mirror of
https://github.com/openappsec/openappsec.git
synced 2025-06-28 16:41:02 +03:00
156 lines
5.7 KiB
YAML
156 lines
5.7 KiB
YAML
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# You may obtain a copy of the License at
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
##
|
|
## Docker compose file for open-appsec integrated with SWAG
|
|
##
|
|
|
|
version: "3.9"
|
|
services:
|
|
appsec-agent:
|
|
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
|
|
container_name: appsec-agent
|
|
restart: unless-stopped
|
|
environment:
|
|
- SHARED_STORAGE_HOST=appsec-shared-storage
|
|
- LEARNING_HOST=appsec-smartsync
|
|
- TUNING_HOST=appsec-tuning-svc
|
|
- https_proxy=${APPSEC_HTTPS_PROXY}
|
|
- user_email=${APPSEC_USER_EMAIL}
|
|
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
|
|
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
|
|
- registered_server=SWAG Server
|
|
ipc: shareable
|
|
volumes:
|
|
- ${APPSEC_CONFIG}:/etc/cp/conf
|
|
- ${APPSEC_DATA}:/etc/cp/data
|
|
- ${APPSEC_LOGS}:/var/log/nano_agent
|
|
- ${APPSEC_LOCALCONFIG}:/ext/appsec
|
|
command: /cp-nano-agent
|
|
|
|
appsec-swag:
|
|
image: ghcr.io/openappsec/swag-attachment:latest
|
|
container_name: appsec-swag
|
|
ipc: service:appsec-agent
|
|
restart: unless-stopped
|
|
cap_add:
|
|
- NET_ADMIN
|
|
environment:
|
|
- PUID=1000
|
|
- PGID=1000
|
|
- TZ=${SWAG_TZ}
|
|
- URL=${SWAG_URL}
|
|
- VALIDATION=${SWAG_VALIDATION}
|
|
- DNSPLUGIN=${SWAG_DNSPLUGIN}
|
|
- AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID}
|
|
- AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY}
|
|
- SUBDOMAINS=${SWAG_SUBDOMAINS}
|
|
- ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS}
|
|
## see https://docs.linuxserver.io/images/docker-swag/ for
|
|
## more cert generation/validation options
|
|
- STAGING=${SWAG_STAGING} ## switch to 'false' after successful testing
|
|
volumes:
|
|
- ${SWAG_CONFIG}:/config
|
|
## when mounting own external nginx config uncomment the line below, place the config in {SWAG_NGINX_CONFIG} folder
|
|
# - ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs
|
|
## when mounting own proxy.conf files uncomment the line below, place the proxy config files in {SWAG_PROXY_CONFS} folder
|
|
# - ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs
|
|
ports:
|
|
- 443:443
|
|
- 80:80 ## optional
|
|
|
|
appsec-smartsync:
|
|
profiles:
|
|
- standalone
|
|
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
|
|
container_name: appsec-smartsync
|
|
environment:
|
|
- SHARED_STORAGE_HOST=appsec-shared-storage
|
|
restart: unless-stopped
|
|
depends_on:
|
|
- appsec-shared-storage
|
|
|
|
appsec-shared-storage:
|
|
profiles:
|
|
- standalone
|
|
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
|
|
container_name: appsec-shared-storage
|
|
ipc: service:appsec-agent
|
|
restart: unless-stopped
|
|
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
|
|
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
|
|
user: root
|
|
volumes:
|
|
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
|
|
## instead of using local storage for local learning (see line above)
|
|
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
|
|
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
|
|
# - learning_nfs:/db:z
|
|
|
|
appsec-tuning-svc:
|
|
profiles:
|
|
- standalone
|
|
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
|
|
container_name: appsec-tuning-svc
|
|
environment:
|
|
- SHARED_STORAGE_HOST=appsec-shared-storage
|
|
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
|
|
- QUERY_DB_HOST=${APPSEC_DB_HOST}
|
|
- QUERY_DB_USER=${APPSEC_DB_USER}
|
|
## only relevant when deploying own DB
|
|
# - SSLMODE:
|
|
restart: unless-stopped
|
|
volumes:
|
|
- ${APPSEC_CONFIG}:/etc/cp/conf
|
|
depends_on:
|
|
- appsec-shared-storage
|
|
- appsec-db
|
|
|
|
appsec-db:
|
|
profiles:
|
|
- standalone
|
|
image: postgres
|
|
container_name: appsec-db
|
|
restart: unless-stopped
|
|
environment:
|
|
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
|
|
- POSTGRES_USER=${APPSEC_DB_USER}
|
|
volumes:
|
|
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
|
|
|
|
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
|
|
##
|
|
## uncomment this block for testing purposes only, make sure to put a juiceshop.subfolder.conf file in {SWAG_PROXY_CONFS} folder
|
|
## for proxying external traffic to the juiceshop-backend container and also adjust the NGINX default.conf file in {SWAG_NGINX_SITE_CONFS} folder
|
|
## you can use the example files available here:
|
|
## https://raw.githubusercontent.com/openappsec/openappsec/main/examples/juiceshop/swag/juiceshop.subfolder.conf
|
|
## https://raw.githubusercontent.com/openappsec/openappsec/main/examples/juiceshop/swag/default.conf
|
|
## note that juiceshop container listens on HTTP port 3000 by default
|
|
#
|
|
# juiceshop-backend:
|
|
# image: bkimminich/juice-shop:latest
|
|
# container_name: juiceshop-backend
|
|
|
|
|
|
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
|
|
##
|
|
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
|
|
##
|
|
#volumes:
|
|
# learning_nfs:
|
|
# driver: local
|
|
# driver_opts:
|
|
# type: nfs
|
|
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
|
|
# device: ":/"
|