From 6cc2cc3d2d371e48c3a077180736ca5860867e84 Mon Sep 17 00:00:00 2001
From: Steven
Date: Tue, 9 Mar 2021 22:45:11 +0100
Subject: [PATCH] - Clean up repository - Don't run redis as daemon as it does not work in container
---
 docker-compose-nginx.yml | 44 --------------------------------------
 docker-compose.yml | 3 ++-
 proxy/Dockerfile | 10 ---------
 proxy/default.conf | 26 ----------------------
 proxy/includes/proxy.conf | 8 -------
 proxy/includes/ssl.conf | 7 ------
 proxy/ssl/place_certs_here | 0
 web/Dockerfile | 14 +----------
 web/run.sh | 10 +++++++--
 9 files changed, 11 insertions(+), 111 deletions(-)
 delete mode 100644 docker-compose-nginx.yml
 delete mode 100644 proxy/Dockerfile
 delete mode 100644 proxy/default.conf
 delete mode 100644 proxy/includes/proxy.conf
 delete mode 100644 proxy/includes/ssl.conf
 delete mode 100644 proxy/ssl/place_certs_here
diff --git a/docker-compose-nginx.yml b/docker-compose-nginx.yml
deleted file mode 100644
index c5fcfc9..0000000
--- a/docker-compose-nginx.yml
+++ /dev/null
@@ -1,44 +0,0 @@ -version: '2' - -services: - proxy: - build: - context: proxy - container_name: misp_proxy - restart: unless-stopped - image: misp-proxy:latest - ports: - - 80:80 - - 443:443 - - web: - build: web - container_name: misp_web - image: misp:latest - restart: unless-stopped - volumes: - - /dev/urandom:/dev/random - - ${DATA_DIR}/web:/var/www/MISP - environment: - - MYSQL_HOST=${MYSQL_HOST} - - MYSQL_DATABASE=${MYSQL_DATABASE} - - MYSQL_USER=${MYSQL_USER} - - MYSQL_PASSWORD=${MYSQL_PASSWORD} - - MISP_ADMIN_EMAIL=${MISP_ADMIN_EMAIL} - - MISP_ADMIN_PASSPHRASE=${MISP_ADMIN_PASSPHRASE} - - MISP_BASEURL=${MISP_BASEURL} - - POSTFIX_RELAY_HOST=${POSTFIX_RELAY_HOST} - - TIMEZONE=${TIMEZONE} - - db: - container_name: misp_db - image: mysql/mysql-server:5.7 - restart: unless-stopped - volumes: - - ${DATA_DIR}/db:/var/lib/mysql - environment: - - MYSQL_DATABASE=${MYSQL_DATABASE} - - MYSQL_USER=${MYSQL_USER} - - MYSQL_PASSWORD=${MYSQL_PASSWORD} - - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} - diff --git a/docker-compose.yml b/docker-compose.yml index 05ce870..2d87ef2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,4 @@ -version: '2' +version: '3' services: web: @@ -10,6 +10,7 @@ services: restart: unless-stopped ports: - "80:80" + - "443:443" volumes: - /dev/urandom:/dev/random - ${DATA_DIR}/web:/var/www/MISP diff --git a/proxy/Dockerfile b/proxy/Dockerfile deleted file mode 100644 index 60aad83..0000000 --- a/proxy/Dockerfile +++ /dev/null @@ -1,10 +0,0 @@ -FROM nginx:1.18 - -# default conf for proxy service -COPY ./default.conf /etc/nginx/conf.d/default.conf - -# Proxy and SSL configurations -COPY ./includes/ /etc/nginx/includes/ - -# Proxy SSL certificates -COPY ./ssl/ /etc/ssl/certs/nginx/ diff --git a/proxy/default.conf b/proxy/default.conf deleted file mode 100644 index 8a0f3f8..0000000 --- a/proxy/default.conf +++ /dev/null 
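Review bot: The new `- "443:443"` mapping publishes a TLS port on the web container, but nothing in the diff shows what terminates TLS there now that the proxy's `ssl.conf`, certificate paths and 80→443 redirect are deleted. If the MISP install script sets up Apache with a self-signed certificate, the compose file should say so and where operators mount a real certificate, e.g. `# 443 is served by the web container itself; see README for mounting your own cert/key`. Whatever replaces the proxy's TLS settings should allow only TLS 1.2 or later and be checked once the image is built, since the `80:80` mapping still exposes plain HTTP and its redirect behaviour is not visible here. The `version: '3'` bump is fine for the keys shown.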
@@ -1,26 +0,0 @@ -# plain http redirect to https -server { - listen 80; - listen [::]:80; - server_name localhost; - return 301 https://$server_name$request_uri; -} -# main server, reverse proxy to 'web' container -server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - server_name localhost; - - # Path for SSL config/key/certificate - ssl_certificate /etc/ssl/certs/nginx/misp.crt; - ssl_certificate_key /etc/ssl/certs/nginx/misp.key; - include /etc/nginx/includes/ssl.conf; - - location / { - include /etc/nginx/includes/proxy.conf; - proxy_pass http://web; - } - - access_log off; - error_log /var/log/nginx/error.log error; -} diff --git a/proxy/includes/proxy.conf b/proxy/includes/proxy.conf deleted file mode 100644 index 716d590..0000000 --- a/proxy/includes/proxy.conf +++ /dev/null @@ -1,8 +0,0 @@ -proxy_set_header Host $host; -proxy_set_header X-Real-IP $remote_addr; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Proto $scheme; -proxy_buffering off; -proxy_request_buffering off; -proxy_http_version 1.1; -proxy_intercept_errors on; diff --git a/proxy/includes/ssl.conf b/proxy/includes/ssl.conf deleted file mode 100644 index 6501d91..0000000 --- a/proxy/includes/ssl.conf +++ /dev/null 
@@ -1,7 +0,0 @@ -ssl_session_timeout 1d; -ssl_session_cache shared:SSL:50m; -ssl_session_tickets off; - -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHAECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; -ssl_prefer_server_ciphers on; diff --git a/proxy/ssl/place_certs_here b/proxy/ssl/place_certs_here deleted file mode 100644 index e69de29..0000000 diff --git a/web/Dockerfile b/web/Dockerfile index a207266..56086c2 100644 --- a/web/Dockerfile +++ b/web/Dockerfile @@ -9,7 +9,7 @@ RUN apt-get update && \ apt-get install -y software-properties-common && \ apt-get install -y postfix && \ apt-get install -y mysql-client curl gcc git gnupg-agent \ - make python openssl redis-server sudo vim zip locales wget supervisor + make python3 openssl redis-server sudo vim zip locales wget supervisor RUN locale-gen en_US.UTF-8 ENV LANG en_US.UTF-8 @@ -28,17 +28,6 @@ RUN bash INSTALL_NODB.sh -A -u USER root -# Install MISP Modules -WORKDIR /opt -RUN git clone --branch v2.4.134 https://github.com/MISP/misp-modules.git -RUN cd misp-modules && \ - pip3 install --upgrade pip setuptools wheel && \ - pip3 install scikit-build && \ - pip3 install opencv-python && \ - pip3 install -I -r REQUIREMENTS && \ - pip3 install -I . && \ - echo "sudo -u www-data misp-modules -s -l 127.0.0.1 &" >>/etc/rc.local - # Supervisord Setup RUN ( \ echo '[supervisord]'; \ 
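Review bot: The redis configuration fix this commit applies at runtime in `web/run.sh` (`daemonize no`) belongs next to the `redis-server` install in the first web/Dockerfile hunk, since `/etc/redis/redis.conf` is image content and editing it at build time makes the image self-consistent regardless of the firstboot marker: `RUN sed -i 's/^daemonize yes/daemonize no/' /etc/redis/redis.conf`. Whether redis is actually started by supervisord is inferred, as the `[program:...]` entries are outside the hunk. Switching to `python3` here while dropping the misp-modules block in the second hunk is consistent with the `MISP.python_bin` venv setting added in run.sh, but a short comment on the `RUN apt-get` line saying why `redis-server` is installed in the web image (`# redis runs inside this container, not as a separate compose service`) would help the next reader.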
@@ -74,7 +63,6 @@ RUN ( \ # Trigger to perform first boot operations ADD run.sh /run.sh RUN chmod 0755 /run.sh && touch /.firstboot.tmp - # Make a backup of /var/www/MISP to restore it to the local moint point at first boot WORKDIR /var/www/MISP RUN tar czpf /root/MISP.tgz . diff --git a/web/run.sh b/web/run.sh index 3b77cfb..31035bd 100755 --- a/web/run.sh +++ b/web/run.sh @@ -2,10 +2,12 @@ # # MISP docker startup script # Xavier Mertens +# Steven Goossens # # 2017/05/17 - Created # 2017/05/31 - Fixed small errors # 2019/10/17 - Use built-in mysql docker DB creation and use std env names (dafal) +# 2021/03/09 - Update to work with the install script provided by MISP. Includes https support, Python venv,... # set -e @@ -89,7 +91,7 @@ if [ -r /.firstboot.tmp ]; then # MISP configuration echo "Creating MISP configuration files" cd /var/www/MISP/app/Config - cp -a database.default.php database.php + cp -a database.default.php database.php sed -i "s/localhost/$MYSQL_HOST/" database.php sed -i "s/db\s*login/$MYSQL_USER/" database.php sed -i "s/8889/3306/" database.php @@ -102,7 +104,10 @@ if [ -r /.firstboot.tmp ]; then echo "Fixing the MISP base URL ($MISP_BASEURL) ..." sed -i "s@'baseurl'[\t ]*=>[\t ]*'',@'baseurl' => '$MISP_BASEURL',@g" /var/www/MISP/app/Config/config.php fi - + + #Redis should not run as a daemon + sed -i "s/daemonize yes/daemonize no/g" /etc/redis/redis.conf + # Generate the admin user PGP key echo "Creating admin GnuPG key" if [ -z "$MISP_ADMIN_EMAIL" -o -z "$MISP_ADMIN_PASSPHRASE" ]; then @@ -141,6 +146,7 @@ fi # non-live will make it live again if the container restarts. That seems # better than the default which is that MISP is non-live on container restart. # Ideally live/non-live would be persisted in the database. +/var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" "/var/www/MISP/venv/bin/python" /var/www/MISP/app/Console/cake live 1 chown www-data:www-data /var/www/MISP/app/Config/config.php*
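Review bot: The new `sed -i "s/daemonize yes/daemonize no/g" /etc/redis/redis.conf` silently does nothing if the shipped config has no such line (or a different spelling), and because it sits inside the `if [ -r /.firstboot.tmp ]` block, whose start is outside the hunk, it is only applied when the marker file exists. Anchor the pattern and verify the result so `set -e` (visible in the header hunk) aborts on failure rather than leaving redis to exit at start: `sed -i 's/^daemonize yes/daemonize no/' /etc/redis/redis.conf` followed by `grep -q '^daemonize no' /etc/redis/redis.conf`. The comment should also get a space after `#` and state the reason, e.g. `# Redis must stay in the foreground: a daemonized redis-server exits immediately and the process supervisor treats that as a crash` (supervisord is inferred from the Dockerfile; confirm).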
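Review bot: The added `cake Admin setSetting "MISP.python_bin" "/var/www/MISP/venv/bin/python"` is inserted between the comment explaining `cake live 1` and that line, so the comment now reads as describing the wrong command; move the new line above the comment block or give it its own, e.g. `# Point MISP at the venv interpreter created by the MISP install script (path assumed from INSTALL_NODB.sh; confirm)`. The interpreter path is hard-coded and unchecked, so a guard such as `[ -x /var/www/MISP/venv/bin/python ] || echo "WARNING: venv python not found" >&2` before the setSetting call would make a bad path visible instead of failing inside cake. Since this runs after `fi`, it executes on every container start, which is fine for an idempotent setting but worth stating in the comment.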