A guide to using Nemesida WAF as Docker containers.

Deploying a Nemesida WAF Docker container

To deploy the Nemesida WAF Container one has to do the following:

Nemesida WAF:

1. Load an image containing the dynamic module Nemesida WAF and Nemesida AI:

# docker pull nemesida/nwaf-dyn-1.18

2. Create a directory for Nemesida WAF configuration files:

# mkdir -p /opt/nwaf/waf-config

3. Create file first-launch in the configuration files directory:

# touch /opt/nwaf/waf-config/first-launch

4. Run the container with Nemesida WAF image using the command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 nemesida/nwaf-dyn-1.18

The container will create a basic set of configuration files in the configuration files directory and then terminate.

5. Edit the configuration files according to the instructions on page Nemesida WAF and Nemesida AI.

6. Run the container with Nemesida WAF image using the command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 nemesida/nwaf-dyn-1.18

where:

  • --rm – container removal after closedown;
  • -d – container running in background mode;
  • -v /opt/nwaf/waf-config:/nginx.configs – mounting the directory with configuration files inside the container.

Nemesida WAF Free:

1. Load an image containing the dynamic module Nemesida WAF:

# docker pull nemesida/nwaf-dyn-free-1.18

2. Create a directory for Nemesida WAF configuration files:

# mkdir -p /opt/nwaf/waf-config

3. Create file first-launch in the configuration files directory:

# touch /opt/nwaf/waf-config/first-launch

4. Run the container with Nemesida WAF image using the command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 nemesida/nwaf-dyn-free-1.18

The container will create a basic set of configuration files in the configuration files directory and then terminate.

5. Edit the configuration files according to the instructions on page Nemesida WAF.

6. Run the container with Nemesida WAF image using the command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 nemesida/nwaf-dyn-free-1.18

where:

    • --rm – container removal after closedown;
    • -d – container running in background mode;
    • -v /opt/nwaf/waf-config:/nginx.configs – mounting the directory with configuration files inside the container.

Nemesida WAF image update

Nemesida WAF:

1. Before updating Nemesida WAF image, verify if the container is running. To do this, view the container ID (CONTAINER ID column) using the command:

# docker ps -a

2. If the container is running, stop it using the command:

# docker stop /container ID/

3. With the container stopped, delete the image:

# docker image rm nemesida/nwaf-dyn-1.18

4. Load an image containing the dynamic module Nemesida WAF and Nemesida AI:

# docker pull nemesida/nwaf-dyn-1.18

5. Run the container with Nemesida WAF image using the command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 nemesida/nwaf-dyn-1.18

After the update, previous versions of the configuration files will be placed in the old subdirectory.

Nemesida WAF Free:

1. Before updating Nemesida WAF image, verify if the container is running. To do this, view the container ID (CONTAINER ID column) using the command:

# docker ps -a

2. If the container is running, stop it using the command:

# docker stop /container ID/

3. With the container stopped, delete the image:

# docker image rm nemesida/nwaf-dyn-free-1.18

4. Load an image containing the dynamic module Nemesida WAF:

# docker pull nemesida/nwaf-dyn-free-1.18

5. Run the container with Nemesida WAF image using the command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/waf-config:/nginx.configs -p 80:80 nemesida/nwaf-dyn-free-1.18

After the update, previous versions of the configuration files will be placed in the old subdirectory.

Nemesida WAF API and Nemesida WAF Cabinet Docker container deployment

To deploy Nemesida WAF API and Nemesida WAF Cabinet Docker container one has to do the following:

1. Load the image containing the Nemesida WAF API modules and the Nemesida WAF Cabinet:

# docker pull nemesida/nwaf-api-cabinet

2. Create two directories:

  • For configuration files (for example, api-cab-config):
    # mkdir -p /opt/nwaf/api-cab-config
  • For database (for example, api-cab-base):
    # mkdir /opt/nwaf/api-cab-base

3. Create file first-launch in the configuration files directory:

# touch /opt/nwaf/api-cab-config/first-launch

4. Run the container with Nemesida WAF API image + Nemesida WAF Cabinet, using commands:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/api-cab-config:/nwaf-api -v /opt/nwaf/api-cab-base:/var/lib/postgresql -p 8080:8080 -p 8090:80 nemesida/nwaf-api-cabinet

where:

  • --rm – container removal after closedown;
  • -d – container running in background mode;
  • -v /opt/nwaf/api-cab-config:/nwaf-api – mounting the directory with configuration files inside the container;
  • -v /opt/nwaf/api-cab-base:/var/lib/postgresql – mounting the directory with database inside the container;
  • -p 8080:8080 – container port 8080 forwarding to the external port 8080;
  • -p 8090:80 – container port 80 forwarding to the external port 8090.

One can view the container ID using the command (CONTAINER ID column):

# docker ps -a

5. Allow read access for everyone to the directory api-cab-config:

# chmod -R 0555 /opt/nwaf/api-cab-config

6. Run the migration and account creation command and follow the script instructions:

# docker exec -ti /container ID/ bash -c "bash /opt/migrate.sh"

One can stop the container using the command:

# docker stop /container ID/

7. Make changes to the configuration files according to the instructions on the documentation pages Nemesida WAF API and Nemesida WAF Cabinet.

8. Run the container with Nemesida WAF API and Nemesida WAF Cabinet using the command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/api-cab-config:/nwaf-api -v /opt/nwaf/api-cab-base:/var/lib/postgresql -p 8080:8080 -p 8090:80 nemesida/nwaf-api-cabinet

where:

  • --rm – container removal after closedown;
  • -d – container running in background mode;
  • -v /opt/nwaf/api-cab-config:/nwaf-api – mounting the directory with configuration files inside the container;
  • -v /opt/nwaf/api-cab-base:/var/lib/postgresql – mounting the directory with database inside the container;
  • -p 8080:8080 – container port 8080 forwarding to the external port 8080;
  • -p 8090:80 – container port 80 forwarding to the external port 8090.

Nemesida WAF API and Nemesida WAF Cabinet image update
1. Before updating Nemesida WAF API and Nemesida WAF Cabinet image, verify if the container is running. To do this, view the container ID (CONTAINER ID column) using the command:

# docker ps -a

2. If the container is running, stop it using the command:

# docker stop /container ID/

3. With the container stopped, delete the image:

# docker image rm nemesida/nwaf-api-cabinet

4. Load the image containing the Nemesida WAF API modules and the Nemesida WAF Cabinet:

# docker pull nemesida/nwaf-api-cabinet

5. Run the container with Nemesida WAF API image + Nemesida WAF Cabinet, using command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/api-cab-config:/nwaf-api -v /opt/nwaf/api-cab-base:/var/lib/postgresql -p 8080:8080 -p 8090:80 nemesida/nwaf-api-cabinet

Nemesida WAF Signtest Docker container deployment
To deploy Nemesida WAF Signtest Docker container one has to do the following:

1. Load the image containing the Nemesida WAF Signtest:

# docker pull nemesida/nwaf-st

2. Create two directories:

  • For configuration files (for example, nwaf-signtest-config):
    # mkdir -p /opt/nwaf/nwaf-signtest-config
  • For database (for example, nwaf-signtest-base):
    # mkdir /opt/nwaf/nwaf-signtest-base

3. Create file first-launch in the configuration files directory:

# touch /opt/nwaf/nwaf-signtest-config/first-launch

4. Run the container with Nemesida WAF Signtest, using commands:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/nwaf-signtest-config:/nwaf-signtest -v /opt/nwaf/nwaf-signtest-base:/var/lib/postgresql -p 8081:8088 -p 82:80 nemesida/nwaf-st

where:

  • --rm – container removal after closedown;
  • -d – container running in background mode;
  • -v /opt/nwaf/nwaf-signtest-config:/nwaf-signtest – mounting the directory with configuration files inside the container;
  • -v /opt/nwaf/nwaf-signtest-base:/var/lib/postgresql – mounting the directory with database inside the container;
  • -p 8081:8088 – container port 8088 forwarding to the external port 8081;
  • -p 82:80 – container port 80 forwarding to the external port 82.

One can view the container ID using the command (CONTAINER ID column):

# docker ps -a

5. Allow read access for everyone to the directory nwaf-signtest-config:

# chmod -R 0555 /opt/nwaf/nwaf-signtest-config

6. Run the migration and account creation command and follow the script instructions:

# docker exec -ti /container ID/ bash -c "bash /opt/migrate.sh"

One can stop the container using the command:

# docker stop /container ID/

7. Make changes to the configuration files according to the instructions on the documentation pages Nemesida WAF Signtest.

8. Run the container with Nemesida WAF Signtest using the command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/nwaf-signtest-config:/nwaf-signtest -v /opt/nwaf/nwaf-signtest-base:/var/lib/postgresql -p 8081:8088 -p 82:80 nemesida/nwaf-st

where:

  • --rm – container removal after closedown;
  • -d – container running in background mode;
  • -v /opt/nwaf/nwaf-signtest-config:/nwaf-signtest – mounting the directory with configuration files inside the container;
  • -v /opt/nwaf/nwaf-signtest-base:/var/lib/postgresql – mounting the directory with database inside the container;
  • -p 8081:8088 – container port 8088 forwarding to the external port 8081;
  • -p 82:80 – container port 80 forwarding to the external port 82.

Nemesida WAF Signtest image update
1. Before updating Nemesida WAF Signtest image, verify if the container is running. To do this, view the container ID (CONTAINER ID column) using the command:

# docker ps -a

2. If the container is running, stop it using the command:

# docker stop /container ID/

3. With the container stopped, delete the image:

# docker image rm nemesida/nwaf-st

4. Load the image containing the Nemesida WAF Signtest:

# docker pull nemesida/nwaf-st

5. Run the container with Nemesida WAF Signtest, using command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/nwaf-signtest-config:/nwaf-signtest -v /opt/nwaf/nwaf-signtest-base:/var/lib/postgresql -p 8081:8088 -p 82:80 nemesida/nwaf-st

Nemesida WAF Scanner Docker container deployment

For the Nemesida WAF Scanner module to work correctly, it needs access to the web application that bypasses Nemesida WAF.

To deploy Nemesida WAF Scanner Docker container one has to do the following:

1. Load the image containing the Nemesida WAF Scanner:

# docker pull nemesida/nwaf-scanner

2. Create a directory for Nemesida WAF Scanner configuration files:

# mkdir -p /opt/nwaf/nwaf-scanner

3. Create file first-launch in the configuration files directory:

# touch /opt/nwaf/nwaf-scanner/first-launch

4. Run the container with Nemesida WAF Scanner using the command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/nwaf-scanner/:/nwaf-scanner nemesida/nwaf-scanner

where:

  • --rm – container removal after closedown;
  • -d – container running in background mode;
  • -v /opt/nwaf/nwaf-scanner:/nwaf-scanner – mounting the directory with configuration files inside the container.

To view the container ID (the CONTAINER ID column), use the command:

# docker ps -a

You can stop the container with the command:

# docker stop /container ID/

5. Make changes to the configuration files according to the instructions on the documentation page Nemesida WAF Scanner.

6. Edit the PostgreSQL configuration files of the Nemesida WAF API and Nemesida WAF Cabinet modules so that Nemesida WAF Scanner can connect to their database:

  • In file /opt/nwaf/api-cab-config/postgresql/main/postgresql.conf:
    listen_addresses = '*'
  • In file /opt/nwaf/api-cab-config/postgresql/main/pg_hba.conf:
    host    all             all             0.0.0.0/0            md5

7. Run the container with Nemesida WAF API, Nemesida WAF Cabinet and Nemesida WAF Scanner, using commands:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/api-cab-config:/nwaf-api -v /opt/nwaf/api-cab-base:/var/lib/postgresql -p 8080:8080 -p 8090:80 -p 5432:5432 nemesida/nwaf-api-cabinet

where:

  • --rm – container removal after closedown;
  • -d – container running in background mode;
  • -v /opt/nwaf/api-cab-config:/nwaf-api – mounting the directory with configuration files inside the container;
  • -v /opt/nwaf/api-cab-base:/var/lib/postgresql – mounting the directory with database inside the container;
  • -p 8080:8080 – container port 8080 forwarding to the external port 8080;
  • -p 8090:80 – container port 80 forwarding to the external port 8090;
  • -p 5432:5432 – container port 5432 forwarding to the external port 5432.

# docker run --rm -d -v /opt/nwaf/nwaf-scanner/:/nwaf-scanner nemesida/nwaf-scanner

where:

  • --rm – container removal after closedown;
  • -d – container running in background mode;
  • -v /opt/nwaf/nwaf-scanner:/nwaf-scanner – mounting the directory with configuration files inside the container.

8. To start the scan process, run the command:

# docker exec -ti /container ID/ bash -c "/usr/bin/nws"
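
Step 6 lets PostgreSQL accept connections from every source address (listen_addresses = '*' plus a 0.0.0.0/0 rule), and step 7 publishes port 5432 on the host. The following added example, which is not part of the Nemesida documentation, audits a pg_hba.conf for such rules and rewrites them to a single network; the function names, the sample file and the 172.17.0.0/16 network (Docker's default bridge subnet) are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): audit the pg_hba.conf rule from step 6.

# Print "line: rule" for every TCP rule that accepts any source address;
# return 1 if at least one such rule exists, 0 otherwise.
audit_pg_hba() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $1 ~ /^host/ {                           # host, hostssl, hostnossl
            wide = ($4 == "0.0.0.0/0" || $4 == "::/0" || $4 == "all" ||
                    ($4 == "0.0.0.0" && $5 == "0.0.0.0"))
            if (wide) { printf "%d: %s\n", NR, $0; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Replace the address of every "0.0.0.0/0" rule with one CIDR (the network
# the scanner connects from) and write the result to stdout.
narrow_pg_hba() {   # usage: narrow_pg_hba FILE CIDR
    awk -v cidr="$2" '
        $1 ~ /^host/ && $4 == "0.0.0.0/0" { $4 = cidr }
        { print }
    ' "$1"
}

# Constructed sample input: the rule from step 6 after two narrower ones.
write_sample_pg_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       127.0.0.1/32   md5
host    all       all       0.0.0.0/0      md5
EOF
}

sample=$(mktemp)
write_sample_pg_hba "$sample"
audit_pg_hba "$sample" || echo "rules above accept connections from any address"
# 172.17.0.0/16 is an assumed scanner network, not a value from the vendor docs.
narrow_pg_hba "$sample" 172.17.0.0/16 > "$sample.fixed"
audit_pg_hba "$sample.fixed" && echo "no open rules after narrowing"
rm -f "$sample" "$sample.fixed"
```
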

Nemesida WAF Scanner image update
1. Before updating Nemesida WAF Scanner image, verify if the container is running. To do this, view the container ID (CONTAINER ID column) using the command:

# docker ps -a

2. If the container is running, stop it using the command:

# docker stop /container ID/

3. With the container stopped, delete the image:

# docker image rm nemesida/nwaf-scanner

4. Load the image containing the Nemesida WAF Scanner modules:

# docker pull nemesida/nwaf-scanner

5. Run the container with Nemesida WAF Scanner, using command:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/nwaf-scanner/:/nwaf-scanner nemesida/nwaf-scanner 
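
The image update procedures above (Nemesida WAF, Nemesida WAF API and Cabinet, Signtest, Scanner) repeat the same five steps. As an added example, not taken from the Nemesida documentation, they can be wrapped in one function that finds the container by its image instead of a hand-copied ID and creates the DOCKER chain only when it is missing; nwaf_update, ensure_docker_chain and the DOCKER/IPTABLES override variables are hypothetical names.

```shell
#!/bin/sh
# Added example (not vendor code): the five image update steps as one function.
# DOCKER and IPTABLES may point at wrappers, e.g. for logging or testing.
DOCKER=${DOCKER:-docker}
IPTABLES=${IPTABLES:-iptables}

# Create the DOCKER chain only if it is missing; a plain "-N DOCKER"
# returns an error when the chain already exists.
ensure_docker_chain() {
    $IPTABLES -t filter -L DOCKER -n >/dev/null 2>&1 ||
        $IPTABLES -t filter -N DOCKER
}

# usage: nwaf_update IMAGE [docker run options...]
nwaf_update() {
    image=$1; shift
    # Steps 1-2: find running containers started from this image, stop them.
    for id in $($DOCKER ps -q --filter "ancestor=$image"); do
        $DOCKER stop "$id" || return 1
    done
    # Steps 3-4: delete the old image and pull the current one.
    $DOCKER image rm "$image" || return 1
    $DOCKER pull "$image" || return 1
    # Step 5: start the container with the same options as before.
    ensure_docker_chain || return 1
    $DOCKER run --rm -d "$@" "$image"
}

# Run as a script, for example:
#   sh nwaf-update.sh nemesida/nwaf-scanner -v /opt/nwaf/nwaf-scanner/:/nwaf-scanner
if [ $# -gt 0 ]; then
    nwaf_update "$@"
fi
```
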

Deploying a Docker container with Docker Compose
To deploy containers with modules Nemesida WAF, Nemesida WAF API, Nemesida WAF Cabinet and Nemesida WAF Signtest, you must perform the following steps:

1. Install Docker Compose;

2. Download the docker-compose.yml file with launch parameters;

3. Create directories for Nemesida WAF configuration files relative to the downloaded docker-compose.yml:

# mkdir -p ./nwaf/{waf-config,api-cab-config,api-cab-base,nwaf-signtest-config,nwaf-signtest-base}

4. Create a first-launch file in the configuration file directories:

# touch ./nwaf/{waf-config,api-cab-config,nwaf-signtest-config}/first-launch

5. Run Docker Compose using the commands:

# iptables -t filter -N DOCKER
# docker-compose up --build -d

6. For directories nwaf-api-cab-config and nwaf-signtest-config, allow read access for everyone:

# chmod -R 0555 /opt/nwaf/nwaf-api-cab-config
# chmod -R 0555 /opt/nwaf/nwaf-signtest-config

7. Perform migrations and create users for the Nemesida WAF Cabinet and Nemesida WAF Signtest modules:

# docker-compose exec nwaf-api-cabinet "/bin/bash" "/opt/migrate.sh"
# docker-compose exec nwaf-signtest "/bin/bash" "/opt/migrate.sh"

8. Stop Docker Compose:

# docker-compose down

9. Make changes to the configuration files according to the instructions on the documentation pages Nemesida WAF and Nemesida AI, Nemesida WAF API, Nemesida WAF Cabinet and Nemesida WAF Signtest;

10. Run Docker Compose using the commands:

# iptables -t filter -N DOCKER
# docker-compose up -d