From 0c84e0b71b9e7502ae84e3e1900b557767bac96d Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Wed, 7 Apr 2021 16:42:20 +0200 Subject: [PATCH 01/13] Configuring nginx for cert authentication If the user enables cert authentication on the docker-compose file we must do the following changes to allow CertAuth to work - Pass on SSL_CLIENT_I_DN and SSL_CLIENT_S_DN to PHP - Enable ssl_client_certificate using /etc/nginx/certs/ca.pem - Enable the CertAuth ( https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth ) plugin on the bootstrap.php file --- server/files/entrypoint_nginx.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh index 6bb0495..559c27f 100755 --- a/server/files/entrypoint_nginx.sh +++ b/server/files/entrypoint_nginx.sh 
@@ -168,6 +168,17 @@ if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048 fi +if [[ $CERTAUTH = @(optional|on) ]]; then + echo "Configure NGINX | Enabling SSL Cert Authentication" + grep -qxF 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' >> /etc/nginx/snippets/fastcgi-php.conf + grep -qxF 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' >> /etc/nginx/snippets/fastcgi-php.conf + grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp + grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp + + echo "Configure bootstrap | Enabling Cert Auth Plugin - Don't forget to configure it https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth (Step 2)" + sed -i "s/\/\/ CakePlugin::load('CertAuth');/CakePlugin::load('CertAuth');/" $MISP_APP_CONFIG_PATH/bootstrap.php +fi + if [[ "$DISIPV6" == true ]]; then echo "Configure NGINX | Disabling IPv6" sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80 From 2ab1940bea926c5500a31a04ef97dea3ef818908 Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Wed, 7 Apr 2021 16:46:05 +0200 Subject: [PATCH 02/13] Add new option CERTAUTH --- docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yml b/docker-compose.yml index 659aad2..6c3eb68 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
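Review bot: Nothing checks that /etc/nginx/certs/ca.pem exists before `ssl_client_certificate /etc/nginx/certs/ca.pem;` is written into the site config, so with CERTAUTH set and no CA file nginx will refuse to start instead of the entrypoint failing with a clear message; a guard at the top of the block such as `[[ -f /etc/nginx/certs/ca.pem ]] || { echo "CERTAUTH=$CERTAUTH but /etc/nginx/certs/ca.pem is missing" >&2; exit 1; }` makes that explicit (the README change in this series puts ca.pem under ./ssl, so confirm the container actually maps it to /etc/nginx/certs). The `grep -qF 'ssl_verify_client'` guard only tests that the directive is present, not its value, so if the site file survives a restart a switch from optional to on (or back) is silently ignored; a value-aware rewrite after the insert, `sed -i "s/^\(\s*ssl_verify_client \).*/\1$CERTAUTH;/" /etc/nginx/sites-enabled/misp`, keeps it in sync. It would also help to pass `fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;` next to the two DN params so PHP can tell a verified certificate from no certificate under optional. The `[[ $CERTAUTH = @(optional|on) ]]` test already confines what gets interpolated into `ssl_verify_client $CERTAUTH;`, so that line itself is safe.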
@@ -50,6 +50,7 @@ services: # Optional Settings # - "NOREDIR=true" # Do not redirect port 80 # - "DISIPV6=true" # Disable IPV6 in nginx +# - "CERTAUTH=optional" # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required # - "SECURESSL=true" # Enable higher security SSL in nginx # - "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url misp-modules: From a7f426c0586a2a8ca5613a951cd4c3afedc01246 Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Wed, 7 Apr 2021 16:46:59 +0200 Subject: [PATCH 03/13] Added reference to ca.pem --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4963565..3bf44c1 100644 --- a/README.md +++ b/README.md @@ -64,6 +64,7 @@ Updating the images should be as simple as `docker-compose pull` which, unless c - Directory volume mount SSL Certs `./ssl`: `/etc/ssl/certs` - Certificate File: `cert.pem` - Certificate Key File: `key.pem` + - CA File for Cert Authentication (optional) `ca.pem` - Directory volume mount and create configs: `/var/www/MISP/app/Config/` From 2acb7d4a972f058a353dcb0449d308f6d29e9ec4 Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Thu, 8 Apr 2021 08:26:44 +0200 Subject: [PATCH 04/13] Making codacy happy --- server/files/entrypoint_nginx.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh index 559c27f..25be604 100755 --- a/server/files/entrypoint_nginx.sh +++ b/server/files/entrypoint_nginx.sh 
@@ -170,8 +170,8 @@ fi if [[ $CERTAUTH = @(optional|on) ]]; then echo "Configure NGINX | Enabling SSL Cert Authentication" - grep -qxF 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' >> /etc/nginx/snippets/fastcgi-php.conf - grep -qxF 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' >> /etc/nginx/snippets/fastcgi-php.conf + grep -qxF 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf + grep -qxF 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp From a0c35d7720cfd6fb83c63de4a6a7f97c9529280c Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Thu, 8 Apr 2021 08:34:57 +0200 Subject: [PATCH 05/13] Making codacy happy take 2 --- server/files/entrypoint_nginx.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh index 25be604..2d80fc1 100755 --- a/server/files/entrypoint_nginx.sh +++ b/server/files/entrypoint_nginx.sh 
@@ -170,8 +170,8 @@ fi if [[ $CERTAUTH = @(optional|on) ]]; then echo "Configure NGINX | Enabling SSL Cert Authentication" - grep -qxF 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf - grep -qxF 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf + grep -qF "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf + grep -qF "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp From 42a936b3d44bd9c676c06484c09c9a7c3ee40bcf Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Thu, 8 Apr 2021 08:40:57 +0200 Subject: [PATCH 06/13] Spacing OCD --- server/files/entrypoint_nginx.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh index 2d80fc1..c3021b7 100755 --- a/server/files/entrypoint_nginx.sh +++ b/server/files/entrypoint_nginx.sh 
@@ -172,8 +172,8 @@ if [[ $CERTAUTH = @(optional|on) ]]; then echo "Configure NGINX | Enabling SSL Cert Authentication" grep -qF "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf grep -qF "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf - grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp - grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp + grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a \\ ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp + grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a \\ ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp echo "Configure bootstrap | Enabling Cert Auth Plugin - Don't forget to configure it https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth (Step 2)" sed -i "s/\/\/ CakePlugin::load('CertAuth');/CakePlugin::load('CertAuth');/" $MISP_APP_CONFIG_PATH/bootstrap.php From 87a324b0cd653ee3fd09262d87b0cfe24774fc10 Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Wed, 14 Apr 2021 14:02:31 +0200 Subject: [PATCH 07/13] Added support for rdkafka --- server/Dockerfile | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/server/Dockerfile b/server/Dockerfile index dcba944..845f417 100644 --- a/server/Dockerfile +++ b/server/Dockerfile 
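Review bot: The two sed commands now hand sed different text: inside single quotes `\\` reaches sed as two backslashes (`a \\ ssl_client_certificate ...`), while inside double quotes bash collapses it to one (`a \ ssl_verify_client ...`), so the first line depends on GNU sed dropping the extra backslash from the appended text while the second uses the `a\ text` form that simply keeps the leading space. Both presumably end up indenting the directive on GNU sed, but that is a quoting accident rather than intent; using the same form in both, e.g. `sed -i '/ssl_prefer_server_ciphers/a \ ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp`, removes the dependency on that behaviour. A short comment such as `# GNU sed: 'a \ text' keeps the leading space so the directive is indented like its neighbours` would also stop the next reader from "fixing" the backslash away.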
@@ -13,9 +13,12 @@ FROM debian:buster-slim as php-build php \ php-dev \ php-pear \ + librdkafka-dev \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* - + + RUN pecl channel-update pecl.php.net RUN cp /usr/lib/x86_64-linux-gnu/libfuzzy.* /usr/lib; pecl install ssdeep + RUN pecl install rdkafka FROM debian:buster-slim as python-build RUN apt-get update; apt-get install -y --no-install-recommends \ @@ -129,9 +132,16 @@ ARG PHP_VER # PHP # Install ssdeep prebuild, latest composer, then install the app's PHP deps COPY --from=php-build /usr/lib/php/${PHP_VER}/ssdeep.so /usr/lib/php/${PHP_VER}/ssdeep.so + COPY --from=php-build /usr/lib/php/${PHP_VER}/rdkafka.so /usr/lib/php/${PHP_VER}/rdkafka.so + COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin + + RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done\ + phpenmod rdkafka + RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done \ + RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done ;phpenmod redis \ # Enable CakeResque with php-gnupgp ;phpenmod gnupg \ From d3ef1564d2f127922889e3c61f0bcc36b6e1da6d Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Wed, 14 Apr 2021 14:04:17 +0200 Subject: [PATCH 08/13] Added support for rdkafka --- server/Dockerfile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/server/Dockerfile b/server/Dockerfile index 845f417..b696c90 100644 --- a/server/Dockerfile +++ b/server/Dockerfile 
@@ -137,12 +137,11 @@ ARG PHP_VER COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin - RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done\ - phpenmod rdkafka + RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka + RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done \ - RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done - ;phpenmod redis \ + ;phpenmod redis \ # Enable CakeResque with php-gnupgp ;phpenmod gnupg \ # Enable ssdeep we build earlier From fd30185aa931722013f39ee041d92de6cacf746a Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Wed, 14 Apr 2021 14:06:54 +0200 Subject: [PATCH 09/13] Added support for rdkafka --- server/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/server/Dockerfile b/server/Dockerfile index b696c90..8233f67 100644 --- a/server/Dockerfile +++ b/server/Dockerfile @@ -115,6 +115,7 @@ ARG PHP_VER php-gd \ php-fpm \ php-zip \ + librdkafka1 \ # Unsure we need these zip unzip \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* From a3074400e019cfc5f7b5bb796a127f29d8014d7b Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Wed, 14 Apr 2021 14:11:16 +0200 Subject: [PATCH 10/13] Added support for brotli --- server/Dockerfile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/server/Dockerfile b/server/Dockerfile index 8233f67..0c97eec 100644 --- a/server/Dockerfile +++ b/server/Dockerfile 
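Review bot: `done; phpenmod rdkafka` on the new RUN line, like the `;phpenmod redis \` and `;phpenmod gnupg \` chain beside it, joins the steps with `;`, so a failing phpenmod does not fail the image build and a missing or misnamed module .ini only shows up at runtime; `done && phpenmod rdkafka` makes the build stop at the first error. The multi-line RUN that starts with the ssdeep loop continues past the end of this hunk, so the same `;` to `&&` change applies to its remaining phpenmod lines. The `for dir in /etc/php/*; do echo "extension=..." > ...; done` loop is now written out twice (rdkafka here, ssdeep below) and a third time for brotli later in the series; a single loop over a list of module names would keep the enable steps consistent, though that is a style choice.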
@@ -17,8 +17,9 @@ FROM debian:buster-slim as php-build && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* RUN pecl channel-update pecl.php.net - RUN cp /usr/lib/x86_64-linux-gnu/libfuzzy.* /usr/lib; pecl install ssdeep - RUN pecl install rdkafka + RUN cp /usr/lib/x86_64-linux-gnu/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka + RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./config && ./configure && make && make install + FROM debian:buster-slim as python-build RUN apt-get update; apt-get install -y --no-install-recommends \ @@ -134,12 +135,13 @@ ARG PHP_VER # Install ssdeep prebuild, latest composer, then install the app's PHP deps COPY --from=php-build /usr/lib/php/${PHP_VER}/ssdeep.so /usr/lib/php/${PHP_VER}/ssdeep.so COPY --from=php-build /usr/lib/php/${PHP_VER}/rdkafka.so /usr/lib/php/${PHP_VER}/rdkafka.so + COPY --from=php-build /usr/lib/php/${PHP_VER}/brotli.so /usr/lib/php/${PHP_VER}/brotli.so COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka - + RUN for dir in /etc/php/*; do echo "extension=brotli.so" > "$dir/mods-available/brotli.ini"; done; phpenmod brotli RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done \ ;phpenmod redis \ From 3a3f0637e42d9717f7bfc4917578b8973e79fb0f Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Wed, 14 Apr 2021 14:13:37 +0200 Subject: [PATCH 11/13] Added support for brotli --- server/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/server/Dockerfile b/server/Dockerfile index 0c97eec..a486309 100644 --- a/server/Dockerfile +++ b/server/Dockerfile 
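Review bot: `git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git` builds whatever the upstream default branch (and its submodules) points at on the day the image is built, with no tag, commit or checksum, so the extension is neither reproducible nor protected against a changed or compromised upstream; pinning with `git clone --recursive --depth=1 --branch <release-tag> https://github.com/kjdev/php-ext-brotli.git` (or a `git checkout <commit>` after the clone) fixes the source to a reviewed version. The same applies to `pecl install ssdeep && pecl install rdkafka`, which fetch the latest PECL release on every build; `pecl install rdkafka-<version>` style pins give the same guarantee there. A comment above the clone naming the php-ext-brotli version the image is meant to carry would also help whoever bumps it next.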
@@ -14,6 +14,7 @@ FROM debian:buster-slim as php-build php-dev \ php-pear \ librdkafka-dev \ + git \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* RUN pecl channel-update pecl.php.net @@ -117,6 +118,7 @@ ARG PHP_VER php-fpm \ php-zip \ librdkafka1 \ + libbrotli1 \ # Unsure we need these zip unzip \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* From 7f6fcdde85ea9d3b43227e3b94db6ed6e712da8d Mon Sep 17 00:00:00 2001 From: Eduardo Balsa Date: Wed, 14 Apr 2021 14:20:49 +0200 Subject: [PATCH 12/13] Added support for brotli --- server/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/Dockerfile b/server/Dockerfile index a486309..b3b5e2c 100644 --- a/server/Dockerfile +++ b/server/Dockerfile @@ -19,7 +19,7 @@ FROM debian:buster-slim as php-build RUN pecl channel-update pecl.php.net RUN cp /usr/lib/x86_64-linux-gnu/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka - RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./config && ./configure && make && make install + RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install FROM debian:buster-slim as python-build From 7d11153c5963c16b0f63b98d08af72c820fcf074 Mon Sep 17 00:00:00 2001 From: Jason Kendall Date: Mon, 19 Apr 2021 10:54:53 -0400 Subject: [PATCH 13/13] Bump MISP/Modules versions --- .env | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.env b/.env index eba5e7c..5677fa2 100644 --- a/.env +++ b/.env @@ -1,3 +1,3 @@ -MISP_TAG=v2.4.140 -MODULES_TAG=v2.4.136 +MISP_TAG=v2.4.141 +MODULES_TAG=v2.4.141 PHP_VER=20180731