NGINX
This document describes how Curiefense can be integrated into an existing NGINX-based reverse proxy.
This guide describes a basic integration, and it cannot cover the wide variety of possible use cases and configurations. For specific questions about this, or other Curiefense-related topics, feel free to join our Slack at https://join.slack.com/t/curiefense/shared_invite/zt-nc8lyrjo-JJoY2mwrqNOfkmoA6ycTHg.
Scope
This page describes the installation of the Curiefense filtering component for an environment where NGINX is running in a container.
The other components of Curiefense will need to be installed separately, according to the specific instructions for each situation (e.g., Docker and Istio). This can be done either before or after completing the instructions below.
Dependencies
If OpenResty is not installed yet, please follow the instructions on the OpenResty website.
You will also need the Hyperscan library, version 4 or 5. For example, on Ubuntu 20.04:
Curiefense installation
Next, build the Curiefense shared object. This needs to be done on a Linux system that runs the same major libc
and libhyperscan
versions as your NGINX server.
On the build machine, first install the Rust compiler.
Then run the following:
Move the new
curiefense.so
file on the build machine to this location on the proxy machine:/usr/local/openresty/luajit/lib/lua/5.1/curiefense.so
Configuration setup
OpenResty configuration
In the http block of the configuration, the following directives must be set:
For each server block that must be protected with Curiefense:
Testing the installation
The default configuration does not block any requests, so the following steps should be performed to ensure proper integration:
Traffic should be served as usual.
No errors appear in the error logs.
JSON data appears in the access logs.
Last updated