# Load the Attachment in Proxy Configuration open-appsec **Agents** receive the HTTP data from open-appsec **Attachments** integrating with the Proxy server. This allows the Agents to inspect traffic, once inspection is done, the resulting decision (e.g. to allow traffic or to block it) is returned back to the Attachment for the actual enforcement.\ \ When you are providing your own proxy configuration it is therefor critical to make sure that it contains the relevant settings for the proxy to load the attachment. ## How do I get the attachment for my proxy? ### Linux embedded deployments The attachment module is automatically downloaded specifically matching your proxy type and version and operating system when you run the open-appsec-install tool to install open-appsec. Here you find lists of all supported/pre-compiled attachments per supported OS versions for each available integration: [NGINX](https://downloads.openappsec.io/packages/supported-nginx.txt), [Kong](https://downloads.openappsec.io/packages/supported-kong.txt), [APISIX](https://downloads.openappsec.io/packages/supported-apisix.txt) ### Docker and Kubernetes deployments We provide "enhanced" versions of the containers for all supported proxies that open-appsec can integrate with. These containers already include the open-appsec attachment. ### Compiling the attachment yourself You can also compile the attachment yourself, this allows you to deploy on currently unsupported versions of the supported proxies or on unsupported operating systems. You can also build your own customized proxy containers. Source code and instructions are available here: {% embed url="" %} ## How to load the open-appsec attachment in the proxy configuration Please follow the instructions provided below for your specific deployment type explaining what needs to be included in your local proxy configuration in order to load the open-appsec attachment module. {% tabs %} {% tab title="NGINX" %} {% hint style="success" %} When installing open-appsec on Linux embedded the `open-appsec-install` command will automatically patch the existing `nginx.conf` file to add the line for loading the module. In the `nginx-attachment` container provided by open-appsec for containerized deployments this is already included in the file `/etc/nginx/nginx.conf`. {% endhint %} In the NGINX configuration file `nginx.conf` make sure to have the open-appsec attachment loaded as an NGINX module. The open-appsec attachment module is usually located in this path:\ `/usr/lib/nginx/modules/` Make sure the following line exists **as the first line** in the nginx.conf file in order to load the open-appsec attachment module: `load_module /usr/lib/nginx/modules/ngx_cp_attachment_module.so;` {% endtab %} {% tab title="NGINX Unified" %} {% hint style="success" %} In the `open-appsec-agent-unified` container provided by open-appsec for Docker deployments the line to load the attachment module is already included in the file `/etc/nginx/nginx.conf`. {% endhint %} In the NGINX configuration file `nginx.conf` make sure to have the open-appsec attachment loaded as an NGINX module. The open-appsec attachment module is usually located in this path:\ `/usr/lib/nginx/modules/` Make sure the following line exists **as the first line** in the nginx.conf file in order to load the open-appsec attachment module: `load_module /usr/lib/nginx/modules/ngx_cp_attachment_module.so;` {% endtab %} {% tab title="Kong" %} {% hint style="success" %} When installing open-appsec on Linux embedded the `open-appsec-install` command will automatically patch the existing `nginx.conf` file to add this line. In the `kong-attachment` container provided by open-appsec for containerized deployments this is already included in the file `/usr/local/kong/nginx.conf`. {% endhint %} Kong is based on OpenResty, in OpenResty's NGINX configuration file `nginx.conf` make sure to have the open-appsec attachment loaded as an NGINX module. The open-appsec attachment module is usually located in this path:\ `/usr/lib64/nginx/modules/` Make sure the following line exists **as the first line** in the nginx.conf file in order to load the open-appsec attachment module: `load_module /usr/lib64/nginx/modules/ngx_cp_attachment_module.so;` {% endtab %} {% tab title="APISIX" %} {% hint style="success" %} When installing open-appsec on Linux embedded the `open-appsec-install` command will automatically patch the existing `nginx.conf` file to add this line. In the apisix-attachment container provided by open-appsec for containerized deployments this is already included in the file `/usr/local/apisix/conf/nginx.conf`. {% endhint %} APISIX is build on OpenResty. In OpenResty's NGINX configuration file `nginx.conf` make sure to have the open-appsec attachment loaded as an NGINX module. The open-appsec attachment module is usually located in this path:\ `/usr/lib/nginx/modules/` Make sure the following line exists **as the first line** in the nginx.conf file in order to load the open-appsec attachment module:\ (Note that in APISIX the nginx.conf file is automatically generated, so you cannot adjust its contents directly) `load_module /usr/lib/nginx/modules/ngx_cp_attachment_module.so;` {% endtab %} {% tab title="Envoy (beta)" %} {% hint style="warning" %} When installing Envoy on Docker:\ As an `envoy.yaml` configuration file is not included in the Envoy container make sure to have the above configuration added yourself to that file! {% endhint %} In the Envoy configuration file, which is typically called `envoy.yaml` make sure to have the open-appsec attachment loaded as a filter for HTTP traffic. The open-appsec attachment is usually located here:\ `/usr/lib/libenvoy_attachment.so` In the configuration example below you can see the relevant **lines 16 to 25** which must be added for loading the open-appsec attachment filter for Envoy: {% code lineNumbers="true" %} ```yaml static_resources: listeners: - name: listener_0 address: socket_address: address: 0.0.0.0 port_value: 80 filter_chains: - filters: - name: envoy.filters.network.http_connection_manager typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: ingress_http http_filters: ## The following 10 lines are required to load the envoy attachment filter for open-appsec - name: envoy.filters.http.golang typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config library_id: cp_nano_filter library_path: "/usr/lib/libenvoy_attachment.so" plugin_name: cp_nano_filter plugin_config: "@type": type.googleapis.com/xds.type.v3.TypedStruct value: prefix_localreply_body: "Configured local reply from go" ## - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router ``` {% endcode %} {% endtab %} {% endtabs %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.openappsec.io/deployment-and-upgrade/load-the-attachment-in-proxy-configuration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.