Deploy With Docker-Compose#
Prerequisites#
- Linux Docker Host with root permission
- Docker-Compose tool installed
- Sign-Up and Login to Portal
- Agent profile created for open-appsec Docker deployment in SaaS tenant. Follow the instructions available here link
How to Deploy / Update the Advanced Machine Learning Model#
- Create a folder for your new open-appsec deployment and switch to that folder, e.g.
mkdir open-appsec-deploymentcd ./open-appsec-deploymentAn Advanced Model can be downloaded from open-appsec portal.
This is more accurate and recommended for Production use.
Download the advanced machine learning model by going to: User Menu -> Download Advanced ML Model.
- Copy the tgz file into the folder.
- Map this .tgz file into the appsec container to “/advanced-model/open-appsec-advanced-model.tgz” file inside the container.
version: '3.3'# docker compose for npm open-appsec integration
services: appsec-npm: container_name: npm-attachment image: 'ghcr.io/openappsec/nginx-proxy-manager-attachment:latest' ipc: host restart: unless-stopped ports: - '80:80' # Public HTTP Port - '443:443' # Public HTTPS Port - '81:81' # Admin Web Port volumes: - ./data:/data - ./letsencrypt:/etc/letsencrypt - ./appsec-logs:/ext/appsec-logs - ./appsec-localconfig:/ext/appsec
appsec-agent: container_name: appsec-agent image: 'ghcr.io/openappsec/agent:latest' network_mode: service:appsec-npm ipc: host restart: unless-stopped environment: # adjust with your own email below - user_email=user@email.com - nginxproxymanager=true - autoPolicyLoad=true volumes: - ./appsec-config:/etc/cp/conf - ./appsec-data:/etc/cp/data - ./appsec-logs:/var/log/nano_agent - ./appsec-localconfig:/ext/appsec - ./open-appsec-advanced-model/open-appsec-advanced-model.tgz:/advanced-model/open-appsec-advanced-model.tgz:rw command: /cp-nano-agent --standalone- Validate the use of the Advanced Model
open-appsec-ctl --status
The model being used by each agent can also be validated using the Agents tab in the web UI:

Web Application Protection Advanced Settings#
Web Attacks Settings#
Browse to Assets, edit the web application asset object you have created and click on the “Web Attacks” Tab and look at the “Web Attacks” sub-practice configuration

Configuration Options#
Setting the Mode to As Top Level means inheriting the primary mode of the practice. Otherwise you can override it only for this specific sub-practice to Detect/Prevent/Disable.
- Confidence-dependent Prevent Mode
The option Activate when confidence is becomes available if practice or sub-practice are set to Prevent. The value determines the threshold in which open-appsec will block attacks and prevent them, rather than just send a log according to Log Trigger configuration.
- Advanced settings window
When clicking on Advanced additional advanced settings appear:
For all Size Limits - open-appsec Web Attacks engine will accept traffic that exceeds the limits if set to Detect/Learn mode (and that traffic will bypass inspection), or block traffic that exceeds the limits if set to Prevent mode.
| Advanced Setting | Meaning |
|---|---|
URL Size (Bytes) | Determines the URL size limit for inspection |
Max Object Depth | Determines the depth limit of a JSON/XML object inspected in the HTTP request. This includes embedded XML in JSON and the opposite. |
Body Size (Kilobytes) | Determines the HTTP body size limit for inspection |
Header Size (Bytes) | Determines the HTTP header size limit for inspection |
CSRF Protection | Determines the mode for the advanced CSRF protection, which blocks CSRF attacks. Important: This protection has a performance impact. |
Error Disclosure | Determines the mode for the advanced Error Disclosure protection, which replaces internal error codes in the response and injects a different response instead. Important: This protection has a performance impact. |
Open Redirect | Determines the mode for the advanced Open Redirect protection, which prevents client side redirection to other domains (e.g. as used by Phishing attacks). Important: This protection has a performance impact. |
Non-Valid HTTP methods | When set to No and practice is set to Prevent, non-valid HTTP methods are blocked. Valid HTTP methods are: GET, POST, DELETE, PATCH, PUT, CONNECT, OPTIONS, HEAD, TRACE, MKCOL, COPY, MOVE, PROPFIND, PROPPATCH, LOCK, UNLOCK, VERSION-CONTROL, REPORT, INDEX, CHECKOUT, CHECKIN, UNCHECK, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, MKREDIRECTREF, BIND, UNBIND |
- Intrusion Prevention System (IPS)
In addition to the Contextual Machine-Learning based engine, open-appsec provides traditional signature-based protections for over 2800 web-based CVEs (Common Vulnerabilities and Exposures). One specific benefit of these signatures is the ability to see logs that indicate a specific CVE number.
Once the asset edit window opens, select the Web Attacks tab and scroll to the Intrusion Prevention sub-practice.

Edit the settings of the Intrusion Prevention sub-practice
The settings allow:
-
Changing which protections will be active according to their:
- Performance Impact
- Severity
- Year of the CVE they protect against
-
Changing the exact behavior upon detection of signature according to its confidence level (Prevent/Detect/Inactive, or, According to Practice when there is no unique behavior to the group of protections)
When making the first change to the default Web Application/API Best Practice’s configuration such as making changes to the default configuration of the IPS engine settings, you will be prompted to change the name of the Practice to your own custom practice name
Make sure the Mode of the Intrusion Prevention sub-practice is as desired
Setting the Mode to As Top Level means inheriting the primary mode of the practice.
Otherwise you can override it only for this specific sub-practice to Detect/Prevent/Disable.
You can also set up a specific action per confidence level of the the protection that caught the attack. According to Practice mode means the sub-practice’s mode determines the action. But you can set up Detect/Prevent/Disable specifically for that group of protections per confidence level. For example - the default configuration of the IPS sub-practice configures that Low confidence protections will be set to “Detect” mode, unrelated to the general IPS mode.
