github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

Delete deployment directory

Browse Source
This commit is contained in:
orianelou 2025-01-20 11:58:01 +02:00 committed by GitHub
parent 3d3d6e73b9
commit b1731237d1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
26 changed files with 0 additions and 1986 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
deployment/APISIX/.env
View File

@ -1,55 +0,0 @@
## .env file for docker-compose deployments of open-appsec integrated with APISIX
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
## Make sure to have a valid apisix configuration for APISIX in standalone mode in the following file:
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
APISIX_CONFIG=./apisix-config/apisix.yaml
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also adjust the apisix.yaml file in APISIX_CONFIG folder
## to include route and node configuration for forwarding external traffic to the juiceshop-backend container
## (apisix listens by default for HTTP/HTTPS on port 9080/9443)
## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/apisix.yaml
## in the appsec-apisix service definition
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

9
deployment/APISIX/apisix-config/apisix.yaml
View File

@ -1,9 +0,0 @@
routes:
-
uri: /
upstream:
nodes:
"juiceshop-backend:3000": 1
type: roundrobin
#END

131
deployment/APISIX/docker-compose.yaml
View File

@ -1,131 +0,0 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with APISIX
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=APISIX Server
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-apisix:
image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION}
container_name: appsec-apisix
ipc: service:appsec-agent
restart: always
environment:
- APISIX_STAND_ALONE=true
volumes:
- ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro
ports:
- "9080:9080/tcp" # HTTP API port
- "9443:9443/tcp" # HTTPS API port
- "9180:9180/tcp" # Admin API HTTP port
- "9091:9091/tcp" # Admin API HTTPS port
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: always
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: always
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: always
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: always
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

54
deployment/NGINX-Unified/.env
View File

@ -1,54 +0,0 @@
## .env file for docker-compose deployments of open-appsec NGINX unified container
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG.
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
NGINX_CONFIG=./nginx-config
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also adjust the nginx.conf file in NGINX_CONFIG folder
## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container
## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/nginx/default.conf
## place the file above in NGINX_CONFIG folder
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

126
deployment/NGINX-Unified/docker-compose.yaml
View File

@ -1,126 +0,0 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec deployments of NGINX unified container
##
version: "3.9"
services:
appsec-agent-nginx-unified:
image: ghcr.io/openappsec/agent-unified:${APPSEC_VERSION}
container_name: appsec-agent-nginx-unified
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
ipc: shareable
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
- ${NGINX_CONFIG}:/etc/nginx/conf.d
## advanced configuration - volume mount for nginx.conf file:
## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below
## make sure to include the line starting with "load_module" which loads the appsec attachment
## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container
# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
ports:
- "80:80"
- "443:443"
command: /cp-nano-agent
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent-nginx-unified
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

47
deployment/NGINX-Unified/nginx-config/default.conf
View File

@ -1,47 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name _;
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_pass http://juiceshop-backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

12
deployment/apisix/apisix-example-config/apisix-standalone.yaml
View File

@ -1,12 +0,0 @@
# example local declarative configuration file for apisix in standalone mode
routes:
-
uri: /anything
upstream:
nodes:
"httpbin.org:80": 1
type: roundrobin
#END

47
deployment/apisix/docker-compose.yaml
View File

@ -1,47 +0,0 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
version: "3"
services:
apisix:
container_name: apisix
image: "ghcr.io/openappsec/apisix-attachment:latest"
ipc: host
restart: always
volumes:
- ./apisix-localconfig/apisix-standalone.yaml:/usr/local/apisix/conf/apisix.yaml:ro
environment:
- APISIX_STAND_ALONE=true
ports:
- "9180:9180/tcp"
- "9080:9080/tcp"
- "9091:9091/tcp"
- "9443:9443/tcp"
appsec-agent:
container_name: appsec-agent
image: 'ghcr.io/openappsec/agent:latest'
ipc: host
restart: unless-stopped
environment:
# adjust with your own email below
- user_email=user@email.com
- registered_server="APISIX Server"
- AGENT_TOKEN=<TOKEN>
volumes:
- ./appsec-config:/etc/cp/conf
- ./appsec-data:/etc/cp/data
- ./appsec-logs:/var/log/nano_agent
- ./appsec-localconfig:/ext/appsec
command: /cp-nano-agent

