From b7e2efbf7e85b6290fb4b14aed92a1ea82fbb7ff Mon Sep 17 00:00:00 2001
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 23 Dec 2024 10:20:02 +0200
Subject: [PATCH 01/38] Create docker-compose.yaml
---
 deployment/kong/docker-compose.yaml | 145 ++++++++++++++++++++++++++++
 1 file changed, 145 insertions(+)
 create mode 100644 deployment/kong/docker-compose.yaml
diff --git a/deployment/kong/docker-compose.yaml b/deployment/kong/docker-compose.yaml
new file mode 100644
index 0000000..58bed29
--- /dev/null
+++ b/deployment/kong/docker-compose.yaml
@@ -0,0 +1,145 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with Kong +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server=Kong Server + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-kong: + image: ghcr.io/openappsec/kong-attachment:${APPSEC_VERSION} +## If you want to deploy Kong Gateway Enterprise Edition comment out the line above and uncomment the following line: +# image: ghcr.io/openappsec/kong-gateway-attachment:${APPSEC_VERSION} + container_name: appsec-kong + ipc: service:appsec-agent +## If you want to deploy Kong in DB-less mode with declarative configuration +## please comment out the following five lines below and place the config in {KONG_CONF_DIR}: +# environment: +# - KONG_DATABASE=off +# - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml +# volumes: +# - ${KONG_CONFIG}:/opt/kong + restart: unless-stopped + ports: + - 
"8000:8000" + - "8443:8443" + - "127.0.0.1:8001:8001" + - "127.0.0.1:8444:8444" + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop 
backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) +## +## uncomment this block for testing purposes only, make sure to also adjust the kong.yaml file in {KONG_CONFIG} folder +## to include service and route configuration for forwarding external traffic to the juiceshop-backend container +## (kong listens by default for HTTP/HTTPS on port 8000/8443) +## you can use the example file available here: +## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/kong.yaml +## in the appsec-kong service definition +## note that juiceshop container listens on HTTP port 3000 by default +## +# juiceshop-backend: +# image: bkimminich/juice-shop:latest +# container_name: juiceshop-backend + + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" From fa6a2e4233be404244f97315d616c6d65c71eeeb Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 23 Dec 2024 16:18:53 +0200 Subject: [PATCH 02/38] Create .env --- deployment/kong/.env | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 deployment/kong/.env diff --git a/deployment/kong/.env b/deployment/kong/.env new file mode 100644 index 0000000..60814b4 --- /dev/null +++ b/deployment/kong/.env 
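Review bot: `appsec-db` uses `image: postgres` with no tag, so a later `docker compose pull`/`up` can move the container to a new major release whose server cannot open the data directory persisted under `${APPSEC_POSTGRES_STORAGE}`; pin a major, e.g. `image: postgres:16`, and the same applies to the `appsec-db` services in the NGINX-Unified, APISIX and SWAG compose files in this series. The `appsec-kong` comments also disagree with the `.env`: they refer to `{KONG_CONF_DIR}` while the commented volume line and the `.env` use `KONG_CONFIG`, and "please comment out the following five lines" reads inverted because those lines are already commented. Suggest `## to run Kong in DB-less mode uncomment the five lines below and place kong.yaml in ${KONG_CONFIG}`.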
@@ -0,0 +1,29 @@ +## .env file for docker-compose deployments of open-appsec integrated with Kong +## for more info see https://docs.openappsec.io + +APPSEC_VERSION=latest +APPSEC_CONFIG=./appsec-config +APPSEC_DATA=./appsec-data +APPSEC_LOGS=./appsec-logs +APPSEC_LOCALCONFIG=./appsec-localconfig +APPSEC_AUTO_POLICY_LOAD=false +## Example for configuring HTTPS Proxy: +## APPSEC_HTTPS_PROXY=user:password@proxy_address:port +APPSEC_HTTPS_PROXY= +APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage +APPSEC_USER_EMAIL=user@email.com +APPSEC_DB_PASSWORD=pass +APPSEC_DB_USER=postgres +APPSEC_DB_HOST=appsec-db +APPSEC_POSTGRES_STORAGE=./appsec-postgres-data + +KONG_CONFIG=./kong-config + +## To connect your deployment to central WebUI you can uncomment following line +## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io +## Example: APPSEC_AGENT_TOKEN=111-22222-111 +APPSEC_AGENT_TOKEN= + +## When not providing token for connection to central WebUI please uncomment following line +## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI +# COMPOSE_PROFILES=standalone From f67eff87bc6eb0a61190279ed8100d0f7a92e621 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 23 Dec 2024 16:19:32 +0200 Subject: [PATCH 03/38] Create kong.yaml --- deployment/kong/kong-config/kong.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 deployment/kong/kong-config/kong.yaml diff --git a/deployment/kong/kong-config/kong.yaml b/deployment/kong/kong-config/kong.yaml new file mode 100644 index 0000000..60c4c32 --- /dev/null +++ b/deployment/kong/kong-config/kong.yaml @@ -0,0 +1,9 @@ +_format_version: "3.0" + +services: + - name: juiceshop-service + url: http://juiceshop-backend:3000 + routes: + - name: juiceshop-route + paths: + - / From 8889c3c054960413e80198f53166736f52c3514e Mon Sep 17 00:00:00 2001 
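Review bot: `APPSEC_DB_PASSWORD=pass` ships a working default credential in a checked-in file, and the compose file feeds the same value to both `POSTGRES_PASSWORD` and `QUERY_DB_PASSWORD`, so a deployment that follows the defaults runs the database with a guessable password. `appsec-db` publishes no ports, which limits exposure to the compose network, but the default still ends up in every standalone deployment; leaving the value empty makes the official postgres image refuse to initialize until one is set, which is the safer failure mode: `## required, no default: set a strong password before first start` then `APPSEC_DB_PASSWORD=`. The same default appears in the NGINX-Unified, APISIX and SWAG `.env` files in this series.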
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 23 Dec 2024 16:46:16 +0200
Subject: [PATCH 04/38] Create docker-compose.yaml
---
 deployment/NGINX-Unified/docker-compose.yaml | 135 +++++++++++++++++++
 1 file changed, 135 insertions(+)
 create mode 100644 deployment/NGINX-Unified/docker-compose.yaml
diff --git a/deployment/NGINX-Unified/docker-compose.yaml b/deployment/NGINX-Unified/docker-compose.yaml
new file mode 100644
index 0000000..b94928a
--- /dev/null
+++ b/deployment/NGINX-Unified/docker-compose.yaml
@@ -0,0 +1,135 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec deployments of NGINX unified container +## + +version: "3.9" +services: + appsec-agent-nginx-unified: + image: ghcr.io/openappsec/agent-unified:${APPSEC_VERSION} + container_name: appsec-agent-nginx-unified + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + ipc: shareable + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec +## when mounting own external nginx config uncomment the line below, place the config in {NGINX_CONFIG} +# - ${NGINX_CONFIG}:/etc/nginx/conf.d +## +## advanced configuration - volume mount for nginx.conf file: +## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below +## make sure to include the line starting with "load_module" which loads the appsec attachment +## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container +# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf + ports: + - "80:80" + - "443:443" + command: /cp-nano-agent + + appsec-smartsync: + profiles: + - 
standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent-nginx-unified + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) +## +## uncomment this block for 
testing purposes only, make sure to also adjust the nginx.conf file in {NGINX_CONFIG} folder +## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container +## you can use the example file available here: +## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/default.conf +## place the file above in {NGINX_CONF_DIR} and uncomment the two lines for creating a volume mount +## in the appsec-nginx service definition +## note that juiceshop container listens on HTTP port 3000 by default +# +# juiceshop-backend: +# image: bkimminich/juice-shop:latest +# container_name: juiceshop-backend + + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" From c557affd9bf096b7f58dce592c97b83540ee9cb8 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 23 Dec 2024 16:46:38 +0200 Subject: [PATCH 05/38] Create .env --- deployment/NGINX-Unified/.env | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 deployment/NGINX-Unified/.env diff --git a/deployment/NGINX-Unified/.env b/deployment/NGINX-Unified/.env new file mode 100644 index 0000000..a2f19fc --- /dev/null +++ b/deployment/NGINX-Unified/.env 
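Review bot: The juice-shop instructions at the end of the hunk tell the reader to place `default.conf` in `{NGINX_CONF_DIR}` and to "uncomment the two lines ... in the appsec-nginx service definition", but this file has neither: the service is `appsec-agent-nginx-unified`, the `.env` variable is `NGINX_CONFIG`, and only one volume line (`# - ${NGINX_CONFIG}:/etc/nginx/conf.d`) needs uncommenting. `NGINX_CONF_FILE`, referenced by the commented nginx.conf mount, is also not defined in the accompanying `.env`, so uncommenting that line without adding the variable would expand to an empty source path. Suggest replacing the two sentences with `## place default.conf in ${NGINX_CONFIG} and uncomment the conf.d volume line in the appsec-agent-nginx-unified service`.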
@@ -0,0 +1,29 @@
+## .env file for docker-compose deployments of open-appsec NGINX unified container
+## for more info see https://docs.openappsec.io
+
+APPSEC_VERSION=latest
+APPSEC_CONFIG=./appsec-config
+APPSEC_DATA=./appsec-data
+APPSEC_LOGS=./appsec-logs
+APPSEC_LOCALCONFIG=./appsec-localconfig
+APPSEC_AUTO_POLICY_LOAD=false
+## Example for configuring HTTPS Proxy:
+## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
+APPSEC_HTTPS_PROXY=
+APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
+APPSEC_USER_EMAIL=user@email.com
+APPSEC_DB_PASSWORD=pass
+APPSEC_DB_USER=postgres
+APPSEC_DB_HOST=appsec-db
+APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+
+NGINX_CONFIG=./nginx-config
+
+## To connect your deployment to central WebUI you can uncomment following line
+## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io
+## Example: APPSEC_AGENT_TOKEN=111-22222-111
+APPSEC_AGENT_TOKEN=
+
+## When not providing token for connection to central WebUI please uncomment following line
+## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI
+# COMPOSE_PROFILES=standalone
From 02c1db01f61e3415015fd26ed585595e3d49c4de Mon Sep 17 00:00:00 2001
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 23 Dec 2024 16:47:53 +0200
Subject: [PATCH 06/38] Create default.conf
---
 .../NGINX-Unified/nginx-config/default.conf | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 deployment/NGINX-Unified/nginx-config/default.conf
diff --git a/deployment/NGINX-Unified/nginx-config/default.conf b/deployment/NGINX-Unified/nginx-config/default.conf
new file mode 100644
index 0000000..e3ca187
--- /dev/null
+++ b/deployment/NGINX-Unified/nginx-config/default.conf
@@ -0,0 +1,47 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ #access_log /var/log/nginx/host.access.log main;
+
+ location / {
+ proxy_pass http://juiceshop-backend:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+ #
+ #location ~ \.php$ {
+ # proxy_pass http://127.0.0.1;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ #location ~ \.php$ {
+ # root html;
+ # fastcgi_pass 127.0.0.1:9000;
+ # fastcgi_index index.php;
+ # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+ # include fastcgi_params;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
From 4571d563f439c77a0b5ca968871d931ac030b9f6 Mon Sep 17 00:00:00 2001
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 23 Dec 2024 16:58:35 +0200
Subject: [PATCH 07/38] Create docker-compose.yaml
---
 deployment/APISIX/docker-compose.yaml | 143 ++++++++++++++++++++++++++
 1 file changed, 143 insertions(+)
 create mode 100644 deployment/APISIX/docker-compose.yaml
diff --git a/deployment/APISIX/docker-compose.yaml b/deployment/APISIX/docker-compose.yaml
new file mode 100644
index 0000000..0e30df0
--- /dev/null
+++ b/deployment/APISIX/docker-compose.yaml
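Review bot: `proxy_pass http://juiceshop-backend:3000;` names a container that the compose file in this series only defines as a commented-out block, and nginx resolves a static `proxy_pass` hostname when it loads the configuration, so mounting this file while the juice-shop block is still commented should make the unified container exit with a "host not found in upstream" error instead of serving traffic. A header comment would prevent that surprise: `# lab-only example: requires the juiceshop-backend service to be uncommented in docker-compose.yaml`. The PHP/FastCGI/.htaccess stanzas inherited from the stock nginx template are dead weight in a reverse-proxy-only config and could be dropped.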
@@ -0,0 +1,143 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with APISIX +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server=APISIX Server + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-apisix: + image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION} +## If you want to deploy Kong Gateway Enterprise Edition comment out the line above and uncomment the following line: +# image: ghcr.io/openappsec/kong-gateway-attachment:${APPSEC_VERSION} + container_name: appsec-apisix + ipc: service:appsec-agent + restart: always +## If you do not want to configure APISIX declaratively please comment out the following four lines and place the configfile in {APISIX_CONF_PATH}: +# environment: +# - APISIX_STAND_ALONE=true +# volumes: +# - ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro + ports: + - "9180:9180/tcp" + - "9080:9080/tcp" + 
- "9091:9091/tcp" + - "9443:9443/tcp" + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: always + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: always +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: always + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: always + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) 
+## +## uncomment this block for testing purposes only, make sure to also adjust the apisix.yaml file in {APISIX_CONFIG} folder +## to include route and node configuration for forwarding external traffic to the juiceshop-backend container +## (apisix listens by default for HTTP/HTTPS on port 9080/9443) +## you can use the example file available here: +## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/apisix.yaml +## in the appsec-apisix service definition +## note that juiceshop container listens on HTTP port 3000 by default +# +# juiceshop-backend: +# image: bkimminich/juice-shop:latest +# container_name: juiceshop-backend + + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" From e56fb0bc1a8faa0cb234b66f986843c5b76b722e Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 23 Dec 2024 16:59:07 +0200 Subject: [PATCH 08/38] Create .env --- deployment/APISIX/.env | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 deployment/APISIX/.env diff --git a/deployment/APISIX/.env b/deployment/APISIX/.env new file mode 100644 index 0000000..77d8b4d --- /dev/null +++ b/deployment/APISIX/.env 
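Review bot: `"9180:9180/tcp"` publishes APISIX's default Admin API port on every host interface, whereas the Kong compose in this series deliberately keeps its admin ports on loopback (`"127.0.0.1:8001:8001"`); unless the Admin API is meant to be reachable from outside the host, bind it the same way, `- "127.0.0.1:9180:9180/tcp"`. The comment and commented image line above `container_name: appsec-apisix` were copied from the Kong file and offer `kong-gateway-attachment` as an alternative image for the APISIX service, which would break the deployment if followed; remove them. The wording "please comment out the following four lines" also reads inverted, since the `environment`/`volumes` lines it refers to are already commented.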
@@ -0,0 +1,29 @@ +## .env file for docker-compose deployments of open-appsec integrated with APISIX +## for more info see https://docs.openappsec.io + +APPSEC_VERSION=latest +APPSEC_CONFIG=./appsec-config +APPSEC_DATA=./appsec-data +APPSEC_LOGS=./appsec-logs +APPSEC_LOCALCONFIG=./appsec-localconfig +APPSEC_AUTO_POLICY_LOAD=false +## Example for configuring HTTPS Proxy: +## APPSEC_HTTPS_PROXY=user:password@proxy_address:port +APPSEC_HTTPS_PROXY= +APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage +APPSEC_USER_EMAIL=user@email.com +APPSEC_DB_PASSWORD=pass +APPSEC_DB_USER=postgres +APPSEC_DB_HOST=appsec-db +APPSEC_POSTGRES_STORAGE=./appsec-postgres-data + +APISIX_CONFIG=./apisix-config/apisix.yaml + +## To connect your deployment to central WebUI you can uncomment following line +## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io +## Example: APPSEC_AGENT_TOKEN=111-22222-111 +APPSEC_AGENT_TOKEN= + +## When not providing token for connection to central WebUI please uncomment following line +## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI +# COMPOSE_PROFILES=standalone From 11c97330f51929ad121a6f81364500d3529a3abf Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 23 Dec 2024 16:59:40 +0200 Subject: [PATCH 09/38] Create apisix.yaml --- deployment/APISIX/apisix-config/apisix.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 deployment/APISIX/apisix-config/apisix.yaml diff --git a/deployment/APISIX/apisix-config/apisix.yaml b/deployment/APISIX/apisix-config/apisix.yaml new file mode 100644 index 0000000..baa0928 --- /dev/null +++ b/deployment/APISIX/apisix-config/apisix.yaml @@ -0,0 +1,9 @@ +routes: + - + uri: / + upstream: + nodes: + "juiceshop-backend:3000": 1 + type: roundrobin + +#END From 63b8bb22c20bdbf7425de905a775449e87afe2e1 Mon Sep 17 00:00:00 2001 
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 23 Dec 2024 17:21:53 +0200
Subject: [PATCH 10/38] Create docker-compose.yaml
---
 deployment/swag-new/docker-compose.yaml | 155 ++++++++++++++++++++++++
 1 file changed, 155 insertions(+)
 create mode 100644 deployment/swag-new/docker-compose.yaml
diff --git a/deployment/swag-new/docker-compose.yaml b/deployment/swag-new/docker-compose.yaml
new file mode 100644
index 0000000..10a9c87
--- /dev/null
+++ b/deployment/swag-new/docker-compose.yaml
@@ -0,0 +1,155 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with SWAG +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server=SWAG Server + ipc: shareable + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-swag: + image: ghcr.io/openappsec/swag-attachment:latest + container_name: appsec-swag + ipc: service:appsec-agent + restart: unless-stopped + cap_add: + - NET_ADMIN + environment: + - PUID=1000 + - PGID=1000 + - TZ=${SWAG_TZ} + - URL=${SWAG_URL} + - VALIDATION=${SWAG_VALIDATION} + - DNSPLUGIN=${SWAG_DNSPLUGIN} + - AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID} + - AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY} + - SUBDOMAINS=${SWAG_SUBDOMAINS} + - ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS} +## see https://docs.linuxserver.io/images/docker-swag/ for +## more cert generation/validation options + - STAGING=${SWAG_STAGING} ## switch to 'false' after 
successful testing + volumes: + - ${SWAG_CONFIG}:/config +## when mounting own external nginx config uncomment the line below, place the config in {SWAG_NGINX_CONFIG} folder +# - ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs +## when mounting own proxy.conf files uncomment the line below, place the proxy config files in {SWAG_PROXY_CONFS} folder +# - ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs + ports: + - 443:443 + - 80:80 ## optional + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - 
${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) +## +## uncomment this block for testing purposes only, make sure to put a juiceshop.subfolder.conf file in {SWAG_PROXY_CONFS} folder +## for proxying external traffic to the juiceshop-backend container and also adjust the NGINX default.conf file in {SWAG_NGINX_SITE_CONFS} folder +## you can use the example files available here: +## https://raw.githubusercontent.com/openappsec/openappsec/main/examples/juiceshop/swag/juiceshop.subfolder.conf +## https://raw.githubusercontent.com/openappsec/openappsec/main/examples/juiceshop/swag/default.conf +## note that juiceshop container listens on HTTP port 3000 by default +# +# juiceshop-backend: +# image: bkimminich/juice-shop:latest +# container_name: juiceshop-backend + + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" From e38bb9525ce140db785478aab3e20bace2e49f30 Mon Sep 17 00:00:00 2001 
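Review bot: `appsec-swag` pins `ghcr.io/openappsec/swag-attachment:latest` instead of the `${APPSEC_VERSION}` used by every other open-appsec image in this file, so the attachment and the agent can drift apart as soon as a version is set in `.env`; use `image: ghcr.io/openappsec/swag-attachment:${APPSEC_VERSION}`. The port mappings are the only unquoted ones in this series (`- 443:443`, `- 80:80 ## optional`); quoting them as `"443:443"` and `"80:80"` matches the other compose files and avoids YAML's number-like-scalar surprises. `SWAG_AWS_SECRET_ACCESS_KEY` is injected as a plain container environment variable, readable through `docker inspect` by anyone with Docker socket access, so a comment that production deployments should supply it from a secrets mechanism rather than a committed `.env` would be worth adding.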
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 23 Dec 2024 17:22:40 +0200
Subject: [PATCH 11/38] Create .env
---
 deployment/swag-new/.env | 49 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 deployment/swag-new/.env
diff --git a/deployment/swag-new/.env b/deployment/swag-new/.env
new file mode 100644
index 0000000..3034f90
--- /dev/null
+++ b/deployment/swag-new/.env
@@ -0,0 +1,49 @@ +## .env file for docker-compose deployments of open-appsec integrated with SWAG +## for more info see https://docs.openappsec.io + +APPSEC_VERSION=latest +APPSEC_CONFIG=./appsec-config +APPSEC_DATA=./appsec-data +APPSEC_LOGS=./appsec-logs +APPSEC_LOCALCONFIG=./appsec-localconfig +APPSEC_AUTO_POLICY_LOAD=false +## Example for configuring HTTPS Proxy: +## APPSEC_HTTPS_PROXY=user:password@proxy_address:port +APPSEC_HTTPS_PROXY= +APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage +APPSEC_USER_EMAIL=user@email.com +APPSEC_DB_PASSWORD=pass +APPSEC_DB_USER=postgres +APPSEC_DB_HOST=appsec-db +APPSEC_POSTGRES_STORAGE=./appsec-postgres-data + +## Most relevant SWAG parameters have been moved here as well allowing configuration via .env file +SWAG_CONFIG=./swag-config +SWAG_NGINX_SITE_CONFS=./swag-nginx-site-confs +SWAG_PROXY_CONFS=./swag-proxy-confs +SWAG_TZ=Etc/UTC +SWAG_VALIDATION=http # configure "http" or "dns" as validation modes +SWAG_DNSPLUGIN="" # configure e.g. "route53" or some other DNS Plugin supported by SWAG if you set "dns" above + +## Examples parameters for "route53" DNS plugin (AWS DNS service), you can add others here as required, +## when you do make sure to also add them to the docker compose file +SWAG_AWS_ACCESS_KEY_ID="" +SWAG_AWS_SECRET_ACCESS_KEY="" +## + +SWAG_STAGING=true +SWAG_URL=yourdomain.url +SWAG_SUBDOMAINS="" +SWAG_ONLY_SUBDOMAINS="" +## replace yourdomain.url with your own domain +## make sure your domain's public IP resolves to +## the docker host for Let's Encrypt cert generation to succeed + +## To connect your deployment to central WebUI you can uncomment following line +## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io +## Example: APPSEC_AGENT_TOKEN=111-22222-111 +APPSEC_AGENT_TOKEN= + +## When not providing token for connection to central WebUI please uncomment following line +## which will enable sharing of learning between processes and allow you to 
perform tuning locally on CLI +# COMPOSE_PROFILES=standalone From 1fb28e14d68b6c41eb10115751e3bf49cb73490d Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 23 Dec 2024 17:24:26 +0200 Subject: [PATCH 12/38] Create juiceshop.subfolder.conf --- .../swag-proxy-confs/juiceshop.subfolder.conf | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf diff --git a/deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf b/deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf new file mode 100644 index 0000000..e94c276 --- /dev/null +++ b/deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf @@ -0,0 +1,22 @@ +location / { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app juiceshop-backend; + set $upstream_port 3000; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + +} From 4e14ff9a58b88afe8910053677e2628c5667a60b Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 23 Dec 2024 17:25:23 +0200 Subject: [PATCH 13/38] Create default.conf --- .../swag-nginx-site-confs/default.conf | 84 +++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 deployment/swag-new/swag-nginx-site-confs/default.conf 
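Review bot: `APPSEC_DB_PASSWORD=pass` ships a working default credential; the companion compose files hand it to both `appsec-db` and `appsec-tuning-svc`, so a deployment started without editing this file runs Postgres with a known password. The same default is introduced in `deployment/nginx-proxy-manager/.env` and `deployment/nginx/.env` further down in this series. Leaving it empty here, `APPSEC_DB_PASSWORD=`, and requiring it in the compose files with `${APPSEC_DB_PASSWORD:?set APPSEC_DB_PASSWORD in .env}` makes a missing value fail at startup instead of silently using a weak one. The inline comments on `SWAG_VALIDATION=http # ...` and `SWAG_DNSPLUGIN="" # ...` rely on the Compose dotenv parser treating ` #` as a comment start; worth confirming with `docker compose config` that the trailing text does not end up inside the values.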
diff --git a/deployment/swag-new/swag-nginx-site-confs/default.conf b/deployment/swag-new/swag-nginx-site-confs/default.conf new file mode 100644 index 0000000..9412c18 --- /dev/null +++ b/deployment/swag-new/swag-nginx-site-confs/default.conf 
@@ -0,0 +1,84 @@ +## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample + +# redirect all traffic to https +server { + listen 80 default_server; + listen [::]:80 default_server; + + location / { + return 301 https://$host$request_uri; + } +} + +# main server block +server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + + server_name _; + + include /config/nginx/ssl.conf; + +# root /config/www; +# index index.html index.htm index.php; + + # enable subfolder method reverse proxy confs + include /config/nginx/proxy-confs/*.subfolder.conf; + + # enable for ldap auth (requires ldap-location.conf in the location block) + #include /config/nginx/ldap-server.conf; + + # enable for Authelia (requires authelia-location.conf in the location block) + #include /config/nginx/authelia-server.conf; + + # enable for Authentik (requires authentik-location.conf in the location block) + #include /config/nginx/authentik-server.conf; + + #location / { + # enable for basic auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + # try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args; + #} + + location ~ ^(.+\.php)(.*)$ { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include 
/config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + fastcgi_split_path_info ^(.+\.php)(.*)$; + if (!-f $document_root$fastcgi_script_name) { return 404; } + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + + # deny access to .htaccess/.htpasswd files + location ~ /\.ht { + deny all; + } +} + +# enable subdomain method reverse proxy confs +include /config/nginx/proxy-confs/*.subdomain.conf; +# enable proxy cache for auth +proxy_cache_path cache/ keys_zone=auth_cache:10m; From 72a263d25a0fdb0ff09f4e3f7b3a6eaa2a04de85 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Tue, 24 Dec 2024 11:00:58 +0200 Subject: [PATCH 14/38] Create docker-compose.yaml --- .../nginx-proxy-manager/docker-compose.yaml | 137 ++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 deployment/nginx-proxy-manager/docker-compose.yaml diff --git a/deployment/nginx-proxy-manager/docker-compose.yaml b/deployment/nginx-proxy-manager/docker-compose.yaml new file mode 100644 index 0000000..12ba911 --- /dev/null +++ b/deployment/nginx-proxy-manager/docker-compose.yaml 
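Review bot: The `location ~ ^(.+\.php)(.*)$` block stays active while `location /` is commented out in favour of the subfolder proxy confs, so any URI containing `.php` matches this regex location ahead of the `location /` defined in `juiceshop.subfolder.conf` and is answered locally (a 404 from the `-f` check, since `root` is commented out) instead of being proxied to the backend. If this file exists only to front the juice-shop example, the FastCGI block can be commented out like the unused auth includes around it; otherwise a comment such as `# .php URIs are handled here and never reach the proxy-confs` would make the precedence explicit.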
@@ -0,0 +1,137 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with NGINX Proxy Manager +## + +version: '3.9' + +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + ipc: shareable + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - nginxproxymanager=true + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-nginx-proxy-manager: + container_name: appsec-nginx-proxy-manager + image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION} + ipc: service:appsec-agent + restart: unless-stopped + ports: + - '80:80' # Public HTTP Port + - '443:443' # Public HTTPS Port + - '81:81' # Admin Web Port + volumes: + - ${NPM_DATA}:/data + - ${NPM_LETSENCRYPT}:/etc/letsencrypt + - ${APPSEC_LOGS}:/ext/appsec-logs + - ${APPSEC_LOCALCONFIG}:/ext/appsec + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + 
restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) +## +## uncomment this block for testing purposes only, make sure to also create a new proxy host in the NGINX Proxy Manager WebUI +## which accepts traffic on http port 80 and proxies traffic to 
juiceshop-backend on port 3000. +## note that juiceshop container listens on HTTP port 3000 by default +# +# juiceshop-backend: +# image: bkimminich/juice-shop:latest +# container_name: juiceshop-backend + + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" From 2c91793f08f733d888821b70389738756ca25f92 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Tue, 24 Dec 2024 11:04:38 +0200 Subject: [PATCH 15/38] Create .env --- deployment/nginx-proxy-manager/.env | 31 +++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 deployment/nginx-proxy-manager/.env diff --git a/deployment/nginx-proxy-manager/.env b/deployment/nginx-proxy-manager/.env new file mode 100644 index 0000000..f20a0a1 --- /dev/null +++ b/deployment/nginx-proxy-manager/.env 
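Review bot: `- '81:81'` publishes the NGINX Proxy Manager admin UI on every host interface next to the public 80/443, and nothing in the file restricts who can reach it. Binding it to loopback, `- '127.0.0.1:81:81'  # Admin Web Port`, and reaching it through SSH or a proxy host keeps the management surface off the public side by default; if wide exposure is intended, a comment saying so next to the mapping would help. Separately, `image: postgres` under `appsec-db` carries no tag, so each fresh pull may land on a different major version against the same `${APPSEC_POSTGRES_STORAGE}` data directory; pinning a major, e.g. `image: postgres:16`, is safer for a persistent volume.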
@@ -0,0 +1,31 @@ +## .env file for docker-compose deployments of open-appsec integrated with NGINX Proxy Manager +## for more info see https://docs.openappsec.io + +APPSEC_VERSION=latest +APPSEC_CONFIG=./appsec-config +APPSEC_DATA=./appsec-data +APPSEC_LOGS=./appsec-logs +APPSEC_LOCALCONFIG=./appsec-localconfig +APPSEC_AUTO_POLICY_LOAD=false +## Example for configuring HTTPS Proxy: +## APPSEC_HTTPS_PROXY=user:password@proxy_address:port +APPSEC_HTTPS_PROXY= +APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage +APPSEC_USER_EMAIL=user@email.com +APPSEC_DB_PASSWORD=pass +APPSEC_DB_USER=postgres +APPSEC_DB_HOST=appsec-db +APPSEC_POSTGRES_STORAGE=./appsec-postgres-data + +# Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file +NPM_DATA=./data +NPM_LETSENCRYPT=./letsencrypt + +## To connect your deployment to central WebUI you can uncomment following line +## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io +## Example: APPSEC_AGENT_TOKEN=111-22222-111 +APPSEC_AGENT_TOKEN= + +## When not providing token for connection to central WebUI please uncomment following line +## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI +# COMPOSE_PROFILES=standalone From bbe293d215f2fb129728910f4f2282c52eeec056 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:10:48 +0200 Subject: [PATCH 16/38] Update docker-compose.yaml --- deployment/nginx/docker-compose.yaml | 100 ++++++++++++++++----------- 1 file changed, 59 insertions(+), 41 deletions(-) diff --git a/deployment/nginx/docker-compose.yaml b/deployment/nginx/docker-compose.yaml index ed59464..aee9fca 100644 --- a/deployment/nginx/docker-compose.yaml +++ b/deployment/nginx/docker-compose.yaml 
@@ -1,4 +1,21 @@ -version: "2" +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with NGINX +## + +version: "3.9" services: appsec-agent: image: ghcr.io/openappsec/agent:${APPSEC_VERSION} 
@@ -8,35 +25,38 @@ services: - LEARNING_HOST=appsec-smartsync - TUNING_HOST=appsec-tuning-svc - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${USER_EMAIL} + - user_email=${APPSEC_USER_EMAIL} - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - registered_server="NGINX Server" ipc: shareable + restart: unless-stopped volumes: - ${APPSEC_CONFIG}:/etc/cp/conf - ${APPSEC_DATA}:/etc/cp/data - ${APPSEC_LOGS}:/var/log/nano_agent - ${APPSEC_LOCALCONFIG}:/ext/appsec command: /cp-nano-agent + appsec-nginx: image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION} container_name: appsec-nginx ipc: service:appsec-agent -## when mounting own external nginx config uncomment the two lines below, place the config in {NGINX_CONF_DIR} -# volumes: -# - ${NGINX_CONF_DIR}:/etc/nginx/conf.d + restart: unless-stopped + volumes: + - ${NGINX_CONFIG}:/etc/nginx/conf.d ## advanced configuration - volume mount for nginx.conf file: -## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below -## make sure to include the line starting with "load_module" which loads the appsec attachment -## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container -## make sure to only have one "volumes:" key -# volumes: +## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below +## then specify a desired local folder for NGINX_CONF_FILE in the .env file. +## In the nginx.conf file make sure to include the line starting with "load_module" which loads the appsec attachment +## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container. # - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf + ports: - "80:80" - "443:443" + appsec-smartsync: profiles: - standalone 
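Review bot: The now-unconditional `- ${NGINX_CONFIG}:/etc/nginx/conf.d` mount is read-write although the container only needs to read the site configs; `- ${NGINX_CONFIG}:/etc/nginx/conf.d:ro` stops a misbehaving or compromised proxy from rewriting its own configuration on the host and matches the `:ro` used for the APISIX config mount later in this series. The new comment above the commented `${NGINX_CONF_FILE}` mount says to "specify a desired local folder" while the mount target is a single file, `nginx.conf`; "specify your local nginx.conf file" avoids a directory being pointed at it. Adjacent but untouched by this change: `- registered_server="NGINX Server"` is a plain YAML scalar, so the double quotes become part of the environment value the agent receives; `- registered_server=NGINX Server` passes the bare name.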
@@ -44,23 +64,27 @@ services: container_name: appsec-smartsync environment: - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped depends_on: - appsec-shared-storage + appsec-shared-storage: profiles: - standalone image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} container_name: appsec-shared-storage ipc: service:appsec-agent - ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment - ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db user: root volumes: - - ${SMART_SYNC_STORAGE}:/db:z + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z ## instead of using local storage for local learning (see line above) ## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) ## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) # - learning_nfs:/db:z + appsec-tuning-svc: profiles: - standalone 
@@ -68,51 +92,45 @@ services: container_name: appsec-tuning-svc environment: - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${DB_PASSWORD} - - QUERY_DB_HOST=${DB_HOST} - - QUERY_DB_USER=${DB_USER} + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} ## only relevant when deploying own DB # - SSLMODE: + restart: unless-stopped volumes: - ${APPSEC_CONFIG}:/etc/cp/conf depends_on: - appsec-shared-storage - appsec-db + appsec-db: profiles: - standalone image: postgres container_name: appsec-db - restart: always + restart: unless-stopped environment: - - POSTGRES_PASSWORD=${DB_PASSWORD} - - POSTGRES_USER=${DB_USER} + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} volumes: - - ${POSTGRES_STORAGE}:/var/lib/postgresql/data + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) -## -## uncomment this block for testing purposes only, make sure to also adjust the nginx.conf file -## to include a proxy_pass directive forwarding external traffic on e.g. 
port 80 to the juiceshop-backend container -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/default.conf -## place the file above in {NGINX_CONF_DIR} and uncomment the two lines for creating a volume mount -## in the appsec-nginx service definition -## note that juiceshop container listens on HTTP port 3000 by default -# -# juiceshop-backend: -# image: bkimminich/juice-shop:latest -# container_name: juiceshop-backend - + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop ## advanced configuration: learning_nfs volume for nfs storage in shared_storage container ## ## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -# -# volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" From 949b656b1357eb2b03c4ff262e70535b6ff66c7f Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:11:02 +0200 Subject: [PATCH 17/38] Update .env --- deployment/nginx/.env | 50 ++++++++++++++++++++++++++++++++----------- 1 file changed, 38 insertions(+), 12 deletions(-) diff --git a/deployment/nginx/.env b/deployment/nginx/.env index 978fae6..297335b 100644 --- a/deployment/nginx/.env +++ b/deployment/nginx/.env 
@@ -6,23 +6,49 @@ APPSEC_CONFIG=./appsec-config APPSEC_DATA=./appsec-data APPSEC_LOGS=./appsec-logs APPSEC_LOCALCONFIG=./appsec-localconfig + +## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing +## open-appsec configuration via open-appsec Web UI. +## You can optionally set it to true when using local, declarative management for open-appsec, +## declarative configuration will then get applied automatically when changed. APPSEC_AUTO_POLICY_LOAD=false + ## Example for configuring HTTPS Proxy: ## APPSEC_HTTPS_PROXY=user:password@proxy_address:port APPSEC_HTTPS_PROXY= -SMART_SYNC_STORAGE=./smartsync-storage -USER_EMAIL=user@email.com -DB_PASSWORD=pass -DB_USER=postgres -DB_HOST=appsec-db -POSTGRES_STORAGE=./postgres-data -NGINX_CONF_DIR=./nginx-proxy-config -## To connect your deployment to central WebUI you can uncomment following line -## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io +APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage +APPSEC_USER_EMAIL=user@email.com +APPSEC_DB_PASSWORD=pass +APPSEC_DB_USER=postgres +APPSEC_DB_HOST=appsec-db +APPSEC_POSTGRES_STORAGE=./appsec-postgres-data + +## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG. +## For deployment of a simple lab testing environment, you can deploy the example configuration provided +## for the vulnerable juice-shop container, see instructions further below. 
+NGINX_CONFIG=./nginx-config + +## To connect your deployment to central open-appsec WebUI provide the token for a profile +## which you created in open-appsec WebUI at https://my.openappsec.io ## Example: APPSEC_AGENT_TOKEN=111-22222-111 APPSEC_AGENT_TOKEN= -## When not providing token for connection to central WebUI please uncomment following line -## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI -# COMPOSE_PROFILES=standalone +## Important: When not providing token for connection to central WebUI: +## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable +## sharing of learning between processes and allow you to perform tuning locally on CLI +COMPOSE_PROFILES= + +## JUICE SHOP DEMO CONTAINER: +## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): +## Add the value "juiceshop" to the COMPOSE_PROFILES value above. + +## Make sure to also adjust the nginx.conf file in NGINX_CONFIG folder +## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container +## you can use the example file available here: +## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/nginx/default.conf +## place the file above in NGINX_CONFIG folder +## note that juiceshop container listens on HTTP port 3000 by default + +## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: +## COMPOSE_PROFILES=standalone,juiceshop From f05b5f8ceed86f5af6be6b23b35966bff3597799 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:11:47 +0200 Subject: [PATCH 18/38] Create default.conf --- deployment/nginx/nginx-config/default.conf | 47 ++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 deployment/nginx/nginx-config/default.conf 
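Review bot: The example URL `https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/nginx/default.conf` has no ref segment; raw.githubusercontent.com expects `owner/repo/<ref>/path`, so `examples` would be read as the branch name. The APISIX `.env` in this series uses `.../openappsec/openappsec/refs/heads/main/examples/juiceshop/apisix.yaml`, and this link should follow the same form. The same block says to "adjust the nginx.conf file in NGINX_CONFIG folder", while the comment above and the compose mount make `NGINX_CONFIG` the `conf.d` directory holding `default.conf`, with `nginx.conf` being the separate optional `NGINX_CONF_FILE` mount; "adjust the default.conf file in the NGINX_CONFIG folder" is what the reader needs.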
diff --git a/deployment/nginx/nginx-config/default.conf b/deployment/nginx/nginx-config/default.conf new file mode 100644 index 0000000..e3ca187 --- /dev/null +++ b/deployment/nginx/nginx-config/default.conf @@ -0,0 +1,47 @@ +server { + listen 80; + listen [::]:80; + server_name _; + + #access_log /var/log/nginx/host.access.log main; + + location / { + proxy_pass http://juiceshop-backend:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} From 4f215e1409b68af09b928534077616a7b1800875 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:12:09 +0200 Subject: [PATCH 19/38] Update docker-compose.yaml --- deployment/APISIX/docker-compose.yaml | 34 +++++++++------------------ 1 file changed, 11 insertions(+), 23 deletions(-) diff --git a/deployment/APISIX/docker-compose.yaml b/deployment/APISIX/docker-compose.yaml index 0e30df0..c416d9b 100644 --- a/deployment/APISIX/docker-compose.yaml +++ b/deployment/APISIX/docker-compose.yaml 
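Review bot: `proxy_pass http://juiceshop-backend:3000;` uses a static hostname, which nginx resolves while loading the configuration; when the `juiceshop` compose profile is not enabled the name does not exist on the network and, as far as I recall, nginx refuses to start with "host not found in upstream". Since this file sits in the directory `NGINX_CONFIG=./nginx-config` points at and `COMPOSE_PROFILES=` defaults to empty, the out-of-the-box combination looks like it fails rather than serving anything; either ship it under a non-active name such as `default.conf.juiceshop-example` or state the dependency at the top: `# DEMO ONLY: proxies all traffic to the intentionally vulnerable juice-shop container; start with COMPOSE_PROFILES=juiceshop or nginx will not start.` The file also has no "lab only" marker of its own, unlike the compose comments that reference it.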
@@ -40,21 +40,18 @@ services: appsec-apisix: image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION} -## If you want to deploy Kong Gateway Enterprise Edition comment out the line above and uncomment the following line: -# image: ghcr.io/openappsec/kong-gateway-attachment:${APPSEC_VERSION} container_name: appsec-apisix ipc: service:appsec-agent restart: always -## If you do not want to configure APISIX declaratively please comment out the following four lines and place the configfile in {APISIX_CONF_PATH}: -# environment: -# - APISIX_STAND_ALONE=true -# volumes: -# - ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro + environment: + - APISIX_STAND_ALONE=true + volumes: + - ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro ports: - - "9180:9180/tcp" - - "9080:9080/tcp" - - "9091:9091/tcp" - - "9443:9443/tcp" + - "9080:9080/tcp" # HTTP API port + - "9443:9443/tcp" # HTTPS API port + - "9180:9180/tcp" # Admin API HTTP port + - "9091:9091/tcp" # Admin API HTTPS port appsec-smartsync: profiles: 
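Review bot: The new port comments look partly wrong: with APISIX defaults, 9180 is the Admin API and 9091 is the Prometheus metrics export port, not an "Admin API HTTPS port"; worth checking against the image's `config.yaml` before the comment misleads an operator. More importantly, both 9180 and 9091 are published on all host interfaces; the Admin API is a control plane, and with `APISIX_STAND_ALONE=true` now forced it should not be needed at all, since standalone mode is driven from the mounted `apisix.yaml`. Dropping those two mappings, or binding them to loopback (`- "127.0.0.1:9180:9180/tcp"`, `- "127.0.0.1:9091:9091/tcp"`), keeps management and metrics endpoints off the public side.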
@@ -116,18 +113,9 @@ services: - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) -## -## uncomment this block for testing purposes only, make sure to also adjust the apisix.yaml file in {APISIX_CONFIG} folder -## to include route and node configuration for forwarding external traffic to the juiceshop-backend container -## (apisix listens by default for HTTP/HTTPS on port 9080/9443) -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/apisix.yaml -## in the appsec-apisix service definition -## note that juiceshop container listens on HTTP port 3000 by default -# -# juiceshop-backend: -# image: bkimminich/juice-shop:latest -# container_name: juiceshop-backend + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend ## advanced configuration: learning_nfs volume for nfs storage in shared_storage container From d39919f34819fd8638bc998f3df7cf4a488674f1 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:12:32 +0200 Subject: [PATCH 20/38] Update .env --- deployment/APISIX/.env | 36 +++++++++++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/deployment/APISIX/.env b/deployment/APISIX/.env index 77d8b4d..6be06df 100644 --- a/deployment/APISIX/.env +++ b/deployment/APISIX/.env 
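Review bot: `juiceshop-backend` becomes an always-on service here — the commented block is replaced by an unconditional definition with no `profiles:` key — so every APISIX deployment from this file starts the intentionally vulnerable container and makes it reachable on the gateway network even before any route points at it. The Kong and NGINX compose files in this series gate it with `profiles: - juiceshop`, and the APISIX `.env` updated in the next patch tells users to "add the value juiceshop to COMPOSE_PROFILES", which has no effect on this file. Adding `profiles:` / `- juiceshop` under `container_name: juiceshop-backend` makes the three deployments consistent and keeps the demo target opt-in.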
@@ -6,10 +6,17 @@ APPSEC_CONFIG=./appsec-config
 APPSEC_DATA=./appsec-data
 APPSEC_LOGS=./appsec-logs
 APPSEC_LOCALCONFIG=./appsec-localconfig
+
+## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
+## open-appsec configuration via open-appsec Web UI.
+## You can optionally set it to true when using local, declarative management for open-appsec,
+## declarative configuration will then get applied automatically when changed.
 APPSEC_AUTO_POLICY_LOAD=false
+
 ## Example for configuring HTTPS Proxy:
 ## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
 APPSEC_HTTPS_PROXY=
+
 APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
 APPSEC_USER_EMAIL=user@email.com
 APPSEC_DB_PASSWORD=pass
@@ -17,13 +24,32 @@ APPSEC_DB_USER=postgres APPSEC_DB_HOST=appsec-db APPSEC_POSTGRES_STORAGE=./appsec-postgres-data +## Make sure to have a valid apisix configuration for APISIX in standalone mode in the following file: +## For deployment of a simple lab testing environment, you can deploy the example configuration provided +## for the vulnerable juice-shop container, see instructions further below. APISIX_CONFIG=./apisix-config/apisix.yaml -## To connect your deployment to central WebUI you can uncomment following line -## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io +## To connect your deployment to central open-appsec WebUI provide the token for a profile +## which you created in open-appsec WebUI at https://my.openappsec.io ## Example: APPSEC_AGENT_TOKEN=111-22222-111 APPSEC_AGENT_TOKEN= -## When not providing token for connection to central WebUI please uncomment following line -## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI -# COMPOSE_PROFILES=standalone +## Important: When not providing token for connection to central WebUI: +## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable +## sharing of learning between processes and allow you to perform tuning locally on CLI +COMPOSE_PROFILES= + +## JUICE SHOP DEMO CONTAINER: +## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): +## Add the value "juiceshop" to the COMPOSE_PROFILES value above. 
+ +## Make sure to also adjust the apisix.yaml file in APISIX_CONFIG folder +## to include route and node configuration for forwarding external traffic to the juiceshop-backend container +## (apisix listens by default for HTTP/HTTPS on port 9080/9443) +## you can use the example file available here: +## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/apisix.yaml +## in the appsec-apisix service definition +## note that juiceshop container listens on HTTP port 3000 by default + +## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: +## COMPOSE_PROFILES=standalone,juiceshop From ae0de5bf14e1c4eff0b6e33ed596e0d6f6343f8a Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:13:12 +0200 Subject: [PATCH 21/38] Update docker-compose.yaml --- deployment/kong/docker-compose.yaml | 36 +++++++++++------------------ 1 file changed, 13 insertions(+), 23 deletions(-) diff --git a/deployment/kong/docker-compose.yaml b/deployment/kong/docker-compose.yaml index 58bed29..ad5c767 100644 --- a/deployment/kong/docker-compose.yaml +++ b/deployment/kong/docker-compose.yaml 
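Review bot: "adjust the apisix.yaml file in APISIX_CONFIG folder" does not match the variable defined above it, `APISIX_CONFIG=./apisix-config/apisix.yaml`, which is a file path mounted as a single file; "adjust the apisix.yaml file referenced by APISIX_CONFIG" is what the reader needs. The line "in the appsec-apisix service definition" is a leftover fragment from the removed compose comment and no longer attaches to anything; it can be dropped. The instruction to add "juiceshop" to COMPOSE_PROFILES assumes the compose service carries that profile, which the APISIX compose change in this series does not add.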
@@ -39,18 +39,16 @@ services: command: /cp-nano-agent appsec-kong: - image: ghcr.io/openappsec/kong-attachment:${APPSEC_VERSION} -## If you want to deploy Kong Gateway Enterprise Edition comment out the line above and uncomment the following line: -# image: ghcr.io/openappsec/kong-gateway-attachment:${APPSEC_VERSION} + image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION} container_name: appsec-kong ipc: service:appsec-agent -## If you want to deploy Kong in DB-less mode with declarative configuration -## please comment out the following five lines below and place the config in {KONG_CONF_DIR}: -# environment: -# - KONG_DATABASE=off -# - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml -# volumes: -# - ${KONG_CONFIG}:/opt/kong +## This docker compose deploys Kong in DB-less mode with declarative Kong configuration +## please make sure to have a valid config present in {KONG_CONFIG}: + environment: + - KONG_DATABASE=off + - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml + volumes: + - ${KONG_CONFIG}:/opt/kong restart: unless-stopped ports: - "8000:8000" 
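Review bot: `image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}` has no fallback, so a .env that predates the KONG_IMAGE variable expands to the reference `ghcr.io/openappsec/:latest` and fails at pull time with an error that never names the missing variable; `image: ghcr.io/openappsec/${KONG_IMAGE:-kong-attachment}:${APPSEC_VERSION}` keeps the default the .env documents, or `${KONG_IMAGE:?set KONG_IMAGE in .env}` fails with a clear message. The comment above `environment:` refers to `{KONG_CONFIG}`; writing it as `${KONG_CONFIG}` makes it match the volume line and the .env key. The `services:` mapping that encloses appsec-kong starts outside the hunk.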
@@ -118,19 +116,11 @@ services: - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) -## -## uncomment this block for testing purposes only, make sure to also adjust the kong.yaml file in {KONG_CONFIG} folder -## to include service and route configuration for forwarding external traffic to the juiceshop-backend container -## (kong listens by default for HTTP/HTTPS on port 8000/8443) -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/kong.yaml -## in the appsec-kong service definition -## note that juiceshop container listens on HTTP port 3000 by default -## -# juiceshop-backend: -# image: bkimminich/juice-shop:latest -# container_name: juiceshop-backend - + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop ## advanced configuration: learning_nfs volume for nfs storage in shared_storage container ## From d14fa7a4689101497a39d0eaa4a8f8747a95dacc Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:13:23 +0200 Subject: [PATCH 22/38] Update docker-compose.yaml --- deployment/kong/docker-compose.yaml | 170 ++++++++-------------------- 1 file changed, 46 insertions(+), 124 deletions(-) diff --git a/deployment/kong/docker-compose.yaml b/deployment/kong/docker-compose.yaml index ad5c767..b5471ec 100644 --- a/deployment/kong/docker-compose.yaml +++ b/deployment/kong/docker-compose.yaml 
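Review bot: Now that juiceshop-backend is an active, profile-gated service rather than a commented-out snippet, `image: bkimminich/juice-shop:latest` should be pinned to a specific tag or digest so a lab deployment is reproducible and a registry-side change to `latest` cannot silently alter what the demo runs, e.g. `image: bkimminich/juice-shop:<pinned-version>` (constructed placeholder). The same floating tag is introduced by the NGINX-Unified, swag-new and nginx-proxy-manager compose hunks further down in this series. The `services:` mapping enclosing this block starts outside the hunk.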
@@ -1,135 +1,57 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. +## .env file for docker-compose deployments of open-appsec integrated with Kong +## for more info see https://docs.openappsec.io -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at +APPSEC_VERSION=latest +APPSEC_CONFIG=./appsec-config +APPSEC_DATA=./appsec-data +APPSEC_LOGS=./appsec-logs +APPSEC_LOCALCONFIG=./appsec-localconfig -# http://www.apache.org/licenses/LICENSE-2.0 +## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing +## open-appsec configuration via open-appsec Web UI. +## You can optionally set it to true when using local, declarative management for open-appsec, +## declarative configuration will then get applied automatically when changed. +APPSEC_AUTO_POLICY_LOAD=false -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
+## Example for configuring HTTPS Proxy: +## APPSEC_HTTPS_PROXY=user:password@proxy_address:port +APPSEC_HTTPS_PROXY= -## -## Docker compose file for open-appsec integrated with Kong -## +APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage +APPSEC_USER_EMAIL=user@email.com +APPSEC_DB_PASSWORD=pass +APPSEC_DB_USER=postgres +APPSEC_DB_HOST=appsec-db +APPSEC_POSTGRES_STORAGE=./appsec-postgres-data -version: "3.9" -services: - appsec-agent: - image: ghcr.io/openappsec/agent:${APPSEC_VERSION} - container_name: appsec-agent - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - - registered_server=Kong Server - ipc: shareable - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - command: /cp-nano-agent +## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG. +## For deployment of a simple lab testing environment, you can deploy the example configuration provided +## for the vulnerable juice-shop container, see instructions further below. 
+KONG_CONFIG=./kong-config - appsec-kong: - image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION} - container_name: appsec-kong - ipc: service:appsec-agent -## This docker compose deploys Kong in DB-less mode with declarative Kong configuration -## please make sure to have a valid config present in {KONG_CONFIG}: - environment: - - KONG_DATABASE=off - - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml - volumes: - - ${KONG_CONFIG}:/opt/kong - restart: unless-stopped - ports: - - "8000:8000" - - "8443:8443" - - "127.0.0.1:8001:8001" - - "127.0.0.1:8444:8444" +## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment +KONG_IMAGE=kong-attachment - appsec-smartsync: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - restart: unless-stopped - depends_on: - - appsec-shared-storage +## To connect your deployment to central open-appsec WebUI provide the token for a profile +## which you created in open-appsec WebUI at https://my.openappsec.io +## Example: APPSEC_AGENT_TOKEN=111-22222-111 +APPSEC_AGENT_TOKEN= - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent - restart: unless-stopped -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the 
line above) -# - learning_nfs:/db:z +## Important: When not providing token for connection to central WebUI: +## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable +## sharing of learning between processes and allow you to perform tuning locally on CLI +COMPOSE_PROFILES= - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: unless-stopped - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data +## JUICE SHOP DEMO CONTAINER: +## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): +## Add the value "juiceshop" to the COMPOSE_PROFILES value above. 
-## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - container_name: juiceshop-backend - profiles: - - juiceshop +## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder +## to include service and route configuration for forwarding external traffic to the juiceshop-backend container +## (kong listens by default for HTTP/HTTPS on port 8000/8443) +## you can use the example file available here: +## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml +## note that juiceshop container listens on HTTP port 3000 by default -## advanced configuration: learning_nfs volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" +## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: +## COMPOSE_PROFILES=standalone,juiceshop From 63541a4c3c1587ce98dca32afc855a5f3d0152b5 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:13:53 +0200 Subject: [PATCH 23/38] Update docker-compose.yaml --- deployment/kong/docker-compose.yaml | 170 ++++++++++++++++++++-------- 1 file changed, 124 insertions(+), 46 deletions(-) diff --git a/deployment/kong/docker-compose.yaml b/deployment/kong/docker-compose.yaml index b5471ec..ad5c767 100644 --- a/deployment/kong/docker-compose.yaml +++ b/deployment/kong/docker-compose.yaml 
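Review bot: The new side of this hunk is the body of the kong .env file (`APPSEC_VERSION=latest`, `KONG_CONFIG=./kong-config`, ...) written into deployment/kong/docker-compose.yaml, which leaves the compose file with no `services:` mapping, and the very next commit (index b5471ec..ad5c767) restores the previous content. The two commits cancel out, so they should be dropped from the series or squashed rather than leaving a revision in history where this compose file cannot be brought up. If the intent was to update the .env, that is what the following "Update .env" commit does.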
@@ -1,57 +1,135 @@ -## .env file for docker-compose deployments of open-appsec integrated with Kong -## for more info see https://docs.openappsec.io +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing -## open-appsec configuration via open-appsec Web UI. -## You can optionally set it to true when using local, declarative management for open-appsec, -## declarative configuration will then get applied automatically when changed. -APPSEC_AUTO_POLICY_LOAD=false +# http://www.apache.org/licenses/LICENSE-2.0 -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data +## +## Docker compose file for open-appsec integrated with Kong +## -## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG. -## For deployment of a simple lab testing environment, you can deploy the example configuration provided -## for the vulnerable juice-shop container, see instructions further below. 
-KONG_CONFIG=./kong-config +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server=Kong Server + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent -## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment -KONG_IMAGE=kong-attachment + appsec-kong: + image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION} + container_name: appsec-kong + ipc: service:appsec-agent +## This docker compose deploys Kong in DB-less mode with declarative Kong configuration +## please make sure to have a valid config present in {KONG_CONFIG}: + environment: + - KONG_DATABASE=off + - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml + volumes: + - ${KONG_CONFIG}:/opt/kong + restart: unless-stopped + ports: + - "8000:8000" + - "8443:8443" + - "127.0.0.1:8001:8001" + - "127.0.0.1:8444:8444" -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the 
COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. 
+ appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data -## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder -## to include service and route configuration for forwarding external traffic to the juiceshop-backend container -## (kong listens by default for HTTP/HTTPS on port 8000/8443) -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml -## note that juiceshop container listens on HTTP port 3000 by default +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. 
as shown here: -## COMPOSE_PROFILES=standalone,juiceshop +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" From f6c36f3363af9b9100dca6ebd36b04c9a9a2c900 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:14:07 +0200 Subject: [PATCH 24/38] Update .env --- deployment/kong/.env | 38 +++++++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/deployment/kong/.env b/deployment/kong/.env index 60814b4..b5471ec 100644 --- a/deployment/kong/.env +++ b/deployment/kong/.env @@ -6,10 +6,17 @@ APPSEC_CONFIG=./appsec-config APPSEC_DATA=./appsec-data APPSEC_LOGS=./appsec-logs APPSEC_LOCALCONFIG=./appsec-localconfig + +## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing +## open-appsec configuration via open-appsec Web UI. +## You can optionally set it to true when using local, declarative management for open-appsec, +## declarative configuration will then get applied automatically when changed. APPSEC_AUTO_POLICY_LOAD=false + ## Example for configuring HTTPS Proxy: ## APPSEC_HTTPS_PROXY=user:password@proxy_address:port APPSEC_HTTPS_PROXY= + APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage APPSEC_USER_EMAIL=user@email.com APPSEC_DB_PASSWORD=pass 
@@ -17,13 +24,34 @@ APPSEC_DB_USER=postgres APPSEC_DB_HOST=appsec-db APPSEC_POSTGRES_STORAGE=./appsec-postgres-data +## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG. +## For deployment of a simple lab testing environment, you can deploy the example configuration provided +## for the vulnerable juice-shop container, see instructions further below. KONG_CONFIG=./kong-config -## To connect your deployment to central WebUI you can uncomment following line -## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io +## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment +KONG_IMAGE=kong-attachment + +## To connect your deployment to central open-appsec WebUI provide the token for a profile +## which you created in open-appsec WebUI at https://my.openappsec.io ## Example: APPSEC_AGENT_TOKEN=111-22222-111 APPSEC_AGENT_TOKEN= -## When not providing token for connection to central WebUI please uncomment following line -## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI -# COMPOSE_PROFILES=standalone +## Important: When not providing token for connection to central WebUI: +## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable +## sharing of learning between processes and allow you to perform tuning locally on CLI +COMPOSE_PROFILES= + +## JUICE SHOP DEMO CONTAINER: +## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): +## Add the value "juiceshop" to the COMPOSE_PROFILES value above. 
+ +## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder +## to include service and route configuration for forwarding external traffic to the juiceshop-backend container +## (kong listens by default for HTTP/HTTPS on port 8000/8443) +## you can use the example file available here: +## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml +## note that juiceshop container listens on HTTP port 3000 by default + +## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: +## COMPOSE_PROFILES=standalone,juiceshop From 46d42c8fa336807325fc388e07858b647e483731 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:15:15 +0200 Subject: [PATCH 25/38] Update docker-compose.yaml --- deployment/NGINX-Unified/docker-compose.yaml | 21 ++++++-------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/deployment/NGINX-Unified/docker-compose.yaml b/deployment/NGINX-Unified/docker-compose.yaml index b94928a..8d5c270 100644 --- a/deployment/NGINX-Unified/docker-compose.yaml +++ b/deployment/NGINX-Unified/docker-compose.yaml @@ -35,9 +35,7 @@ services: - ${APPSEC_DATA}:/etc/cp/data - ${APPSEC_LOGS}:/var/log/nano_agent - ${APPSEC_LOCALCONFIG}:/ext/appsec -## when mounting own external nginx config uncomment the line below, place the config in {NGINX_CONFIG} -# - ${NGINX_CONFIG}:/etc/nginx/conf.d -## + - ${NGINX_CONFIG}:/etc/nginx/conf.d ## advanced configuration - volume mount for nginx.conf file: ## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below ## make sure to include the line starting with "load_module" which loads the appsec attachment 
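Review bot: The example URL `https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml` has no ref segment — raw.githubusercontent.com paths take the form `<owner>/<repo>/<ref>/<path>`, and the compose-file line this replaces used `refs/heads/main/examples/juiceshop/kong.yaml` — so it is unlikely to resolve as written. Insert the branch or tag, `## https://raw.githubusercontent.com/openappsec/openappsec/<ref>/examples/juiceshop/kong/kong.yaml` (placeholder for the ref), and confirm the new `kong/` subdirectory exists, since the old path had the file directly under examples/juiceshop. The same ref-less form appears in the NGINX-Unified .env hunk (default.conf) and the swag-new .env hunk (juiceshop.subfolder.conf and default.conf) further down; the apisix .env hunk at the top of this chunk shows the correct form.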
@@ -108,18 +106,11 @@ services: - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) -## -## uncomment this block for testing purposes only, make sure to also adjust the nginx.conf file in {NGINX_CONFIG} folder -## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/default.conf -## place the file above in {NGINX_CONF_DIR} and uncomment the two lines for creating a volume mount -## in the appsec-nginx service definition -## note that juiceshop container listens on HTTP port 3000 by default -# -# juiceshop-backend: -# image: bkimminich/juice-shop:latest -# container_name: juiceshop-backend + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop ## advanced configuration: learning_nfs volume for nfs storage in shared_storage container From d024ad584583a9b390a23834261be2bde5ba0149 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:15:28 +0200 Subject: [PATCH 26/38] Update .env --- deployment/NGINX-Unified/.env | 35 ++++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/deployment/NGINX-Unified/.env b/deployment/NGINX-Unified/.env index a2f19fc..f064232 100644 --- a/deployment/NGINX-Unified/.env +++ b/deployment/NGINX-Unified/.env 
@@ -6,10 +6,17 @@ APPSEC_CONFIG=./appsec-config APPSEC_DATA=./appsec-data APPSEC_LOGS=./appsec-logs APPSEC_LOCALCONFIG=./appsec-localconfig + +## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing +## open-appsec configuration via open-appsec Web UI. +## You can optionally set it to true when using local, declarative management for open-appsec, +## declarative configuration will then get applied automatically when changed. APPSEC_AUTO_POLICY_LOAD=false + ## Example for configuring HTTPS Proxy: ## APPSEC_HTTPS_PROXY=user:password@proxy_address:port APPSEC_HTTPS_PROXY= + APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage APPSEC_USER_EMAIL=user@email.com APPSEC_DB_PASSWORD=pass 
@@ -17,13 +24,31 @@ APPSEC_DB_USER=postgres APPSEC_DB_HOST=appsec-db APPSEC_POSTGRES_STORAGE=./appsec-postgres-data +## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG. +## For deployment of a simple lab testing environment, you can deploy the example configuration provided +## for the vulnerable juice-shop container, see instructions further below. NGINX_CONFIG=./nginx-config -## To connect your deployment to central WebUI you can uncomment following line -## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io +## To connect your deployment to central open-appsec WebUI provide the token for a profile +## which you created in open-appsec WebUI at https://my.openappsec.io ## Example: APPSEC_AGENT_TOKEN=111-22222-111 APPSEC_AGENT_TOKEN= -## When not providing token for connection to central WebUI please uncomment following line -## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI -# COMPOSE_PROFILES=standalone +## Important: When not providing token for connection to central WebUI: +## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable +## sharing of learning between processes and allow you to perform tuning locally on CLI +COMPOSE_PROFILES= + +## JUICE SHOP DEMO CONTAINER: +## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): +## Add the value "juiceshop" to the COMPOSE_PROFILES value above. + +## Make sure to also adjust the nginx.conf file in NGINX_CONFIG folder +## to include a proxy_pass directive forwarding external traffic on e.g. 
port 80 to the juiceshop-backend container +## you can use the example file available here: +## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/nginx/default.conf +## place the file above in NGINX_CONFIG folder +## note that juiceshop container listens on HTTP port 3000 by default + +## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: +## COMPOSE_PROFILES=standalone,juiceshop From e0198a1a95564f7244048b3e28b1c5efeff591ce Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:17:49 +0200 Subject: [PATCH 27/38] Update docker-compose.yaml --- deployment/swag-new/docker-compose.yaml | 22 ++++++---------------- 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/deployment/swag-new/docker-compose.yaml b/deployment/swag-new/docker-compose.yaml index 10a9c87..ecce3c2 100644 --- a/deployment/swag-new/docker-compose.yaml +++ b/deployment/swag-new/docker-compose.yaml @@ -58,13 +58,11 @@ services: - ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS} ## see https://docs.linuxserver.io/images/docker-swag/ for ## more cert generation/validation options - - STAGING=${SWAG_STAGING} ## switch to 'false' after successful testing + - STAGING=${SWAG_STAGING} volumes: - ${SWAG_CONFIG}:/config -## when mounting own external nginx config uncomment the line below, place the config in {SWAG_NGINX_CONFIG} folder -# - ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs -## when mounting own proxy.conf files uncomment the line below, place the proxy config files in {SWAG_PROXY_CONFS} folder -# - ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs + - ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs + - ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs ports: - 443:443 - 80:80 ## optional 
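Review bot: The new comment `## Make sure to also adjust the nginx.conf file in NGINX_CONFIG folder` contradicts the line added at the top of the same hunk, which says the folder must hold `default.conf`, and the example file linked two lines below is also default.conf; the compose hunk above mounts NGINX_CONFIG at /etc/nginx/conf.d, where site files such as default.conf live, not nginx.conf. Changing it to `## Make sure to also adjust the default.conf file in NGINX_CONFIG folder` makes all three statements agree. The nginx.conf mount is documented separately in the compose file as an advanced option, so mentioning it here is only confusing.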
@@ -129,17 +127,9 @@ services: - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) -## -## uncomment this block for testing purposes only, make sure to put a juiceshop.subfolder.conf file in {SWAG_PROXY_CONFS} folder -## for proxying external traffic to the juiceshop-backend container and also adjust the NGINX default.conf file in {SWAG_NGINX_SITE_CONFS} folder -## you can use the example files available here: -## https://raw.githubusercontent.com/openappsec/openappsec/main/examples/juiceshop/swag/juiceshop.subfolder.conf -## https://raw.githubusercontent.com/openappsec/openappsec/main/examples/juiceshop/swag/default.conf -## note that juiceshop container listens on HTTP port 3000 by default -# -# juiceshop-backend: -# image: bkimminich/juice-shop:latest -# container_name: juiceshop-backend + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend ## advanced configuration: learning_nfs volume for nfs storage in shared_storage container From 87b34590d47e2e3d8ef0820aaab11004221ccbd9 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:18:04 +0200 Subject: [PATCH 28/38] Update .env --- deployment/swag-new/.env | 39 +++++++++++++++++++++++++++++++++------ 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/deployment/swag-new/.env b/deployment/swag-new/.env index 3034f90..ceb0326 100644 --- a/deployment/swag-new/.env +++ b/deployment/swag-new/.env 
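Review bot: The uncommented juiceshop-backend service has no `profiles:` entry, so this deliberately vulnerable container is started by every `docker compose up` of the swag-new deployment, unlike the kong, NGINX-Unified and nginx-proxy-manager hunks in this series, which gate it behind the `juiceshop` profile; the swag-new .env hunk below even tells users to add `juiceshop` to COMPOSE_PROFILES, which has no effect here. Add `profiles:` and `  - juiceshop` under `container_name: juiceshop-backend`, indented like the other keys of the service. The `services:` mapping enclosing this block starts outside the hunk.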
@@ -6,10 +6,17 @@ APPSEC_CONFIG=./appsec-config APPSEC_DATA=./appsec-data APPSEC_LOGS=./appsec-logs APPSEC_LOCALCONFIG=./appsec-localconfig + +## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing +## open-appsec configuration via open-appsec Web UI. +## You can optionally set it to true when using local, declarative management for open-appsec, +## declarative configuration will then get applied automatically when changed. APPSEC_AUTO_POLICY_LOAD=false + ## Example for configuring HTTPS Proxy: ## APPSEC_HTTPS_PROXY=user:password@proxy_address:port APPSEC_HTTPS_PROXY= + APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage APPSEC_USER_EMAIL=user@email.com APPSEC_DB_PASSWORD=pass @@ -19,8 +26,13 @@ APPSEC_POSTGRES_STORAGE=./appsec-postgres-data ## Most relevant SWAG parameters have been moved here as well allowing configuration via .env file SWAG_CONFIG=./swag-config +## Make sure to have a valid nginx config default.conf in SWAG_NGINX_SITE_CONFS folder SWAG_NGINX_SITE_CONFS=./swag-nginx-site-confs +## Make sure to have valid *.conf proxy configuration in SWAG_NGINX_PROXY_CONFS folder SWAG_PROXY_CONFS=./swag-proxy-confs +## For deployment of a simple lab testing environment, you can deploy the example configuration provided +## for the vulnerable juice-shop container, see instructions further below. + SWAG_TZ=Etc/UTC SWAG_VALIDATION=http # configure "http" or "dns" as validation modes SWAG_DNSPLUGIN="" # configure e.g. "route53" or some other DNS Plugin supported by SWAG if you set "dns" above @@ -31,7 +43,7 @@ SWAG_AWS_ACCESS_KEY_ID="" SWAG_AWS_SECRET_ACCESS_KEY="" ## -SWAG_STAGING=true +SWAG_STAGING=true ## switch to 'false' after successful testing SWAG_URL=yourdomain.url SWAG_SUBDOMAINS="" SWAG_ONLY_SUBDOMAINS="" 
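Review bot: In the `@@ -19,8 +26,13 @@` hunk the new comment `## Make sure to have valid *.conf proxy configuration in SWAG_NGINX_PROXY_CONFS folder` names a variable that does not exist; the key on the next line, and the one mounted in the swag compose hunk above, is `SWAG_PROXY_CONFS`. Rename it to `## Make sure to have valid *.conf proxy configuration in SWAG_PROXY_CONFS folder` so users searching for the key find the right line. The `@@ -31,7 +43,7 @@` hunk moves the STAGING hint into an inline .env comment, which matches the existing `SWAG_VALIDATION=http # ...` style in this file.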
@@ -39,11 +51,26 @@ SWAG_ONLY_SUBDOMAINS="" ## make sure your domain's public IP resolves to ## the docker host for Let's Encrypt cert generation to succeed -## To connect your deployment to central WebUI you can uncomment following line -## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io +## To connect your deployment to central open-appsec WebUI provide the token for a profile +## which you created in open-appsec WebUI at https://my.openappsec.io ## Example: APPSEC_AGENT_TOKEN=111-22222-111 APPSEC_AGENT_TOKEN= -## When not providing token for connection to central WebUI please uncomment following line -## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI -# COMPOSE_PROFILES=standalone +## Important: When not providing token for connection to central WebUI: +## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable +## sharing of learning between processes and allow you to perform tuning locally on CLI +COMPOSE_PROFILES= + +## JUICE SHOP DEMO CONTAINER: +## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): +## Add the value "juiceshop" to the COMPOSE_PROFILES value above. + +## Make sure to put a juiceshop.subfolder.conf file in SWAG_PROXY_CONFS folder +## for proxying external traffic to the juiceshop-backend container and also adjust the NGINX default.conf file in SWAG_NGINX_SITE_CONFS folder +## you can use the example files available here: +## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/juiceshop.subfolder.conf +## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/default.conf +## note that juiceshop container listens on HTTP port 3000 by default + +## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: +## COMPOSE_PROFILES=standalone,juiceshop 
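Review bot: The two raw.githubusercontent.com links in this hunk drop the branch segment: `https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/juiceshop.subfolder.conf` has `examples` in the position where raw.githubusercontent.com expects the ref, so the link will presumably not resolve. The lines removed from the compose file in the previous patch used `.../openappsec/openappsec/main/examples/juiceshop/swag/...`, and the APISIX `.env` deleted in patch 37 uses `.../refs/heads/main/examples/...`; restore one of those forms for both URLs. The envoy `.env` created in patch 34 has the same problem in its `.../openappsec/openappsec/examples/juiceshop/envoy/envoy.yaml` link.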
From a86aca13b4e15c08bc42530c8ef0dcf90d39e833 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:20:21 +0200 Subject: [PATCH 29/38] Update docker-compose.yaml --- .../nginx-proxy-manager/docker-compose.yaml | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/deployment/nginx-proxy-manager/docker-compose.yaml b/deployment/nginx-proxy-manager/docker-compose.yaml index 12ba911..fc80272 100644 --- a/deployment/nginx-proxy-manager/docker-compose.yaml +++ b/deployment/nginx-proxy-manager/docker-compose.yaml @@ -13,6 +13,7 @@ ## ## Docker compose file for open-appsec integrated with NGINX Proxy Manager +## with open-appsec management via NGINX Proxy Manager WebUI ## version: '3.9' @@ -45,9 +46,9 @@ services: ipc: service:appsec-agent restart: unless-stopped ports: - - '80:80' # Public HTTP Port - - '443:443' # Public HTTPS Port - - '81:81' # Admin Web Port + - 80:80 # Public HTTP Port + - 443:443 # Public HTTPS Port + - 81:81 # Admin Web Port volumes: - ${NPM_DATA}:/data - ${NPM_LETSENCRYPT}:/etc/letsencrypt @@ -114,15 +115,11 @@ services: - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) -## -## uncomment this block for testing purposes only, make sure to also create a new proxy host in the NGINX Proxy Manager WebUI -## which accepts traffic on http port 80 and proxies traffic to juiceshop-backend on port 3000. -## note that juiceshop container listens on HTTP port 3000 by default -# -# juiceshop-backend: -# image: bkimminich/juice-shop:latest -# container_name: juiceshop-backend - + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop ## advanced configuration: learning_nfs volume for nfs storage in shared_storage container ## From dc4b546bd1197112bd2d5a8eb54eb0b9a2c0464c Mon Sep 17 00:00:00 2001 
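Review bot: The second hunk drops the quotes around the port mappings, `- 80:80`, `- 443:443`, `- 81:81`, which is a step backwards: compose `ports` entries are strings, and a mapping like `22:22`, whose segment after the colon is 59 or less, is read as a base-60 integer by YAML 1.1 parsers. These three values still parse as strings, so nothing breaks today, but the file now differs from the envoy compose in patch 33 (`"80:80"`) and invites the trap when a low port is added later; keep `- "80:80" # Public HTTP Port` and the other two quoted. The enclosing `appsec-nginx-proxy-manager` service definition starts outside the hunk.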
From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:20:38 +0200 Subject: [PATCH 30/38] Update .env
---
 deployment/nginx-proxy-manager/.env | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/deployment/nginx-proxy-manager/.env b/deployment/nginx-proxy-manager/.env
index f20a0a1..129653f 100644
--- a/deployment/nginx-proxy-manager/.env
+++ b/deployment/nginx-proxy-manager/.env
@@ -6,10 +6,15 @@ APPSEC_CONFIG=./appsec-config
 APPSEC_DATA=./appsec-data
 APPSEC_LOGS=./appsec-logs
 APPSEC_LOCALCONFIG=./appsec-localconfig
-APPSEC_AUTO_POLICY_LOAD=false
+
+## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to true for changes
+## of open-appsec configuration in the NGINX Proxy Manager WebUI to be applied automatically
+APPSEC_AUTO_POLICY_LOAD=true
+
 ## Example for configuring HTTPS Proxy:
 ## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
 APPSEC_HTTPS_PROXY=
+
 APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
 APPSEC_USER_EMAIL=user@email.com
 APPSEC_DB_PASSWORD=pass
@@ -21,11 +26,23 @@ APPSEC_POSTGRES_STORAGE=./appsec-postgres-data NPM_DATA=./data NPM_LETSENCRYPT=./letsencrypt -## To connect your deployment to central WebUI you can uncomment following line -## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io +## To connect your deployment to central open-appsec WebUI provide the token for a profile +## which you created in open-appsec WebUI at https://my.openappsec.io ## Example: APPSEC_AGENT_TOKEN=111-22222-111 APPSEC_AGENT_TOKEN= -## When not providing token for connection to central WebUI please uncomment following line -## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI -# COMPOSE_PROFILES=standalone +## Important: When not providing token for connection to central WebUI: +## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable +## sharing of learning between processes and allow you to perform tuning locally on CLI +COMPOSE_PROFILES= + +## JUICE SHOP DEMO CONTAINER: +## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): +## Add the value "juiceshop" to the COMPOSE_PROFILES value above. + +## Make sure to also create a new proxy host in the NGINX Proxy Manager WebUI +## which accepts traffic on http port 80 and proxies traffic to juiceshop-backend on port 3000. +## note that juiceshop container listens on HTTP port 3000 by default + +## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: +## COMPOSE_PROFILES=standalone,juiceshop From 024423cce9296cec3660d63233bf244c7f32bfde Mon Sep 17 00:00:00 2001 
From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:21:35 +0200 Subject: [PATCH 31/38] Create docker-compose.yaml --- .../docker-compose.yaml | 132 ++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml diff --git a/deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml b/deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml new file mode 100644 index 0000000..4795c2b --- /dev/null +++ b/deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml 
@@ -0,0 +1,132 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with NGINX Proxy Manager +## with open-appsec management via central open-appsec WebUI (SaaS) +## + +version: '3.9' + +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + ipc: shareable + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - nginxproxymanager=true + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-nginx-proxy-manager: + container_name: appsec-nginx-proxy-manager + image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION} + ipc: service:appsec-agent + restart: unless-stopped + ports: + - 80:80 # Public HTTP Port + - 443:443 # Public HTTPS Port + - 81:81 # Admin Web Port + volumes: + - ${NPM_DATA}:/data + - ${NPM_LETSENCRYPT}:/etc/letsencrypt + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - 
SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + +## advanced configuration: learning_nfs 
volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" From 9e4c5014ce2e2cae411e7e23dfdc10f01bfe9b39 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:21:50 +0200 Subject: [PATCH 32/38] Create .env --- .../.env | 132 ++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 deployment/nginx-proxy-manager-centrally-managed/.env diff --git a/deployment/nginx-proxy-manager-centrally-managed/.env b/deployment/nginx-proxy-manager-centrally-managed/.env new file mode 100644 index 0000000..4795c2b --- /dev/null +++ b/deployment/nginx-proxy-manager-centrally-managed/.env 
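Review bot: `- 81:81 # Admin Web Port` publishes the NGINX Proxy Manager admin UI on every host interface, exactly like the public 80/443 ports, in a file whose stated purpose is a centrally managed deployment. Bind it to loopback unless it is deliberately meant to be reachable from outside, `- "127.0.0.1:81:81" # Admin Web Port, loopback only`, and say so in the comment. Separately, `image: postgres` for `appsec-db` is the only image in the file without a tag while every other service is pinned to `${APPSEC_VERSION}`; a floating major version of Postgres can refuse to start on a data directory written by an older one, so pin it, e.g. `image: postgres:<pinned-major-tag>` (placeholder). The `volumes:` block at the end is fully commented out, so the `learning_nfs` alias mentioned in the shared-storage comment has no active definition; that appears intended but is worth stating in the comment.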
@@ -0,0 +1,132 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with NGINX Proxy Manager +## with open-appsec management via central open-appsec WebUI (SaaS) +## + +version: '3.9' + +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + ipc: shareable + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - nginxproxymanager=true + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-nginx-proxy-manager: + container_name: appsec-nginx-proxy-manager + image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION} + ipc: service:appsec-agent + restart: unless-stopped + ports: + - 80:80 # Public HTTP Port + - 443:443 # Public HTTPS Port + - 81:81 # Admin Web Port + volumes: + - ${NPM_DATA}:/data + - ${NPM_LETSENCRYPT}:/etc/letsencrypt + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - 
SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + +## advanced configuration: learning_nfs 
volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" From 1f2502f9e4d07745d4fbae425707b5a94110f567 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:22:57 +0200 Subject: [PATCH 33/38] Create docker-compose.yaml --- deployment/envoy/docker-compose.yaml | 135 +++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 deployment/envoy/docker-compose.yaml diff --git a/deployment/envoy/docker-compose.yaml b/deployment/envoy/docker-compose.yaml new file mode 100644 index 0000000..11088b2 --- /dev/null +++ b/deployment/envoy/docker-compose.yaml 
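Review bot: This file is created as `deployment/nginx-proxy-manager-centrally-managed/.env` but its content is the docker-compose YAML from patch 31: the `index 0000000..4795c2b` blob id is identical to that commit's `docker-compose.yaml`, and the body starts with the license header, `version: '3.9'` and `services:`. Docker compose reads `.env` as `KEY=value` lines, so this file presumably either fails to parse or yields no variables, leaving `${APPSEC_VERSION}` and the other substitutions in the compose file empty. Replace it with a real env file in the shape of the nginx-proxy-manager `.env` from patch 30, with `APPSEC_AUTO_POLICY_LOAD=false` since this deployment is managed from the central WebUI, as the swag `.env` comment in patch 28 describes.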
@@ -0,0 +1,135 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with Envoy +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server="Envoy Server" + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-envoy: + image: openappsec-envoy:${APPSEC_VERSION} +# for docs: image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION} + container_name: appsec-envoy + ipc: service:appsec-agent + restart: unless-stopped + environment: + - ENVOY_UID=0 + - CONCURRENCY_CALC=${ENVOY_CONCURRENCY_CALC} + - CONCURRENCY_NUMBER=${ENVOY_CONCURRENCY_NUMBER} + volumes: + - ${ENVOY_CONFIG}:/envoy.yaml + command: -c /envoy.yaml +## adjustment of threads is possible as follows: +# command: -c /envoy.yaml --concurrency ${ENVOY_CONCURRENCY} + + ports: + - "80:80" + - "443:443" + + appsec-smartsync: + profiles: + - standalone + image: 
ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + 
container_name: juiceshop-backend + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" From 886a5befe1c74acc1e08610490ce38cf54a78194 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:23:17 +0200 Subject: [PATCH 34/38] Create .env --- deployment/envoy/.env | 57 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 deployment/envoy/.env diff --git a/deployment/envoy/.env b/deployment/envoy/.env new file mode 100644 index 0000000..e2e3ded --- /dev/null +++ b/deployment/envoy/.env 
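Review bot: `- registered_server="Envoy Server"` in the list-form `environment` passes the double quotes as part of the value, since YAML keeps them inside a plain scalar and compose takes the text after `=` verbatim, so the agent presumably registers under a name wrapped in quote characters; write `- registered_server=Envoy Server`. `image: openappsec-envoy:${APPSEC_VERSION}` next to the comment `# for docs: image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}` looks like a locally built image name left in place of the published one; anyone running this file as-is has nothing to pull, so the ghcr.io reference should be the active line. `ENVOY_UID=0` runs Envoy as root inside the container and deserves a comment explaining why the attachment needs it (presumably the shared IPC with the agent), so it is not copied into production blindly. The missing `profiles:` on `juiceshop-backend` is raised on the swag compose hunk earlier in this series.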
@@ -0,0 +1,57 @@
+## .env file for docker-compose deployments of open-appsec integrated with Envoy
+## for more info see https://docs.openappsec.io
+
+APPSEC_VERSION=latest
+APPSEC_CONFIG=./appsec-config
+APPSEC_DATA=./appsec-data
+APPSEC_LOGS=./appsec-logs
+APPSEC_LOCALCONFIG=./appsec-localconfig
+
+## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
+## open-appsec configuration via open-appsec Web UI.
+## You can optionally set it to true when using local, declarative management for open-appsec,
+## declarative configuration will then get applied automatically when changed.
+APPSEC_AUTO_POLICY_LOAD=false
+
+## Example for configuring HTTPS Proxy:
+## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
+APPSEC_HTTPS_PROXY=
+
+APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
+APPSEC_USER_EMAIL=user@email.com
+APPSEC_DB_PASSWORD=pass
+APPSEC_DB_USER=postgres
+APPSEC_DB_HOST=appsec-db
+APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+
+ENVOY_CONCURRENCY_CALC=numOfCores ## Possible values: "numOfCores" (default), "custom"
+ENVOY_CONCURRENCY_NUMBER=""
+
+## Make sure to have a valid envoy.yaml Envoy configuration file present in the path below.
+## For deployment of a simple lab testing environment, you can deploy the example configuration provided
+## for the vulnerable juice-shop container, see instructions further below.
+ENVOY_CONFIG=./envoy-config/envoy.yaml
+
+## To connect your deployment to central open-appsec WebUI provide the token for a profile
+## which you created in open-appsec WebUI at https://my.openappsec.io
+## Example: APPSEC_AGENT_TOKEN=111-22222-111
+APPSEC_AGENT_TOKEN=
+
+## Important: When not providing token for connection to central WebUI:
+## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
+## sharing of learning between processes and allow you to perform tuning locally on CLI
+COMPOSE_PROFILES=
+
+## JUICE SHOP DEMO CONTAINER:
+## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
+## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
+
+## Make sure to also adjust the envoy.yaml file in ENVOY_CONFIG path
+## to add a routing configuration for forwarding external traffic on e.g. port 80 to the juiceshop-backend container
+## you can use the example file available here:
+## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/envoy/envoy.yaml
+## place the file above in ENVOY_CONFIG path
+## note that juiceshop container listens on HTTP port 3000 by default
+
+## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
+## COMPOSE_PROFILES=standalone,juiceshop
From d2b9bc8c9c55785b740262862ee50743ade3a2e5 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 13 Jan 2025 14:23:49 +0200 Subject: [PATCH 35/38] Create envoy.yaml
---
 deployment/envoy/envoy-config/envoy.yaml | 56 ++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 deployment/envoy/envoy-config/envoy.yaml
diff --git a/deployment/envoy/envoy-config/envoy.yaml b/deployment/envoy/envoy-config/envoy.yaml
new file mode 100644
index 0000000..8ab8070
--- /dev/null
+++ b/deployment/envoy/envoy-config/envoy.yaml
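Review bot: `APPSEC_DB_PASSWORD=pass` ships a fixed default credential for the bundled `appsec-db` Postgres service that the envoy compose in patch 33 wires into both `POSTGRES_PASSWORD` and `QUERY_DB_PASSWORD`. The database is not published on a host port in that compose file, so exposure is limited to the compose network, but the value is committed and will be reused unchanged by anyone copying this directory; at least flag it above the line, `## Change this before deploying: password of the bundled appsec-db Postgres instance (only used with COMPOSE_PROFILES=standalone)`. The same default appears as context in the other `.env` files of this series, so one note here covers them; the broken example URL in this hunk is raised on the swag `.env` hunk.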
@@ -0,0 +1,56 @@
+static_resources:
+ listeners:
+ - name: listener_0
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 80
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: ingress_http
+ http_filters:
+ ## The following 10 lines are required to load the envoy attachment filter for open-appsec
+ - name: envoy.filters.http.golang
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
+ library_id: cp_nano_filter
+ library_path: "/usr/lib/libenvoy_attachment.so"
+ plugin_name: cp_nano_filter
+ plugin_config:
+ "@type": type.googleapis.com/xds.type.v3.TypedStruct
+ value:
+ prefix_localreply_body: "Configured local reply from go"
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+##
+## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file.
+##
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: local_service
+ domains: ["*"]
+ routes:
+ - match:
+ prefix: "/"
+ route:
+ cluster: juiceshop
+
+ clusters:
+ - name: juiceshop
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: juiceshop
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: juiceshop-backend
+ port_value: 3000
From 3d3d6e73b9f84e32bd81e9e25142c1dfb8634edd Mon Sep 17 00:00:00 2001
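Review bot: The envoy compose in patch 33 publishes `"80:80"` and `"443:443"`, but this configuration defines a single listener on `port_value: 80`, so connections to the published 443 port reach nothing inside the container. Either add a TLS listener (a second `listeners` entry with a `transport_socket`) for 443 or drop `443:443` from the compose `ports`, and say in the header comment that this example serves plaintext HTTP only. `prefix_localreply_body: "Configured local reply from go"` is a sample value; if the attachment does not read it, a comment saying the `plugin_config` value is a placeholder would stop readers from treating it as a tunable. The comment `## The following 10 lines are required ...` hard-codes a line count that drifts on the next edit; `## The envoy.filters.http.golang filter below loads the open-appsec attachment` names the block instead.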
From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 20 Jan 2025 11:49:03 +0200 Subject: [PATCH 36/38] Rename deployment/envoy/docker-compose.yaml to deployment/docker-compose/envoy/docker-compose.yaml --- deployment/{ => docker-compose}/envoy/docker-compose.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deployment/{ => docker-compose}/envoy/docker-compose.yaml (100%) diff --git a/deployment/envoy/docker-compose.yaml b/deployment/docker-compose/envoy/docker-compose.yaml similarity index 100% rename from deployment/envoy/docker-compose.yaml rename to deployment/docker-compose/envoy/docker-compose.yaml From b1731237d15c8784a00f06568d075b715158a33a Mon Sep 17 00:00:00 2001 
From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 20 Jan 2025 11:58:01 +0200 Subject: [PATCH 37/38] Delete deployment directory --- deployment/APISIX/.env | 55 ------- deployment/APISIX/apisix-config/apisix.yaml | 9 -- deployment/APISIX/docker-compose.yaml | 131 ---------------- deployment/NGINX-Unified/.env | 54 ------- deployment/NGINX-Unified/docker-compose.yaml | 126 --------------- .../NGINX-Unified/nginx-config/default.conf | 47 ------ .../apisix-standalone.yaml | 12 -- deployment/apisix/docker-compose.yaml | 47 ------ .../docker-compose/envoy/docker-compose.yaml | 135 ---------------- deployment/envoy/.env | 57 ------- deployment/envoy/envoy-config/envoy.yaml | 56 ------- deployment/kong/.env | 57 ------- deployment/kong/docker-compose.yaml | 135 ---------------- deployment/kong/kong-config/kong.yaml | 9 -- .../.env | 132 ---------------- .../docker-compose.yaml | 132 ---------------- deployment/nginx-proxy-manager/.env | 48 ------ .../nginx-proxy-manager/docker-compose.yaml | 134 ---------------- deployment/nginx/.env | 54 ------- deployment/nginx/docker-compose.yaml | 136 ---------------- deployment/nginx/nginx-config/default.conf | 47 ------ deployment/swag-new/.env | 76 --------- deployment/swag-new/docker-compose.yaml | 145 ------------------ .../swag-nginx-site-confs/default.conf | 84 ---------- .../swag-proxy-confs/juiceshop.subfolder.conf | 22 --- deployment/swag/docker-compose.yaml | 46 ------ 26 files changed, 1986 deletions(-) delete mode 100644 deployment/APISIX/.env delete mode 100644 deployment/APISIX/apisix-config/apisix.yaml delete mode 100644 deployment/APISIX/docker-compose.yaml delete mode 100644 deployment/NGINX-Unified/.env delete mode 100644 deployment/NGINX-Unified/docker-compose.yaml delete mode 100644 deployment/NGINX-Unified/nginx-config/default.conf delete mode 100644 deployment/apisix/apisix-example-config/apisix-standalone.yaml delete mode 100644 deployment/apisix/docker-compose.yaml delete mode 100644 
deployment/docker-compose/envoy/docker-compose.yaml delete mode 100644 deployment/envoy/.env delete mode 100644 deployment/envoy/envoy-config/envoy.yaml delete mode 100644 deployment/kong/.env delete mode 100644 deployment/kong/docker-compose.yaml delete mode 100644 deployment/kong/kong-config/kong.yaml delete mode 100644 deployment/nginx-proxy-manager-centrally-managed/.env delete mode 100644 deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml delete mode 100644 deployment/nginx-proxy-manager/.env delete mode 100644 deployment/nginx-proxy-manager/docker-compose.yaml delete mode 100644 deployment/nginx/.env delete mode 100644 deployment/nginx/docker-compose.yaml delete mode 100644 deployment/nginx/nginx-config/default.conf delete mode 100644 deployment/swag-new/.env delete mode 100644 deployment/swag-new/docker-compose.yaml delete mode 100644 deployment/swag-new/swag-nginx-site-confs/default.conf delete mode 100644 deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf delete mode 100644 deployment/swag/docker-compose.yaml diff --git a/deployment/APISIX/.env b/deployment/APISIX/.env deleted file mode 100644 index 6be06df..0000000 --- a/deployment/APISIX/.env +++ /dev/null 
@@ -1,55 +0,0 @@ -## .env file for docker-compose deployments of open-appsec integrated with APISIX -## for more info see https://docs.openappsec.io - -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig - -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing -## open-appsec configuration via open-appsec Web UI. -## You can optionally set it to true when using local, declarative management for open-appsec, -## declarative configuration will then get applied automatically when changed. -APPSEC_AUTO_POLICY_LOAD=false - -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= - -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data - -## Make sure to have a valid apisix configuration for APISIX in standalone mode in the following file: -## For deployment of a simple lab testing environment, you can deploy the example configuration provided -## for the vulnerable juice-shop container, see instructions further below. 
-APISIX_CONFIG=./apisix-config/apisix.yaml - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to also adjust the apisix.yaml file in APISIX_CONFIG folder -## to include route and node configuration for forwarding external traffic to the juiceshop-backend container -## (apisix listens by default for HTTP/HTTPS on port 9080/9443) -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/apisix.yaml -## in the appsec-apisix service definition -## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: -## COMPOSE_PROFILES=standalone,juiceshop diff --git a/deployment/APISIX/apisix-config/apisix.yaml b/deployment/APISIX/apisix-config/apisix.yaml deleted file mode 100644 index baa0928..0000000 --- a/deployment/APISIX/apisix-config/apisix.yaml +++ /dev/null @@ -1,9 +0,0 @@ -routes: - - - uri: / - upstream: - nodes: - "juiceshop-backend:3000": 1 - type: roundrobin - -#END diff --git a/deployment/APISIX/docker-compose.yaml b/deployment/APISIX/docker-compose.yaml deleted file mode 100644 index c416d9b..0000000 --- a/deployment/APISIX/docker-compose.yaml +++ /dev/null 
@@ -1,131 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec integrated with APISIX -## - -version: "3.9" -services: - appsec-agent: - image: ghcr.io/openappsec/agent:${APPSEC_VERSION} - container_name: appsec-agent - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - - registered_server=APISIX Server - ipc: shareable - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - command: /cp-nano-agent - - appsec-apisix: - image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION} - container_name: appsec-apisix - ipc: service:appsec-agent - restart: always - environment: - - APISIX_STAND_ALONE=true - volumes: - - ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro - ports: - - "9080:9080/tcp" # HTTP API port - - "9443:9443/tcp" # HTTPS API port - - "9180:9180/tcp" # Admin API HTTP port - - "9091:9091/tcp" # Admin API HTTPS port - - appsec-smartsync: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - restart: always - 
depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent - restart: always -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: always - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: always - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - container_name: juiceshop-backend - - -## advanced configuration: learning_nfs volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container 
configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/NGINX-Unified/.env b/deployment/NGINX-Unified/.env deleted file mode 100644 index f064232..0000000 --- a/deployment/NGINX-Unified/.env +++ /dev/null 
@@ -1,54 +0,0 @@ -## .env file for docker-compose deployments of open-appsec NGINX unified container -## for more info see https://docs.openappsec.io - -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig - -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing -## open-appsec configuration via open-appsec Web UI. -## You can optionally set it to true when using local, declarative management for open-appsec, -## declarative configuration will then get applied automatically when changed. -APPSEC_AUTO_POLICY_LOAD=false - -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= - -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data - -## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG. -## For deployment of a simple lab testing environment, you can deploy the example configuration provided -## for the vulnerable juice-shop container, see instructions further below. 
-NGINX_CONFIG=./nginx-config - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to also adjust the nginx.conf file in NGINX_CONFIG folder -## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/nginx/default.conf -## place the file above in NGINX_CONFIG folder -## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: -## COMPOSE_PROFILES=standalone,juiceshop diff --git a/deployment/NGINX-Unified/docker-compose.yaml b/deployment/NGINX-Unified/docker-compose.yaml deleted file mode 100644 index 8d5c270..0000000 --- a/deployment/NGINX-Unified/docker-compose.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec deployments of NGINX unified container -## - -version: "3.9" -services: - appsec-agent-nginx-unified: - image: ghcr.io/openappsec/agent-unified:${APPSEC_VERSION} - container_name: appsec-agent-nginx-unified - restart: unless-stopped - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - ipc: shareable - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - - ${NGINX_CONFIG}:/etc/nginx/conf.d -## advanced configuration - volume mount for nginx.conf file: -## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below -## make sure to include the line starting with "load_module" which loads the appsec attachment -## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container -# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf - ports: - - "80:80" - - "443:443" - command: /cp-nano-agent - - appsec-smartsync: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - 
environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - restart: unless-stopped - depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent-nginx-unified - restart: unless-stopped -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: unless-stopped - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - container_name: juiceshop-backend - profiles: - - juiceshop - - -## 
advanced configuration: learning_nfs volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/NGINX-Unified/nginx-config/default.conf b/deployment/NGINX-Unified/nginx-config/default.conf deleted file mode 100644 index e3ca187..0000000 --- a/deployment/NGINX-Unified/nginx-config/default.conf +++ /dev/null @@ -1,47 +0,0 @@ -server { - listen 80; - listen [::]:80; - server_name _; - - #access_log /var/log/nginx/host.access.log main; - - location / { - proxy_pass http://juiceshop-backend:3000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } - - #error_page 404 /404.html; - - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - - # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # - #location ~ \.php$ { - # proxy_pass http://127.0.0.1; - #} - - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - #location ~ \.php$ { - # root html; - # fastcgi_pass 127.0.0.1:9000; - # fastcgi_index index.php; - # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # include fastcgi_params; - #} - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} -} 
diff --git a/deployment/apisix/apisix-example-config/apisix-standalone.yaml b/deployment/apisix/apisix-example-config/apisix-standalone.yaml deleted file mode 100644 index 97ce7b7..0000000 --- a/deployment/apisix/apisix-example-config/apisix-standalone.yaml +++ /dev/null @@ -1,12 +0,0 @@ - -# example local declarative configuration file for apisix in standalone mode - -routes: - - - uri: /anything - upstream: - nodes: - "httpbin.org:80": 1 - type: roundrobin - -#END diff --git a/deployment/apisix/docker-compose.yaml b/deployment/apisix/docker-compose.yaml deleted file mode 100644 index 5047b56..0000000 --- a/deployment/apisix/docker-compose.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -version: "3" - -services: - apisix: - container_name: apisix - image: "ghcr.io/openappsec/apisix-attachment:latest" - ipc: host - restart: always - volumes: - - ./apisix-localconfig/apisix-standalone.yaml:/usr/local/apisix/conf/apisix.yaml:ro - environment: - - APISIX_STAND_ALONE=true - ports: - - "9180:9180/tcp" - - "9080:9080/tcp" - - "9091:9091/tcp" - - "9443:9443/tcp" - - appsec-agent: - container_name: appsec-agent - image: 'ghcr.io/openappsec/agent:latest' - ipc: host - restart: unless-stopped - environment: - # adjust with your own email below - - user_email=user@email.com - - registered_server="APISIX Server" - - AGENT_TOKEN= - volumes: - - ./appsec-config:/etc/cp/conf - - ./appsec-data:/etc/cp/data - - ./appsec-logs:/var/log/nano_agent - - ./appsec-localconfig:/ext/appsec - command: /cp-nano-agent diff --git a/deployment/docker-compose/envoy/docker-compose.yaml b/deployment/docker-compose/envoy/docker-compose.yaml deleted file mode 100644 index 11088b2..0000000 --- a/deployment/docker-compose/envoy/docker-compose.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec integrated with Envoy -## - -version: "3.9" -services: - appsec-agent: - image: ghcr.io/openappsec/agent:${APPSEC_VERSION} - container_name: appsec-agent - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - - registered_server="Envoy Server" - ipc: shareable - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - command: /cp-nano-agent - - appsec-envoy: - image: openappsec-envoy:${APPSEC_VERSION} -# for docs: image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION} - container_name: appsec-envoy - ipc: service:appsec-agent - restart: unless-stopped - environment: - - ENVOY_UID=0 - - CONCURRENCY_CALC=${ENVOY_CONCURRENCY_CALC} - - CONCURRENCY_NUMBER=${ENVOY_CONCURRENCY_NUMBER} - volumes: - - ${ENVOY_CONFIG}:/envoy.yaml - command: -c /envoy.yaml -## adjustment of threads is possible as follows: -# command: -c /envoy.yaml --concurrency ${ENVOY_CONCURRENCY} - - ports: - - "80:80" - - "443:443" - - appsec-smartsync: - profiles: - - standalone - image: 
ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - restart: unless-stopped - depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent - restart: unless-stopped -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: unless-stopped - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - 
container_name: juiceshop-backend - -## advanced configuration: learning_nfs volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/envoy/.env b/deployment/envoy/.env deleted file mode 100644 index e2e3ded..0000000 --- a/deployment/envoy/.env +++ /dev/null 
@@ -1,57 +0,0 @@ -## .env file for docker-compose deployments of open-appsec integrated with Envoy -## for more info see https://docs.openappsec.io - -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig - -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing -## open-appsec configuration via open-appsec Web UI. -## You can optionally set it to true when using local, declarative management for open-appsec, -## declarative configuration will then get applied automatically when changed. -APPSEC_AUTO_POLICY_LOAD=false - -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= - -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data - -ENVOY_CONCURRENCY_CALC=numOfCores ## Possible values: "numOfCores" (default), "custom" -ENVOY_CONCURRENCY_NUMBER="" - -## Make sure to have a valid envoy.yaml Envoy configuration file present in the path below. -## For deployment of a simple lab testing environment, you can deploy the example configuration provided -## for the vulnerable juice-shop container, see instructions further below. 
-ENVOY_CONFIG=./envoy-config/envoy.yaml - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to also adjust the envoy.yaml file in ENVOY_CONFIG path -## to add a routing configuration for forwarding external traffic on e.g. port 80 to the juiceshop-backend container -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/envoy/envoy.yaml -## place the file above in ENVOY_CONFIG path -## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: -## COMPOSE_PROFILES=standalone,juiceshop diff --git a/deployment/envoy/envoy-config/envoy.yaml b/deployment/envoy/envoy-config/envoy.yaml deleted file mode 100644 index 8ab8070..0000000 --- a/deployment/envoy/envoy-config/envoy.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -static_resources: - listeners: - - name: listener_0 - address: - socket_address: - address: 0.0.0.0 - port_value: 80 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - http_filters: - ## The following 10 lines are required to load the envoy attachment filter for open-appsec - - name: envoy.filters.http.golang - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config - library_id: cp_nano_filter - library_path: "/usr/lib/libenvoy_attachment.so" - plugin_name: cp_nano_filter - plugin_config: - "@type": type.googleapis.com/xds.type.v3.TypedStruct - value: - prefix_localreply_body: "Configured local reply from go" - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - -## -## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file. -## - route_config: - name: local_route - virtual_hosts: - - name: local_service - domains: ["*"] - routes: - - match: - prefix: "/" - route: - cluster: juiceshop - - clusters: - - name: juiceshop - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: juiceshop - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: juiceshop-backend - port_value: 3000 diff --git a/deployment/kong/.env b/deployment/kong/.env deleted file mode 100644 index b5471ec..0000000 --- a/deployment/kong/.env +++ /dev/null 
@@ -1,57 +0,0 @@ -## .env file for docker-compose deployments of open-appsec integrated with Kong -## for more info see https://docs.openappsec.io - -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig - -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing -## open-appsec configuration via open-appsec Web UI. -## You can optionally set it to true when using local, declarative management for open-appsec, -## declarative configuration will then get applied automatically when changed. -APPSEC_AUTO_POLICY_LOAD=false - -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= - -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data - -## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG. -## For deployment of a simple lab testing environment, you can deploy the example configuration provided -## for the vulnerable juice-shop container, see instructions further below. 
-KONG_CONFIG=./kong-config - -## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment -KONG_IMAGE=kong-attachment - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder -## to include service and route configuration for forwarding external traffic to the juiceshop-backend container -## (kong listens by default for HTTP/HTTPS on port 8000/8443) -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml -## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: -## COMPOSE_PROFILES=standalone,juiceshop diff --git a/deployment/kong/docker-compose.yaml b/deployment/kong/docker-compose.yaml deleted file mode 100644 index ad5c767..0000000 --- a/deployment/kong/docker-compose.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec integrated with Kong -## - -version: "3.9" -services: - appsec-agent: - image: ghcr.io/openappsec/agent:${APPSEC_VERSION} - container_name: appsec-agent - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - - registered_server=Kong Server - ipc: shareable - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - command: /cp-nano-agent - - appsec-kong: - image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION} - container_name: appsec-kong - ipc: service:appsec-agent -## This docker compose deploys Kong in DB-less mode with declarative Kong configuration -## please make sure to have a valid config present in {KONG_CONFIG}: - environment: - - KONG_DATABASE=off - - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml - volumes: - - ${KONG_CONFIG}:/opt/kong - restart: unless-stopped - ports: - - "8000:8000" - - "8443:8443" - - "127.0.0.1:8001:8001" - - "127.0.0.1:8444:8444" - - appsec-smartsync: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: 
appsec-smartsync - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - restart: unless-stopped - depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent - restart: unless-stopped -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: unless-stopped - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - container_name: juiceshop-backend - profiles: - - juiceshop - -## 
advanced configuration: learning_nfs volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/kong/kong-config/kong.yaml b/deployment/kong/kong-config/kong.yaml deleted file mode 100644 index 60c4c32..0000000 --- a/deployment/kong/kong-config/kong.yaml +++ /dev/null @@ -1,9 +0,0 @@ -_format_version: "3.0" - -services: - - name: juiceshop-service - url: http://juiceshop-backend:3000 - routes: - - name: juiceshop-route - paths: - - / diff --git a/deployment/nginx-proxy-manager-centrally-managed/.env b/deployment/nginx-proxy-manager-centrally-managed/.env deleted file mode 100644 index 4795c2b..0000000 --- a/deployment/nginx-proxy-manager-centrally-managed/.env +++ /dev/null 
@@ -1,132 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec integrated with NGINX Proxy Manager -## with open-appsec management via central open-appsec WebUI (SaaS) -## - -version: '3.9' - -services: - appsec-agent: - image: ghcr.io/openappsec/agent:${APPSEC_VERSION} - container_name: appsec-agent - ipc: shareable - restart: unless-stopped - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - - nginxproxymanager=true - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - command: /cp-nano-agent - - appsec-nginx-proxy-manager: - container_name: appsec-nginx-proxy-manager - image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION} - ipc: service:appsec-agent - restart: unless-stopped - ports: - - 80:80 # Public HTTP Port - - 443:443 # Public HTTPS Port - - 81:81 # Admin Web Port - volumes: - - ${NPM_DATA}:/data - - ${NPM_LETSENCRYPT}:/etc/letsencrypt - - appsec-smartsync: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - environment: - - 
SHARED_STORAGE_HOST=appsec-shared-storage - restart: unless-stopped - depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent - restart: unless-stopped -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: unless-stopped - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - container_name: juiceshop-backend - profiles: - - juiceshop - -## advanced configuration: learning_nfs 
volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml b/deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml deleted file mode 100644 index 4795c2b..0000000 --- a/deployment/nginx-proxy-manager-centrally-managed/docker-compose.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec integrated with NGINX Proxy Manager -## with open-appsec management via central open-appsec WebUI (SaaS) -## - -version: '3.9' - -services: - appsec-agent: - image: ghcr.io/openappsec/agent:${APPSEC_VERSION} - container_name: appsec-agent - ipc: shareable - restart: unless-stopped - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - - nginxproxymanager=true - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - command: /cp-nano-agent - - appsec-nginx-proxy-manager: - container_name: appsec-nginx-proxy-manager - image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION} - ipc: service:appsec-agent - restart: unless-stopped - ports: - - 80:80 # Public HTTP Port - - 443:443 # Public HTTPS Port - - 81:81 # Admin Web Port - volumes: - - ${NPM_DATA}:/data - - ${NPM_LETSENCRYPT}:/etc/letsencrypt - - appsec-smartsync: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - environment: - - 
SHARED_STORAGE_HOST=appsec-shared-storage - restart: unless-stopped - depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent - restart: unless-stopped -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: unless-stopped - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - container_name: juiceshop-backend - profiles: - - juiceshop - -## advanced configuration: learning_nfs 
volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/nginx-proxy-manager/.env b/deployment/nginx-proxy-manager/.env deleted file mode 100644 index 129653f..0000000 --- a/deployment/nginx-proxy-manager/.env +++ /dev/null 
@@ -1,48 +0,0 @@ -## .env file for docker-compose deployments of open-appsec integrated with NGINX Proxy Manager -## for more info see https://docs.openappsec.io - -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig - -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to true for changes -## of open-appsec configuration in the NGINX Proxy Manager WebUI to be applied automatically -APPSEC_AUTO_POLICY_LOAD=true - -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= - -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data - -# Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file -NPM_DATA=./data -NPM_LETSENCRYPT=./letsencrypt - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to also create a new proxy host in the NGINX Proxy Manager WebUI -## which accepts traffic on http port 80 and proxies traffic to juiceshop-backend on port 3000. 
-## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: -## COMPOSE_PROFILES=standalone,juiceshop diff --git a/deployment/nginx-proxy-manager/docker-compose.yaml b/deployment/nginx-proxy-manager/docker-compose.yaml deleted file mode 100644 index fc80272..0000000 --- a/deployment/nginx-proxy-manager/docker-compose.yaml +++ /dev/null 
@@ -1,134 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec integrated with NGINX Proxy Manager -## with open-appsec management via NGINX Proxy Manager WebUI -## - -version: '3.9' - -services: - appsec-agent: - image: ghcr.io/openappsec/agent:${APPSEC_VERSION} - container_name: appsec-agent - ipc: shareable - restart: unless-stopped - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - - nginxproxymanager=true - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - command: /cp-nano-agent - - appsec-nginx-proxy-manager: - container_name: appsec-nginx-proxy-manager - image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION} - ipc: service:appsec-agent - restart: unless-stopped - ports: - - 80:80 # Public HTTP Port - - 443:443 # Public HTTPS Port - - 81:81 # Admin Web Port - volumes: - - ${NPM_DATA}:/data - - ${NPM_LETSENCRYPT}:/etc/letsencrypt - - ${APPSEC_LOGS}:/ext/appsec-logs - - ${APPSEC_LOCALCONFIG}:/ext/appsec - - appsec-smartsync: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - 
environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - restart: unless-stopped - depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent - restart: unless-stopped -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: unless-stopped - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - container_name: juiceshop-backend - profiles: - - juiceshop - -## advanced configuration: 
learning_nfs volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/nginx/.env b/deployment/nginx/.env deleted file mode 100644 index 297335b..0000000 --- a/deployment/nginx/.env +++ /dev/null 
@@ -1,54 +0,0 @@ -## .env file for docker-compose deployments of open-appsec integrated with NGINX -## for more info see https://docs.openappsec.io - -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig - -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing -## open-appsec configuration via open-appsec Web UI. -## You can optionally set it to true when using local, declarative management for open-appsec, -## declarative configuration will then get applied automatically when changed. -APPSEC_AUTO_POLICY_LOAD=false - -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= - -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data - -## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG. -## For deployment of a simple lab testing environment, you can deploy the example configuration provided -## for the vulnerable juice-shop container, see instructions further below. 
-NGINX_CONFIG=./nginx-config - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to also adjust the nginx.conf file in NGINX_CONFIG folder -## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container -## you can use the example file available here: -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/nginx/default.conf -## place the file above in NGINX_CONFIG folder -## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here: -## COMPOSE_PROFILES=standalone,juiceshop diff --git a/deployment/nginx/docker-compose.yaml b/deployment/nginx/docker-compose.yaml deleted file mode 100644 index aee9fca..0000000 --- a/deployment/nginx/docker-compose.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec integrated with NGINX -## - -version: "3.9" -services: - appsec-agent: - image: ghcr.io/openappsec/agent:${APPSEC_VERSION} - container_name: appsec-agent - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - - registered_server="NGINX Server" - ipc: shareable - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - command: /cp-nano-agent - - appsec-nginx: - image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION} - container_name: appsec-nginx - ipc: service:appsec-agent - restart: unless-stopped - volumes: - - ${NGINX_CONFIG}:/etc/nginx/conf.d - -## advanced configuration - volume mount for nginx.conf file: -## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below -## then specify a desired local folder for NGINX_CONF_FILE in the .env file. 
-## In the nginx.conf file make sure to include the line starting with "load_module" which loads the appsec attachment -## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container. -# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf - - ports: - - "80:80" - - "443:443" - - appsec-smartsync: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - restart: unless-stopped - depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent - restart: unless-stopped -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: 
appsec-db - restart: unless-stopped - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - container_name: juiceshop-backend - profiles: - - juiceshop - -## advanced configuration: learning_nfs volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/nginx/nginx-config/default.conf b/deployment/nginx/nginx-config/default.conf deleted file mode 100644 index e3ca187..0000000 --- a/deployment/nginx/nginx-config/default.conf +++ /dev/null 
@@ -1,47 +0,0 @@ -server { - listen 80; - listen [::]:80; - server_name _; - - #access_log /var/log/nginx/host.access.log main; - - location / { - proxy_pass http://juiceshop-backend:3000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } - - #error_page 404 /404.html; - - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - - # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # - #location ~ \.php$ { - # proxy_pass http://127.0.0.1; - #} - - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - #location ~ \.php$ { - # root html; - # fastcgi_pass 127.0.0.1:9000; - # fastcgi_index index.php; - # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # include fastcgi_params; - #} - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} -} diff --git a/deployment/swag-new/.env b/deployment/swag-new/.env deleted file mode 100644 index ceb0326..0000000 --- a/deployment/swag-new/.env +++ /dev/null 
@@ -1,76 +0,0 @@ -## .env file for docker-compose deployments of open-appsec integrated with SWAG -## for more info see https://docs.openappsec.io - -APPSEC_VERSION=latest -APPSEC_CONFIG=./appsec-config -APPSEC_DATA=./appsec-data -APPSEC_LOGS=./appsec-logs -APPSEC_LOCALCONFIG=./appsec-localconfig - -## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing -## open-appsec configuration via open-appsec Web UI. -## You can optionally set it to true when using local, declarative management for open-appsec, -## declarative configuration will then get applied automatically when changed. -APPSEC_AUTO_POLICY_LOAD=false - -## Example for configuring HTTPS Proxy: -## APPSEC_HTTPS_PROXY=user:password@proxy_address:port -APPSEC_HTTPS_PROXY= - -APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage -APPSEC_USER_EMAIL=user@email.com -APPSEC_DB_PASSWORD=pass -APPSEC_DB_USER=postgres -APPSEC_DB_HOST=appsec-db -APPSEC_POSTGRES_STORAGE=./appsec-postgres-data - -## Most relevant SWAG parameters have been moved here as well allowing configuration via .env file -SWAG_CONFIG=./swag-config -## Make sure to have a valid nginx config default.conf in SWAG_NGINX_SITE_CONFS folder -SWAG_NGINX_SITE_CONFS=./swag-nginx-site-confs -## Make sure to have valid *.conf proxy configuration in SWAG_NGINX_PROXY_CONFS folder -SWAG_PROXY_CONFS=./swag-proxy-confs -## For deployment of a simple lab testing environment, you can deploy the example configuration provided -## for the vulnerable juice-shop container, see instructions further below. - -SWAG_TZ=Etc/UTC -SWAG_VALIDATION=http # configure "http" or "dns" as validation modes -SWAG_DNSPLUGIN="" # configure e.g. 
"route53" or some other DNS Plugin supported by SWAG if you set "dns" above - -## Examples parameters for "route53" DNS plugin (AWS DNS service), you can add others here as required, -## when you do make sure to also add them to the docker compose file -SWAG_AWS_ACCESS_KEY_ID="" -SWAG_AWS_SECRET_ACCESS_KEY="" -## - -SWAG_STAGING=true ## switch to 'false' after successful testing -SWAG_URL=yourdomain.url -SWAG_SUBDOMAINS="" -SWAG_ONLY_SUBDOMAINS="" -## replace yourdomain.url with your own domain -## make sure your domain's public IP resolves to -## the docker host for Let's Encrypt cert generation to succeed - -## To connect your deployment to central open-appsec WebUI provide the token for a profile -## which you created in open-appsec WebUI at https://my.openappsec.io -## Example: APPSEC_AGENT_TOKEN=111-22222-111 -APPSEC_AGENT_TOKEN= - -## Important: When not providing token for connection to central WebUI: -## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable -## sharing of learning between processes and allow you to perform tuning locally on CLI -COMPOSE_PROFILES= - -## JUICE SHOP DEMO CONTAINER: -## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!): -## Add the value "juiceshop" to the COMPOSE_PROFILES value above. - -## Make sure to put a juiceshop.subfolder.conf file in SWAG_PROXY_CONFS folder -## for proxying external traffic to the juiceshop-backend container and also adjust the NGINX default.conf file in SWAG_NGINX_SITE_CONFS folder -## you can use the example files available here: -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/juiceshop.subfolder.conf -## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/default.conf -## note that juiceshop container listens on HTTP port 3000 by default - -## Note that COMPOSE_PROFILES can also receive multiple values, e.g. 
as shown here: -## COMPOSE_PROFILES=standalone,juiceshop diff --git a/deployment/swag-new/docker-compose.yaml b/deployment/swag-new/docker-compose.yaml deleted file mode 100644 index ecce3c2..0000000 --- a/deployment/swag-new/docker-compose.yaml +++ /dev/null 
@@ -1,145 +0,0 @@ -# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -# Licensed under the Apache License, Version 2.0 (the "License"); -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## -## Docker compose file for open-appsec integrated with SWAG -## - -version: "3.9" -services: - appsec-agent: - image: ghcr.io/openappsec/agent:${APPSEC_VERSION} - container_name: appsec-agent - restart: unless-stopped - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - LEARNING_HOST=appsec-smartsync - - TUNING_HOST=appsec-tuning-svc - - https_proxy=${APPSEC_HTTPS_PROXY} - - user_email=${APPSEC_USER_EMAIL} - - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - - registered_server=SWAG Server - ipc: shareable - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - - ${APPSEC_DATA}:/etc/cp/data - - ${APPSEC_LOGS}:/var/log/nano_agent - - ${APPSEC_LOCALCONFIG}:/ext/appsec - command: /cp-nano-agent - - appsec-swag: - image: ghcr.io/openappsec/swag-attachment:latest - container_name: appsec-swag - ipc: service:appsec-agent - restart: unless-stopped - cap_add: - - NET_ADMIN - environment: - - PUID=1000 - - PGID=1000 - - TZ=${SWAG_TZ} - - URL=${SWAG_URL} - - VALIDATION=${SWAG_VALIDATION} - - DNSPLUGIN=${SWAG_DNSPLUGIN} - - AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID} - - AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY} - - SUBDOMAINS=${SWAG_SUBDOMAINS} - - ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS} -## see https://docs.linuxserver.io/images/docker-swag/ for -## more cert generation/validation options - - STAGING=${SWAG_STAGING} - volumes: - - 
${SWAG_CONFIG}:/config - - ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs - - ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs - ports: - - 443:443 - - 80:80 ## optional - - appsec-smartsync: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} - container_name: appsec-smartsync - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - restart: unless-stopped - depends_on: - - appsec-shared-storage - - appsec-shared-storage: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} - container_name: appsec-shared-storage - ipc: service:appsec-agent - restart: unless-stopped -## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment -## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db - user: root - volumes: - - ${APPSEC_SMART_SYNC_STORAGE}:/db:z -## instead of using local storage for local learning (see line above) -## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) -## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) -# - learning_nfs:/db:z - - appsec-tuning-svc: - profiles: - - standalone - image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} - container_name: appsec-tuning-svc - environment: - - SHARED_STORAGE_HOST=appsec-shared-storage - - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - - QUERY_DB_HOST=${APPSEC_DB_HOST} - - QUERY_DB_USER=${APPSEC_DB_USER} -## only relevant when deploying own DB -# - SSLMODE: - restart: unless-stopped - volumes: - - ${APPSEC_CONFIG}:/etc/cp/conf - depends_on: - - appsec-shared-storage - - appsec-db - - appsec-db: - profiles: - - standalone - image: postgres - container_name: appsec-db - restart: unless-stopped - environment: - - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - - POSTGRES_USER=${APPSEC_DB_USER} - 
volumes: - - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data - -## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) - juiceshop-backend: - image: bkimminich/juice-shop:latest - container_name: juiceshop-backend - - -## advanced configuration: learning_nfs volume for nfs storage in shared_storage container -## -## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) -## -#volumes: -# learning_nfs: -# driver: local -# driver_opts: -# type: nfs -# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport -# device: ":/" diff --git a/deployment/swag-new/swag-nginx-site-confs/default.conf b/deployment/swag-new/swag-nginx-site-confs/default.conf deleted file mode 100644 index 9412c18..0000000 --- a/deployment/swag-new/swag-nginx-site-confs/default.conf +++ /dev/null 
@@ -1,84 +0,0 @@ -## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample - -# redirect all traffic to https -server { - listen 80 default_server; - listen [::]:80 default_server; - - location / { - return 301 https://$host$request_uri; - } -} - -# main server block -server { - listen 443 ssl default_server; - listen [::]:443 ssl default_server; - - server_name _; - - include /config/nginx/ssl.conf; - -# root /config/www; -# index index.html index.htm index.php; - - # enable subfolder method reverse proxy confs - include /config/nginx/proxy-confs/*.subfolder.conf; - - # enable for ldap auth (requires ldap-location.conf in the location block) - #include /config/nginx/ldap-server.conf; - - # enable for Authelia (requires authelia-location.conf in the location block) - #include /config/nginx/authelia-server.conf; - - # enable for Authentik (requires authentik-location.conf in the location block) - #include /config/nginx/authentik-server.conf; - - #location / { - # enable for basic auth - #auth_basic "Restricted"; - #auth_basic_user_file /config/nginx/.htpasswd; - - # enable for ldap auth (requires ldap-server.conf in the server block) - #include /config/nginx/ldap-location.conf; - - # enable for Authelia (requires authelia-server.conf in the server block) - #include /config/nginx/authelia-location.conf; - - # enable for Authentik (requires authentik-server.conf in the server block) - #include /config/nginx/authentik-location.conf; - - # try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args; - #} - - location ~ ^(.+\.php)(.*)$ { - # enable the next two lines for http auth - #auth_basic "Restricted"; - #auth_basic_user_file /config/nginx/.htpasswd; - - # enable for ldap auth (requires ldap-server.conf in the server block) - #include /config/nginx/ldap-location.conf; - - # enable for Authelia (requires authelia-server.conf in the server block) - #include 
/config/nginx/authelia-location.conf; - - # enable for Authentik (requires authentik-server.conf in the server block) - #include /config/nginx/authentik-location.conf; - - fastcgi_split_path_info ^(.+\.php)(.*)$; - if (!-f $document_root$fastcgi_script_name) { return 404; } - fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include /etc/nginx/fastcgi_params; - } - - # deny access to .htaccess/.htpasswd files - location ~ /\.ht { - deny all; - } -} - -# enable subdomain method reverse proxy confs -include /config/nginx/proxy-confs/*.subdomain.conf; -# enable proxy cache for auth -proxy_cache_path cache/ keys_zone=auth_cache:10m; diff --git a/deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf b/deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf deleted file mode 100644 index e94c276..0000000 --- a/deployment/swag-new/swag-proxy-confs/juiceshop.subfolder.conf +++ /dev/null @@ -1,22 +0,0 @@ -location / { - # enable the next two lines for http auth - #auth_basic "Restricted"; - #auth_basic_user_file /config/nginx/.htpasswd; - - # enable for ldap auth (requires ldap-server.conf in the server block) - #include /config/nginx/ldap-location.conf; - - # enable for Authelia (requires authelia-server.conf in the server block) - #include /config/nginx/authelia-location.conf; - - # enable for Authentik (requires authentik-server.conf in the server block) - #include /config/nginx/authentik-location.conf; - - include /config/nginx/proxy.conf; - include /config/nginx/resolver.conf; - set $upstream_app juiceshop-backend; - set $upstream_port 3000; - set $upstream_proto http; - proxy_pass $upstream_proto://$upstream_app:$upstream_port; - -} diff --git a/deployment/swag/docker-compose.yaml b/deployment/swag/docker-compose.yaml deleted file mode 100644 index dcd5fbf..0000000 --- a/deployment/swag/docker-compose.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -services: - swag-attachment: - image: ghcr.io/openappsec/swag-attachment:latest - ipc: service:appsec-agent - restart: unless-stopped - container_name: swag-attachment - cap_add: - - NET_ADMIN - environment: - - PUID=1000 - - PGID=1000 - - TZ=Etc/UTC - - URL=yourdomain.url # replace yourdomain.url with your own domain - # make sure your domain's public IP resolves to - # the docker host for Let's Encrypt cert generation to succeed - - VALIDATION=http - # see https://docs.linuxserver.io/images/docker-swag/ for - # more cert generation/validation options - - STAGING=true # switch to 'false' after successful testing - volumes: - - ./swag-config:/config - ports: - - 443:443 - - 80:80 #optional - - appsec-agent: - container_name: appsec-agent - image: ghcr.io/openappsec/agent:latest - ipc: shareable - restart: unless-stopped - environment: - - user_email=user@email.com # adjust with your own email - - registered_server=SWAG Server - # if autoPolicyLoad is set to true, open-appsec will apply - # changes in local_policy.yaml automatically - - autoPolicyLoad=true - # To connect to open-appsec central management WebUI - ## create your WebUI profile at https://my.openappsec.io, - ## enforce policy, copy the profile token from WebUI and add it below - - AGENT_TOKEN= - volumes: - - ./appsec-config:/etc/cp/conf - - ./appsec-data:/etc/cp/data - - ./appsec-logs:/var/log/nano_agent - - ./appsec-localconfig:/ext/appsec - command: /cp-nano-agent From 923a8a804be56af774845dc0e6907328d6c5b309 Mon Sep 17 00:00:00 2001 
From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 20 Jan 2025 12:00:49 +0200 Subject: [PATCH 38/38] Add files via upload --- .../apisix-standalone.yaml | 12 ++ deployment/apisix/docker-compose.yaml | 47 ++++++ .../apisix/apisix-config/apisix.yaml | 9 ++ .../docker-compose/apisix/docker-compose.yaml | 131 ++++++++++++++++ .../docker-compose/envoy/docker-compose.yaml | 135 ++++++++++++++++ .../envoy/envoy-config/envoy.yaml | 56 +++++++ .../docker-compose/kong/docker-compose.yaml | 135 ++++++++++++++++ .../docker-compose/kong/kong-config/kong.yaml | 9 ++ .../docker-compose.yaml | 132 ++++++++++++++++ .../nginx-proxy-manager/docker-compose.yaml | 134 ++++++++++++++++ .../nginx-unifed/docker-compose.yaml | 126 +++++++++++++++ .../nginx-unifed/nginx-config/default.conf | 47 ++++++ .../docker-compose/swag/docker-compose.yaml | 145 ++++++++++++++++++ .../swag/swag-nginx-site-confs/default.conf | 84 ++++++++++ .../swag-proxy-confs/juiceshop.subfolder.conf | 22 +++ deployment/nginx/docker-compose.yaml | 136 ++++++++++++++++ deployment/nginx/nginx-config/default.conf | 47 ++++++ deployment/swag/docker-compose.yaml | 46 ++++++ 18 files changed, 1453 insertions(+) create mode 100644 deployment/apisix/apisix-example-config/apisix-standalone.yaml create mode 100644 deployment/apisix/docker-compose.yaml create mode 100644 deployment/docker-compose/apisix/apisix-config/apisix.yaml create mode 100644 deployment/docker-compose/apisix/docker-compose.yaml create mode 100644 deployment/docker-compose/envoy/docker-compose.yaml create mode 100644 deployment/docker-compose/envoy/envoy-config/envoy.yaml create mode 100644 deployment/docker-compose/kong/docker-compose.yaml create mode 100644 deployment/docker-compose/kong/kong-config/kong.yaml create mode 100644 deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml create mode 100644 deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml create mode 100644 
deployment/docker-compose/nginx-unifed/docker-compose.yaml create mode 100644 deployment/docker-compose/nginx-unifed/nginx-config/default.conf create mode 100644 deployment/docker-compose/swag/docker-compose.yaml create mode 100644 deployment/docker-compose/swag/swag-nginx-site-confs/default.conf create mode 100644 deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf create mode 100644 deployment/nginx/docker-compose.yaml create mode 100644 deployment/nginx/nginx-config/default.conf create mode 100644 deployment/swag/docker-compose.yaml diff --git a/deployment/apisix/apisix-example-config/apisix-standalone.yaml b/deployment/apisix/apisix-example-config/apisix-standalone.yaml new file mode 100644 index 0000000..97ce7b7 --- /dev/null +++ b/deployment/apisix/apisix-example-config/apisix-standalone.yaml @@ -0,0 +1,12 @@ + +# example local declarative configuration file for apisix in standalone mode + +routes: + - + uri: /anything + upstream: + nodes: + "httpbin.org:80": 1 + type: roundrobin + +#END diff --git a/deployment/apisix/docker-compose.yaml b/deployment/apisix/docker-compose.yaml new file mode 100644 index 0000000..5047b56 --- /dev/null +++ b/deployment/apisix/docker-compose.yaml 
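Review bot: The header comment of this example does not say where the file has to live, while deployment/apisix/docker-compose.yaml in this same commit bind-mounts `./apisix-localconfig/apisix-standalone.yaml`, not the `apisix-example-config/` directory the file is created in, so a user who starts the stack from the tree as committed will most likely get an empty directory mounted over `/usr/local/apisix/conf/apisix.yaml` instead of this config. Extend the comment to `# copy this file to ./apisix-localconfig/ (the path bind-mounted by docker-compose.yaml) before starting the stack`. The single route also forwards to `httpbin.org:80` over plain HTTP, which is fine for a lab but worth stating in the same comment so the entry is not reused as a template for real upstreams.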
@@ -0,0 +1,47 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +version: "3" + +services: + apisix: + container_name: apisix + image: "ghcr.io/openappsec/apisix-attachment:latest" + ipc: host + restart: always + volumes: + - ./apisix-localconfig/apisix-standalone.yaml:/usr/local/apisix/conf/apisix.yaml:ro + environment: + - APISIX_STAND_ALONE=true + ports: + - "9180:9180/tcp" + - "9080:9080/tcp" + - "9091:9091/tcp" + - "9443:9443/tcp" + + appsec-agent: + container_name: appsec-agent + image: 'ghcr.io/openappsec/agent:latest' + ipc: host + restart: unless-stopped + environment: + # adjust with your own email below + - user_email=user@email.com + - registered_server="APISIX Server" + - AGENT_TOKEN= + volumes: + - ./appsec-config:/etc/cp/conf + - ./appsec-data:/etc/cp/data + - ./appsec-logs:/var/log/nano_agent + - ./appsec-localconfig:/ext/appsec + command: /cp-nano-agent diff --git a/deployment/docker-compose/apisix/apisix-config/apisix.yaml b/deployment/docker-compose/apisix/apisix-config/apisix.yaml new file mode 100644 index 0000000..baa0928 --- /dev/null +++ b/deployment/docker-compose/apisix/apisix-config/apisix.yaml @@ -0,0 +1,9 @@ +routes: + - + uri: / + upstream: + nodes: + "juiceshop-backend:3000": 1 + type: roundrobin + +#END diff --git a/deployment/docker-compose/apisix/docker-compose.yaml b/deployment/docker-compose/apisix/docker-compose.yaml new file mode 100644 index 0000000..d4ed4da --- /dev/null 
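Review bot: The `ports` list of the `apisix` service publishes the Admin API port 9180 (and 9091) on all host interfaces, while the kong compose file added in this same commit binds its admin ports to `127.0.0.1` only; the APISIX Admin API controls every route and upstream and should get the same loopback binding. Both services also use `ipc: host`, which shares the host's IPC namespace with the containers, instead of the `ipc: shareable` / `ipc: service:appsec-agent` pairing every other compose file in this commit uses to give the agent and proxy a private shared namespace. The bind-mount source `./apisix-localconfig/apisix-standalone.yaml` does not match the `apisix-example-config/` directory the example config is created in, so one of the two paths should change. Finally, `registered_server="APISIX Server"` in list-form `environment` keeps the double quotes as part of the value as far as I can tell from compose's handling of that form; the kong file writes `registered_server=Kong Server` unquoted.
```yaml
services:
  apisix:
    # … unchanged: container_name, image …
    ipc: service:appsec-agent
    restart: always
    depends_on:
      - appsec-agent
    volumes:
      - ./apisix-example-config/apisix-standalone.yaml:/usr/local/apisix/conf/apisix.yaml:ro
    # … unchanged: environment …
    ports:
      - "9080:9080/tcp"
      - "9443:9443/tcp"
      - "127.0.0.1:9180:9180/tcp"
      - "127.0.0.1:9091:9091/tcp"

  appsec-agent:
    # … unchanged: container_name, image …
    ipc: shareable
    # … unchanged: restart, environment, volumes, command …
```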
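Review bot: This declarative config has no header comment, unlike apisix-standalone.yaml in the same commit, so nothing tells the reader that the single route sends all ingress traffic to the juice-shop lab container. Add `# routes all ingress traffic (/) to the juiceshop-backend lab container; for testing only` above `routes:` so the file is not mistaken for a production route table.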
+++ b/deployment/docker-compose/apisix/docker-compose.yaml 
@@ -0,0 +1,131 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with APISIX +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server=APISIX Server + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-apisix: + image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION} + container_name: appsec-apisix + ipc: service:appsec-agent + restart: always + environment: + - APISIX_STAND_ALONE=true + volumes: + - ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro + ports: + - "9080:9080/tcp" # HTTP API port + - "9443:9443/tcp" # HTTPS API port + - "9180:9180/tcp" # Admin API HTTP port + - "9091:9091/tcp" # Admin API HTTPS port + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: always + 
depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: always +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: always + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: always + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container 
configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" \ No newline at end of file diff --git a/deployment/docker-compose/envoy/docker-compose.yaml b/deployment/docker-compose/envoy/docker-compose.yaml new file mode 100644 index 0000000..11088b2 --- /dev/null +++ b/deployment/docker-compose/envoy/docker-compose.yaml 
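Review bot: The `ports` block of `appsec-apisix` publishes `9180` and `9091` on all host interfaces, whereas the kong compose file in this same commit binds its admin ports to loopback; change them to `- "127.0.0.1:9180:9180/tcp"` and `- "127.0.0.1:9091:9091/tcp"` so the Admin API is not reachable from the network by default. The inline comment `# Admin API HTTPS port` on 9091 also looks wrong: in APISIX's default configuration 9091 is the Prometheus metrics export port, so the comment should say so or the mapping should be dropped. The `juiceshop-backend` service at the end of the hunk has no `profiles:` entry, so the vulnerable container starts with every `docker compose up`; the kong file guards it with `profiles: [juiceshop]`, and the envoy compose file in this commit has the same omission. The file also ends without a trailing newline and uses `restart: always` where the other compose files use `unless-stopped`.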
@@ -0,0 +1,135 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with Envoy +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server="Envoy Server" + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-envoy: + image: openappsec-envoy:${APPSEC_VERSION} +# for docs: image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION} + container_name: appsec-envoy + ipc: service:appsec-agent + restart: unless-stopped + environment: + - ENVOY_UID=0 + - CONCURRENCY_CALC=${ENVOY_CONCURRENCY_CALC} + - CONCURRENCY_NUMBER=${ENVOY_CONCURRENCY_NUMBER} + volumes: + - ${ENVOY_CONFIG}:/envoy.yaml + command: -c /envoy.yaml +## adjustment of threads is possible as follows: +# command: -c /envoy.yaml --concurrency ${ENVOY_CONCURRENCY} + + ports: + - "80:80" + - "443:443" + + appsec-smartsync: + profiles: + - standalone + image: 
ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + 
container_name: juiceshop-backend + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/docker-compose/envoy/envoy-config/envoy.yaml b/deployment/docker-compose/envoy/envoy-config/envoy.yaml new file mode 100644 index 0000000..8ab8070 --- /dev/null +++ b/deployment/docker-compose/envoy/envoy-config/envoy.yaml 
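Review bot: The `appsec-envoy` service references `image: openappsec-envoy:${APPSEC_VERSION}`, an unqualified local build tag, with the published image left in a comment marked "for docs", so anyone using this file as committed cannot pull the proxy; swap the two so the active line is `image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}`. `registered_server="Envoy Server"` under the agent's `environment` list keeps the literal quotes in the value as far as I can tell from compose's list-form handling; the kong file writes the value unquoted. `ENVOY_UID=0` runs the proxy as root and deserves a comment explaining why that is required, if it is, so it is not copied into deployments that could run unprivileged.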
@@ -0,0 +1,56 @@ +static_resources: + listeners: + - name: listener_0 + address: + socket_address: + address: 0.0.0.0 + port_value: 80 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + http_filters: + ## The following 10 lines are required to load the envoy attachment filter for open-appsec + - name: envoy.filters.http.golang + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config + library_id: cp_nano_filter + library_path: "/usr/lib/libenvoy_attachment.so" + plugin_name: cp_nano_filter + plugin_config: + "@type": type.googleapis.com/xds.type.v3.TypedStruct + value: + prefix_localreply_body: "Configured local reply from go" + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + +## +## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file. +## + route_config: + name: local_route + virtual_hosts: + - name: local_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + cluster: juiceshop + + clusters: + - name: juiceshop + type: STRICT_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: juiceshop + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: juiceshop-backend + port_value: 3000 diff --git a/deployment/docker-compose/kong/docker-compose.yaml b/deployment/docker-compose/kong/docker-compose.yaml new file mode 100644 index 0000000..ad5c767 --- /dev/null +++ b/deployment/docker-compose/kong/docker-compose.yaml 
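Review bot: The only listener, `listener_0`, binds port 80, yet the envoy compose file in this commit publishes `443:443` as well, so the published 443 is a dead port with no TLS listener behind it; either drop that mapping or add a comment above `listeners:` stating that an HTTPS listener with a TLS `transport_socket` must be added here before 443 is exposed. `prefix_localreply_body: "Configured local reply from go"` under `plugin_config` reads like the sample value from Envoy's golang-filter example rather than something the open-appsec attachment needs; if the filter ignores it, a comment saying it is a placeholder would help, and if it does not, the value should be documented. The comment `## The following 10 lines are required…` counts correctly today but breaks on the next edit; anchoring it as `## required for open-appsec: the envoy.filters.http.golang entry below, through prefix_localreply_body` is more robust.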
@@ -0,0 +1,135 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with Kong +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server=Kong Server + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-kong: + image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION} + container_name: appsec-kong + ipc: service:appsec-agent +## This docker compose deploys Kong in DB-less mode with declarative Kong configuration +## please make sure to have a valid config present in {KONG_CONFIG}: + environment: + - KONG_DATABASE=off + - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml + volumes: + - ${KONG_CONFIG}:/opt/kong + restart: unless-stopped + ports: + - "8000:8000" + - "8443:8443" + - "127.0.0.1:8001:8001" + - "127.0.0.1:8444:8444" + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: 
appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + +## 
advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/docker-compose/kong/kong-config/kong.yaml b/deployment/docker-compose/kong/kong-config/kong.yaml new file mode 100644 index 0000000..60c4c32 --- /dev/null +++ b/deployment/docker-compose/kong/kong-config/kong.yaml @@ -0,0 +1,9 @@ +_format_version: "3.0" + +services: + - name: juiceshop-service + url: http://juiceshop-backend:3000 + routes: + - name: juiceshop-route + paths: + - / diff --git a/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml b/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml new file mode 100644 index 0000000..4795c2b --- /dev/null +++ b/deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml 
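Review bot: `image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}` has no default or guard for `KONG_IMAGE`, so a missing variable silently produces the invalid reference `ghcr.io/openappsec/:<version>` and a confusing pull error; compose's `${KONG_IMAGE:?KONG_IMAGE must name the Kong attachment image}` (or `:-` with a default) fails early with a clear message. The comment above `environment:` points readers at `{KONG_CONFIG}` while the mount is `${KONG_CONFIG}:/opt/kong`; aligning the name (and dropping the stray trailing colon) avoids sending them to a variable that does not exist. Binding the admin listeners as `"127.0.0.1:8001:8001"` and `"127.0.0.1:8444:8444"` is the right posture and deserves a one-line comment so it is not "fixed" later, e.g. `## admin API intentionally bound to loopback only; expose via a reverse proxy with auth if remote access is needed`.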
@@ -0,0 +1,132 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with NGINX Proxy Manager +## with open-appsec management via central open-appsec WebUI (SaaS) +## + +version: '3.9' + +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + ipc: shareable + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - nginxproxymanager=true + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-nginx-proxy-manager: + container_name: appsec-nginx-proxy-manager + image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION} + ipc: service:appsec-agent + restart: unless-stopped + ports: + - 80:80 # Public HTTP Port + - 443:443 # Public HTTPS Port + - 81:81 # Admin Web Port + volumes: + - ${NPM_DATA}:/data + - ${NPM_LETSENCRYPT}:/etc/letsencrypt + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - 
SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + +## advanced configuration: learning_nfs 
volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml b/deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml new file mode 100644 index 0000000..fc80272 --- /dev/null +++ b/deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml 
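Review bot: `- 81:81 # Admin Web Port` publishes the NGINX Proxy Manager admin UI on every host interface, whereas the Kong file in this series binds its admin ports to loopback; unless the UI is meant to be reachable from outside the host, `- "127.0.0.1:81:81" # Admin Web Port` (or a comment stating that the exposure is intentional and protected elsewhere) would match that posture. The identical `ports:` block in the deployment/docker-compose/nginx-proxy-manager hunk that follows has the same issue. These mappings are also left unquoted, unlike the `"80:80"`/`"443:443"` form used in the Kong and NGINX files; quoting them keeps the series consistent and avoids YAML 1.1 scalar surprises in other tooling that may parse these files.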
@@ -0,0 +1,134 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with NGINX Proxy Manager +## with open-appsec management via NGINX Proxy Manager WebUI +## + +version: '3.9' + +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + ipc: shareable + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - nginxproxymanager=true + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-nginx-proxy-manager: + container_name: appsec-nginx-proxy-manager + image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION} + ipc: service:appsec-agent + restart: unless-stopped + ports: + - 80:80 # Public HTTP Port + - 443:443 # Public HTTPS Port + - 81:81 # Admin Web Port + volumes: + - ${NPM_DATA}:/data + - ${NPM_LETSENCRYPT}:/etc/letsencrypt + - ${APPSEC_LOGS}:/ext/appsec-logs + - ${APPSEC_LOCALCONFIG}:/ext/appsec + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + 
environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + +## advanced configuration: 
learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/docker-compose/nginx-unifed/docker-compose.yaml b/deployment/docker-compose/nginx-unifed/docker-compose.yaml new file mode 100644 index 0000000..8d5c270 --- /dev/null +++ b/deployment/docker-compose/nginx-unifed/docker-compose.yaml 
@@ -0,0 +1,126 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec deployments of NGINX unified container +## + +version: "3.9" +services: + appsec-agent-nginx-unified: + image: ghcr.io/openappsec/agent-unified:${APPSEC_VERSION} + container_name: appsec-agent-nginx-unified + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + ipc: shareable + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + - ${NGINX_CONFIG}:/etc/nginx/conf.d +## advanced configuration - volume mount for nginx.conf file: +## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below +## make sure to include the line starting with "load_module" which loads the appsec attachment +## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container +# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf + ports: + - "80:80" + - "443:443" + command: /cp-nano-agent + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + 
environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent-nginx-unified + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + + +## 
advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/docker-compose/nginx-unifed/nginx-config/default.conf b/deployment/docker-compose/nginx-unifed/nginx-config/default.conf new file mode 100644 index 0000000..e3ca187 --- /dev/null +++ b/deployment/docker-compose/nginx-unifed/nginx-config/default.conf @@ -0,0 +1,47 @@ +server { + listen 80; + listen [::]:80; + server_name _; + + #access_log /var/log/nginx/host.access.log main; + + location / { + proxy_pass http://juiceshop-backend:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} 
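Review bot: The `## advanced configuration` comment on the agent's `volumes:` says to mount a custom nginx.conf "by uncommenting the two lines below", but only one commented line (`# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf`) follows, so an operator will look for a second line that does not exist; `## ... by uncommenting the line below` matches what is there (the deployment/nginx file already uses that wording). The new directory name `deployment/docker-compose/nginx-unifed/` also looks like a misspelling of "unified" given the service and image names `appsec-agent-nginx-unified` and `agent-unified`; renaming it later, once documentation links to the path, is far more disruptive than doing it in this commit, presumably together with the `nginx-config/default.conf` path in the next hunk.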
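Review bot: The stock-nginx PHP/FastCGI and `.htaccess` stanzas left commented in this `default.conf` have no bearing on the juice-shop proxy and only make the example harder to audit; trimming the server block to the `location /` proxy, the `error_page` mapping and the `/50x.html` location would leave a file whose every line is load-bearing. The same blob (index e3ca187) is added again under `deployment/nginx/nginx-config/` in a later hunk, so the two copies will drift unless one is removed or each carries a marker such as `# keep in sync with deployment/nginx/nginx-config/default.conf`.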
diff --git a/deployment/docker-compose/swag/docker-compose.yaml b/deployment/docker-compose/swag/docker-compose.yaml new file mode 100644 index 0000000..ecce3c2 --- /dev/null +++ b/deployment/docker-compose/swag/docker-compose.yaml 
@@ -0,0 +1,145 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with SWAG +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + restart: unless-stopped + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server=SWAG Server + ipc: shareable + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-swag: + image: ghcr.io/openappsec/swag-attachment:latest + container_name: appsec-swag + ipc: service:appsec-agent + restart: unless-stopped + cap_add: + - NET_ADMIN + environment: + - PUID=1000 + - PGID=1000 + - TZ=${SWAG_TZ} + - URL=${SWAG_URL} + - VALIDATION=${SWAG_VALIDATION} + - DNSPLUGIN=${SWAG_DNSPLUGIN} + - AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID} + - AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY} + - SUBDOMAINS=${SWAG_SUBDOMAINS} + - ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS} +## see https://docs.linuxserver.io/images/docker-swag/ for +## more cert generation/validation options + - STAGING=${SWAG_STAGING} + volumes: + - 
${SWAG_CONFIG}:/config + - ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs + - ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs + ports: + - 443:443 + - 80:80 ## optional + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + 
volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/docker-compose/swag/swag-nginx-site-confs/default.conf b/deployment/docker-compose/swag/swag-nginx-site-confs/default.conf new file mode 100644 index 0000000..9412c18 --- /dev/null +++ b/deployment/docker-compose/swag/swag-nginx-site-confs/default.conf 
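Review bot: `juiceshop-backend` in this file has no `profiles:` entry, so the deliberately vulnerable juice-shop container starts on every plain `docker compose up`, whereas every other compose file in this series gates it behind `profiles:` / `- juiceshop`; adding those two lines here keeps the lab-only service opt-in, as its own "USE ONLY FOR TESTING" comment demands. `image: ghcr.io/openappsec/swag-attachment:latest` is also the one attachment image not pinned to `${APPSEC_VERSION}`, so the agent and attachment can silently diverge across pulls and a deployment cannot be reproduced; the deployment/swag/docker-compose.yaml hunk at the end of this series has the same `:latest` tags. Since `SWAG_DNSPLUGIN` implies DNS-based certificate validation, a short comment reminding operators that `SWAG_AWS_ACCESS_KEY_ID`/`SWAG_AWS_SECRET_ACCESS_KEY` should belong to an identity scoped to the validated DNS zone (and that the `.env` holding them must stay out of version control) would be useful next to those lines.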
@@ -0,0 +1,84 @@ +## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample + +# redirect all traffic to https +server { + listen 80 default_server; + listen [::]:80 default_server; + + location / { + return 301 https://$host$request_uri; + } +} + +# main server block +server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + + server_name _; + + include /config/nginx/ssl.conf; + +# root /config/www; +# index index.html index.htm index.php; + + # enable subfolder method reverse proxy confs + include /config/nginx/proxy-confs/*.subfolder.conf; + + # enable for ldap auth (requires ldap-location.conf in the location block) + #include /config/nginx/ldap-server.conf; + + # enable for Authelia (requires authelia-location.conf in the location block) + #include /config/nginx/authelia-server.conf; + + # enable for Authentik (requires authentik-location.conf in the location block) + #include /config/nginx/authentik-server.conf; + + #location / { + # enable for basic auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + # try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args; + #} + + location ~ ^(.+\.php)(.*)$ { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include 
/config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + fastcgi_split_path_info ^(.+\.php)(.*)$; + if (!-f $document_root$fastcgi_script_name) { return 404; } + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + + # deny access to .htaccess/.htpasswd files + location ~ /\.ht { + deny all; + } +} + +# enable subdomain method reverse proxy confs +include /config/nginx/proxy-confs/*.subdomain.conf; +# enable proxy cache for auth +proxy_cache_path cache/ keys_zone=auth_cache:10m; diff --git a/deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf b/deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf new file mode 100644 index 0000000..e94c276 --- /dev/null +++ b/deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf @@ -0,0 +1,22 @@ +location / { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app juiceshop-backend; + set $upstream_port 3000; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + +} diff --git a/deployment/nginx/docker-compose.yaml b/deployment/nginx/docker-compose.yaml new file mode 100644 index 0000000..aee9fca --- /dev/null +++ b/deployment/nginx/docker-compose.yaml 
@@ -0,0 +1,136 @@ +# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## +## Docker compose file for open-appsec integrated with NGINX +## + +version: "3.9" +services: + appsec-agent: + image: ghcr.io/openappsec/agent:${APPSEC_VERSION} + container_name: appsec-agent + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - LEARNING_HOST=appsec-smartsync + - TUNING_HOST=appsec-tuning-svc + - https_proxy=${APPSEC_HTTPS_PROXY} + - user_email=${APPSEC_USER_EMAIL} + - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} + - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} + - registered_server="NGINX Server" + ipc: shareable + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + - ${APPSEC_DATA}:/etc/cp/data + - ${APPSEC_LOGS}:/var/log/nano_agent + - ${APPSEC_LOCALCONFIG}:/ext/appsec + command: /cp-nano-agent + + appsec-nginx: + image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION} + container_name: appsec-nginx + ipc: service:appsec-agent + restart: unless-stopped + volumes: + - ${NGINX_CONFIG}:/etc/nginx/conf.d + +## advanced configuration - volume mount for nginx.conf file: +## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below +## then specify a desired local folder for NGINX_CONF_FILE in the .env file. 
+## In the nginx.conf file make sure to include the line starting with "load_module" which loads the appsec attachment +## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container. +# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf + + ports: + - "80:80" + - "443:443" + + appsec-smartsync: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} + container_name: appsec-smartsync + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + restart: unless-stopped + depends_on: + - appsec-shared-storage + + appsec-shared-storage: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} + container_name: appsec-shared-storage + ipc: service:appsec-agent + restart: unless-stopped +## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment +## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db + user: root + volumes: + - ${APPSEC_SMART_SYNC_STORAGE}:/db:z +## instead of using local storage for local learning (see line above) +## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) +## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) +# - learning_nfs:/db:z + + appsec-tuning-svc: + profiles: + - standalone + image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} + container_name: appsec-tuning-svc + environment: + - SHARED_STORAGE_HOST=appsec-shared-storage + - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} + - QUERY_DB_HOST=${APPSEC_DB_HOST} + - QUERY_DB_USER=${APPSEC_DB_USER} +## only relevant when deploying own DB +# - SSLMODE: + restart: unless-stopped + volumes: + - ${APPSEC_CONFIG}:/etc/cp/conf + depends_on: + - appsec-shared-storage + - appsec-db + + appsec-db: + profiles: + - standalone + image: postgres + container_name: 
appsec-db + restart: unless-stopped + environment: + - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} + - POSTGRES_USER=${APPSEC_DB_USER} + volumes: + - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data + +## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) + juiceshop-backend: + image: bkimminich/juice-shop:latest + container_name: juiceshop-backend + profiles: + - juiceshop + +## advanced configuration: learning_nfs volume for nfs storage in shared_storage container +## +## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) +## +#volumes: +# learning_nfs: +# driver: local +# driver_opts: +# type: nfs +# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport +# device: ":/" diff --git a/deployment/nginx/nginx-config/default.conf b/deployment/nginx/nginx-config/default.conf new file mode 100644 index 0000000..e3ca187 --- /dev/null +++ b/deployment/nginx/nginx-config/default.conf 
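Review bot: `- registered_server="NGINX Server"` in the `appsec-agent` environment list carries the double quotes into the value: compose passes list-form `KEY=VALUE` entries verbatim, so the agent presumably registers as `"NGINX Server"` with literal quotes, while the Kong and SWAG files use the unquoted `registered_server=Kong Server` form. Change it to `- registered_server=NGINX Server`, or use the mapping form (`registered_server: NGINX Server`) if the space is the concern.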
@@ -0,0 +1,47 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ #access_log /var/log/nginx/host.access.log main;
+
+ location / {
+ proxy_pass http://juiceshop-backend:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+ #
+ #location ~ \.php$ {
+ # proxy_pass http://127.0.0.1;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ #location ~ \.php$ {
+ # root html;
+ # fastcgi_pass 127.0.0.1:9000;
+ # fastcgi_index index.php;
+ # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+ # include fastcgi_params;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
diff --git a/deployment/swag/docker-compose.yaml b/deployment/swag/docker-compose.yaml
new file mode 100644
index 0000000..dcd5fbf
--- /dev/null
+++ b/deployment/swag/docker-compose.yaml
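Review bot: The nginx compose hunk just above publishes `"443:443"` for the attachment container, but this server block only declares `listen 80;` and `listen [::]:80;`, so nothing answers on the published 443 port and clients connecting there are refused; either drop that mapping or add a `listen 443 ssl;` server with certificate directives. Because this nginx is the edge (its ports are published directly), `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever X-Forwarded-For the client sent, so the upstream must trust only the last entry; with no trusted proxy in front, `proxy_set_header X-Forwarded-For $remote_addr;` avoids forwarding a client-controlled chain. The commented-out PHP/FastCGI and `.ht` stanzas are leftovers from the stock image default.conf and do not apply to a reverse proxy; removing them and adding a header comment such as `# lab-only reverse proxy in front of the juice-shop test backend; not hardened for production` would make the file's purpose and scope clear.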
@@ -0,0 +1,46 @@
+services:
+ swag-attachment:
+ image: ghcr.io/openappsec/swag-attachment:latest
+ ipc: service:appsec-agent
+ restart: unless-stopped
+ container_name: swag-attachment
+ cap_add:
+ - NET_ADMIN
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Etc/UTC
+ - URL=yourdomain.url # replace yourdomain.url with your own domain
+ # make sure your domain's public IP resolves to
+ # the docker host for Let's Encrypt cert generation to succeed
+ - VALIDATION=http
+ # see https://docs.linuxserver.io/images/docker-swag/ for
+ # more cert generation/validation options
+ - STAGING=true # switch to 'false' after successful testing
+ volumes:
+ - ./swag-config:/config
+ ports:
+ - 443:443
+ - 80:80 #optional
+
+ appsec-agent:
+ container_name: appsec-agent
+ image: ghcr.io/openappsec/agent:latest
+ ipc: shareable
+ restart: unless-stopped
+ environment:
+ - user_email=user@email.com # adjust with your own email
+ - registered_server=SWAG Server
+ # if autoPolicyLoad is set to true, open-appsec will apply
+ # changes in local_policy.yaml automatically
+ - autoPolicyLoad=true
+ # To connect to open-appsec central management WebUI
+ ## create your WebUI profile at https://my.openappsec.io,
+ ## enforce policy, copy the profile token from WebUI and add it below
+ - AGENT_TOKEN=
+ volumes:
+ - ./appsec-config:/etc/cp/conf
+ - ./appsec-data:/etc/cp/data
+ - ./appsec-logs:/var/log/nano_agent
+ - ./appsec-localconfig:/ext/appsec
+ command: /cp-nano-agent
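Review bot: Both services pull floating tags (`swag-attachment:latest`, `agent:latest`) while the sibling compose hunk earlier in this patch pins `${APPSEC_VERSION}`; a routine `docker compose pull` can silently move this deployment to a different build, so pin these the same way, e.g. `image: ghcr.io/openappsec/agent:${APPSEC_VERSION}`, or by digest. `cap_add: NET_ADMIN` on swag-attachment is a broad capability; presumably it is there for SWAG's optional fail2ban, so a comment stating why it is required (or dropping it if it is not) would help reviewers judge the container's privilege. The port mappings `- 443:443` and `- 80:80 #optional` should be quoted strings (`- "443:443"`) as the other compose hunk does, and since `- AGENT_TOKEN=` is left empty on purpose, the comment above it could say that an empty token means the agent runs without central management.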
