open-appsec
WebsiteManagement PortalPlaygroundGitHub
  • open-appsec Documentation
  • What is open-appsec?
  • open-appsec Video Tutorials
  • Release Notes
  • Getting started
    • Getting Started
    • Start With Kubernetes
      • Install Using Interactive CLI Tool (Ingress NGINX)
      • Configuration Using Interactive CLI Tool
      • Install Using Helm
      • Install Using Helm - new flow (beta)
      • Configuration Using CRDs
      • Configuration Using CRDs - v1beta2
      • Configuration using CRDs - special options for Large Scale Deployments
        • Using appsec class for assigning separate custom resources to specific deployments
        • Using namespace-scoped custom resources
      • Monitor Events
    • Start With Linux
      • Install open-appsec for Linux
      • Using the open-appsec-ctl Tool
      • Configuration Using Local Policy File (Linux)
      • Local Policy File (Advanced)
      • Local Policy File v1beta2 (beta)
      • Monitor Events
    • Start with Docker
      • Install With Docker (Centrally Managed)
      • Install With Docker (Locally Managed)
      • Deploy With Docker-Compose (Beta)
      • Configuration Using Local Policy File (Docker)
      • Local Policy File (Advanced)
    • Using the Web UI (SaaS)
      • Sign-Up and Login to Portal
      • Agents Deployment
      • Connect Deployed Agents to SaaS Management Using Tool (K8s & Linux)
      • Connect Deployed Agents to SaaS Management Using Helm (K8s)
      • Connect Deployed Agents to SaaS Management (Docker)
      • Create a Profile
      • Protect Additional Assets
      • Monitor Events
    • Using the Advanced Machine Learning Model
  • Concepts
    • Agents
    • Management & Automation
    • Security Practices
    • Contextual Machine Learning
  • SETUP INSTRUCTIONS
    • Setup Web Application Settings
    • Setup Custom Rules and Exceptions
    • Setup Web User Response Pages
    • Setup Log Triggers
    • Setup Behavior Upon Failure
    • Setup Agent Upgrade Schedule
  • Additional Security Engines
    • Anti-Bot
    • API Schema Enforcement
    • Data Loss Prevention (DLP) Rules
    • File Security
    • Intrusion Prevention System (IPS)
    • Rate Limit
  • Snort Rules
    • Import Snort Rules
    • Write Snort Signatures
  • HOW TO
    • Configuration and Learning
      • Track Learning and Move From Learn/Detect to Prevent
      • Configure Contextual Machine Learning for Best Accuracy
      • Track Learning and Local Tuning in Standalone Deployments
      • Move From Detect to Prevent in K8s With Many Ingress Rules
  • Deployment and Upgrade
    • Load the Attachment in Proxy Configuration
    • Upgrade Your Reverse Proxy/API Gateway When an Agent is Installed
    • Integration in GitOps CD (K8s)
    • Build open-appsec Based on Source Code
  • Management Web UI
    • Track Agent Status
    • Delete or Reset Management Tenant (SaaS)
    • Disconnect an open-appsec agent from Central Management
  • Integrations
    • About Integrations With 3rd Party Solutions
    • CrowdSec
      • CrowdSec Bouncer Support
      • CrowdSec Intelligence Sharing Using open-appsec Parser/Scenario
    • NGINX Proxy Manager
      • Install NGINX Proxy Manager with open-appsec managed from NPM WebUI
      • Install NGINX Proxy Manager with open-appsec managed from central WebUI (SaaS)
      • Frequently Asked Questions
      • How to Migrate from an Existing NGINX Proxy Manager Deployment and Keep Configuration
    • NPMplus
    • Docker SWAG
      • Install Docker SWAG with open-appsec (locally managed)
      • How to connect locally managed Docker SWAG with open-appsec to WebUI
      • Install Docker SWAG with open-appsec (centrally managed)
      • Deploy Docker SWAG with docker-compose (beta)
      • Frequently Asked Questions
  • Troubleshooting
    • Troubleshooting
    • Troubleshooting Guides
      • Configuration contains ingress/asset with URL which already has asset attached to it in your tenant
      • HTTP Request to Port 80 Not Returning as Expected
      • Agent Fails to Recognize HTTP Transactions with NGINX
      • Agent Not Recognizing Initial HTTP Requests
      • Handling Large Requests (413 Responses)
      • open-appsec on Docker HTTP Transaction Handler Is Set To Ready
      • Traffic Recognition Issue on Single-Core Machine/Connection Timed Out
      • Installing open-appsec on CentOS 7
      • SELinux: checking status and disabling
      • Deploy open-appsec directly on the web server hosting the application to protect
      • object is locked or remote, and therefore cannot be modified
      • Failed to Register to Fog
  • references
    • Agent CLI
    • Event Query Language
    • Events/Logs Schema
    • WAF Comparison Project
Powered by GitBook
On this page

Was this helpful?

