diff --git a/deployment/swag-new/docker-compose.yaml b/deployment/swag-new/docker-compose.yaml
new file mode 100644
index 0000000..10a9c87
--- /dev/null
+++ b/deployment/swag-new/docker-compose.yaml
@@ -0,0 +1,155 @@
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+## Docker compose file for open-appsec integrated with SWAG
+##
+
+version: "3.9"
+services:
+ appsec-agent:
+ image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+ container_name: appsec-agent
+ restart: unless-stopped
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - LEARNING_HOST=appsec-smartsync
+ - TUNING_HOST=appsec-tuning-svc
+ - https_proxy=${APPSEC_HTTPS_PROXY}
+ - user_email=${APPSEC_USER_EMAIL}
+ - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
+ - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+ - registered_server=SWAG Server
+ ipc: shareable
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ - ${APPSEC_DATA}:/etc/cp/data
+ - ${APPSEC_LOGS}:/var/log/nano_agent
+ - ${APPSEC_LOCALCONFIG}:/ext/appsec
+ command: /cp-nano-agent
+
+ appsec-swag:
+ image: ghcr.io/openappsec/swag-attachment:latest
+ container_name: appsec-swag
+ ipc: service:appsec-agent
+ restart: unless-stopped
+ cap_add:
+ - NET_ADMIN
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=${SWAG_TZ}
+ - URL=${SWAG_URL}
+ - VALIDATION=${SWAG_VALIDATION}
+ - DNSPLUGIN=${SWAG_DNSPLUGIN}
+ - AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID}
+ - AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY}
+ - SUBDOMAINS=${SWAG_SUBDOMAINS}
+ - ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS}
+## see https://docs.linuxserver.io/images/docker-swag/ for
+## more cert generation/validation options
+ - STAGING=${SWAG_STAGING} ## switch to 'false' after successful testing
+ volumes:
+ - ${SWAG_CONFIG}:/config
+## when mounting own external nginx config uncomment the line below, place the config in {SWAG_NGINX_CONFIG} folder
+# - ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs
+## when mounting own proxy.conf files uncomment the line below, place the proxy config files in {SWAG_PROXY_CONFS} folder
+# - ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs
+ ports:
+ - 443:443
+ - 80:80 ## optional
+
+ appsec-smartsync:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+ container_name: appsec-smartsync
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ restart: unless-stopped
+ depends_on:
+ - appsec-shared-storage
+
+ appsec-shared-storage:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+ container_name: appsec-shared-storage
+ ipc: service:appsec-agent
+ restart: unless-stopped
+## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+ user: root
+ volumes:
+ - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
+## instead of using local storage for local learning (see line above)
+## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
+## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
+# - learning_nfs:/db:z
+
+ appsec-tuning-svc:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
+ container_name: appsec-tuning-svc
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
+ - QUERY_DB_HOST=${APPSEC_DB_HOST}
+ - QUERY_DB_USER=${APPSEC_DB_USER}
+## only relevant when deploying own DB
+# - SSLMODE:
+ restart: unless-stopped
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ depends_on:
+ - appsec-shared-storage
+ - appsec-db
+
+ appsec-db:
+ profiles:
+ - standalone
+ image: postgres
+ container_name: appsec-db
+ restart: unless-stopped
+ environment:
+ - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
+ - POSTGRES_USER=${APPSEC_DB_USER}
+ volumes:
+ - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+##
+## uncomment this block for testing purposes only, make sure to put a juiceshop.subfolder.conf file in {SWAG_PROXY_CONFS} folder
+## for proxying external traffic to the juiceshop-backend container and also adjust the NGINX default.conf file in {SWAG_NGINX_SITE_CONFS} folder
+## you can use the example files available here:
+## https://raw.githubusercontent.com/openappsec/openappsec/main/examples/juiceshop/swag/juiceshop.subfolder.conf
+## https://raw.githubusercontent.com/openappsec/openappsec/main/examples/juiceshop/swag/default.conf
+## note that juiceshop container listens on HTTP port 3000 by default
+#
+# juiceshop-backend:
+# image: bkimminich/juice-shop:latest
+# container_name: juiceshop-backend
+
+
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+# driver: local
+# driver_opts:
+# type: nfs
+# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+# device: ":/"
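Review bot: The commented-out `# - SSLMODE:` under `appsec-tuning-svc` uses mapping syntax inside a list-form `environment` block, so uncommenting it as written produces a `{SSLMODE: null}` list item that Compose will reject or misparse rather than an environment variable; it should follow the `KEY=value` form of its neighbours, e.g. `# - SSLMODE=<mode>` (placeholder value). `appsec-db` pulls an unpinned `image: postgres` while persisting `/var/lib/postgresql/data`, so a later pull can move to a new major version whose server refuses to start on the existing data directory — pin a major-version tag there, and consider the same for `swag-attachment:latest` for reproducibility. `AWS_SECRET_ACCESS_KEY`, `AGENT_TOKEN` and `POSTGRES_PASSWORD` are injected as plain environment variables, which are readable by anyone who can run `docker inspect` on the host; Docker secrets or a permission-restricted `env_file` would narrow that exposure. The `443:443` / `80:80` port entries are safe as written, but quoting them (`"443:443"`) is the Compose convention that avoids the YAML 1.1 sexagesimal trap for low ports.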