NGINX
This document describes how Curiefense can be integrated into an existing NGINX-based reverse proxy.
This guide describes a basic integration, and it cannot cover the wide variety of possible use cases and configurations.
For specific questions about this, or other Curiefense-related topics, feel free to join our Slack at https://join.slack.com/t/curiefense/shared_invite/zt-nc8lyrjo-JJoY2mwrqNOfkmoA6ycTHg.
This page describes the installation of the Curiefense filtering component for an environment where NGINX is running in a container.
sudo apt install libhyperscan5
cd /tmp
git clone https://github.com/curiefense/curiefense
cp -r /tmp/curiefense/curiefense/curieproxy/lua /
cp /tmp/curiefense/curiefense/curieproxy/lua/shared-objects/grasshopper.so /usr/local/openresty/luajit/lib/lua/5.1/
Next, build the Curiefense shared object. This needs to be done on a Linux system that runs the same major
libc
and libhyperscan
versions as your NGINX server. - Then run the following:cd /tmp/curiefense/curiefense/curieproxy/rustcargo build --releasemv target/release/libcuriefense_lua.so target/release/curiefense.so
- Move the new
curiefense.so
file on the build machine to this location on the proxy machine:/usr/local/openresty/luajit/lib/lua/5.1/curiefense.so
mkdir -p /config/current
cp -r /tmp/curiefense/curiefense/images/confserver/bootstrap/confdb-initial-data/master/config/ /config/current/
In the http block of the configuration, the following directives must be set:
# set the package path for the Curiefense logic
lua_package_path '/lua/?.lua;;';
# access log is now completely handled by Curiefense, stored in the $request_map variable
log_format curiefenselog escape=none '$request_map';
# Curiefense specific variables.
# Make sure request_map exists
map $status $request_map { default '-'; }
For each server block that must be protected with Curiefense:
server {
# original configuration directives
(...)
# Logging: choose one option.
# -- If curielogger is used:
access_log syslog:server=unix:/dev/log curiefenselog;
# -- If curielogger is not used:
access_log logs/access.log curiefenselog;
location / {
# add these in each location block:
access_by_lua_block {
local session = require "lua.session_nginx"
session.inspect(ngx)
}
log_by_lua_block {
local session = require "lua.session_nginx"
session.log(ngx)
}
# original location directives
(...)
}
}
The default configuration does not block any requests, so the following steps should be performed to ensure proper integration:
- Traffic should be served as usual.
- No errors appear in the error logs.
- JSON data appears in the access logs.
Last modified 1yr ago