github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #226 from openappsec/oriane-23.12.24-adding-new-composes

Browse Source 
Oriane 23.12.24 adding new composes
This commit is contained in:
orianelou 2025-01-20 12:02:00 +02:00 committed by GitHub
commit fae4534e5c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
16 changed files with 1271 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
deployment/docker-compose/apisix/apisix-config/apisix.yaml Normal file
View File

@ -0,0 +1,9 @@
routes:
-
uri: /
upstream:
nodes:
"juiceshop-backend:3000": 1
type: roundrobin
#END

131
deployment/docker-compose/apisix/docker-compose.yaml Normal file
View File

@ -0,0 +1,131 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with APISIX
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=APISIX Server
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-apisix:
image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION}
container_name: appsec-apisix
ipc: service:appsec-agent
restart: always
environment:
- APISIX_STAND_ALONE=true
volumes:
- ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro
ports:
- "9080:9080/tcp" # HTTP API port
- "9443:9443/tcp" # HTTPS API port
- "9180:9180/tcp" # Admin API HTTP port
- "9091:9091/tcp" # Admin API HTTPS port
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: always
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: always
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: always
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: always
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

135
deployment/docker-compose/envoy/docker-compose.yaml Normal file
View File

@ -0,0 +1,135 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with Envoy
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server="Envoy Server"
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-envoy:
image: openappsec-envoy:${APPSEC_VERSION}
# for docs: image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}
container_name: appsec-envoy
ipc: service:appsec-agent
restart: unless-stopped
environment:
- ENVOY_UID=0
- CONCURRENCY_CALC=${ENVOY_CONCURRENCY_CALC}
- CONCURRENCY_NUMBER=${ENVOY_CONCURRENCY_NUMBER}
volumes:
- ${ENVOY_CONFIG}:/envoy.yaml
command: -c /envoy.yaml
## adjustment of threads is possible as follows:
# command: -c /envoy.yaml --concurrency ${ENVOY_CONCURRENCY}
ports:
- "80:80"
- "443:443"
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

56
deployment/docker-compose/envoy/envoy-config/envoy.yaml Normal file
View File

@ -0,0 +1,56 @@
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 80
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
http_filters:
## The following 10 lines are required to load the envoy attachment filter for open-appsec
- name: envoy.filters.http.golang
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
library_id: cp_nano_filter
library_path: "/usr/lib/libenvoy_attachment.so"
plugin_name: cp_nano_filter
plugin_config:
"@type": type.googleapis.com/xds.type.v3.TypedStruct
value:
prefix_localreply_body: "Configured local reply from go"
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
##
## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file.
##
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: juiceshop
clusters:
- name: juiceshop
type: STRICT_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: juiceshop
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: juiceshop-backend
port_value: 3000

135
deployment/docker-compose/kong/docker-compose.yaml Normal file
View File

@ -0,0 +1,135 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with Kong
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=Kong Server
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-kong:
image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
container_name: appsec-kong
ipc: service:appsec-agent
## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
## please make sure to have a valid config present in {KONG_CONFIG}:
environment:
- KONG_DATABASE=off
- KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml
volumes:
- ${KONG_CONFIG}:/opt/kong
restart: unless-stopped
ports:
- "8000:8000"
- "8443:8443"
- "127.0.0.1:8001:8001"
- "127.0.0.1:8444:8444"
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

9
deployment/docker-compose/kong/kong-config/kong.yaml Normal file
View File

@ -0,0 +1,9 @@
_format_version: "3.0"
services:
- name: juiceshop-service
url: http://juiceshop-backend:3000
routes:
- name: juiceshop-route
paths:
- /

132
deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml Normal file
View File

@ -0,0 +1,132 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX Proxy Manager
## with open-appsec management via central open-appsec WebUI (SaaS)
##
version: '3.9'
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
ipc: shareable
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- nginxproxymanager=true
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx-proxy-manager:
container_name: appsec-nginx-proxy-manager
image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION}
ipc: service:appsec-agent
restart: unless-stopped
ports:
- 80:80 # Public HTTP Port
- 443:443 # Public HTTPS Port
- 81:81 # Admin Web Port
volumes:
- ${NPM_DATA}:/data
- ${NPM_LETSENCRYPT}:/etc/letsencrypt
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

