Adding the NGINX Plus with App Protect Instance to NGINX Management Suite

Since this lab utilizes NMS, we’re going to install the NGINX Agent and add the instance to the NGINX Management Suite for centralized management and analytics.

Warning

If you’re installing the NGINX Agent in your environment, a few steps are required before starting the installation process. See https://docs.nginx.com/nginx-management-suite/nginx-agent/install-nginx-agent/ for more information. In this lab, these have been checked for you.

  1. Connect to the NGINX Plus 2 instance via SSH, if not already connected.
  2. The NGINX Agent will be pulled from the NGINX Management Suite server and installed (the -k option makes curl skip TLS certificate verification):
curl -k https://nginx-mgmt-suite.agility.lab/install/nginx-agent | sudo sh

Result

../../../_images/nginx_agent_install_result.png
  3. Configure the NGINX Agent

Now you’ll need to configure NGINX Agent to perform additional tasks for NGINX App Protect.

Load the file into a file editor:

sudo nano /etc/nginx-agent/nginx-agent.conf

Add the following configuration block to the end of the file:

Caution

When you paste the block below, extra line breaks may be included. Remove those extra blank lines to avoid errors.

# Enable reporting NGINX App Protect details to the control plane.
nginx_app_protect:
  # Report interval for NGINX App Protect details - the frequency the NGINX Agent checks NGINX App Protect for changes.
  report_interval: 15s
  # Enable precompiled publication from the NGINX Management Suite (true) or perform compilation on the data plane host (false).
  precompiled_publication: true
# NGINX App Protect Monitoring config
nap_monitoring:
  # Buffer size for collector. Will contain log lines and parsed log lines
  collector_buffer_size: 50000
  # Buffer size for processor. Will contain log lines and parsed log lines
  processor_buffer_size: 50000
  # Syslog server IP address the collector will be listening to
  syslog_ip: "127.0.0.1"
  # Syslog server port the collector will be listening to
  syslog_port: 514

Prior to saving, your screen should look the same as below:

../../../_images/nginx_agent_conf_edits.png

Press CTRL + X to save the file, followed by Y when asked to save the buffer, then Enter when asked for the filename.

In this example, we’ve configured NGINX Agent to:

  • check NGINX App Protect for changes every 15 seconds
  • allow precompiled policies, meaning that NMS compiles the policy before sending it to the NGINX Plus/NAP instance
  • enable large buffers for NGINX App Protect Monitoring
  • run a syslog daemon that forwards logs to NMS Security Monitoring
  4. Start the NGINX Agent and set it to start at boot:
sudo systemctl enable --now nginx-agent
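
A pre-start check for the block appended in step 3, given here as an added example (not part of the lab or of NGINX's tooling). The function name check_agent_conf is hypothetical, and the rule that syslog_ip should stay on loopback is an assumption taken from the lab's own value:

```shell
#!/bin/sh
# Added example: sanity-check the block appended to nginx-agent.conf.
# Prints one line per problem; returns 0 when the file passes, 1 otherwise.
check_agent_conf() {
    conf="$1"
    rc=0
    # Pasting the block a second time leaves duplicate top-level keys.
    for key in nginx_app_protect nap_monitoring; do
        n=$(grep -c "^${key}:" "$conf" || true)
        [ "$n" -eq 1 ] || { echo "${key}: found ${n} times at column 0, expected 1"; rc=1; }
    done
    # Child settings must be indented under their parent key.
    for key in report_interval precompiled_publication syslog_ip syslog_port; do
        grep -Eq "^[[:space:]]+${key}:" "$conf" || { echo "${key}: missing or not indented"; rc=1; }
    done
    # Assumption: the collector's syslog listener should stay on loopback,
    # as in the lab, so only the local App Protect instance can write to it.
    ip=$(sed -n 's/^[[:space:]]*syslog_ip:[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    case "$ip" in
        127.*|::1) ;;
        *) echo "syslog_ip: '${ip}' is not a loopback address"; rc=1 ;;
    esac
    return "$rc"
}

# Usage: sh check_agent_conf.sh /etc/nginx-agent/nginx-agent.conf
if [ "$#" -gt 0 ]; then
    check_agent_conf "$1"
fi
```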

Create the Metrics service on NGINX

The NGINX Agent is now configured and started. We’ll need a few more configuration pieces to finish the installation.

  1. Switch to Firefox, if already open, or open Firefox by selecting Applications > Favorites > Firefox from the top menu bar.
../../../_images/firefox_launch.png
  2. Click the NMS bookmark or navigate to https://nginx-mgmt-suite.agility.lab/ui/.
../../../_images/launch_nms.png
  3. Log in using the lab / Agility2023! credentials.
../../../_images/login1.png
  4. Click on the Instance Manager tile to launch NIM.
../../../_images/nim_tile.png
  5. You should now see a second instance in the list. Click Refresh in the toolbar if you do not see the new instance.
../../../_images/nms_refresh_result.png
  6. Click the nginx-plus-2.agility.lab instance in the list.
../../../_images/nginx_plus_2_detail.png
  7. Click the Edit Config button.
../../../_images/edit_button.png
  8. Click the Add File button in the navigation pane.

Note

If you do not see the Add File button on the toolbar, click the expand button.

../../../_images/add_file_button.png
  9. Provide the filename /etc/nginx/conf.d/metrics.conf. Click Create.
../../../_images/filename_prompt.png
  10. Paste the following configuration into the editor:
server {
    listen 8080;

    location /api/ {
        api write=on;
        allow 127.0.0.1;
        deny all;
    }
}

Result

../../../_images/file_contents.png
  11. Click the Publish button.
../../../_images/publish_button.png
  12. Click Publish when presented with the confirmation prompt.
../../../_images/publish_confirm.png
  13. You will see the Published notification shortly after.
../../../_images/published_notification.png
  14. Return to the SSH terminal on the NGINX Plus 2 instance. Reload NGINX:
sudo nginx -s reload
  15. Restart the NGINX Agent

To restart the NGINX Agent on systemd systems, run the following command:

sudo systemctl restart nginx-agent
  16. Verifying NGINX Agent is Running and Registered

Run the following command on your data plane to verify that the NGINX Agent process is running:

ps aux | grep nginx-agent

You should see output that looks similar to the following example:

../../../_images/nginx_agent_ps_aux_result.png
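
The metrics.conf published above uses listen 8080; with no address, so NGINX binds the port on every interface and the allow/deny pair is what keeps the writable API local. The following added check (not part of the lab) classifies how a TCP port is bound from `ss -H -ltn` output; the function name bind_scope and the sample lines are constructed for illustration:

```shell
#!/bin/sh
# Added example: classify how a TCP port is bound, from `ss -H -ltn` output
# on stdin. Prints none, loopback, other or all-interfaces (widest bind wins).
bind_scope() {
    awk -v port="$1" '
        {
            n = split($4, part, ":")            # $4 is Local Address:Port
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr ~ /^(127\.|\[::1\])/)                r = 1
            else if (addr ~ /^(0\.0\.0\.0|\*|\[::\])$/)   r = 3
            else                                          r = 2
            if (r > widest) widest = r
        }
        END {
            split("none loopback other all-interfaces", name, " ")
            print name[widest + 1]
        }'
}

# Constructed sample (not captured from the lab host): what `listen 8080;`
# looks like next to a loopback-only listener on an arbitrary port.
SAMPLE='LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 128 [::1]:9090 [::]:*'

printf '%s\n' "$SAMPLE" | bind_scope 8080   # all-interfaces
printf '%s\n' "$SAMPLE" | bind_scope 9090   # loopback
```

On the NGINX Plus 2 instance, run `ss -H -ltn | bind_scope 8080`; a server block using `listen 127.0.0.1:8080;` reports loopback instead.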

This section of the lab is complete.