Upgrade your Reverse Proxy /API Gateway when an Agent is Installed
One of the possible deployments for open-appsec is a Linux agent installed on top of a supported Reverse Proxy.
If you wish to upgrade the Reverse Proxy while the agent is installed, follow the steps described in this documentation page.
NGINX
Kong Gateway
- Locate your nginx modules folder path by running: nginx -V and look for the value of the "--modules-path" parameter. It is usually /usr/share/nginx/modules or /usr/lib/nginx/modules
- Via command line access to the machine with the NGINX server and the agent, edit the following file: /etc/nginx/nginx.conf
- Delete the following line (look for the path located previously): load_module /<modules folder path>/ngx_cp_attachment_module.so;
- Edit all files in the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/*
- Comment out (add '#' in the beginning of the line) all the lines, if exist, that begin with: cp-nano-nginx-attachment
- If you added manually additional lines in other server configuration files - comment them out as well.
Run the command 'nginx -t'. You should see it print out "test is successful".
Run any commands you intended to run in order to upgrade the NGINX's software version
Run the following commands:
cpnano -q
rm -rf /etc/cp/packages
rm /etc/cp/conf/manifest.json
cpnano -r
After one minute that the agent has restarted successfully using the following command:
cpnano -s
Last update status should state “Succeeded” and Last update should show a time in the scope of the last few minutes.
Remove the "comment out" character ('#') from all the lines it was added to in step 2 (In the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/* )
Run the following commands:
nginx -s reload
systemctl restart nginx
Step 1: Delete the agent module's load_module line
- Locate your nginx modules folder path by running: /usr/local/openresty/nginx/sbin/nginx -V and look for the value of the "--modules-path" parameter. It is usually /usr/share/nginx/modules or /usr/lib/nginx/modules
- Via command line access to the machine with the NGINX server and the agent, edit the following file: /usr/local/kong/nginx.conf
- Delete the following lines (look for the path located previously): load_module /<modules folder path>/open_appsec_ngx_module.so; cp_worker_processes auto;
Step 2: Run a test command
Run the command '/usr/local/openresty/nginx/sbin/nginx -p /usr/local/kong -c nginx.conf -t'. You should see it print out "test is successful".
Step 3: Upgrade the Kong Gateway's software version
Run any commands you intended to run in order to upgrade the Kong Gateway's software version
Step 4: Backup your declarative policy (optional)
If you are using a declarative policy, copy your local configuration to a new folder by running:
open-appsec-ctl --list-policies
cp <output of list-policies-command> <your backup folder>
Step 5: Stop the agent and re-deploy attachment
Run the following commands:
open-appsec-ctl -q
rm /etc/cp/conf/manifest.json
Run the open-appsec install command:
wget https://downloads.openappsec.io/open-appsec-install && chmod +x open-appsec-install
./open-appsec-install --auto
Step 6: Restore you declarative policy (optional)
Copy your backed up declarative policy to the original folder:
cp <your backed up declarative policy file> <output of list-policies-command>
Step 7: Verify the agent has restarted
After one minute that the agent has restarted successfully use the following command:
open-appsec-ctl -s
Last update status should state “Succeeded” and Last update should show a time in the scope of the last few minutes.
Last modified 2mo ago