diff --git a/deployment/docker-compose/apisix/apisix-config/apisix.yaml b/deployment/docker-compose/apisix/apisix-config/apisix.yaml
new file mode 100644
index 0000000..baa0928
--- /dev/null
+++ b/deployment/docker-compose/apisix/apisix-config/apisix.yaml
@@ -0,0 +1,9 @@
+routes:
+ -
+ uri: /
+ upstream:
+ nodes:
+ "juiceshop-backend:3000": 1
+ type: roundrobin
+
+#END
diff --git a/deployment/docker-compose/apisix/docker-compose.yaml b/deployment/docker-compose/apisix/docker-compose.yaml
new file mode 100644
index 0000000..d4ed4da
--- /dev/null
+++ b/deployment/docker-compose/apisix/docker-compose.yaml
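Review bot: `uri: /` on the single route is an exact-path match under APISIX's default radixtree_uri router, so only requests for `/` reach the upstream and every other Juice Shop path (static assets, `/rest/...`) is answered with a 404 by the gateway; if the intent is to forward the whole site, the route should read `uri: /*`. The `#END` marker that standalone mode requires is present. The indentation of the `routes` entries was flattened in this diff rendering, so the nesting under `upstream` cannot be confirmed from here.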
@@ -0,0 +1,131 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with APISIX +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server=APISIX Server + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-apisix: + image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION} + container_name: appsec-apisix + ipc: service:appsec-agent + restart: always + environment: + - APISIX_STAND_ALONE=true + volumes: + - ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro + ports: + - "9080:9080/tcp" # HTTP API port + - "9443:9443/tcp" # HTTPS API port + - "9180:9180/tcp" # Admin API HTTP port + - "9091:9091/tcp" # Admin API HTTPS port + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: always + 
depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: always +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: always + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: always + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container 
configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" \ No newline at end of file diff --git a/deployment/docker-compose/envoy/docker-compose.yaml b/deployment/docker-compose/envoy/docker-compose.yaml new file mode 100644 index 0000000..11088b2 --- /dev/null +++ b/deployment/docker-compose/envoy/docker-compose.yaml 
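Review bot: The `appsec-apisix` service publishes `"9180:9180/tcp"` and `"9091:9091/tcp"` on every host interface, while the kong compose in this same commit binds its admin ports to loopback (`127.0.0.1:8001:8001`); with `APISIX_STAND_ALONE=true` the Admin API is presumably not served at all, so those two mappings should either be dropped or bound as `"127.0.0.1:9180:9180/tcp"`. The inline comment `# Admin API HTTPS port` on 9091 also looks wrong — 9091 is APISIX's Prometheus metrics export port, which should not be reachable from outside the host by default. Separately, `juiceshop-backend` here (and in the envoy compose) has no `profiles:` entry, so the deliberately vulnerable container starts on every plain `docker compose up` despite the `USE ONLY FOR TESTING` comment; the kong, NPM and nginx-unified composes gate it behind `profiles: [juiceshop]` and this file should too.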
@@ -0,0 +1,135 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with Envoy +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server="Envoy Server" + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-envoy: + image: openappsec-envoy:${APPSEC_VERSION} +# for docs: image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION} + container_name: appsec-envoy + ipc: service:appsec-agent + restart: unless-stopped + environment: + - ENVOY_UID=0 + - CONCURRENCY_CALC=${ENVOY_CONCURRENCY_CALC} + - CONCURRENCY_NUMBER=${ENVOY_CONCURRENCY_NUMBER} + volumes: + - ${ENVOY_CONFIG}:/envoy.yaml + command: -c /envoy.yaml +## adjustment of threads is possible as follows: +# command: -c /envoy.yaml --concurrency ${ENVOY_CONCURRENCY} + + ports: + - "80:80" + - "443:443" + + appsec-smartsync: + profiles: + - standalone + image: 
ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + 
container_name: juiceshop-backend + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/docker-compose/envoy/envoy-config/envoy.yaml b/deployment/docker-compose/envoy/envoy-config/envoy.yaml new file mode 100644 index 0000000..8ab8070 --- /dev/null +++ b/deployment/docker-compose/envoy/envoy-config/envoy.yaml 
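Review bot: `image: openappsec-envoy:${APPSEC_VERSION}` references an image with no registry prefix, while the published one (`# for docs: image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}`) is commented out directly below it; this looks like a local-build reference committed by mistake, and a plain `docker compose up` will fail to pull it, so the two lines should be swapped. `registered_server="Envoy Server"` is a plain YAML scalar, so the double quotes become part of the environment value; the apisix, kong and swag composes write it without quotes (`- registered_server=Envoy Server`). `ENVOY_UID=0` runs the proxy as root inside the container; if the attachment requires that, a one-line comment saying so would stop a later hardening pass from removing it blindly.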
@@ -0,0 +1,56 @@
+static_resources:
+ listeners:
+ - name: listener_0
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 80
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: ingress_http
+ http_filters:
+ ## The following 10 lines are required to load the envoy attachment filter for open-appsec
+ - name: envoy.filters.http.golang
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
+ library_id: cp_nano_filter
+ library_path: "/usr/lib/libenvoy_attachment.so"
+ plugin_name: cp_nano_filter
+ plugin_config:
+ "@type": type.googleapis.com/xds.type.v3.TypedStruct
+ value:
+ prefix_localreply_body: "Configured local reply from go"
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+##
+## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file.
+##
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: local_service
+ domains: ["*"]
+ routes:
+ - match:
+ prefix: "/"
+ route:
+ cluster: juiceshop
+
+ clusters:
+ - name: juiceshop
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: juiceshop
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: juiceshop-backend
+ port_value: 3000
diff --git a/deployment/docker-compose/kong/docker-compose.yaml b/deployment/docker-compose/kong/docker-compose.yaml
new file mode 100644
index 0000000..ad5c767
--- /dev/null
+++ b/deployment/docker-compose/kong/docker-compose.yaml
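Review bot: `prefix_localreply_body: "Configured local reply from go"` under `plugin_config` is the sample value from Envoy's Go-filter example, and nothing on this page shows the attachment reading it; if the plugin takes no configuration the key should go, and if it does, the `## The following 10 lines ...` comment should say what it controls so users know whether it is safe to change. The listener is plain HTTP on `0.0.0.0:80` with no TLS, which is fine for a lab example but worth stating in the comment block above `route_config`, since that block already positions this file as the juice-shop demo config. The `10 lines` count in the comment matches the block as written — it will need updating if the filter config grows.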
@@ -0,0 +1,135 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with Kong +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server=Kong Server + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-kong: + image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION} + container_name: appsec-kong + ipc: service:appsec-agent +## This docker compose deploys Kong in DB-less mode with declarative Kong configuration +## please make sure to have a valid config present in {KONG_CONFIG}: + environment: + - KONG_DATABASE=off + - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml + volumes: + - ${KONG_CONFIG}:/opt/kong + restart: unless-stopped + ports: + - "8000:8000" + - "8443:8443" + - "127.0.0.1:8001:8001" + - "127.0.0.1:8444:8444" + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: 
appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + +## 
advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+# driver: local
+# driver_opts:
+# type: nfs
+# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+# device: ":/"
diff --git a/deployment/docker-compose/kong/kong-config/kong.yaml b/deployment/docker-compose/kong/kong-config/kong.yaml
new file mode 100644
index 0000000..60c4c32
--- /dev/null
+++ b/deployment/docker-compose/kong/kong-config/kong.yaml
@@ -0,0 +1,9 @@
+_format_version: "3.0"
+
+services:
+ - name: juiceshop-service
+ url: http://juiceshop-backend:3000
+ routes:
+ - name: juiceshop-route
+ paths:
+ - /
diff --git a/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml b/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml
new file mode 100644
index 0000000..4795c2b
--- /dev/null
+++ b/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml
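Review bot: `- ${KONG_CONFIG}:/opt/kong` mounts the declarative config directory read-write, while the apisix compose in this commit mounts its config `:ro`; since Kong runs DB-less from this file, `- ${KONG_CONFIG}:/opt/kong:ro` keeps a compromised or misbehaving proxy container from rewriting its own routing config on the host. The comment above it reads `present in {KONG_CONFIG}:` — the `$` is missing and the trailing colon suggests something follows; `present in ${KONG_CONFIG}` is what is meant. The loopback binding of the admin ports (`127.0.0.1:8001:8001`, `127.0.0.1:8444:8444`) is the right default here and is the pattern the apisix and NPM composes in this commit should follow.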
@@ -0,0 +1,132 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with NGINX Proxy Manager +## with open-appsec management via central open-appsec WebUI (SaaS) +## + +version: '3.9' + +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + ipc: shareable + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - nginxproxymanager=true + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-nginx-proxy-manager: + container_name: appsec-nginx-proxy-manager + image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION} + ipc: service:appsec-agent + restart: unless-stopped + ports: + - 80:80 # Public HTTP Port + - 443:443 # Public HTTPS Port + - 81:81 # Admin Web Port + volumes: + - ${NPM_DATA}:/data + - ${NPM_LETSENCRYPT}:/etc/letsencrypt + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - 
SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + +## advanced configuration: learning_nfs 
volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml b/deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml new file mode 100644 index 0000000..fc80272 --- /dev/null +++ b/deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml 
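Review bot: `- 81:81 # Admin Web Port` publishes the NGINX Proxy Manager admin UI on every host interface, whereas the kong compose in this commit binds its admin endpoints to loopback; unless remote admin access is a deliberate default, `- "127.0.0.1:81:81"` (or a comment telling users to restrict it) is the safer starting point. The same applies to the nginx-proxy-manager compose further down in this diff. The three port mappings are also unquoted plain scalars; they happen to parse as strings because both halves exceed 59, but quoting them (`- "80:80"`) avoids the YAML 1.1 sexagesimal trap if someone later edits them to a low port, and matches the quoted style used in the apisix and envoy composes.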
@@ -0,0 +1,134 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with NGINX Proxy Manager +## with open-appsec management via NGINX Proxy Manager WebUI +## + +version: '3.9' + +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + ipc: shareable + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - nginxproxymanager=true + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-nginx-proxy-manager: + container_name: appsec-nginx-proxy-manager + image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION} + ipc: service:appsec-agent + restart: unless-stopped + ports: + - 80:80 # Public HTTP Port + - 443:443 # Public HTTPS Port + - 81:81 # Admin Web Port + volumes: + - ${NPM_DATA}:/data + - ${NPM_LETSENCRYPT}:/etc/letsencrypt + - ${APPSEC_LOGS}:/ext/appsec-logs + - ${APPSEC_LOCALCONFIG}:/ext/appsec + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + 
environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + +## advanced configuration: 
learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/docker-compose/nginx-unifed/docker-compose.yaml b/deployment/docker-compose/nginx-unifed/docker-compose.yaml new file mode 100644 index 0000000..8d5c270 --- /dev/null +++ b/deployment/docker-compose/nginx-unifed/docker-compose.yaml 
@@ -0,0 +1,126 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec deployments of NGINX unified container +## + +version: "3.9" +services: + appsec-agent-nginx-unified: + image: ghcr.io/openappsec/agent-unified:${APPSEC_VERSION} + container_name: appsec-agent-nginx-unified + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + ipc: shareable + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + - ${NGINX_CONFIG}:/etc/nginx/conf.d +## advanced configuration - volume mount for nginx.conf file: +## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below +## make sure to include the line starting with "load_module" which loads the appsec attachment +## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container +# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf + ports: + - "80:80" + - "443:443" + command: /cp-nano-agent + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + 
environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent-nginx-unified + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + + +## 
advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+# driver: local
+# driver_opts:
+# type: nfs
+# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+# device: ":/"
diff --git a/deployment/docker-compose/nginx-unifed/nginx-config/default.conf b/deployment/docker-compose/nginx-unifed/nginx-config/default.conf
new file mode 100644
index 0000000..e3ca187
--- /dev/null
+++ b/deployment/docker-compose/nginx-unifed/nginx-config/default.conf
@@ -0,0 +1,47 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ #access_log /var/log/nginx/host.access.log main;
+
+ location / {
+ proxy_pass http://juiceshop-backend:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+ #
+ #location ~ \.php$ {
+ # proxy_pass http://127.0.0.1;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ #location ~ \.php$ {
+ # root html;
+ # fastcgi_pass 127.0.0.1:9000;
+ # fastcgi_index index.php;
+ # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+ # include fastcgi_params;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
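Review bot: The directory name `deployment/docker-compose/nginx-unifed/` is misspelled while the header comment and the `appsec-agent-nginx-unified` service name say `unified`; every user will type this path, so it is worth renaming before docs reference it. The comment above the commented-out `# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf` line says the `load_module` line is `included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container`, but this compose runs the single `agent-unified` image with no separate attachment container, so the image name and path in that comment should be checked against the unified image and corrected. The earlier part of this file section sits on the preceding lines of the diff.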
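Review bot: More than half of `default.conf` is the stock nginx sample (`#location ~ \.php$ { ... }`, the fastcgi stanza, the `.htaccess` block) that has nothing to do with proxying Juice Shop; shipping those commented stanzas invites someone to uncomment `fastcgi_pass 127.0.0.1:9000` in a container that has no PHP, so the file should be trimmed to the `server`/`location /` block plus the `50x` handler. The `location /` block itself is sound: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for` appends rather than overwrites, and `X-Forwarded-Proto $scheme` is set. A one-line header comment stating that this is the lab config routing to the optional `juiceshop-backend` container, as the compose file's comment already does, would help users who replace it with their own site config.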
diff --git a/deployment/docker-compose/swag/docker-compose.yaml b/deployment/docker-compose/swag/docker-compose.yaml new file mode 100644 index 0000000..ecce3c2 --- /dev/null +++ b/deployment/docker-compose/swag/docker-compose.yaml 
@@ -0,0 +1,145 @@
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+## Docker compose file for open-appsec integrated with SWAG
+##
+
+version: "3.9"
+services:
+ appsec-agent:
+ image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+ container_name: appsec-agent
+ restart: unless-stopped
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - LEARNING_HOST=appsec-smartsync
+ - TUNING_HOST=appsec-tuning-svc
+ - https_proxy=${APPSEC_HTTPS_PROXY}
+ - user_email=${APPSEC_USER_EMAIL}
+ - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
+ - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+ - registered_server=SWAG Server
+ ipc: shareable
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ - ${APPSEC_DATA}:/etc/cp/data
+ - ${APPSEC_LOGS}:/var/log/nano_agent
+ - ${APPSEC_LOCALCONFIG}:/ext/appsec
+ command: /cp-nano-agent
+
+ appsec-swag:
+ image: ghcr.io/openappsec/swag-attachment:latest
+ container_name: appsec-swag
+ ipc: service:appsec-agent
+ restart: unless-stopped
+ cap_add:
+ - NET_ADMIN
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=${SWAG_TZ}
+ - URL=${SWAG_URL}
+ - VALIDATION=${SWAG_VALIDATION}
+ - DNSPLUGIN=${SWAG_DNSPLUGIN}
+ - AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID}
+ - AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY}
+ - SUBDOMAINS=${SWAG_SUBDOMAINS}
+ - ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS}
+## see https://docs.linuxserver.io/images/docker-swag/ for
+## more cert generation/validation options
+ - STAGING=${SWAG_STAGING}
+ volumes:
+ - 
${SWAG_CONFIG}:/config
+ - ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs
+ - ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs
+ ports:
+ - 443:443
+ - 80:80 ## optional
+
+ appsec-smartsync:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+ container_name: appsec-smartsync
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ restart: unless-stopped
+ depends_on:
+ - appsec-shared-storage
+
+ appsec-shared-storage:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+ container_name: appsec-shared-storage
+ ipc: service:appsec-agent
+ restart: unless-stopped
+## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+ user: root
+ volumes:
+ - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
+## instead of using local storage for local learning (see line above)
+## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
+## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
+# - learning_nfs:/db:z
+
+ appsec-tuning-svc:
+ profiles:
+ - standalone
+ image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
+ container_name: appsec-tuning-svc
+ environment:
+ - SHARED_STORAGE_HOST=appsec-shared-storage
+ - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
+ - QUERY_DB_HOST=${APPSEC_DB_HOST}
+ - QUERY_DB_USER=${APPSEC_DB_USER}
+## only relevant when deploying own DB
+# - SSLMODE:
+ restart: unless-stopped
+ volumes:
+ - ${APPSEC_CONFIG}:/etc/cp/conf
+ depends_on:
+ - appsec-shared-storage
+ - appsec-db
+
+ appsec-db:
+ profiles:
+ - standalone
+ image: postgres
+ container_name: appsec-db
+ restart: unless-stopped
+ environment:
+ - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
+ - POSTGRES_USER=${APPSEC_DB_USER}
+ 
volumes:
+ - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+ juiceshop-backend:
+ image: bkimminich/juice-shop:latest
+ container_name: juiceshop-backend
+
+
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+##
+#volumes:
+# learning_nfs:
+# driver: local
+# driver_opts:
+# type: nfs
+# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+# device: ":/"
diff --git a/deployment/docker-compose/swag/swag-nginx-site-confs/default.conf b/deployment/docker-compose/swag/swag-nginx-site-confs/default.conf
new file mode 100644
index 0000000..9412c18
--- /dev/null
+++ b/deployment/docker-compose/swag/swag-nginx-site-confs/default.conf
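Review bot: The `juiceshop-backend` service in this file has no `profiles:` key, so a plain `docker compose up` starts the intentionally vulnerable Juice Shop container by default even though the comment directly above it says test/lab only; the nginx compose in this same commit gates it behind `profiles:` / `- juiceshop`, and this file should do the same. `appsec-swag` is also the only service pinned to `:latest` rather than `${APPSEC_VERSION}`, which lets the attachment and the agent drift apart across pulls; `image: ghcr.io/openappsec/swag-attachment:${APPSEC_VERSION}` keeps them in step, assuming that tag is published for the swag attachment. `cap_add: NET_ADMIN` appears to be the optional capability SWAG needs only for its fail2ban feature; if fail2ban is not used here, a comment saying why it is granted, or dropping it, would help. The unquoted `443:443` / `80:80` entries parse correctly but differ from the quoted form the nginx compose uses; one style across the deployment files is easier to lint.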
@@ -0,0 +1,84 @@
+## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+
+# redirect all traffic to https
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+# main server block
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name _;
+
+ include /config/nginx/ssl.conf;
+
+# root /config/www;
+# index index.html index.htm index.php;
+
+ # enable subfolder method reverse proxy confs
+ include /config/nginx/proxy-confs/*.subfolder.conf;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ #location / {
+ # enable for basic auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ # try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+ #}
+
+ location ~ ^(.+\.php)(.*)$ {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include 
/config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ fastcgi_split_path_info ^(.+\.php)(.*)$;
+ if (!-f $document_root$fastcgi_script_name) { return 404; }
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ }
+
+ # deny access to .htaccess/.htpasswd files
+ location ~ /\.ht {
+ deny all;
+ }
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
diff --git a/deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf b/deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf
new file mode 100644
index 0000000..e94c276
--- /dev/null
+++ b/deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf
@@ -0,0 +1,22 @@
+location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app juiceshop-backend;
+ set $upstream_port 3000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+}
diff --git a/deployment/nginx/.env b/deployment/nginx/.env
deleted file mode 100644
index 978fae6..0000000
--- a/deployment/nginx/.env
+++ /dev/null
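Review bot: The live `location ~ ^(.+\.php)(.*)$` block in the main server block outranks the prefix `location /` that `juiceshop.subfolder.conf` contributes, so any request whose path matches `.php` is handled by the fastcgi block (`fastcgi_pass 127.0.0.1:9000`, for which no PHP-FPM service exists in the compose file) and answered from there, most likely with the 404 from the `-f` check, instead of being proxied to Juice Shop. Since `root` is commented out and nothing serves PHP here, that block should be commented out or removed, keeping only the `/\.ht` deny rule. The file otherwise still carries the linuxserver sample's version header, so a short comment at the top marking it as a locally edited copy would stop future syncs from silently reinstating the PHP block.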
@@ -1,28 +0,0 @@
-## .env file for docker-compose deployments of open-appsec integrated with NGINX
-## for more info see https://docs.openappsec.io
-
-APPSEC_VERSION=latest
-APPSEC_CONFIG=./appsec-config
-APPSEC_DATA=./appsec-data
-APPSEC_LOGS=./appsec-logs
-APPSEC_LOCALCONFIG=./appsec-localconfig
-APPSEC_AUTO_POLICY_LOAD=false
-## Example for configuring HTTPS Proxy:
-## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
-APPSEC_HTTPS_PROXY=
-SMART_SYNC_STORAGE=./smartsync-storage
-USER_EMAIL=user@email.com
-DB_PASSWORD=pass
-DB_USER=postgres
-DB_HOST=appsec-db
-POSTGRES_STORAGE=./postgres-data
-NGINX_CONF_DIR=./nginx-proxy-config
-
-## To connect your deployment to central WebUI you can uncomment following line
-## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io
-## Example: APPSEC_AGENT_TOKEN=111-22222-111
-APPSEC_AGENT_TOKEN=
-
-## When not providing token for connection to central WebUI please uncomment following line
-## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI
-# COMPOSE_PROFILES=standalone
diff --git a/deployment/nginx/docker-compose.yaml b/deployment/nginx/docker-compose.yaml
index ed59464..aee9fca 100644
--- a/deployment/nginx/docker-compose.yaml
+++ b/deployment/nginx/docker-compose.yaml
@@ -1,4 +1,21 @@
-version: "2"
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+## Docker compose file for open-appsec integrated with NGINX
+##
+
+version: "3.9"
 services:
 appsec-agent:
 image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
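Review bot: `version: "3.9"` is obsolete under the Compose specification; current `docker compose` ignores the key and prints a warning on every invocation, so the line can simply be dropped. The same key appears in the swag and apisix compose files this commit adds, so it is worth removing in all three at once. The rest of this hunk is the license header.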
@@ -8,35 +25,38 @@ services:
 - LEARNING_HOST=appsec-smartsync
 - TUNING_HOST=appsec-tuning-svc
 - https_proxy=${APPSEC_HTTPS_PROXY}
- - user_email=${USER_EMAIL}
+ - user_email=${APPSEC_USER_EMAIL}
 - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
 - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
 - registered_server="NGINX Server"
 ipc: shareable
+ restart: unless-stopped
 volumes:
 - ${APPSEC_CONFIG}:/etc/cp/conf
 - ${APPSEC_DATA}:/etc/cp/data
 - ${APPSEC_LOGS}:/var/log/nano_agent
 - ${APPSEC_LOCALCONFIG}:/ext/appsec
 command: /cp-nano-agent
+
 appsec-nginx:
 image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION}
 container_name: appsec-nginx
 ipc: service:appsec-agent
-## when mounting own external nginx config uncomment the two lines below, place the config in {NGINX_CONF_DIR}
-# volumes:
-# - ${NGINX_CONF_DIR}:/etc/nginx/conf.d
+ restart: unless-stopped
+ volumes:
+ - ${NGINX_CONFIG}:/etc/nginx/conf.d
 ## advanced configuration - volume mount for nginx.conf file:
-## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below
-## make sure to include the line starting with "load_module" which loads the appsec attachment
-## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container
-## make sure to only have one "volumes:" key
-# volumes:
+## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below
+## then specify a desired local folder for NGINX_CONF_FILE in the .env file.
+## In the nginx.conf file make sure to include the line starting with "load_module" which loads the appsec attachment
+## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container.
 # - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
+
 ports:
 - "80:80"
 - "443:443"
+
 appsec-smartsync:
 profiles:
 - standalone
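Review bot: `- ${NGINX_CONFIG}:/etc/nginx/conf.d` is now an unconditional bind mount, but this commit deletes `deployment/nginx/.env` (which defined `NGINX_CONF_DIR`, not `NGINX_CONFIG`) and no replacement `.env` is visible on this page; if the variable is unset when the stack is brought up, Compose expands it to an empty string and the mount spec collapses to `:/etc/nginx/conf.d`, which is rejected or, worse, silently leaves the attachment's stock config in place. The required-variable form, `- ${NGINX_CONFIG:?set NGINX_CONFIG in .env}:/etc/nginx/conf.d`, fails fast with a clear message, and the same form suits the `${APPSEC_*}` mounts in this and the swag compose. The new comment tells the user to "specify a desired local folder for NGINX_CONF_FILE", but the mount target `/etc/nginx/nginx.conf` is a file, so the comment should say file. `registered_server="NGINX Server"` (unchanged context) keeps the literal double quotes in the environment value, unlike `registered_server=SWAG Server` in the swag file; if the quotes are not intended, this is the place to drop them.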
@@ -44,23 +64,27 @@ services:
 container_name: appsec-smartsync
 environment:
 - SHARED_STORAGE_HOST=appsec-shared-storage
+ restart: unless-stopped
 depends_on:
 - appsec-shared-storage
+
 appsec-shared-storage:
 profiles:
 - standalone
 image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
 container_name: appsec-shared-storage
 ipc: service:appsec-agent
- ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
- ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+ restart: unless-stopped
+## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
 user: root
 volumes:
- - ${SMART_SYNC_STORAGE}:/db:z
+ - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
 ## instead of using local storage for local learning (see line above)
 ## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
 ## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
 # - learning_nfs:/db:z
+
 appsec-tuning-svc:
 profiles:
 - standalone
@@ -68,51 +92,45 @@ services:
 container_name: appsec-tuning-svc
 environment:
 - SHARED_STORAGE_HOST=appsec-shared-storage
- - QUERY_DB_PASSWORD=${DB_PASSWORD}
- - QUERY_DB_HOST=${DB_HOST}
- - QUERY_DB_USER=${DB_USER}
+ - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
+ - QUERY_DB_HOST=${APPSEC_DB_HOST}
+ - QUERY_DB_USER=${APPSEC_DB_USER}
 ## only relevant when deploying own DB
 # - SSLMODE:
+ restart: unless-stopped
 volumes:
 - ${APPSEC_CONFIG}:/etc/cp/conf
 depends_on:
 - appsec-shared-storage
 - appsec-db
+
 appsec-db:
 profiles:
 - standalone
 image: postgres
 container_name: appsec-db
- restart: always
+ restart: unless-stopped
 environment:
- - POSTGRES_PASSWORD=${DB_PASSWORD}
- - POSTGRES_USER=${DB_USER}
+ - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
+ - POSTGRES_USER=${APPSEC_DB_USER}
 volumes:
- - ${POSTGRES_STORAGE}:/var/lib/postgresql/data
+ - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
-##
-## uncomment this block for testing purposes only, make sure to also adjust the nginx.conf file
-## to include a proxy_pass directive forwarding external traffic on e.g. 
port 80 to the juiceshop-backend container
-## you can use the example file available here:
-## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/default.conf
-## place the file above in {NGINX_CONF_DIR} and uncomment the two lines for creating a volume mount
-## in the appsec-nginx service definition
-## note that juiceshop container listens on HTTP port 3000 by default
-#
-# juiceshop-backend:
-# image: bkimminich/juice-shop:latest
-# container_name: juiceshop-backend
-
+ juiceshop-backend:
+ image: bkimminich/juice-shop:latest
+ container_name: juiceshop-backend
+ profiles:
+ - juiceshop
 ## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
 ##
 ## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
-#
-# volumes:
-# learning_nfs:
-# driver: local
-# driver_opts:
-# type: nfs
-# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
-# device: ":/"
+##
+#volumes:
+# learning_nfs:
+# driver: local
+# driver_opts:
+# type: nfs
+# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+# device: ":/"
diff --git a/deployment/nginx/nginx-config/default.conf b/deployment/nginx/nginx-config/default.conf
new file mode 100644
index 0000000..e3ca187
--- /dev/null
+++ b/deployment/nginx/nginx-config/default.conf
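Review bot: `juiceshop-backend` is now gated behind `profiles:` / `- juiceshop`, but nothing on the page says how to enable it alongside the existing `standalone` profile, and the deleted `.env` only hinted at `COMPOSE_PROFILES=standalone`; a comment above the service such as `## start together with the standalone services via COMPOSE_PROFILES=standalone,juiceshop (or --profile juiceshop)` would make that discoverable. `image: postgres` (unchanged context) carries no tag, so a pull after a PostgreSQL major release can leave the container unable to open the existing data directory under `${APPSEC_POSTGRES_STORAGE}`; pinning a major version avoids that surprise. `bkimminich/juice-shop:latest` has the same drift issue, though for a lab-only container it matters less.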
@@ -0,0 +1,47 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ #access_log /var/log/nginx/host.access.log main;
+
+ location / {
+ proxy_pass http://juiceshop-backend:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+ #
+ #location ~ \.php$ {
+ # proxy_pass http://127.0.0.1;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ #location ~ \.php$ {
+ # root html;
+ # fastcgi_pass 127.0.0.1:9000;
+ # fastcgi_index index.php;
+ # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+ # include fastcgi_params;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}