Curiefense
Curiefense
Overview
Installation
Getting Started with Curiefense
Deployment in Depth
Docker Compose
Istio via Helm
NGINX
Settings
Policies & Rules
Search
Databases
Publish Changes
API
Analytics
Kibana
Grafana
GIT
Version Control
Reference
Services and Container Images
The Challenge Process
Multi-Stage Traffic Filtering
Tags
Release Notes
Powered by GitBook

NGINX

This document describes how Curiefense can be integrated into an existing NGINX-based reverse proxy.

This guide describes a basic integration, and it cannot cover the wide variety of possible use cases and configurations. For specific questions about this, or other Curiefense-related topics, feel free to join our Slack at https://join.slack.com/t/curiefense/shared_invite/zt-nc8lyrjo-JJoY2mwrqNOfkmoA6ycTHg.

Scope

This page describes the installation of the Curiefense filtering component for an environment where NGINX is running in a container.

The other components of Curiefense will need to be installed separately, according to the specific instructions for each situation (e.g., Docker and Istio). This can be done either before or after completing the instructions below.

Dependencies

If OpenResty is not installed yet, please follow the instructions on the OpenResty website.

You will also need the Hyperscan library, version 4 or 5. For example, on Ubuntu 20.04:

sudo apt install libhyperscan5

Curiefense installation

cd /tmp
git clone https://github.com/curiefense/curiefense
cp -r /tmp/curiefense/curiefense/curieproxy/lua /
cp /tmp/curiefense/curiefense/curieproxy/lua/shared-objects/grasshopper.so /usr/local/openresty/luajit/lib/lua/5.1/

Next, build the Curiefense shared object. This needs to be done on a Linux system that runs the same major libc and libhyperscan versions as your NGINX server.

  • On the build machine, first install the Rust compiler.

  • Then run the following:

    cd /tmp/curiefense/curiefense/curieproxy/rust
    cargo build --release
    mv target/release/libcuriefense_lua.so target/release/curiefense.so

  • Move the new curiefense.so file on the build machine to this location on the proxy machine: /usr/local/openresty/luajit/lib/lua/5.1/curiefense.so

Configuration setup

mkdir -p /config/current
cp -r /tmp/curiefense/curiefense/images/confserver/bootstrap/confdb-initial-data/master/config/ /config/current/

OpenResty configuration

In the http block of the configuration, the following directives must be set:

# set the package path for the Curiefense logic
lua_package_path '/lua/?.lua;;';
​
# access log is now completely handled by Curiefense, stored in the $request_map variable
log_format curiefenselog escape=none '$request_map';
​
# Curiefense specific variables.
# Make sure request_map exists
map $status $request_map { default '-'; }

For each server block that must be protected with Curiefense:

server {
    # original configuration directives
    (...)
​
    
    # Logging: choose one option.
 
    # -- If curielogger is used:
    access_log syslog:server=unix:/dev/log curiefenselog;
    
    # -- If curielogger is not used:
    access_log logs/access.log curiefenselog;
​
​
    location / {
        # add these in each location block:
        access_by_lua_block {
            local session = require "lua.session_nginx"
            session.inspect(ngx)
        }
        log_by_lua_block {
            local session = require "lua.session_nginx"
            session.log(ngx)
        }
​
        # original location directives
        (...)
    }
}

Testing the installation

The default configuration does not block any requests, so the following steps should be performed to ensure proper integration:

  • Traffic should be served as usual.

  • No errors appear in the error logs.

  • JSON data appears in the access logs.

Previous
Istio via Helm
Next - Settings
Policies & Rules
Last updated 1 month ago
Contents
Scope
Dependencies
Curiefense installation
Configuration setup
OpenResty configuration
Testing the installation