODE)... " -if ! timeout 3 bash -c "cat < /dev/null > /dev/tcp/$DATA_NODE/443" 2>/dev/null; then - echo -e "${RED}FAILED${NC}" - echo -e "${RED}โŒ ERROR: Data transmission to Wallarm is blocked.${NC}" - echo -e "${YELLOW}Action: Whitelist IPs 34.96.64.17 and 34.110.183.149 on Port 443.${NC}"; exit 1 -else - echo -e "${GREEN}OK${NC}" -fi - -# --- 4. ENGINE SETUP --- -if [ -f /etc/redhat-release ]; then - ENGINE="podman" - dnf install -y epel-release podman podman-docker podman-compose wget curl &>/dev/null - systemctl enable --now podman.socket &>/dev/null - firewall-cmd --permanent --add-port=$TRAFFIC_PORT/tcp --add-port=$MONITOR_PORT/tcp &>/dev/null - firewall-cmd --reload &>/dev/null -else - ENGINE="docker" - apt update && apt install -y docker.io docker-compose wget curl &>/dev/null - systemctl enable --now docker &>/dev/null -fi -COMPOSE_CMD=$([[ "$ENGINE" == "podman" ]] && echo "podman-compose" || echo "docker-compose") - -# --- 5. WORKSPACE & CONFIG --- -INSTANCE_DIR="/opt/wallarm/$NODE_NAME" -mkdir -p "$INSTANCE_DIR" - -cat < "$INSTANCE_DIR/nginx.conf" -server { - listen 80; - wallarm_mode monitoring; - location / { - proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT; - proxy_set_header Host \$host; - proxy_set_header X-Real-IP \$remote_addr; - proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; - } -} -server { listen 90; location /wallarm-status { wallarm_status on; allow all; } } -EOF - -cat < "$INSTANCE_DIR/conf.yml" -version: '3.8' -services: - $NODE_NAME: - image: docker.io/wallarm/node:4.10-latest - container_name: $NODE_NAME - restart: always - ports: ["$TRAFFIC_PORT:80", "$MONITOR_PORT:90"] - environment: - - WALLARM_API_TOKEN=$TOKEN - - WALLARM_API_HOST=$API_HOST - volumes: ["./nginx.conf:/etc/nginx/http.d/default.conf:ro,Z"] -EOF - -# --- 6. LAUNCH --- -echo -e "${YELLOW}๐Ÿš€ Launching $NODE_NAME...${NC}" -cd "$INSTANCE_DIR" -$COMPOSE_CMD -f conf.yml up -d - -# --- 7. VERIFICATION --- -echo -e "\n${YELLOW}โณ Waiting for handshake...${NC}" -sleep 5 -if curl -s "http://localhost:$MONITOR_PORT/wallarm-status" | grep -q "requests"; then - echo -e "${GREEN}โœ… SUCCESS: $NODE_NAME IS LIVE AND INSPECTING TRAFFIC${NC}" -else - echo -e "${RED}โš ๏ธ WARNING: Handshake slow. Check: $ENGINE logs $NODE_NAME${NC}" -fi - -echo -e "--------------------------------------------------" -echo -e "Traffic URL: http://:$TRAFFIC_PORT" -echo -e "--------------------------------------------------" \ No newline at end of file diff --git a/container-deployment/install_app2.sh b/container-deployment/install_app2.sh deleted file mode 100644 index f16b2c3..0000000 --- a/container-deployment/install_app2.sh +++ /dev/null @@ -1,120 +0,0 @@ -#!/bin/bash -# ============================================================================== -# Wallarm PoC: Multi-Instance Safe Deployer (Podman/Docker) -# ============================================================================== - -# --- Instance Configuration --- -NODE_NAME="wallarm-01" -TRAFFIC_PORT="8000" -MONITOR_PORT="9000" - -# --- UPSTREAM SETTINGS --- -UPSTREAM_IP="10.0.0.14" # Internal Application IP -UPSTREAM_PORT="6042" # Internal Application Port - -# --- CLOUD SETTINGS --- -TOKEN="YOUR_NODE_TOKEN_HERE" -REGION="EU" # US or EU - -# --- Colors --- -YELLOW='\033[1;33m' -GREEN='\033[0;32m' -RED='\033[0;31m' -NC='\033[0m' - -echo -e "${YELLOW}๐Ÿ” PHASE 0: Pre-Flight Connectivity Checks...${NC}" - -# 1. Root Check -[[ $EUID -ne 0 ]] && { echo -e "${RED}โŒ ERROR: Run as root.