A guide to using Nemesida WAF as Docker containers.
- Filtering node
- Nemesida AI MLC
- Nemesida WAF WEB
- Nemesida WAF Scanner
- Docker Compose
To deploy the filtering node container one has to do the following:
Currently, the image is only available with latest version of Nginx stable.
1. Load an image containing the dynamic module and Nemesida AI MLA:
# docker pull nemesida/nwaf-dyn
2. Create a directory for the dynamic module configuration files:
# mkdir -p /opt/nwaf/waf-config
3. Create file first-launch
in the configuration files directory:
# touch /opt/nwaf/waf-config/first-launch
4. Run the container with dynamic module image using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 -p 5672:5672 nemesida/nwaf-dyn
The container will terminate by creating a basic set of configuration files in the configuration files directory.
5. Edit the configuration files according to the instructions.
6. Run the container with dynamic module image using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 -p 5672:5672 nemesida/nwaf-dyn
where:
--rm
– container removal after closedown;-d
– container running in background mode;-v /opt/nwaf/waf-config:/nginx.configs
– mounting the directory with configuration files inside the container.
Currently, the image is only available with latest version of Nginx stable.
1. Load an image containing the dynamic module:
# docker pull nemesida/nwaf-dyn-ce
2. Create a directory for dynamic module configuration files:
# mkdir -p /opt/nwaf/waf-config
3. Create file first-launch
in the configuration files directory:
# touch /opt/nwaf/waf-config/first-launch
4. Run the container with dynamic module image using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 -p 5672:5672 nemesida/nwaf-dyn-ce
The container will terminate by creating a basic set of configuration files in the configuration files directory.
5. Edit the configuration files according to the instructions.
6. Run the container with dynamic module image using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 -p 5672:5672 nemesida/nwaf-dyn-ce
where:
--rm
– container removal after closedown;-d
– container running in background mode;-v /opt/nwaf/waf-config:/nginx.configs
– mounting the directory with configuration files inside the container.
1. Before updating the image with a filtering node, verify if the container is running. To do this, view the container ID (CONTAINER ID column) using the command:
# docker ps -a
2. If the container is running, stop it using the command:
# docker stop /container ID/
3. With the container stopped, delete the image:
# docker image rm nemesida/nwaf-dyn
4. Load an image containing the dynamic module and Nemesida AI MLA:
# docker pull nemesida/nwaf-dyn
5. Run the container with dynamic module image using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 -p 5672:5672 nemesida/nwaf-dyn
After the update, previous versions of the configuration files will be placed in old
subdirectory.
1. Before updating the image with a filtering node, verify if the container is running. To do this, view the container ID (CONTAINER ID column) using the command:
# docker ps -a
2. If the container is running, stop it using the command:
# docker stop /container ID/
3. With the container stopped, delete the image:
# docker image rm nemesida/nwaf-dyn-ce
4. Load an image containing the dynamic module:
# docker pull nemesida/nwaf-dyn-ce
5. Run the container with dynamic module image using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 -p 5672:5672 nemesida/nwaf-dyn-ce
After the update, previous versions of the configuration files will be placed in old
subdirectory.
Used only in the commercial version of Nemesida WAF.
To deploy the Nemesida AI MLC container, follow these steps:
1. Download the image containing the Nemesida AI MLC module:
# docker pull nemesida/nwaf-mlc
2. Create a directory for Nemesida AI MLC configuration files:
# mkdir -p /opt/nwaf/mlc-config
3. In the configuration files directory, create the first-launch
file:
# touch /opt/nwaf/mlc-config/first-launch
4. Launch the container with the Nemesida AI MLC image using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/mlc-config:/nwaf_mlc.configs nemesida/nwaf-mlc
The container will finish its work on its own by creating a basic set of configuration files in the configuration files directory.
5. Edit the configuration files according to the instructions.
The values for the
rmq_host
parameter are stored in the configuration file of the container with the dynamic module/opt/waf/waf-config/rabbitmq_password
.
