# Dual Docker: NGINX / Kong / Envoy + Security Agent

In this option you will deploy two docker images:

* NGINX/Kong/Envoy - managed locally by you
* CloudGuard WAF Agent - centrally managed via WebUI or API

The benefit of this mode is that you can upgrade each container separately.

{% tabs %}
{% tab title="NGINX" %}

#### Step 1: Pull agent container image

As part of your CI, use the [checkpoint/infinity-next-nano-agent](https://hub.docker.com/r/checkpoint/infinity-next-nano-agent) registry to pull the Nano-Agent image.

#### Step 2: Obtain the registration token

{% hint style="info" %}
Make sure you obtain the \<token> from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. You will need it during agent deployment.

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FodEuUgaIWcxkuTtYrJ2n%2Fappsec-profiles-authentication-token.PNG?alt=media\&token=aaa5d4ad-7a5b-4986-9378-7ec39b22aadd)
{% endhint %}

#### Step 3: Run the agent

Run the agent with this command:

```
docker run -d --name=agent-container --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent -e https_proxy=<user:password@Proxy address:port> -it <agent-image> /cp-nano-agent --token <token>
```

{% hint style="info" %}
The `-e https_proxy` parameter is optional and is needed only when outbound traffic reaches the internet through a proxy server.
{% endhint %}

#### Step 4: Replace the NGINX container with the Check Point NGINX container

Replace the NGINX container using the following registry to pull the image for this deployment: [checkpoint/infinity-next-nginx](https://hub.docker.com/r/checkpoint/infinity-next-nginx)

{% hint style="warning" %}
As part of creating your reverse proxy for this environment, make sure that the reverse proxy is deployed with the correct downstream and upstream routing.
{% endhint %}

#### Step 5: Modify the run command

Change your existing NGINX/Kong docker run command and add the `--ipc=host` parameter.

{% hint style="info" %}
If you are installing a reverse proxy for the first time and have no prior knowledge of deployment methods, an example of simple deployment instructions using NGINX can be found in [the official NGINX docker hub repository](https://hub.docker.com/_/nginx).
{% endhint %}

#### Step 6: Deploy the two containers

Deploy the two containers.

To make sure that both containers are running, run: `docker ps`.

#### Step 7: Configure SSL certificates (optional if the servers do not use HTTPS)

To configure SSL certificates in **NGINX**, follow these guides:

* [NGINX](https://nginx.org/en/docs/http/configuring_https_servers.html)
* [NGINX PLUS](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/)

#### Step 8: Verify installation

Following the steps above, the agent will install and connect automatically. The CloudGuard WAF web portal should display a successful connection message:

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FzrhFNuIBv6uIUGnQsqIw%2Fappsec-agents-agent-connected-banner-notification.PNG?alt=media&#x26;token=47ad548e-bf80-4619-9ebf-c93fb736257f" alt=""><figcaption></figcaption></figure>
{% endtab %}

{% tab title="Kong" %}

#### Step 1: Pull agent container image

As part of your CI, use the [checkpoint/infinity-next-nano-agent](https://hub.docker.com/r/checkpoint/infinity-next-nano-agent) registry to pull the Nano-Agent image.

#### Step 2: Obtain the registration token

{% hint style="info" %}
Make sure you obtain the \<token> from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. You will need it during agent deployment.

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FodEuUgaIWcxkuTtYrJ2n%2Fappsec-profiles-authentication-token.PNG?alt=media\&token=aaa5d4ad-7a5b-4986-9378-7ec39b22aadd)
{% endhint %}

#### Step 3: Run the agent

Run the agent with this command:

```
docker run -d --name=agent-container --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent -e https_proxy=<user:password@Proxy address:port> -it <agent-image> /cp-nano-agent --token <token>
```

{% hint style="info" %}
The `-e https_proxy` parameter is optional and is needed only when outbound traffic reaches the internet through a proxy server.
{% endhint %}

#### Step 4: Replace the Kong container with the Check Point Kong container

Replace the Kong container using one of the following registries to pull the image for this deployment:

* [Pre-packaged Kong with Nano Agent Attachment](https://hub.docker.com/r/checkpoint/infinity-next-kong-plugin)
* [Pre-packaged Kong Gateway with Nano Agent Attachment](https://hub.docker.com/r/checkpoint/infinity-next-kong-gateway-plugin)

{% hint style="warning" %}
As part of creating your reverse proxy for this environment, make sure that the reverse proxy is deployed with the correct downstream and upstream routing.
{% endhint %}

#### Step 5: Modify the run command

Change your existing NGINX/Kong docker run command and add the `--ipc=host` parameter.

{% hint style="info" %}
If you are installing a reverse proxy for the first time and have no prior knowledge of deployment methods, an example of simple deployment instructions using NGINX can be found in [the official NGINX docker hub repository](https://hub.docker.com/_/nginx).
{% endhint %}

#### Step 6: Deploy the two containers

Deploy the two containers.

To make sure that both containers are running, run: `docker ps`.

#### Step 7: Configure SSL certificates (optional if the servers do not use HTTPS)

To configure SSL certificates in **Kong**, follow [this guide](https://docs.konghq.com/gateway/latest/how-kong-works/routing-traffic/#configuring-tls-for-a-route).

#### Step 8: Verify installation

Following the steps above, the agent will install and connect automatically. The CloudGuard WAF web portal should display a successful connection message:

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FzrhFNuIBv6uIUGnQsqIw%2Fappsec-agents-agent-connected-banner-notification.PNG?alt=media&#x26;token=47ad548e-bf80-4619-9ebf-c93fb736257f" alt=""><figcaption></figcaption></figure>
{% endtab %}

{% tab title="Envoy" %}

#### Step 1: Pull agent container image

As part of your CI, use the [checkpoint/infinity-next-nano-agent](https://hub.docker.com/r/checkpoint/infinity-next-nano-agent) registry to pull the Nano-Agent image.

#### Step 2: Obtain the registration token

{% hint style="info" %}
Make sure you obtain the \<token> from the [Enforcement **Profile**](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page, **Authentication** section. You will need it during agent deployment.

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FodEuUgaIWcxkuTtYrJ2n%2Fappsec-profiles-authentication-token.PNG?alt=media\&token=aaa5d4ad-7a5b-4986-9378-7ec39b22aadd)
{% endhint %}

#### Step 3: Run the agent

Run the agent with this command:

```
docker run -d --name=agent-container --ipc=host -v=<path to persistent location for agent config>:/etc/cp/conf -v=<path to persistent location for agent data files>:/etc/cp/data -v=<path to persistent location for agent debugs and logs>:/var/log/nano_agent -e https_proxy=<user:password@Proxy address:port> -it <agent-image> /cp-nano-agent --token <token>
```

{% hint style="info" %}
The `-e https_proxy` parameter is optional and is needed only when outbound traffic reaches the internet through a proxy server.
{% endhint %}

#### Step 4: Replace the Envoy container with the Check Point Envoy container

Replace the Envoy container using the following registry to pull the image for this deployment: [checkpoint/cloudguard-waf-envoy](https://hub.docker.com/r/checkpoint/cloudguard-waf-envoy)

{% hint style="warning" %}
As part of creating your reverse proxy for this environment, make sure that the reverse proxy is deployed with the correct downstream and upstream routing.
{% endhint %}

#### Step 5: Load the CloudGuard WAF attachment in the proxy configuration

{% hint style="warning" %}
When installing Envoy on Docker: \
An `envoy.yaml` configuration file is not included in the Envoy container, so make sure to add the configuration described in this step to that file yourself.
{% endhint %}

In the Envoy configuration file, which is typically called `envoy.yaml`, make sure that the CloudGuard WAF attachment is loaded as a filter for HTTP traffic.

The CloudGuard WAF attachment is usually located here: `/usr/lib/libenvoy_attachment.so`

#### Step 6: Deploy the two containers

Deploy the two containers.

To make sure that both containers are running, run: `docker ps`.

#### Step 7: Configure SSL certificates (optional if the servers do not use HTTPS)

To configure SSL certificates in **Envoy**, follow [this guide](https://www.envoyproxy.io/docs/envoy/latest/operations/certificates).

#### Step 8: Verify installation

Following the steps above, the agent will install and connect automatically. The CloudGuard WAF web portal should display a successful connection message:

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FzrhFNuIBv6uIUGnQsqIw%2Fappsec-agents-agent-connected-banner-notification.PNG?alt=media&#x26;token=47ad548e-bf80-4619-9ebf-c93fb736257f" alt=""><figcaption></figcaption></figure>
{% endtab %}
{% endtabs %}
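
As a check after Step 6 in any of the tabs above, the following added example (not Check Point's code) audits the JSON printed by `docker inspect` for the two containers: both must run with `--ipc=host`, and the agent's three paths must be on persistent mounts. The proxy container name `nginx`, the `container` helper and the sample data are assumptions constructed for illustration; the last two checks reflect that anything passed on the `docker run` command line or with `-e` is readable by anyone who can query the Docker API.

```python
import json

# Container-side paths that the agent run command on this page mounts persistently.
AGENT_MOUNTS = ("/etc/cp/conf", "/etc/cp/data", "/var/log/nano_agent")

def audit(inspect_json, agent="agent-container", proxy="nginx"):
    """Return findings for the JSON output of `docker inspect <agent> <proxy>`."""
    by_name = {c["Name"].lstrip("/"): c for c in json.loads(inspect_json)}
    findings = []
    for name in (agent, proxy):
        c = by_name.get(name)
        if c is None:
            findings.append(f"{name}: container not found")
            continue
        if not c.get("State", {}).get("Running", False):
            findings.append(f"{name}: not running")
        mode = c.get("HostConfig", {}).get("IpcMode", "")
        if mode != "host":  # Step 3 / Step 5: both containers need --ipc=host
            findings.append(f"{name}: IpcMode is {mode!r}, expected 'host'")
    a = by_name.get(agent)
    if a is not None:
        mounted = {m.get("Destination") for m in a.get("Mounts", [])}
        for path in AGENT_MOUNTS:
            if path not in mounted:
                findings.append(f"{agent}: {path} is not on a persistent mount")
        argv = list(a.get("Args") or []) + list(a.get("Config", {}).get("Cmd") or [])
        if "--token" in argv:
            findings.append(f"{agent}: registration token is readable via docker inspect")
        for env in a.get("Config", {}).get("Env") or []:
            key, _, value = env.partition("=")
            if key.lower() == "https_proxy" and "@" in value:
                findings.append(f"{agent}: proxy credentials are readable via docker inspect")
    return findings

# Constructed sample: only the fields audit() reads, not real inspect output.
def container(name, ipc, mounts=(), args=(), env=()):
    return {"Name": "/" + name, "State": {"Running": True}, "Args": list(args),
            "HostConfig": {"IpcMode": ipc}, "Config": {"Env": list(env)},
            "Mounts": [{"Destination": d} for d in mounts]}

SAMPLE = json.dumps([
    container("agent-container", "host", AGENT_MOUNTS, ["--token", "EXAMPLE-TOKEN"],
              ["https_proxy=user:pass@proxy.example:3128"]),
    container("nginx", "private"),  # Step 5 forgotten: no --ipc=host on the proxy
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live host, pass the output of `docker inspect agent-container <proxy container name>` to `audit()` instead of `SAMPLE`.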
