diff --git a/deployment/APISIX/.env b/deployment/APISIX/.env deleted file mode 100644 index 6be06df..0000000 --- a/deployment/APISIX/.env +++ /dev/null 
@@ -1,55 +0,0 @@ -## .env file for docker-compose deployments of open-appsec integrated with APISIX -## for more info see https://docs.openappsec.io - -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig - -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing -## open-appsec configuration via open-appsec Web UI. -## You can optionally set it to true when using local, declarative management for open-appsec, -## declarative configuration will then get applied automatically when changed. -APPSEC_AUTO_POLICY_LOAD=false - -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= - -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data - -## Make sure to have a valid apisix configuration for APISIX in standalone mode in the following file: -## For deployment of a simple lab testing environment, you can deploy the example configuration provided -## for the vulnerable juice-shop container, see instructions further below. 
-APISIX_CONFIG=./apisix-config/apisix.yaml - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to also adjust the apisix.yaml file in APISIX_CONFIG folder -## to include route and node configuration for forwarding external traffic to the juiceshop-backend container -## (apisix listens by default for HTTP/HTTPS on port 9080/9443) -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/apisix.yaml -## in the appsec-apisix service definition -## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: -## COMPOSE_PROFILES=standalone,juiceshop diff --git a/deployment/APISIX/apisix-config/apisix.yaml b/deployment/APISIX/apisix-config/apisix.yaml deleted file mode 100644 index baa0928..0000000 --- a/deployment/APISIX/apisix-config/apisix.yaml +++ /dev/null @@ -1,9 +0,0 @@ -routes: - - - uri: / - upstream: - nodes: - "juiceshop-backend:3000": 1 - type: roundrobin - -#END diff --git a/deployment/APISIX/docker-compose.yaml b/deployment/APISIX/docker-compose.yaml deleted file mode 100644 index c416d9b..0000000 --- a/deployment/APISIX/docker-compose.yaml +++ /dev/null 
@@ -1,131 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec integrated with APISIX -## - -version: "3.9" -services: - appsec-agent: - image: ghcr.io/openappsec/agent:${APPSEC_VERSION} - container_name: appsec-agent - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - - registered_server=APISIX Server - ipc: shareable - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - command: /cp-nano-agent - - appsec-apisix: - image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION} - container_name: appsec-apisix - ipc: service:appsec-agent - restart: always - environment: - - APISIX_STAND_ALONE=true - volumes: - - ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro - ports: - - "9080:9080/tcp" # HTTP API port - - "9443:9443/tcp" # HTTPS API port - - "9180:9180/tcp" # Admin API HTTP port - - "9091:9091/tcp" # Admin API HTTPS port - - appsec-smartsync: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - restart: always - 
depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent - restart: always -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: always - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: always - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - container_name: juiceshop-backend - - -## advanced configuration: learning_nfs volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container 
configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/NGINX-Unified/.env b/deployment/NGINX-Unified/.env deleted file mode 100644 index f064232..0000000 --- a/deployment/NGINX-Unified/.env +++ /dev/null 
@@ -1,54 +0,0 @@ -## .env file for docker-compose deployments of open-appsec NGINX unified container -## for more info see https://docs.openappsec.io - -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig - -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing -## open-appsec configuration via open-appsec Web UI. -## You can optionally set it to true when using local, declarative management for open-appsec, -## declarative configuration will then get applied automatically when changed. -APPSEC_AUTO_POLICY_LOAD=false - -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= - -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data - -## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG. -## For deployment of a simple lab testing environment, you can deploy the example configuration provided -## for the vulnerable juice-shop container, see instructions further below. 
-NGINX_CONFIG=./nginx-config - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to also adjust the nginx.conf file in NGINX_CONFIG folder -## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/nginx/default.conf -## place the file above in NGINX_CONFIG folder -## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: -## COMPOSE_PROFILES=standalone,juiceshop diff --git a/deployment/NGINX-Unified/docker-compose.yaml b/deployment/NGINX-Unified/docker-compose.yaml deleted file mode 100644 index 8d5c270..0000000 --- a/deployment/NGINX-Unified/docker-compose.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec deployments of NGINX unified container -## - -version: "3.9" -services: - appsec-agent-nginx-unified: - image: ghcr.io/openappsec/agent-unified:${APPSEC_VERSION} - container_name: appsec-agent-nginx-unified - restart: unless-stopped - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - ipc: shareable - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - - ${NGINX_CONFIG}:/etc/nginx/conf.d -## advanced configuration - volume mount for nginx.conf file: -## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below -## make sure to include the line starting with "load_module" which loads the appsec attachment -## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container -# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf - ports: - - "80:80" - - "443:443" - command: /cp-nano-agent - - appsec-smartsync: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - 
environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - restart: unless-stopped - depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent-nginx-unified - restart: unless-stopped -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: unless-stopped - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - container_name: juiceshop-backend - profiles: - - juiceshop - - -## 
advanced configuration: learning_nfs volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/NGINX-Unified/nginx-config/default.conf b/deployment/NGINX-Unified/nginx-config/default.conf deleted file mode 100644 index e3ca187..0000000 --- a/deployment/NGINX-Unified/nginx-config/default.conf +++ /dev/null @@ -1,47 +0,0 @@ -server { - listen 80; - listen [::]:80; - server_name _; - - #access_log /var/log/nginx/host.access.log main; - - location / { - proxy_pass http://juiceshop-backend:3000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } - - #error_page 404 /404.html; - - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - - # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # - #location ~ \.php$ { - # proxy_pass http://127.0.0.1; - #} - - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - #location ~ \.php$ { - # root html; - # fastcgi_pass 127.0.0.1:9000; - # fastcgi_index index.php; - # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # include fastcgi_params; - #} - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} -} 
