Merge branch 'MISP:master' into master
commit
040fe59d46
47
README.md
47
README.md
|
@ -95,6 +95,14 @@ To override these behaviours edit the docker-compose.yml file's misp-core volume
|
|||
If it is just a default setting that is meant to be set if not already set by the user, add it in one of the `*.default.json` files.
|
||||
If it is a setting controlled by an environment variable which is meant to override whatever is set, add it in one of the `*.envars.json` files (note that you can still specify a default value).
|
||||
|
||||
#### LDAP Authentication
|
||||
|
||||
You can configure LDAP authentication in MISP using 2 methods:
|
||||
- native plugin: LdapAuth (https://github.com/MISP/MISP/tree/2.5/app/Plugin/LdapAuth)
|
||||
- previous approach with ApacheSecureAuth (https://gist.github.com/Kagee/f35ed25216369481437210753959d372).
|
||||
|
||||
LdapAuth is to be recommended, because it doesn't require rproxy apache with the ldap module.
|
||||
|
||||
### Production
|
||||
|
||||
- It is recommended to specify the build you want run by editing `docker-compose.yml` (see here for the list of available tags https://github.com/orgs/MISP/packages)
|
||||
|
@ -141,6 +149,45 @@ Custom root CA certificates can be mounted under `/usr/local/share/ca-certificat
|
|||
- "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt"
|
||||
```
|
||||
|
||||
## Database Management
|
||||
|
||||
It is possible to backup and restore the underlying database using volume archiving.
|
||||
The process is *NOT* battle-tested, so it is *NOT* to be followed uncritically.
|
||||
|
||||
### Backup
|
||||
|
||||
1. Stop the MISP containers:
|
||||
```bash
|
||||
docker compose down
|
||||
```
|
||||
|
||||
2. Create an archive of the `misp-docker_mysql_data` volume using `tar`:
|
||||
```bash
|
||||
tar -cvzf /root/misp_mysql_backup.tar.gz /var/lib/docker/volumes/misp-docker_mysql_data/
|
||||
```
|
||||
|
||||
3. Start the MISP containers:
|
||||
```bash
|
||||
docker compose up
|
||||
```
|
||||
|
||||
### Restore
|
||||
|
||||
1. Stop the MISP containers:
|
||||
```bash
|
||||
docker compose down
|
||||
```
|
||||
|
||||
2. Unpack the backup and overwrite existing data by using the `--overwrite` option to replace existing files:
|
||||
```bash
|
||||
tar -xvzf /path_to_backup/misp_mysql_backup.tar.gz -C /var/lib/docker/volumes/misp-docker_mysql_data/ --overwrite
|
||||
```
|
||||
|
||||
3. Start the MISP containers:
|
||||
```bash
|
||||
docker compose up
|
||||
```
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
- Make sure you run a fairly recent version of Docker and Docker Compose (if in doubt, update following the steps outlined in https://docs.docker.com/engine/install/ubuntu/)
|
||||
|
|
|
@ -155,36 +155,88 @@ set_up_oidc() {
|
|||
fi
|
||||
}
|
||||
|
||||
set_up_apachesecureauth() {
|
||||
if [[ "$APACHESECUREAUTH_LDAP_ENABLE" != "true" ]]; then
|
||||
echo "... LDAP APACHESECUREAUTH authentication disabled"
|
||||
return
|
||||
fi
|
||||
|
||||
|
||||
if [ ! -z "$APACHESECUREAUTH_LDAP_OLD_VAR_DETECT" ]; then
|
||||
echo "WARNING: old variables used for APACHESECUREAUTH bloc in env file. Switch to the new naming convention."
|
||||
fi
|
||||
|
||||
# Check required variables
|
||||
# APACHESECUREAUTH_LDAP_SEARCH_FILTER may be empty
|
||||
check_env_vars APACHESECUREAUTH_LDAP_APACHE_ENV APACHESECUREAUTH_LDAP_SERVER APACHESECUREAUTH_LDAP_STARTTLS APACHESECUREAUTH_LDAP_READER_USER APACHESECUREAUTH_LDAP_READER_PASSWORD APACHESECUREAUTH_LDAP_DN APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE APACHESECUREAUTH_LDAP_FILTER APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID APACHESECUREAUTH_LDAP_DEFAULT_ORG APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT APACHESECUREAUTH_LDAP_OPT_REFERRALS
|
||||
|
||||
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||
\"ApacheSecureAuth\": {
|
||||
\"apacheEnv\": \"${APACHESECUREAUTH_LDAP_APACHE_ENV}\",
|
||||
\"ldapServer\": \"${APACHESECUREAUTH_LDAP_SERVER}\",
|
||||
\"starttls\": ${APACHESECUREAUTH_LDAP_STARTTLS},
|
||||
\"ldapProtocol\": ${APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION},
|
||||
\"ldapNetworkTimeout\": ${APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT},
|
||||
\"ldapReaderUser\": \"${APACHESECUREAUTH_LDAP_READER_USER}\",
|
||||
\"ldapReaderPassword\": \"${APACHESECUREAUTH_LDAP_READER_PASSWORD}\",
|
||||
\"ldapDN\": \"${APACHESECUREAUTH_LDAP_DN}\",
|
||||
\"ldapSearchFilter\": \"${APACHESECUREAUTH_LDAP_SEARCH_FILTER}\",
|
||||
\"ldapSearchAttribut\": \"${APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE}\",
|
||||
\"ldapFilter\": ${APACHESECUREAUTH_LDAP_FILTER},
|
||||
\"ldapDefaultRoleId\": ${APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID},
|
||||
\"ldapDefaultOrg\": \"${APACHESECUREAUTH_LDAP_DEFAULT_ORG}\",
|
||||
\"ldapAllowReferrals\": ${APACHESECUREAUTH_LDAP_OPT_REFERRALS},
|
||||
\"ldapEmailField\": ${APACHESECUREAUTH_LDAP_EMAIL_FIELD}
|
||||
}
|
||||
}" > /dev/null
|
||||
|
||||
# Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
|
||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
|
||||
}
|
||||
|
||||
set_up_ldap() {
|
||||
if [[ "$LDAP_ENABLE" != "true" ]]; then
|
||||
echo "... LDAP authentication disabled"
|
||||
if [[ "$LDAPAUTH_ENABLE" != "true" ]]; then
|
||||
echo "... LDAPAUTH authentication disabled"
|
||||
return
|
||||
fi
|
||||
|
||||
# Check required variables
|
||||
# LDAP_SEARCH_FILTER may be empty
|
||||
check_env_vars LDAP_APACHE_ENV LDAP_SERVER LDAP_STARTTLS LDAP_READER_USER LDAP_READER_PASSWORD LDAP_DN LDAP_SEARCH_ATTRIBUTE LDAP_FILTER LDAP_DEFAULT_ROLE_ID LDAP_DEFAULT_ORG LDAP_OPT_PROTOCOL_VERSION LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_REFERRALS
|
||||
# LDAPAUTH_LDAPSEARCHFILTER may be empty
|
||||
check_env_vars LDAPAUTH_LDAPSERVER LDAPAUTH_LDAPDN LDAPAUTH_LDAPREADERUSER LDAPAUTH_LDAPREADERPASSWORD LDAPAUTH_LDAPSEARCHATTRIBUTE LDAPAUTH_LDAPDEFAULTROLEID LDAPAUTH_LDAPDEFAULTORGID LDAPAUTH_LDAPEMAILFIELD LDAPAUTH_LDAPNETWORKTIMEOUT LDAPAUTH_LDAPPROTOCOL LDAPAUTH_LDAPALLOWREFERRALS LDAPAUTH_STARTTLS LDAPAUTH_MIXEDAUTH LDAPAUTH_UPDATEUSER LDAPAUTH_DEBUG LDAPAUTH_LDAPTLSREQUIRECERT LDAPAUTH_LDAPTLSCUSTOMCACERT LDAPAUTH_LDAPTLSCRLCHECK LDAPAUTH_LDAPTLSPROTOCOLMIN
|
||||
|
||||
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||
\"ApacheSecureAuth\": {
|
||||
\"apacheEnv\": \"${LDAP_APACHE_ENV}\",
|
||||
\"ldapServer\": \"${LDAP_SERVER}\",
|
||||
\"starttls\": ${LDAP_STARTTLS},
|
||||
\"ldapProtocol\": ${LDAP_OPT_PROTOCOL_VERSION},
|
||||
\"ldapNetworkTimeout\": ${LDAP_OPT_NETWORK_TIMEOUT},
|
||||
\"ldapReaderUser\": \"${LDAP_READER_USER}\",
|
||||
\"ldapReaderPassword\": \"${LDAP_READER_PASSWORD}\",
|
||||
\"ldapDN\": \"${LDAP_DN}\",
|
||||
\"ldapSearchFilter\": \"${LDAP_SEARCH_FILTER}\",
|
||||
\"ldapSearchAttribut\": \"${LDAP_SEARCH_ATTRIBUTE}\",
|
||||
\"ldapFilter\": ${LDAP_FILTER},
|
||||
\"ldapDefaultRoleId\": ${LDAP_DEFAULT_ROLE_ID},
|
||||
\"ldapDefaultOrg\": \"${LDAP_DEFAULT_ORG}\",
|
||||
\"ldapAllowReferrals\": ${LDAP_OPT_REFERRALS},
|
||||
\"ldapEmailField\": ${LDAP_EMAIL_FIELD}
|
||||
}
|
||||
\"LdapAuth\": {
|
||||
\"ldapServer\": \"${LDAPAUTH_LDAPSERVER}\",
|
||||
\"ldapDn\": \"${LDAPAUTH_LDAPDN}\",
|
||||
\"ldapReaderUser\": \"${LDAPAUTH_LDAPREADERUSER}\",
|
||||
\"ldapReaderPassword\": \"${LDAPAUTH_LDAPREADERPASSWORD}\",
|
||||
\"ldapSearchFilter\": \"${LDAPAUTH_LDAPSEARCHFILTER}\",
|
||||
\"ldapSearchAttribute\": \"${LDAPAUTH_LDAPSEARCHATTRIBUTE}\",
|
||||
\"ldapEmailField\": ${LDAPAUTH_LDAPEMAILFIELD},
|
||||
\"ldapNetworkTimeout\": ${LDAPAUTH_LDAPNETWORKTIMEOUT},
|
||||
\"ldapProtocol\": ${LDAPAUTH_LDAPPROTOCOL},
|
||||
\"ldapAllowReferrals\": ${LDAPAUTH_LDAPALLOWREFERRALS},
|
||||
\"starttls\": ${LDAPAUTH_STARTTLS},
|
||||
\"mixedAuth\": ${LDAPAUTH_MIXEDAUTH},
|
||||
\"ldapDefaultOrgId\": ${LDAPAUTH_LDAPDEFAULTORGID},
|
||||
\"ldapDefaultRoleId\": ${LDAPAUTH_LDAPDEFAULTROLEID},
|
||||
\"updateUser\": ${LDAPAUTH_UPDATEUSER},
|
||||
\"debug\": ${LDAPAUTH_DEBUG},
|
||||
\"ldapTlsRequireCert\": \"${LDAPAUTH_LDAPTLSREQUIRECERT}\",
|
||||
\"ldapTlsCustomCaCert\": ${LDAPAUTH_LDAPTLSCUSTOMCACERT},
|
||||
\"ldapTlsCrlCheck\": \"${LDAPAUTH_LDAPTLSCRLCHECK}\",
|
||||
\"ldapTlsProtocolMin\": \"${LDAPAUTH_LDAPTLSPROTOCOLMIN}\"
|
||||
}
|
||||
}" > /dev/null
|
||||
|
||||
# Configure LdapAuth in MISP
|
||||
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||
\"Security\": {
|
||||
\"auth\": [\"LdapAuth.Ldap\"]
|
||||
}
|
||||
}" > /dev/null
|
||||
|
||||
|
||||
# Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
|
||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
|
||||
}
|
||||
|
@ -449,6 +501,8 @@ echo "MISP | Create sync servers ..." && create_sync_servers
|
|||
|
||||
echo "MISP | Set Up OIDC ..." && set_up_oidc
|
||||
|
||||
echo "MISP | Set Up apachesecureauth ..." && set_up_apachesecureauth
|
||||
|
||||
echo "MISP | Set Up LDAP ..." && set_up_ldap
|
||||
|
||||
echo "MISP | Set Up AAD ..." && set_up_aad
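Review bot: `set_up_ldap` still turns off `Security.require_password_confirmation` unconditionally at its end, but that workaround was introduced for ApacheSecureAuth (issue 8116), where MISP never sees a password; the native plugin is configured here with `mixedAuth` from `LDAPAUTH_MIXEDAUTH`, and if that mode keeps local password accounts alongside LDAP ones — which this hunk alone cannot confirm — those accounts lose the re-confirmation on profile edits for no gain. Gate it on the mode: `if [[ "$LDAPAUTH_MIXEDAUTH" != "true" ]]; then` / `sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false` / `fi`. Separately, the second `modify_config.php` call writes `Security.auth` as exactly `["LdapAuth.Ldap"]`, which replaces rather than appends, and since `set_up_oidc` runs before `set_up_ldap` in the startup sequence below, enabling both would silently drop whatever OIDC registered there (the OIDC body is outside this hunk, so verify before relying on it). Also `ldapTlsCustomCaCert` is interpolated unquoted: that is right for the `false` example, but if the setting also accepts a certificate path, a path value yields invalid JSON and the whole config write fails — either quote it conditionally or document that only a boolean is accepted.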
|
||||
|
|
|
@ -50,6 +50,7 @@ export PHP_MAX_EXECUTION_TIME=${PHP_MAX_EXECUTION_TIME:-300}
|
|||
export PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}
|
||||
export PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}
|
||||
export PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300}
|
||||
export PHP_MAX_FILE_UPLOADS=${PHP_MAX_FILE_UPLOADS:-50}
|
||||
|
||||
export PHP_FCGI_CHILDREN=${PHP_FCGI_CHILDREN:-5}
|
||||
export PHP_FCGI_START_SERVERS=${PHP_FCGI_START_SERVERS:-2}
|
||||
|
@ -67,6 +68,7 @@ export PHP_SESSION_COOKIE_SAMESITE=${PHP_SESSION_COOKIE_SAMESITE:-Lax}
|
|||
|
||||
export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false}
|
||||
export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}
|
||||
export NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M}
|
||||
|
||||
# start supervisord using the main configuration file so we have a socket interface
|
||||
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
|
||||
|
|
|
@ -19,6 +19,8 @@ change_php_vars() {
|
|||
sed -i "s/max_execution_time = .*/max_execution_time = ${PHP_MAX_EXECUTION_TIME}/" "$FILE"
|
||||
echo "Configure PHP | Setting 'upload_max_filesize = ${PHP_UPLOAD_MAX_FILESIZE}'"
|
||||
sed -i "s/upload_max_filesize = .*/upload_max_filesize = ${PHP_UPLOAD_MAX_FILESIZE}/" "$FILE"
|
||||
echo "Configure PHP | Setting 'max_file_uploads = ${PHP_MAX_FILE_UPLOADS}'"
|
||||
sed -i "s/max_file_uploads = .*/max_file_uploads = ${PHP_MAX_FILE_UPLOADS}/" "$FILE"
|
||||
echo "Configure PHP | Setting 'post_max_size = ${PHP_POST_MAX_SIZE}'"
|
||||
sed -i "s/post_max_size = .*/post_max_size = ${PHP_POST_MAX_SIZE}/" "$FILE"
|
||||
echo "Configure PHP | Setting 'max_input_time = ${PHP_MAX_INPUT_TIME}'"
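Review bot: The new `max_file_uploads` sed, like its neighbours, splices `${PHP_MAX_FILE_UPLOADS}` straight into the replacement text, so a value containing `/`, `&` or a newline corrupts php.ini instead of failing loudly; the value is operator-supplied, so this is robustness rather than injection, but a typo in `.env` currently goes unnoticed until PHP misbehaves. A one-line guard before the sed surfaces it at startup: `[[ "$PHP_MAX_FILE_UPLOADS" =~ ^[0-9]+$ ]] || { echo "PHP_MAX_FILE_UPLOADS must be an integer" >&2; exit 1; }`. `change_php_vars` starts before this hunk, so the same check may fit better at its top next to the other PHP_* values.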
|
||||
|
|
|
@ -225,6 +225,10 @@ init_nginx() {
|
|||
echo "... adjusting 'fastcgi_connect_timeout' to ${FASTCGI_CONNECT_TIMEOUT}"
|
||||
sed -i "s/fastcgi_connect_timeout .*;/fastcgi_connect_timeout ${FASTCGI_CONNECT_TIMEOUT};/" /etc/nginx/includes/misp
|
||||
|
||||
# Adjust maximum allowed size of the client request body
|
||||
echo "... adjusting 'client_max_body_size' to ${NGINX_CLIENT_MAX_BODY_SIZE}"
|
||||
sed -i "s/client_max_body_size .*;/client_max_body_size ${NGINX_CLIENT_MAX_BODY_SIZE};/" /etc/nginx/includes/misp
|
||||
|
||||
# Adjust forwarding header settings (clean up first)
|
||||
sed -i '/real_ip_header/d' /etc/nginx/includes/misp
|
||||
sed -i '/real_ip_recursive/d' /etc/nginx/includes/misp
|
||||
|
|
|
@ -11,7 +11,6 @@ add_header X-Download-Options "noopen" always;
|
|||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
||||
# remove X-Powered-By and nginx version, which is an information leak
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
<?php
|
||||
$proto = (isset($_SERVER['SERVER_PROTOCOL']))?($_SERVER['SERVER_PROTOCOL']):('HTTP/1.1');
|
||||
header($proto.' 503 Service Unavailable', true);
|
||||
header('cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
|
||||
header('cache-control: no-store, no-cache, must-revalidate');
|
||||
header('retry-after: 30');
|
||||
header('refresh: 30');
|
||||
?>
|
||||
|
|
|
@ -125,23 +125,46 @@ services:
|
|||
- "OIDC_DEFAULT_ORG=${OIDC_DEFAULT_ORG}"
|
||||
- "OIDC_LOGOUT_URL=${OIDC_LOGOUT_URL}"
|
||||
- "OIDC_SCOPES=${OIDC_SCOPES}"
|
||||
# LDAP authentication settings
|
||||
- "LDAP_ENABLE=${LDAP_ENABLE}"
|
||||
- "LDAP_APACHE_ENV=${LDAP_APACHE_ENV}"
|
||||
- "LDAP_SERVER=${LDAP_SERVER}"
|
||||
- "LDAP_STARTTLS=${LDAP_STARTTLS}"
|
||||
- "LDAP_READER_USER=${LDAP_READER_USER}"
|
||||
- "LDAP_READER_PASSWORD=${LDAP_READER_PASSWORD}"
|
||||
- "LDAP_DN=${LDAP_DN}"
|
||||
- "LDAP_SEARCH_FILTER=${LDAP_SEARCH_FILTER}"
|
||||
- "LDAP_SEARCH_ATTRIBUTE=${LDAP_SEARCH_ATTRIBUTE}"
|
||||
- "LDAP_FILTER=${LDAP_FILTER}"
|
||||
- "LDAP_DEFAULT_ROLE_ID=${LDAP_DEFAULT_ROLE_ID}"
|
||||
- "LDAP_DEFAULT_ORG=${LDAP_DEFAULT_ORG}"
|
||||
- "LDAP_EMAIL_FIELD=${LDAP_EMAIL_FIELD}"
|
||||
- "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}"
|
||||
- "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}"
|
||||
- "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}"
|
||||
# APACHESECUREAUTH authentication settings
|
||||
- "APACHESECUREAUTH_LDAP_OLD_VAR_DETECT=${LDAP_ENABLE}"
|
||||
- "APACHESECUREAUTH_LDAP_ENABLE=${APACHESECUREAUTH_LDAP_ENABLE:-${LDAP_ENABLE}}"
|
||||
- "APACHESECUREAUTH_LDAP_APACHE_ENV=${APACHESECUREAUTH_LDAP_APACHE_ENV:-${LDAP_APACHE_ENV}}"
|
||||
- "APACHESECUREAUTH_LDAP_SERVER=${APACHESECUREAUTH_LDAP_SERVER:-${LDAP_SERVER}}"
|
||||
- "APACHESECUREAUTH_LDAP_STARTTLS=${APACHESECUREAUTH_LDAP_STARTTLS:-${LDAP_STARTTLS}}"
|
||||
- "APACHESECUREAUTH_LDAP_READER_USER=${APACHESECUREAUTH_LDAP_READER_USER:-${LDAP_READER_USER}}"
|
||||
- "APACHESECUREAUTH_LDAP_READER_PASSWORD=${APACHESECUREAUTH_LDAP_READER_PASSWORD:-${LDAP_READER_PASSWORD}}"
|
||||
- "APACHESECUREAUTH_LDAP_DN=${APACHESECUREAUTH_LDAP_DN:-${LDAP_DN}}"
|
||||
- "APACHESECUREAUTH_LDAP_SEARCH_FILTER=${APACHESECUREAUTH_LDAP_SEARCH_FILTER:-${LDAP_SEARCH_FILTER}}"
|
||||
- "APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE=${APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE:-${LDAP_SEARCH_ATTRIBUTE}}"
|
||||
- "APACHESECUREAUTH_LDAP_FILTER=${APACHESECUREAUTH_LDAP_FILTER:-${LDAP_FILTER}}"
|
||||
- "APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID=${APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID:-${LDAP_DEFAULT_ROLE_ID}}"
|
||||
- "APACHESECUREAUTH_LDAP_DEFAULT_ORG=${APACHESECUREAUTH_LDAP_DEFAULT_ORG:-${LDAP_DEFAULT_ORG}}"
|
||||
- "APACHESECUREAUTH_LDAP_EMAIL_FIELD=${APACHESECUREAUTH_LDAP_EMAIL_FIELD:-${LDAP_EMAIL_FIELD}}"
|
||||
- "APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION=${APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION:-${LDAP_OPT_PROTOCOL_VERSION}}"
|
||||
- "APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT=${APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT:-${LDAP_OPT_NETWORK_TIMEOUT}}"
|
||||
- "APACHESECUREAUTH_LDAP_OPT_REFERRALS=${APACHESECUREAUTH_LDAP_OPT_REFERRALS:-${LDAP_OPT_REFERRALS}}"
|
||||
# LdapAuth MISP authentication settings
|
||||
- "LDAPAUTH_ENABLE=${LDAPAUTH_ENABLE}"
|
||||
- "LDAPAUTH_LDAPSERVER=${LDAPAUTH_LDAPSERVER}"
|
||||
- "LDAPAUTH_LDAPDN=${LDAPAUTH_LDAPDN}"
|
||||
- "LDAPAUTH_LDAPREADERUSER=${LDAPAUTH_LDAPREADERUSER}"
|
||||
- "LDAPAUTH_LDAPREADERPASSWORD=${LDAPAUTH_LDAPREADERPASSWORD}"
|
||||
- "LDAPAUTH_LDAPSEARCHFILTER=${LDAPAUTH_LDAPSEARCHFILTER}"
|
||||
- "LDAPAUTH_LDAPSEARCHATTRIBUTE=${LDAPAUTH_LDAPSEARCHATTRIBUTE}"
|
||||
- "LDAPAUTH_LDAPEMAILFIELD=${LDAPAUTH_LDAPEMAILFIELD}"
|
||||
- "LDAPAUTH_LDAPNETWORKTIMEOUT=${LDAPAUTH_LDAPNETWORKTIMEOUT}"
|
||||
- "LDAPAUTH_LDAPPROTOCOL=${LDAPAUTH_LDAPPROTOCOL}"
|
||||
- "LDAPAUTH_LDAPALLOWREFERRALS=${LDAPAUTH_LDAPALLOWREFERRALS}"
|
||||
- "LDAPAUTH_STARTTLS=${LDAPAUTH_STARTTLS}"
|
||||
- "LDAPAUTH_MIXEDAUTH=${LDAPAUTH_MIXEDAUTH}"
|
||||
- "LDAPAUTH_LDAPDEFAULTORGID=${LDAPAUTH_LDAPDEFAULTORGID}"
|
||||
- "LDAPAUTH_LDAPDEFAULTROLEID=${LDAPAUTH_LDAPDEFAULTROLEID}"
|
||||
- "LDAPAUTH_UPDATEUSER=${LDAPAUTH_UPDATEUSER}"
|
||||
- "LDAPAUTH_DEBUG=${LDAPAUTH_DEBUG}"
|
||||
- "LDAPAUTH_LDAPTLSREQUIRECERT=${LDAPAUTH_LDAPTLSREQUIRECERT}"
|
||||
- "LDAPAUTH_LDAPTLSCUSTOMCACERT=${LDAPAUTH_LDAPTLSCUSTOMCACERT}"
|
||||
- "LDAPAUTH_LDAPTLSCRLCHECK=${LDAPAUTH_LDAPTLSCRLCHECK}"
|
||||
- "LDAPAUTH_LDAPTLSPROTOCOLMIN=${LDAPAUTH_LDAPTLSPROTOCOLMIN}"
|
||||
# AAD authentication settings
|
||||
- "AAD_ENABLE=${AAD_ENABLE}"
|
||||
- "AAD_CLIENT_ID=${AAD_CLIENT_ID}"
|
||||
|
@ -157,6 +180,7 @@ services:
|
|||
# Nginx settings
|
||||
- "NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR}"
|
||||
- "NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}"
|
||||
- "NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M}"
|
||||
# Proxy settings
|
||||
- "PROXY_ENABLE=${PROXY_ENABLE}"
|
||||
- "PROXY_HOST=${PROXY_HOST}"
|
||||
|
@ -201,6 +225,7 @@ services:
|
|||
- "PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}"
|
||||
- "PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}"
|
||||
- "PHP_MAX_INPUT_TIME:${PHP_MAX_INPUT_TIME:-300}"
|
||||
- "PHP_MAX_FILE_UPLOADS=${PHP_MAX_FILE_UPLOADS:-50}"
|
||||
# PHP FPM pool setup
|
||||
- "PHP_FCGI_CHILDREN=${PHP_FCGI_CHILDREN:-5}"
|
||||
- "PHP_FCGI_START_SERVERS=${PHP_FCGI_START_SERVERS:-2}"
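Review bot: The `PHP_MAX_INPUT_TIME` entry two lines above the new `PHP_MAX_FILE_UPLOADS` line uses a colon instead of `=` (`- "PHP_MAX_INPUT_TIME:${PHP_MAX_INPUT_TIME:-300}"`); Compose reads a list entry without `=` as a bare variable name, so the value never reaches the container and the entrypoint's own default of 300 silently masks any override set in `.env`. The line appears to predate this commit, but the hunk edits the same list and the fix is one character: `- "PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300}"`.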
|
||||
|
|
61
template.env
61
template.env
|
@ -134,22 +134,46 @@ SYNCSERVERS_1_PULL_RULES=
|
|||
# users should not be able to control the HTTP header configured in LDAP_APACHE_ENV
|
||||
# (e.g. REMOTE_USER), this means you must not allow direct access to MISP.
|
||||
# NOTE 2: You need to escape special characters twice, e.g., "pass\word" becomes "pass\\\\word".
|
||||
# LDAP_ENABLE=true
|
||||
# LDAP_APACHE_ENV="REMOTE_USER"
|
||||
# LDAP_SERVER="ldap://your_domain_controller"
|
||||
# LDAP_STARTTLS=true
|
||||
# LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net"
|
||||
# LDAP_READER_PASSWORD="password"
|
||||
# LDAP_DN="OU=Users,DC=domain,DC=net"
|
||||
# LDAP_SEARCH_FILTER=""
|
||||
# LDAP_SEARCH_ATTRIBUTE="uid"
|
||||
# LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]"
|
||||
# LDAP_DEFAULT_ROLE_ID="3"
|
||||
# LDAP_DEFAULT_ORG="1"
|
||||
# LDAP_EMAIL_FIELD="[\"mail\"]"
|
||||
# LDAP_OPT_PROTOCOL_VERSION="3"
|
||||
# LDAP_OPT_NETWORK_TIMEOUT="-1"
|
||||
# LDAP_OPT_REFERRALS=false
|
||||
# APACHESECUREAUTH_LDAP_ENABLE=true
|
||||
# APACHESECUREAUTH_LDAP_APACHE_ENV="REMOTE_USER"
|
||||
# APACHESECUREAUTH_LDAP_SERVER="ldap://your_domain_controller"
|
||||
# APACHESECUREAUTH_LDAP_STARTTLS=true
|
||||
# APACHESECUREAUTH_LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net"
|
||||
# APACHESECUREAUTH_LDAP_READER_PASSWORD="password"
|
||||
# APACHESECUREAUTH_LDAP_DN="OU=Users,DC=domain,DC=net"
|
||||
# APACHESECUREAUTH_LDAP_SEARCH_FILTER=""
|
||||
# APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE="uid"
|
||||
# APACHESECUREAUTH_LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]"
|
||||
# APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID="3"
|
||||
# APACHESECUREAUTH_LDAP_DEFAULT_ORG="1"
|
||||
# APACHESECUREAUTH_LDAP_EMAIL_FIELD="[\"mail\"]"
|
||||
# APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION="3"
|
||||
# APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT="-1"
|
||||
# APACHESECUREAUTH_LDAP_OPT_REFERRALS=false
|
||||
|
||||
# Enable LDAP (using the MISP plugin native) authentication, according to https://github.com/MISP/MISP/tree/2.5/app/Plugin/LdapAuth
|
||||
# NOTE 2: You need to escape special characters twice, e.g., "pass\word" becomes "pass\\\\word".
|
||||
# LDAPAUTH_ENABLE=true
|
||||
# LDAPAUTH_LDAPSERVER="ldap://your_domain_controller"
|
||||
# LDAPAUTH_LDAPDN="OU=Users,DC=domain,DC=net"
|
||||
# LDAPAUTH_LDAPREADERUSER="CN=service_account_name,OU=Users,DC=domain,DC=net"
|
||||
# LDAPAUTH_LDAPREADERPASSWORD="password"
|
||||
# LDAPAUTH_LDAPSEARCHFILTER=""
|
||||
# LDAPAUTH_LDAPSEARCHATTRIBUTE="mail"
|
||||
# LDAPAUTH_LDAPEMAILFIELD="[\"mail\"]"
|
||||
# LDAPAUTH_LDAPNETWORKTIMEOUT="-1"
|
||||
# LDAPAUTH_LDAPPROTOCOL="3"
|
||||
# LDAPAUTH_LDAPALLOWREFERRALS=true
|
||||
# LDAPAUTH_STARTTLS=false
|
||||
# LDAPAUTH_MIXEDAUTH=true
|
||||
# LDAPAUTH_LDAPDEFAULTORGID="1"
|
||||
# LDAPAUTH_LDAPDEFAULTROLEID="3"
|
||||
# LDAPAUTH_UPDATEUSER=true
|
||||
# LDAPAUTH_DEBUG=false
|
||||
# LDAPAUTH_LDAPTLSREQUIRECERT="LDAP_OPT_X_TLS_ALLOW"
|
||||
# LDAPAUTH_LDAPTLSCUSTOMCACERT=false
|
||||
# LDAPAUTH_LDAPTLSCRLCHECK="LDAP_OPT_X_TLS_CRL_PEER"
|
||||
# LDAPAUTH_LDAPTLSPROTOCOLMIN="LDAP_OPT_X_TLS_PROTOCOL_TLS1_2"
|
||||
|
||||
# Enable Azure AD (Entra) authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
|
||||
# AAD_ENABLE=true
|
||||
|
@ -200,6 +224,8 @@ SYNCSERVERS_1_PULL_RULES=
|
|||
# PHP_POST_MAX_SIZE=50M
|
||||
# Maximum time PHP spends parsing input data in seconds.
|
||||
# PHP_MAX_INPUT_TIME=300
|
||||
# Maximum number of file to upload per request.
|
||||
# PHP_MAX_FILE_UPLOADS=50
|
||||
|
||||
## PHP FPM pool setup
|
||||
# Maximum number of php-fpm processes, limits the number of simultaneous requests.
|
||||
|
@ -252,6 +278,9 @@ SYNCSERVERS_1_PULL_RULES=
|
|||
# Options: DENY, SAMEORIGIN, ALLOW-FROM <URL> Default: SAMEORIGIN
|
||||
# X_FRAME_OPTIONS=
|
||||
|
||||
# NGINX maximum allowed size of the client request body.
|
||||
# NGINX_CLIENT_MAX_BODY_SIZE=50M
|
||||
|
||||
# Content-Security-Policy (CSP) configuration: defines allowed resources and prevents attacks like XSS.
|
||||
# Example: "frame-src 'self' https://*.example.com; frame-ancestors 'self' https://*.example.com; object-src 'none'; report-uri https://example.com/cspReport"
|
||||
# CONTENT_SECURITY_POLICY=
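Review bot: The LdapAuth example block ships with transport security effectively off: `LDAPAUTH_LDAPSERVER="ldap://…"` with `LDAPAUTH_STARTTLS=false` sends the reader bind and every user password in cleartext, and `LDAPAUTH_LDAPTLSREQUIRECERT="LDAP_OPT_X_TLS_ALLOW"` (if it maps to OpenLDAP's `allow` as the name suggests) accepts a missing or bad server certificate even once TLS is on, leaving the example open to an LDAP man-in-the-middle. Operators copy these blocks verbatim, so the safe values should be the ones shown and the lax ones left as documented opt-outs: `LDAPAUTH_STARTTLS=true`, `LDAPAUTH_LDAPTLSREQUIRECERT="LDAP_OPT_X_TLS_DEMAND"`, `LDAPAUTH_LDAPALLOWREFERRALS=false` (the ApacheSecureAuth example above already uses STARTTLS true and referrals false, so this also makes the two blocks consistent). A one-line comment above `LDAPAUTH_LDAPTLSCUSTOMCACERT` saying that a private directory CA should be trusted through it (or via the root-CA mount documented in the README) rather than by downgrading `REQUIRECERT` would keep people from reaching for `ALLOW` to silence a trust error. Minor: the block opens with `# NOTE 2:` but has no NOTE 1; renumber or drop the number.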
|
||||
|
|