134
deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml Normal file
View File

@ -0,0 +1,134 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX Proxy Manager
## with open-appsec management via NGINX Proxy Manager WebUI
##
version: '3.9'
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
ipc: shareable
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- nginxproxymanager=true
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx-proxy-manager:
container_name: appsec-nginx-proxy-manager
image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION}
ipc: service:appsec-agent
restart: unless-stopped
ports:
- 80:80 # Public HTTP Port
- 443:443 # Public HTTPS Port
- 81:81 # Admin Web Port
volumes:
- ${NPM_DATA}:/data
- ${NPM_LETSENCRYPT}:/etc/letsencrypt
- ${APPSEC_LOGS}:/ext/appsec-logs
- ${APPSEC_LOCALCONFIG}:/ext/appsec
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

126
deployment/docker-compose/nginx-unifed/docker-compose.yaml Normal file
View File

@ -0,0 +1,126 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec deployments of NGINX unified container
##
version: "3.9"
services:
appsec-agent-nginx-unified:
image: ghcr.io/openappsec/agent-unified:${APPSEC_VERSION}
container_name: appsec-agent-nginx-unified
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
ipc: shareable
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
- ${NGINX_CONFIG}:/etc/nginx/conf.d
## advanced configuration - volume mount for nginx.conf file:
## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below
## make sure to include the line starting with "load_module" which loads the appsec attachment
## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container
# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
ports:
- "80:80"
- "443:443"
command: /cp-nano-agent
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent-nginx-unified
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

47
deployment/docker-compose/nginx-unifed/nginx-config/default.conf Normal file
View File

@ -0,0 +1,47 @@
server {
listen 80;
listen [::]:80;
server_name _;
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_pass http://juiceshop-backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

145
deployment/docker-compose/swag/docker-compose.yaml Normal file
View File

@ -0,0 +1,145 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with SWAG
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=SWAG Server
ipc: shareable
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-swag:
image: ghcr.io/openappsec/swag-attachment:latest
container_name: appsec-swag
ipc: service:appsec-agent
restart: unless-stopped
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=${SWAG_TZ}
- URL=${SWAG_URL}
- VALIDATION=${SWAG_VALIDATION}
- DNSPLUGIN=${SWAG_DNSPLUGIN}
- AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID}
- AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY}
- SUBDOMAINS=${SWAG_SUBDOMAINS}
- ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS}
## see https://docs.linuxserver.io/images/docker-swag/ for
## more cert generation/validation options
- STAGING=${SWAG_STAGING}
volumes:
- ${SWAG_CONFIG}:/config
- ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs
- ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs
ports:
- 443:443
- 80:80 ## optional
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

84
deployment/docker-compose/swag/swag-nginx-site-confs/default.conf Normal file
View File

@ -0,0 +1,84 @@
## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
# main server block
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
include /config/nginx/ssl.conf;
# root /config/www;
# index index.html index.htm index.php;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
#location / {
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
# try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
#}
location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

22
deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf Normal file
View File

@ -0,0 +1,22 @@
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app juiceshop-backend;
set $upstream_port 3000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}

28
deployment/nginx/.env
View File

@ -1,28 +0,0 @@
## .env file for docker-compose deployments of open-appsec integrated with NGINX
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
SMART_SYNC_STORAGE=./smartsync-storage
USER_EMAIL=user@email.com
DB_PASSWORD=pass
DB_USER=postgres
DB_HOST=appsec-db
POSTGRES_STORAGE=./postgres-data
NGINX_CONF_DIR=./nginx-proxy-config
## To connect your deployment to central WebUI you can uncomment following line
## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## When not providing token for connection to central WebUI please uncomment following line
## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI
# COMPOSE_PROFILES=standalone