${NC}"; exit 1; } - -# 2. Specific Upstream Port Check -echo -n "Verifying connectivity to $UPSTREAM_IP on port $UPSTREAM_PORT... " -if ! timeout 3 bash -c "cat < /dev/null > /dev/tcp/$UPSTREAM_IP/$UPSTREAM_PORT" 2>/dev/null; then - echo -e "${RED}FAILED${NC}" - echo -e "${RED}โŒ ERROR: The VM cannot reach the application on port $UPSTREAM_PORT.${NC}" - echo -e "${YELLOW}Action: Ask the bank's Network Team to open egress to $UPSTREAM_IP:$UPSTREAM_PORT.${NC}" - exit 1 -else - echo -e "${GREEN}OK${NC}" -fi - -# 3. Wallarm Cloud Check -API_HOST=$( [[ "$REGION" == "US" ]] && echo "us1.api.wallarm.com" || echo "api.wallarm.com" ) -if ! curl -s --connect-timeout 5 "https://$API_HOST" > /dev/null; then - echo -e "${RED}โŒ ERROR: Cannot reach Wallarm Cloud ($API_HOST). Check Proxy settings.${NC}" - exit 1 -fi - -# --- PHASE 1: Engine Setup --- -if [ -f /etc/redhat-release ]; then - ENGINE="podman" - dnf install -y epel-release - dnf install -y podman podman-docker podman-compose wget curl - systemctl enable --now podman.socket - # Open OS Firewalld for incoming traffic - firewall-cmd --permanent --add-port=$TRAFFIC_PORT/tcp - firewall-cmd --permanent --add-port=$MONITOR_PORT/tcp - firewall-cmd --reload -elif [ -f /etc/debian_version ]; then - ENGINE="docker" - apt update && apt install -y docker.io docker-compose wget curl - systemctl enable --now docker -else - echo -e "${RED}โŒ Unsupported OS${NC}"; exit 1 -fi - -COMPOSE_CMD=$([[ "$ENGINE" == "podman" ]] && echo "podman-compose" || echo "docker-compose") - -# --- PHASE 2: Instance Workspace --- -INSTANCE_DIR="/opt/wallarm/$NODE_NAME" -mkdir -p "$INSTANCE_DIR" - -# Generate Nginx Config using the specific Upstream Port -cat < "$INSTANCE_DIR/nginx.conf" -server { - listen 80; - wallarm_mode monitoring; - - location / { - proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT; - proxy_set_header Host \$host; - proxy_set_header X-Real-IP \$remote_addr; - proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto \$scheme; - } -} -server { - listen 90; - location /wallarm-status { - wallarm_status on; - allow all; - } -} -EOF - -# Compose File with SELinux ( :Z ) flag -cat < "$INSTANCE_DIR/conf.yml" -version: '3.8' -services: - $NODE_NAME: - image: docker.io/wallarm/node:4.10-latest - container_name: $NODE_NAME - restart: always - ports: - - "$TRAFFIC_PORT:80" - - "$MONITOR_PORT:90" - environment: - - WALLARM_API_TOKEN=$TOKEN - - WALLARM_API_HOST=$API_HOST - volumes: - - ./nginx.conf:/etc/nginx/http.d/default.conf:ro,Z -EOF - -# --- PHASE 3: Launch --- -echo -e "${YELLOW}๐Ÿš€ Launching Wallarm Instance...${NC}" -cd "$INSTANCE_DIR" -$COMPOSE_CMD -f conf.yml up -d - -echo -e "\n${GREEN}โœ… DEPLOYMENT COMPLETE${NC}" -echo -e "External Port: $TRAFFIC_PORT -> Internal: $UPSTREAM_IP:$UPSTREAM_PORT" -echo -e "View real-time logs: $ENGINE logs -f $NODE_NAME" \ No newline at end of file diff --git a/container-deployment/pre-flight-chck.sh b/container-deployment/pre-flight-chck.sh deleted file mode 100644 index 3e8264c..0000000 --- a/container-deployment/pre-flight-chck.sh +++ /dev/null @@ -1,63 +0,0 @@ -#!/bin/bash -# ============================================================================== -# Wallarm Pre-Flight Check -# Purpose: Validate Environment before Container Deployment -# ============================================================================== - -UPSTREAM_IP="10.0.0.14" -UPSTREAM_PORT="80" -WALLARM_API="api.wallarm.com" - -YELLOW='\033[1;33m' -GREEN='\033[0;32m' -RED='\033[0;31m' -NC='\033[0m' - -echo -e "${YELLOW}๐Ÿ” Starting Pre-Flight Checks...