DOCS-2202 SSL termination - final version by egoverdovskaya-wallarm · Pull Request #1933 · wallarm/product-documentation

egoverdovskaya-wallarm · 2026-02-23T07:50:26Z

No description provided.

netlify · 2026-02-23T07:50:30Z

✅ Deploy Preview for pensive-dubinsky-5f7a00 ready!

Name	Link
🔨 Latest commit	`c6a5aa0`
🔍 Latest deploy log	https://app.netlify.com/projects/pensive-dubinsky-5f7a00/deploys/699c06c45f46b9000897bd48
😎 Deploy Preview	https://deploy-preview-1933--pensive-dubinsky-5f7a00.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

AnastasiaTWW · 2026-02-23T14:45:39Z

+
+# SSL/TLS Termination and Certificate Management (Self-Hosted Nodes)
+
+This article describes how SSL/TLS termination and certificate management work in self-hosted Wallarm nodes (including NGINX and Native Nodes), and how HTTPS traffic is processed for analysis.


"NGINX and Native Nodes" - add the link to https://docs.wallarm.com/installation/nginx-native-node-internals/

AnastasiaTWW · 2026-02-23T14:48:58Z

+[security-edge]:                ../installation/security-edge/overview.md
+[aws-ami]:                      ../installation/cloud-platforms/aws/ami.md
+[gcp]:                          ../installation/cloud-platforms/gcp/machine-image.md
+


the question which is not covered by the article - how do a customer choose where SSL/TLS termination should happen?

AnastasiaTWW · 2026-02-23T14:59:29Z

+[aws-ami]:                      ../installation/cloud-platforms/aws/ami.md
+[gcp]:                          ../installation/cloud-platforms/gcp/machine-image.md
+
+


the article is currently missing the details on mTLS. it is probably a separate task but we need to describe the way the Node proxies traffic further - plan HTTPS/HTTPS and how to configure it

AnastasiaTWW · 2026-02-23T15:01:56Z

+
+You need to:
+
+1. Issue a certificate from a trusted Certificate Authority (CA) for a Wallarm Node instance.


for a Wallarm Node instance? usually, the certificate is requested for protected endpoints, not the Node instance. for example, in the article for sidecar, we ask a user to request certificates for "the server for which the Sidecar will terminate SSL/TLS" https://deploy-preview-1933--pensive-dubinsky-5f7a00.netlify.app/installation/kubernetes/sidecar-proxy/customization/#ssltls-termination

AnastasiaTWW · 2026-02-23T15:05:32Z

+
+To automate these actions, you can use external tools, e.g., [Certbot](https://certbot.eff.org/), [HashiCorp Vault](https://developer.hashicorp.com/vault), [Kubernetes cert-manager](https://cert-manager.io/), [Ansible playbooks](https://docs.ansible.com/projects/ansible/devel/playbook_guide/playbooks_intro.html), or others.
+
+![SSL/TLS termination in the NGINX Nosw](../images/admin-guides/ssl-tls-termination.png)


Suggested change

![SSL/TLS termination in the NGINX Nosw](../images/admin-guides/ssl-tls-termination.png)

![SSL/TLS termination in the NGINX Node](../images/admin-guides/ssl-tls-termination.png)

AnastasiaTWW · 2026-02-23T15:25:20Z

+
+
+# SSL/TLS Termination and Certificate Management (Self-Hosted Nodes)
+


Avoid narrowing the scope to “HTTPS” in conceptual sections: since Wallarm also analyzes WebSocket, gRPC, etc., use broader wording like “SSL/TLS-protected application traffic” or “application-layer traffic” instead of “HTTPS traffic” where possible.

