From 1e98fc8c6668523f1d4d11e4aadf8678ebba1686 Mon Sep 17 00:00:00 2001
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 3 Feb 2025 16:16:50 +0200
Subject: [PATCH] Add files via upload
---
 .../appsec-localconfig/local_policy.yaml | 62 ++++++++
 .../docker-compose/envoy/docker-compose.yaml | 139 ++++++++++++++++++
 .../envoy/envoy-config/envoy.yaml | 56 +++++++
 3 files changed, 257 insertions(+)
 create mode 100644 deployment/docker-compose/envoy/appsec-localconfig/local_policy.yaml
 create mode 100644 deployment/docker-compose/envoy/docker-compose.yaml
 create mode 100644 deployment/docker-compose/envoy/envoy-config/envoy.yaml
diff --git a/deployment/docker-compose/envoy/appsec-localconfig/local_policy.yaml b/deployment/docker-compose/envoy/appsec-localconfig/local_policy.yaml
new file mode 100644
index 0000000..c011b6f
--- /dev/null
+++ b/deployment/docker-compose/envoy/appsec-localconfig/local_policy.yaml
@@ -0,0 +1,62 @@
+policies:
+ default:
+ triggers:
+ - appsec-default-log-trigger
+ mode: prevent-learn
+ practices:
+ - webapp-default-practice
+ custom-response: appsec-default-web-user-response
+ specific-rules: []
+
+practices:
+ - name: webapp-default-practice
+ openapi-schema-validation:
+ configmap: []
+ override-mode: as-top-level
+ snort-signatures:
+ configmap: []
+ override-mode: as-top-level
+ web-attacks:
+ max-body-size-kb: 1000000
+ max-header-size-bytes: 102400
+ max-object-depth: 40
+ max-url-size-bytes: 32768
+ minimum-confidence: critical
+ override-mode: as-top-level
+ protections:
+ csrf-protection: inactive
+ error-disclosure: inactive
+ non-valid-http-methods: false
+ open-redirect: inactive
+ anti-bot:
+ injected-URIs: []
+ validated-URIs: []
+ override-mode: as-top-level
+
+log-triggers:
+ - name: appsec-default-log-trigger
+ access-control-logging:
+ allow-events: false
+ drop-events: true
+ additional-suspicious-events-logging:
+ enabled: true
+ minimum-severity: high
+ response-body: false
+ appsec-logging:
+ all-web-requests: false
+ detect-events: true
+ prevent-events: true
+ extended-logging:
+ http-headers: false
+ request-body: false
+ url-path: false
+ url-query: false
+ log-destination:
+ cloud: true
+ stdout:
+ format: json
+
+custom-responses:
+ - name: appsec-default-web-user-response
+ mode: response-code-only
+ http-response-code: 403
diff --git a/deployment/docker-compose/envoy/docker-compose.yaml b/deployment/docker-compose/envoy/docker-compose.yaml
new file mode 100644
index 0000000..9c05fa4
--- /dev/null
+++ b/deployment/docker-compose/envoy/docker-compose.yaml
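Review bot: Every entry under `protections:` is disabled in this default policy (`csrf-protection`, `error-disclosure` and `open-redirect` are `inactive`, `non-valid-http-methods` is `false`) and `minimum-confidence: critical` means only the highest-confidence web-attack detections are enforced in `prevent-learn` mode; a comment above `protections:` such as `# permissive starting point - review and tighten after tuning` would tell operators this is deliberate rather than an oversight. `max-body-size-kb: 1000000` is on the order of a gigabyte of request body; if the agent buffers bodies up to that limit a much lower template default is safer, though the buffering behaviour cannot be confirmed from this file. `non-valid-http-methods: false` is the only boolean among siblings written as `inactive` — if the schema expects `inactive` here the value may be silently ignored, so this is worth verifying against the policy schema.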
@@ -0,0 +1,139 @@
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+## Docker compose file for open-appsec integrated with Envoy
+##
+
+version: "3.9"
+services:
+ appsec-agent:
+ image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+ container_name: appsec-agent
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - LEARNING_HOST=appsec-smartsync
+ - TUNING_HOST=appsec-tuning-svc
+ - https_proxy=${APPSEC_HTTPS_PROXY}
+ - user_email=${APPSEC_USER_EMAIL}
+ - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
+ - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+ - registered_server="Envoy"
+ ipc: shareable
+ restart: unless-stopped
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ - ${APPSEC_DATA}:/etc/cp/data
+ - ${APPSEC_LOGS}:/var/log/nano_agent
+ - ${APPSEC_LOCALCONFIG}:/ext/appsec
+ command: /cp-nano-agent
+
+ appsec-envoy:
+ image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}
+ container_name: appsec-envoy
+ ipc: service:appsec-agent
+ restart: unless-stopped
+ environment:
+ - ENVOY_UID=0
+ - CONCURRENCY_CALC=${ENVOY_CONCURRENCY_CALC}
+ - CONCURRENCY_NUMBER=${ENVOY_CONCURRENCY_NUMBER}
+ volumes:
+ - ${ENVOY_CONFIG}:/envoy.yaml
+ command: -c /envoy.yaml
+## If required you can adjust the amount of worker threads envoy will run by commenting out the line above and uncommenting the line below
+## then specify ENVOY_CONCURRENCY parameter with the desired thread amount in the .env file.
+## By default there's one worker thread per virtual CPU (vCPU) core available on the machine.
+# command: -c /envoy.yaml --concurrency ${ENVOY_CONCURRENCY}
+
+ ports:
+ - "80:80"
+ - "443:443"
+
+ appsec-smartsync:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+ container_name: appsec-smartsync
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ restart: unless-stopped
+ depends_on:
+ - appsec-shared-storage
+
+ appsec-shared-storage:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+ container_name: appsec-shared-storage
+ ipc: service:appsec-agent
+ restart: unless-stopped
+## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+ user: root
+ volumes:
+ - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
+## instead of using local storage for local learning (see line above)
+## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
+## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
+# - learning_nfs:/db:z
+
+ appsec-tuning-svc:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
+ container_name: appsec-tuning-svc
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
+ - QUERY_DB_HOST=${APPSEC_DB_HOST}
+ - QUERY_DB_USER=${APPSEC_DB_USER}
+## only relevant when deploying own DB
+# - SSLMODE:
+ restart: unless-stopped
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ depends_on:
+ - appsec-shared-storage
+ - appsec-db
+
+ appsec-db:
+ profiles:
+ - standalone
+ image: postgres
+ container_name: appsec-db
+ restart: unless-stopped
+ environment:
+ - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
+ - POSTGRES_USER=${APPSEC_DB_USER}
+ volumes:
+ - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+ juiceshop-backend:
+ profiles:
+ - juiceshop
+ image: bkimminich/juice-shop:latest
+ container_name: juiceshop-backend
+
+
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+# driver: local
+# driver_opts:
+# type: nfs
+# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+# device: ":/"
diff --git a/deployment/docker-compose/envoy/envoy-config/envoy.yaml b/deployment/docker-compose/envoy/envoy-config/envoy.yaml
new file mode 100644
index 0000000..fd794a1
--- /dev/null
+++ b/deployment/docker-compose/envoy/envoy-config/envoy.yaml
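Review bot: In the `appsec-agent` environment list, `- registered_server="Envoy"` hands the double quotes through as part of the value in compose's list syntax, so the agent most likely receives `"Envoy"` with literal quote characters; write it as `- registered_server=Envoy`. `image: postgres` for `appsec-db` is a floating tag while every open-appsec image is pinned through `${APPSEC_VERSION}`; pinning a major, e.g. `image: postgres:<MAJOR>` (placeholder), keeps the on-disk data directory under `${APPSEC_POSTGRES_STORAGE}` from meeting an incompatible server after a re-pull. `- ENVOY_UID=0` runs the proxy as root, and `user: root` on `appsec-shared-storage` is already explained in a comment — a similar one-line comment above `ENVOY_UID=0` stating why root is required here (binding ports 80/443 or the shared IPC with the agent, presumably) would let operators judge whether they can drop it.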
@@ -0,0 +1,56 @@
+static_resources:
+ listeners:
+ - name: listener_0
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 80
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: ingress_http
+ http_filters:
+ ## The following 10 lines are required to load the envoy attachment filter for open-appsec
+ - name: envoy.filters.http.golang
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
+ library_id: cp_nano_filter
+ library_path: "/usr/lib/libenvoy_attachment.so"
+ plugin_name: cp_nano_filter
+ plugin_config:
+ "@type": type.googleapis.com/xds.type.v3.TypedStruct
+ value:
+ prefix_localreply_body: "Configured local reply from go"
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+##
+## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file.
+##
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: local_service
+ domains: ["*"]
+ routes:
+ - match:
+ prefix: "/"
+ route:
+ cluster: juiceshop
+
+ clusters:
+ - name: juiceshop
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: juiceshop
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: juiceshop-backend
+ port_value: 3000
\ No newline at end of file
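Review bot: `listener_0` binds only `0.0.0.0:80` and no `transport_socket` (TLS) is configured anywhere in this file, yet the companion docker-compose.yaml in this commit publishes `"443:443"` as well, so that port mapping has nothing listening behind it; a comment above `listeners:` such as `## HTTP only - add a TLS listener/transport_socket before exposing 443` would make the template coherent until a second listener is added. The catch-all `domains: ["*"]` with `prefix: "/"` sends every ingress request to `cluster: juiceshop`, which the comment marks as an optional lab example — a line telling operators to replace that cluster with their own upstream before real use would make the intent explicit. The file also ends without a trailing newline (`\ No newline at end of file`).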