github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
orianelou 2025-01-20 12:00:49 +02:00 committed by GitHub
parent b1731237d1
commit 923a8a804b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
18 changed files with 1453 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
deployment/apisix/apisix-example-config/apisix-standalone.yaml Normal file
View File

@ -0,0 +1,12 @@
# example local declarative configuration file for apisix in standalone mode
routes:
-
uri: /anything
upstream:
nodes:
"httpbin.org:80": 1
type: roundrobin
#END

47
deployment/apisix/docker-compose.yaml Normal file
View File

@ -0,0 +1,47 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
version: "3"
services:
apisix:
container_name: apisix
image: "ghcr.io/openappsec/apisix-attachment:latest"
ipc: host
restart: always
volumes:
- ./apisix-localconfig/apisix-standalone.yaml:/usr/local/apisix/conf/apisix.yaml:ro
environment:
- APISIX_STAND_ALONE=true
ports:
- "9180:9180/tcp"
- "9080:9080/tcp"
- "9091:9091/tcp"
- "9443:9443/tcp"
appsec-agent:
container_name: appsec-agent
image: 'ghcr.io/openappsec/agent:latest'
ipc: host
restart: unless-stopped
environment:
# adjust with your own email below
- user_email=user@email.com
- registered_server="APISIX Server"
- AGENT_TOKEN=<TOKEN>
volumes:
- ./appsec-config:/etc/cp/conf
- ./appsec-data:/etc/cp/data
- ./appsec-logs:/var/log/nano_agent
- ./appsec-localconfig:/ext/appsec
command: /cp-nano-agent

9
deployment/docker-compose/apisix/apisix-config/apisix.yaml Normal file
View File

@ -0,0 +1,9 @@
routes:
-
uri: /
upstream:
nodes:
"juiceshop-backend:3000": 1
type: roundrobin
#END

131
deployment/docker-compose/apisix/docker-compose.yaml Normal file
View File

@ -0,0 +1,131 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with APISIX
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=APISIX Server
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-apisix:
image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION}
container_name: appsec-apisix
ipc: service:appsec-agent
restart: always
environment:
- APISIX_STAND_ALONE=true
volumes:
- ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro
ports:
- "9080:9080/tcp" # HTTP API port
- "9443:9443/tcp" # HTTPS API port
- "9180:9180/tcp" # Admin API HTTP port
- "9091:9091/tcp" # Admin API HTTPS port
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: always
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: always
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: always
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: always
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

135
deployment/docker-compose/envoy/docker-compose.yaml Normal file
View File

@ -0,0 +1,135 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with Envoy
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server="Envoy Server"
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-envoy:
image: openappsec-envoy:${APPSEC_VERSION}
# for docs: image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}
container_name: appsec-envoy
ipc: service:appsec-agent
restart: unless-stopped
environment:
- ENVOY_UID=0
- CONCURRENCY_CALC=${ENVOY_CONCURRENCY_CALC}
- CONCURRENCY_NUMBER=${ENVOY_CONCURRENCY_NUMBER}
volumes:
- ${ENVOY_CONFIG}:/envoy.yaml
command: -c /envoy.yaml
## adjustment of threads is possible as follows:
# command: -c /envoy.yaml --concurrency ${ENVOY_CONCURRENCY}
ports:
- "80:80"
- "443:443"
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

56
deployment/docker-compose/envoy/envoy-config/envoy.yaml Normal file
View File

@ -0,0 +1,56 @@
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 80
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
http_filters:
## The following 10 lines are required to load the envoy attachment filter for open-appsec
- name: envoy.filters.http.golang
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
library_id: cp_nano_filter
library_path: "/usr/lib/libenvoy_attachment.so"
plugin_name: cp_nano_filter
plugin_config:
"@type": type.googleapis.com/xds.type.v3.TypedStruct
value:
prefix_localreply_body: "Configured local reply from go"
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
##
## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file.
##
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: juiceshop
clusters:
- name: juiceshop
type: STRICT_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: juiceshop
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: juiceshop-backend
port_value: 3000

135
deployment/docker-compose/kong/docker-compose.yaml Normal file
View File

@ -0,0 +1,135 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with Kong
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=Kong Server
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-kong:
image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
container_name: appsec-kong
ipc: service:appsec-agent
## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
## please make sure to have a valid config present in {KONG_CONFIG}:
environment:
- KONG_DATABASE=off
- KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml
volumes:
- ${KONG_CONFIG}:/opt/kong
restart: unless-stopped
ports:
- "8000:8000"
- "8443:8443"
- "127.0.0.1:8001:8001"
- "127.0.0.1:8444:8444"
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

9
deployment/docker-compose/kong/kong-config/kong.yaml Normal file
View File

@ -0,0 +1,9 @@
_format_version: "3.0"
services:
- name: juiceshop-service
url: http://juiceshop-backend:3000
routes:
- name: juiceshop-route
paths:
- /

132
deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml Normal file
View File

@ -0,0 +1,132 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX Proxy Manager
## with open-appsec management via central open-appsec WebUI (SaaS)
##
version: '3.9'
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
ipc: shareable
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- nginxproxymanager=true
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx-proxy-manager:
container_name: appsec-nginx-proxy-manager
image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION}
ipc: service:appsec-agent
restart: unless-stopped
ports:
- 80:80 # Public HTTP Port
- 443:443 # Public HTTPS Port
- 81:81 # Admin Web Port
volumes:
- ${NPM_DATA}:/data
- ${NPM_LETSENCRYPT}:/etc/letsencrypt
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