  1. Deployment and Upgrade

Upgrade Your Reverse Proxy/API Gateway When an Agent is Installed

PreviousLoad the Attachment in Proxy ConfigurationNextIntegration in GitOps CD (K8s)

Last updated 1 year ago

Was this helpful?

One of the possible deployments for open-appsec is a Linux agent installed on top of a .

If you wish to upgrade the Reverse Proxy while the agent is installed, follow the steps described in this documentation page.

Step 1: Delete the agent module's load_module line

  • Locate your nginx modules folder path by running: nginx -V and look for the value of the "--modules-path" parameter. It is usually /usr/share/nginx/modules or /usr/lib/nginx/modules

  • Via command line access to the machine with the NGINX server and the agent, edit the following file: /etc/nginx/nginx.conf

  • Delete the following line (look for the path located previously): load_module /<modules folder path>/ngx_cp_attachment_module.so;

Step 2: Comment out the agent module's configuration lines

  • Edit all files in the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/*

    • Comment out (add '#' in the beginning of the line) all the lines, if exist, that begin with: cp-nano-nginx-attachment

  • If you added manually additional lines in other server configuration files - comment them out as well.

Step 3: Run a test command

Run the command 'nginx -t'. You should see it print out "test is successful".

Step 4: Upgrade the NGINX's software version

Run any commands you intended to run in order to upgrade the NGINX's software version

Step 5: Stop and start the agent, while triggering deployment of a new attachment

Run the following commands: cpnano -q rm -rf /etc/cp/packages rm /etc/cp/conf/manifest.json cpnano -r

Step 6: Verify the agent has restarted

After one minute that the agent has restarted successfully using the following command: cpnano -s

Last update status should state “Succeeded” and Last update should show a time in the scope of the last few minutes.

Step 7: Undo the changes done in step 2

Remove the "comment out" character ('#') from all the lines it was added to in step 2 (In the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/* )

Step 8: NGINX reload

Run the following commands: nginx -s reload systemctl restart nginx

Step 1: Delete the agent module's load_module line

  • Locate your nginx modules folder path by running: /usr/local/openresty/nginx/sbin/nginx -V and look for the value of the "--modules-path" parameter. It is usually /usr/share/nginx/modules or /usr/lib/nginx/modules

  • Via command line access to the machine with the NGINX server and the agent, edit the following file: /usr/local/kong/nginx.conf

  • Delete the following lines (look for the path located previously): load_module /<modules folder path>/open_appsec_ngx_module.so; cp_worker_processes auto;

Step 2: Run a test command

Run the command '/usr/local/openresty/nginx/sbin/nginx -p /usr/local/kong -c nginx.conf -t'. You should see it print out "test is successful".

Step 3: Upgrade the Kong Gateway's software version

Run any commands you intended to run in order to upgrade the Kong Gateway's software version

Step 4: Backup your declarative policy (optional)

If you are using a declarative policy, copy your local configuration to a new folder by running:

open-appsec-ctl --list-policies cp <output of list-policies-command> <your backup folder>

Step 5: Stop the agent and re-deploy attachment

Run the following commands: open-appsec-ctl -q rm /etc/cp/conf/manifest.json

Run the open-appsec install command: wget https://downloads.openappsec.io/open-appsec-install && chmod +x open-appsec-install ./open-appsec-install --auto

Step 6: Restore you declarative policy (optional)

Copy your backed up declarative policy to the original folder: cp <your backed up declarative policy file> <output of list-policies-command>

Step 7: Verify the agent has restarted

After one minute that the agent has restarted successfully use the following command: open-appsec-ctl -s Last update status should state “Succeeded” and Last update should show a time in the scope of the last few minutes.

supported Reverse Proxy