Links

Upgrade your Reverse Proxy /API Gateway when an Agent is Installed

One of the possible deployments for open-appsec is a Linux agent installed on top of a supported Reverse Proxy.
If you wish to upgrade the Reverse Proxy while the agent is installed, follow the steps described in this documentation page.
NGINX
Kong Gateway
Step 1: Delete the agent module's load_module line
  • Via command line access to the machine with the NGINX server and the agent, edit the following file: /etc/nginx/nginx.conf
  • Delete the following line: load_module /usr/share/nginx/modules/ngx_cp_attachment_module.so;
Step 2: Comment out the agent module's configuration lines
  • Edit all files in the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/*
    • Comment out (add '#' in the beginning of the line) all the lines that begin with: cp-nano-nginx-attachment
  • If you added manually additional lines in other server configuration files - comment them out as well.
Step 3: Run a test command
Run the command 'nginx -t'. You should see it print out "test is successful".
Step 4: Upgrade the NGINX's software version
Run any commands you intended to run in order to upgrade the NGINX's software version
Step 5: Stop and start the agent, while triggering deployment of a new attachment
Run the following commands: cpnano -q rm /etc/cp/conf/manifest.json cpnano -r
Step 6: Verify the agent has restarted
After one minute that the agent has restarted successfully using the following command: cpnano -s Last update status should state “Succeeded” and Last update should show a time in the scope of the last few minutes.
Step 7: Undo the changes done in step 2
Remove the "comment out" character ('#') from all the lines it was added to in step 2 (In the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/* )
Step 1: Delete the agent module's load_module line
  • Via command line access to the machine with the NGINX server and the agent, edit the following file: TBD
  • Delete the following line: load_module TBD
Step 2: Comment out the agent module's configuration lines
  • Edit all files in the paths TBD
    • Comment out (add '#' in the beginning of the line) all the lines that begin with: TBD
  • If you added manually additional lines in other server configuration files - comment them out as well.
Step 3: Run a test command
Run the command 'TBD'. You should see it print out "test is successful".
Step 4: Upgrade the Kong Gateway's software version
Run any commands you intended to run in order to upgrade the Kong Gateway's software version
Step 5: Stop and start the agent, while triggering deployment of a new attachment
Run the following commands: cpnano -q rm /etc/cp/conf/manifest.json cpnano -r
Step 6: Verify the agent has restarted
After one minute that the agent has restarted successfully use the following command: cpnano -s Last update status should state “Succeeded” and Last update should show a time in the scope of the last few minutes.
Step 7: Undo the changes done in step 2
Remove the "comment out" character ('#') from all the lines it was added to in step 2 (In the paths TBD or TBD)

NGINX

Step 1: Delete the agent module's load_module line
  • Via command line access to the machine with the NGINX server and the agent, edit the following file: /etc/nginx/nginx.conf
  • Delete the following line: load_module /usr/share/nginx/modules//ngx_cp_attachment_module.so;
Step 2: Comment out the agent module's configuration lines
  • Edit all files in the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/*
    • Comment out (add '#' in the beginning of the line) all the lines that begin with: cp-nano-nginx-attachment
  • If you added manually additional lines in other server configuration files - comment them out as well.
Step 3: Run a test command
Run the command 'nginx -t'. You should see it print out "test is successful".
Step 4: Upgrade the NGINX's software version
Run any commands you intended to run in order to upgrade the NGINX's software version
Step 5: Stop and start the agent, while triggering deployment of a new attachment
Run the following commands: cpnano -q rm /etc/cp/conf/manifest.json cpnano -r
Step 6: Verify the agent has restarted
After one minute that the agent has restarted successfully using the following command: cpnano -s Last update status should state “Succeeded” and Last update should show a time in the scope of the last few minutes.
Step 7: Undo the changes done in step 2
Remove the "comment out" character ('#') from all the lines it was added to in step 2 (In the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/* )