# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. # Licensed under the Apache License, Version 2.0 (the "License"); # You may obtain a copy of the License at # http://www.apache.org/licenses/LICENSE-2.0 # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ## ## Docker compose file for open-appsec integrated with Kong ## version: "3.9" services: appsec-agent: image: ghcr.io/openappsec/agent:${APPSEC_VERSION} container_name: appsec-agent environment: - SHARED_STORAGE_HOST=appsec-shared-storage - LEARNING_HOST=appsec-smartsync - TUNING_HOST=appsec-tuning-svc - https_proxy=${APPSEC_HTTPS_PROXY} - user_email=${APPSEC_USER_EMAIL} - AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - registered_server=Kong Server ipc: shareable restart: unless-stopped volumes: - ${APPSEC_CONFIG}:/etc/cp/conf - ${APPSEC_DATA}:/etc/cp/data - ${APPSEC_LOGS}:/var/log/nano_agent - ${APPSEC_LOCALCONFIG}:/ext/appsec command: /cp-nano-agent appsec-kong: image: ghcr.io/openappsec/kong-attachment:${APPSEC_VERSION} ## If you want to deploy Kong Gateway Enterprise Edition comment out the line above and uncomment the following line: # image: ghcr.io/openappsec/kong-gateway-attachment:${APPSEC_VERSION} container_name: appsec-kong ipc: service:appsec-agent ## If you want to deploy Kong in DB-less mode with declarative configuration ## please comment out the following five lines below and place the config in {KONG_CONF_DIR}: # environment: # - KONG_DATABASE=off # - KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml # volumes: # - ${KONG_CONFIG}:/opt/kong restart: unless-stopped ports: - "8000:8000" - "8443:8443" - "127.0.0.1:8001:8001" - "127.0.0.1:8444:8444" appsec-smartsync: profiles: - standalone image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION} container_name: appsec-smartsync environment: - SHARED_STORAGE_HOST=appsec-shared-storage restart: unless-stopped depends_on: - appsec-shared-storage appsec-shared-storage: profiles: - standalone image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} container_name: appsec-shared-storage ipc: service:appsec-agent restart: unless-stopped ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db user: root volumes: - ${APPSEC_SMART_SYNC_STORAGE}:/db:z ## instead of using local storage for local learning (see line above) ## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file) ## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above) # - learning_nfs:/db:z appsec-tuning-svc: profiles: - standalone image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION} container_name: appsec-tuning-svc environment: - SHARED_STORAGE_HOST=appsec-shared-storage - QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD} - QUERY_DB_HOST=${APPSEC_DB_HOST} - QUERY_DB_USER=${APPSEC_DB_USER} ## only relevant when deploying own DB # - SSLMODE: restart: unless-stopped volumes: - ${APPSEC_CONFIG}:/etc/cp/conf depends_on: - appsec-shared-storage - appsec-db appsec-db: profiles: - standalone image: postgres container_name: appsec-db restart: unless-stopped environment: - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD} - POSTGRES_USER=${APPSEC_DB_USER} volumes: - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV) ## ## uncomment this block for testing purposes only, make sure to also adjust the kong.yaml file in {KONG_CONFIG} folder ## to include service and route configuration for forwarding external traffic to the juiceshop-backend container ## (kong listens by default for HTTP/HTTPS on port 8000/8443) ## you can use the example file available here: ## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/kong.yaml ## in the appsec-kong service definition ## note that juiceshop container listens on HTTP port 3000 by default ## # juiceshop-backend: # image: bkimminich/juice-shop:latest # container_name: juiceshop-backend ## advanced configuration: learning_nfs volume for nfs storage in shared_storage container ## ## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) ## #volumes: # learning_nfs: # driver: local # driver_opts: # type: nfs # o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport # device: ":/"