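#!/usr/bin/env bash
# ==============================================================================
# Wallarm PoC: Multi-Instance Safe Deployer (Podman/Docker)
#
# What it does (in order):
#   0. Pre-flight: must run as root, the upstream app port must be reachable,
#      the Wallarm Cloud API host must be reachable, a node token must be set.
#   1. Installs a container engine: podman on RHEL-family (and opens the two
#      instance ports in firewalld), docker on Debian-family.
#   2. Writes per-instance nginx.conf and conf.yml under /opt/wallarm/$NODE_NAME.
#   3. Starts the Wallarm node container with the detected compose tool.
#
# Configuration is the block of variables below. The node token is read from
# the WALLARM_API_TOKEN environment variable by preference so it does not have
# to live in this file (version control, shared copies, `set -x` traces).
# Must be run as root.
# ==============================================================================
set -euo pipefail

# --- Instance Configuration ---
NODE_NAME="wallarm-01"
TRAFFIC_PORT="8000"
MONITOR_PORT="9000"

# --- UPSTREAM SETTINGS ---
UPSTREAM_IP="10.0.0.14"   # Internal Application IP
UPSTREAM_PORT="6042"      # Internal Application Port

# --- CLOUD SETTINGS ---
# Prefer the environment; the literal is only a placeholder that pre-flight rejects.
TOKEN="${WALLARM_API_TOKEN:-YOUR_NODE_TOKEN_HERE}"
REGION="EU"               # US or EU

# --- Colors ---
readonly YELLOW='\033[1;33m'
readonly GREEN='\033[0;32m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'

# Globals populated while running (documented so later phases are readable):
#   API_HOST     - Wallarm Cloud API hostname derived from REGION
#   ENGINE       - "podman" or "docker"
#   COMPOSE_CMD  - compose binary matching ENGINE
#   INSTANCE_DIR - per-instance workspace directory
API_HOST=""
ENGINE=""
COMPOSE_CMD=""
INSTANCE_DIR=""

#######################################
# Print a red message to stderr and exit 1.
# Arguments: $* - message text (already contains its own icon/prefix)
#######################################
fail() {
  echo -e "${RED}$*${NC}" >&2
  exit 1
}

#######################################
# PHASE 0: root check, upstream TCP reachability, Wallarm Cloud reachability,
# token sanity. Sets API_HOST.
#######################################
preflight_checks() {
  echo -e "${YELLOW}🔍 PHASE 0: Pre-Flight Connectivity Checks...${NC}"

  # 1. Root Check (package install, firewalld and systemctl all need it)
  if [[ $EUID -ne 0 ]]; then
    fail "❌ ERROR: Run as root."
  fi

  # 2. Specific Upstream Port Check.
  # The address/port are passed as positional args to the inner bash rather
  # than interpolated into the -c string, so odd characters in the config
  # cannot alter the command; /dev/tcp is a bash-internal redirect target.
  echo -n "Verifying connectivity to $UPSTREAM_IP on port $UPSTREAM_PORT... "
  if ! timeout 3 bash -c 'cat < /dev/null > "/dev/tcp/$1/$2"' _ \
      "$UPSTREAM_IP" "$UPSTREAM_PORT" 2>/dev/null; then
    echo -e "${RED}FAILED${NC}"
    echo -e "${RED}❌ ERROR: The VM cannot reach the application on port $UPSTREAM_PORT.${NC}"
    echo -e "${YELLOW}Action: Ask the bank's Network Team to open egress to $UPSTREAM_IP:$UPSTREAM_PORT.${NC}"
    exit 1
  fi
  echo -e "${GREEN}OK${NC}"

  # 3. Wallarm Cloud Check. Any HTTP answer counts as "reachable" (no -f);
  # curl honours http(s)_proxy env vars, hence the hint in the error text.
  # --max-time bounds a stalled TLS handshake that --connect-timeout alone would not.
  if [[ "$REGION" == "US" ]]; then
    API_HOST="us1.api.wallarm.com"
  else
    API_HOST="api.wallarm.com"
  fi
  if ! curl -s --connect-timeout 5 --max-time 10 "https://$API_HOST" > /dev/null; then
    fail "❌ ERROR: Cannot reach Wallarm Cloud ($API_HOST). Check Proxy settings."
  fi

  # 4. Token sanity: deploying with the placeholder only fails later, inside
  # the container, where the cause is harder to see.
  if [[ -z "$TOKEN" || "$TOKEN" == "YOUR_NODE_TOKEN_HERE" ]]; then
    fail "❌ ERROR: Set WALLARM_API_TOKEN (or TOKEN in this script) to the node token."
  fi
}

#######################################
# PHASE 1: install the container engine for the detected OS family.
# Sets ENGINE and COMPOSE_CMD. Opens TRAFFIC_PORT/MONITOR_PORT in firewalld
# on RHEL-family only (Debian-family is left to the host's own firewall).
#######################################
install_engine() {
  if [[ -f /etc/redhat-release ]]; then
    ENGINE="podman"
    dnf install -y epel-release
    dnf install -y podman podman-docker podman-compose wget curl
    systemctl enable --now podman.socket
    # Open OS Firewalld for incoming traffic
    firewall-cmd --permanent --add-port="$TRAFFIC_PORT/tcp"
    firewall-cmd --permanent --add-port="$MONITOR_PORT/tcp"
    firewall-cmd --reload
  elif [[ -f /etc/debian_version ]]; then
    ENGINE="docker"
    apt update && apt install -y docker.io docker-compose wget curl
    systemctl enable --now docker
  else
    fail "❌ Unsupported OS"
  fi

  if [[ "$ENGINE" == "podman" ]]; then
    COMPOSE_CMD="podman-compose"
  else
    COMPOSE_CMD="docker-compose"
  fi
}

#######################################
# PHASE 2: write nginx.conf and conf.yml for this instance. Sets INSTANCE_DIR.
# conf.yml contains the node token in clear text, so it is created 0600.
#######################################
write_instance_files() {
  INSTANCE_DIR="/opt/wallarm/$NODE_NAME"
  mkdir -p "$INSTANCE_DIR"

  # Generate Nginx Config using the specific Upstream Port.
  # Unquoted delimiter on purpose: $UPSTREAM_* expand here, nginx's own
  # variables are backslash-escaped so they survive into the file.
  # NOTE: `allow all` on /wallarm-status means anyone who can reach
  # MONITOR_PORT can read node status; tighten once the monitoring source is known.
  cat > "$INSTANCE_DIR/nginx.conf" <<EOF
server {
    listen 80;
    wallarm_mode monitoring;
    location / {
        proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
server {
    listen 90;
    location /wallarm-status {
        wallarm_status on;
        allow all;
    }
}
EOF

  # Compose File with SELinux ( :Z ) flag.
  # The token is passed via `environment:`, so it is also visible to anyone
  # who can run `$ENGINE inspect` on the host; keep host access restricted.
  umask 077
  cat > "$INSTANCE_DIR/conf.yml" <<EOF
version: '3.8'
services:
  $NODE_NAME:
    image: docker.io/wallarm/node:4.10-latest
    container_name: $NODE_NAME
    restart: always
    ports:
      - "$TRAFFIC_PORT:80"
      - "$MONITOR_PORT:90"
    environment:
      - WALLARM_API_TOKEN=$TOKEN
      - WALLARM_API_HOST=$API_HOST
    volumes:
      - ./nginx.conf:/etc/nginx/http.d/default.conf:ro,Z
EOF
  # umask only governs newly created files; enforce the mode on re-runs too.
  chmod 600 "$INSTANCE_DIR/conf.yml"
}

#######################################
# PHASE 3: start the instance and print the summary.
#######################################
launch() {
  echo -e "${YELLOW}🚀 Launching Wallarm Instance...${NC}"
  cd "$INSTANCE_DIR"
  "$COMPOSE_CMD" -f conf.yml up -d

  echo -e "\n${GREEN}✅ DEPLOYMENT COMPLETE${NC}"
  echo -e "External Port: $TRAFFIC_PORT -> Internal: $UPSTREAM_IP:$UPSTREAM_PORT"
  echo -e "View real-time logs: $ENGINE logs -f $NODE_NAME"
}

main() {
  preflight_checks
  install_engine
  write_instance_files
  launch
}

main "$@"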