diff --git a/deployment/apisix/apisix-example-config/apisix-standalone.yaml b/deployment/apisix/apisix-example-config/apisix-standalone.yaml deleted file mode 100644 index 97ce7b7..0000000 --- a/deployment/apisix/apisix-example-config/apisix-standalone.yaml +++ /dev/null @@ -1,12 +0,0 @@ - -# example local declarative configuration file for apisix in standalone mode - -routes: - - - uri: /anything - upstream: - nodes: - "httpbin.org:80": 1 - type: roundrobin - -#END diff --git a/deployment/apisix/docker-compose.yaml b/deployment/apisix/docker-compose.yaml deleted file mode 100644 index 5047b56..0000000 --- a/deployment/apisix/docker-compose.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -version: "3" - -services: - apisix: - container_name: apisix - image: "ghcr.io/openappsec/apisix-attachment:latest" - ipc: host - restart: always - volumes: - - ./apisix-localconfig/apisix-standalone.yaml:/usr/local/apisix/conf/apisix.yaml:ro - environment: - - APISIX_STAND_ALONE=true - ports: - - "9180:9180/tcp" - - "9080:9080/tcp" - - "9091:9091/tcp" - - "9443:9443/tcp" - - appsec-agent: - container_name: appsec-agent - image: 'ghcr.io/openappsec/agent:latest' - ipc: host - restart: unless-stopped - environment: - # adjust with your own email below - - user_email=user@email.com - - registered_server="APISIX Server" - - AGENT_TOKEN= - volumes: - - ./appsec-config:/etc/cp/conf - - ./appsec-data:/etc/cp/data - - ./appsec-logs:/var/log/nano_agent - - ./appsec-localconfig:/ext/appsec - command: /cp-nano-agent diff --git a/deployment/docker-compose/envoy/docker-compose.yaml b/deployment/docker-compose/envoy/docker-compose.yaml deleted file mode 100644 index 11088b2..0000000 --- a/deployment/docker-compose/envoy/docker-compose.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec integrated with Envoy -## - -version: "3.9" -services: - appsec-agent: - image: ghcr.io/openappsec/agent:${APPSEC_VERSION} - container_name: appsec-agent - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - - registered_server="Envoy Server" - ipc: shareable - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - command: /cp-nano-agent - - appsec-envoy: - image: openappsec-envoy:${APPSEC_VERSION} -# for docs: image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION} - container_name: appsec-envoy - ipc: service:appsec-agent - restart: unless-stopped - environment: - - ENVOY_UID=0 - - CONCURRENCY_CALC=${ENVOY_CONCURRENCY_CALC} - - CONCURRENCY_NUMBER=${ENVOY_CONCURRENCY_NUMBER} - volumes: - - ${ENVOY_CONFIG}:/envoy.yaml - command: -c /envoy.yaml -## adjustment of threads is possible as follows: -# command: -c /envoy.yaml --concurrency ${ENVOY_CONCURRENCY} - - ports: - - "80:80" - - "443:443" - - appsec-smartsync: - profiles: - - standalone - image: 
ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - restart: unless-stopped - depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent - restart: unless-stopped -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: unless-stopped - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - 
container_name: juiceshop-backend - -## advanced configuration: learning_nfs volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/envoy/.env b/deployment/envoy/.env deleted file mode 100644 index e2e3ded..0000000 --- a/deployment/envoy/.env +++ /dev/null 
@@ -1,57 +0,0 @@ -## .env file for docker-compose deployments of open-appsec integrated with Envoy -## for more info see https://docs.openappsec.io - -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig - -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing -## open-appsec configuration via open-appsec Web UI. -## You can optionally set it to true when using local, declarative management for open-appsec, -## declarative configuration will then get applied automatically when changed. -APPSEC_AUTO_POLICY_LOAD=false - -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= - -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data - -ENVOY_CONCURRENCY_CALC=numOfCores ## Possible values: "numOfCores" (default), "custom" -ENVOY_CONCURRENCY_NUMBER="" - -## Make sure to have a valid envoy.yaml Envoy configuration file present in the path below. -## For deployment of a simple lab testing environment, you can deploy the example configuration provided -## for the vulnerable juice-shop container, see instructions further below. 
-ENVOY_CONFIG=./envoy-config/envoy.yaml - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to also adjust the envoy.yaml file in ENVOY_CONFIG path -## to add a routing configuration for forwarding external traffic on e.g. port 80 to the juiceshop-backend container -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/envoy/envoy.yaml -## place the file above in ENVOY_CONFIG path -## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: -## COMPOSE_PROFILES=standalone,juiceshop diff --git a/deployment/envoy/envoy-config/envoy.yaml b/deployment/envoy/envoy-config/envoy.yaml deleted file mode 100644 index 8ab8070..0000000 --- a/deployment/envoy/envoy-config/envoy.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -static_resources: - listeners: - - name: listener_0 - address: - socket_address: - address: 0.0.0.0 - port_value: 80 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - http_filters: - ## The following 10 lines are required to load the envoy attachment filter for open-appsec - - name: envoy.filters.http.golang - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config - library_id: cp_nano_filter - library_path: "/usr/lib/libenvoy_attachment.so" - plugin_name: cp_nano_filter - plugin_config: - "@type": type.googleapis.com/xds.type.v3.TypedStruct - value: - prefix_localreply_body: "Configured local reply from go" - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - -## -## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file. -## - route_config: - name: local_route - virtual_hosts: - - name: local_service - domains: ["*"] - routes: - - match: - prefix: "/" - route: - cluster: juiceshop - - clusters: - - name: juiceshop - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: juiceshop - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: juiceshop-backend - port_value: 3000 diff --git a/deployment/kong/.env b/deployment/kong/.env deleted file mode 100644 index b5471ec..0000000 --- a/deployment/kong/.env +++ /dev/null 
@@ -1,57 +0,0 @@ -## .env file for docker-compose deployments of open-appsec integrated with Kong -## for more info see https://docs.openappsec.io - -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig - -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing -## open-appsec configuration via open-appsec Web UI. -## You can optionally set it to true when using local, declarative management for open-appsec, -## declarative configuration will then get applied automatically when changed. -APPSEC_AUTO_POLICY_LOAD=false - -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= - -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data - -## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG. -## For deployment of a simple lab testing environment, you can deploy the example configuration provided -## for the vulnerable juice-shop container, see instructions further below. 