6. Launch the container with the dynamic module image using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/mlc-config:/nwaf_mlc.configs nemesida/nwaf-mlc
where:
--rm
– deleting the container after completion of work;-d
– running the container in the background;-v /opt/nwaf/mlc-config:/nwaf_mlc.configs nemesida/nwaf-mlc
– mounting a directory with configuration files inside the container.
1. Before updating the Nemesida AI MLC image, check whether the container is running. To do this, you need to look at the container ID (CONTAINER ID column) using the command:
# docker ps -a
2. If the container is running, stop it using the command:
# docker stop /container ID/
3. When the container is stopped, delete the image:
# docker image rm nemesida/nwaf-mlc
4. Download the image containing the Nemesida AI MLC module:
# docker pull nemesida/nwaf-mlc
5. Launch the container with the dynamic module image using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/mlc-config:/nwaf_mlc.configs nemesida/nwaf-mlc
After the update, the previous versions of the configuration files will be placed in the old
subdirectory.
To deploy Nemesida WAF API and Nemesida WAF Cabinet Docker container one has to do the following:Designed for all plans.
# docker pull nemesida/nwaf-web
2. Create two directories:
- For configuration files (for example,
api-cab-config
):# mkdir -p /opt/nwaf/api-cab-config
- For database (for example,
api-cab-base
):# mkdir /opt/nwaf/api-cab-base
3. Create file first-launch
in the configuration files directory:
# touch /opt/nwaf/api-cab-config/first-launch
4. Run the container with Nemesida WAF API image and Nemesida WAF Cabinet, using commands:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/api-cab-config:/nwaf-api -v /opt/nwaf/api-cab-base:/var/lib/postgresql -p 8080:8080 -p 8090:80 nemesida/nwaf-web
where:
--rm
– container removal after closedown;-d
– container running in background mode;-v /opt/nwaf/api-cab-config:/nwaf-api
– mounting the directory with configuration files inside the container;-v /opt/nwaf/api-cab-base:/var/lib/postgresql
– mounting the directory with database inside the container;-p 8080:8080
– container port8080
forwarding to the external port8080
;-p 8090:80
– container port80
forwarding to the external port8090
.
View the container ID using the command (CONTAINER ID column):
# docker ps -a
5. Allow access to reading for all for the directory api-cab-config
:
# chmod -R 0555 /opt/nwaf/api-cab-config
6. Run the migration and account creation command and follow the script instructions:
# docker exec -ti /container ID/ bash -with "bash /opt/migrate.sh"
Stop the container using the command:
# docker stop /container ID/
7. Make changes to the configuration files according to the instructions on the documentation pages Nemesida WAF API and Nemesida WAF Cabinet.
8. Run the container with Nemesida WAF API and Nemeida WAF Nemesida WAF Cabinet using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/api-cab-config:/nwaf-api -v /opt/nwaf/api-cab-base:/var/lib/postgresql -p 8080:8080 -p 8090:80 nemesida/nwaf-web
where:
--rm
– container removal after closedown;-d
– container running in background mode;-v /opt/nwaf/api-cab-config:/nwaf-api
– mounting the directory with configuration files inside the container;-v /opt/nwaf/api-cab-base:/var/lib/postgresql
– mounting the directory with database inside the container;-p 8080:8080
– container port8080
forwarding to the external port8080
;-p 8090:80
– container port80
forwarding to the external port8090
.
# docker pull nemesida/nwaf-web-pg
2. Create a directory for configuration files:
# mkdir -p /opt/nwaf/api-cab-config
3. Create file first-launch
in the configuration files directory:
# touch /opt/nwaf/api-cab-config/first-launch
4. Run the container with Nemesida WAF API image + Nemesida WAF Cabinet, using commands:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/api-cab-config:/nwaf-api -p 8080:8080 -p 8090:80 nemesida/nwaf-web-pg
where:
--rm
– container removal after closedown;-d
– container running in background mode;-v /opt/nwaf/api-cab-config:/nwaf-api
– mounting the directory with configuration files inside the container;-p 8080:8080
– container port8080
forwarding to the external port8080
;-p 8090:80
– container port80
forwarding to the external port8090
.
