Docker
CloudGuard AppSec for containers (Docker) protects vulnerable applications and APIs running in an environment in which the Reverse Proxy is deployed in a docker environment.
In environments where the NGINX server is a container that acts as a reverse proxy for upstream containers and any other upstream deployments, you can either use a Nano-Agent as a different container to receive a stream of all HTTP data from the NGINX container, or alternatively, deploy a unified docker image that includes an NGINX and Nano-Agent. If you prefer the separated approach, the separated NGINX server in the provided docker will load a standard loadable module that communicates with a Nano-Agent container.
- An environment using a docker orchestration tool to deploy its Reverse Proxy server.
- The environment does not require an existing reverse proxy, but this guide does not include instructions on deploying a new reverse proxy server as these vary from environment to environment. However we do provide a link below to simple deployment instructions from the official NGINX docker hub repository.
Unified Single Docker
Separate NGINX and Nano-Agent Dockers
Use this option to deploy a single docker image that unifies the reverse proxy as an NGINX server you can maintain on your own, with an embedded Nano-Agent.
If you prefer to fully maintain a separate NGINX docker, use the separate dockers deployment option.
As part of your CI, use the checkpoint/infinity-next-appsec-standalone registry to pull the unified NGINX and Nano-Agent image.
Make sure you obtain the <token> from the Enforcement Profile page, Authentication section. you will need it during agent deployment.
Run the agent with this command:
docker run -d --name=agent-container -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent -v=<path to persistent location for nginx server conf files>:/etc/nginx/conf.d/ -e https_proxy=<user:[email protected] address:port> -it <agent-image> /infinity-next-appsec-standalone --token <token>
–e https_proxy parameter is optional and used only in case the outbound traffic reaches the internet through a proxy server.Deploy the unified container.
To make sure that it is running, run:
docker ps.There are no steps 5 and 6 in this deployment option
Use this option to deploy if you prefer to maintain the reverse proxy function in a separate container to the Nano Agent. The Reverse proxy is deployed via a docker image that includes an NGINX server with the minimal attachment code required to work with a Nano-Agent docker.
As part of your CI, use the checkpoint/infinity-next-nano-agent registry to pull the Nano-Agent image.
Make sure you obtain the <token> from the Enforcement Profile page, Authentication section. you will need it during agent deployment.
Run the agent with this command:
docker run -d --name=agent-container --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent –e https_proxy=<user:[email protected] address:port> -it <agent-image> /cp-nano-agent --token <token>
–e https_proxy parameter is optional and used only in case the outbound traffic reaches the internet through a proxy server.Replace the NGINX container using the checkpoint/infinity-next-nginx registry to pull the following NGINX image for this deployment.
As part of creating your reverse proxy for this environment, make sure that the reverse proxy is deployed with the correct downstream and upstream routing.
Change your existing NGINX docker run command and add the
--ipc=host parameter.If you are installing NGINX for the first time and have no prior knowledge of deployment methods, an example of simple deployment instructions can be found in the official NGINX docker hub repository.
Deploy the two containers.
To make sure that it is running, run:
docker ps.To configure SSL certificates in NGINX follow these guides:
Following the steps above, the agent will install and connect automatically. CloudGuard AppSec web portal should display a successful connection message:
Last modified 10d ago