-KONG_CONFIG=./kong-config - -## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment -KONG_IMAGE=kong-attachment - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder -## to include service and route configuration for forwarding external traffic to the juiceshop-backend container -## (kong listens by default for HTTP/HTTPS on port 8000/8443) -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml -## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: -## COMPOSE_PROFILES=standalone,juiceshop diff --git a/deployment/kong/docker-compose.yaml b/deployment/kong/docker-compose.yaml deleted file mode 100644 index ad5c767..0000000 --- a/deployment/kong/docker-compose.yaml +++ /dev/null 
@@ -1,135 +0,0 @@
-# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##
-## Docker compose file for open-appsec integrated with Kong
-##
-
-version: "3.9"
-services:
- appsec-agent:
- image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
- container_name: appsec-agent
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - LEARNING_HOST=appsec-smartsync
- - TUNING_HOST=appsec-tuning-svc
- - https_proxy=${APPSEC_HTTPS_PROXY}
- - user_email=${APPSEC_USER_EMAIL}
- - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- - registered_server=Kong Server
- ipc: shareable
- restart: unless-stopped
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- - ${APPSEC_DATA}:/etc/cp/data
- - ${APPSEC_LOGS}:/var/log/nano_agent
- - ${APPSEC_LOCALCONFIG}:/ext/appsec
- command: /cp-nano-agent
-
- appsec-kong:
- image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
- container_name: appsec-kong
- ipc: service:appsec-agent
-## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
-## please make sure to have a valid config present in {KONG_CONFIG}:
- environment:
- - KONG_DATABASE=off
- - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml
- volumes:
- - ${KONG_CONFIG}:/opt/kong
- restart: unless-stopped
- ports:
- - "8000:8000"
- - "8443:8443"
- - "127.0.0.1:8001:8001"
- - "127.0.0.1:8444:8444"
-
- appsec-smartsync:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
- container_name: appsec-smartsync
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- restart: unless-stopped
- depends_on:
- - appsec-shared-storage
-
- appsec-shared-storage:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
- container_name: appsec-shared-storage
- ipc: service:appsec-agent
- restart: unless-stopped
-## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
-## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
- user: root
- volumes:
- - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
-## instead of using local storage for local learning (see line above)
-## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
-## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
-# - learning_nfs:/db:z
-
- appsec-tuning-svc:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
- container_name: appsec-tuning-svc
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- - QUERY_DB_HOST=${APPSEC_DB_HOST}
- - QUERY_DB_USER=${APPSEC_DB_USER}
-## only relevant when deploying own DB
-# - SSLMODE:
- restart: unless-stopped
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- depends_on:
- - appsec-shared-storage
- - appsec-db
-
- appsec-db:
- profiles:
- - standalone
- image: postgres
- container_name: appsec-db
- restart: unless-stopped
- environment:
- - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- - POSTGRES_USER=${APPSEC_DB_USER}
- volumes:
- - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
-
-## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
- juiceshop-backend:
- image: bkimminich/juice-shop:latest
- container_name: juiceshop-backend
- profiles:
- - juiceshop
-
-## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
-##
-## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
-##
-#volumes:
-# learning_nfs:
-# driver: local
-# driver_opts:
-# type: nfs
-# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
-# device: ":/"
diff --git a/deployment/kong/kong-config/kong.yaml b/deployment/kong/kong-config/kong.yaml
deleted file mode 100644
index 60c4c32..0000000
--- a/deployment/kong/kong-config/kong.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-_format_version: "3.0"
-
-services:
- - name: juiceshop-service
- url: http://juiceshop-backend:3000
- routes:
- - name: juiceshop-route
- paths:
- - /
diff --git a/deployment/nginx-proxy-manager-centrally-managed/.env b/deployment/nginx-proxy-manager-centrally-managed/.env
deleted file mode 100644
index 4795c2b..0000000
--- a/deployment/nginx-proxy-manager-centrally-managed/.env
+++ /dev/null
@@ -1,132 +0,0 @@
-# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##
-## Docker compose file for open-appsec integrated with NGINX Proxy Manager
-## with open-appsec management via central open-appsec WebUI (SaaS)
-##
-
-version: '3.9'
-
-services:
- appsec-agent:
- image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
- container_name: appsec-agent
- ipc: shareable
- restart: unless-stopped
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - LEARNING_HOST=appsec-smartsync
- - TUNING_HOST=appsec-tuning-svc
- - https_proxy=${APPSEC_HTTPS_PROXY}
- - user_email=${APPSEC_USER_EMAIL}
- - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- - nginxproxymanager=true
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- - ${APPSEC_DATA}:/etc/cp/data
- - ${APPSEC_LOGS}:/var/log/nano_agent
- - ${APPSEC_LOCALCONFIG}:/ext/appsec
- command: /cp-nano-agent
-
- appsec-nginx-proxy-manager:
- container_name: appsec-nginx-proxy-manager
- image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION}
- ipc: service:appsec-agent
- restart: unless-stopped
- ports:
- - 80:80 # Public HTTP Port
- - 443:443 # Public HTTPS Port
- - 81:81 # Admin Web Port
- volumes:
- - ${NPM_DATA}:/data
- - ${NPM_LETSENCRYPT}:/etc/letsencrypt
-
- appsec-smartsync:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
- container_name: appsec-smartsync
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- restart: unless-stopped
- depends_on:
- - appsec-shared-storage
-
- appsec-shared-storage:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
- container_name: appsec-shared-storage
- ipc: service:appsec-agent
- restart: unless-stopped
-## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
-## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
- user: root
- volumes:
- - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
-## instead of using local storage for local learning (see line above)
-## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
-## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