5. Create a database, user and a password to connect the Nemesida WAF API and Nemesida WAF Cabinet modules:
# su - postgres -c "psql -c \"CREATE DATABASE waf;\"" # su - postgres -c "psql -c \"CREATE ROLE nw_api PASSWORD 'YOUR_PASSWORD';\"" # su - postgres -c "psql -c \"GRANT ALL ON DATABASE waf to nw_api;\"" # su - postgres -c "psql -c \"ALTER ROLE nw_api WITH LOGIN;\"" # su - postgres -c "psql -c \"CREATE DATABASE cabinet;\"" # su - postgres -c "psql -c \"CREATE ROLE nw_cabinet PASSWORD 'YOUR_PASSWORD';\"" # su - postgres -c "psql -c \"GRANT ALL ON DATABASE cabinet to nw_cabinet;\"" # su - postgres -c "psql -c \"ALTER ROLE nw_cabinet WITH LOGIN;\""
6. Allow external connections to the database by making changes to the pg_hba.conf
file:
# IPv4 local connections: host all all 0.0.0.0/0 md5
View the container ID using the command (CONTAINER ID column):
# docker ps -a
7. Allow access to reading for all for the directory api-cab-config
:
# chmod -R 0555 /opt/nwaf/api-cab-config
8. Run the migration and account creation command and follow the script instructions:
# docker exec -ti /container ID/ bash -with "bash /opt/migrate.sh"
Stop the container using the command:
# docker stop /container ID/
9. Make changes to the configuration files according to the instructions on the documentation pages Nemesida WAF API and Nemesida WAF Cabinet.
10. Run the container with Nemesida WAF API and Nemeida WAF Nemesida WAF Cabinet using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/api-cab-config:/nwaf-api -p 8080:8080 -p 8090:80 nemesida/nwaf-web-pg
where:
--rm
– container removal after closedown;-d
– container running in background mode;-v /opt/nwaf/api-cab-config:/nwaf-api
– mounting the directory with configuration files inside the container;-p 8080:8080
– container port8080
forwarding to the external port8080
;-p 8090:80
– container port80
forwarding to the external port8090
.
When accessing the web interface of the Nemesida WAF Cabinet module, it is necessary to add the port
8090
. For example:http://Nemesida WAF Cabinet.example.com:8090/waf/personal
# docker ps -a
If the container is running, stop it using the command:
# docker stop /container ID/
# docker image rm nemesida/nwaf-web
2. Load the image containing the Nemesida WAF API modules and the Nemesida WAF Cabinet:
# docker pull nemesida/nwaf-web
3. Run the container with Nemesida WAF API image + Nemesida WAF Cabinet, using command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/api-cab-config:/nwaf-api -v /opt/nwaf/api-cab-base:/var/lib/postgresql -p 8080:8080 -p 8090:80 nemesida/nwaf-web
# docker image rm nemesida/nwaf-web-pg
2. Load the image containing the Nemesida WAF API modules and the Nemesida WAF Cabinet:
# docker pull nemesida/nwaf-web-pg
3. Run the container with Nemesida WAF API image + Nemesida WAF Cabinet, using command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/api-cab-config:/nwaf-api -p 8080:8080 -p 8090:80 nemesida/nwaf-web-pg
To deploy Nemesida WAF Scanner Docker container one has to do the following: 1. Load the image containing the Nemesida WAF Scanner:Designed for the Enterprise plan.
For correct work of the Nemesida WAF Scanner module, you need to provide access to the web application bypassing the Nemesida WAF.
# docker pull nemesida/nwaf-scanner
2. Create a directory for Nemesida WAF Scanner configuration files:
# mkdir -p /opt/nwaf/nwaf-scanner
3. Create file first-launch
in the configuration files directory:
# touch /opt/nwaf/nwaf-scanner/first-launch
4. Run the container with Nemesida WAF Scanner using the command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/nwaf-scanner/:/nwaf-scanner nemesida/nwaf-scanner
where:
--rm
– container removal after closedown;-d
– container running in background mode;-v /opt/nwaf/nwaf-scanner:/nwaf-scanner
– mounting the directory with configuration files inside the container.
