MISP
/
misp-docker
mirror of https://github.com/MISP/misp-docker
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #22 from coolacid/nginx 

Make nginx the master
pull/1/head
Jason Kendall 2020-02-21 10:02:39 -05:00 committed by GitHub
parent 1a149d9297 d1a95be518
commit 4a7314d82b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 66 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docker-compose.yml
View File

@ -35,7 +35,7 @@ services:
- "./server-configs/:/var/www/MISP/app/Config/" - "./server-configs/:/var/www/MISP/app/Config/"
- "./logs/:/var/www/MISP/app/tmp/logs/" - "./logs/:/var/www/MISP/app/tmp/logs/"
- "./files/:/var/www/MISP/app/files" - "./files/:/var/www/MISP/app/files"
- "./ssl/:/etc/apache2/ssl/" - "./ssl/:/etc/ssl/"
environment: environment:
- "CRON_USER_ID=1" - "CRON_USER_ID=1"
- "REDIS_FQDN=redis" - "REDIS_FQDN=redis"

24
server/Dockerfile
View File

@ -68,7 +68,7 @@ ARG PHP_VER
RUN apt-get update; apt-get install -y --no-install-recommends \ RUN apt-get update; apt-get install -y --no-install-recommends \
# Requirements: # Requirements:
sudo \ sudo \
apache2 \ nginx \
supervisor \ supervisor \
git \ git \
cron \ cron \
@ -88,6 +88,7 @@ ARG PHP_VER
php-mysql \ php-mysql \
php-redis \ php-redis \
php-gd \ php-gd \
php-fpm \
# Unsure we need these # Unsure we need these
zip unzip \ zip unzip \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
@ -116,29 +117,16 @@ ARG PHP_VER
# To use the scheduler worker for scheduled tasks, do the following: # To use the scheduler worker for scheduled tasks, do the following:
;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php ;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
# Apache # nginx
# add HTTP MISP Config RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
RUN rm /etc/apache2/sites-enabled/*; COPY files/etc/nginx/misp /etc/nginx/sites-enabled/misp
COPY files/etc/apache2/sites-enabled/misp.conf /etc/apache2/sites-enabled/
COPY files/etc/apache2/sites-enabled/misp-ssl.conf /etc/apache2/sites-enabled/
COPY files/etc/apache2/ports.conf /etc/apache2/ports.conf
RUN set -eu \
;chmod 640 /etc/apache2/ports.conf \
;chown root.root /etc/apache2/ports.conf \
;chmod 640 /etc/apache2/sites-available/* \
;chown root.root /etc/apache2/sites-available/* \
# Configure Apache
;a2dismod status \
;a2enmod ssl \
;a2enmod rewrite \
;a2enmod headers
# Make a copy of the file store, so we can sync from it # Make a copy of the file store, so we can sync from it
RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
# Entrypoints # Entrypoints
COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/supervisord.conf COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/supervisord.conf
COPY files/entrypoint_apache.sh / COPY files/entrypoint_nginx.sh /
COPY files/entrypoint_cron.sh / COPY files/entrypoint_cron.sh /
COPY files/entrypoint_workers.sh / COPY files/entrypoint_workers.sh /
COPY files/entrypoint.sh / COPY files/entrypoint.sh /

28
server/files/entrypoint_apache.sh → server/files/entrypoint_nginx.sh
View File

