Rename docker-compose.yaml to docker-compose.yaml

Oct 14 2024 dev

deployment/nginx/.env

@@ -0,0 +1,28 @@
+## .env file for docker-compose deployments of open-appsec integrated with NGINX
+## for more info see https://docs.openappsec.io
+
+APPSEC_VERSION=latest
+APPSEC_CONFIG=./appsec-config
+APPSEC_DATA=./appsec-data
+APPSEC_LOGS=./appsec-logs
+APPSEC_LOCALCONFIG=./appsec-localconfig
+APPSEC_AUTO_POLICY_LOAD=false
+## Example for configuring HTTPS Proxy:
+## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
+APPSEC_HTTPS_PROXY=
+SMART_SYNC_STORAGE=./smartsync-storage
+USER_EMAIL=user@email.com
+DB_PASSWORD=pass
+DB_USER=postgres
+DB_HOST=appsec-db
+POSTGRES_STORAGE=./postgres-data
+NGINX_CONF_DIR=./nginx-proxy-config
+
+## To connect your deployment to central WebUI you can uncomment following line
+## and provide the token for a profile which you created in open-appsec WebUI at https://my.openappsec.io
+## Example: APPSEC_AGENT_TOKEN=111-22222-111
+APPSEC_AGENT_TOKEN=
+
+## When not providing token for connection to central WebUI please uncomment following line
+## which will enable sharing of learning between processes and allow you to perform tuning locally on CLI
+# COMPOSE_PROFILES=standalone

deployment/nginx/docker-compose.yaml

@@ -0,0 +1,117 @@
+version: "2"
+services:
+  appsec-agent:
+    image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
+    container_name: appsec-agent
+    environment:
+      - SHARED_STORAGE_HOST=appsec-shared-storage
+      - LEARNING_HOST=appsec-smartsync
+      - TUNING_HOST=appsec-tuning-svc
+      - https_proxy=${APPSEC_HTTPS_PROXY}
+      - user_email=${USER_EMAIL}
+      - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
+      - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+    ipc: shareable
+    volumes:
+      - ${APPSEC_CONFIG}:/etc/cp/conf
+      - ${APPSEC_DATA}:/etc/cp/data
+      - ${APPSEC_LOGS}:/var/log/nano_agent
+      - ${APPSEC_LOCALCONFIG}:/ext/appsec
+    command: /cp-nano-agent
+  appsec-nginx:
+    image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION}
+    container_name: appsec-nginx
+    ipc: service:appsec-agent
+## when mounting own external nginx config uncomment the two lines below, place the config in {NGINX_CONF_DIR}
+#   volumes:
+#     - ${NGINX_CONF_DIR}:/etc/nginx/conf.d
+
+## advanced configuration - volume mount for nginx.conf file:
+## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below
+## make sure to include the line starting with "load_module" which loads the appsec attachment
+## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container
+## make sure to only have one "volumes:" key
+#   volumes:
+#     - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
+    ports:
+      - "80:80"
+      - "443:443"
+  appsec-smartsync:
+    profiles:
+      - standalone
+    image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
+    container_name: appsec-smartsync
+    environment:
+      - SHARED_STORAGE_HOST=appsec-shared-storage
+    depends_on:
+      - appsec-shared-storage
+  appsec-shared-storage:
+    profiles:
+      - standalone
+    image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
+    container_name: appsec-shared-storage
+    ipc: service:appsec-agent
+    ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
+    ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
+    user: root
+    volumes:
+      - ${SMART_SYNC_STORAGE}:/db:z
+## instead of using local storage for local learning (see line above)
+## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
+## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) 
+#     - learning_nfs:/db:z
+  appsec-tuning-svc:
+    profiles:
+      - standalone
+    image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
+    container_name: appsec-tuning-svc
+    environment:
+      - SHARED_STORAGE_HOST=appsec-shared-storage
+      - QUERY_DB_PASSWORD=${DB_PASSWORD}
+      - QUERY_DB_HOST=${DB_HOST}
+      - QUERY_DB_USER=${DB_USER}
+## only relevant when deploying own DB 
+#     - SSLMODE:
+    volumes:
+      - ${APPSEC_CONFIG}:/etc/cp/conf
+    depends_on:
+      - appsec-shared-storage
+      - appsec-db
+  appsec-db:
+    profiles:
+      - standalone
+    image: postgres
+    container_name: appsec-db
+    restart: always
+    environment:
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
+      - POSTGRES_USER=${DB_USER} 
+    volumes:
+      - ${POSTGRES_STORAGE}:/var/lib/postgresql/data
+
+## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
+##
+## uncomment this block for testing purposes only, make sure to also adjust the nginx.conf file 
+## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container
+## you can use the example file available here:
+## https://github.com/openappsec/openappsec/blob/main/examples/juiceshop/default.conf
+## place the file above in {NGINX_CONF_DIR} and uncomment the two lines for creating a volume mount
+## in the appsec-nginx service definition
+## note that juiceshop container listens on HTTP port 3000 by default
+#
+# juiceshop-backend:
+#   image: bkimminich/juice-shop:latest
+#   container_name: juiceshop-backend
+
+
+## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
+##
+## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
+# 
+# volumes:
+#   learning_nfs:
+#     driver: local
+#     driver_opts:
+#       type: nfs
+#       o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
+#       device: ":/"

examples/juiceshop/default.conf

@@ -0,0 +1,47 @@
+server {
+    listen       80;
+    listen  [::]:80;
+    server_name  localhost;
+
+    #access_log  /var/log/nginx/host.access.log  main;
+
+    location / {
+        proxy_pass http://juiceshop-backend:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }    
+
+    #error_page  404              /404.html;
+
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+
+    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+    #
+    #location ~ \.php$ {
+    #    proxy_pass   http://127.0.0.1;
+    #}
+
+    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+    #
+    #location ~ \.php$ {
+    #    root           html;
+    #    fastcgi_pass   127.0.0.1:9000;
+    #    fastcgi_index  index.php;
+    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
+    #    include        fastcgi_params;
+    #}
+
+    # deny access to .htaccess files, if Apache's document root
+    # concurs with nginx's one
+    #
+    #location ~ /\.ht {
+    #    deny  all;
+    #}
+}