The container will finish its work on its own by creating a basic set of configuration files in the configuration files directory.
5. Make changes to the configuration files according to the instructions on the documentation page Nemesida WAF Scanner.
View the container ID using the command (CONTAINER ID column):
# docker ps -a
6. Stop the container with the Nemesida WAF API modules and the Nemesida WAF Cabinet with the command:
# docker stop /container ID/
7. Make changes to the configuration files for connecting to database of modules Nemesida WAF API and the Nemesida WAF Cabinet modules to interact with Nemesida WAF Scanner:
- In file
/opt/nwaf/api-cab-config/postgresql/main/postgresql.conf
:
listen_addresses = '*'
- In file
/opt/nwaf/api-cab-config/postgresql/main/pg_hba.conf
:
host all all 0.0.0.0/0 md5
8. Run the container with Nemesida WAF API, Nemesida WAF Cabinet and Nemesida WAF Scanner, using commands:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/api-cab-config:/nwaf-api -v /opt/nwaf/api-cab-base:/var/lib/postgresql -p 8080:8080 -p 8090:80 -p 5432:5432 nemesida/nwaf-web
where:
--rm
– container removal after closedown;-d
– container running in background mode;-v /opt/nwaf/api-cab-config:/nwaf-api
– mounting the directory with configuration files inside the container;-v /opt/nwaf/api-cab-base:/var/lib/postgresql
– mounting the directory with database inside the container;-p 8080:8080
– container port8080
forwarding to the external port8080
;-p 8090:80
– container port80
forwarding to the external port8090
;-p 5432:5432
– container port5432
forwarding to the external port5432
.
# docker run --rm -d -v /opt/nwaf/nwaf-scanner/:/nwaf-scanner nemesida/nwaf-scanner
where:
--rm
– container removal after closedown;-d
– container running in background mode;-v /opt/nwaf/nwaf-scanner:/nwaf-scanner
– mounting the directory with configuration files inside the container.
9. To start the scan process, run the command:
docker exec -ti /container ID/ bash -c "/usr/bin/nws"
# docker ps -a
2. If the container is running, stop it using the command:
# docker stop /container ID/
3. With the container stopped, delete the image:
# docker image rm nemesida/nwaf-scanner
4. Load the image containing the Nemesida WAF Scanner modules:
# docker pull nemesida/nwaf-scanner
5. Run the container with Nemesida WAF Scanner, using command:
# iptables -t filter -N DOCKER # docker run --rm -d -v /opt/nwaf/nwaf-scanner/:/nwaf-scanner nemesida/nwaf-scanner
1. Install the Docker Compose;
2. Download the docker-compose.yml file with launch parameters;
3. Create directories for Nemesida WAF config files relative to loaded docker-compose.yml
:
# mkdir -p /opt/nwaf/{waf-config,mlc-config,api-cab-config,api-cab-base}
4. Create a first-launch
file in the configuration file directories:
# touch /opt/nwaf/{waf-config,mlc-config,api-cab-config}/first-launch
5. Run Docker Compose using the commands:
# iptables -t filter -N DOCKER # docker-compose up --build -d
6. For directories nwaf-api-cab-config
allow read access for everyone:
# chmod -R 0555 /opt/nwaf/api-cab-config
7. Perform migrations and create users for the Nemesida WAF Cabinet modules:
# docker-compose exec nwaf-web "/bin/bash" "/opt/migrate.sh"
8. Stop Docker Compose:
# docker-compose down
9. Make changes to the configuration files according to the instructions on the documentation pages Dynamic module, Nemesida AI MLC, Nemesida WAF API and Nemesida WAF Cabinet;
10. Run Docker Compose using the commands:
# iptables -t filter -N DOCKER # docker-compose up -d