-# - learning_nfs:/db:z
-
- appsec-tuning-svc:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
- container_name: appsec-tuning-svc
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- - QUERY_DB_HOST=${APPSEC_DB_HOST}
- - QUERY_DB_USER=${APPSEC_DB_USER}
-## only relevant when deploying own DB
-# - SSLMODE:
- restart: unless-stopped
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- depends_on:
- - appsec-shared-storage
- - appsec-db
-
- appsec-db:
- profiles:
- - standalone
- image: postgres
- container_name: appsec-db
- restart: unless-stopped
- environment:
- - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- - POSTGRES_USER=${APPSEC_DB_USER}
- volumes:
- - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
-
-## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
- juiceshop-backend:
- image: bkimminich/juice-shop:latest
- container_name: juiceshop-backend
- profiles:
- - juiceshop
-
-## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
-##
-## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
-##
-#volumes:
-# learning_nfs:
-# driver: local
-# driver_opts:
-# type: nfs
-# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
-# device: ":/"
diff --git a/deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml b/deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml
deleted file mode 100644
index 4795c2b..0000000
--- a/deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml
+++ /dev/null
@@ -1,132 +0,0 @@
-# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##
-## Docker compose file for open-appsec integrated with NGINX Proxy Manager
-## with open-appsec management via central open-appsec WebUI (SaaS)
-##
-
-version: '3.9'
-
-services:
- appsec-agent:
- image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
- container_name: appsec-agent
- ipc: shareable
- restart: unless-stopped
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - LEARNING_HOST=appsec-smartsync
- - TUNING_HOST=appsec-tuning-svc
- - https_proxy=${APPSEC_HTTPS_PROXY}
- - user_email=${APPSEC_USER_EMAIL}
- - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- - nginxproxymanager=true
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- - ${APPSEC_DATA}:/etc/cp/data
- - ${APPSEC_LOGS}:/var/log/nano_agent
- - ${APPSEC_LOCALCONFIG}:/ext/appsec
- command: /cp-nano-agent
-
- appsec-nginx-proxy-manager:
- container_name: appsec-nginx-proxy-manager
- image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION}
- ipc: service:appsec-agent
- restart: unless-stopped
- ports:
- - 80:80 # Public HTTP Port
- - 443:443 # Public HTTPS Port
- - 81:81 # Admin Web Port
- volumes:
- - ${NPM_DATA}:/data
- - ${NPM_LETSENCRYPT}:/etc/letsencrypt
-
- appsec-smartsync:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
- container_name: appsec-smartsync
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- restart: unless-stopped
- depends_on:
- - appsec-shared-storage
-
- appsec-shared-storage:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
- container_name: appsec-shared-storage
- ipc: service:appsec-agent
- restart: unless-stopped
-## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
-## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
- user: root
- volumes:
- - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
-## instead of using local storage for local learning (see line above)
-## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
-## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
-# - learning_nfs:/db:z
-
- appsec-tuning-svc:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
- container_name: appsec-tuning-svc
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- - QUERY_DB_HOST=${APPSEC_DB_HOST}
- - QUERY_DB_USER=${APPSEC_DB_USER}
-## only relevant when deploying own DB
-# - SSLMODE:
- restart: unless-stopped
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- depends_on:
- - appsec-shared-storage
- - appsec-db
-
- appsec-db:
- profiles:
- - standalone
- image: postgres
- container_name: appsec-db
- restart: unless-stopped
- environment:
- - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- - POSTGRES_USER=${APPSEC_DB_USER}
- volumes:
- - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
-
-## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
- juiceshop-backend:
- image: bkimminich/juice-shop:latest
- container_name: juiceshop-backend
- profiles:
- - juiceshop
-
-## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
-##
-## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
-##
-#volumes:
-# learning_nfs:
-# driver: local
-# driver_opts:
-# type: nfs
-# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
-# device: ":/"
diff --git a/deployment/nginx-proxy-manager/.env b/deployment/nginx-proxy-manager/.env
deleted file mode 100644
index 129653f..0000000
--- a/deployment/nginx-proxy-manager/.env
+++ /dev/null
@@ -1,48 +0,0 @@
-## .env file for docker-compose deployments of open-appsec integrated with NGINX Proxy Manager
-## for more info see https://docs.openappsec.io
-
-APPSEC_VERSION=latest
-APPSEC_CONFIG=./appsec-config
-APPSEC_DATA=./appsec-data
-APPSEC_LOGS=./appsec-logs
-APPSEC_LOCALCONFIG=./appsec-localconfig
-
-## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to true for changes
-## of open-appsec configuration in the NGINX Proxy Manager WebUI to be applied automatically
-APPSEC_AUTO_POLICY_LOAD=true
-
-## Example for configuring HTTPS Proxy:
-## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
-APPSEC_HTTPS_PROXY=
-
-APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
-APPSEC_USER_EMAIL=user@email.com
-APPSEC_DB_PASSWORD=pass
-APPSEC_DB_USER=postgres
-APPSEC_DB_HOST=appsec-db
-APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-
-# Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file
-NPM_DATA=./data
-NPM_LETSENCRYPT=./letsencrypt
-
-## To connect your deployment to central open-appsec WebUI provide the token for a profile
-## which you created in open-appsec WebUI at https://my.openappsec.io
-## Example: APPSEC_AGENT_TOKEN=111-22222-111
-APPSEC_AGENT_TOKEN=
-
-## Important: When not providing token for connection to central WebUI:
-## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
-## sharing of learning between processes and allow you to perform tuning locally on CLI
-COMPOSE_PROFILES=
-
-## JUICE SHOP DEMO CONTAINER:
-## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
-## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
-
-## Make sure to also create a new proxy host in the NGINX Proxy Manager WebUI
-## which accepts traffic on http port 80 and proxies traffic to juiceshop-backend on port 3000.
