Add support for 'X-Forwarded-For'; merge podman PR by @urfin00djuce

pull/145/head
Stefano Ortolani 2024-09-12 10:11:15 +01:00
parent b033daec4f
commit 663c154a97
18 changed files with 231 additions and 0 deletions


@ -141,3 +141,65 @@ A GitHub Action builds both `misp-core` and `misp-modules` images automatically
- `misp-core:${commit-sha1}[0:7]` and `misp-modules:${commit-sha1}[0:7]` where `${commit-sha1}` is the commit hash triggering the build - `misp-core:${commit-sha1}[0:7]` and `misp-modules:${commit-sha1}[0:7]` where `${commit-sha1}` is the commit hash triggering the build
- `misp-core:latest` and `misp-modules:latest` in order to track the latest builds available - `misp-core:latest` and `misp-modules:latest` in order to track the latest builds available
- `misp-core:${CORE_TAG}` and `misp-modules:${MODULES_TAG}` reflecting the underlying version of MISP and MISP modules (as specified inside the `template.env` file at build time) - `misp-core:${CORE_TAG}` and `misp-modules:${MODULES_TAG}` reflecting the underlying version of MISP and MISP modules (as specified inside the `template.env` file at build time)
## Podman (experimental)
It is possible to run the image using `podman-systemd` rather than `docker` to:
- Run containers in **rootless** mode
- Manage containers with **systemd**
- Write container descriptions in an **ignition** file and deploy them (not covered in this documentation)
Note that this is **experimental** and it is **NOT SUPPORTED** (issues will be automatically closed).
### Configuration
Copy the following directories and files:
- Content of `experimental/podman-systemd` to `$USER/.config/containers/systemd/`
- `template.vars` to `$USER/.config/containers/systemd/vars.env`
Edit `vars.env`, and initialize the following MySQL settings:
```bash
MYSQL_HOST=
MYSQL_USER=
MYSQL_PASSWORD=
MYSQL_ROOT_PASSWORD=
MYSQL_DATABASE=
```
Set the Redis password:
```bash
REDIS_PASSWORD=
```
Set the base URL:
```bash
BASE_URL=https://<IP>:10443
```
### Run
Reload systemd user daemon:
```bash
systemctl --user daemon-reload
```
Start services:
```bash
systemctl --user start misp-mail.service
systemctl --user start misp-db.service
systemctl --user start misp-redis.service
systemctl --user start misp-core.service
systemctl --user start misp-modules.service
```
Wait a bit and check your service at `https://<IP>:10443`.
If everything checks out, you can make services persistent across reboots and logouts:
```bash
sudo loginctl enable-linger $USER
```
You can even set podman to check for new container versions by activating the specific timer `podman-auto-update.timer`:
```bash
systemctl --user enable podman-auto-update.timer --now
```


@ -45,5 +45,8 @@ export PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}
export PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M} export PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}
export PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300} export PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300}
export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false}
export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}
# start supervisord using the main configuration file so we have a socket interface # start supervisord using the main configuration file so we have a socket interface
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
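Review bot: `export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}` is the only export in this run without a default, so it aborts if the script runs under `set -u` (the script's `set` options are not visible in this hunk) and otherwise just exports an empty string without saying so. `export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM:-}` keeps it consistent with the surrounding `:-` defaults and makes the empty case explicit; the consumer in init_nginx already treats an empty value as "no trusted proxies".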


@ -206,6 +206,26 @@ init_nginx() {
echo "... adjusting 'fastcgi_connect_timeout' to ${FASTCGI_CONNECT_TIMEOUT}" echo "... adjusting 'fastcgi_connect_timeout' to ${FASTCGI_CONNECT_TIMEOUT}"
sed -i "s/fastcgi_connect_timeout .*;/fastcgi_connect_timeout ${FASTCGI_CONNECT_TIMEOUT};/" /etc/nginx/includes/misp sed -i "s/fastcgi_connect_timeout .*;/fastcgi_connect_timeout ${FASTCGI_CONNECT_TIMEOUT};/" /etc/nginx/includes/misp
# Adjust forwarding header settings (clean up first)
sed -i '/real_ip_header/d' /etc/nginx/includes/misp
sed -i '/real_ip_recursive/d' /etc/nginx/includes/misp
sed -i '/set_real_ip_from/d' /etc/nginx/includes/misp
if [[ "$NGINX_X_FORWARDED_FOR" = "true" ]]; then
echo "... enabling X-Forwarded-For header"
echo "... setting 'real_ip_header X-Forwarded-For'"
echo "... setting 'real_ip_recursive on'"
sed -i "/index index.php/a real_ip_header X-Forwarded-For;\nreal_ip_recursive on;" /etc/nginx/includes/misp
if [[ ! -z "$NGINX_SET_REAL_IP_FROM" ]]; then
SET_REAL_IP_FROM_PRINT=$(echo $NGINX_SET_REAL_IP_FROM | tr ',' '\n')
for real_ip in ${SET_REAL_IP_FROM_PRINT[@]}; do
echo "... setting 'set_real_ip_from ${real_ip}'"
done
SET_REAL_IP_FROM=$(echo $NGINX_SET_REAL_IP_FROM | tr ',' '\n' | while read line; do echo -n "set_real_ip_from ${line};\n"; done)
SET_REAL_IP_FROM_ESCAPED=$(echo $SET_REAL_IP_FROM | sed '$!s/$/\\/' | sed 's/\\n$//')
sed -i "/real_ip_recursive on/a $SET_REAL_IP_FROM_ESCAPED" /etc/nginx/includes/misp
fi
fi
# Testing for files also test for links, and generalize better to mounted files # Testing for files also test for links, and generalize better to mounted files
if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
echo "... enabling port 80 redirect" echo "... enabling port 80 redirect"
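Review bot: The entries of `NGINX_SET_REAL_IP_FROM` are spliced into /etc/nginx/includes/misp through `sed ... a` without any validation, so a typo, an entry that is not an address/CIDR, or one containing characters sed or nginx treat specially ends up verbatim in the config and nginx fails to load it; the list is also expanded unquoted (`${SET_REAL_IP_FROM_PRINT[@]}` is a plain string, not an array), so `*` or `?` in an entry would be globbed against the working directory. I would read the list with `IFS=',' read -r -a`, accept only entries matching an address-with-optional-prefix pattern, report and skip the rest on stderr, and append one `set_real_ip_from` directive per valid entry instead of building the escaped blob. Because `real_ip_recursive on` is set, nginx trusts the X-Forwarded-For chain up to the first hop not in this list, so a comment above the `if` stating that the list must contain only the reverse proxies' addresses would help operators. init_nginx() begins before this hunk and continues after it.
```shell
    if [[ "$NGINX_X_FORWARDED_FOR" = "true" ]]; then
        # … unchanged: real_ip_header / real_ip_recursive insertion …
        if [[ -n "$NGINX_SET_REAL_IP_FROM" ]]; then
            # Only an address, optionally with a /prefix, may reach the nginx
            # config; anything else is reported and skipped rather than
            # producing a config that fails to load.
            IFS=',' read -r -a real_ip_list <<< "$NGINX_SET_REAL_IP_FROM"
            for real_ip in "${real_ip_list[@]}"; do
                real_ip="${real_ip//[[:space:]]/}"
                [[ -z "$real_ip" ]] && continue
                if [[ ! "$real_ip" =~ ^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$ ]]; then
                    echo "... ignoring invalid 'set_real_ip_from' entry '${real_ip}'" >&2
                    continue
                fi
                echo "... setting 'set_real_ip_from ${real_ip}'"
                sed -i "/real_ip_recursive on/a set_real_ip_from ${real_ip};" /etc/nginx/includes/misp
            done
        fi
    fi
```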


@ -146,6 +146,9 @@ services:
- "AAD_MISP_ORGADMIN=${AAD_MISP_ORGADMIN}" - "AAD_MISP_ORGADMIN=${AAD_MISP_ORGADMIN}"
- "AAD_MISP_SITEADMIN=${AAD_MISP_SITEADMIN}" - "AAD_MISP_SITEADMIN=${AAD_MISP_SITEADMIN}"
- "AAD_CHECK_GROUPS=${AAD_CHECK_GROUPS}" - "AAD_CHECK_GROUPS=${AAD_CHECK_GROUPS}"
# Nginx settings
- "NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR}"
- "NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}"
# Proxy settings # Proxy settings
- "PROXY_ENABLE=${PROXY_ENABLE}" - "PROXY_ENABLE=${PROXY_ENABLE}"
- "PROXY_HOST=${PROXY_HOST}" - "PROXY_HOST=${PROXY_HOST}"


@ -0,0 +1,2 @@
[Volume]
VolumeName=certs


@ -0,0 +1,2 @@
[Volume]
VolumeName=conf


@ -0,0 +1,26 @@
[Unit]
Description=MISP Database system
Requires=misp-net-network.service
After=misp-net-network.service
[Container]
AutoUpdate=registry
ContainerName=db
Image=docker.io/library/mariadb:10.11
Network=misp-net
Volume=mysql_data:/var/lib/mysql
PodmanArgs=--network-alias db
EnvironmentFile=vars.env
AddCapability=SYS_NICE
HealthCmd=mysqladmin --user=${MYSQL_USER} --password=${MYSQL_PASSWORD} status
HealthInterval=2s
HealthTimeout=1s
HealthRetries=3
HealthStartPeriod=30s
[Service]
EnvironmentFile=%h/.config/containers/systemd/vars.env
Restart=always
[Install]
WantedBy=default.target
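Review bot: `HealthCmd=mysqladmin --user=${MYSQL_USER} --password=${MYSQL_PASSWORD} status` places the database password on a command line every 2 seconds, where anything able to list processes inside the container can read it (the mariadb client may overwrite the argument after start-up, but not before); the same applies to `Exec=--requirepass ${REDIS_PASSWORD}` and `HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping` in the redis unit further down this commit. Both client tools accept the password from the environment instead, `MYSQL_PWD` for mysqladmin and `REDISCLI_AUTH` for valkey-cli, so the health commands can drop the `--password=`/`-a` arguments, e.g. `HealthCmd=sh -c 'MYSQL_PWD="$MYSQL_PASSWORD" mysqladmin --user="$MYSQL_USER" status'`. Whether Quadlet expands `${...}` itself or leaves it to the container shell is not visible here, so the quoting form should be confirmed against the generated unit.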


@ -0,0 +1,2 @@
[Volume]
VolumeName=files


@ -0,0 +1,2 @@
[Volume]
VolumeName=gpg


@ -0,0 +1,2 @@
[Volume]
VolumeName=logs


@ -0,0 +1,15 @@
[Unit]
Description=MISP Mail system
Requires=misp-net-network.service
After=misp-net-network.service
[Container]
AutoUpdate=registry
ContainerName=mail
Image=docker.io/ixdotai/smtp
Network=misp-net
PodmanArgs=--network-alias mail
EnvironmentFile=vars.env
[Install]
WantedBy=default.target
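Review bot: `Image=docker.io/ixdotai/smtp` carries no tag, so combined with `AutoUpdate=registry` this unit will pull and run whatever the image's default tag points at on every auto-update run, with no version boundary; the other units in this commit pin one (`mariadb:10.11`, `valkey:7.2`). Pinning a tag here keeps auto-update within a known release line, and the unit is also the only container without a `HealthCmd`, so a relay that stops accepting mail would not be noticed by systemd.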


@ -0,0 +1,35 @@
[Unit]
Description=MISP Core
After=db.service
After=redis.service
Requires=db.service
Requires=redis.service
[Container]
AutoUpdate=registry
ContainerName=misp-core
Image=ghcr.io/misp/misp-docker/misp-core:latest
PublishPort=10443:443
Network=misp-net
PodmanArgs=--network-alias misp-core
Volume=conf:/var/www/MISP/app/Config/
Volume=logs:/var/www/MISP/app/tmp/logs/
Volume=files:/var/www/MISP/app/files/
Volume=certs:/etc/nginx/certs/
Volume=gpg:/var/www/MISP/.gnupg/
EnvironmentFile=vars.env
AddCapability=AUDIT_WRITE
HealthCmd=curl -ks ${BASE_URL}/users/heartbeat > /dev/null || exit 1
HealthInterval=2s
HealthTimeout=1s
HealthRetries=3
HealthStartPeriod=30s
HealthStartupInterval=30s
[Service]
ExecStartPre=/bin/sleep 30
EnvironmentFile=%h/.config/containers/systemd/vars.env
Restart=always
[Install]
WantedBy=default.target
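Review bot: `Requires=db.service` / `After=db.service` and the matching `redis.service` lines refer to units this commit does not appear to create: the README added in the same commit starts them as `misp-db.service` and `misp-redis.service`, and Quadlet names the generated service after the .container file (the file names are not shown on this page, so this is inferred). A `Requires=` on a unit systemd cannot find makes the start of misp-core fail with a dependency error, which `ExecStartPre=/bin/sleep 30` does not mask; the misp-modules unit below has the same `redis.service` references. If the files are misp-db.container and misp-redis.container, the lines should read `Requires=misp-db.service` and `Requires=misp-redis.service`, with `After=` changed the same way.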


@ -0,0 +1,19 @@
[Unit]
Description=MISP Modules
After=redis.service
Requires=redis.service
[Container]
AutoUpdate=registry
ContainerName=misp-modules
Image=ghcr.io/misp/misp-docker/misp-modules:latest
Network=misp-net
PodmanArgs=--network-alias misp-modules
EnvironmentFile=vars.env
[Service]
EnvironmentFile=%h/.config/containers/systemd/vars.env
ExecStartPre=/bin/sleep 30
[Install]
WantedBy=default.target


@ -0,0 +1,3 @@
[Network]
NetworkName=misp-net
DisableDNS=false


@ -0,0 +1,2 @@
[Volume]
VolumeName=mysql_data


@ -0,0 +1,26 @@
[Unit]
Description=MISP Redis system
Requires=misp-net-network.service
After=misp-net-network.service
[Container]
EnvironmentFile=vars.env
AutoUpdate=registry
ContainerName=redis
Image=docker.io/valkey/valkey:7.2
Network=misp-net
Volume=redis_data:/data
PodmanArgs=--network-alias redis
Exec=--requirepass ${REDIS_PASSWORD}
HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping
HealthInterval=2s
HealthTimeout=1s
HealthRetries=3
HealthStartPeriod=30s
[Service]
EnvironmentFile=%h/.config/containers/systemd/vars.env
Restart=always
[Install]
WantedBy=default.target


@ -0,0 +1,2 @@
[Volume]
VolumeName=redis_data


@ -193,3 +193,8 @@ SYNCSERVERS_1_PULL_RULES=
# INNODB_READ_IO_THREADS=16 # INNODB_READ_IO_THREADS=16
# INNODB_STATS_PERSISTENT=ON # INNODB_STATS_PERSISTENT=ON
# INNODB_WRITE_IO_THREADS=4 # INNODB_WRITE_IO_THREADS=4
# Whether to enable processing of the X-Forwarded-For header (default to false)
# NGINX_X_FORWARDED_FOR=true
# Comma separated list of trusted IP addresses
# NGINX_SET_REAL_IP_FROM=127.0.0.1
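Review bot: The comment `# Comma separated list of trusted IP addresses` does not say what "trusted" means for this setting, which is the security-relevant part: with `real_ip_header X-Forwarded-For` and `real_ip_recursive on` as set by init_nginx, nginx will believe the client address asserted by any peer in this list, so it must contain only the reverse proxies or load balancers in front of MISP and never a range that covers untrusted networks. I would expand it to `# Comma separated list of reverse-proxy addresses or CIDR ranges whose X-Forwarded-For header is trusted; requests from any other address keep their connecting IP` and add that the value is only applied when `NGINX_X_FORWARDED_FOR=true`, since the init script ignores it otherwise.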