wallarm/vm-deployment/install.sh

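#!/usr/bin/env bash
# ==============================================================================
# Wallarm Native Deployer: NGINX Dynamic Module (Official Repo)
# Supports: RHEL/Alma/Rocky (9.x) & Ubuntu/Debian
#
# Required environment:
#   WALLARM_TOKEN             Wallarm node token. Read from the environment so
#                             the credential is never stored in this file.
# Optional environment:
#   USE_CASE                  "in-line" (default) or "out-of-band"
#   REGION                    "EU" (default) or "US"
#   UPSTREAM                  backend the proxy forwards to (default 10.0.0.14)
#   WALLARM_INSTALLER_SHA256  expected SHA-256 of the downloaded installer; when
#                             set, the download is verified before it runs as root.
# ==============================================================================
set -euo pipefail

# --- User Configuration ---
USE_CASE="${USE_CASE:-in-line}" # Options: "in-line" or "out-of-band"
# Any token value that was ever committed into this script must be treated as
# exposed and rotated in the Wallarm Console.
TOKEN="${WALLARM_TOKEN:?WALLARM_TOKEN must be set to the Wallarm node token}"
REGION="${REGION:-EU}" # US or EU
UPSTREAM="${UPSTREAM:-10.0.0.14}"
readonly INSTALLER_NAME="wallarm-4.10.10.x86_64-linux.sh"
readonly INSTALLER_URL="https://meganode.wallarm.com/native/all-in-one/${INSTALLER_NAME}"

# --- Colors ---
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m'

# Print one colored line: $1 is the color escape, $2 the message.
# %b expands the escape sequences held in the color variables.
say() { printf '%b%s%b\n' "$1" "$2" "$NC"; }
# Report a fatal error on stderr and stop; the EXIT trap removes the work dir.
die() { say "$RED" "❌ ERROR: $*" >&2; exit 1; }

# --- ROOT CHECK ---
[[ $EUID -eq 0 ]] || die "Run as root."

# --- INPUT VALIDATION (fail before touching the system) ---
case "$USE_CASE" in
  in-line|out-of-band) ;;
  *) die "USE_CASE must be 'in-line' or 'out-of-band' (got '$USE_CASE')" ;;
esac
case "$REGION" in
  US) API_HOST="us1.api.wallarm.com" ;;
  EU) API_HOST="api.wallarm.com" ;;
  *) die "REGION must be 'US' or 'EU' (got '$REGION')" ;;
esac

# Private directory for the downloaded installer; removed on every exit path.
WORKDIR=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT

# --- PHASE 0: Official NGINX Repo Setup ---
say "$YELLOW" "🛠️ Step 0: Setting up Official NGINX Repository..."
if [[ -f /etc/redhat-release ]]; then
  yum install -y yum-utils
  # Section id matches the mainline baseurl; HTTPS for transport and
  # gpgcheck=1 so every package is still signature-verified.
  cat <<'EOF' > /etc/yum.repos.d/nginx.repo
[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
  yum install -y nginx
elif [[ -f /etc/debian_version ]]; then
  apt-get update
  apt-get install -y curl gnupg2 ca-certificates
  # Distro id and codename from os-release; fall back to lsb_release.
  DISTRO=""
  CODENAME=""
  if [[ -r /etc/os-release ]]; then
    # shellcheck disable=SC1091
    . /etc/os-release
    DISTRO="${ID:-}"
    CODENAME="${VERSION_CODENAME:-}"
  fi
  if [[ -z "$DISTRO" || -z "$CODENAME" ]]; then
    apt-get install -y lsb-release
    DISTRO=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
    CODENAME=$(lsb_release -cs)
  fi
  # The keyring package differs per distribution; ubuntu-keyring does not
  # exist on Debian.
  case "$DISTRO" in
    ubuntu) apt-get install -y ubuntu-keyring ;;
    debian) apt-get install -y debian-archive-keyring ;;
    *) die "Unsupported Debian-family distribution '$DISTRO'" ;;
  esac
  # -f makes curl fail on an HTTP error so an error page is never written
  # out as the signing keyring; pipefail propagates that failure.
  curl -fsSL https://nginx.org/keys/nginx_signing.key \
    | gpg --dearmor --yes -o /usr/share/keyrings/nginx-archive-keyring.gpg
  printf 'deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/%s/ %s nginx\n' \
    "$DISTRO" "$CODENAME" > /etc/apt/sources.list.d/nginx.list
  apt-get update
  apt-get install -y nginx
else
  die "Unsupported OS"
fi
systemctl enable --now nginx

# --- PHASE 1: Wallarm All-In-One Installer ---
say "$YELLOW" "📦 Step 1: Running Wallarm All-in-One Installer..."
# Download the latest installer (4.10 branch) into the private work dir.
curl -fsSL -o "${WORKDIR}/${INSTALLER_NAME}" "$INSTALLER_URL"
if [[ -n "${WALLARM_INSTALLER_SHA256:-}" ]]; then
  # The installer runs as root: verify it before executing it.
  printf '%s  %s\n' "$WALLARM_INSTALLER_SHA256" "${WORKDIR}/${INSTALLER_NAME}" \
    | sha256sum -c - || die "Installer checksum mismatch"
else
  say "$YELLOW" "⚠️ WALLARM_INSTALLER_SHA256 not set; installer integrity not verified."
fi
chmod +x "${WORKDIR}/${INSTALLER_NAME}"
# NOTE: --token is part of the installer's argv and is visible in the process
# list for the installer's lifetime; the installer offers no stdin alternative
# here, so keep the run short-lived and rotate the token if it is ever exposed.
"${WORKDIR}/${INSTALLER_NAME}" \
  --no-interactive \
  --token "$TOKEN" \
  --host "$API_HOST" \
  --nginx-bundle

# --- PHASE 2: Logic-Based Configuration ---
say "$YELLOW" "⚙️ Step 2: Building NGINX Config for $USE_CASE Mode..."
# Ensure the Wallarm module itself is loaded: a load_module line for some other
# module must not suppress adding this one.
if ! grep -q "ngx_http_wallarm_module" /etc/nginx/nginx.conf; then
  sed -i '1i load_module modules/ngx_http_wallarm_module.so;' /etc/nginx/nginx.conf
fi
if [[ "$USE_CASE" == "in-line" ]]; then
  # Standard Reverse Proxy with Blocking capability.
  # $UPSTREAM is expanded by the shell; nginx variables are escaped as \$.
  cat <<EOF > /etc/nginx/conf.d/wallarm-proxy.conf
server {
    listen 80;
    server_name _;
    wallarm_mode monitoring; # Change to 'block' after testing
    location / {
        proxy_pass http://$UPSTREAM;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
else
  # OOB (Passive) Mode using Nginx Mirror (USE_CASE was validated above).
  cat <<EOF > /etc/nginx/conf.d/wallarm-proxy.conf
server {
    listen 80;
    server_name _;
    location / {
        # Mirror traffic to a background internal location for Wallarm
        mirror /mirror;
        proxy_pass http://$UPSTREAM;
    }
    location = /mirror {
        internal;
        # Wallarm processes mirrored traffic here
        wallarm_mode monitoring;
        wallarm_upstream_connect_timeout 2s;
        proxy_pass http://127.0.0.1:1; # Dummy upstream
    }
}
EOF
fi

# Add Wallarm Monitoring status location (standard for both).
# Bound to loopback only, so the status endpoint is never exposed on a network
# interface; the allow/deny rules remain as a second layer.
cat <<'EOF' > /etc/nginx/conf.d/wallarm-status.conf
server {
    listen 127.0.0.1:90;
    server_name localhost;
    location /wallarm-status {
        wallarm_status on;
        wallarm_mode off;
        allow 127.0.0.1;
        deny all;
    }
}
EOF

# --- PHASE 3: Validation ---
say "$YELLOW" "🚀 Step 3: Validating and Restarting..."
# A failed config test must not be reported as a successful deployment.
nginx -t || die "nginx configuration test failed; nginx was not restarted"
systemctl restart nginx
printf '\n'
say "$GREEN" "✅ DEPLOYMENT SUCCESSFUL ($USE_CASE)"
printf '%s\n' "--------------------------------------------------"
printf 'NGINX Version: %s\n' "$(nginx -v 2>&1)"
printf 'Wallarm Status: curl http://127.0.0.1:90/wallarm-status\n'
printf '%s\n' "--------------------------------------------------"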