Install With Docker (Centrally Managed)
Prerequisites
Access to a SaaS tenant on my.openappsec.io (WebUI for SaaS management) Follow the instructions available here:
Agent profile created for open-appsec Docker deployment in SaaS tenant Follow the instructions available here. Once done, don't forget to copy the profile token after policy installation as this is needed in the installation steps further below:
Linux machine with:
Docker software installed (or similar compatible Container runtime)
Root Permissions
Installation
Make sure to meet the prerequisites on top of this page and to have the profile token available. Make sure you enforce the policy after profile creation.
Follow these steps to deploy open-appsec and NGINX reverse proxy (including open-appsec attachment) with separate containers (e.g. on Docker) or implement this using your deployment CI pipeline: (This is the standard deployment, an alternative option to deploy with a single, unified container is available as well, see "NGINX - Unified" tab.)
Step 1: Pull the open-appsec agent image or add/use it as part of the deployment CI’s container management system:
Step 2: Create the following empty directories to be used later for volume mounts in the docker run command for the agent.
Creation of the folders above and the volume mounts shown in the next step with -v is optional but strongly recommended for having persistence of the important agent information (data, config, logs).
Step 3: Run the open-appsec agent container with this command:
Replace the <token> parameter with the token you copied from the profile in the WebUI before (see Prerequisites section above).
The https_proxy environment variable allows you to configure an HTTP(S) proxy server to be used by the agent. It is optional and can be removed if not needed.
The optional no-upgrade flag to the cp-nano-agent command will start the agent without an initial upgrade.
The optional user_email environment variable allows you to associate your email address with your specific deployment by replacing <your-email-address> with your own email address.
This allows the open-appsec team to provide you easy assistance in case of any issues you might have with your specific deployment in the future and also to provide you information proactively regarding open-appsec in general or regarding your specific deployment. This is an optional parameter and can be removed. If we send automatic emails there will also be an opt-out option included for receiving similar communication in the future.
Step 3: Create (or replace) the NGINX container by first pulling the open-appsec NGINX container, which already contains the open-appsec attachment. Alternatively, add/use it as part of the deployment CI’s container management system:
Step 4: Run the open-appsec NGINX container, make sure to add the --ipc=host parameter, here’s an example command:
For general NGINX configuration please check the relevant NGINX documentation
Step 5: Make sure both containers are running, use docker ps to verify.
Step 6: Navigate to the Agents tab and ensure the new Agent is successfully connected.
Step 7: Create one or more assets defining the specific resources that open-appsec should protect and don't forget to install the policy afterward. All required steps are explained here:
Protect Additional AssetsNow your open-appsec installation on Docker is completed and your configured web app or API assets are protected!
Last updated