@ -13,7 +13,7 @@ ENTRYPOINT_PID_FILE="/entrypoint_apache.install"
[ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE [ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE
change_php_vars(){ change_php_vars(){
for FILE in /etc/php/*/apache2/php.ini for FILE in /etc/php/*/fpm/php.ini
do do
[[ -e $FILE ]] || break [[ -e $FILE ]] || break
sed -i "s/memory_limit = .*/memory_limit = 2048M/" "$FILE" sed -i "s/memory_limit = .*/memory_limit = 2048M/" "$FILE"
@ -66,11 +66,11 @@ init_misp_files(){
} }
init_ssl() { init_ssl() {
if [[ (! -f /etc/apache2/ssl/dhparams.pem) || if [[ (! -f /etc/ssl/dhparams.pem) ||
(! -f /etc/apache2/ssl/cert.pem) || (! -f /etc/ssl/cert.pem) ||
(! -f /etc/apache2/ssl/key.pem) || (! -f /etc/ssl/key.pem) ||
(! -f /etc/apache2/ssl/chain.pem) ]]; then (! -f /etc/ssl/chain.pem) ]]; then
cd /etc/apache2/ssl cd /etc/ssl
openssl dhparam -out dhparams.pem 2048 openssl dhparam -out dhparams.pem 2048
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
cp cert.pem chain.pem cp cert.pem chain.pem
@ -99,12 +99,12 @@ init_mysql(){
$MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql $MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
} }
start_apache() { #start_apache() {
# Apache gets grumpy about PID files pre-existing # # Apache gets grumpy about PID files pre-existing
rm -f /run/apache2/apache2.pid # rm -f /run/apache2/apache2.pid
# execute APACHE2 # # execute APACHE2
/usr/sbin/apache2ctl -D FOREGROUND -k "$1" # /usr/sbin/apache2ctl -D FOREGROUND -k "$1"
} #}
# Things we should do when we have the INITIALIZE Env Flag # Things we should do when we have the INITIALIZE Env Flag
if [[ "$INIT" == true ]]; then if [[ "$INIT" == true ]]; then
@ -129,5 +129,5 @@ echo "... chmod -R g+ws /var/www/MISP/app/files/scripts/tmp ..." && chmod -R g+w
# delete pid file # delete pid file
[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE [ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
# execute apache # Start NGINX
start_apache start nginx -g 'daemon off;'

15
server/files/etc/apache2/ports.conf
View File

@ -1,15 +0,0 @@
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

29
server/files/etc/apache2/sites-enabled/misp-ssl.conf
View File

@ -1,29 +0,0 @@
<VirtualHost *:443>
ServerName misp-server
DocumentRoot /var/www/MISP/app/webroot
<Directory /var/www/MISP/app/webroot>
Options -Indexes
AllowOverride all
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparams.pem"
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/key.pem
SSLCertificateChainFile /etc/apache2/ssl/chain.pem
LogLevel warn
ErrorLog /dev/stdout
CustomLog /dev/stdout combined
ServerSignature Off
# Header set X-Content-Type-Options nosniff
# Header set X-Frame-Options DENY
</VirtualHost>

21
server/files/etc/apache2/sites-enabled/misp.conf
View File

@ -1,21 +0,0 @@
<VirtualHost *:80>
ServerName misp-server
DocumentRoot /var/www/MISP/app/webroot
<Directory /var/www/MISP/app/webroot>
Options -Indexes
AllowOverride all
Require all granted
</Directory>
LogLevel warn
ErrorLog /dev/stdout
CustomLog /dev/stdout combined
ServerSignature Off
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

32
server/files/etc/nginx/misp Normal file
View File

@ -0,0 +1,32 @@
server {
listen 80 default_server;
listen [::]:80;
server_name _;
return 301 https://$host$request_uri;
}
server {
server_name misp-server;
listen 443 ssl http2 spdy;
root /var/www/MISP/app/webroot;
index index.php;
ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
# enable HSTS
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
add_header X-Frame-Options SAMEORIGIN;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
}
}

15
server/files/etc/supervisor/supervisor.conf
View File

@ -6,14 +6,25 @@ stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0 stderr_logfile_maxbytes=0
[program:apache2] [program:nginx]
command=/entrypoint_apache.sh command=/entrypoint_nginx.sh
autorestart=true autorestart=true
stdout_logfile=/dev/stdout stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0 stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0 stderr_logfile_maxbytes=0
[program:php-fpm]
command=/usr/sbin/php-fpm7.3 -R -F
process_name=%(program_name)s_%(process_num)02d
numprocs=1
autostart=true
autorestart=false
startsecs=0
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
[program:workers] [program:workers]
command=/entrypoint_workers.sh command=/entrypoint_workers.sh
stdout_logfile=/dev/stdout stdout_logfile=/dev/stdout