Forum Discussion

Ajdin_Herić
Aug 10, 2023

NGINX Management Suite and NGINX Ingress controller with App protect

Hello everyone,

I am new to NGINX Plus and currently I have a trial license for NGINX Ingress Controller with NGINX App Protect and DoS, and also for NGINX Management Suite Instance Manager.

I have successfully installed both components, and now I am trying to connect Management Suite and NGINX ingress controller so I can manage WAF from Management Suite.

As I understand, I have to install NGINX Agent in the NGINX Ingress Controller container so it connects to Management Suite. So far, I haven't had any luck completing this.

Did anyone have a chance to configure this, and can you please send some instructions?

Thank you very much,

Ajdin

    • Ajdin_Herić

      Thank you for the response. I have seen this guide and this guide does not help me to install agent on NGINX Ingress Controller. My goal is to install agent on NGINX Ingress controller container on Kubernetes cluster. 

      Here is guide for installation in container environment:

      https://docs.nginx.com/nginx-management-suite/nginx-agent/nginx-agent-in-container/

      I managed to install it using the base image of the ingress controller, but I need to run it in unprivileged mode. Here is the Dockerfile I created for building an image with the agent installed on it:

      FROM nginx-plus-repository.bhtelecom.ba/nginx-ic-nap-dos/nginx-plus-ingress:3.2.0
      USER 0
      RUN apt-get update \
      && apt-get install -y curl \
      && apt-get install -y gpg \
      && curl --insecure https://172.30.20.70/install/nginx-agent | sh
      RUN sed -i '/user nginx;/d' /etc/nginx/nginx.conf \
      && sed -i 's,/var/lib/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
      && sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/ngi>
      && chown -R nginx:nginx /var/cache/nginx \
      && chmod -R go+rw /var/cache/nginx \
      && chown -R nginx:nginx /etc/nginx \
      && chmod -R go+rw /etc/nginx \
      && chown -R nginx:nginx /var/log/nginx \
      && chmod -R go+rw /var/log/nginx \
      && chown -R nginx:nginx /var/run/nginx-agent \
      && chmod -R go+w /var/run/nginx-agent \
      && ln -sf /dev/stdout /var/log/nginx-agent/agent.log
      RUN mkdir scripts
      COPY commands.sh /scripts/commands.sh
      RUN ["chmod", "+x", "/scripts/commands.sh"]
      ENTRYPOINT ["/scripts/commands.sh"]

      Here is commands.sh:

      #!/bin/bash
      nginx-agent &
      /nginx-ingress -nginx-plus -nginx-configmaps=$POD_NAMESPACE/nginx-plus-config --ingress-class=nginx-plus-ic -default-server-tls-secret=$POD_NAMESPACE/nginx-plus-default-server-cert -enable-cert-manager -enable-app-protect -enable-app-pr>

      NGINX Agent is not starting because of the nginx user with ID 101, and I get the following error:

      "Unable to load properties from config files (/etc/nginx-agent/nginx-agent.conf, /var/lib/nginx-agent/agent-dynamic.conf) - error loading config file /etc/nginx-agent/nginx-agent.conf: open /etc/nginx-agent/nginx-agent.conf: permission denied"

      It looks like chown command is not taking effect in Dockerfile.

      Did anyone have any experience installing agent on NGINX Ingress controller to manage AppProtect WAF from Management Suite Instance Manager?

      Thank you and kind regards,

      Ajdin

       

      • AubreyKingF5

        Looking to see if I can find someone internal.

        Also..

        "Unable to load properties from config files (/etc/nginx-agent/nginx-agent.conf, /var/lib/nginx-agent/agent-dynamic.conf) - error loading config file /etc/nginx-agent/nginx-agent.conf: open /etc/nginx-agent/nginx-agent.conf: permission denied"

        There was nowhere that you set permissions for /etc/nginx-agent, etc., in the error. Did you add nginx-agent to a group that has access? Are you sure dir perms are right for the nginx-agent user to read?
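
The permission check asked about in the reply above, as an added example that is not part of the original thread: a shell helper that walks a path and reports the first directory or file whose mode bits deny a given UID/GID. The function names `has_bit` and `first_blocker` are hypothetical, GNU `stat` is assumed, and only owner/group/other mode bits are evaluated (no ACLs, supplementary groups or capabilities).

```shell
#!/bin/sh
# Added example (not from the thread). Mode-bit check only: ignores ACLs,
# supplementary groups and capabilities. Assumes GNU stat (Debian-based image).

# has_bit PATH UID GID BIT -> 0 if UID/GID holds BIT (4=read, 1=search) on PATH
has_bit() {
    hb_meta=$(stat -L -c '%u %g %a' "$1") || return 2   # 2 = cannot stat
    hb_uid=$2 hb_gid=$3 hb_bit=$4
    set -- $hb_meta                  # $1=owner uid, $2=group gid, $3=octal mode
    [ "$hb_uid" -eq 0 ] && return 0  # root bypasses read/search checks
    hb_mode=$(( $3 % 1000 ))         # drop the setuid/setgid/sticky digit
    if   [ "$hb_uid" -eq "$1" ]; then hb_digit=$(( hb_mode / 100 ))
    elif [ "$hb_gid" -eq "$2" ]; then hb_digit=$(( hb_mode / 10 % 10 ))
    else                              hb_digit=$(( hb_mode % 10 ))
    fi
    [ $(( hb_digit & hb_bit )) -ne 0 ]
}

# first_blocker FILE UID GID -> prints the first path component that denies
# access (or is missing) and returns 1; returns 0 with no output if opening
# FILE for reading would succeed.
first_blocker() {
    fb_target=$1 fb_uid=$2 fb_gid=$3 fb_cur="" fb_ifs=$IFS
    # Split the absolute path on "/" into positional parameters.
    IFS=/; set -f; set -- ${fb_target#/}; set +f; IFS=$fb_ifs
    if ! has_bit / "$fb_uid" "$fb_gid" 1; then echo /; return 1; fi
    for fb_part in "$@"; do
        fb_cur="$fb_cur/$fb_part"
        # Directories on the way need search (x); the file itself needs read (r).
        if [ "$fb_cur" = "$fb_target" ]; then fb_need=4; else fb_need=1; fi
        if ! has_bit "$fb_cur" "$fb_uid" "$fb_gid" "$fb_need"; then
            echo "$fb_cur"; return 1
        fi
    done
    return 0
}

# Usage inside the image, for example as a build step (path and UID 101 are
# from the thread; GID 101 is an assumption):
#   first_blocker /etc/nginx-agent/nginx-agent.conf 101 101
if [ "$#" -eq 3 ]; then first_blocker "$@"; fi
```

Run against each file named in the error message, this distinguishes a directory that lacks the search bit for the nginx user from a config file that lacks the read bit.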