diff --git a/deployment/apisix/apisix-example-config/apisix-standalone.yaml b/deployment/apisix/apisix-example-config/apisix-standalone.yaml
new file mode 100644
index 0000000..97ce7b7
--- /dev/null
+++ b/deployment/apisix/apisix-example-config/apisix-standalone.yaml
@@ -0,0 +1,12 @@
+
+# example local declarative configuration file for apisix in standalone mode
+
+routes:
+ -
+ uri: /anything
+ upstream:
+ nodes:
+ "httpbin.org:80": 1
+ type: roundrobin
+
+#END
diff --git a/deployment/apisix/docker-compose.yaml b/deployment/apisix/docker-compose.yaml
new file mode 100644
index 0000000..5047b56
--- /dev/null
+++ b/deployment/apisix/docker-compose.yaml
@@ -0,0 +1,47 @@
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: "3"
+
+services:
+ apisix:
+ container_name: apisix
+ image: "ghcr.io/openappsec/apisix-attachment:latest"
+ ipc: host
+ restart: always
+ volumes:
+ - ./apisix-localconfig/apisix-standalone.yaml:/usr/local/apisix/conf/apisix.yaml:ro
+ environment:
+ - APISIX_STAND_ALONE=true
+ ports:
+ - "9180:9180/tcp"
+ - "9080:9080/tcp"
+ - "9091:9091/tcp"
+ - "9443:9443/tcp"
+
+ appsec-agent:
+ container_name: appsec-agent
+ image: 'ghcr.io/openappsec/agent:latest'
+ ipc: host
+ restart: unless-stopped
+ environment:
+ # adjust with your own email below
+ - user_email=user@email.com
+ - registered_server="APISIX Server"
+ - AGENT_TOKEN=
+ volumes:
+ - ./appsec-config:/etc/cp/conf
+ - ./appsec-data:/etc/cp/data
+ - ./appsec-logs:/var/log/nano_agent
+ - ./appsec-localconfig:/ext/appsec
+ command: /cp-nano-agent
diff --git a/deployment/docker-compose/apisix/apisix-config/apisix.yaml b/deployment/docker-compose/apisix/apisix-config/apisix.yaml
new file mode 100644
index 0000000..baa0928
--- /dev/null
+++ b/deployment/docker-compose/apisix/apisix-config/apisix.yaml
@@ -0,0 +1,9 @@
+routes:
+ -
+ uri: /
+ upstream:
+ nodes:
+ "juiceshop-backend:3000": 1
+ type: roundrobin
+
+#END
diff --git a/deployment/docker-compose/apisix/docker-compose.yaml b/deployment/docker-compose/apisix/docker-compose.yaml
new file mode 100644
index 0000000..d4ed4da
--- /dev/null
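Review bot: The apisix service mounts `./apisix-localconfig/apisix-standalone.yaml`, but this commit adds that file under `deployment/apisix/apisix-example-config/`, so the host path does not exist; Compose's short volume syntax then creates an empty directory there and tries to bind it over `/usr/local/apisix/conf/apisix.yaml`, which makes the container fail to start or come up without routes. Either rename the directory or change the mount to `- ./apisix-example-config/apisix-standalone.yaml:/usr/local/apisix/conf/apisix.yaml:ro`. Both containers also use `ipc: host`, which joins the host's IPC namespace, whereas every other compose file in this change pairs `ipc: shareable` on the agent with `ipc: service:appsec-agent` on the proxy — the narrower form should be used here as well. `AGENT_TOKEN=` is left empty and both images float on `:latest`, so either label this file as a lab-only example in its header comment or align it with the `${APPSEC_VERSION}` / `${APPSEC_AGENT_TOKEN}` pattern used by the other files.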
+++ b/deployment/docker-compose/apisix/docker-compose.yaml 
@@ -0,0 +1,131 @@
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+## Docker compose file for open-appsec integrated with APISIX
+##
+
+version: "3.9"
+services:
+ appsec-agent:
+ image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+ container_name: appsec-agent
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - LEARNING_HOST=appsec-smartsync
+ - TUNING_HOST=appsec-tuning-svc
+ - https_proxy=${APPSEC_HTTPS_PROXY}
+ - user_email=${APPSEC_USER_EMAIL}
+ - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
+ - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+ - registered_server=APISIX Server
+ ipc: shareable
+ restart: unless-stopped
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ - ${APPSEC_DATA}:/etc/cp/data
+ - ${APPSEC_LOGS}:/var/log/nano_agent
+ - ${APPSEC_LOCALCONFIG}:/ext/appsec
+ command: /cp-nano-agent
+
+ appsec-apisix:
+ image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION}
+ container_name: appsec-apisix
+ ipc: service:appsec-agent
+ restart: always
+ environment:
+ - APISIX_STAND_ALONE=true
+ volumes:
+ - ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro
+ ports:
+ - "9080:9080/tcp" # HTTP API port
+ - "9443:9443/tcp" # HTTPS API port
+ - "9180:9180/tcp" # Admin API HTTP port
+ - "9091:9091/tcp" # Admin API HTTPS port
+
+ appsec-smartsync:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+ container_name: appsec-smartsync
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ restart: always
+ depends_on:
+ - appsec-shared-storage
+
+ appsec-shared-storage:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+ container_name: appsec-shared-storage
+ ipc: service:appsec-agent
+ restart: always
+## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+ user: root
+ volumes:
+ - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
+## instead of using local storage for local learning (see line above)
+## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
+## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
+# - learning_nfs:/db:z
+
+ appsec-tuning-svc:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
+ container_name: appsec-tuning-svc
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
+ - QUERY_DB_HOST=${APPSEC_DB_HOST}
+ - QUERY_DB_USER=${APPSEC_DB_USER}
+## only relevant when deploying own DB
+# - SSLMODE:
+ restart: always
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ depends_on:
+ - appsec-shared-storage
+ - appsec-db
+
+ appsec-db:
+ profiles:
+ - standalone
+ image: postgres
+ container_name: appsec-db
+ restart: always
+ environment:
+ - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
+ - POSTGRES_USER=${APPSEC_DB_USER}
+ volumes:
+ - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+ juiceshop-backend:
+ image: bkimminich/juice-shop:latest
+ container_name: juiceshop-backend
+
+
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+# driver: local
+# driver_opts:
+# type: nfs
+# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+# device: ":/"
\ No newline at end of file
diff --git a/deployment/docker-compose/envoy/docker-compose.yaml b/deployment/docker-compose/envoy/docker-compose.yaml
new file mode 100644
index 0000000..11088b2
--- /dev/null
+++ b/deployment/docker-compose/envoy/docker-compose.yaml
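Review bot: The `juiceshop-backend` service in this file has no `profiles:` entry, so the intentionally vulnerable Juice Shop container — which the comment above it says is for lab use only — is started by every plain `docker compose up`, and the accompanying apisix.yaml routes `/` straight to it; the Kong and NGINX Proxy Manager files in the same change gate it behind `profiles: [juiceshop]`. Add `profiles:` / `- juiceshop` under the service as those files do. The `appsec-apisix` port list publishes 9180 and 9091 on all interfaces, whereas the Kong file binds its admin ports to `127.0.0.1:`; with `APISIX_STAND_ALONE=true` the Admin API is normally disabled, so these mappings are either dead or, if enabled later, exposed — bind them to loopback or drop them. The comment `# Admin API HTTPS port` on 9091 also looks wrong; as far as I recall 9091 is APISIX's default Prometheus exporter port, so the comment should say so or the mapping should go.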
@@ -0,0 +1,135 @@
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+## Docker compose file for open-appsec integrated with Envoy
+##
+
+version: "3.9"
+services:
+ appsec-agent:
+ image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+ container_name: appsec-agent
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - LEARNING_HOST=appsec-smartsync
+ - TUNING_HOST=appsec-tuning-svc
+ - https_proxy=${APPSEC_HTTPS_PROXY}
+ - user_email=${APPSEC_USER_EMAIL}
+ - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
+ - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+ - registered_server="Envoy Server"
+ ipc: shareable
+ restart: unless-stopped
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ - ${APPSEC_DATA}:/etc/cp/data
+ - ${APPSEC_LOGS}:/var/log/nano_agent
+ - ${APPSEC_LOCALCONFIG}:/ext/appsec
+ command: /cp-nano-agent
+
+ appsec-envoy:
+ image: openappsec-envoy:${APPSEC_VERSION}
+# for docs: image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}
+ container_name: appsec-envoy
+ ipc: service:appsec-agent
+ restart: unless-stopped
+ environment:
+ - ENVOY_UID=0
+ - CONCURRENCY_CALC=${ENVOY_CONCURRENCY_CALC}
+ - CONCURRENCY_NUMBER=${ENVOY_CONCURRENCY_NUMBER}
+ volumes:
+ - ${ENVOY_CONFIG}:/envoy.yaml
+ command: -c /envoy.yaml
+## adjustment of threads is possible as follows:
+# command: -c /envoy.yaml --concurrency ${ENVOY_CONCURRENCY}
+
+ ports:
+ - "80:80"
+ - "443:443"
+
+ appsec-smartsync:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+ container_name: appsec-smartsync
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ restart: unless-stopped
+ depends_on:
+ - appsec-shared-storage
+
+ appsec-shared-storage:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+ container_name: appsec-shared-storage
+ ipc: service:appsec-agent
+ restart: unless-stopped
+## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+ user: root
+ volumes:
+ - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
+## instead of using local storage for local learning (see line above)
+## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
+## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
+# - learning_nfs:/db:z
+
+ appsec-tuning-svc:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
+ container_name: appsec-tuning-svc
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
+ - QUERY_DB_HOST=${APPSEC_DB_HOST}
+ - QUERY_DB_USER=${APPSEC_DB_USER}
+## only relevant when deploying own DB
+# - SSLMODE:
+ restart: unless-stopped
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ depends_on:
+ - appsec-shared-storage
+ - appsec-db
+
+ appsec-db:
+ profiles:
+ - standalone
+ image: postgres
+ container_name: appsec-db
+ restart: unless-stopped
+ environment:
+ - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
+ - POSTGRES_USER=${APPSEC_DB_USER}
+ volumes:
+ - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+ juiceshop-backend:
+ image: bkimminich/juice-shop:latest
+ container_name: juiceshop-backend
+
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+# driver: local
+# driver_opts:
+# type: nfs
+# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+# device: ":/"
diff --git a/deployment/docker-compose/envoy/envoy-config/envoy.yaml b/deployment/docker-compose/envoy/envoy-config/envoy.yaml
new file mode 100644
index 0000000..8ab8070
--- /dev/null
+++ b/deployment/docker-compose/envoy/envoy-config/envoy.yaml
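Review bot: The `appsec-envoy` service sets `ENVOY_UID=0`, which makes the stock Envoy image run as root instead of dropping to its unprivileged `envoy` user, and this is the one container exposed on host ports 80 and 443. If root is needed for the attachment's shared-memory channel to the agent, state that in a comment on the line, e.g. `# root required for the attachment to access the agent's IPC segments`; otherwise remove it. The active image line is `image: openappsec-envoy:${APPSEC_VERSION}`, an unqualified local tag that resolves against Docker Hub's `library/` namespace and fails to pull unless built locally, while the published `ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}` is left behind a `# for docs:` comment — swap the two lines before merging. `registered_server="Envoy Server"` in list-form `environment:` keeps the quote characters as part of the value, unlike `registered_server=Kong Server` in the Kong file; drop the quotes for consistency. The `juiceshop-backend` service here is also not gated behind `profiles: [juiceshop]` as it is in the Kong and NPM files.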
@@ -0,0 +1,56 @@
+static_resources:
+ listeners:
+ - name: listener_0
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 80
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: ingress_http
+ http_filters:
+ ## The following 10 lines are required to load the envoy attachment filter for open-appsec
+ - name: envoy.filters.http.golang
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
+ library_id: cp_nano_filter
+ library_path: "/usr/lib/libenvoy_attachment.so"
+ plugin_name: cp_nano_filter
+ plugin_config:
+ "@type": type.googleapis.com/xds.type.v3.TypedStruct
+ value:
+ prefix_localreply_body: "Configured local reply from go"
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+##
+## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file.
+##
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: local_service
+ domains: ["*"]
+ routes:
+ - match:
+ prefix: "/"
+ route:
+ cluster: juiceshop
+
+ clusters:
+ - name: juiceshop
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: juiceshop
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: juiceshop-backend
+ port_value: 3000
diff --git a/deployment/docker-compose/kong/docker-compose.yaml b/deployment/docker-compose/kong/docker-compose.yaml
new file mode 100644
index 0000000..ad5c767
--- /dev/null
+++ b/deployment/docker-compose/kong/docker-compose.yaml
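Review bot: This configuration defines a single listener on `0.0.0.0:80` with no `transport_socket`, yet the envoy docker-compose.yaml in the same change publishes `"443:443"` for this container, so HTTPS connections are refused and everything the attachment inspects travels in clear text between client and proxy. Either add a second listener on 443 carrying a `transport_socket` of type `envoy.transport_sockets.tls` with a certificate, or drop the 443 mapping from the compose file and say in the header comment that TLS is expected to terminate in front of Envoy. `prefix_localreply_body: "Configured local reply from go"` looks like a leftover from the upstream golang-filter sample; if the attachment does not read it, replace the `value:` block with a comment listing the `plugin_config` keys it does honour. The `## The following 10 lines ...` comment sits inside the `http_filters` list and would be easier to find above `http_filters:`.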
@@ -0,0 +1,135 @@
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+## Docker compose file for open-appsec integrated with Kong
+##
+
+version: "3.9"
+services:
+ appsec-agent:
+ image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+ container_name: appsec-agent
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - LEARNING_HOST=appsec-smartsync
+ - TUNING_HOST=appsec-tuning-svc
+ - https_proxy=${APPSEC_HTTPS_PROXY}
+ - user_email=${APPSEC_USER_EMAIL}
+ - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
+ - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+ - registered_server=Kong Server
+ ipc: shareable
+ restart: unless-stopped
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ - ${APPSEC_DATA}:/etc/cp/data
+ - ${APPSEC_LOGS}:/var/log/nano_agent
+ - ${APPSEC_LOCALCONFIG}:/ext/appsec
+ command: /cp-nano-agent
+
+ appsec-kong:
+ image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
+ container_name: appsec-kong
+ ipc: service:appsec-agent
+## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
+## please make sure to have a valid config present in {KONG_CONFIG}:
+ environment:
+ - KONG_DATABASE=off
+ - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml
+ volumes:
+ - ${KONG_CONFIG}:/opt/kong
+ restart: unless-stopped
+ ports:
+ - "8000:8000"
+ - "8443:8443"
+ - "127.0.0.1:8001:8001"
+ - "127.0.0.1:8444:8444"
+
+ appsec-smartsync:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+ container_name: appsec-smartsync
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ restart: unless-stopped
+ depends_on:
+ - appsec-shared-storage
+
+ appsec-shared-storage:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+ container_name: appsec-shared-storage
+ ipc: service:appsec-agent
+ restart: unless-stopped
+## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+ user: root
+ volumes:
+ - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
+## instead of using local storage for local learning (see line above)
+## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
+## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
+# - learning_nfs:/db:z
+
+ appsec-tuning-svc:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
+ container_name: appsec-tuning-svc
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
+ - QUERY_DB_HOST=${APPSEC_DB_HOST}
+ - QUERY_DB_USER=${APPSEC_DB_USER}
+## only relevant when deploying own DB
+# - SSLMODE:
+ restart: unless-stopped
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ depends_on:
+ - appsec-shared-storage
+ - appsec-db
+
+ appsec-db:
+ profiles:
+ - standalone
+ image: postgres
+ container_name: appsec-db
+ restart: unless-stopped
+ environment:
+ - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
+ - POSTGRES_USER=${APPSEC_DB_USER}
+ volumes:
+ - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+ juiceshop-backend:
+ image: bkimminich/juice-shop:latest
+ container_name: juiceshop-backend
+ profiles:
+ - juiceshop
+
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+# driver: local
+# driver_opts:
+# type: nfs
+# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+# device: ":/"
diff --git a/deployment/docker-compose/kong/kong-config/kong.yaml b/deployment/docker-compose/kong/kong-config/kong.yaml
new file mode 100644
index 0000000..60c4c32
--- /dev/null
+++ b/deployment/docker-compose/kong/kong-config/kong.yaml
@@ -0,0 +1,9 @@
+_format_version: "3.0"
+
+services:
+ - name: juiceshop-service
+ url: http://juiceshop-backend:3000
+ routes:
+ - name: juiceshop-route
+ paths:
+ - /
diff --git a/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml b/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml
new file mode 100644
index 0000000..4795c2b
--- /dev/null
+++ b/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml
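Review bot: The `appsec-kong` service mounts `${KONG_CONFIG}:/opt/kong` read-write, although in DB-less mode (`KONG_DATABASE=off`) that declarative file is Kong's entire routing and plugin state and nothing in the container needs to write it; the APISIX file in this change mounts its equivalent with `:ro`, so use `- ${KONG_CONFIG}:/opt/kong:ro` here too. The comment `## please make sure to have a valid config present in {KONG_CONFIG}:` drops the `$` from the variable and should read `${KONG_CONFIG}`. Binding the Admin API to `127.0.0.1:8001` and `127.0.0.1:8444` is the right call and is the pattern the APISIX and NGINX Proxy Manager files in this change should follow for their admin ports.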
@@ -0,0 +1,132 @@
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+## Docker compose file for open-appsec integrated with NGINX Proxy Manager
+## with open-appsec management via central open-appsec WebUI (SaaS)
+##
+
+version: '3.9'
+
+services:
+ appsec-agent:
+ image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+ container_name: appsec-agent
+ ipc: shareable
+ restart: unless-stopped
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - LEARNING_HOST=appsec-smartsync
+ - TUNING_HOST=appsec-tuning-svc
+ - https_proxy=${APPSEC_HTTPS_PROXY}
+ - user_email=${APPSEC_USER_EMAIL}
+ - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
+ - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+ - nginxproxymanager=true
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ - ${APPSEC_DATA}:/etc/cp/data
+ - ${APPSEC_LOGS}:/var/log/nano_agent
+ - ${APPSEC_LOCALCONFIG}:/ext/appsec
+ command: /cp-nano-agent
+
+ appsec-nginx-proxy-manager:
+ container_name: appsec-nginx-proxy-manager
+ image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION}
+ ipc: service:appsec-agent
+ restart: unless-stopped
+ ports:
+ - 80:80 # Public HTTP Port
+ - 443:443 # Public HTTPS Port
+ - 81:81 # Admin Web Port
+ volumes:
+ - ${NPM_DATA}:/data
+ - ${NPM_LETSENCRYPT}:/etc/letsencrypt
+
+ appsec-smartsync:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+ container_name: appsec-smartsync
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ restart: unless-stopped
+ depends_on:
+ - appsec-shared-storage
+
+ appsec-shared-storage:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+ container_name: appsec-shared-storage
+ ipc: service:appsec-agent
+ restart: unless-stopped
+## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+ user: root
+ volumes:
+ - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
+## instead of using local storage for local learning (see line above)
+## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
+## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
+# - learning_nfs:/db:z
+
+ appsec-tuning-svc:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
+ container_name: appsec-tuning-svc
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
+ - QUERY_DB_HOST=${APPSEC_DB_HOST}
+ - QUERY_DB_USER=${APPSEC_DB_USER}
+## only relevant when deploying own DB
+# - SSLMODE:
+ restart: unless-stopped
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ depends_on:
+ - appsec-shared-storage
+ - appsec-db
+
+ appsec-db:
+ profiles:
+ - standalone
+ image: postgres
+ container_name: appsec-db
+ restart: unless-stopped
+ environment:
+ - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
+ - POSTGRES_USER=${APPSEC_DB_USER}
+ volumes:
+ - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+ juiceshop-backend:
+ image: bkimminich/juice-shop:latest
+ container_name: juiceshop-backend
+ profiles:
+ - juiceshop
+
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+# driver: local
+# driver_opts:
+# type: nfs
+# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+# device: ":/"
diff --git a/deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml b/deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml
new file mode 100644
index 0000000..fc80272
--- /dev/null
+++ b/deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml
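Review bot: The `appsec-nginx-proxy-manager` service publishes `81:81 # Admin Web Port` on every host interface, so the NGINX Proxy Manager admin UI — which ships with a documented default login that is only changed on first sign-in — is reachable from wherever port 80/443 is, while the Kong file in this change confines its admin ports to loopback. Bind it the same way, `- "127.0.0.1:81:81" # Admin Web Port`, and reach it over SSH forwarding or a management network, or at minimum add a comment telling users to restrict it. The port mappings here are also the only ones in this change written unquoted (`80:80`, `443:443`, `81:81`); quoting them as the other files do avoids YAML's sexagesimal parsing of `mm:ss`-shaped values if anyone later adds a low port.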
@@ -0,0 +1,134 @@
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+## Docker compose file for open-appsec integrated with NGINX Proxy Manager
+## with open-appsec management via NGINX Proxy Manager WebUI
+##
+
+version: '3.9'
+
+services:
+ appsec-agent:
+ image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+ container_name: appsec-agent
+ ipc: shareable
+ restart: unless-stopped
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - LEARNING_HOST=appsec-smartsync
+ - TUNING_HOST=appsec-tuning-svc
+ - https_proxy=${APPSEC_HTTPS_PROXY}
+ - user_email=${APPSEC_USER_EMAIL}
+ - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
+ - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+ - nginxproxymanager=true
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ - ${APPSEC_DATA}:/etc/cp/data
+ - ${APPSEC_LOGS}:/var/log/nano_agent
+ - ${APPSEC_LOCALCONFIG}:/ext/appsec
+ command: /cp-nano-agent
+
+ appsec-nginx-proxy-manager:
+ container_name: appsec-nginx-proxy-manager
+ image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION}
+ ipc: service:appsec-agent
+ restart: unless-stopped
+ ports:
+ - 80:80 # Public HTTP Port
+ - 443:443 # Public HTTPS Port
+ - 81:81 # Admin Web Port
+ volumes:
+ - ${NPM_DATA}:/data
+ - ${NPM_LETSENCRYPT}:/etc/letsencrypt
+ - ${APPSEC_LOGS}:/ext/appsec-logs
+ - ${APPSEC_LOCALCONFIG}:/ext/appsec
+
+ appsec-smartsync:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+ container_name: appsec-smartsync
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ restart: unless-stopped
+ depends_on:
+ - appsec-shared-storage
+
+ appsec-shared-storage:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+ container_name: appsec-shared-storage
+ ipc: service:appsec-agent
+ restart: unless-stopped
+## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+ user: root
+ volumes:
+ - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
+## instead of using local storage for local learning (see line above)
+## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
+## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
+# - learning_nfs:/db:z
+
+ appsec-tuning-svc:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
+ container_name: appsec-tuning-svc
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
+ - QUERY_DB_HOST=${APPSEC_DB_HOST}
+ - QUERY_DB_USER=${APPSEC_DB_USER}
+## only relevant when deploying own DB
+# - SSLMODE:
+ restart: unless-stopped
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ depends_on:
+ - appsec-shared-storage
+ - appsec-db
+
+ appsec-db:
+ profiles:
+ - standalone
+ image: postgres
+ container_name: appsec-db
+ restart: unless-stopped
+ environment:
+ - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
+ - POSTGRES_USER=${APPSEC_DB_USER}
+ volumes:
+ - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+ juiceshop-backend:
+ image: bkimminich/juice-shop:latest
+ container_name: juiceshop-backend
+ profiles:
+ - juiceshop
+
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+# driver: local
+# driver_opts:
+# type: nfs
+# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+# device: ":/"
diff --git a/deployment/docker-compose/nginx-unifed/docker-compose.yaml b/deployment/docker-compose/nginx-unifed/docker-compose.yaml
new file mode 100644
index 0000000..8d5c270
--- /dev/null
+++ b/deployment/docker-compose/nginx-unifed/docker-compose.yaml
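Review bot: In this variant the `appsec-nginx-proxy-manager` container mounts `${APPSEC_LOCALCONFIG}:/ext/appsec` read-write, the same host directory the agent reads its local policy from with `autoPolicyLoad` set, so the NPM web UI on port 81 is effectively the control plane for the WAF policy — anyone who reaches that UI can weaken or disable open-appsec for every proxied host. Publishing `81:81 # Admin Web Port` on all interfaces therefore matters more here than in the centrally-managed file; bind it as `- "127.0.0.1:81:81" # Admin Web Port` and add a comment above the two `/ext/...` mounts saying that they exist so the NPM UI can edit the local open-appsec policy and read the agent logs, and that the admin port must not be left reachable from the public side.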
@@ -0,0 +1,126 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec deployments of NGINX unified container +## + +version: "3.9" +services: + appsec-agent-nginx-unified: + image: ghcr.io/openappsec/agent-unified:${APPSEC_VERSION} + container_name: appsec-agent-nginx-unified + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + ipc: shareable + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + - ${NGINX_CONFIG}:/etc/nginx/conf.d +## advanced configuration - volume mount for nginx.conf file: +## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below +## make sure to include the line starting with "load_module" which loads the appsec attachment +## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container +# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf + ports: + - "80:80" + - "443:443" + command: /cp-nano-agent + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + 
environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent-nginx-unified + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + + +## 
advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/docker-compose/nginx-unifed/nginx-config/default.conf b/deployment/docker-compose/nginx-unifed/nginx-config/default.conf new file mode 100644 index 0000000..e3ca187 --- /dev/null +++ b/deployment/docker-compose/nginx-unifed/nginx-config/default.conf @@ -0,0 +1,47 @@ +server { + listen 80; + listen [::]:80; + server_name _; + + #access_log /var/log/nginx/host.access.log main; + + location / { + proxy_pass http://juiceshop-backend:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} 
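Review bot: The commented template `# - SSLMODE:` in the `appsec-tuning-svc` environment list does not work if simply uncommented: every other entry in that list is a `KEY=VALUE` string, and the trailing colon makes the item a one-key mapping rather than a string, which is not a valid list-form environment entry. Change it to `# - SSLMODE=<value>` so enabling it only requires removing the `#`; the same template appears in the `appsec-tuning-svc` sections of `deployment/docker-compose/swag/docker-compose.yaml` and `deployment/nginx/docker-compose.yaml` in this diff. Separately, `appsec-db` is the only service here whose image carries no tag (`image: postgres`) while the rest are pinned to `${APPSEC_VERSION}`; a later pull that lands on a new PostgreSQL major will refuse to start against the existing data directory in `${APPSEC_POSTGRES_STORAGE}`, so pin at least the major, e.g. `image: postgres:<major-version>`.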
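Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever `X-Forwarded-For` the client already sent, and since this `server` block is the first hop (the container publishes port 80 directly), a backend that reads the first address of that header receives a client-controlled value; `X-Real-IP $remote_addr` is the only header set here that carries the actual peer address. If the backend is meant to trust `X-Forwarded-For`, set it to `$remote_addr` instead, or document the contract above the location, e.g. `# X-Real-IP is the authoritative client address; X-Forwarded-For may contain client-supplied entries`. The same file content is added again as `deployment/nginx/nginx-config/default.conf` later in this diff, so whichever fix is chosen applies there too.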
diff --git a/deployment/docker-compose/swag/docker-compose.yaml b/deployment/docker-compose/swag/docker-compose.yaml
new file mode 100644
index 0000000..ecce3c2
--- /dev/null
+++ b/deployment/docker-compose/swag/docker-compose.yaml
@@ -0,0 +1,145 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with SWAG +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server=SWAG Server + ipc: shareable + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-swag: + image: ghcr.io/openappsec/swag-attachment:latest + container_name: appsec-swag + ipc: service:appsec-agent + restart: unless-stopped + cap_add: + - NET_ADMIN + environment: + - PUID=1000 + - PGID=1000 + - TZ=${SWAG_TZ} + - URL=${SWAG_URL} + - VALIDATION=${SWAG_VALIDATION} + - DNSPLUGIN=${SWAG_DNSPLUGIN} + - AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID} + - AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY} + - SUBDOMAINS=${SWAG_SUBDOMAINS} + - ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS} +## see https://docs.linuxserver.io/images/docker-swag/ for +## more cert generation/validation options + - STAGING=${SWAG_STAGING} + volumes: + - 
${SWAG_CONFIG}:/config + - ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs + - ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs + ports: + - 443:443 + - 80:80 ## optional + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + 
volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/docker-compose/swag/swag-nginx-site-confs/default.conf b/deployment/docker-compose/swag/swag-nginx-site-confs/default.conf new file mode 100644 index 0000000..9412c18 --- /dev/null +++ b/deployment/docker-compose/swag/swag-nginx-site-confs/default.conf 
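Review bot: `juiceshop-backend` at the end of this file has no `profiles:` entry, so a plain `docker compose up` starts the intentionally vulnerable test application by default, and `swag-proxy-confs/juiceshop.subfolder.conf` in this same diff maps it to `/` on the public HTTPS listener. The other compose files in this diff gate the same service behind `profiles: - juiceshop`; add `profiles:` / `  - juiceshop` under it here as well so it only runs when explicitly requested. As a point of style, the `ports` entries `- 443:443` and `- 80:80 ## optional` would be safer as quoted strings (`"443:443"`), which is the form the other compose files in this diff already use.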
@@ -0,0 +1,84 @@ +## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample + +# redirect all traffic to https +server { + listen 80 default_server; + listen [::]:80 default_server; + + location / { + return 301 https://$host$request_uri; + } +} + +# main server block +server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + + server_name _; + + include /config/nginx/ssl.conf; + +# root /config/www; +# index index.html index.htm index.php; + + # enable subfolder method reverse proxy confs + include /config/nginx/proxy-confs/*.subfolder.conf; + + # enable for ldap auth (requires ldap-location.conf in the location block) + #include /config/nginx/ldap-server.conf; + + # enable for Authelia (requires authelia-location.conf in the location block) + #include /config/nginx/authelia-server.conf; + + # enable for Authentik (requires authentik-location.conf in the location block) + #include /config/nginx/authentik-server.conf; + + #location / { + # enable for basic auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + # try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args; + #} + + location ~ ^(.+\.php)(.*)$ { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include 
/config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + fastcgi_split_path_info ^(.+\.php)(.*)$; + if (!-f $document_root$fastcgi_script_name) { return 404; } + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + + # deny access to .htaccess/.htpasswd files + location ~ /\.ht { + deny all; + } +} + +# enable subdomain method reverse proxy confs +include /config/nginx/proxy-confs/*.subdomain.conf; +# enable proxy cache for auth +proxy_cache_path cache/ keys_zone=auth_cache:10m; diff --git a/deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf b/deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf new file mode 100644 index 0000000..e94c276 --- /dev/null +++ b/deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf @@ -0,0 +1,22 @@ +location / { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app juiceshop-backend; + set $upstream_port 3000; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + +} diff --git a/deployment/nginx/docker-compose.yaml b/deployment/nginx/docker-compose.yaml new file mode 100644 index 0000000..aee9fca --- /dev/null +++ b/deployment/nginx/docker-compose.yaml 
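Review bot: The `location ~ ^(.+\.php)(.*)$` block is active even though nothing in this diff configures a PHP application: `root` is commented out and `/` is handed to the juice-shop proxy by `juiceshop.subfolder.conf`. Because a regex location takes precedence over the `location /` prefix match, any request whose path contains `.php` is diverted from the proxied backend to this handler and answered by the `-f` check with a local 404, so the backend never sees it and the request is handled by a code path the deployment does not intend to expose. Comment the block out, as the template already does for its own `location /`, or document why it stays, e.g. `# PHP handler inherited from the upstream SWAG template; unused in this deployment, kept for parity`.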
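Review bot: This proxy conf is picked up unconditionally by `include /config/nginx/proxy-confs/*.subfolder.conf;` in `swag-nginx-site-confs/default.conf` and routes the root path of the public HTTPS host to the juice-shop container, but unlike the compose files nothing in it says it is a lab-only example. Add a header line such as `# Example only: routes / to the intentionally vulnerable juice-shop test backend; replace with your own application before exposing this host.` so that whoever copies the directory does not ship it unchanged.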
@@ -0,0 +1,136 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with NGINX +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server="NGINX Server" + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-nginx: + image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION} + container_name: appsec-nginx + ipc: service:appsec-agent + restart: unless-stopped + volumes: + - ${NGINX_CONFIG}:/etc/nginx/conf.d + +## advanced configuration - volume mount for nginx.conf file: +## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below +## then specify a desired local folder for NGINX_CONF_FILE in the .env file. 
+## In the nginx.conf file make sure to include the line starting with "load_module" which loads the appsec attachment +## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container. +# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf + + ports: + - "80:80" + - "443:443" + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: 
appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/nginx/nginx-config/default.conf b/deployment/nginx/nginx-config/default.conf new file mode 100644 index 0000000..e3ca187 --- /dev/null +++ b/deployment/nginx/nginx-config/default.conf 
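Review bot: `- registered_server="NGINX Server"` in `appsec-agent` keeps the double quotes as part of the value: list-form `environment` entries are split at the first `=` and the remainder is passed through literally, and compose does not perform shell-style quote removal on them, so the agent should end up registering as `"NGINX Server"` including the quote characters. Write it as `- registered_server=NGINX Server`, the form `deployment/docker-compose/swag/docker-compose.yaml` in this diff already uses, or switch to the mapping form `registered_server: NGINX Server`.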
@@ -0,0 +1,47 @@ +server { + listen 80; + listen [::]:80; + server_name _; + + #access_log /var/log/nginx/host.access.log main; + + location / { + proxy_pass http://juiceshop-backend:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} diff --git a/deployment/swag/docker-compose.yaml b/deployment/swag/docker-compose.yaml new file mode 100644 index 0000000..dcd5fbf --- /dev/null +++ b/deployment/swag/docker-compose.yaml 
@@ -0,0 +1,46 @@ +services: + swag-attachment: + image: ghcr.io/openappsec/swag-attachment:latest + ipc: service:appsec-agent + restart: unless-stopped + container_name: swag-attachment + cap_add: + - NET_ADMIN + environment: + - PUID=1000 + - PGID=1000 + - TZ=Etc/UTC + - URL=yourdomain.url # replace yourdomain.url with your own domain + # make sure your domain's public IP resolves to + # the docker host for Let's Encrypt cert generation to succeed + - VALIDATION=http + # see https://docs.linuxserver.io/images/docker-swag/ for + # more cert generation/validation options + - STAGING=true # switch to 'false' after successful testing + volumes: + - ./swag-config:/config + ports: + - 443:443 + - 80:80 #optional + + appsec-agent: + container_name: appsec-agent + image: ghcr.io/openappsec/agent:latest + ipc: shareable + restart: unless-stopped + environment: + - user_email=user@email.com # adjust with your own email + - registered_server=SWAG Server + # if autoPolicyLoad is set to true, open-appsec will apply + # changes in local_policy.yaml automatically + - autoPolicyLoad=true + # To connect to open-appsec central management WebUI + ## create your WebUI profile at https://my.openappsec.io, + ## enforce policy, copy the profile token from WebUI and add it below + - AGENT_TOKEN= + volumes: + - ./appsec-config:/etc/cp/conf + - ./appsec-data:/etc/cp/data + - ./appsec-logs:/var/log/nano_agent + - ./appsec-localconfig:/ext/appsec + command: /cp-nano-agent
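Review bot: Both images here float on `:latest` (`swag-attachment:latest`, `agent:latest`) while the other compose files in this diff pin `${APPSEC_VERSION}`; an unpinned tag means a routine re-pull silently changes both the process in front of the site and the agent whose IPC namespace is shared with it, so pin a version tag or digest here too, e.g. `image: ghcr.io/openappsec/agent:<version>`. `swag-attachment` also declares `ipc: service:appsec-agent` without a `depends_on: - appsec-agent`, so unless compose infers the dependency from the `ipc` reference, start order is not guaranteed and the attachment can fail to start while the agent container is not yet running. `cap_add: - NET_ADMIN` is unexplained; state what needs it so it can be dropped when unused, e.g. `# NET_ADMIN: required only for <feature>; remove if that feature is not enabled`.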