Package: Invicti API Security Standalone or Bundle
Manage the NTA with Docker Compose
This document covers how to install, update, and uninstall the Invicti Network Traffic Analyzer (NTA) using Docker Compose. It also covers how to authenticate with the Invicti container registry and what networking requirements apply for each integration type.
Prerequisites
Before you begin, ensure the following:
- Docker is installed and running on your host machine. On Windows and macOS, this means Docker Desktop must be open and fully started before you run any commands.
Step 1: Authenticate with the Invicti container registry
The commands in this document use the Docker Compose v2 syntax (docker compose). If you're using an older Docker installation, use docker-compose instead.
Before installing or updating the NTA, log in to the Invicti container registry. You can run this command in any terminal - bash, PowerShell, or Command Prompt - from any directory:
```
docker login registry.invicti.com -u YOUR_EMAIL -p YOUR_LICENSE_KEY
```
Replace YOUR_EMAIL with your Invicti account email and YOUR_LICENSE_KEY with your license key.
You may see the following warning: WARNING! Using --password via the CLI is insecure. Use --password-stdin. This is expected and can be ignored. If the output ends with Login Succeeded, authentication was successful.
Your license key is available in Invicti Platform under Settings > Subscription > License.
You must log in to registry.invicti.com before installing or updating the NTA. The docker-compose up command pulls images from this registry and will fail without authentication.
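The `-p` form shown above leaves the license key in shell history and in the host's process listing while the command runs. The following function is an added example, not part of Invicti's documentation: it reads the key from a file and passes it with `--password-stdin`. The function name and the key-file path are assumptions.

```shell
#!/bin/sh
# Added example: log in to registry.invicti.com without putting the license
# key on the command line. nta_registry_login and the key-file location are
# hypothetical names chosen for this example.
#
# Usage: nta_registry_login you@example.com "$HOME/.invicti-license-key"

nta_registry_login() {
    email=$1
    key_file=$2

    if [ -z "$email" ] || [ -z "$key_file" ]; then
        echo "usage: nta_registry_login EMAIL KEY_FILE" >&2
        return 2
    fi
    if [ ! -r "$key_file" ] || [ ! -s "$key_file" ]; then
        echo "error: $key_file is missing, unreadable, or empty" >&2
        return 1
    fi

    # Refuse a key file that group or others can access.
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -lnL "$key_file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "error: $key_file is accessible to group/other (chmod 600 it)" >&2
        return 1
    fi

    # Strip the trailing newline or CR and hand the key to docker on stdin,
    # so it never appears in argv. The exit status is docker's.
    tr -d '\r\n' < "$key_file" |
        docker login registry.invicti.com -u "$email" --password-stdin
}
```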
Step 2: Install the NTA
- Create a project folder:
```
mkdir nta-setup
cd nta-setup
```
- In that folder, create a file called docker-compose.yml with the following content:
```yaml
services:
  reconstructor:
    image: registry.invicti.com/api-discovery/reconstructor:latest
    restart: always
    expose:
      - 8090
    ports:
      - 8090:8090/tcp
    environment:
      APIHUB_CONFIG: YOUR_REGISTRATION_TOKEN_HERE
    networks:
      - nta-network
    volumes:
      - reconstructor-config:/configuration
  tsa:
    depends_on:
      reconstructor:
        condition: service_started
    image: registry.invicti.com/api-discovery/tsa:latest
    restart: always
    environment:
      - TSA_SINK_RECONSTRUCTOR_ENABLED=true
      - TSA_SINK_RECONSTRUCTOR_URL=http://reconstructor:8090
      # Add source-specific variables — see the next step
    networks:
      - nta-network
networks:
  nta-network:
    driver: bridge
volumes:
  reconstructor-config:
    driver: local
```
Replace YOUR_REGISTRATION_TOKEN_HERE with your registration token. For instructions on how to get it, see Generate a new registration token.
Step 3: Configure the TSA for your integration type
The TSA collects traffic data from your integration and forwards it to the Reconstructor for analysis. It supports multiple traffic sources, each enabled by environment variables. Add the relevant variables to the tsa service's environment section and add the corresponding port mapping.
You can enable more than one source at the same time by including multiple TSA_SOURCE_*_ENABLED variables. The sink (Reconstructor) is always the same regardless of which sources are active.
The TSA will not start if no source is configured. Make sure you've added the source-specific variables for your integration type (see the sections below) before proceeding to Step 4 to start the services.
NGINX (syslog)
```yaml
expose:
  - 15400/udp
ports:
  - 15400:15400/udp
environment:
  - TSA_SOURCE_SYSLOG_ENABLED=true
  - TSA_SOURCE_SYSLOG_ADDR=:15400
```
For full setup instructions, see NTA in Docker with NGINX in Docker. That doc also covers the NTA installation in Step 2 - if you've already completed the steps in this document, you can skip Step 2 there.
NGINX (HTTP mirror)
```yaml
expose:
  - 8000/tcp
ports:
  - 8000:8000/tcp
environment:
  - TSA_SOURCE_HTTP_MIRROR_ENABLED=true
  - TSA_SOURCE_HTTP_MIRROR_ADDR=:8000
```
F5 BIG-IP
```yaml
expose:
  - 15400/udp
ports:
  - 15400:15400/udp
environment:
  - TSA_SOURCE_BIGIP_ENABLED=true
  - TSA_SOURCE_BIGIP_ADDR=:15400
```
For instructions on configuring the F5 BIG-IP iRule to send traffic to the NTA, see NTA with F5 BIG-IP iRule. Note that the NTA installation steps in that document use a Helm deployment - if you're using Docker Compose, follow the NTA installation steps in this Manage the NTA with Docker Compose document instead.
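Before starting the services, the compose file can be checked for the failure modes described in Steps 2 and 3: a registration token placeholder that was never replaced, no enabled source, or an enabled source without its port mapping. This is an added example, not an Invicti tool; the function name is an assumption, and it is a line-based heuristic that expects the list-style layout used in this document rather than a full YAML parse.

```shell
#!/bin/sh
# Added example: static pre-flight check of docker-compose.yml.
# nta_preflight is a hypothetical name. Returns 0 when all checks pass.

nta_preflight() {
    file=${1:-docker-compose.yml}
    [ -r "$file" ] || { echo "error: cannot read $file" >&2; return 2; }

    # Drop comments so commented-out settings do not count as active.
    active=$(sed 's/[[:space:]]*#.*$//' "$file")
    rc=0

    # 1. The placeholder registration token must have been replaced.
    if printf '%s\n' "$active" | grep -q 'YOUR_REGISTRATION_TOKEN_HERE'; then
        echo "FAIL: APIHUB_CONFIG still holds the placeholder token" >&2
        rc=1
    fi

    # 2. At least one traffic source must be enabled.
    sources=$(printf '%s\n' "$active" |
        sed -n 's/.*TSA_SOURCE_\([A-Z_]*\)_ENABLED=true.*/\1/p')
    if [ -z "$sources" ]; then
        echo "FAIL: no TSA_SOURCE_*_ENABLED=true; the TSA will not start" >&2
        rc=1
    fi

    # 3. Each enabled source's listen port needs a matching ports: entry.
    for src in $sources; do
        port=$(printf '%s\n' "$active" |
            sed -n "s/.*TSA_SOURCE_${src}_ADDR=.*:\([0-9][0-9]*\).*/\1/p" |
            head -n 1)
        if [ -z "$port" ]; then
            echo "WARN: $src has no TSA_SOURCE_${src}_ADDR; port not checked" >&2
            continue
        fi
        # Matches "- [HOST_IP:]HOST_PORT:PORT[/tcp|/udp]", optionally quoted.
        map="-[[:space:]]*\"?([0-9.]+:)?[0-9]+:${port}(/(tcp|udp))?\"?[[:space:]]*\$"
        if ! printf '%s\n' "$active" | grep -Eq -- "$map"; then
            echo "FAIL: $src listens on $port but no ports: entry maps to it" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it as `nta_preflight docker-compose.yml` from the project folder; failures are reported on stderr.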
Step 4: Start the services
```
docker compose up -d
```
Update or uninstall the NTA
- To update the NTA to the latest version, see Update the NTA.
- To remove the NTA from your system, see Uninstall the NTA.
Networking requirements
The host machine running the NTA must have the relevant port open and be reachable from your integration. The required port and protocol depend on the integration type:
| Integration | Port | Protocol |
|---|---|---|
| NGINX (syslog) | 15400 | UDP |
| NGINX (HTTP mirror) | 8000 | TCP |
| F5 BIG-IP | 15400 | UDP |
| Kong | 8090 | TCP |
Ports are configurable via the TSA_SOURCE_*_ADDR environment variables. The values above match the examples in this document.
For the integration to work correctly:
- The integration (F5, NGINX, or Kong) must be able to send traffic to the NTA host on the correct port and protocol.
- DNS must resolve the NTA's address from the integration. The simplest way to achieve this is to place the NTA and the integration in the same Docker network.
- Firewall rules must allow traffic between the integration and the NTA on the required port.