Web Application Firewall (WAF) supports protection clusters for Hybrid Cloud WAF. The clusters use your on-premises servers as WAF protection nodes. Before you can deploy a protection cluster for Hybrid Cloud WAF, you must install the WAF agent (vagent) on your on-premises servers that you want to use as protection nodes. This topic describes how to install and start vagent on your on-premises servers.
Background information
vagent is a client application of WAF. You must install vagent on your on-premises servers that serve as protection nodes in protection clusters for Hybrid Cloud WAF.
vagent delivers the following capabilities:
Communicates with Alibaba Cloud WAF, reports the running status of WAF protection nodes, and downloads the latest WAF protection rules. These capabilities ensure service stability.
Adds or removes protection node configuration on your on-premises servers based on your cluster configuration, and monitors the service running status. These capabilities ensure stable and effective protection.
After you install and start vagent on your on-premises servers, the AliYunDunWaf process appears in the system processes of the servers. This indicates that vagent is working and can communicate with Alibaba Cloud WAF. Then, you can configure a cluster and add the servers to the cluster as on-premises protection nodes. For more information, see Deploy a protection cluster for Hybrid Cloud WAF.
Installation environment requirements
vagent can be installed only on Linux servers by running the rpm command. The following table describes the operating system versions supported by vagent.
If vagent does not support your operating system version, contact WAF technical support.
Operating system | Supported version |
Linux |
|
Procedure
Log on to your on-premises server.
Contact WAF technical support in the required DingTalk group to obtain the latest version of vagent and download vagent to your on-premises server.
Install vagent.
Run the following command to install vagent on your on-premises server:
Before you run the command, replace xxxxxxx.xxxxx with the version number of vagent that you downloaded.
sudo rpm -ivh t-yundun-vagent-xxxxxxx.xxxxx.rpm
After the installation is complete, run the following command to view the version of vagent. Make sure that the latest version of vagent is installed.
rpm -qa|grep vagent
Modify the configuration file of vagent.
After you install vagent, you must modify the vagent configuration file based on the access mode of Hybrid Cloud WAF to enable communication between vagent and Alibaba Cloud WAF. To modify the vagent configuration file, perform the following steps:
Run the following command to open the vagent configuration file:
sudo vi /home/admin/vagent/conf/vagent.toml
Press i to enter the insert mode, and modify or add the following information:
domain="wafopenapi.cn-hangzhou.aliyuncs.com" # The endpoint of Hybrid Cloud WAF. For more information, see the "Valid values of the domain parameter" section of this topic.
access_key_id=************* # The AccessKey ID of your Alibaba Cloud account.
access_key_secret=*********** # The AccessKey secret of your Alibaba Cloud account.
Valid values of the domain parameter
WAF region | Access mode of Hybrid Cloud WAF | Value of the domain parameter |
Chinese mainland | Internet: If you select this option, the WAF console allows access from the hybrid cloud cluster only over the Internet. | wafopenapi.cn-hangzhou.aliyuncs.com |
Chinese mainland | Internal Network: If you select this option, the WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit. You can select this option only if you deployed Express Connect. Note: Only virtual private clouds (VPCs) that reside in the following regions are supported: China (Hangzhou), China (Shanghai), and China (Beijing). If your VPC resides in a different region in the Chinese mainland, contact your business manager or architect. | wafopenapi.vpc-proxy.aliyuncs.com |
Outside the Chinese mainland | Internet: If you select this option, the WAF console allows access from the hybrid cloud cluster only over the Internet. | wafopenapi.ap-southeast-1.aliyuncs.com |
Outside the Chinese mainland | Internal Network: If you select this option, the WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit. You can select this option only if you deployed Express Connect. Note: If your VPC resides in a region outside the Chinese mainland, contact your business manager or architect. | wafopenapi-intl.vpc-proxy.aliyuncs.com |
Press the Esc key to exit the insert mode.
Enter :wq and press the Enter key to save the configuration file and exit.
Start vagent.
Run the following command to start vagent:
sudo systemctl start vagent
Run the following command to configure automatic startup for vagent:
sudo systemctl enable vagent
If the configuration is successful, the system displays the following information:
Created symlink from /etc/systemd/system/multi-user.target.wants/vagent.service to /usr/lib/systemd/system/vagent.service.
Other related commands:
Stop vagent.
sudo systemctl stop vagent
View the status of vagent.
sudo systemctl status vagent
If vagent fails to start, you can use one of the following methods to query the logs of vagent for troubleshooting:
Use the systemd tool. Run the following command:
sudo journalctl -u vagent
Use the vagent log file. Run the following command:
tail /home/admin/vagent/logs/vagent.log
Verify that vagent is installed.
In a Linux operating system, run the following command to check whether vagent is installed:
ps aux | grep AliYunDunWaf
If an AliYunDunWaf process, other than the grep command itself, appears in the command output, vagent is installed on the on-premises server and is running.
If no AliYunDunWaf process appears in the command output, check whether you correctly performed the installation steps, and then re-install and start vagent. If vagent still fails to be installed, contact WAF technical support.
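The following script is an added example, not part of the vendor documentation or the vagent package. It checks the file edited in the "Modify the configuration file of vagent" step: domain must be one of the four endpoints in the table, and both AccessKey fields must be filled in. The function names are hypothetical, and the file-mode check is an added assumption rather than a documented requirement.

```shell
# Added example: sanity-check vagent.toml before starting vagent.

# Print the last value assigned to key $1 in file $2 (quotes and comments stripped).
conf_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# Return 0 if the file passes every check, 1 on findings, 2 if unreadable.
check_vagent_conf() {
  conf=$1
  rc=0
  [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

  # The four endpoints listed under "Valid values of the domain parameter".
  domain=$(conf_get domain "$conf")
  case "$domain" in
    wafopenapi.cn-hangzhou.aliyuncs.com|wafopenapi.vpc-proxy.aliyuncs.com) ;;
    wafopenapi.ap-southeast-1.aliyuncs.com|wafopenapi-intl.vpc-proxy.aliyuncs.com) ;;
    *) echo "domain '$domain' is not a documented endpoint"; rc=1 ;;
  esac

  # Both credentials must be set and must not be the masked '****' placeholder.
  for key in access_key_id access_key_secret; do
    val=$(conf_get "$key" "$conf")
    case "$val" in
      ''|*'*'*) echo "$key is empty or still a placeholder"; rc=1 ;;
    esac
  done

  # Assumption (not a documented requirement): since the file holds an
  # AccessKey secret, group and other should have no permissions on it.
  perms=$(ls -ld -- "$conf" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "mode grants group/other access ($perms)"; rc=1; }

  return "$rc"
}

# Constructed sample: a well-formed config with dummy credentials, mode 600.
vagent_conf_demo() {
  tmp=$(mktemp) || return 2
  printf '%s\n' 'domain="wafopenapi.cn-hangzhou.aliyuncs.com"' \
    'access_key_id="EXAMPLE_ID"' 'access_key_secret="EXAMPLE_SECRET"' > "$tmp"
  chmod 600 "$tmp"
  check_vagent_conf "$tmp"; status=$?
  rm -f "$tmp"
  return "$status"
}

vagent_conf_demo && echo "constructed sample config passes"
```

On a protection node, run check_vagent_conf /home/admin/vagent/conf/vagent.toml with sufficient privileges to read the file before you start vagent.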
What to do next
After you install vagent on your on-premises servers, you can add your on-premises servers to a protection cluster for Hybrid Cloud WAF as protection nodes. For more information, see Deploy a protection cluster for Hybrid Cloud WAF.