135
deployment/docker-compose/envoy/docker-compose.yaml
View File

@ -1,135 +0,0 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with Envoy
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server="Envoy Server"
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-envoy:
image: openappsec-envoy:${APPSEC_VERSION}
# for docs: image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}
container_name: appsec-envoy
ipc: service:appsec-agent
restart: unless-stopped
environment:
- ENVOY_UID=0
- CONCURRENCY_CALC=${ENVOY_CONCURRENCY_CALC}
- CONCURRENCY_NUMBER=${ENVOY_CONCURRENCY_NUMBER}
volumes:
- ${ENVOY_CONFIG}:/envoy.yaml
command: -c /envoy.yaml
## adjustment of threads is possible as follows:
# command: -c /envoy.yaml --concurrency ${ENVOY_CONCURRENCY}
ports:
- "80:80"
- "443:443"
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

57
deployment/envoy/.env
View File

@ -1,57 +0,0 @@
## .env file for docker-compose deployments of open-appsec integrated with Envoy
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
ENVOY_CONCURRENCY_CALC=numOfCores ## Possible values: "numOfCores" (default), "custom"
ENVOY_CONCURRENCY_NUMBER=""
## Make sure to have a valid envoy.yaml Envoy configuration file present in the path below.
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
ENVOY_CONFIG=./envoy-config/envoy.yaml
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also adjust the envoy.yaml file in ENVOY_CONFIG path
## to add a routing configuration for forwarding external traffic on e.g. port 80 to the juiceshop-backend container
## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/envoy/envoy.yaml
## place the file above in ENVOY_CONFIG path
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

56
deployment/envoy/envoy-config/envoy.yaml
View File

@ -1,56 +0,0 @@
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 80
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
http_filters:
## The following 10 lines are required to load the envoy attachment filter for open-appsec
- name: envoy.filters.http.golang
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
library_id: cp_nano_filter
library_path: "/usr/lib/libenvoy_attachment.so"
plugin_name: cp_nano_filter
plugin_config:
"@type": type.googleapis.com/xds.type.v3.TypedStruct
value:
prefix_localreply_body: "Configured local reply from go"
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
##
## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file.
##
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: juiceshop
clusters:
- name: juiceshop
type: STRICT_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: juiceshop
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: juiceshop-backend
port_value: 3000

57
deployment/kong/.env
View File

@ -1,57 +0,0 @@
## .env file for docker-compose deployments of open-appsec integrated with Kong
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
KONG_CONFIG=./kong-config
## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment
KONG_IMAGE=kong-attachment
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder
## to include service and route configuration for forwarding external traffic to the juiceshop-backend container
## (kong listens by default for HTTP/HTTPS on port 8000/8443)
## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

135
deployment/kong/docker-compose.yaml
View File

@ -1,135 +0,0 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with Kong
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=Kong Server
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-kong:
image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
container_name: appsec-kong
ipc: service:appsec-agent
## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
## please make sure to have a valid config present in {KONG_CONFIG}:
environment:
- KONG_DATABASE=off
- KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml
volumes:
- ${KONG_CONFIG}:/opt/kong
restart: unless-stopped
ports:
- "8000:8000"
- "8443:8443"
- "127.0.0.1:8001:8001"
- "127.0.0.1:8444:8444"
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

9
deployment/kong/kong-config/kong.yaml
View File

@ -1,9 +0,0 @@
_format_version: "3.0"
services:
- name: juiceshop-service
url: http://juiceshop-backend:3000
routes:
- name: juiceshop-route
paths:
- /