${NC}\n" - -# 1. Check Root -[[ $EUID -ne 0 ]] && echo -e "${RED}โŒ Fail: Must run as root${NC}" || echo -e "${GREEN}โœ… Pass: Root privileges${NC}" - -# 2. Check OS (CentOS/RHEL focus) -if [ -f /etc/redhat-release ]; then - echo -e "${GREEN}โœ… Pass: CentOS/RHEL detected ($(cat /etc/redhat-release))${NC}" -else - echo -e "${YELLOW}โš ๏ธ Warn: Not a RedHat-based system. Script 1 may need tweaks.${NC}" -fi - -# 3. Check SELinux Status -SE_STATUS=$(getenforce) -if [ "$SE_STATUS" == "Enforcing" ]; then - echo -e "${YELLOW}โš ๏ธ Note: SELinux is Enforcing. Ensure volume mounts use the :Z flag.${NC}" -else - echo -e "${GREEN}โœ… Pass: SELinux is $SE_STATUS${NC}" -fi - -# 4. Check Upstream Connectivity (The most important check) -echo -n "Checking connectivity to Upstream ($UPSTREAM_IP:$UPSTREAM_PORT)... " -nc -zv -w5 $UPSTREAM_IP $UPSTREAM_PORT &>/dev/null -if [ $? -eq 0 ]; then - echo -e "${GREEN}โœ… Connected${NC}" -else - echo -e "${RED}โŒ FAILED: Cannot reach Upstream app. Check Routing/Firewalls.${NC}" -fi - -# 5. Check Wallarm Cloud Connectivity -echo -n "Checking connectivity to Wallarm API ($WALLARM_API)... " -curl -s --connect-timeout 5 https://$WALLARM_API &>/dev/null -if [ $? -eq 0 ] || [ $? -eq 45 ]; then # 45 is common if no auth, but shows port 443 is open - echo -e "${GREEN}โœ… Connected${NC}" -else - echo -e "${RED}โŒ FAILED: Cannot reach Wallarm Cloud. Check Proxy/Egress.${NC}" -fi - -# 6. Check Port Availability -for PORT in 8000 9000; do - if lsof -Pi :$PORT -sTCP:LISTEN -t >/dev/null ; then - echo -e "${RED}โŒ FAILED: Port $PORT is already in use.${NC}" - else - echo -e "${GREEN}โœ… Pass: Port $PORT is free${NC}" - fi -done - -echo -e "\n${YELLOW}Pre-flight complete. If all are GREEN, proceed to deployment.${NC}" \ No newline at end of file diff --git a/pre-deployment-test.sh b/pre-deployment-test.sh index 8e128cf..d39132f 100644 --- a/pre-deployment-test.sh +++ b/pre-deployment-test.sh @@ -6,99 +6,106 @@ GREEN='\033[0;32m' RED='\033[0;31m' NC='\033[0m' -echo -e "${YELLOW}=== Sechpoint Wallarm Pre-Flight Diagnostic ===${NC}" +# --- Configuration & Globals --- +EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com" "node-data1.eu1.wallarm.com") +US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com" "node-data1.us1.wallarm.com") -# --- 1. INTERACTIVE INPUT --- -read -p "Enter Application Server IP [127.0.0.1]: " APP_HOST /dev/null -elif [ -f /etc/redhat-release ]; then - echo "OS: RHEL/CentOS detected." - # sudo yum makecache -q && sudo yum install -y curl wget git -q > /dev/null -else - echo "OS: Non-Linux (Mac/Other) detected. Network tests will use 'curl' fallback." -fi - -# --- 3. TOOL VERIFICATION --- -echo -e "\n${YELLOW}[2/4] Verifying Required Tools...${NC}" -for tool in curl wget git; do - if command -v $tool &> /dev/null; then - echo -e "${GREEN}[PASS]${NC} $tool is installed." +check_proxy() { + echo -e "${YELLOW}[1/5] Checking Environment Proxies...${NC}" + if [ -n "$https_proxy" ] || [ -n "$HTTPS_PROXY" ]; then + echo -e "${GREEN}[INFO]${NC} Proxy detected: ${https_proxy:-$HTTPS_PROXY}" else - echo -e "${RED}[FAIL]${NC} $tool is MISSING." + echo -e "[INFO] No system proxy detected." fi -done +} -# --- 4. WALLARM CLOUD CONNECTIVITY --- -echo -e "\n${YELLOW}[3/4] Testing Wallarm Cloud Connectivity (Port 443)...