Linux / NGINX / Kong



CloudGuard WAF can be deployed as an add-on for NGINX, thus providing protection to any applications and APIs served by NGINX Reverse Proxy.

In this scenario the admin has the flexibility to manage all aspects of NGINX on their own. For more details:

Additional reverse proxy or API servers support

Over time, CloudGuard adds support for additional reverse proxy servers and API servers that run similarly to the NGINX example depicted above. The basic installation command is the same for all of them, because the agent automatically recognizes the environment in which it is installed.

Installation of SSL certificates may differ between different servers.

Currently supported:

  • Kong

Proxy vs locally served applications

The CloudGuard WAF Nano Agent attaches itself to the traffic being proxied by the Proxy Server or API server.

If the server serves applications locally and does not act as a proxy between an exposed domain and an internal one, the Nano Agent can still inspect the traffic: change the port for the local applications to a higher port, then add a proxy rule from the exposed listening domain and port to that higher port on the same local machine.
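
The port change and proxy rule described above, as an added NGINX configuration example that is not taken from the CloudGuard documentation. The domain app.example.com, the port 8080 and the path /var/www/app are assumptions.

```nginx
# Constructed example: server name, ports and paths are assumptions.
# Both server blocks belong inside the http { } context of nginx.conf.

# Before: NGINX serves the application locally on the exposed port.
# Nothing is proxied, so the Nano Agent has no proxied traffic to attach to.
#
# server {
#     listen 80;
#     server_name app.example.com;
#     root /var/www/app;
# }

# After, part 1: the same local application moved to a higher port.
# Binding to 127.0.0.1 keeps the high port unreachable from other hosts,
# so clients cannot reach the application without passing the proxy rule.
server {
    listen 127.0.0.1:8080;
    server_name app.example.com;
    root /var/www/app;
}

# After, part 2: the exposed domain and port proxy to the local high port.
server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Preserve the original host and client address for the application.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run nginx -t before reloading to confirm that the edited configuration parses.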


  • An existing deployment of NGINX or Kong for Linux running over a variety of platforms.

  • Specific version numbers are updated under Support->Platforms


Step 1: Download the Installer to the Linux machine

Run the following commands from the Linux server shell:

sudo su

wget -O nanoegg

Step 2: Install the Agent

Run the following commands from the Linux server shell, from the same location as the previous step:

chmod +x nanoegg

./nanoegg --install --token <token>

Make sure you obtain the <token> from the Enforcement Profile page, Authentication section. You will need it during agent deployment.

The installer creates an initial registration with the CloudGuard WAF cloud and downloads the latest version of the agent installation.

It will also add to your nginx.conf the following line:

load_module /usr/lib/nginx/modules/;

Step 3: Configure SSL certificates (optional if the servers do not use HTTPS)

To configure SSL certificates in NGINX follow these guides:

To configure SSL certificates in Kong follow the guide in the following link.

Step 4: Verify installation

The agent installs and connects automatically, and a successful connection message should appear in the CloudGuard WAF web portal:

To check agent status after the installation from the Linux server shell, you can run:

cpnano -s
