From 663c154a972029a344056d3c83722006371b6100 Mon Sep 17 00:00:00 2001
From: Stefano Ortolani
Date: Thu, 12 Sep 2024 10:11:15 +0100
Subject: [PATCH] Add support for 'X-Forwarded-For'; merge podman PR by @urfin00djuce
---
 README.md | 62 +++++++++++++++++++
 core/files/entrypoint.sh | 3 +
 core/files/entrypoint_nginx.sh | 20 ++++++
 docker-compose.yml | 3 +
 experimental/podman-systemd/certs.volume | 2 +
 experimental/podman-systemd/conf.volume | 2 +
 experimental/podman-systemd/db.container | 26 ++++++++
 experimental/podman-systemd/files.volume | 2 +
 experimental/podman-systemd/gpg.volume | 2 +
 experimental/podman-systemd/logs.volume | 2 +
 experimental/podman-systemd/mail.container | 15 +++++
 .../podman-systemd/misp-core.container | 35 +++++++++++
 .../podman-systemd/misp-modules.container | 19 ++++++
 experimental/podman-systemd/misp-net.network | 3 +
 experimental/podman-systemd/mysql_data.volume | 2 +
 experimental/podman-systemd/redis.container | 26 ++++++++
 experimental/podman-systemd/redis_data.volume | 2 +
 template.env | 5 ++
 18 files changed, 231 insertions(+)
 create mode 100644 experimental/podman-systemd/certs.volume
 create mode 100644 experimental/podman-systemd/conf.volume
 create mode 100644 experimental/podman-systemd/db.container
 create mode 100644 experimental/podman-systemd/files.volume
 create mode 100644 experimental/podman-systemd/gpg.volume
 create mode 100644 experimental/podman-systemd/logs.volume
 create mode 100644 experimental/podman-systemd/mail.container
 create mode 100644 experimental/podman-systemd/misp-core.container
 create mode 100644 experimental/podman-systemd/misp-modules.container
 create mode 100644 experimental/podman-systemd/misp-net.network
 create mode 100644 experimental/podman-systemd/mysql_data.volume
 create mode 100644 experimental/podman-systemd/redis.container
 create mode 100644 experimental/podman-systemd/redis_data.volume
diff --git a/README.md b/README.md
index 68236dd..728ed58 100644
--- a/README.md
+++ b/README.md
@@ -141,3 +141,65 @@ A GitHub Action builds both `misp-core` and `misp-modules` images automatically
 - `misp-core:${commit-sha1}[0:7]` and `misp-modules:${commit-sha1}[0:7]` where `${commit-sha1}` is the commit hash triggering the build
 - `misp-core:latest` and `misp-modules:latest` in order to track the latest builds available
 - `misp-core:${CORE_TAG}` and `misp-modules:${MODULES_TAG}` reflecting the underlying version of MISP and MISP modules (as specified inside the `template.env` file at build time)
+
+## Podman (experimental)
+
+It is possible to run the image using `podman-systemd` rather than `docker` to:
+- Run containers in **rootless** mode
+- Manage containers with **systemd**
+- Write container descriptions in an **ignition** file and deploy them (not covered in this documentation)
+
+Note that this is **experimental** and it is **NOT SUPPORTED** (issues will be automatically closed).
+
+### Configuration
+
+Copy the following directories and files:
+- Content of `experimental/podman-systemd` to `$USER/.config/containers/systemd/`
+- `template.vars` to `$USER/.config/containers/systemd/vars.env`
+
+Edit `vars.env`, and initialize the following MySQL settings:
+```bash
+MYSQL_HOST=
+MYSQL_USER=
+MYSQL_PASSWORD=
+MYSQL_ROOT_PASSWORD=
+MYSQL_DATABASE=
+```
+
+Set the Redis password:
+```bash
+REDIS_PASSWORD=
+```
+
+Set the base URL:
+```bash
+BASE_URL=https://:10443
+```
+
+### Run
+
+Reload systemd user daemon:
+```bash
+systemctl --user daemon-reload
+```
+
+Start services:
+```bash
+systemctl --user start misp-mail.service
+systemctl --user start misp-db.service
+systemctl --user start misp-redis.service
+systemctl --user start misp-core.service
+systemctl --user start misp-modules.service
+```
+
+Wait a bit and check your service at `https://:10443`.
+If everything checks out, you can make services persistent across reboots and logouts:
+```bash
+sudo loginctl enable-linger $USER
+```
+
+You can even set podman to check for new container versions by activating the specific timer `podman-auto-update.timer`:
+```bash
+systemctl --user enable podman-auto-update.timer --now
+```
+
diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
index 9168886..60a3f96 100755
--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
@@ -45,5 +45,8 @@ export PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}
 export PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}
 export PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300}
 
+export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false}
+export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}
+
 # start supervisord using the main configuration file so we have a socket interface
 /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
index 173821f..d815e50 100755
--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
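Review bot: `export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}` has no default, unlike the `:-false` on the line above it; if this entrypoint runs under `set -u` (its header is outside the hunk, so I cannot see that here) an unset variable aborts the script before supervisord is started. `export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM:-}` keeps the empty-means-no-trusted-proxy semantics that `entrypoint_nginx.sh` relies on and is safe either way.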
@@ -206,6 +206,26 @@ init_nginx() {
 echo "... adjusting 'fastcgi_connect_timeout' to ${FASTCGI_CONNECT_TIMEOUT}"
 sed -i "s/fastcgi_connect_timeout .*;/fastcgi_connect_timeout ${FASTCGI_CONNECT_TIMEOUT};/" /etc/nginx/includes/misp
 
+ # Adjust forwarding header settings (clean up first)
+ sed -i '/real_ip_header/d' /etc/nginx/includes/misp
+ sed -i '/real_ip_recursive/d' /etc/nginx/includes/misp
+ sed -i '/set_real_ip_from/d' /etc/nginx/includes/misp
+ if [[ "$NGINX_X_FORWARDED_FOR" = "true" ]]; then
+ echo "... enabling X-Forwarded-For header"
+ echo "... setting 'real_ip_header X-Forwarded-For'"
+ echo "... setting 'real_ip_recursive on'"
+ sed -i "/index index.php/a real_ip_header X-Forwarded-For;\nreal_ip_recursive on;" /etc/nginx/includes/misp
+ if [[ ! -z "$NGINX_SET_REAL_IP_FROM" ]]; then
+ SET_REAL_IP_FROM_PRINT=$(echo $NGINX_SET_REAL_IP_FROM | tr ',' '\n')
+ for real_ip in ${SET_REAL_IP_FROM_PRINT[@]}; do
+ echo "... setting 'set_real_ip_from ${real_ip}'"
+ done
+ SET_REAL_IP_FROM=$(echo $NGINX_SET_REAL_IP_FROM | tr ',' '\n' | while read line; do echo -n "set_real_ip_from ${line};\n"; done)
+ SET_REAL_IP_FROM_ESCAPED=$(echo $SET_REAL_IP_FROM | sed '$!s/$/\\/' | sed 's/\\n$//')
+ sed -i "/real_ip_recursive on/a $SET_REAL_IP_FROM_ESCAPED" /etc/nginx/includes/misp
+ fi
+ fi
+
 # Testing for files also test for links, and generalize better to mounted files
 if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
 echo "... enabling port 80 redirect"
diff --git a/docker-compose.yml b/docker-compose.yml
index 0cb7ef5..175ad39 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -146,6 +146,9 @@ services:
 - "AAD_MISP_ORGADMIN=${AAD_MISP_ORGADMIN}"
 - "AAD_MISP_SITEADMIN=${AAD_MISP_SITEADMIN}"
 - "AAD_CHECK_GROUPS=${AAD_CHECK_GROUPS}"
+ # Nginx settings
+ - "NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR}"
+ - "NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}"
 # Proxy settings
 - "PROXY_ENABLE=${PROXY_ENABLE}"
 - "PROXY_HOST=${PROXY_HOST}"
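Review bot: With `NGINX_X_FORWARDED_FOR=true` and an empty `NGINX_SET_REAL_IP_FROM`, the new block writes `real_ip_header X-Forwarded-For` with no `set_real_ip_from`, so nginx trusts no upstream and ignores the header while the log claims "enabling X-Forwarded-For header"; that branch should at least warn, otherwise operators see unchanged client addresses and are tempted to widen the trust list. The entries are also interpolated into a `sed ... a` command without validation or quoting (`echo $NGINX_SET_REAL_IP_FROM`, `${SET_REAL_IP_FROM_PRINT[@]}` on a plain string, `read` without `-r`), so a stray token or a space after a comma lands verbatim in `/etc/nginx/includes/misp` and only surfaces when nginx refuses the config. A narrow IP/CIDR sanity check per entry, appended one directive per `sed` call, replaces the three-stage `tr`/`while`/`sed` escaping and fails fast with a clear message. The fence rewrites the inner `if`; `init_nginx()` begins and ends outside the hunk, and whether `exit 1` or `return 1` is the right failure mode depends on how it is called.
```shell
  if [[ "$NGINX_X_FORWARDED_FOR" = "true" ]]; then
    # … unchanged: real_ip_header / real_ip_recursive echo and sed …
    if [[ -z "$NGINX_SET_REAL_IP_FROM" ]]; then
      echo "... WARNING: NGINX_SET_REAL_IP_FROM is empty, no proxy is trusted and X-Forwarded-For will be ignored" >&2
    fi
    IFS=',' read -r -a real_ip_list <<< "$NGINX_SET_REAL_IP_FROM"
    for real_ip in "${real_ip_list[@]}"; do
      real_ip="${real_ip// /}"
      [[ -n "$real_ip" ]] || continue
      # coarse sanity check: only an IPv4/IPv6 literal with optional prefix length reaches the config
      if [[ ! "$real_ip" =~ ^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$ ]]; then
        echo "... ERROR: invalid NGINX_SET_REAL_IP_FROM entry '${real_ip}'" >&2
        exit 1
      fi
      echo "... setting 'set_real_ip_from ${real_ip}'"
      sed -i "/real_ip_recursive on/a set_real_ip_from ${real_ip};" /etc/nginx/includes/misp
    done
  fi
```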
diff --git a/experimental/podman-systemd/certs.volume b/experimental/podman-systemd/certs.volume
new file mode 100644
index 0000000..77f7794
--- /dev/null
+++ b/experimental/podman-systemd/certs.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=certs
diff --git a/experimental/podman-systemd/conf.volume b/experimental/podman-systemd/conf.volume
new file mode 100644
index 0000000..30e2be0
--- /dev/null
+++ b/experimental/podman-systemd/conf.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=conf
diff --git a/experimental/podman-systemd/db.container b/experimental/podman-systemd/db.container
new file mode 100644
index 0000000..5fdc543
--- /dev/null
+++ b/experimental/podman-systemd/db.container
@@ -0,0 +1,26 @@
+[Unit]
+Description=MISP Database system
+Requires=misp-net-network.service
+After=misp-net-network.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=db
+Image=docker.io/library/mariadb:10.11
+Network=misp-net
+Volume=mysql_data:/var/lib/mysql
+PodmanArgs=--network-alias db
+EnvironmentFile=vars.env
+AddCapability=SYS_NICE
+HealthCmd=mysqladmin --user=${MYSQL_USER} --password=${MYSQL_PASSWORD} status
+HealthInterval=2s
+HealthTimeout=1s
+HealthRetries=3
+HealthStartPeriod=30s
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+Restart=always
+
+[Install]
+WantedBy=default.target
diff --git a/experimental/podman-systemd/files.volume b/experimental/podman-systemd/files.volume
new file mode 100644
index 0000000..a247b21
--- /dev/null
+++ b/experimental/podman-systemd/files.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=files
diff --git a/experimental/podman-systemd/gpg.volume b/experimental/podman-systemd/gpg.volume
new file mode 100644
index 0000000..f07288f
--- /dev/null
+++ b/experimental/podman-systemd/gpg.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=gpg
diff --git a/experimental/podman-systemd/logs.volume b/experimental/podman-systemd/logs.volume
new file mode 100644
index 0000000..c06a057
--- /dev/null
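Review bot: `HealthCmd=mysqladmin --user=${MYSQL_USER} --password=${MYSQL_PASSWORD} status` puts the database password on a command line: systemd presumably expands `${MYSQL_PASSWORD}` from the `[Service]` `EnvironmentFile` when it builds the generated `podman run` ExecStart, so the secret appears in the host process list, `systemctl show` output and the journal, and inside the container it is the argv of every health probe. `redis.container` repeats the pattern in `Exec=--requirepass ${REDIS_PASSWORD}` and `HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping`. Since `EnvironmentFile=vars.env` already injects these variables into the container, the probes can read them from the environment instead, e.g. `HealthCmd=sh -c 'MYSQL_PWD="$$MYSQL_PASSWORD" mysqladmin --user="$$MYSQL_USER" status'` here and `HealthCmd=sh -c 'REDISCLI_AUTH="$$REDIS_PASSWORD" valkey-cli ping'` for redis, with `$$` so systemd leaves the expansion to the shell inside the container (verify quadlet passes the literal through as expected). For `--requirepass`, a config file delivered through a podman `Secret=` keeps the password off argv entirely.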
+++ b/experimental/podman-systemd/logs.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=logs
diff --git a/experimental/podman-systemd/mail.container b/experimental/podman-systemd/mail.container
new file mode 100644
index 0000000..ceb7b25
--- /dev/null
+++ b/experimental/podman-systemd/mail.container
@@ -0,0 +1,15 @@
+[Unit]
+Description=MISP Mail system
+Requires=misp-net-network.service
+After=misp-net-network.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=mail
+Image=docker.io/ixdotai/smtp
+Network=misp-net
+PodmanArgs=--network-alias mail
+EnvironmentFile=vars.env
+
+[Install]
+WantedBy=default.target
diff --git a/experimental/podman-systemd/misp-core.container b/experimental/podman-systemd/misp-core.container
new file mode 100644
index 0000000..c3cd196
--- /dev/null
+++ b/experimental/podman-systemd/misp-core.container
@@ -0,0 +1,35 @@
+[Unit]
+Description=MISP Core
+After=db.service
+After=redis.service
+Requires=db.service
+Requires=redis.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=misp-core
+Image=ghcr.io/misp/misp-docker/misp-core:latest
+PublishPort=10443:443
+Network=misp-net
+PodmanArgs=--network-alias misp-core
+Volume=conf:/var/www/MISP/app/Config/
+Volume=logs:/var/www/MISP/app/tmp/logs/
+Volume=files:/var/www/MISP/app/files/
+Volume=certs:/etc/nginx/certs/
+Volume=gpg:/var/www/MISP/.gnupg/
+EnvironmentFile=vars.env
+AddCapability=AUDIT_WRITE
+HealthCmd=curl -ks ${BASE_URL}/users/heartbeat > /dev/null || exit 1
+HealthInterval=2s
+HealthTimeout=1s
+HealthRetries=3
+HealthStartPeriod=30s
+HealthStartupInterval=30s
+
+[Service]
+ExecStartPre=/bin/sleep 30
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+Restart=always
+
+[Install]
+WantedBy=default.target
diff --git a/experimental/podman-systemd/misp-modules.container b/experimental/podman-systemd/misp-modules.container
new file mode 100644
index 0000000..178e7f5
--- /dev/null
+++ b/experimental/podman-systemd/misp-modules.container
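Review bot: `AutoUpdate=registry` paired with `Image=ghcr.io/misp/misp-docker/misp-core:latest` means that once `podman-auto-update.timer` is enabled (the README hunk recommends it) whatever the registry currently serves as `latest` is pulled and restarted into a live MISP instance without any review, and `Restart=always` keeps a broken image looping; `misp-modules.container` (`:latest`) and `mail.container` (`docker.io/ixdotai/smtp`, no tag at all) carry the same pairing. For an instance holding threat-intel data the image reference should be a version tag, which the README already documents as `misp-core:${CORE_TAG}`, or a digest, with auto-update opted into deliberately. Separately, `HealthCmd=curl -ks ${BASE_URL}/users/heartbeat` probes through the public `BASE_URL` with certificate checking disabled; a local URL inside the container would test this container rather than whatever fronts `BASE_URL`, and a comment should record why `-k` is needed (self-signed certificates, presumably).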
@@ -0,0 +1,19 @@
+[Unit]
+Description=MISP Modules
+After=redis.service
+Requires=redis.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=misp-modules
+Image=ghcr.io/misp/misp-docker/misp-modules:latest
+Network=misp-net
+PodmanArgs=--network-alias misp-modules
+EnvironmentFile=vars.env
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+ExecStartPre=/bin/sleep 30
+
+[Install]
+WantedBy=default.target
diff --git a/experimental/podman-systemd/misp-net.network b/experimental/podman-systemd/misp-net.network
new file mode 100644
index 0000000..aa59c92
--- /dev/null
+++ b/experimental/podman-systemd/misp-net.network
@@ -0,0 +1,3 @@
+[Network]
+NetworkName=misp-net
+DisableDNS=false
diff --git a/experimental/podman-systemd/mysql_data.volume b/experimental/podman-systemd/mysql_data.volume
new file mode 100644
index 0000000..a733180
--- /dev/null
+++ b/experimental/podman-systemd/mysql_data.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=mysql_data
diff --git a/experimental/podman-systemd/redis.container b/experimental/podman-systemd/redis.container
new file mode 100644
index 0000000..72a8b38
--- /dev/null
+++ b/experimental/podman-systemd/redis.container
@@ -0,0 +1,26 @@
+[Unit]
+Description=MISP Redis system
+Requires=misp-net-network.service
+After=misp-net-network.service
+
+[Container]
+EnvironmentFile=vars.env
+AutoUpdate=registry
+ContainerName=redis
+Image=docker.io/valkey/valkey:7.2
+Network=misp-net
+Volume=redis_data:/data
+PodmanArgs=--network-alias redis
+Exec=--requirepass ${REDIS_PASSWORD}
+HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping
+HealthInterval=2s
+HealthTimeout=1s
+HealthRetries=3
+HealthStartPeriod=30s
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+Restart=always
+
+[Install]
+WantedBy=default.target
diff --git a/experimental/podman-systemd/redis_data.volume b/experimental/podman-systemd/redis_data.volume
new file mode 100644
index 0000000..ed541eb
--- /dev/null
+++ b/experimental/podman-systemd/redis_data.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=redis_data
diff --git a/template.env b/template.env
index 6f4e257..5a80ea6 100644
--- a/template.env
+++ b/template.env
@@ -193,3 +193,8 @@ SYNCSERVERS_1_PULL_RULES=
 # INNODB_READ_IO_THREADS=16
 # INNODB_STATS_PERSISTENT=ON
 # INNODB_WRITE_IO_THREADS=4
+
+# Whether to enable processing of the X-Forwarded-For header (default to false)
+# NGINX_X_FORWARDED_FOR=true
+# Comma separated list of trusted IP addresses
+# NGINX_SET_REAL_IP_FROM=127.0.0.1
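Review bot: The comment `# Comma separated list of trusted IP addresses` undersells what the value controls: `entrypoint_nginx.sh` turns each entry into an nginx `set_real_ip_from` directive, so every address listed is allowed to rewrite the client IP through `X-Forwarded-For`, and listing anything reachable from untrusted clients (or `0.0.0.0/0`) lets a client choose the source address that MISP logs and anything keyed on it will see. It should also say that `NGINX_X_FORWARDED_FOR=true` has no effect while this list is empty, and that CIDR notation is passed through unchanged. Suggested wording: `# Comma separated list of reverse-proxy addresses/CIDRs trusted to set X-Forwarded-For (nginx set_real_ip_from); list only your proxies, never 0.0.0.0/0. Required for NGINX_X_FORWARDED_FOR to take effect.`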