132
deployment/nginx-proxy-manager-centrally-managed/.env
View File

@ -1,132 +0,0 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX Proxy Manager
## with open-appsec management via central open-appsec WebUI (SaaS)
##
version: '3.9'
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
ipc: shareable
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- nginxproxymanager=true
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx-proxy-manager:
container_name: appsec-nginx-proxy-manager
image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION}
ipc: service:appsec-agent
restart: unless-stopped
ports:
- 80:80 # Public HTTP Port
- 443:443 # Public HTTPS Port
- 81:81 # Admin Web Port
volumes:
- ${NPM_DATA}:/data
- ${NPM_LETSENCRYPT}:/etc/letsencrypt
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

132
deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml
View File

@ -1,132 +0,0 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX Proxy Manager
## with open-appsec management via central open-appsec WebUI (SaaS)
##
version: '3.9'
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
ipc: shareable
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- nginxproxymanager=true
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx-proxy-manager:
container_name: appsec-nginx-proxy-manager
image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION}
ipc: service:appsec-agent
restart: unless-stopped
ports:
- 80:80 # Public HTTP Port
- 443:443 # Public HTTPS Port
- 81:81 # Admin Web Port
volumes:
- ${NPM_DATA}:/data
- ${NPM_LETSENCRYPT}:/etc/letsencrypt
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

48
deployment/nginx-proxy-manager/.env
View File

@ -1,48 +0,0 @@
## .env file for docker-compose deployments of open-appsec integrated with NGINX Proxy Manager
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to true for changes
## of open-appsec configuration in the NGINX Proxy Manager WebUI to be applied automatically
APPSEC_AUTO_POLICY_LOAD=true
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
# Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file
NPM_DATA=./data
NPM_LETSENCRYPT=./letsencrypt
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also create a new proxy host in the NGINX Proxy Manager WebUI
## which accepts traffic on http port 80 and proxies traffic to juiceshop-backend on port 3000.
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

134
deployment/nginx-proxy-manager/docker-compose.yaml
View File

@ -1,134 +0,0 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX Proxy Manager
## with open-appsec management via NGINX Proxy Manager WebUI
##
version: '3.9'
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
ipc: shareable
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- nginxproxymanager=true
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx-proxy-manager:
container_name: appsec-nginx-proxy-manager
image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION}
ipc: service:appsec-agent
restart: unless-stopped
ports:
- 80:80 # Public HTTP Port
- 443:443 # Public HTTPS Port
- 81:81 # Admin Web Port
volumes:
- ${NPM_DATA}:/data
- ${NPM_LETSENCRYPT}:/etc/letsencrypt
- ${APPSEC_LOGS}:/ext/appsec-logs
- ${APPSEC_LOCALCONFIG}:/ext/appsec
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

54
deployment/nginx/.env
View File

@ -1,54 +0,0 @@
## .env file for docker-compose deployments of open-appsec integrated with NGINX
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG.
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
NGINX_CONFIG=./nginx-config
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also adjust the nginx.conf file in NGINX_CONFIG folder
## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container
## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/nginx/default.conf
## place the file above in NGINX_CONFIG folder
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

136
deployment/nginx/docker-compose.yaml
View File

@ -1,136 +0,0 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server="NGINX Server"
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx:
image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION}
container_name: appsec-nginx
ipc: service:appsec-agent
restart: unless-stopped
volumes:
- ${NGINX_CONFIG}:/etc/nginx/conf.d
## advanced configuration - volume mount for nginx.conf file:
## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below
## then specify a desired local folder for NGINX_CONF_FILE in the .env file.
## In the nginx.conf file make sure to include the line starting with "load_module" which loads the appsec attachment
## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container.
# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
ports:
- "80:80"
- "443:443"
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

47
deployment/nginx/nginx-config/default.conf
View File

@ -1,47 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name _;
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_pass http://juiceshop-backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

