OpenShift installation
Last updated 2023-03-29
IMPORTANT
This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, you can only deploy the Next-Gen WAF with the Edge WAF deployment method.
The Next-Gen WAF agent can be deployed on the Red Hat OpenShift Container Platform.
Installation
Installing the Next-Gen WAF module and agent in an OpenShift container is similar to a typical Red Hat installation. However, the primary difference for an OpenShift container installation is all processes must run under a non root account. To meet this requirement, the only extra step is configuring the module and agent to use a socket file that the non root account has read/write access to.
Installing the agent
Follow the agent installation instructions for Red Hat.
Configuring the agent
There are three options for configuring the socket file location. Use the option that works best for your container build process. The examples below use a directory that a non root user would have access to. You can specify a different location, but ensure your non root user account has the read/write permissions to that location.
You can set the
SIGSCI_RPC_ADDRESSenvironment variable in your Dockerfile:ENV SIGSCI_RPC_ADDRESS unix:/tmp/sigsci.sockYou can export the
SIGSCI_RPC_ADDRESSenvironment variable in a script when your container starts:$ export SIGSCI_RPC_ADDRESS=unix:/tmp/sigsci.sockYou can set the
rpc-addressconfiguration option in your agent configuration file (by default at/etc/sigsci/agent.conf):rpc-address="unix:/tmp/sigsci.sock"
Additional agent configuration options are listed on the agent configuration page.
Installing and configuring the module
Install and configure your module following one of these sets of instructions.
Apache module install
Follow the Apache module installation instructions for Red Hat.
In your Apache configuration file (httpd.conf), add the AgentHost directive after the Next-Gen WAF module is called:
AgentHost "/tmp/sigsci.sock"NGINX module install
Follow the NGINX module installation instructions for Red Hat.
Update the sigsci.agenthost directive in the module's configuration file located at /opt/sigsci/nginx/sigsci.conf. You will need to remove -- to uncomment the line:
sigsci.agenthost = "unix:/tmp/sigsci.sock"Example Dockerfile
Below is an example section of a Dockerfile that installs the Next-Gen WAF agent and module (for Apache HTTPD Server) and configures them to use a socket file location accessible to a non root account.
12345678910111213141516171819202122232425262728...
# Add the package repositoryRUN echo "[sigsci_release]" > /etc/yum.repos.d/sigsci.repo && \ echo "name=sigsci_release" >> /etc/yum.repos.d/sigsci.repo && \ echo "baseurl=https://yum.signalsciences.net/release/el/7/\$basearch" >> /etc/yum.repos.d/sigsci.repo && \ echo "repo_gpgcheck=1" >> /etc/yum.repos.d/sigsci.repo && \ echo "gpgcheck=0" >> /etc/yum.repos.d/sigsci.repo && \ echo "enabled=1" >> /etc/yum.repos.d/sigsci.repo && \ echo "gpgkey=https://yum.signalsciences.net/release/gpgkey" >> /etc/yum.repos.d/sigsci.repo && \ echo "sslverify=1" >> /etc/yum.repos.d/sigsci.repo && \ echo "sslcacert=/etc/pki/tls/certs/ca-bundle.crt" >> /etc/yum.repos.d/sigsci.repo
# Install the Next-Gen WAF agentRUN yum -y install sigsci-agent
# Configure the Next-Gen WAF agentENV SIGSCI_RPC_ADDRESS=unix:/tmp/sigsci.sock
# Install the Next-Gen WAF moduleRUN yum install -y sigsci-module-apache
# Configure your web server with the Next-Gen WAF module# In this example, we enable the module with ApacheRUN echo "LoadModule signalsciences_module /etc/httpd/modules/mod_signalsciences.so" >> /etc/httpd/conf/httpd.conf && \ echo 'AgentHost "/tmp/sigsci.sock"' >> /etc/httpd/conf/httpd.conf
...Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
