Deploying open-appsec WAF on AWS ECS

This guide explains how to deploy the open-appsec Web Application Firewall (WAF) on Amazon Elastic Container Service (ECS).

Prerequisites

For Declarative Configuration

  • Create a local_policy.yaml file with your desired configuration and save it in a local directory.

  • Use this directory in the Docker run command as <path-to-persistent-location-for-local-configuration-file>.

  • You can also download the default local_policy.yaml from the open-appsec GitHub repository. Full details about the file structure can be found here.

For Connecting to WebUI (SaaS)

  • Create an agent profile in your SaaS tenant for the open-appsec Docker deployment.

Create a Profile

Method 1: Manual Setup via the ECS Console

Step 1: Create or Access Your ECS Cluster

  1. Open the ECS Console: Go to the ECS console and either create a new cluster or access an existing cluster.

  2. Create a Cluster (Optional):

    • Choose a launch type.

    • Configure the cluster settings as needed (network, compute options, etc.).

Step 2: Create a New Task Definition

  1. Open Task Definitions: Navigate to "Task Definitions" in the ECS console.

  2. Create New Task Definition:

    • Choose EC2 or Fargate, depending on your cluster type.

  3. Configure Infrastructure Requirements: Define the required CPU, memory, and IAM roles. Be sure to select roles that allow access to necessary AWS services and network resources.

Step 3: Define Container Settings

  1. Add a Container Definition: In the task definition, add a container using the following details:

    • Image URI: ghcr.io/openappsec/agent-unified:<version> (to pull the most recent build, use :latest in place of :<version>).

  2. Port Mappings: Specify the necessary port mappings. We recommend allowing SSH communication on your deployment to help with debugging, especially if issues arise with the agent.

  3. Volumes (Optional): Add the following volume mounts based on your setup requirements:

    • <host-openappsec-logs>:/var/log/nano_agent

    • <host-openappsec-conf-path>:/etc/cp/conf

    • <host-openappsec-data-path>:/etc/cp/data

    • <host-certs-path>:<container-certs-path>

    • <host-nginx-conf-path>:/etc/nginx/conf.d

    These volumes are optional but recommended for persisting logs, configurations, and data between deployments.

  4. Environment Variables: Add an environment variable for the WebUI token:

    • Key: AGENT_TOKEN

    • Value: <YOUR_PROFILE_TOKEN> copied from the profile created in the prerequisites

Step 4: Docker Configuration

  1. Entry Point: Use the following entry point for the container:

    /cp-nano-agent

  2. Working Directory: Set the working directory to root:

    /

Step 5: Run the Task

  1. Create a Service: After defining the task, you can launch it by creating a service in ECS. This will ensure your open-appsec WAF runs continuously, scaling based on your needs.

  2. Verify: Once the service is up, check the ECS logs and ensure the agent is running properly. You can also monitor logs through your defined volume mounts.

Method 2: Automated Setup via JSON Task Definition

For users who prefer automating their setup, you can use the following ECS task definition in JSON format. This option is especially useful if you are deploying multiple environments or want to automate the process.

ECS Task Definition JSON Example

{
  "family": "<task-definition-family>",
  "containerDefinitions": [
    {
      "name": "openappsec-agent",
      "image": "ghcr.io/openappsec/agent-unified:latest",
      "memory": 512,
      "cpu": 256,
      "environment": [
        {
          "name": "AGENT_TOKEN",
          "value": "<YOUR_PROFILE_TOKEN>"
        }
      ],
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80
        },
        {
          "containerPort": 443,
          "hostPort": 443
        }
      ],
      "mountPoints": [
        {
          "sourceVolume": "openappsec-logs",
          "containerPath": "/var/log/nano_agent"
        },
        {
          "sourceVolume": "openappsec-conf",
          "containerPath": "/etc/cp/conf"
        },
        {
          "sourceVolume": "openappsec-data",
          "containerPath": "/etc/cp/data"
        }
      ],
      "entryPoint": ["/cp-nano-agent"],
      "command": [""],
      "workingDirectory": "/"
    }
  ],
  "volumes": [
    {
      "name": "openappsec-logs",
      "host": {
        "sourcePath": "<host-openappsec-logs>"
      }
    },
    {
      "name": "openappsec-conf",
      "host": {
        "sourcePath": "<host-openappsec-conf-path>"
      }
    },
    {
      "name": "openappsec-data",
      "host": {
        "sourcePath": "<host-openappsec-data-path>"
      }
    }
  ]
}
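As an added sanity check (example code, not open-appsec's or AWS's own tooling), the Python below validates a task definition against the settings this guide calls for before it is registered: the agent-unified image, the /cp-nano-agent entry point, the "/" working directory, the AGENT_TOKEN variable, the recommended persistent mounts, and any <placeholder> values still left in the file. TEMPLATE is a constructed, trimmed copy of the example above with its placeholders still in place.

```python
"""Check an open-appsec ECS task definition against this guide's settings.
Added example, not open-appsec's or AWS's own tooling."""
import json
import re

PLACEHOLDER = re.compile(r"<[^<>]+>")  # values still to be filled in
IMAGE_PREFIX = "ghcr.io/openappsec/agent-unified:"
RECOMMENDED_MOUNTS = {"/var/log/nano_agent", "/etc/cp/conf", "/etc/cp/data"}


def check_task_definition(task_def):
    """Return the problems found; an empty list means the definition matches the guide."""
    problems = []
    for container in task_def.get("containerDefinitions", []):
        name = container.get("name", "unnamed")
        if not container.get("image", "").startswith(IMAGE_PREFIX):
            problems.append(f"{name}: image is not {IMAGE_PREFIX}<version>")
        if container.get("entryPoint") != ["/cp-nano-agent"]:
            problems.append(f"{name}: entryPoint must be ['/cp-nano-agent']")
        if container.get("workingDirectory") != "/":
            problems.append(f"{name}: workingDirectory must be '/'")
        env = {e.get("name"): e.get("value", "") for e in container.get("environment", [])}
        if not env.get("AGENT_TOKEN"):
            problems.append(f"{name}: AGENT_TOKEN missing (needed to reach the SaaS WebUI)")
        mounted = {m.get("containerPath") for m in container.get("mountPoints", [])}
        for path in sorted(RECOMMENDED_MOUNTS - mounted):
            problems.append(f"{name}: no persistent mount for {path}")
    # Any <placeholder> left anywhere (token, host paths, family) must be replaced.
    for leftover in sorted(set(PLACEHOLDER.findall(json.dumps(task_def)))):
        problems.append(f"placeholder {leftover} not replaced")
    return problems


# Constructed sample: the guide's template with its placeholders still in place.
TEMPLATE = {
    "family": "<task-definition-family>",
    "containerDefinitions": [{
        "name": "openappsec-agent",
        "image": "ghcr.io/openappsec/agent-unified:latest",
        "environment": [{"name": "AGENT_TOKEN", "value": "<YOUR_PROFILE_TOKEN>"}],
        "mountPoints": [{"sourceVolume": "openappsec-logs", "containerPath": "/var/log/nano_agent"}],
        "entryPoint": ["/cp-nano-agent"],
        "workingDirectory": "/",
    }],
}

if __name__ == "__main__":
    for problem in check_task_definition(TEMPLATE) or ["no problems found"]:
        print(problem)
```

Run it against the JSON you intend to register (json.load the file and pass the dict); register only once it returns an empty list.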