Install open-appsec for Linux
The fastest and easiest way to deploy and configure open-appsec is using an interactive CLI tool which will guide you through the most commonly required customizations.
Prerequisites
Root permissions
wget
command-line tool installed on your linux machineExecution permissions on the
/tmp
directory.Linux machine with:
A supported OS and NGINX, Kong, or APISIX version already installed. Here you find lists of all supported/pre-compiled attachments per supported OS versions for each available integration: - NGINX attachment compatibility - APISIX attachment compatibility - Kong attachment compatibility
In case your version is not supported yet, you can also build the attachment yourself from source code, see here.
Installation
Download the installer for Linux using these commands:
wget https://downloads.openappsec.io/open-appsec-install && chmod +x open-appsec-install
You can show the installer version and available options by running the following command to show the help info:
./open-appsec-install -h
This interactive installer provides 2 alternative modes for automatic vs. manual installation:
Mode 1: Automatic installation of open-appsec and adding attachment (plugin) to NGINX/Kong/APISIX
This is the recommended deployment mode for deploying open-appsec on Linux for most deployments, as this is fully automatic and compatible with most, typically used environments.
In this mode open-appsec will automatically be installed with all required components and the attachment will be added and activated in the existing configuration for NGINX/Kong (traditional integration)/APISIX.
The resulting configuration will be locally, declaratively managed using local_policy.yaml
configuration file.
Run this command to start the installation:
The following command will automatically install the open-appsec attachment to the NGINX, APISIX or Kong proxy, configure it to be loaded and also install the open-appsec agent with default local declarative configuration.
./open-appsec-install --auto

As part of the installation, a default configuration file for declarative, local management of open-appsec will be created in the following path:
/etc/cp/conf/local_policy.yaml
Optional open-appsec installer parameters
--token
allows connecting directly to SaaS management, to get the token please follow the instructions here.--prevent
will set the default rule in the default policy file toprevent-learn
instead ofdetect-learn
, but the recommendation is to keepdetect-learn
as the default rule.--kong-plugin
ONLY use this when deploying open-appsec with the Lua-based open-appsec attachment, this will skip the automatic installation of the traditional attachment, which is not required in this case.
Mode 2: Download of software components and presenting manual installation instructions
In this mode all required components based on your NGINX, Kong or APISIX version, OS version, Platform will be downloaded to your machine and instructions are presented for manual installation.
./open-appsec-install --download
Optionally you can add a --tmpdir <path>
option to specify an alternative path for the downloaded software components (default path is /tmp/openappsec/ )

Once the download has finished, follow these steps for manual installation:
Step 1: Deploying the attachment on an existing alpine NGINX/Kong server
Copy the associated libraries as shown in the output of the script
Copy the nginx attachment file as shown in the output for Step 1
Load the attachment on your NGINX by adding the following line to your
nginx.conf
Step 2: Installing open-appsec agent
Run the following commands:
/tmp/open-appsec/openappsec/install-cp-nano-agent.sh --install --hybrid_mode
/tmp/open-appsec/openappsec/install-cp-nano-service-http-transaction-handler.sh --install
/tmp/open-appsec/openappsec/install-cp-nano-attachment-registration-manager.sh --install
Step 3 Validate configuration
Run the following command to validate the nginx configuration:
nginx -t
You should see an output confirming that the syntax is "ok" similar to this:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart the NGINX service so that the updated nginx configuration is applied and the open-appsec attachment module is loaded:
service nginx restart
Congratulations, you successfully installed and activated open-appsec integrated with your existing NGINX, Kong or APISIX installation.
Now you might want to have a look at our interactive CLI tool:
Using the open-appsec-ctl ToolLast updated
Was this helpful?