The PerimeterX NGINX plugin can be installed on NGINX+ up to version R15.
There is currently a known bug in R16 which crashes NGINX when calling init_worker_by_lua_block
(required by the PerimeterX plugin). Until this bug is fixed, PerimeterX will not support installations using R16.
- Install the NGINX+ Lua module according to the version of NGINX+ installed (the example shows R15):
sudo yum install -y nginx-plus-module-lua-r15
- Make sure Nettle is removed:
sudo yum -y remove nettle
- Install the development tools:
sudo yum groupinstall -y "Development Tools"
- Compile and install Nettle from source:
mkdir -p /tmp
cd /tmp/
wget https://ftp.gnu.org/gnu/nettle/nettle-3.3.tar.gz
tar -xzf nettle-3.3.tar.gz
cd nettle-3.3
./configure
make
sudo make install
- Install Luarocks and the PerimeterX Lua plugin dependencies:
sudo yum install -y luarocks lua-devel
sudo luarocks install lua-cjson
sudo luarocks install lustache
sudo luarocks install lua-resty-nettle
sudo luarocks install luasocket
sudo luarocks install lua-resty-http
- Install the PerimeterX Module:
sudo luarocks install perimeterx-nginx-plugin
- Add the module loading declarations at the top of the nginx.conf file:
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_lua_module.so;
- Add the lua_package_path and lua_package_cpath declarations inside the http scope:
lua_package_path "/usr/local/lib/lua/?.lua;;";
lua_package_cpath "/usr/lib64/lua/5.1/?.so;;";
- Add the Resolver directive:
The Resolver directive must be configured in the HTTP section of your NGINX configuration.
  - Set the resolver, resolver A.B.C.D;, to an external DNS resolver, such as Google (resolver 8.8.8.8;),
  or
  - Set the resolver, resolver A.B.C.D;, to the internal IP address of your DNS resolver (resolver 10.1.1.1;).
This is required for NGINX to resolve the PerimeterX API.
- Add the Lua CA Certificates:
For TLS connections to PerimeterX servers, configure Lua to point to the trusted CA certificate location.
lua_ssl_trusted_certificate "/etc/pki/tls/certs/ca-bundle.crt";
lua_ssl_verify_depth 3;
- Add the Lua Timer Initialization:
Add the init_worker_by_lua_block with the following Lua script. PerimeterX uses it to hold and send metrics at regular intervals. This block also defines the runtime path to the Nettle library.
init_worker_by_lua_block {
_NETTLE_LIB_PATH = "/usr/local/lib64"
local pxconfig = require("px.pxconfig")
require ("px.utils.pxtimer").application(pxconfig)
}
- Apply PerimeterX Enforcement:
Add the following lines to your location block:
#----- PerimeterX protect location -----#
access_by_lua_block {
local pxconfig = require("px.pxconfig")
require ("px.pxnginx").application(pxconfig)
}
#----- PerimeterX Module End -----#
- Continue with the PerimeterX Plugin Configuration section.
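To confirm that the finished nginx.conf carries every directive from the steps above in the right block, a check like the following can be run before reloading NGINX. This is an added example, not part of the PerimeterX documentation: the function names px_check_conf and px_sample_conf are hypothetical, the sample configuration is constructed, and requiring the http context for the lua_ssl_* and init_worker_by_lua_block directives is an assumption the page does not state.

```sh
# Added example: report directives from this guide that are missing or sit in the wrong block.
# Assumes one directive per line and no "#" inside quoted values.
px_check_conf() {
  awk '
    function inside(b,  i) { for (i = 1; i <= depth; i++) if (stack[i] == b) return 1; return 0 }
    BEGIN {
      spec = "load_module:main lua_package_path:http lua_package_cpath:http resolver:http"
      spec = spec " lua_ssl_trusted_certificate:http lua_ssl_verify_depth:http"
      spec = spec " init_worker_by_lua_block:http access_by_lua_block:location"
      n = split(spec, item, " "); for (i = 1; i <= n; i++) { split(item[i], p, ":"); name[i] = p[1]; want[p[1]] = p[2] }
    }
    {
      sub(/#.*/, "")                        # a commented-out directive does not count
      if ($1 in want) {                     # is it in the block the guide asks for?
        if ((want[$1] == "main") ? (depth == 0) : inside(want[$1])) good[$1] = 1; else bad[$1] = 1
      }
      line = $0; opens = gsub(/[{]/, "", line); closes = gsub(/[}]/, "", line)
      for (i = 0; i < opens; i++) stack[++depth] = $1     # entering a block named by its first word
      for (i = 0; i < closes && depth > 0; i++) depth--   # leaving a block
    }
    END {
      for (i = 1; i <= n; i++) {
        d = name[i]; if (good[d]) continue
        printf "%s: %s (expected in %s context)\n", (bad[d] ? "MISPLACED" : "MISSING"), d, want[d]; rc = 1
      }
      exit rc + 0
    }' "${1:--}"
}
# Constructed sample configuration assembled from the directives in this guide.
px_sample_conf() {
  cat <<'EOF'
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_lua_module.so;
http {
    lua_package_path "/usr/local/lib/lua/?.lua;;";
    lua_package_cpath "/usr/lib64/lua/5.1/?.so;;";
    resolver 10.1.1.1;
    lua_ssl_trusted_certificate "/etc/pki/tls/certs/ca-bundle.crt";
    lua_ssl_verify_depth 3;
    init_worker_by_lua_block { _NETTLE_LIB_PATH = "/usr/local/lib64" }
    server {
        location / {
            access_by_lua_block { require("px.pxnginx").application(require("px.pxconfig")) }
        }
    }
}
EOF
}
px_sample_conf | px_check_conf && echo "all required directives found"
```

Pass the path of the real file as the first argument (px_check_conf /etc/nginx/nginx.conf); the function exits non-zero and names each missing or misplaced directive. It checks placement only, so nginx -t is still needed to validate syntax.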