Add files via upload

2025-09-29 19:24:26 +03:00 · 2025-01-20 12:00:49 +02:00
parent b1731237d1
commit 923a8a804b
18 changed files with 1453 additions and 0 deletions
--- a/deployment/docker-compose/swag/docker-compose.yaml
+++ b/deployment/docker-compose/swag/docker-compose.yaml
@@ -0,0 +1,145 @@
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+## Docker compose file for open-appsec integrated with SWAG
+##
+
+version: "3.9"
+services:
+  appsec-agent:
+    image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+    container_name: appsec-agent
+    restart: unless-stopped
+    environment:
+      - SHARED_STORAGE_HOST=appsec-shared-storage
+      - LEARNING_HOST=appsec-smartsync
+      - TUNING_HOST=appsec-tuning-svc
+      - https_proxy=${APPSEC_HTTPS_PROXY}
+      - user_email=${APPSEC_USER_EMAIL}
+      - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
+      - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+      - registered_server=SWAG Server
+    ipc: shareable
+    volumes:
+      - ${APPSEC_CONFIG}:/etc/cp/conf
+      - ${APPSEC_DATA}:/etc/cp/data
+      - ${APPSEC_LOGS}:/var/log/nano_agent
+      - ${APPSEC_LOCALCONFIG}:/ext/appsec
+    command: /cp-nano-agent
+
+  appsec-swag:
+    image: ghcr.io/openappsec/swag-attachment:latest
+    container_name: appsec-swag
+    ipc: service:appsec-agent
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=${SWAG_TZ}
+      - URL=${SWAG_URL}
+      - VALIDATION=${SWAG_VALIDATION}
+      - DNSPLUGIN=${SWAG_DNSPLUGIN}
+      - AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID}
+      - AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY}
+      - SUBDOMAINS=${SWAG_SUBDOMAINS}
+      - ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS}
+## see https://docs.linuxserver.io/images/docker-swag/ for
+## more cert generation/validation options
+      - STAGING=${SWAG_STAGING}
+    volumes:
+      - ${SWAG_CONFIG}:/config
+      - ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs
+      - ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs
+    ports:
+      - 443:443
+      - 80:80 ## optional
+
+  appsec-smartsync:
+    profiles:
+      - standalone
+    image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+    container_name: appsec-smartsync
+    environment:
+      - SHARED_STORAGE_HOST=appsec-shared-storage
+    restart: unless-stopped
+    depends_on:
+      - appsec-shared-storage
+
+  appsec-shared-storage:
+    profiles:
+      - standalone
+    image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+    container_name: appsec-shared-storage
+    ipc: service:appsec-agent
+    restart: unless-stopped
+## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+    user: root
+    volumes:
+      - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
+## instead of using local storage for local learning (see line above)
+## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
+## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) 
+#     - learning_nfs:/db:z
+
+  appsec-tuning-svc:
+    profiles:
+      - standalone
+    image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
+    container_name: appsec-tuning-svc
+    environment:
+      - SHARED_STORAGE_HOST=appsec-shared-storage
+      - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
+      - QUERY_DB_HOST=${APPSEC_DB_HOST}
+      - QUERY_DB_USER=${APPSEC_DB_USER}
+## only relevant when deploying own DB 
+#     - SSLMODE:
+    restart: unless-stopped
+    volumes:
+      - ${APPSEC_CONFIG}:/etc/cp/conf
+    depends_on:
+      - appsec-shared-storage
+      - appsec-db
+      
+  appsec-db:
+    profiles:
+      - standalone
+    image: postgres
+    container_name: appsec-db
+    restart: unless-stopped
+    environment:
+      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
+      - POSTGRES_USER=${APPSEC_DB_USER} 
+    volumes:
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+  juiceshop-backend:
+    image: bkimminich/juice-shop:latest
+    container_name: juiceshop-backend
+
+
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+#   driver: local
+#   driver_opts:
+#     type: nfs
+#     o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+#     device: ":/"
--- a/deployment/docker-compose/swag/swag-nginx-site-confs/default.conf
+++ b/deployment/docker-compose/swag/swag-nginx-site-confs/default.conf
@@ -0,0 +1,84 @@
+## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+
+# redirect all traffic to https
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# main server block
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    server_name _;
+
+    include /config/nginx/ssl.conf;
+
+#    root /config/www;
+#    index index.html index.htm index.php;
+
+    # enable subfolder method reverse proxy confs
+    include /config/nginx/proxy-confs/*.subfolder.conf;
+
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
+
+    # enable for Authelia (requires authelia-location.conf in the location block)
+    #include /config/nginx/authelia-server.conf;
+
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
+    #location / {
+        # enable for basic auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+    #    try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+    #}
+
+    location ~ ^(.+\.php)(.*)$ {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        fastcgi_split_path_info ^(.+\.php)(.*)$;
+        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }
+
+    # deny access to .htaccess/.htpasswd files
+    location ~ /\.ht {
+        deny all;
+    }
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
--- a/deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf
+++ b/deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf
@@ -0,0 +1,22 @@
+location / {
+    # enable the next two lines for http auth
+    #auth_basic "Restricted";
+    #auth_basic_user_file /config/nginx/.htpasswd;
+
+    # enable for ldap auth (requires ldap-server.conf in the server block)
+    #include /config/nginx/ldap-location.conf;
+
+    # enable for Authelia (requires authelia-server.conf in the server block)
+    #include /config/nginx/authelia-location.conf;
+
+    # enable for Authentik (requires authentik-server.conf in the server block)
+    #include /config/nginx/authentik-location.conf;
+
+    include /config/nginx/proxy.conf;
+    include /config/nginx/resolver.conf;
+    set $upstream_app juiceshop-backend;
+    set $upstream_port 3000;
+    set $upstream_proto http;
+    proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+}