${NC}" +get_user_input() { + read -p "Enter Application Server IP (to be protected) [127.0.0.1]: " APP_HOST /dev/null; then + echo -e "${GREEN}[PASS]${NC} $tool is installed." + else + echo -e "${RED}[FAIL]${NC} $tool is MISSING." + fi + done +} + +# The core connectivity logic +test_endpoint() { local target=$1 - local desc=$2 + # -skI = silent, insecure (ignore certs), head-only + if curl -skI --connect-timeout 5 "https://$target" > /dev/null 2>&1 || [ $? -eq 45 ] || [ $? -eq 52 ]; then + echo -e "${GREEN}[PASS]${NC} Reached $target" + else + echo -e "${RED}[FAIL]${NC} BLOCKED: $target" + fi +} + +check_wallarm_cloud() { + echo -e "\n${YELLOW}[4/5] Testing Wallarm Cloud Connectivity (Port 443)...${NC}" + echo "--- EU Cloud ---" + for node in "${EU_DATA_NODES[@]}"; do test_endpoint "$node"; done - if [[ "$OSTYPE" == "darwin"* ]]; then - # Mac Fallback: If curl gets ANY status code, the port is open. - # -I (Head only), -s (Silent), -k (Insecure), --max-time 3 - if curl -Is --connect-timeout 3 "https://$target" > /dev/null 2>&1; then - echo -e "${GREEN}[PASS]${NC} $desc ($target)" - else - echo -e "${RED}[FAIL]${NC} $desc ($target) - BLOCKED" - fi - else - # Linux Native (Still the most reliable for VMs) - if timeout 3 bash -c "cat < /dev/null > /dev/tcp/$target/443" 2>/dev/null; then - echo -e "${GREEN}[PASS]${NC} $desc ($target)" - else - echo -e "${RED}[FAIL]${NC} $desc ($target) - BLOCKED" - fi - fi -} + echo -e "\n--- US Cloud ---" + for node in "${US_DATA_NODES[@]}"; do test_endpoint "$node"; done +} -echo "--- EU Cloud ---" -test_conn "34.160.38.183" "node-data1.eu1" -test_conn "34.144.227.90" "node-data0.eu1" -test_conn "34.90.110.226" "api.wallarm.com" +check_internal_app() { + echo -e "\n${YELLOW}[5/5] Testing Internal App Connectivity...${NC}" + # We test TCP handshake only. + # Curl exit 7 (Refused) and 28 (Timeout) are the main failure triggers. + curl -vsk --connect-timeout 5 "http://$APP_HOST:$APP_PORT" > /dev/null 2>&1 + local exit_code=$? -echo -e "\n--- US Cloud ---" -test_conn "34.96.64.17" "node-data0.us1" -test_conn "34.110.183.149" "node-data1.us1" -test_conn "35.235.66.155" "us1.api.wallarm.com" + # Exit codes 0, 52 (empty reply), 22 (4xx/5xx), 56 (reset) all imply the port is OPEN. + if [[ "$exit_code" =~ ^(0|52|22|56|35)$ ]]; then + echo -e "${GREEN}[PASS]${NC} TCP Connection established to $APP_HOST:$APP_PORT" + else + echo -e "${RED}[FAIL]${NC} CANNOT REACH App at $APP_HOST:$APP_PORT (Error: $exit_code)" + echo " Check firewalls or verify if the service is running on the app server." + fi +} -# --- 5. INTERNAL APP CHECK --- -echo -e "\n${YELLOW}[4/4] Testing Internal App Connectivity...${NC}" -if [[ "$OSTYPE" == "darwin"* ]]; then - # Mac check for the app port specifically - if curl -s --connect-timeout 3 "$APP_HOST:$APP_PORT" > /dev/null 2>&1 || [ $? -eq 52 ] || [ $? -eq 45 ]; then - echo -e "${GREEN}[PASS]${NC} Reached App at $APP_HOST:$APP_PORT" - else - echo -e "${RED}[FAIL]${NC} Cannot reach $APP_HOST on port $APP_PORT" - fi -else - # Linux native check - if timeout 3 bash -c "cat < /dev/null > /dev/tcp/$APP_HOST/$APP_PORT" 2>/dev/null; then - echo -e "${GREEN}[PASS]${NC} Reached App at $APP_HOST:$APP_PORT" - else - echo -e "${RED}[FAIL]${NC} CANNOT REACH $APP_HOST on port $APP_PORT" - fi -fi +# --- Execution --- + +print_header +check_proxy +get_user_input +check_sudo +check_tools +check_wallarm_cloud +check_internal_app echo -e "\n${YELLOW}-------------------------------------------------------" echo -e "PRE-FLIGHT COMPLETE. PLEASE SCREENSHOT THIS OUTPUT."