88
deployment/nginx/docker-compose.yaml
View File

@ -1,4 +1,21 @@
version: "2" # Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX
##
version: "3.9"
services: services:
appsec-agent: appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION} image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
@ -8,35 +25,38 @@ services:
- LEARNING_HOST=appsec-smartsync - LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc - TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY} - https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${USER_EMAIL} - user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server="NGINX Server" - registered_server="NGINX Server"
ipc: shareable ipc: shareable
restart: unless-stopped
volumes: volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf - ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data - ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent - ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec - ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent command: /cp-nano-agent
appsec-nginx: appsec-nginx:
image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION} image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION}
container_name: appsec-nginx container_name: appsec-nginx
ipc: service:appsec-agent ipc: service:appsec-agent
## when mounting own external nginx config uncomment the two lines below, place the config in {NGINX_CONF_DIR} restart: unless-stopped
# volumes: volumes:
# - ${NGINX_CONF_DIR}:/etc/nginx/conf.d - ${NGINX_CONFIG}:/etc/nginx/conf.d
## advanced configuration - volume mount for nginx.conf file: ## advanced configuration - volume mount for nginx.conf file:
## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below ## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below
## make sure to include the line starting with "load_module" which loads the appsec attachment ## then specify a desired local folder for NGINX_CONF_FILE in the .env file.
## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container ## In the nginx.conf file make sure to include the line starting with "load_module" which loads the appsec attachment
## make sure to only have one "volumes:" key ## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container.
# volumes:
# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf # - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
ports: ports:
- "80:80" - "80:80"
- "443:443" - "443:443"
appsec-smartsync: appsec-smartsync:
profiles: profiles:
- standalone - standalone
@ -44,23 +64,27 @@ services:
container_name: appsec-smartsync container_name: appsec-smartsync
environment: environment:
- SHARED_STORAGE_HOST=appsec-shared-storage - SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on: depends_on:
- appsec-shared-storage - appsec-shared-storage
appsec-shared-storage: appsec-shared-storage:
profiles: profiles:
- standalone - standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage container_name: appsec-shared-storage
ipc: service:appsec-agent ipc: service:appsec-agent
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment restart: unless-stopped
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root user: root
volumes: volumes:
- ${SMART_SYNC_STORAGE}:/db:z - ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above) ## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) ## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) ## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z # - learning_nfs:/db:z
appsec-tuning-svc: appsec-tuning-svc:
profiles: profiles:
- standalone - standalone
@ -68,48 +92,42 @@ services:
container_name: appsec-tuning-svc container_name: appsec-tuning-svc
environment: environment:
- SHARED_STORAGE_HOST=appsec-shared-storage - SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${DB_PASSWORD} - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${DB_HOST} - QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${DB_USER} - QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB ## only relevant when deploying own DB
# - SSLMODE: # - SSLMODE:
restart: unless-stopped
volumes: volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf - ${APPSEC_CONFIG}:/etc/cp/conf
depends_on: depends_on:
- appsec-shared-storage - appsec-shared-storage
- appsec-db - appsec-db
appsec-db: appsec-db:
profiles: profiles:
- standalone - standalone
image: postgres image: postgres
container_name: appsec-db container_name: appsec-db
restart: always restart: unless-stopped
environment: environment:
- POSTGRES_PASSWORD=${DB_PASSWORD} - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${DB_USER} - POSTGRES_USER=${APPSEC_DB_USER}
volumes: volumes:
- ${POSTGRES_STORAGE}:/var/lib/postgresql/data - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
## juiceshop-backend:
## uncomment this block for testing purposes only, make sure to also adjust the nginx.conf file image: bkimminich/juice-shop:latest
## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container container_name: juiceshop-backend
## you can use the example file available here: profiles:
## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/default.conf - juiceshop
## place the file above in {NGINX_CONF_DIR} and uncomment the two lines for creating a volume mount
## in the appsec-nginx service definition
## note that juiceshop container listens on HTTP port 3000 by default
#
# juiceshop-backend:
# image: bkimminich/juice-shop:latest
# container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container ## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
## ##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) ## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
# ##
# volumes: #volumes:
# learning_nfs: # learning_nfs:
# driver: local # driver: local
# driver_opts: # driver_opts:

47
deployment/nginx/nginx-config/default.conf Normal file
View File

@ -0,0 +1,47 @@
server {
listen 80;
listen [::]:80;
server_name _;
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_pass http://juiceshop-backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}