-## note that juiceshop container listens on HTTP port 3000 by default
-
-## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
-## COMPOSE_PROFILES=standalone,juiceshop
diff --git a/deployment/nginx-proxy-manager/docker-compose.yaml b/deployment/nginx-proxy-manager/docker-compose.yaml
deleted file mode 100644
index fc80272..0000000
--- a/deployment/nginx-proxy-manager/docker-compose.yaml
+++ /dev/null
@@ -1,134 +0,0 @@
-# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##
-## Docker compose file for open-appsec integrated with NGINX Proxy Manager
-## with open-appsec management via NGINX Proxy Manager WebUI
-##
-
-version: '3.9'
-
-services:
- appsec-agent:
- image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
- container_name: appsec-agent
- ipc: shareable
- restart: unless-stopped
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - LEARNING_HOST=appsec-smartsync
- - TUNING_HOST=appsec-tuning-svc
- - https_proxy=${APPSEC_HTTPS_PROXY}
- - user_email=${APPSEC_USER_EMAIL}
- - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- - nginxproxymanager=true
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- - ${APPSEC_DATA}:/etc/cp/data
- - ${APPSEC_LOGS}:/var/log/nano_agent
- - ${APPSEC_LOCALCONFIG}:/ext/appsec
- command: /cp-nano-agent
-
- appsec-nginx-proxy-manager:
- container_name: appsec-nginx-proxy-manager
- image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION}
- ipc: service:appsec-agent
- restart: unless-stopped
- ports:
- - 80:80 # Public HTTP Port
- - 443:443 # Public HTTPS Port
- - 81:81 # Admin Web Port
- volumes:
- - ${NPM_DATA}:/data
- - ${NPM_LETSENCRYPT}:/etc/letsencrypt
- - ${APPSEC_LOGS}:/ext/appsec-logs
- - ${APPSEC_LOCALCONFIG}:/ext/appsec
-
- appsec-smartsync:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
- container_name: appsec-smartsync
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- restart: unless-stopped
- depends_on:
- - appsec-shared-storage
-
- appsec-shared-storage:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
- container_name: appsec-shared-storage
- ipc: service:appsec-agent
- restart: unless-stopped
-## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
-## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
- user: root
- volumes:
- - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
-## instead of using local storage for local learning (see line above)
-## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
-## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
-# - learning_nfs:/db:z
-
- appsec-tuning-svc:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
- container_name: appsec-tuning-svc
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- - QUERY_DB_HOST=${APPSEC_DB_HOST}
- - QUERY_DB_USER=${APPSEC_DB_USER}
-## only relevant when deploying own DB
-# - SSLMODE:
- restart: unless-stopped
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- depends_on:
- - appsec-shared-storage
- - appsec-db
-
- appsec-db:
- profiles:
- - standalone
- image: postgres
- container_name: appsec-db
- restart: unless-stopped
- environment:
- - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- - POSTGRES_USER=${APPSEC_DB_USER}
- volumes:
- - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
-
-## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
- juiceshop-backend:
- image: bkimminich/juice-shop:latest
- container_name: juiceshop-backend
- profiles:
- - juiceshop
-
-## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
-##
-## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
-##
-#volumes:
-# learning_nfs:
-# driver: local
-# driver_opts:
-# type: nfs
-# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
-# device: ":/"
diff --git a/deployment/nginx/.env b/deployment/nginx/.env
deleted file mode 100644
index 297335b..0000000
--- a/deployment/nginx/.env
+++ /dev/null
@@ -1,54 +0,0 @@
-## .env file for docker-compose deployments of open-appsec integrated with NGINX
-## for more info see https://docs.openappsec.io
-
-APPSEC_VERSION=latest
-APPSEC_CONFIG=./appsec-config
-APPSEC_DATA=./appsec-data
-APPSEC_LOGS=./appsec-logs
-APPSEC_LOCALCONFIG=./appsec-localconfig
-
-## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
-## open-appsec configuration via open-appsec Web UI.
-## You can optionally set it to true when using local, declarative management for open-appsec,
-## declarative configuration will then get applied automatically when changed.
-APPSEC_AUTO_POLICY_LOAD=false
-
-## Example for configuring HTTPS Proxy:
-## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
-APPSEC_HTTPS_PROXY=
-
-APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
-APPSEC_USER_EMAIL=user@email.com
-APPSEC_DB_PASSWORD=pass
-APPSEC_DB_USER=postgres
-APPSEC_DB_HOST=appsec-db
-APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-
-## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG.