76
deployment/swag-new/.env
View File

@ -1,76 +0,0 @@
## .env file for docker-compose deployments of open-appsec integrated with SWAG
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
## Most relevant SWAG parameters have been moved here as well allowing configuration via .env file
SWAG_CONFIG=./swag-config
## Make sure to have a valid nginx config default.conf in SWAG_NGINX_SITE_CONFS folder
SWAG_NGINX_SITE_CONFS=./swag-nginx-site-confs
## Make sure to have valid *.conf proxy configuration in SWAG_NGINX_PROXY_CONFS folder
SWAG_PROXY_CONFS=./swag-proxy-confs
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
SWAG_TZ=Etc/UTC
SWAG_VALIDATION=http # configure "http" or "dns" as validation modes
SWAG_DNSPLUGIN="" # configure e.g. "route53" or some other DNS Plugin supported by SWAG if you set "dns" above
## Examples parameters for "route53" DNS plugin (AWS DNS service), you can add others here as required,
## when you do make sure to also add them to the docker compose file
SWAG_AWS_ACCESS_KEY_ID=""
SWAG_AWS_SECRET_ACCESS_KEY=""
##
SWAG_STAGING=true ## switch to 'false' after successful testing
SWAG_URL=yourdomain.url
SWAG_SUBDOMAINS=""
SWAG_ONLY_SUBDOMAINS=""
## replace yourdomain.url with your own domain
## make sure your domain's public IP resolves to
## the docker host for Let's Encrypt cert generation to succeed
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to put a juiceshop.subfolder.conf file in SWAG_PROXY_CONFS folder
## for proxying external traffic to the juiceshop-backend container and also adjust the NGINX default.conf file in SWAG_NGINX_SITE_CONFS folder
## you can use the example files available here:
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/juiceshop.subfolder.conf
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/default.conf
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

145
deployment/swag-new/docker-compose.yaml
View File

@ -1,145 +0,0 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with SWAG
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=SWAG Server
ipc: shareable
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-swag:
image: ghcr.io/openappsec/swag-attachment:latest
container_name: appsec-swag
ipc: service:appsec-agent
restart: unless-stopped
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=${SWAG_TZ}
- URL=${SWAG_URL}
- VALIDATION=${SWAG_VALIDATION}
- DNSPLUGIN=${SWAG_DNSPLUGIN}
- AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID}
- AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY}
- SUBDOMAINS=${SWAG_SUBDOMAINS}
- ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS}
## see https://docs.linuxserver.io/images/docker-swag/ for
## more cert generation/validation options
- STAGING=${SWAG_STAGING}
volumes:
- ${SWAG_CONFIG}:/config
- ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs
- ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs
ports:
- 443:443
- 80:80 ## optional
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

84
deployment/swag-new/swag-nginx-site-confs/default.conf
View File

@ -1,84 +0,0 @@
## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
# main server block
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
include /config/nginx/ssl.conf;
# root /config/www;
# index index.html index.htm index.php;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
#location / {
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
# try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
#}
location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

22
deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf
View File

@ -1,22 +0,0 @@
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app juiceshop-backend;
set $upstream_port 3000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}

46
deployment/swag/docker-compose.yaml
View File

@ -1,46 +0,0 @@
services:
swag-attachment:
image: ghcr.io/openappsec/swag-attachment:latest
ipc: service:appsec-agent
restart: unless-stopped
container_name: swag-attachment
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
- URL=yourdomain.url # replace yourdomain.url with your own domain
# make sure your domain's public IP resolves to
# the docker host for Let's Encrypt cert generation to succeed
- VALIDATION=http
# see https://docs.linuxserver.io/images/docker-swag/ for
# more cert generation/validation options
- STAGING=true # switch to 'false' after successful testing
volumes:
- ./swag-config:/config
ports:
- 443:443
- 80:80 #optional
appsec-agent:
container_name: appsec-agent
image: ghcr.io/openappsec/agent:latest
ipc: shareable
restart: unless-stopped
environment:
- user_email=user@email.com # adjust with your own email
- registered_server=SWAG Server
# if autoPolicyLoad is set to true, open-appsec will apply
# changes in local_policy.yaml automatically
- autoPolicyLoad=true
# To connect to open-appsec central management WebUI
## create your WebUI profile at https://my.openappsec.io,
## enforce policy, copy the profile token from WebUI and add it below
- AGENT_TOKEN=
volumes:
- ./appsec-config:/etc/cp/conf
- ./appsec-data:/etc/cp/data
- ./appsec-logs:/var/log/nano_agent
- ./appsec-localconfig:/ext/appsec
command: /cp-nano-agent