MISP
/
misp-docker
mirror of https://github.com/MISP/misp-docker
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #22 from coolacid/nginx 

Make nginx the master
pull/1/head
Jason Kendall 2020-02-21 10:02:39 -05:00 committed by GitHub
parent 1a149d9297 d1a95be518
commit 4a7314d82b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 66 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docker-compose.yml
View File

@ -35,7 +35,7 @@ services:
- "./server-configs/:/var/www/MISP/app/Config/"
- "./logs/:/var/www/MISP/app/tmp/logs/"
- "./files/:/var/www/MISP/app/files"
- "./ssl/:/etc/apache2/ssl/"
- "./ssl/:/etc/ssl/"
environment:
- "CRON_USER_ID=1"
- "REDIS_FQDN=redis"

24
server/Dockerfile
View File

@ -68,7 +68,7 @@ ARG PHP_VER
RUN apt-get update; apt-get install -y --no-install-recommends \
# Requirements:
sudo \
apache2 \
nginx \
supervisor \
git \
cron \
@ -88,6 +88,7 @@ ARG PHP_VER
php-mysql \
php-redis \
php-gd \
php-fpm \
# Unsure we need these
zip unzip \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
@ -116,29 +117,16 @@ ARG PHP_VER
# To use the scheduler worker for scheduled tasks, do the following:
;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
# Apache
# add HTTP MISP Config
RUN rm /etc/apache2/sites-enabled/*;
COPY files/etc/apache2/sites-enabled/misp.conf /etc/apache2/sites-enabled/
COPY files/etc/apache2/sites-enabled/misp-ssl.conf /etc/apache2/sites-enabled/
COPY files/etc/apache2/ports.conf /etc/apache2/ports.conf
RUN set -eu \
;chmod 640 /etc/apache2/ports.conf \
;chown root.root /etc/apache2/ports.conf \
;chmod 640 /etc/apache2/sites-available/* \
;chown root.root /etc/apache2/sites-available/* \
# Configure Apache
;a2dismod status \
;a2enmod ssl \
;a2enmod rewrite \
;a2enmod headers
# nginx
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
COPY files/etc/nginx/misp /etc/nginx/sites-enabled/misp
# Make a copy of the file store, so we can sync from it
RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
# Entrypoints
COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/supervisord.conf
COPY files/entrypoint_apache.sh /
COPY files/entrypoint_nginx.sh /
COPY files/entrypoint_cron.sh /
COPY files/entrypoint_workers.sh /
COPY files/entrypoint.sh /

28
server/files/entrypoint_apache.sh → server/files/entrypoint_nginx.sh
View File

@ -13,7 +13,7 @@ ENTRYPOINT_PID_FILE="/entrypoint_apache.install"
[ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE
change_php_vars(){
for FILE in /etc/php/*/apache2/php.ini
for FILE in /etc/php/*/fpm/php.ini
do
[[ -e $FILE ]] || break
sed -i "s/memory_limit = .*/memory_limit = 2048M/" "$FILE"
@ -66,11 +66,11 @@ init_misp_files(){
}
init_ssl() {
if [[ (! -f /etc/apache2/ssl/dhparams.pem) ||
(! -f /etc/apache2/ssl/cert.pem) ||
(! -f /etc/apache2/ssl/key.pem) ||
(! -f /etc/apache2/ssl/chain.pem) ]]; then
cd /etc/apache2/ssl
if [[ (! -f /etc/ssl/dhparams.pem) ||
(! -f /etc/ssl/cert.pem) ||
(! -f /etc/ssl/key.pem) ||
(! -f /etc/ssl/chain.pem) ]]; then
cd /etc/ssl
openssl dhparam -out dhparams.pem 2048
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
cp cert.pem chain.pem
@ -99,12 +99,12 @@ init_mysql(){
$MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
}
start_apache() {
# Apache gets grumpy about PID files pre-existing
rm -f /run/apache2/apache2.pid
# execute APACHE2
/usr/sbin/apache2ctl -D FOREGROUND -k "$1"
}
#start_apache() {
# # Apache gets grumpy about PID files pre-existing
# rm -f /run/apache2/apache2.pid
# # execute APACHE2
# /usr/sbin/apache2ctl -D FOREGROUND -k "$1"
#}
# Things we should do when we have the INITIALIZE Env Flag
if [[ "$INIT" == true ]]; then
@ -129,5 +129,5 @@ echo "... chmod -R g+ws /var/www/MISP/app/files/scripts/tmp ..." && chmod -R g+w
# delete pid file
[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
# execute apache
start_apache start
# Start NGINX
nginx -g 'daemon off;'

15
server/files/etc/apache2/ports.conf
View File

@ -1,15 +0,0 @@
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

29
server/files/etc/apache2/sites-enabled/misp-ssl.conf
View File

@ -1,29 +0,0 @@
<VirtualHost *:443>
ServerName misp-server
DocumentRoot /var/www/MISP/app/webroot
<Directory /var/www/MISP/app/webroot>
Options -Indexes
AllowOverride all
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparams.pem"
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/key.pem
SSLCertificateChainFile /etc/apache2/ssl/chain.pem
LogLevel warn
ErrorLog /dev/stdout
CustomLog /dev/stdout combined
ServerSignature Off
# Header set X-Content-Type-Options nosniff
# Header set X-Frame-Options DENY
</VirtualHost>

21
server/files/etc/apache2/sites-enabled/misp.conf
View File

@ -1,21 +0,0 @@
<VirtualHost *:80>
ServerName misp-server
DocumentRoot /var/www/MISP/app/webroot
<Directory /var/www/MISP/app/webroot>
Options -Indexes
AllowOverride all
Require all granted
</Directory>
LogLevel warn
ErrorLog /dev/stdout
CustomLog /dev/stdout combined
ServerSignature Off
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

32
server/files/etc/nginx/misp Normal file
View File

@ -0,0 +1,32 @@
server {
listen 80 default_server;
listen [::]:80;
server_name _;
return 301 https://$host$request_uri;
}
server {
server_name misp-server;
listen 443 ssl http2 spdy;
root /var/www/MISP/app/webroot;
index index.php;
ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
# enable HSTS
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
add_header X-Frame-Options SAMEORIGIN;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
}
}

15
server/files/etc/supervisor/supervisor.conf
View File

@ -6,14 +6,25 @@ stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
[program:apache2]
command=/entrypoint_apache.sh
[program:nginx]
command=/entrypoint_nginx.sh
autorestart=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
[program:php-fpm]
command=/usr/sbin/php-fpm7.3 -R -F
process_name=%(program_name)s_%(process_num)02d
numprocs=1
autostart=true
autorestart=false
startsecs=0
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
[program:workers]
command=/entrypoint_workers.sh
stdout_logfile=/dev/stdout