-## For deployment of a simple lab testing environment, you can deploy the example configuration provided
-## for the vulnerable juice-shop container, see instructions further below.
-NGINX_CONFIG=./nginx-config
-
-## To connect your deployment to central open-appsec WebUI provide the token for a profile
-## which you created in open-appsec WebUI at https://my.openappsec.io
-## Example: APPSEC_AGENT_TOKEN=111-22222-111
-APPSEC_AGENT_TOKEN=
-
-## Important: When not providing token for connection to central WebUI:
-## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
-## sharing of learning between processes and allow you to perform tuning locally on CLI
-COMPOSE_PROFILES=
-
-## JUICE SHOP DEMO CONTAINER:
-## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
-## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
-
-## Make sure to also adjust the nginx.conf file in NGINX_CONFIG folder
-## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container
-## you can use the example file available here:
-## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/nginx/default.conf
-## place the file above in NGINX_CONFIG folder
-## note that juiceshop container listens on HTTP port 3000 by default
-
-## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
-## COMPOSE_PROFILES=standalone,juiceshop
diff --git a/deployment/nginx/docker-compose.yaml b/deployment/nginx/docker-compose.yaml
deleted file mode 100644
index aee9fca..0000000
--- a/deployment/nginx/docker-compose.yaml
+++ /dev/null
@@ -1,136 +0,0 @@
-# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##
-## Docker compose file for open-appsec integrated with NGINX
-##
-
-version: "3.9"
-services:
- appsec-agent:
- image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
- container_name: appsec-agent
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - LEARNING_HOST=appsec-smartsync
- - TUNING_HOST=appsec-tuning-svc
- - https_proxy=${APPSEC_HTTPS_PROXY}
- - user_email=${APPSEC_USER_EMAIL}
- - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- - registered_server="NGINX Server"
- ipc: shareable
- restart: unless-stopped
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- - ${APPSEC_DATA}:/etc/cp/data
- - ${APPSEC_LOGS}:/var/log/nano_agent
- - ${APPSEC_LOCALCONFIG}:/ext/appsec
- command: /cp-nano-agent
-
- appsec-nginx:
- image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION}
- container_name: appsec-nginx
- ipc: service:appsec-agent
- restart: unless-stopped
- volumes:
- - ${NGINX_CONFIG}:/etc/nginx/conf.d
-
-## advanced configuration - volume mount for nginx.conf file:
-## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below
-## then specify a desired local folder for NGINX_CONF_FILE in the .env file.
-## In the nginx.conf file make sure to include the line starting with "load_module" which loads the appsec attachment
-## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container.
-# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
-
- ports:
- - "80:80"
- - "443:443"
-
- appsec-smartsync:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
- container_name: appsec-smartsync
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- restart: unless-stopped
- depends_on:
- - appsec-shared-storage
-
- appsec-shared-storage:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
- container_name: appsec-shared-storage
- ipc: service:appsec-agent
- restart: unless-stopped
-## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
-## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
- user: root
- volumes:
- - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
-## instead of using local storage for local learning (see line above)
-## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
-## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
-# - learning_nfs:/db:z
-
- appsec-tuning-svc:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
- container_name: appsec-tuning-svc
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- - QUERY_DB_HOST=${APPSEC_DB_HOST}
- - QUERY_DB_USER=${APPSEC_DB_USER}
-## only relevant when deploying own DB
-# - SSLMODE:
- restart: unless-stopped
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- depends_on:
- - appsec-shared-storage
- - appsec-db
-
- appsec-db:
- profiles:
- - standalone
- image: postgres
- container_name: appsec-db
- restart: unless-stopped
- environment:
- - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- - POSTGRES_USER=${APPSEC_DB_USER}
- volumes:
- - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
-
-## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
- juiceshop-backend:
- image: bkimminich/juice-shop:latest
- container_name: juiceshop-backend
- profiles:
- - juiceshop
-
-## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
-##
-## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
-##
-#volumes:
-# learning_nfs:
-# driver: local
-# driver_opts:
-# type: nfs
-# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
-# device: ":/"
diff --git a/deployment/nginx/nginx-config/default.conf b/deployment/nginx/nginx-config/default.conf
deleted file mode 100644
index e3ca187..0000000
--- a/deployment/nginx/nginx-config/default.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
- server_name _;
-
- #access_log /var/log/nginx/host.access.log main;
-
- location / {
- proxy_pass http://juiceshop-backend:3000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- #error_page 404 /404.html;
-
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
-
- # proxy the PHP scripts to Apache listening on 127.0.0.1:80
- #
- #location ~ \.php$ {
- # proxy_pass http://127.0.0.1;
- #}
-
- # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- #
- #location ~ \.php$ {
- # root html;
- # fastcgi_pass 127.0.0.1:9000;
- # fastcgi_index index.php;
- # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
- # include fastcgi_params;
- #}
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
-}
diff --git a/deployment/swag-new/.env b/deployment/swag-new/.env
deleted file mode 100644
index ceb0326..0000000
--- a/deployment/swag-new/.env
+++ /dev/null
@@ -1,76 +0,0 @@
-## .env file for docker-compose deployments of open-appsec integrated with SWAG
-## for more info see https://docs.openappsec.io
-
-APPSEC_VERSION=latest
-APPSEC_CONFIG=./appsec-config
-APPSEC_DATA=./appsec-data
-APPSEC_LOGS=./appsec-logs
-APPSEC_LOCALCONFIG=./appsec-localconfig
-
-## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
-## open-appsec configuration via open-appsec Web UI.
-## You can optionally set it to true when using local, declarative management for open-appsec,
-## declarative configuration will then get applied automatically when changed.
