From 74b760078f7b7de3eb86552376ac760fe3470906 Mon Sep 17 00:00:00 2001 From: Ekaterina Goverdovskaya Date: Wed, 17 Dec 2025 22:34:05 +0200 Subject: [PATCH 1/3] DOCS-3469 Added info about SSL/TLS certificates --- docs/6.x/admin-en/ssl-certificates.md | 1 + .../installation/cloud-platforms/aws/ami.md | 1 + .../inline/compute-instances/aws/aws-ami.md | 2 +- .../compute-instances/gcp/machine-image.md | 1 + .../compute-instances/linux/all-in-one.md | 1 + docs/6.x/installation/nginx/all-in-one.md | 1 + docs/6.x/installation/packages/aws-ami.md | 2 +- .../packages/gcp-machine-image.md | 1 + docs/latest/admin-en/ssl-certificates.md | 65 +++++++++++++++++++ .../sending-traffic-to-node-inline.md | 7 +- mkdocs-6.x.yml | 1 + 11 files changed, 80 insertions(+), 3 deletions(-) create mode 100644 docs/6.x/admin-en/ssl-certificates.md create mode 100644 docs/latest/admin-en/ssl-certificates.md diff --git a/docs/6.x/admin-en/ssl-certificates.md b/docs/6.x/admin-en/ssl-certificates.md new file mode 100644 index 0000000000..a1279fd9cf --- /dev/null +++ b/docs/6.x/admin-en/ssl-certificates.md @@ -0,0 +1 @@ +--8<-- "latest/admin-en/ssl-certificates.md" diff --git a/docs/6.x/installation/cloud-platforms/aws/ami.md b/docs/6.x/installation/cloud-platforms/aws/ami.md index 47b5a76d75..662a185eca 100644 --- a/docs/6.x/installation/cloud-platforms/aws/ami.md +++ b/docs/6.x/installation/cloud-platforms/aws/ami.md @@ -36,5 +36,6 @@ [nginx-native-node]: ../../../installation/nginx-native-node-internals.md [wallarm-logs]: ../../../admin-en/configure-logging.md [log-level]: ../../../installation/native-node/all-in-one-conf.md#loglevel +[ssl-certificates]: ../../../admin-en/ssl-certificates.md --8<-- "latest/installation/inline/compute-instances/aws/aws-ami.md" \ No newline at end of file diff --git a/docs/6.x/installation/inline/compute-instances/aws/aws-ami.md b/docs/6.x/installation/inline/compute-instances/aws/aws-ami.md index 3a4ddeb892..f159e6bcdd 100644 
--- a/docs/6.x/installation/inline/compute-instances/aws/aws-ami.md +++ b/docs/6.x/installation/inline/compute-instances/aws/aws-ami.md @@ -43,6 +43,6 @@ search: [wallarm-logs]: ../../../../admin-en/configure-logging.md [log-level]: ../../../../installation/native-node/all-in-one-conf.md#loglevel [link-wallarm-health-check]: ../../../../admin-en/uat-checklist-en.md - +[ssl-certificates]: ../../../../admin-en/ssl-certificates.md --8<-- "latest/installation/inline/compute-instances/aws/aws-ami.md" \ No newline at end of file diff --git a/docs/6.x/installation/inline/compute-instances/gcp/machine-image.md b/docs/6.x/installation/inline/compute-instances/gcp/machine-image.md index ccbdeac29a..7acc00dac3 100644 --- a/docs/6.x/installation/inline/compute-instances/gcp/machine-image.md +++ b/docs/6.x/installation/inline/compute-instances/gcp/machine-image.md @@ -30,5 +30,6 @@ search: [ip-lists-docs]: ../../../../user-guides/ip-lists/overview.md [api-spec-enforcement-docs]: ../../../../api-specification-enforcement/overview.md [inline-docs]: ../../overview.md +[ssl-certificates]: ../../../../admin-en/ssl-certificates.md --8<-- "latest/installation/inline/compute-instances/gcp/machine-image.md" \ No newline at end of file diff --git a/docs/6.x/installation/inline/compute-instances/linux/all-in-one.md b/docs/6.x/installation/inline/compute-instances/linux/all-in-one.md index 530981ca86..dec9731e4c 100644 --- a/docs/6.x/installation/inline/compute-instances/linux/all-in-one.md +++ b/docs/6.x/installation/inline/compute-instances/linux/all-in-one.md @@ -44,5 +44,6 @@ search: [vuln-detection-docs]: ../../../../about-wallarm/detecting-vulnerabilities.md [masking-sensitive-data-rule]: ../../../../user-guides/rules/sensitive-data-rule.md [link-wallarm-health-check]: ../../../../admin-en/uat-checklist-en.md +[ssl-certificates]: ../../../../admin-en/ssl-certificates.md --8<-- "latest/installation/inline/compute-instances/linux/all-in-one.md" 
diff --git a/docs/6.x/installation/nginx/all-in-one.md b/docs/6.x/installation/nginx/all-in-one.md index bdef39f1c6..f9ba02d95d 100644 --- a/docs/6.x/installation/nginx/all-in-one.md +++ b/docs/6.x/installation/nginx/all-in-one.md @@ -41,5 +41,6 @@ [vuln-detection-docs]: ../../about-wallarm/detecting-vulnerabilities.md [masking-sensitive-data-rule]: ../../user-guides/rules/sensitive-data-rule.md [link-wallarm-health-check]: ../../admin-en/uat-checklist-en.md +[ssl-certificates]: ../../admin-en/ssl-certificates.md --8<-- "latest/installation/inline/compute-instances/linux/all-in-one.md" diff --git a/docs/6.x/installation/packages/aws-ami.md b/docs/6.x/installation/packages/aws-ami.md index c25a69e35e..ab79c41847 100644 --- a/docs/6.x/installation/packages/aws-ami.md +++ b/docs/6.x/installation/packages/aws-ami.md @@ -41,6 +41,6 @@ search: [nginx-native-node]: ../../installation/nginx-native-node-internals.md [wallarm-logs]: ../../admin-en/configure-logging.md [log-level]: ../../installation/native-node/all-in-one-conf.md#loglevel - +[ssl-certificates]: ../../admin-en/ssl-certificates.md --8<-- "latest/installation/inline/compute-instances/aws/aws-ami.md" \ No newline at end of file diff --git a/docs/6.x/installation/packages/gcp-machine-image.md b/docs/6.x/installation/packages/gcp-machine-image.md index 5699ccb221..9940c3bd96 100644 --- a/docs/6.x/installation/packages/gcp-machine-image.md +++ b/docs/6.x/installation/packages/gcp-machine-image.md @@ -31,5 +31,6 @@ search: [api-spec-enforcement-docs]: ../../api-specification-enforcement/overview.md [inline-docs]: ../inline/overview.md [link-wallarm-health-check]: ../../admin-en/uat-checklist-en.md +[ssl-certificates]: ../../admin-en/ssl-certificates.md --8<-- "latest/installation/inline/compute-instances/gcp/machine-image.md" \ No newline at end of file diff --git a/docs/latest/admin-en/ssl-certificates.md b/docs/latest/admin-en/ssl-certificates.md new file mode 100644 index 0000000000..d1fed158ef --- /dev/null 
+++ b/docs/latest/admin-en/ssl-certificates.md 
@@ -0,0 +1,65 @@ +[nginx-sidecar]: ../installation/kubernetes/sidecar-proxy/deployment.md +[ssl-termination]: ../installation/kubernetes/sidecar-proxy/customization.md#ssltls-termination +[nginx-aio]: ../installation/inline/compute-instances/linux/all-in-one.md +[nginx-docker]: ../admin-en/installation-docker-en.md + + +# SSL/TLS Certificate Management + +This article explains what certificates are required, how to manage certificates, how Wallarm nodes handle HTTPS traffic, and where and how to terminate SSL/TLS. + +## Certificate requirements + +* Supported format: PEM for both certificate and private key files. +* Key types and sizes: Any key size supported by OpenSSL/NGINX, including 2048-bit, 4096-bit, and ECDSA keys. +* Cipher suites: Defined and managed through standard NGINX/OpenSSL configuration. + +## Certificate issuance and management + +Wallarm does not issue, manage, or automatically renew certificates. All certificates must be provided and managed by clients. + +You need to: + +1. Issue a certificate from a trusted Certificate Authority (CA). +1. Deploy the certificate to Wallarm nodes. +1. Renew the certificate before it expires. + +To automate these actions, you can use external tools, e.g., [Certbot](https://certbot.eff.org/), [HashiCorp Vault](https://developer.hashicorp.com/vault), [Kubernetes cert-manager](https://cert-manager.io/), [Ansible playbooks](https://docs.ansible.com/projects/ansible/devel/playbook_guide/playbooks_intro.html), or others. + +## SSL/TLS termination + +SSL/TLS certificates protect network communications between: + +* Wallarm nodes and the Wallarm Cloud +* Wallarm administrators (workstations) and the Wallarm Cloud Console UI and API + +By securing these channels, SSL/TLS certificates allow Wallarm to safely decrypt and analyze HTTPS traffic to detect and block threats. + +SSL/TLS termination is the process of decrypting encrypted HTTPS traffic at a network endpoint. 
+ +Wallarm needs to have decrypted HTTPS traffic to inspect HTTP data (URL, headers, body), detect threats, and block malicious requests. + +The configuration and location of SSL/TLS termination depend on your Wallarm [deployment type](../installation/nginx-native-node-internals.md). + +### SSL/TLS termination in the NGINX Node + +* [Sidecar][nginx-sidecar] + + By default, the Wallarm Sidecar solution does not handle SSL/TLS termination. It expects an upstream component (e.g., Ingress or Application Gateway) to handle HTTPS while the Sidecar solution receives plain, decrypted HTTP. + + However, if your infrastructure cannot terminate SSL/TLS upstream, you can [enable SSL/TLS termination directly in the Wallarm Sidecar][ssl-termination]. + +* [All-in-one installer][nginx-aio], [Docker image][nginx-docker], and cloud images: + + The NGINX Node handles SSL/TLS termination. In this case, the node acts as an HTTPS endpoint and must be configured with an SSL/TLS certificate and private key. To set up SSL/TLS termination, edit the [NGINX configuration ](https://nginx.org/en/docs/http/configuring_https_servers.html): + + * [`ssl_certificate`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate) - specifies the PEM-format certificate file, including the full certificate chain. + * [`ssl_certificate_key`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key) - specifies the PEM-format private key file. + +### SSL/TLS termination in the Native Node + +The Native Node **does not handle SSL/TLS termination** and never acts as an inline traffic endpoint. It always analyzes a copy of traffic, not the original client connection. + +HTTPS traffic must be decrypted before a copy is sent to the Native Node. SSL/TLS termination is performed by an upstream or adjacent component, e.g., a load balancer, reverse proxy, application delivery controller (ADC), ingress controller, a connector. 
+ +The terminating component decrypts HTTPS traffic and sends a decrypted traffic copy to the Native Node for analysis. For configuration details, refer to the documentation of the chosen component. diff --git a/include/waf/installation/sending-traffic-to-node-inline.md b/include/waf/installation/sending-traffic-to-node-inline.md index dcae91d742..8f0713ad87 100644 --- a/include/waf/installation/sending-traffic-to-node-inline.md +++ b/include/waf/installation/sending-traffic-to-node-inline.md @@ -1 +1,6 @@ -Update targets of your load balancer to send traffic to the Wallarm instance. For details, please refer to the documentation on your load balancer. \ No newline at end of file +1. If you have secured the communications between the Wallarm node and the Wallarm Cloud with an SSL/TLS certificate, edit the [NGINX configuration ](https://nginx.org/en/docs/http/configuring_https_servers.html) to set up [SSL/TLS termination][ssl-certificates]: + + * [`ssl_certificate`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate) - specifies the PEM-format certificate file, including the full certificate chain. + * [`ssl_certificate_key`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key) - specifies the PEM-format private key file. + +1. Update targets of your load balancer to send traffic to the Wallarm instance. For details, refer to the documentation on your load balancer. \ No newline at end of file diff --git a/mkdocs-6.x.yml b/mkdocs-6.x.yml index 56e5b78dbb..34a08b6202 100644 --- a/mkdocs-6.x.yml +++ b/mkdocs-6.x.yml 
@@ -343,6 +343,7 @@ nav: - Installing Wallarm Packages from the Local JFrog Artifactory Repository for CentOS: admin-en/integration-guides/repo-mirroring/centos/how-to-use-mirrored-repo.md - Wallarm Node and Cloud Synchronization: admin-en/configure-cloud-node-synchronization-en.md - Access to Wallarm API via Proxy: admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md + - SSL/TLS Certificates: admin-en/ssl-certificates.md - Enabling JA3 fingerprinting: admin-en/enabling-ja3.md - Self-Hosted Node Upgrade: - What is New in Wallarm Node 6.x and 0.14.x: updating-migrating/what-is-new.md From 6d1015095ada2ac8764e8d2bacc9fba3f9f94ee2 Mon Sep 17 00:00:00 2001 From: Ekaterina Goverdovskaya Date: Mon, 12 Jan 2026 13:05:55 +0200 Subject: [PATCH 2/3] DOCS-2204 SSL/TLS termination v2 --- docs/latest/admin-en/ssl-certificates.md | 91 ++++++++++++++++-------- 1 file changed, 60 insertions(+), 31 deletions(-) diff --git a/docs/latest/admin-en/ssl-certificates.md b/docs/latest/admin-en/ssl-certificates.md index d1fed158ef..ff6ccc3a70 100644 --- a/docs/latest/admin-en/ssl-certificates.md +++ b/docs/latest/admin-en/ssl-certificates.md 
@@ -4,59 +4,88 @@ [nginx-docker]: ../admin-en/installation-docker-en.md -# SSL/TLS Certificate Management +# SSL/TLS Termination and Certificate Management -This article explains what certificates are required, how to manage certificates, how Wallarm nodes handle HTTPS traffic, and where and how to terminate SSL/TLS. +This article explains how and where SSL/TLS termination is performed in Wallarm nodes, including certificate requirements and management. -## Certificate requirements +## SSL/TLS termination -* Supported format: PEM for both certificate and private key files. -* Key types and sizes: Any key size supported by OpenSSL/NGINX, including 2048-bit, 4096-bit, and ECDSA keys. -* Cipher suites: Defined and managed through standard NGINX/OpenSSL configuration. +SSL/TLS termination is the process of decrypting HTTPS traffic at a network component (e.g., a proxy or gateway). Wallarm requires decrypted HTTPS traffic to inspect HTTP data (URLs, headers, and request bodies), detect threats, and block malicious requests. -## Certificate issuance and management - -Wallarm does not issue, manage, or automatically renew certificates. All certificates must be provided and managed by clients. - -You need to: +The configuration and location of SSL/TLS termination depend on your Wallarm [deployment type](../installation/nginx-native-node-internals.md). -1. Issue a certificate from a trusted Certificate Authority (CA). -1. Deploy the certificate to Wallarm nodes. -1. Renew the certificate before it expires. +## SSL/TLS termination in the NGINX Node -To automate these actions, you can use external tools, e.g., [Certbot](https://certbot.eff.org/), [HashiCorp Vault](https://developer.hashicorp.com/vault), [Kubernetes cert-manager](https://cert-manager.io/), [Ansible playbooks](https://docs.ansible.com/projects/ansible/devel/playbook_guide/playbooks_intro.html), or others. 
+* [Sidecar][nginx-sidecar] -## SSL/TLS termination + By default, Wallarm Sidecar does not handle SSL/TLS termination. It expects an upstream component (e.g., Ingress or Application Gateway) to handle HTTPS, while Wallarm Sidecar receives decrypted HTTP traffic. -SSL/TLS certificates protect network communications between: + However, if your infrastructure cannot terminate SSL/TLS upstream, you can [enable SSL/TLS termination directly in Wallarm Sidecar][ssl-termination]. -* Wallarm nodes and the Wallarm Cloud -* Wallarm administrators (workstations) and the Wallarm Cloud Console UI and API +* [All-in-one installer][nginx-aio], [Docker image][nginx-docker], and cloud images: -By securing these channels, SSL/TLS certificates allow Wallarm to safely decrypt and analyze HTTPS traffic to detect and block threats. + The NGINX Node handles SSL/TLS termination. To configure it, you must issue an SSL/TLS certificate for the protected resource, upload the certificate and private key to the NGINX Node, and edit the [NGINX configuration](https://nginx.org/en/docs/http/configuring_https_servers.html). -SSL/TLS termination is the process of decrypting encrypted HTTPS traffic at a network endpoint. + To learn more about certificate management when SSL/TLS termination is handled by the NGINX Node, see the section below. -Wallarm needs to have decrypted HTTPS traffic to inspect HTTP data (URL, headers, body), detect threats, and block malicious requests. +### Certificate issuance and management -The configuration and location of SSL/TLS termination depend on your Wallarm [deployment type](../installation/nginx-native-node-internals.md). +Wallarm does not issue, manage, or automatically renew certificates. All certificates must be provided and managed by clients. -### SSL/TLS termination in the NGINX Node +You need to: -* [Sidecar][nginx-sidecar] +1. Issue a certificate from a trusted Certificate Authority (CA). 
- By default, the Wallarm Sidecar solution does not handle SSL/TLS termination. It expects an upstream component (e.g., Ingress or Application Gateway) to handle HTTPS while the Sidecar solution receives plain, decrypted HTTP. + The certificate must meet the following requirements: - However, if your infrastructure cannot terminate SSL/TLS upstream, you can [enable SSL/TLS termination directly in the Wallarm Sidecar][ssl-termination]. + * Supported format: PEM for both certificate and private key files. + * Key types and sizes: Any key size supported by OpenSSL/NGINX, including 2048-bit, 4096-bit, and ECDSA keys. + * Cipher suites: Defined and managed through standard NGINX/OpenSSL configuration. -* [All-in-one installer][nginx-aio], [Docker image][nginx-docker], and cloud images: - - The NGINX Node handles SSL/TLS termination. In this case, the node acts as an HTTPS endpoint and must be configured with an SSL/TLS certificate and private key. To set up SSL/TLS termination, edit the [NGINX configuration ](https://nginx.org/en/docs/http/configuring_https_servers.html): +1. Upload the certificate file and private key to the Wallarm node. +1. Edit the [NGINX configuration](https://nginx.org/en/docs/http/configuring_https_servers.html): * [`ssl_certificate`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate) - specifies the PEM-format certificate file, including the full certificate chain. * [`ssl_certificate_key`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key) - specifies the PEM-format private key file. -### SSL/TLS termination in the Native Node + ??? 
info "Show sample NGINX configuration" + + ``` + server { + listen 80; + server_name test.com; + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + server_name test.com; + + ssl_certificate /etc/ssl/certs/example_public.crt; + ssl_certificate_key /etc/ssl/key/private_example.key; + + set_real_ip_from 11.11.11.11; # Replace with the IP address of the proxy in front of NGINX + real_ip_header X-Forwarded-For; + real_ip_recursive on; + + wallarm_mode monitoring; + wallarm_application 100; + + location / { + proxy_pass https://10.100.100.30; # Replace with the IP address of the origin server + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + } + ``` + +1. Monitor the certificate's validity and renew it before expiration. + +To automate these actions, you can use external tools, e.g., [Certbot](https://certbot.eff.org/), [HashiCorp Vault](https://developer.hashicorp.com/vault), [Kubernetes cert-manager](https://cert-manager.io/), [Ansible playbooks](https://docs.ansible.com/projects/ansible/devel/playbook_guide/playbooks_intro.html), or others. + +## SSL/TLS termination in the Native Node The Native Node **does not handle SSL/TLS termination** and never acts as an inline traffic endpoint. It always analyzes a copy of traffic, not the original client connection. From a7f81f8ca4d987ab72e3a404e043f2f0466ea03d Mon Sep 17 00:00:00 2001 From: Ekaterina Goverdovskaya Date: Thu, 19 Feb 2026 09:21:12 +0200 Subject: [PATCH 3/3] DOCS-2204 SSL termination updates --- docs/latest/admin-en/ssl-certificates.md | 50 +++++++++++-------- .../sending-traffic-to-node-inline.md | 2 +- 2 files changed, 29 insertions(+), 23 deletions(-) diff --git a/docs/latest/admin-en/ssl-certificates.md b/docs/latest/admin-en/ssl-certificates.md index ff6ccc3a70..acbfe5761c 100644 --- a/docs/latest/admin-en/ssl-certificates.md 
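Review bot: In the sample `location /` block, `X-Forwarded-For` is set twice, first from `$remote_addr` and then from `$proxy_add_x_forwarded_for`. As far as I know nginx does not merge repeated `proxy_set_header` directives, so the origin would most likely receive two `X-Forwarded-For` headers and could take the client address from either one. Keep a single line, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, and if the bare client address is also wanted, send it under a separate name such as `proxy_set_header X-Real-IP $remote_addr;`. The same block proxies to `https://10.100.100.30` without upstream certificate verification, which nginx leaves off by default. The sample would be safer with `proxy_ssl_verify on;` plus a `proxy_ssl_trusted_certificate` entry, or at least a comment saying the origin certificate is not checked.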
+++ b/docs/latest/admin-en/ssl-certificates.md 
@@ -2,39 +2,47 @@ [ssl-termination]: ../installation/kubernetes/sidecar-proxy/customization.md#ssltls-termination [nginx-aio]: ../installation/inline/compute-instances/linux/all-in-one.md [nginx-docker]: ../admin-en/installation-docker-en.md +[nginx-node]: ../installation/nginx-native-node-internals.md#nginx-node +[native-node]: ../installation/nginx-native-node-internals.md#native-node +[security-edge]: ../installation/security-edge/overview.md +[aws-ami]: ../installation/inline/compute-instances/aws/aws-ami.md +[gcp]: ../installation/inline/compute-instances/gcp/machine-image.md -# SSL/TLS Termination and Certificate Management +# TLS Termination and Certificate Management (Self-Hosted Nodes) -This article explains how and where SSL/TLS termination is performed in Wallarm nodes, including certificate requirements and management. +This article describes how TLS termination and certificate management work in self-hosted Wallarm nodes (including NGINX and Native Nodes), and how HTTPS traffic is processed for analysis. -## SSL/TLS termination +Wallarm analyzes HTTP traffic only after TLS decryption. TLS termination can occur on an upstream component or on the Wallarm Node, which determines HTTPS traffic flow and whether certificates must be managed on the Wallarm side. -SSL/TLS termination is the process of decrypting HTTPS traffic at a network component (e.g., a proxy or gateway). Wallarm requires decrypted HTTPS traffic to inspect HTTP data (URLs, headers, and request bodies), detect threats, and block malicious requests. +## HTTPS traffic flow and TLS termination -The configuration and location of SSL/TLS termination depend on your Wallarm [deployment type](../installation/nginx-native-node-internals.md). +HTTPS traffic is encrypted and cannot be inspected in its encrypted form. To analyze requests, the traffic must be decrypted at the point of TLS termination. 
-## SSL/TLS termination in the NGINX Node +In Wallarm deployments, TLS termination can be performed either by an upstream component (e.g., a load balancer or Ingress Controller) or by a Wallarm Node. -* [Sidecar][nginx-sidecar] +* If TLS is terminated upstream, Wallarm receives already decrypted traffic and does not require certificates. +* If a Wallarm NGINX Node terminates TLS, certificates must be issued, configured, and maintained on the Wallarm side. - By default, Wallarm Sidecar does not handle SSL/TLS termination. It expects an upstream component (e.g., Ingress or Application Gateway) to handle HTTPS, while Wallarm Sidecar receives decrypted HTTP traffic. +## TLS termination in the NGINX Node - However, if your infrastructure cannot terminate SSL/TLS upstream, you can [enable SSL/TLS termination directly in Wallarm Sidecar][ssl-termination]. +The way TLS termination is handled in the NGINX Node depends on the deployment artifact (Sidecar, all-in-one installer, Docker image, or AWS/GCP cloud image). You can see each case described below. -* [All-in-one installer][nginx-aio], [Docker image][nginx-docker], and cloud images: +### Sidecar - The NGINX Node handles SSL/TLS termination. To configure it, you must issue an SSL/TLS certificate for the protected resource, upload the certificate and private key to the NGINX Node, and edit the [NGINX configuration](https://nginx.org/en/docs/http/configuring_https_servers.html). +By default, [Wallarm Sidecar][nginx-sidecar] does not terminate TLS. It expects an upstream component (e.g., Ingress or Application Gateway) to handle HTTPS, while the Sidecar receives decrypted HTTP traffic. - To learn more about certificate management when SSL/TLS termination is handled by the NGINX Node, see the section below. +In this case, the Wallarm Node doesn't need certificates because TLS is terminated upstream. 
However, if your infrastructure cannot terminate TLS upstream, you can [enable TLS termination directly in Wallarm Sidecar][ssl-termination]. -### Certificate issuance and management +### [All-in-one installer][nginx-aio], [Docker image][nginx-docker], and [AWS][aws-ami]/[GCP][gcp] cloud images -Wallarm does not issue, manage, or automatically renew certificates. All certificates must be provided and managed by clients. +The NGINX Node handles TLS termination. To configure it, you must issue an TLS certificate for the protected resource, upload the certificate and private key to the NGINX Node, and edit the [NGINX configuration](https://nginx.org/en/docs/http/configuring_https_servers.html). + +Because the NGINX Node terminates TLS directly, certificate provisioning and lifecycle management are the clients' responsibility. Wallarm does not issue, manage, or automatically renew certificates. You need to: -1. Issue a certificate from a trusted Certificate Authority (CA). +1. Issue a certificate from a trusted Certificate Authority (CA) for a Wallarm Node instance. The certificate must meet the following requirements: 
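Review bot: The bullet "If TLS is terminated upstream, Wallarm receives already decrypted traffic and does not require certificates" and the matching Sidecar paragraph do not mention that the hop between the terminating component and the Wallarm Node then carries plaintext HTTP. I would add one sentence after the bullet list, e.g. `When TLS is terminated upstream, keep the segment between the terminating component and the Wallarm Node on a trusted network, because requests travel there unencrypted.` Separately, "issue an TLS certificate" in the all-in-one section should read "a TLS certificate".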
@@ -42,8 +50,8 @@ You need to: * Key types and sizes: Any key size supported by OpenSSL/NGINX, including 2048-bit, 4096-bit, and ECDSA keys. * Cipher suites: Defined and managed through standard NGINX/OpenSSL configuration. -1. Upload the certificate file and private key to the Wallarm node. -1. Edit the [NGINX configuration](https://nginx.org/en/docs/http/configuring_https_servers.html): +1. Upload the certificate file and private key to the host or container running the Wallarm NGINX Node. +1. Edit the [NGINX configuration](https://nginx.org/en/docs/http/configuring_https_servers.html) of the Wallarm Node: * [`ssl_certificate`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate) - specifies the PEM-format certificate file, including the full certificate chain. * [`ssl_certificate_key`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key) - specifies the PEM-format private key file. 
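Review bot: The reworded step "Upload the certificate file and private key to the host or container running the Wallarm NGINX Node" gives no guidance on protecting the key once it is in place. I would extend the step with something like `Restrict read access to the private key file to the account that starts NGINX; for containers, mount the key at runtime instead of building it into the image.` The numbered list this hunk edits starts and ends outside the hunk.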
@@ -85,10 +93,8 @@ You need to: To automate these actions, you can use external tools, e.g., [Certbot](https://certbot.eff.org/), [HashiCorp Vault](https://developer.hashicorp.com/vault), [Kubernetes cert-manager](https://cert-manager.io/), [Ansible playbooks](https://docs.ansible.com/projects/ansible/devel/playbook_guide/playbooks_intro.html), or others. -## SSL/TLS termination in the Native Node - -The Native Node **does not handle SSL/TLS termination** and never acts as an inline traffic endpoint. It always analyzes a copy of traffic, not the original client connection. +## TLS termination in the Native Node -HTTPS traffic must be decrypted before a copy is sent to the Native Node. SSL/TLS termination is performed by an upstream or adjacent component, e.g., a load balancer, reverse proxy, application delivery controller (ADC), ingress controller, a connector. +The Native Node **does not handle TLS termination** and never acts as an inline traffic endpoint. It analyzes a copy of traffic, not the original client connection. -The terminating component decrypts HTTPS traffic and sends a decrypted traffic copy to the Native Node for analysis. For configuration details, refer to the documentation of the chosen component. +HTTPS traffic must be decrypted by an upstream or adjacent component (e.g., load balancer, reverse proxy, ADC, Ingress Controller, or connector), which then sends a decrypted copy to the Native Node for analysis. Refer to the component's documentation for configuration details. \ No newline at end of file diff --git a/include/waf/installation/sending-traffic-to-node-inline.md b/include/waf/installation/sending-traffic-to-node-inline.md index 8f0713ad87..d3e763a9f5 100644 --- a/include/waf/installation/sending-traffic-to-node-inline.md +++ b/include/waf/installation/sending-traffic-to-node-inline.md 
@@ -1,4 +1,4 @@ -1. If you have secured the communications between the Wallarm node and the Wallarm Cloud with an SSL/TLS certificate, edit the [NGINX configuration ](https://nginx.org/en/docs/http/configuring_https_servers.html) to set up [SSL/TLS termination][ssl-certificates]: +1. If you have secured communications between clients and the Wallarm Node with an SSL/TLS certificate, edit the [NGINX configuration ](https://nginx.org/en/docs/http/configuring_https_servers.html) to set up [TLS termination][ssl-certificates]: * [`ssl_certificate`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate) - specifies the PEM-format certificate file, including the full certificate chain. * [`ssl_certificate_key`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key) - specifies the PEM-format private key file.