Introduction
SWAG (Secure Web Application Gateway) sets up an NGINX web server and reverse proxy with PHP support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.
open-appsec is an open-source Web Application & API Security solution, which provides automatic and preemptive security using machine learning. Deploying open-appsec on top of your SWAG-based web server/reverse proxy will help you to make sure that your web application is protected against zero-day and OWASP-TOP-10 attacks.
Zero-day attacks pose a significant threat to web applications, encompassing potential dangers that demand urgent attention. These attacks exploit vulnerabilities unknown to developers and security professionals, leaving organizations susceptible to malicious activities. The peril arises from the absence of available patches or security measures, granting attackers an advantage to infiltrate systems undetected. Zero-day attacks can compromise sensitive data, and user privacy, or even lead to financial loss and reputational damage.
As signatures for new attacks by design can only be created after new attacks have been published, a traditional WAF solution that relies solely on signatures will never protect preemptively against zero-day attacks. open-appsec does not rely on signatures, so that it can provide true preemptive zero-day protection with significant extra security on top of the fail2ban already included in the SWAG. open-appsec reduces the administrative effort as well as the number of false positives significantly while providing stronger protection even for unknown attacks.
Among many other platforms, open-appsec can be deployed also on Docker or similar containerized platforms integrating with NGINX on Docker, as well as SWAG, as this is also based on NGINX.
Note: open-appsec’s deployment on SWAG isn’t officially supported and maintained. However, in this blog, we will explain how to deploy open-appsec in SWAG in different options for self-compilation per OS and version.
This blog refers to SWAG version 2.5.0 and open-appsec agent version 1.2317-rc1.
Prerequisites:
To deploy open-appsec on SWAG container, please make sure that the application is set up correctly following SWAG’s instructions.
In addition, validate that you have a Linux machine with Docker software installed (or similar compatible Container runtime).
Steps to add open-appsec to SWAG Docker container:
1. Pull the open-appsec agent image or add/use it as part of the deployment CI’s container management system:
docker pull ghcr.io/openappsec/agent:latest
2. Run the open-appsec agent container with the next steps:
a. Create the following empty directories to be used later for volume mounts in the docker run command for the agent:
<path-to-persistent-location-for-agent-config>
<path-to-persistent-location-for-agent-data-files>
<path-to-persistent-location-for-agent-debugs-and-logs>
b. Run the following command:
docker run -d --name=agent-container \
--ipc=host \
-v=<path to persistent location for agent config>:/etc/cp/conf \
-v=<path to persistent location for agent data file >:/etc/cp/data \
-v=<path to persistent location for agent debugs and logs> \
:/var/log/nano_agent -e https_proxy=<user:password@Proxy address:port> \
-it \
ghcr.io/openappsec/agent:latest /cp-nano-agent --token <token>
Using “--token” and connecting to central management, will allow you to use cloud-hosted central management for assets and policies, cloud logging, graphical dashboards, events analysis, and the ability to manage multiple deployments/clusters in a scalable way. To get the token, follow this documentation.
Alternatively, For configuration using a local policy file for instructions, follow this documentation.
3. Follow the steps to compile the attachment code:
a. Before compiling, ensure that the latest development versions of the libraries are installed:
pcre-dev, libxml2-dev, zlib-dev, openssl-dev, geoip-dev, cmake, linux-headers, libxslt-dev, gd-dev, and perl-dev
b. Clone the attachment repository:
git clone https://github.com/openappsec/attachment.git
c. In lscr.io/linuxserver/swag:latest container run:
nginx -V &> /tmp/nginx.ver
d. Run Configuration script:
cd attachment
./attachments/nginx/ngx_module/nginx_version_configuration.sh --conf \ /tmp/nginx.ver build_out
e. Run CMake command:
cmake -DCMAKE_INSTALL_PREFIX=build_out
f. Run make command:
make install
4. After compiling, deploy the attachment on your SWAG container:
a. Copy the associated libraries to “/usr/lib” on your SWAG container.
The NGINX plugin uses the libraries below. They can be found under the lib directory in the CMake output:
shmem_ipc, compression_utils, nginx_attachment_util
b. Copy the NGINX attachment file “lib/libngx_module.so” to the following path on your SWAG container:
“/usr/lib/nginx/modules/”
c. Load the attachment on your SWAG container by adding the following command to the main nginx.conf file:
load_module /usr/lib/nginx/modules/libngx_module.so
d. Run the following command to test the NGINX configuration:
nginx -t
e. In the agent container (step 2) run the below command to get the agent status:
open-appsec-ctl --status
5. We recommend saving the enhanced SWAG image, which now contains the open-appsec attachment, as a new container image for later use:
docker commit [your-swag-container-name-or-ID] [your-registry-name]/swag-attachment:[your-tag]
6. If you’ve added the token in step 2.b and connected to central management:
a. In the open-appsec portal, navigate to the 'Agents' tab and make sure that the agent is connected.
b. Complete the connection by adding assets (steps are described here).
7. To see open-appsec in action:
a. Make sure the reverse proxy is set up (default for SWAG, see more details here).
b. Curl the following request (replace with your SWAG container IP and Port)
http://<IP>:<PORT>/?shell_cmd=cat/etc/passwd
c. If your policy is set to 'Prevent', this request will be blocked, otherwise, it will be detected.
d. You’ll find the request in the open-appsec portal under 'Monitoring' tab and under 'Logs' (the location of logs was defined in step 2.a).
For more details on the installation and configuration options, please follow our documentation.
To learn more about open-appsec, please visit our different hands-on labs, our deployment tutorials, and our White Paper.
Click here to find more details about SWAG.