AnastasiaTWW · 2026-02-23T15:26:32Z

+        ```
+
+1. Monitor the certificate's validity and renew it before expiration.
+


after the NGINX config steps, include basic verification steps like config test, confirm Wallarm receives traffic

AnastasiaTWW · 2026-02-23T15:27:06Z

+                proxy_pass https://10.100.100.30; # Replace with the IP address of the origin server 
+                proxy_set_header Host $host;
+                proxy_set_header X-Forwarded-For $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


why is proxy_set_header specified twice?

AnastasiaTWW · 2026-02-23T15:30:59Z

+
+To automate these actions, you can use external tools, e.g., [Certbot](https://certbot.eff.org/), [HashiCorp Vault](https://developer.hashicorp.com/vault), [Kubernetes cert-manager](https://cert-manager.io/), [Ansible playbooks](https://docs.ansible.com/projects/ansible/devel/playbook_guide/playbooks_intro.html), or others.
+
+![SSL/TLS termination in the NGINX Nosw](../images/admin-guides/ssl-tls-termination.png)


comments for the diagram:

or Firewall or WAF - just keep "Firewall" because WAF is a firewall. inctead of "WAF" here can be "Ingress Controller" for example. and it is good to add "etc." to the list of upstream components

the concept of the diagram is unclear. for example, see the diagram for mTLS in SE inline https://docs.wallarm.com/installation/security-edge/inline/mtls/ - it clearly describes the stages of decryption. I would say that the current diagram also should reflect that

I would create 2 diagrams: one is for decryption on the upstream level and another is for decryption on the Node

DOCS-2202 SSL termination - final version

c6a5aa0

egoverdovskaya-wallarm requested a review from AnastasiaTWW February 23, 2026 07:50

AnastasiaTWW reviewed Feb 23, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DOCS-2202 SSL termination - final version#1933

DOCS-2202 SSL termination - final version#1933
egoverdovskaya-wallarm wants to merge 1 commit intomasterfrom
feature/docs-2204-SSL-termination-3

egoverdovskaya-wallarm commented Feb 23, 2026

Uh oh!

netlify bot commented Feb 23, 2026 •

edited

Loading

Uh oh!

AnastasiaTWW Feb 23, 2026

Uh oh!

AnastasiaTWW Feb 23, 2026

Uh oh!

AnastasiaTWW Feb 23, 2026

Uh oh!

AnastasiaTWW Feb 23, 2026

Uh oh!

AnastasiaTWW Feb 23, 2026

Uh oh!

AnastasiaTWW Feb 23, 2026

Uh oh!

AnastasiaTWW Feb 23, 2026

Uh oh!

AnastasiaTWW Feb 23, 2026

Uh oh!

AnastasiaTWW Feb 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants


		# SSL/TLS Termination and Certificate Management (Self-Hosted Nodes)

		This article describes how SSL/TLS termination and certificate management work in self-hosted Wallarm nodes (including NGINX and Native Nodes), and how HTTPS traffic is processed for analysis.

		[aws-ami]: ../installation/cloud-platforms/aws/ami.md
		[gcp]: ../installation/cloud-platforms/gcp/machine-image.md


		You need to:

		1. Issue a certificate from a trusted Certificate Authority (CA) for a Wallarm Node instance.


		To automate these actions, you can use external tools, e.g., [Certbot](https://certbot.eff.org/), [HashiCorp Vault](https://developer.hashicorp.com/vault), [Kubernetes cert-manager](https://cert-manager.io/), [Ansible playbooks](https://docs.ansible.com/projects/ansible/devel/playbook_guide/playbooks_intro.html), or others.

		![SSL/TLS termination in the NGINX Nosw](../images/admin-guides/ssl-tls-termination.png)

	![SSL/TLS termination in the NGINX Nosw](../images/admin-guides/ssl-tls-termination.png)
	![SSL/TLS termination in the NGINX Node](../images/admin-guides/ssl-tls-termination.png)

		```

		1. Monitor the certificate's validity and renew it before expiration.

Conversation

egoverdovskaya-wallarm commented Feb 23, 2026

Uh oh!

netlify bot commented Feb 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for pensive-dubinsky-5f7a00 ready!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

netlify bot commented Feb 23, 2026 •

edited

Loading