Upgrade your Reverse Proxy when a Linux/NGINX agent is installed

One of the possible deployments for CloudGuard WAF is a Linux agent installed on top of a supported Reverse Proxy.

If you wish to upgrade the Reverse Proxy while the agent is installed, follow the steps described in this documentation page.

NGINX

Step 1: Delete the agent module's load_module line

  • Locate your NGINX modules folder path by running nginx -V and looking for the value of the "--modules-path" parameter. It is usually /usr/share/nginx/modules or /usr/lib/nginx/modules.

  • Using command-line access to the machine that runs the NGINX server and the agent, edit the following file: /etc/nginx/nginx.conf

  • Delete the following line (look for the path located previously): load_module /<modules folder path>/ngx_cp_attachment_module.so;

Step 2: Comment out the agent module's configuration lines

  • Edit all files in the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/*

    • Comment out (add '#' at the beginning of the line) every line, if any exist, that begins with: cp-nano-nginx-attachment

  • If you manually added additional lines in other server configuration files, comment them out as well.

Step 3: Run a test command

Run the command 'nginx -t'. The output should include "test is successful".

Step 4: Upgrade the NGINX software version

Run the commands you intended to run in order to upgrade the NGINX software version.

Step 5: Stop and start the agent, while triggering deployment of a new attachment

Run the following commands:

    cpnano -q
    rm -rf /etc/cp/packages
    rm /etc/cp/conf/manifest.json
    cpnano -r

Step 6: Verify the agent has restarted

After one minute, verify that the agent has restarted successfully using the following command: cpnano -s

"Last update status" should state "Succeeded" and "Last update" should show a time within the last few minutes.

Step 7: Undo the changes done in step 2

Remove the comment character ('#') from all the lines it was added to in step 2 (in the paths /etc/nginx/conf.d/* or /etc/nginx/sites_enabled/*).

Step 8: NGINX reload

Run the following commands:

    nginx -s reload
    systemctl restart nginx
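
The file edits in steps 1, 2 and 7 can be scripted so they are repeatable and reversible. The following is an added example, not Check Point code: the function names and the '#cp-upgrade#' tag are assumptions, and the tag lets step 7 uncomment only the lines that step 2 changed, leaving any line that was already a comment untouched.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and MARK are assumptions.
MARK='#cp-upgrade# '   # tag so step 7 restores only lines step 2 changed

# Apply a sed expression to a file, keeping its inode and permissions.
edit_file() {   # $1 = sed expression, $2 = file
    sed "$1" "$2" > "$2.tmp.$$" && cat "$2.tmp.$$" > "$2" && rm -f "$2.tmp.$$"
}

# Step 1: back up nginx.conf, then delete the agent's load_module line.
remove_load_module() {   # $1 = path to nginx.conf
    cp -p "$1" "$1.pre-upgrade" &&
    edit_file '/^[[:space:]]*load_module[[:space:]].*ngx_cp_attachment_module\.so/d' "$1"
}

# Step 2: comment out lines that begin with cp-nano-nginx-attachment
# (leading indentation inside server blocks is preserved).
comment_out_agent() {   # $@ = config files
    for f in "$@"; do
        [ -f "$f" ] || continue
        edit_file "s/^\([[:space:]]*\)\(cp-nano-nginx-attachment\)/\1${MARK}\2/" "$f"
    done
}

# Step 7: remove the tag again; lines that were already comments stay comments.
restore_agent() {   # $@ = config files
    for f in "$@"; do
        [ -f "$f" ] || continue
        edit_file "s/^\([[:space:]]*\)${MARK}\(cp-nano-nginx-attachment\)/\1\2/" "$f"
    done
}

# Count active (uncommented) agent lines; expect 0 before running 'nginx -t'.
active_agent_lines() {   # $@ = config files
    cat "$@" 2>/dev/null | grep -c '^[[:space:]]*cp-nano-nginx-attachment' || true
}
```

Source the file as root and pass the real paths, for example remove_load_module /etc/nginx/nginx.conf followed by comment_out_agent /etc/nginx/conf.d/*, then run restore_agent on the same files at step 7.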
