Add support for 'X-Forwarded-For'; merge podman PR by @urfin00djuce
parent
b033daec4f
commit
663c154a97
62
README.md
62
README.md
|
@ -141,3 +141,65 @@ A GitHub Action builds both `misp-core` and `misp-modules` images automatically
|
|||
- `misp-core:${commit-sha1}[0:7]` and `misp-modules:${commit-sha1}[0:7]` where `${commit-sha1}` is the commit hash triggering the build
|
||||
- `misp-core:latest` and `misp-modules:latest` in order to track the latest builds available
|
||||
- `misp-core:${CORE_TAG}` and `misp-modules:${MODULES_TAG}` reflecting the underlying version of MISP and MISP modules (as specified inside the `template.env` file at build time)
|
||||
|
||||
## Podman (experimental)
|
||||
|
||||
It is possible to run the image using `podman-systemd` rather than `docker` to:
|
||||
- Run containers in **rootless** mode
|
||||
- Manage containers with **systemd**
|
||||
- Write container descriptions in an **ignition** file and deploy them (not covered in this documentation)
|
||||
|
||||
Note that this is **experimental** and it is **NOT SUPPORTED** (issues will be automatically closed).
|
||||
|
||||
### Configuration
|
||||
|
||||
Copy the following directories and files:
|
||||
- Content of `experimental/podman-systemd` to `$USER/.config/containers/systemd/`
|
||||
- `template.vars` to `$USER/.config/containers/systemd/vars.env`
|
||||
|
||||
Edit `vars.env`, and initialize the following MySQL settings:
|
||||
```bash
|
||||
MYSQL_HOST=
|
||||
MYSQL_USER=
|
||||
MYSQL_PASSWORD=
|
||||
MYSQL_ROOT_PASSWORD=
|
||||
MYSQL_DATABASE=
|
||||
```
|
||||
|
||||
Set the Redis password:
|
||||
```bash
|
||||
REDIS_PASSWORD=
|
||||
```
|
||||
|
||||
Set the base URL:
|
||||
```bash
|
||||
BASE_URL=https://<IP>:10443
|
||||
```
|
||||
|
||||
### Run
|
||||
|
||||
Reload systemd user daemon:
|
||||
```bash
|
||||
systemctl --user daemon-reload
|
||||
```
|
||||
|
||||
Start services:
|
||||
```bash
|
||||
systemctl --user start misp-mail.service
|
||||
systemctl --user start misp-db.service
|
||||
systemctl --user start misp-redis.service
|
||||
systemctl --user start misp-core.service
|
||||
systemctl --user start misp-modules.service
|
||||
```
|
||||
|
||||
Wait a bit and check your service at `https://<IP>:10443`.
|
||||
If everything checks out, you can make services persistent across reboots and logouts:
|
||||
```bash
|
||||
sudo loginctl enable-linger $USER
|
||||
```
|
||||
|
||||
You can even set podman to check for new container versions by activating the specific timer `podman-auto-update.timer`:
|
||||
```bash
|
||||
systemctl --user enable podman-auto-update.timer --now
|
||||
```
|
||||
|
||||
|
|
|
@ -45,5 +45,8 @@ export PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}
|
|||
export PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}
|
||||
export PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300}
|
||||
|
||||
export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false}
|
||||
export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}
|
||||
|
||||
# start supervisord using the main configuration file so we have a socket interface
|
||||
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
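Review bot: `export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}` is the only new export without a `:-` default, while its neighbours (`NGINX_X_FORWARDED_FOR`, `PHP_MAX_INPUT_TIME`) all supply one; if the script runs under `set -u` (not visible in this hunk) an unset variable would abort container startup. Suggest `export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM:-}` with the comment `# comma-separated trusted proxy addresses/CIDRs; empty means nginx never honours X-Forwarded-For`. The consumer of this variable is init_nginx, outside this hunk.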
|
||||
|
|
|
@ -206,6 +206,26 @@ init_nginx() {
|
|||
echo "... adjusting 'fastcgi_connect_timeout' to ${FASTCGI_CONNECT_TIMEOUT}"
|
||||
sed -i "s/fastcgi_connect_timeout .*;/fastcgi_connect_timeout ${FASTCGI_CONNECT_TIMEOUT};/" /etc/nginx/includes/misp
|
||||
|
||||
# Adjust forwarding header settings (clean up first)
|
||||
sed -i '/real_ip_header/d' /etc/nginx/includes/misp
|
||||
sed -i '/real_ip_recursive/d' /etc/nginx/includes/misp
|
||||
sed -i '/set_real_ip_from/d' /etc/nginx/includes/misp
|
||||
if [[ "$NGINX_X_FORWARDED_FOR" = "true" ]]; then
|
||||
echo "... enabling X-Forwarded-For header"
|
||||
echo "... setting 'real_ip_header X-Forwarded-For'"
|
||||
echo "... setting 'real_ip_recursive on'"
|
||||
sed -i "/index index.php/a real_ip_header X-Forwarded-For;\nreal_ip_recursive on;" /etc/nginx/includes/misp
|
||||
if [[ ! -z "$NGINX_SET_REAL_IP_FROM" ]]; then
|
||||
SET_REAL_IP_FROM_PRINT=$(echo $NGINX_SET_REAL_IP_FROM | tr ',' '\n')
|
||||
for real_ip in ${SET_REAL_IP_FROM_PRINT[@]}; do
|
||||
echo "... setting 'set_real_ip_from ${real_ip}'"
|
||||
done
|
||||
SET_REAL_IP_FROM=$(echo $NGINX_SET_REAL_IP_FROM | tr ',' '\n' | while read line; do echo -n "set_real_ip_from ${line};\n"; done)
|
||||
SET_REAL_IP_FROM_ESCAPED=$(echo $SET_REAL_IP_FROM | sed '$!s/$/\\/' | sed 's/\\n$//')
|
||||
sed -i "/real_ip_recursive on/a $SET_REAL_IP_FROM_ESCAPED" /etc/nginx/includes/misp
|
||||
fi
|
||||
fi
|
||||
|
||||
# Testing for files also test for links, and generalize better to mounted files
|
||||
if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
|
||||
echo "... enabling port 80 redirect"
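Review bot: When `NGINX_X_FORWARDED_FOR=true` but `NGINX_SET_REAL_IP_FROM` is empty, the block still writes `real_ip_header X-Forwarded-For` and `real_ip_recursive on` (sed at the `index index.php` anchor) but no `set_real_ip_from`, so nginx's realip module trusts no peer and the header is silently ignored while the log says "enabling X-Forwarded-For header"; an `else` branch on the inner `if` with `echo "... WARNING: NGINX_SET_REAL_IP_FROM is empty, X-Forwarded-For will be ignored until trusted proxy addresses are listed"` makes the fail-safe visible. The list is also the spoofing boundary — any peer in it can present an arbitrary client address to whatever MISP derives from the remote IP — so a comment above the loop such as `# only list the reverse proxies in front of MISP; never 0.0.0.0/0` is worth adding. Each entry is spliced unescaped into a sed `a` command, so a value containing a backslash or newline corrupts the nginx include; checking each `${real_ip}` inside the loop with `[[ "$real_ip" =~ ^[0-9a-fA-F:.]+(/[0-9]+)?$ ]] || { echo "invalid NGINX_SET_REAL_IP_FROM entry: $real_ip" >&2; exit 1; }` fails fast instead. The init_nginx function starts before and ends after this hunk.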
|
||||
|
|
|
@ -146,6 +146,9 @@ services:
|
|||
- "AAD_MISP_ORGADMIN=${AAD_MISP_ORGADMIN}"
|
||||
- "AAD_MISP_SITEADMIN=${AAD_MISP_SITEADMIN}"
|
||||
- "AAD_CHECK_GROUPS=${AAD_CHECK_GROUPS}"
|
||||
# Nginx settings
|
||||
- "NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR}"
|
||||
- "NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}"
|
||||
# Proxy settings
|
||||
- "PROXY_ENABLE=${PROXY_ENABLE}"
|
||||
- "PROXY_HOST=${PROXY_HOST}"
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
[Volume]
|
||||
VolumeName=certs
|
|
@ -0,0 +1,2 @@
|
|||
[Volume]
|
||||
VolumeName=conf
|
|
@ -0,0 +1,26 @@
|
|||
[Unit]
|
||||
Description=MISP Database system
|
||||
Requires=misp-net-network.service
|
||||
After=misp-net-network.service
|
||||
|
||||
[Container]
|
||||
AutoUpdate=registry
|
||||
ContainerName=db
|
||||
Image=docker.io/library/mariadb:10.11
|
||||
Network=misp-net
|
||||
Volume=mysql_data:/var/lib/mysql
|
||||
PodmanArgs=--network-alias db
|
||||
EnvironmentFile=vars.env
|
||||
AddCapability=SYS_NICE
|
||||
HealthCmd=mysqladmin --user=${MYSQL_USER} --password=${MYSQL_PASSWORD} status
|
||||
HealthInterval=2s
|
||||
HealthTimeout=1s
|
||||
HealthRetries=3
|
||||
HealthStartPeriod=30s
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=%h/.config/containers/systemd/vars.env
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
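Review bot: `HealthCmd=mysqladmin --user=${MYSQL_USER} --password=${MYSQL_PASSWORD} status` has the database password expanded by systemd (from the `[Service]` `EnvironmentFile`) into the generated `podman run` line, so it appears in `systemctl --user cat`/journal output, in `podman inspect` and in the health-check argv inside the container. Because `vars.env` is also injected through the `[Container]` `EnvironmentFile=`, the credential is already present as an environment variable there; `HealthCmd=sh -c 'mysqladmin --user="$$MYSQL_USER" --password="$$MYSQL_PASSWORD" status'` defers expansion to the container (`$$` is systemd's literal dollar — verify the rendered ExecStart), and the mariadb image's `healthcheck.sh --connect` would avoid the argv exposure entirely if this tag ships it. The same `EnvironmentFile=vars.env` hands this container every other secret in the file (for instance `REDIS_PASSWORD`), which a per-service env file would avoid.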
|
|
@ -0,0 +1,2 @@
|
|||
[Volume]
|
||||
VolumeName=files
|
|
@ -0,0 +1,2 @@
|
|||
[Volume]
|
||||
VolumeName=gpg
|
|
@ -0,0 +1,2 @@
|
|||
[Volume]
|
||||
VolumeName=logs
|
|
@ -0,0 +1,15 @@
|
|||
[Unit]
|
||||
Description=MISP Mail system
|
||||
Requires=misp-net-network.service
|
||||
After=misp-net-network.service
|
||||
|
||||
[Container]
|
||||
AutoUpdate=registry
|
||||
ContainerName=mail
|
||||
Image=docker.io/ixdotai/smtp
|
||||
Network=misp-net
|
||||
PodmanArgs=--network-alias mail
|
||||
EnvironmentFile=vars.env
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
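Review bot: `Image=docker.io/ixdotai/smtp` carries no tag and is paired with `AutoUpdate=registry`, so this third-party relay is re-pulled to whatever `latest` becomes without review; pin a tag or digest (`Image=docker.io/ixdotai/smtp:<tag>` or `@sha256:…`). `EnvironmentFile=vars.env` also hands the mail container the whole environment, including the MySQL and Redis passwords the other units consume, when it presumably needs only SMTP settings — a dedicated env file for this unit narrows that. Unlike misp-db and misp-redis there is no `Restart=` line; if the omission is deliberate a one-line comment saying so would help.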
|
|
@ -0,0 +1,35 @@
|
|||
[Unit]
|
||||
Description=MISP Core
|
||||
After=db.service
|
||||
After=redis.service
|
||||
Requires=db.service
|
||||
Requires=redis.service
|
||||
|
||||
[Container]
|
||||
AutoUpdate=registry
|
||||
ContainerName=misp-core
|
||||
Image=ghcr.io/misp/misp-docker/misp-core:latest
|
||||
PublishPort=10443:443
|
||||
Network=misp-net
|
||||
PodmanArgs=--network-alias misp-core
|
||||
Volume=conf:/var/www/MISP/app/Config/
|
||||
Volume=logs:/var/www/MISP/app/tmp/logs/
|
||||
Volume=files:/var/www/MISP/app/files/
|
||||
Volume=certs:/etc/nginx/certs/
|
||||
Volume=gpg:/var/www/MISP/.gnupg/
|
||||
EnvironmentFile=vars.env
|
||||
AddCapability=AUDIT_WRITE
|
||||
HealthCmd=curl -ks ${BASE_URL}/users/heartbeat > /dev/null || exit 1
|
||||
HealthInterval=2s
|
||||
HealthTimeout=1s
|
||||
HealthRetries=3
|
||||
HealthStartPeriod=30s
|
||||
HealthStartupInterval=30s
|
||||
|
||||
[Service]
|
||||
ExecStartPre=/bin/sleep 30
|
||||
EnvironmentFile=%h/.config/containers/systemd/vars.env
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
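Review bot: `Requires=db.service` / `After=db.service` (and the `redis.service` pair) do not match the unit names the README in this commit starts, `misp-db.service` and `misp-redis.service`; quadlet derives the unit name from the `.container` file name rather than from `ContainerName=`, so these presumably point at units that do not exist and the ordering is not enforced — the `ExecStartPre=/bin/sleep 30` reads like a workaround for exactly that. Use `Requires=misp-db.service misp-redis.service` and `After=misp-db.service misp-redis.service`, after which the sleep can go. Separately, `HealthCmd=curl -ks ${BASE_URL}/users/heartbeat` disables certificate verification (`-k`), which is reasonable for a self-signed local certificate but deserves a comment, and `Image=…:latest` with `AutoUpdate=registry` upgrades MISP unattended when the README lists `${CORE_TAG}` tags that allow pinning.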
|
|
@ -0,0 +1,19 @@
|
|||
[Unit]
|
||||
Description=MISP Modules
|
||||
After=redis.service
|
||||
Requires=redis.service
|
||||
|
||||
[Container]
|
||||
AutoUpdate=registry
|
||||
ContainerName=misp-modules
|
||||
Image=ghcr.io/misp/misp-docker/misp-modules:latest
|
||||
Network=misp-net
|
||||
PodmanArgs=--network-alias misp-modules
|
||||
EnvironmentFile=vars.env
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=%h/.config/containers/systemd/vars.env
|
||||
ExecStartPre=/bin/sleep 30
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
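Review bot: `Requires=redis.service` / `After=redis.service` has the same name mismatch as misp-core: the README starts `misp-redis.service`, and quadlet names the unit after the `.container` file rather than `ContainerName=`, so this dependency presumably resolves to nothing; use `Requires=misp-redis.service` and `After=misp-redis.service`. This is also the only container unit without `Restart=always`, so a crash of misp-modules leaves misp-core without enrichment until a manual restart; add it unless the omission is deliberate, and say so in a comment if it is.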
|
|
@ -0,0 +1,3 @@
|
|||
[Network]
|
||||
NetworkName=misp-net
|
||||
DisableDNS=false
|
|
@ -0,0 +1,2 @@
|
|||
[Volume]
|
||||
VolumeName=mysql_data
|
|
@ -0,0 +1,26 @@
|
|||
[Unit]
|
||||
Description=MISP Redis system
|
||||
Requires=misp-net-network.service
|
||||
After=misp-net-network.service
|
||||
|
||||
[Container]
|
||||
EnvironmentFile=vars.env
|
||||
AutoUpdate=registry
|
||||
ContainerName=redis
|
||||
Image=docker.io/valkey/valkey:7.2
|
||||
Network=misp-net
|
||||
Volume=redis_data:/data
|
||||
PodmanArgs=--network-alias redis
|
||||
Exec=--requirepass ${REDIS_PASSWORD}
|
||||
HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping
|
||||
HealthInterval=2s
|
||||
HealthTimeout=1s
|
||||
HealthRetries=3
|
||||
HealthStartPeriod=30s
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=%h/.config/containers/systemd/vars.env
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
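Review bot: `Exec=--requirepass ${REDIS_PASSWORD}` and `HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping` both expand the secret into the generated `podman run` command line (journal, `podman inspect`) and into the server's and client's argv inside the container, where any process can read it from /proc. Since `vars.env` is injected into the container, the value is available as an environment variable there: `valkey-cli` honours `REDISCLI_AUTH`, so `HealthCmd=sh -c 'REDISCLI_AUTH="$$REDIS_PASSWORD" valkey-cli ping'` keeps it out of argv (`$$` defers expansion from systemd to the container — verify with `systemctl --user cat`), and the server password can come from a mounted config file or a small entrypoint that reads the env instead of `--requirepass`. Expect `valkey-cli -a` to keep printing its insecure-usage warning on every health probe until this changes.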
|
|
@ -0,0 +1,2 @@
|
|||
[Volume]
|
||||
VolumeName=redis_data
|
|
@ -193,3 +193,8 @@ SYNCSERVERS_1_PULL_RULES=
|
|||
# INNODB_READ_IO_THREADS=16
|
||||
# INNODB_STATS_PERSISTENT=ON
|
||||
# INNODB_WRITE_IO_THREADS=4
|
||||
|
||||
# Whether to enable processing of the X-Forwarded-For header (default to false)
|
||||
# NGINX_X_FORWARDED_FOR=true
|
||||
# Comma separated list of trusted IP addresses
|
||||
# NGINX_SET_REAL_IP_FROM=127.0.0.1
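Review bot: The comment `# Comma separated list of trusted IP addresses` undersells what the list does: each entry becomes an nginx `set_real_ip_from` directive, i.e. a peer allowed to overwrite the client address MISP sees, and with no entry `NGINX_X_FORWARDED_FOR=true` has no effect at all. Suggest `# Comma-separated addresses or CIDR ranges of the reverse proxies in front of MISP (nginx set_real_ip_from).` followed by `# Only these peers may set the client IP via X-Forwarded-For; required for NGINX_X_FORWARDED_FOR to take effect. Never use 0.0.0.0/0.` The example `127.0.0.1` only matches a proxy on the container's own loopback, which in a compose deployment is presumably not where the proxy sits; the proxy service's network address is a more useful example.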
|
||||
|
|