From d14fa7a4689101497a39d0eaa4a8f8747a95dacc Mon Sep 17 00:00:00 2001
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 13 Jan 2025 14:13:23 +0200
Subject: [PATCH] Update docker-compose.yaml
---
deployment/kong/docker-compose.yaml | 170 ++++++++--------------------
1 file changed, 46 insertions(+), 124 deletions(-)
diff --git a/deployment/kong/docker-compose.yaml b/deployment/kong/docker-compose.yaml
index ad5c767..b5471ec 100644
--- a/deployment/kong/docker-compose.yaml
+++ b/deployment/kong/docker-compose.yaml
@@ -1,135 +1,57 @@
-# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+## .env file for docker-compose deployments of open-appsec integrated with Kong
+## for more info see https://docs.openappsec.io
-# Licensed under the Apache License, Version 2.0 (the "License");
-# You may obtain a copy of the License at
+APPSEC_VERSION=latest
+APPSEC_CONFIG=./appsec-config
+APPSEC_DATA=./appsec-data
+APPSEC_LOGS=./appsec-logs
+APPSEC_LOCALCONFIG=./appsec-localconfig
-# http://www.apache.org/licenses/LICENSE-2.0
+## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
+## open-appsec configuration via open-appsec Web UI.
+## You can optionally set it to true when using local, declarative management for open-appsec,
+## declarative configuration will then get applied automatically when changed.
+APPSEC_AUTO_POLICY_LOAD=false
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+## Example for configuring HTTPS Proxy:
+## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
+APPSEC_HTTPS_PROXY=
-##
-## Docker compose file for open-appsec integrated with Kong
-##
+APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
+APPSEC_USER_EMAIL=user@email.com
+APPSEC_DB_PASSWORD=pass
+APPSEC_DB_USER=postgres
+APPSEC_DB_HOST=appsec-db
+APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-version: "3.9"
-services:
- appsec-agent:
- image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
- container_name: appsec-agent
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - LEARNING_HOST=appsec-smartsync
- - TUNING_HOST=appsec-tuning-svc
- - https_proxy=${APPSEC_HTTPS_PROXY}
- - user_email=${APPSEC_USER_EMAIL}
- - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- - registered_server=Kong Server
- ipc: shareable
- restart: unless-stopped
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- - ${APPSEC_DATA}:/etc/cp/data
- - ${APPSEC_LOGS}:/var/log/nano_agent
- - ${APPSEC_LOCALCONFIG}:/ext/appsec
- command: /cp-nano-agent
+## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
+## For deployment of a simple lab testing environment, you can deploy the example configuration provided
+## for the vulnerable juice-shop container, see instructions further below.
+KONG_CONFIG=./kong-config
- appsec-kong:
- image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
- container_name: appsec-kong
- ipc: service:appsec-agent
-## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
-## please make sure to have a valid config present in {KONG_CONFIG}:
- environment:
- - KONG_DATABASE=off
- - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml
- volumes:
- - ${KONG_CONFIG}:/opt/kong
- restart: unless-stopped
- ports:
- - "8000:8000"
- - "8443:8443"
- - "127.0.0.1:8001:8001"
- - "127.0.0.1:8444:8444"
+## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment
+KONG_IMAGE=kong-attachment
- appsec-smartsync:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
- container_name: appsec-smartsync
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- restart: unless-stopped
- depends_on:
- - appsec-shared-storage
+## To connect your deployment to central open-appsec WebUI provide the token for a profile
+## which you created in open-appsec WebUI at https://my.openappsec.io
+## Example: APPSEC_AGENT_TOKEN=111-22222-111
+APPSEC_AGENT_TOKEN=
- appsec-shared-storage:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
- container_name: appsec-shared-storage
- ipc: service:appsec-agent
- restart: unless-stopped
-## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
-## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
- user: root
- volumes:
- - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
-## instead of using local storage for local learning (see line above)
-## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
-## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the 
line above)
-# - learning_nfs:/db:z
+## Important: When not providing token for connection to central WebUI:
+## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
+## sharing of learning between processes and allow you to perform tuning locally on CLI
+COMPOSE_PROFILES=
- appsec-tuning-svc:
- profiles:
- - standalone
- image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
- container_name: appsec-tuning-svc
- environment:
- - SHARED_STORAGE_HOST=appsec-shared-storage
- - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- - QUERY_DB_HOST=${APPSEC_DB_HOST}
- - QUERY_DB_USER=${APPSEC_DB_USER}
-## only relevant when deploying own DB
-# - SSLMODE:
- restart: unless-stopped
- volumes:
- - ${APPSEC_CONFIG}:/etc/cp/conf
- depends_on:
- - appsec-shared-storage
- - appsec-db
-
- appsec-db:
- profiles:
- - standalone
- image: postgres
- container_name: appsec-db
- restart: unless-stopped
- environment:
- - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- - POSTGRES_USER=${APPSEC_DB_USER}
- volumes:
- - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+## JUICE SHOP DEMO CONTAINER:
+## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
+## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
-## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
- juiceshop-backend:
- image: bkimminich/juice-shop:latest
- container_name: juiceshop-backend
- profiles:
- - juiceshop
+## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder
+## to include service and route configuration for forwarding external traffic to the juiceshop-backend container
+## (kong listens by default for HTTP/HTTPS on port 8000/8443)
+## you can use the example file available here:
+## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml
+## note that juiceshop container listens on HTTP port 3000 by default
-## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
-##
-## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
-##
-#volumes:
-# learning_nfs:
-# driver: local
-# driver_opts:
-# type: nfs
-# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
-# device: ":/"
+## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
+## COMPOSE_PROFILES=standalone,juiceshop
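Review bot: The new side of this hunk replaces every compose service definition with dotenv-style `KEY=value` lines, so `deployment/kong/docker-compose.yaml` no longer parses as a compose file and the appsec-agent, appsec-kong, smartsync, shared-storage, tuning and appsec-db services disappear from the deployment. The added content reads as a `.env` file (its own first line says ".env file for docker-compose deployments", and it defines exactly the variables the removed compose file substituted), so this looks like an accidental paste into the wrong file; it belongs in a sibling `.env` next to a restored compose file. The placeholder `APPSEC_DB_PASSWORD=pass` also ships a weak default credential that the removed appsec-db service feeds into `POSTGRES_PASSWORD`; leaving it blank like `APPSEC_AGENT_TOKEN=` with a comment such as `## set a strong password before deploying` avoids it being used unchanged. The hunk spans the entire file.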