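#!/bin/bash
# ==============================================================================
# Wallarm Native Deployer: NGINX Dynamic Module (Official Repo)
# Supports: RHEL/Alma/Rocky (9.x) & Ubuntu/Debian
#
# Usage (run as root):
#   WALLARM_TOKEN='<node token>' [USE_CASE=in-line|out-of-band] [REGION=US|EU] \
#     [UPSTREAM=<host[:port]>] [WALLARM_INSTALLER_SHA256=<hex>] ./deploy.sh
#
# Required env:
#   WALLARM_TOKEN            - Wallarm node token. Taken from the environment so
#                              the credential is never stored in this file.
# Optional env (defaults in "User Configuration" below):
#   USE_CASE, REGION, UPSTREAM
#   WALLARM_INSTALLER_SHA256 - vendor-published SHA-256 of the installer; when
#                              set, the download is verified before execution.
# ==============================================================================
set -euo pipefail

# --- User Configuration (environment overrides the defaults) ---
USE_CASE="${USE_CASE:-in-line}"      # "in-line" or "out-of-band"
TOKEN="${WALLARM_TOKEN:?ERROR: set WALLARM_TOKEN to the Wallarm node token}"
REGION="${REGION:-EU}"               # US or EU
UPSTREAM="${UPSTREAM:-10.0.0.14}"    # backend the proxy forwards to
INSTALLER_SHA256="${WALLARM_INSTALLER_SHA256:-}"

# --- Constants ---
readonly WALLARM_VERSION="4.10.10"   # 4.10 branch
readonly INSTALLER="wallarm-${WALLARM_VERSION}.x86_64-linux.sh"
readonly INSTALLER_URL="https://meganode.wallarm.com/native/all-in-one/${INSTALLER}"
readonly NGINX_KEY_URL="https://nginx.org/keys/nginx_signing.key"
readonly NGINX_KEYRING="/usr/share/keyrings/nginx-archive-keyring.gpg"

# --- Colors ---
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m'

#######################################
# Print a step banner to stdout.
# Arguments: $* - banner text
#######################################
step() {
  echo -e "${YELLOW}$*${NC}"
}

#######################################
# Print an error to stderr and abort the deployment.
# Arguments: $* - error text
# Returns:   never (exit 1)
#######################################
die() {
  echo -e "${RED}❌ ERROR: $*${NC}" >&2
  exit 1
}

# --- ROOT CHECK & input validation (fail early, before touching the host) ---
[[ $EUID -eq 0 ]] || die "Run as root."

case "$USE_CASE" in
  in-line|out-of-band) ;;
  *) die "USE_CASE must be 'in-line' or 'out-of-band' (got '$USE_CASE')" ;;
esac

case "$REGION" in
  US) API_HOST="us1.api.wallarm.com" ;;
  EU) API_HOST="api.wallarm.com" ;;
  *) die "REGION must be 'US' or 'EU' (got '$REGION')" ;;
esac

# Scratch directory for the installer download; removed on any exit path.
WORKDIR=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT

# --- PHASE 0: Official NGINX Repo Setup ---
step "🛠️ Step 0: Setting up Official NGINX Repository..."
if [[ -f /etc/redhat-release ]]; then
  yum install -y yum-utils
  # Quoted heredoc: $releasever/$basearch stay literal for yum to expand.
  # gpgcheck=1 with the vendor key keeps package signature verification on;
  # repo id/name now match the mainline baseurl actually used.
  cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
  yum install -y nginx
elif [[ -f /etc/debian_version ]]; then
  # Separate commands (not `a && b`) so a failing `apt-get update` stops the
  # script under `set -e` instead of being silently skipped.
  apt-get update
  apt-get install -y curl gnupg2 ca-certificates lsb-release
  DISTRO=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
  CODENAME=$(lsb_release -cs)
  # The distro keyring package differs between Ubuntu and Debian.
  case "$DISTRO" in
    ubuntu) apt-get install -y ubuntu-keyring ;;
    debian) apt-get install -y debian-archive-keyring ;;
    *) die "Unsupported Debian-family distribution: $DISTRO" ;;
  esac
  # -f: fail on HTTP errors so an error page is never written as the keyring.
  curl -fsSL "$NGINX_KEY_URL" | gpg --dearmor > "$NGINX_KEYRING"
  printf 'deb [signed-by=%s] https://nginx.org/packages/mainline/%s/ %s nginx\n' \
    "$NGINX_KEYRING" "$DISTRO" "$CODENAME" > /etc/apt/sources.list.d/nginx.list
  apt-get update
  apt-get install -y nginx
else
  die "Unsupported OS"
fi
systemctl enable --now nginx

# --- PHASE 1: Wallarm All-In-One Installer ---
step "📦 Step 1: Running Wallarm All-in-One Installer..."
cd "$WORKDIR"
# -f: fail on HTTP error so an error body is never chmod'ed and executed;
# -L: follow redirects.
curl -fsSL -o "$INSTALLER" "$INSTALLER_URL" || die "Failed to download $INSTALLER_URL"
if [[ -n "$INSTALLER_SHA256" ]]; then
  printf '%s  %s\n' "$INSTALLER_SHA256" "$INSTALLER" | sha256sum -c - \
    || die "Checksum mismatch for $INSTALLER; refusing to run it"
else
  printf 'NOTE: WALLARM_INSTALLER_SHA256 not set; installer integrity not verified.\n' >&2
fi
chmod +x "$INSTALLER"
# The installer's CLI takes the token on argv (visible to `ps` while it runs);
# do not enable `set -x` around this call or the token ends up in logs.
./"$INSTALLER" \
  --no-interactive \
  --token "$TOKEN" \
  --host "$API_HOST" \
  --nginx-bundle
cd /

# --- PHASE 2: Logic-Based Configuration ---
step "⚙️ Step 2: Building NGINX Config for $USE_CASE Mode..."

# Ensure the module is loaded (the installer may already have added it).
if ! grep -q "load_module" /etc/nginx/nginx.conf; then
  sed -i '1i load_module modules/ngx_http_wallarm_module.so;' /etc/nginx/nginx.conf
fi

# Unquoted heredocs below: $UPSTREAM is expanded by the shell, while nginx
# variables are written as \$var so they reach the config file intact.
if [[ "$USE_CASE" == "in-line" ]]; then
  # Standard Reverse Proxy with Blocking capability
  cat > /etc/nginx/conf.d/wallarm-proxy.conf <<EOF
server {
    listen 80;
    server_name _;
    wallarm_mode monitoring; # Change to 'block' after testing
    location / {
        proxy_pass http://${UPSTREAM};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
else
  # OOB (Passive) Mode using Nginx Mirror
  cat > /etc/nginx/conf.d/wallarm-proxy.conf <<EOF
server {
    listen 80;
    server_name _;
    location / {
        # Mirror traffic to a background internal location for Wallarm
        mirror /mirror;
        proxy_pass http://${UPSTREAM};
    }
    location = /mirror {
        internal;
        # Wallarm processes mirrored traffic here
        wallarm_mode monitoring;
        wallarm_upstream_connect_timeout 2s;
        proxy_pass http://127.0.0.1:1; # Dummy upstream
    }
}
EOF
fi

# Add Wallarm Monitoring status location (standard for both).
# Bound to loopback only, in addition to the allow/deny rules.
cat > /etc/nginx/conf.d/wallarm-status.conf <<'EOF'
server {
    listen 127.0.0.1:90;
    server_name localhost;
    location /wallarm-status {
        wallarm_status on;
        wallarm_mode off;
        allow 127.0.0.1;
        deny all;
    }
}
EOF

# --- PHASE 3: Validation ---
step "🚀 Step 3: Validating and Restarting..."
# A failed config test must abort here; otherwise the success banner below
# would be printed even though nginx was never restarted.
nginx -t || die "nginx configuration test failed; nginx was not restarted"
systemctl restart nginx

echo -e "\n${GREEN}✅ DEPLOYMENT SUCCESSFUL ($USE_CASE)${NC}"
echo -e "--------------------------------------------------"
echo -e "NGINX Version: $(nginx -v 2>&1)"
echo -e "Wallarm Status: curl http://localhost:90/wallarm-status"
echo -e "--------------------------------------------------"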