Update docker-compose.yaml

2025-06-28 16:41:02 +03:00 · 2025-01-13 14:13:23 +02:00 · 2025-01-13 14:13:23 +02:00 · d14fa7a468
commit d14fa7a468
parent ae0de5bf14
1 changed files with 46 additions and 124 deletions
--- a/deployment/kong/docker-compose.yaml
+++ b/deployment/kong/docker-compose.yaml
@ -1,135 +1,57 @@
-# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+## .env file for docker-compose deployments of open-appsec integrated with Kong
 ## for more info see https://docs.openappsec.io
-# Licensed under the Apache License, Version 2.0 (the "License");
+APPSEC_VERSION=latest
-# You may obtain a copy of the License at
+APPSEC_CONFIG=./appsec-config
 APPSEC_DATA=./appsec-data
 APPSEC_LOGS=./appsec-logs
 APPSEC_LOCALCONFIG=./appsec-localconfig
-#     http://www.apache.org/licenses/LICENSE-2.0
+## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
 ## open-appsec configuration via open-appsec Web UI.
 ## You can optionally set it to true when using local, declarative management for open-appsec,
 ## declarative configuration will then get applied automatically when changed.
 APPSEC_AUTO_POLICY_LOAD=false
-# Unless required by applicable law or agreed to in writing, software
+## Example for configuring HTTPS Proxy:
-# distributed under the License is distributed on an "AS IS" BASIS,
+## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+APPSEC_HTTPS_PROXY=
 # See the License for the specific language governing permissions and
 # limitations under the License.
-##
+APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
-## Docker compose file for open-appsec integrated with Kong
+APPSEC_USER_EMAIL=user@email.com
-##
+APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
-version: "3.9"
+## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
-services:
+## For deployment of a simple lab testing environment, you can deploy the example configuration provided
-  appsec-agent:
+## for the vulnerable juice-shop container, see instructions further below.
-    image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+KONG_CONFIG=./kong-config
    container_name: appsec-agent
    environment:
      - SHARED_STORAGE_HOST=appsec-shared-storage
      - LEARNING_HOST=appsec-smartsync
      - TUNING_HOST=appsec-tuning-svc
      - https_proxy=${APPSEC_HTTPS_PROXY}
      - user_email=${APPSEC_USER_EMAIL}
      - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
      - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
      - registered_server=Kong Server
    ipc: shareable
    restart: unless-stopped
    volumes:
      - ${APPSEC_CONFIG}:/etc/cp/conf
      - ${APPSEC_DATA}:/etc/cp/data
      - ${APPSEC_LOGS}:/var/log/nano_agent
      - ${APPSEC_LOCALCONFIG}:/ext/appsec
    command: /cp-nano-agent
-  appsec-kong:
+## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment
-    image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
+KONG_IMAGE=kong-attachment
    container_name: appsec-kong
    ipc: service:appsec-agent
 ## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
 ## please make sure to have a valid config present in {KONG_CONFIG}:
    environment:
      - KONG_DATABASE=off
      - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml
    volumes:
      - ${KONG_CONFIG}:/opt/kong
    restart: unless-stopped
    ports:
      - "8000:8000"
      - "8443:8443"
      - "127.0.0.1:8001:8001"
      - "127.0.0.1:8444:8444"
-  appsec-smartsync:
+## To connect your deployment to central open-appsec WebUI provide the token for a profile
-    profiles:
+## which you created in open-appsec WebUI at https://my.openappsec.io
-      - standalone
+## Example: APPSEC_AGENT_TOKEN=111-22222-111
-    image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+APPSEC_AGENT_TOKEN=
    container_name: appsec-smartsync
    environment:
      - SHARED_STORAGE_HOST=appsec-shared-storage
    restart: unless-stopped
    depends_on:
      - appsec-shared-storage
-  appsec-shared-storage:
+## Important: When not providing token for connection to central WebUI:
-    profiles:
+## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
-      - standalone
+## sharing of learning between processes and allow you to perform tuning locally on CLI
-    image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+COMPOSE_PROFILES=
    container_name: appsec-shared-storage
    ipc: service:appsec-agent
    restart: unless-stopped
 ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
 ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
    user: root
    volumes:
      - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
 ## instead of using local storage for local learning (see line above)
 ## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
 ## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) 
 #     - learning_nfs:/db:z
-  appsec-tuning-svc:
+## JUICE SHOP DEMO CONTAINER:
-    profiles:
+## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
-      - standalone
+## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
    image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
    container_name: appsec-tuning-svc
    environment:
      - SHARED_STORAGE_HOST=appsec-shared-storage
      - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
      - QUERY_DB_HOST=${APPSEC_DB_HOST}
      - QUERY_DB_USER=${APPSEC_DB_USER}
 ## only relevant when deploying own DB 
 #     - SSLMODE:
    restart: unless-stopped
    volumes:
      - ${APPSEC_CONFIG}:/etc/cp/conf
    depends_on:
      - appsec-shared-storage
      - appsec-db
  appsec-db:
    profiles:
      - standalone
    image: postgres
    container_name: appsec-db
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
      - POSTGRES_USER=${APPSEC_DB_USER} 
    volumes:
      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
-## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder
-  juiceshop-backend:
+## to include service and route configuration for forwarding external traffic to the juiceshop-backend container
-    image: bkimminich/juice-shop:latest
+## (kong listens by default for HTTP/HTTPS on port 8000/8443) 
-    container_name: juiceshop-backend
+## you can use the example file available here:
-    profiles:
+## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml
-      - juiceshop
+## note that juiceshop container listens on HTTP port 3000 by default
-## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
-##
+## COMPOSE_PROFILES=standalone,juiceshop
 ## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
 ##
 #volumes:
 # learning_nfs:
 #   driver: local
 #   driver_opts:
 #     type: nfs
 #     o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
 #     device: ":/"