134
deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml Normal file
View File

@ -0,0 +1,134 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX Proxy Manager
## with open-appsec management via NGINX Proxy Manager WebUI
##
version: '3.9'
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
ipc: shareable
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- nginxproxymanager=true
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx-proxy-manager:
container_name: appsec-nginx-proxy-manager
image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION}
ipc: service:appsec-agent
restart: unless-stopped
ports:
- 80:80 # Public HTTP Port
- 443:443 # Public HTTPS Port
- 81:81 # Admin Web Port
volumes:
- ${NPM_DATA}:/data
- ${NPM_LETSENCRYPT}:/etc/letsencrypt
- ${APPSEC_LOGS}:/ext/appsec-logs
- ${APPSEC_LOCALCONFIG}:/ext/appsec
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

126
deployment/docker-compose/nginx-unifed/docker-compose.yaml Normal file
View File

@ -0,0 +1,126 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec deployments of NGINX unified container
##
version: "3.9"
services:
appsec-agent-nginx-unified:
image: ghcr.io/openappsec/agent-unified:${APPSEC_VERSION}
container_name: appsec-agent-nginx-unified
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
ipc: shareable
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
- ${NGINX_CONFIG}:/etc/nginx/conf.d
## advanced configuration - volume mount for nginx.conf file:
## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below
## make sure to include the line starting with "load_module" which loads the appsec attachment
## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container
# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
ports:
- "80:80"
- "443:443"
command: /cp-nano-agent
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent-nginx-unified
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

47
deployment/docker-compose/nginx-unifed/nginx-config/default.conf Normal file
View File

@ -0,0 +1,47 @@
server {
listen 80;
listen [::]:80;
server_name _;
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_pass http://juiceshop-backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

145
deployment/docker-compose/swag/docker-compose.yaml Normal file
View File

@ -0,0 +1,145 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with SWAG
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=SWAG Server
ipc: shareable
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-swag:
image: ghcr.io/openappsec/swag-attachment:latest
container_name: appsec-swag
ipc: service:appsec-agent
restart: unless-stopped
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=${SWAG_TZ}
- URL=${SWAG_URL}
- VALIDATION=${SWAG_VALIDATION}
- DNSPLUGIN=${SWAG_DNSPLUGIN}
- AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID}
- AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY}
- SUBDOMAINS=${SWAG_SUBDOMAINS}
- ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS}
## see https://docs.linuxserver.io/images/docker-swag/ for
## more cert generation/validation options
- STAGING=${SWAG_STAGING}
volumes:
- ${SWAG_CONFIG}:/config
- ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs
- ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs
ports:
- 443:443
- 80:80 ## optional
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

84
deployment/docker-compose/swag/swag-nginx-site-confs/default.conf Normal file
View File

@ -0,0 +1,84 @@
## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
# main server block
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
include /config/nginx/ssl.conf;
# root /config/www;
# index index.html index.htm index.php;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
#location / {
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
# try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
#}
location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

22
deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf Normal file
View File

@ -0,0 +1,22 @@
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app juiceshop-backend;
set $upstream_port 3000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}

136
deployment/nginx/docker-compose.yaml Normal file
View File

@ -0,0 +1,136 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server="NGINX Server"
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx:
image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION}
container_name: appsec-nginx
ipc: service:appsec-agent
restart: unless-stopped
volumes:
- ${NGINX_CONFIG}:/etc/nginx/conf.d
## advanced configuration - volume mount for nginx.conf file:
## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below
## then specify a desired local folder for NGINX_CONF_FILE in the .env file.
## In the nginx.conf file make sure to include the line starting with "load_module" which loads the appsec attachment
## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container.
# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
ports:
- "80:80"
- "443:443"
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

47
deployment/nginx/nginx-config/default.conf Normal file
View File

@ -0,0 +1,47 @@
server {
listen 80;
listen [::]:80;
server_name _;
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_pass http://juiceshop-backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

46
deployment/swag/docker-compose.yaml Normal file
View File

@ -0,0 +1,46 @@
services:
swag-attachment:
image: ghcr.io/openappsec/swag-attachment:latest
ipc: service:appsec-agent
restart: unless-stopped
container_name: swag-attachment
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
- URL=yourdomain.url # replace yourdomain.url with your own domain
# make sure your domain's public IP resolves to
# the docker host for Let's Encrypt cert generation to succeed
- VALIDATION=http
# see https://docs.linuxserver.io/images/docker-swag/ for
# more cert generation/validation options
- STAGING=true # switch to 'false' after successful testing
volumes:
- ./swag-config:/config
ports:
- 443:443
- 80:80 #optional
appsec-agent:
container_name: appsec-agent
image: ghcr.io/openappsec/agent:latest
ipc: shareable
restart: unless-stopped
environment:
- user_email=user@email.com # adjust with your own email
- registered_server=SWAG Server
# if autoPolicyLoad is set to true, open-appsec will apply
# changes in local_policy.yaml automatically
- autoPolicyLoad=true
# To connect to open-appsec central management WebUI
## create your WebUI profile at https://my.openappsec.io,
## enforce policy, copy the profile token from WebUI and add it below
- AGENT_TOKEN=
volumes:
- ./appsec-config:/etc/cp/conf
- ./appsec-data:/etc/cp/data
- ./appsec-logs:/var/log/nano_agent
- ./appsec-localconfig:/ext/appsec
command: /cp-nano-agent