-APPSEC_AUTO_POLICY_LOAD=false
-
-## Example for configuring HTTPS Proxy:
-## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
-APPSEC_HTTPS_PROXY=
-
-APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
-APPSEC_USER_EMAIL=user@email.com
-APPSEC_DB_PASSWORD=pass
-APPSEC_DB_USER=postgres
-APPSEC_DB_HOST=appsec-db
-APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-
-## Most relevant SWAG parameters have been moved here as well allowing configuration via .env file
-SWAG_CONFIG=./swag-config
-## Make sure to have a valid nginx config default.conf in SWAG_NGINX_SITE_CONFS folder
-SWAG_NGINX_SITE_CONFS=./swag-nginx-site-confs
-## Make sure to have valid *.conf proxy configuration in SWAG_NGINX_PROXY_CONFS folder
-SWAG_PROXY_CONFS=./swag-proxy-confs
-## For deployment of a simple lab testing environment, you can deploy the example configuration provided
-## for the vulnerable juice-shop container, see instructions further below.
-
-SWAG_TZ=Etc/UTC
-SWAG_VALIDATION=http # configure "http" or "dns" as validation modes
-SWAG_DNSPLUGIN="" # configure e.g.
"route53" or some other DNS Plugin supported by SWAG if you set "dns" above - -## Examples parameters for "route53" DNS plugin (AWS DNS service), you can add others here as required, -## when you do make sure to also add them to the docker compose file -SWAG_AWS_ACCESS_KEY_ID="" -SWAG_AWS_SECRET_ACCESS_KEY="" -## - -SWAG_STAGING=true ## switch to 'false' after successful testing -SWAG_URL=yourdomain.url -SWAG_SUBDOMAINS="" -SWAG_ONLY_SUBDOMAINS="" -## replace yourdomain.url with your own domain -## make sure your domain's public IP resolves to -## the docker host for Let's Encrypt cert generation to succeed - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to put a juiceshop.subfolder.conf file in SWAG_PROXY_CONFS folder -## for proxying external traffic to the juiceshop-backend container and also adjust the NGINX default.conf file in SWAG_NGINX_SITE_CONFS folder -## you can use the example files available here: -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/juiceshop.subfolder.conf -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/default.conf -## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. 
as shown here:
-## COMPOSE_PROFILES=standalone,juiceshop
diff --git a/deployment/swag-new/docker-compose.yaml b/deployment/swag-new/docker-compose.yaml
deleted file mode 100644
index ecce3c2..0000000
--- a/deployment/swag-new/docker-compose.yaml
+++ /dev/null
@@ -1,145 +0,0 @@
-# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##
-## Docker compose file for open-appsec integrated with SWAG
-##
-
-version: "3.9"
-services:
- appsec-agent:
- image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
- container_name: appsec-agent
- restart: unless-stopped
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - LEARNING_HOST=appsec-smartsync
- - TUNING_HOST=appsec-tuning-svc
- - https_proxy=${APPSEC_HTTPS_PROXY}
- - user_email=${APPSEC_USER_EMAIL}
- - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- - registered_server=SWAG Server
- ipc: shareable
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- - ${APPSEC_DATA}:/etc/cp/data
- - ${APPSEC_LOGS}:/var/log/nano_agent
- - ${APPSEC_LOCALCONFIG}:/ext/appsec
- command: /cp-nano-agent
-
- appsec-swag:
- image: ghcr.io/openappsec/swag-attachment:latest
- container_name: appsec-swag
- ipc: service:appsec-agent
- restart: unless-stopped
- cap_add:
- - NET_ADMIN
- environment:
- - PUID=1000
- - PGID=1000
- - TZ=${SWAG_TZ}
- - URL=${SWAG_URL}
- - VALIDATION=${SWAG_VALIDATION}
- - DNSPLUGIN=${SWAG_DNSPLUGIN}
- - AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID}
- - AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY}
- - SUBDOMAINS=${SWAG_SUBDOMAINS}
- - ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS}
-## see https://docs.linuxserver.io/images/docker-swag/ for
-## more cert generation/validation options
- - STAGING=${SWAG_STAGING}
- volumes:
- -
${SWAG_CONFIG}:/config
- - ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs
- - ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs
- ports:
- - 443:443
- - 80:80 ## optional
-
- appsec-smartsync:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
- container_name: appsec-smartsync
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- restart: unless-stopped
- depends_on:
- - appsec-shared-storage
-
- appsec-shared-storage:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
- container_name: appsec-shared-storage
- ipc: service:appsec-agent
- restart: unless-stopped
-## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
-## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
- user: root
- volumes:
- - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
-## instead of using local storage for local learning (see line above)
-## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
-## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
-# - learning_nfs:/db:z
-
- appsec-tuning-svc:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
- container_name: appsec-tuning-svc
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- - QUERY_DB_HOST=${APPSEC_DB_HOST}
- - QUERY_DB_USER=${APPSEC_DB_USER}
-## only relevant when deploying own DB
-# - SSLMODE:
- restart: unless-stopped
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- depends_on:
- - appsec-shared-storage
- - appsec-db
-
- appsec-db:
- profiles:
- - standalone
- image: postgres
- container_name: appsec-db
- restart: unless-stopped
- environment:
- - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- - POSTGRES_USER=${APPSEC_DB_USER}
-
volumes:
- - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
-
-## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
- juiceshop-backend:
