open-appsec Agents receive HTTP data from the open-appsec Attachments, which integrate with the proxy server. This allows the Agents to inspect the traffic. Once inspection is done, the resulting decision (e.g. to allow the traffic or to block it) is returned to the Attachment, which performs the actual enforcement.
When you provide your own proxy configuration, it is therefore critical to make sure that it contains the settings the proxy needs to load the attachment.
How do I get the attachment for my proxy?
Linux embedded deployments
The attachment module matching your proxy type, proxy version and operating system is downloaded automatically when you run the open-appsec-install tool to install open-appsec.
Here you can find lists of all supported/pre-compiled attachments per supported OS version for each available integration: NGINX, Kong, APISIX
Docker and Kubernetes deployments
We provide "enhanced" versions of the containers for all supported proxies that open-appsec can integrate with. These containers already include the open-appsec attachment.
Compiling the attachment yourself
You can also compile the attachment yourself. This allows you to deploy on currently unsupported versions of the supported proxies or on unsupported operating systems. You can also build your own customized proxy containers. Source code and instructions are available here:
How to load the open-appsec attachment in the proxy configuration
Please follow the instructions below for your specific deployment type. They explain what your local proxy configuration must include in order to load the open-appsec attachment module.
When installing open-appsec on Linux embedded, the open-appsec-install command will automatically patch the existing nginx.conf file to add the line for loading the module.
In the nginx-attachment container provided by open-appsec for containerized deployments this is already included in the file /etc/nginx/nginx.conf.
In the NGINX configuration file nginx.conf make sure to have the open-appsec attachment loaded as an NGINX module.
The open-appsec attachment module is usually located in this path:
/usr/lib/nginx/modules/
Make sure the following line exists as the first line in the nginx.conf file in order to load the open-appsec attachment module:
In the open-appsec-agent-unified container provided by open-appsec for Docker deployments the line to load the attachment module is already included in the file /etc/nginx/nginx.conf.
In the NGINX configuration file nginx.conf make sure to have the open-appsec attachment loaded as an NGINX module.
The open-appsec attachment module is usually located in this path:
/usr/lib/nginx/modules/
Make sure the following line exists as the first line in the nginx.conf file in order to load the open-appsec attachment module:
When installing open-appsec on Linux embedded, the open-appsec-install command will automatically patch the existing nginx.conf file to add this line.
In the kong-attachment container provided by open-appsec for containerized deployments this is already included in the file /usr/local/kong/nginx.conf.
Kong is based on OpenResty. In OpenResty's NGINX configuration file nginx.conf, make sure to have the open-appsec attachment loaded as an NGINX module.
The open-appsec attachment module is usually located in this path:
/usr/lib64/nginx/modules/
Make sure the following line exists as the first line in the nginx.conf file in order to load the open-appsec attachment module:
When installing open-appsec on Linux embedded, the open-appsec-install command will automatically patch the existing nginx.conf file to add this line.
In the apisix-attachment container provided by open-appsec for containerized deployments this is already included in the file /usr/local/apisix/conf/nginx.conf.
APISIX is built on OpenResty. In OpenResty's NGINX configuration file nginx.conf, make sure to have the open-appsec attachment loaded as an NGINX module.
The open-appsec attachment module is usually located in this path:
/usr/lib/nginx/modules/
Make sure the following line exists as the first line in the nginx.conf file in order to load the open-appsec attachment module:
(Note that in APISIX the nginx.conf file is automatically generated, so you cannot adjust its contents directly)
When installing Envoy on Docker:
As an envoy.yaml configuration file is not included in the Envoy container, make sure to add the configuration described here to that file yourself!
In the Envoy configuration file, which is typically called envoy.yaml, make sure to have the open-appsec attachment loaded as a filter for HTTP traffic.
The open-appsec attachment is usually located here:
/usr/lib/libenvoy_attachment.so
In the configuration example below you can see the relevant lines 16 to 25 which must be added for loading the open-appsec attachment filter for Envoy:
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 80
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          ## The following 10 lines are required to load the envoy attachment filter for open-appsec
          - name: envoy.filters.http.golang
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
              library_id: cp_nano_filter
              library_path: "/usr/lib/libenvoy_attachment.so"
              plugin_name: cp_nano_filter
              plugin_config:
                "@type": type.googleapis.com/xds.type.v3.TypedStruct
                value:
                  prefix_localreply_body: "Configured local reply from go"
          ##
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
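A listener whose HTTP connection manager lacks the attachment filter forwards traffic without inspection, so it is worth auditing every listener in a self-maintained envoy.yaml. The following is an added example, not part of the open-appsec documentation or code: it checks an already parsed configuration against the filter name, library_id, library_path and plugin_name shown above. The function names and the sample configurations are constructed for illustration, and only listeners under static_resources are covered.

```python
# Added example (not open-appsec code): audit a parsed envoy.yaml for the attachment filter.
HCM = "envoy.filters.network.http_connection_manager"
GOLANG = "envoy.filters.http.golang"
ROUTER = "envoy.filters.http.router"
# Expected values are the ones in the configuration shown on this page.
EXPECTED = {"library_id": "cp_nano_filter",
            "library_path": "/usr/lib/libenvoy_attachment.so",
            "plugin_name": "cp_nano_filter"}


def audit_envoy_config(cfg):
    """Return findings; an empty list means every HTTP listener loads the attachment."""
    findings = []
    for listener in (cfg.get("static_resources") or {}).get("listeners") or []:
        for idx, chain in enumerate(listener.get("filter_chains") or []):
            for net_filter in chain.get("filters") or []:
                if net_filter.get("name") != HCM:
                    continue  # not HTTP traffic, nothing for the attachment to inspect
                where = f"{listener.get('name', '<unnamed>')}/filter_chains[{idx}]"
                http_filters = (net_filter.get("typed_config") or {}).get("http_filters") or []
                names = [f.get("name") for f in http_filters]
                if GOLANG not in names:
                    findings.append(f"{where}: attachment filter missing, traffic is not inspected")
                    continue
                pos = names.index(GOLANG)
                typed = http_filters[pos].get("typed_config") or {}
                for key, want in EXPECTED.items():
                    if typed.get(key) != want:
                        findings.append(f"{where}: {key} is {typed.get(key)!r}, expected {want!r}")
                # HTTP filters run in listed order and the router is the terminal filter.
                if ROUTER in names and names.index(ROUTER) < pos:
                    findings.append(f"{where}: attachment filter is listed after the router")
    return findings


def sample_config(http_filters):
    """Constructed sample: one listener with one HTTP connection manager."""
    hcm = {"name": HCM, "typed_config": {"stat_prefix": "ingress_http",
                                         "http_filters": http_filters}}
    return {"static_resources": {"listeners": [
        {"name": "listener_0", "filter_chains": [{"filters": [hcm]}]}]}}


ATTACHMENT = {"name": GOLANG, "typed_config": dict(EXPECTED)}
ROUTER_FILTER = {"name": ROUTER, "typed_config": {}}

if __name__ == "__main__":
    for label, filters in [("page config", [ATTACHMENT, ROUTER_FILTER]),
                           ("router only", [ROUTER_FILTER])]:
        print(label, "->", audit_envoy_config(sample_config(filters)) or "OK")
```

To audit a real file, parse it first (for example with PyYAML's yaml.safe_load) and pass the resulting dictionary to audit_envoy_config. If you compiled the attachment yourself and installed it elsewhere, adjust EXPECTED["library_path"] accordingly.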