Install open-appsec for Docker

Local declarative management for open-appsec on Docker is not yet available and will be added soon. Until then, connect your installation directly to the WebUI (SaaS management), as explained below.

Prerequisites

  • Access to a SaaS tenant on my.openappsec.io (WebUI for SaaS management). Follow the instructions available here:
  • An agent profile created for the open-appsec Docker deployment in the SaaS tenant. Follow the instructions available here. Once done, don't forget to copy the profile token after policy installation, as it is needed in the installation steps further below:
  • A Linux machine with Docker installed (or a similar compatible container runtime)

Installation

NGINX
Make sure you meet the prerequisites at the top of this page and have the profile token available. Make sure you installed the policy after creating the profile.
Follow these steps to install an NGINX with open-appsec using containers (e.g. on Docker) or using your deployment CI:
Step 1: Pull the open-appsec agent image or add/use it as part of the deployment CI’s container management system:
docker pull ghcr.io/openappsec/agent:latest
Step 2: Run the open-appsec agent container with this command (replace <token> with the profile token):
docker run -d --name=open-appsec-agent --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent -e https_proxy=<user:password@proxy address:port> -it ghcr.io/openappsec/agent:latest /cp-nano-agent --token <token>
Note: The three -v parameters and the -e https_proxy parameter are optional but recommended. Fill in the proper values for the storage locations and the proxy if required, or just remove the parameters. They are Docker options, so they must appear before the image name; anything after the image name is passed to the agent process instead of to Docker.
Step 3: Create (or replace) the NGINX container by first pulling the open-appsec NGINX container, which already contains the open-appsec attachment. Alternatively add/use it as part of the deployment CI’s container management system:
docker pull ghcr.io/openappsec/nginx-attachment:latest
Step 4: Run the open-appsec NGINX container, making sure to add the --ipc=host parameter. Here's an example command:
docker run -d --name open-appsec-nginx --ipc=host -p 80:80 ghcr.io/openappsec/nginx-attachment:latest
For general NGINX configuration please check the relevant NGINX documentation.
Step 5: Make sure both containers are running; use docker ps to verify.
Step 6: Navigate to the Agents tab and make sure that the new Agent is successfully connected.
Step 7: Create one or more assets defining the specific resources that open-appsec should protect and don't forget to install policy afterwards. All required steps are explained here:
Kong Gateway
Make sure you meet the prerequisites at the top of this page and have the profile token available. Make sure you installed the policy after creating the profile.
Follow these steps to install Kong with open-appsec using containers (e.g. on Docker) or using your deployment CI:
Step 1: Pull the open-appsec agent image or add/use it as part of the deployment CI’s container management system:
docker pull ghcr.io/openappsec/agent:latest
Step 2: Run the open-appsec agent container with this command (replace <token> with the profile token):
docker run -d --name=open-appsec-agent --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent -e https_proxy=<user:password@proxy address:port> -it ghcr.io/openappsec/agent:latest /cp-nano-agent --token <token>
Note: The three -v parameters and the -e https_proxy parameter are optional but recommended. Fill in the proper values for the storage locations and the proxy if required, or just remove the parameters. They are Docker options, so they must appear before the image name; anything after the image name is passed to the agent process instead of to Docker.
Step 3: Create (or replace) the Kong container by pulling the enhanced open-appsec Kong container, which already contains the open-appsec attachment. Alternatively add/use it as part of the deployment CI’s container management system:
For Kong (open-source version):
docker pull ghcr.io/openappsec/kong-attachment:latest
For Kong Gateway (enterprise version):
docker pull ghcr.io/openappsec/kong-gateway-attachment:latest
Step 4: Run the open-appsec Kong container, making sure to add the --ipc=host parameter. Here are example commands:
For Kong (open-source version):
docker run -d --name kong --ipc=host -p 8000:8000 -p 8443:8443 -p 127.0.0.1:8001:8001 -p 127.0.0.1:8444:8444 ghcr.io/openappsec/kong-attachment:latest
For Kong Gateway (enterprise version):
docker run -d --name kong-gateway --ipc=host -p 8000:8000 -p 8443:8443 -p 127.0.0.1:8001:8001 -p 127.0.0.1:8444:8444 ghcr.io/openappsec/kong-gateway-attachment:latest
For general Kong configuration details please check the relevant Kong documentation available here: https://docs.konghq.com
Step 5: Make sure both containers are running; use docker ps to verify.
Step 6: Navigate to the Agents tab and make sure that the new Agent is successfully connected.
Step 7: Create one or more assets defining the specific resources that open-appsec should protect and don't forget to install policy afterwards. All required steps are explained here:
Your open-appsec installation on Docker is now complete and your configured web app or API assets are protected!
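
A scripted form of the Step 5 check for both the NGINX and Kong procedures, as an added example that is not part of the open-appsec documentation: it confirms that each container is running and was started with --ipc=host. The function name check_appsec_containers and the sample inspect output are constructed for illustration; the container names are the ones used in the commands above.

```shell
#!/bin/sh
# Added example: verify Step 5 for the open-appsec agent and its attachment container.

# Reads lines of "<name> <status> <ipc mode>" on stdin, as printed by:
#   docker inspect --format '{{.Name}} {{.State.Status}} {{.HostConfig.IpcMode}}' <names...>
# Arguments are the container names that must be present.
# Prints one line per problem; returns 0 only if every named container
# is running with IPC mode "host".
check_appsec_containers() {
    report=$(cat)
    rc=0
    for want in "$@"; do
        # docker prefixes .Name with "/", so strip it before comparing
        line=$(printf '%s\n' "$report" | sed 's|^/||' |
               awk -v n="$want" '$1 == n { print; exit }')
        if [ -z "$line" ]; then
            echo "MISSING  $want: container not found"
            rc=1
            continue
        fi
        status=$(printf '%s\n' "$line" | awk '{ print $2 }')
        ipc=$(printf '%s\n' "$line" | awk '{ print $3 }')
        if [ "$status" != "running" ]; then
            echo "DOWN     $want: status is $status"
            rc=1
        fi
        if [ "$ipc" != "host" ]; then
            echo "NO-IPC   $want: IpcMode is ${ipc:-unset}, expected host (--ipc=host)"
            rc=1
        fi
    done
    return $rc
}

# Live use (requires docker), here for the NGINX deployment:
#   docker inspect --format '{{.Name}} {{.State.Status}} {{.HostConfig.IpcMode}}' \
#       open-appsec-agent open-appsec-nginx |
#       check_appsec_containers open-appsec-agent open-appsec-nginx

# Constructed sample output: the attachment was started without --ipc=host.
SAMPLE_BAD='/open-appsec-agent running host
/open-appsec-nginx running private'
```

For the Kong deployment, pass kong or kong-gateway as the second container name instead of open-appsec-nginx.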