- image: bkimminich/juice-shop:latest
- container_name: juiceshop-backend
-
-
-## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
-##
-## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
-##
-#volumes:
-# learning_nfs:
-# driver: local
-# driver_opts:
-# type: nfs
-# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
-# device: ":/"
diff --git a/deployment/swag-new/swag-nginx-site-confs/default.conf b/deployment/swag-new/swag-nginx-site-confs/default.conf
deleted file mode 100644
index 9412c18..0000000
--- a/deployment/swag-new/swag-nginx-site-confs/default.conf
+++ /dev/null
@@ -1,84 +0,0 @@
-## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
-
-# redirect all traffic to https
-server {
- listen 80 default_server;
- listen [::]:80 default_server;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-# main server block
-server {
- listen 443 ssl default_server;
- listen [::]:443 ssl default_server;
-
- server_name _;
-
- include /config/nginx/ssl.conf;
-
-# root /config/www;
-# index index.html index.htm index.php;
-
- # enable subfolder method reverse proxy confs
- include /config/nginx/proxy-confs/*.subfolder.conf;
-
- # enable for ldap auth (requires ldap-location.conf in the location block)
- #include /config/nginx/ldap-server.conf;
-
- # enable for Authelia (requires authelia-location.conf in the location block)
- #include /config/nginx/authelia-server.conf;
-
- # enable for Authentik (requires authentik-location.conf in the location block)
- #include /config/nginx/authentik-server.conf;
-
- #location / {
- # enable for basic auth
- #auth_basic "Restricted";
- #auth_basic_user_file /config/nginx/.htpasswd;
-
- # enable for ldap auth (requires ldap-server.conf in the server block)
- #include /config/nginx/ldap-location.conf;
-
- # enable for Authelia (requires authelia-server.conf in the server block)
- #include /config/nginx/authelia-location.conf;
-
- # enable for Authentik (requires authentik-server.conf in the server block)
- #include /config/nginx/authentik-location.conf;
-
- # try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
- #}
-
- location ~ ^(.+\.php)(.*)$ {
- # enable the next two lines for http auth
- #auth_basic "Restricted";
- #auth_basic_user_file /config/nginx/.htpasswd;
-
- # enable for ldap auth (requires ldap-server.conf in the server block)
- #include /config/nginx/ldap-location.conf;
-
- # enable for Authelia (requires authelia-server.conf in the server block)
- #include
/config/nginx/authelia-location.conf;
-
- # enable for Authentik (requires authentik-server.conf in the server block)
- #include /config/nginx/authentik-location.conf;
-
- fastcgi_split_path_info ^(.+\.php)(.*)$;
- if (!-f $document_root$fastcgi_script_name) { return 404; }
- fastcgi_pass 127.0.0.1:9000;
- fastcgi_index index.php;
- include /etc/nginx/fastcgi_params;
- }
-
- # deny access to .htaccess/.htpasswd files
- location ~ /\.ht {
- deny all;
- }
-}
-
-# enable subdomain method reverse proxy confs
-include /config/nginx/proxy-confs/*.subdomain.conf;
-# enable proxy cache for auth
-proxy_cache_path cache/ keys_zone=auth_cache:10m;
diff --git a/deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf b/deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf
deleted file mode 100644
index e94c276..0000000
--- a/deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-location / {
- # enable the next two lines for http auth
- #auth_basic "Restricted";
- #auth_basic_user_file /config/nginx/.htpasswd;
-
- # enable for ldap auth (requires ldap-server.conf in the server block)
- #include /config/nginx/ldap-location.conf;
-
- # enable for Authelia (requires authelia-server.conf in the server block)
- #include /config/nginx/authelia-location.conf;
-
- # enable for Authentik (requires authentik-server.conf in the server block)
- #include /config/nginx/authentik-location.conf;
-
- include /config/nginx/proxy.conf;
- include /config/nginx/resolver.conf;
- set $upstream_app juiceshop-backend;
- set $upstream_port 3000;
- set $upstream_proto http;
- proxy_pass $upstream_proto://$upstream_app:$upstream_port;
-
-}
diff --git a/deployment/swag/docker-compose.yaml b/deployment/swag/docker-compose.yaml
deleted file mode 100644
index dcd5fbf..0000000
--- a/deployment/swag/docker-compose.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-services:
- swag-attachment:
- image: ghcr.io/openappsec/swag-attachment:latest
- ipc: service:appsec-agent
- restart: unless-stopped
- container_name: swag-attachment
- cap_add:
- - NET_ADMIN
- environment:
- - PUID=1000
- - PGID=1000
- - TZ=Etc/UTC
- - URL=yourdomain.url # replace yourdomain.url with your own domain
- # make sure your domain's public IP resolves to
- # the docker host for Let's Encrypt cert generation to succeed
- - VALIDATION=http
- # see https://docs.linuxserver.io/images/docker-swag/ for
- # more cert generation/validation options
- - STAGING=true # switch to 'false' after successful testing
- volumes:
- - ./swag-config:/config
- ports:
- - 443:443
- - 80:80 #optional
-
- appsec-agent:
- container_name: appsec-agent
- image: ghcr.io/openappsec/agent:latest
- ipc: shareable
- restart: unless-stopped
- environment:
- - user_email=user@email.com # adjust with your own email
- - registered_server=SWAG Server
- # if autoPolicyLoad is set to true, open-appsec will apply
- # changes in local_policy.yaml automatically
- - autoPolicyLoad=true
- # To connect to open-appsec central management WebUI
- ## create your WebUI profile at https://my.openappsec.io,
- ## enforce policy, copy the profile token from WebUI and add it below
- - AGENT_TOKEN=
- volumes:
- - ./appsec-config:/etc/cp/conf
- - ./appsec-data:/etc/cp/data
- - ./appsec-logs:/var/log/nano_agent
- - ./appsec-localconfig:/ext/appsec
- command: /cp-nano-agent