Allow disabling of SSL redirection

core/files/entrypoint_nginx.sh

@@ -17,6 +17,7 @@ trap term_proc SIGTERM
 [ -z "$CRON_USER_ID" ] && export CRON_USER_ID="1"
 [ -z "$BASE_URL" ] && export BASE_URL="https://localhost"
 [ -z "$DISABLE_IPV6" ] && export DISABLE_IPV6=false
+[ -z "$DISABLE_SSL_REDIRECT" ] && export DISABLE_SSL_REDIRECT=false
 
 init_mysql(){
     # Test when MySQL is ready....
@@ -197,7 +198,7 @@ flip_nginx() {
 
     # must be valid for all roots
     echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
-    sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp
+    sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/includes/misp
 
     if [[ "$reload" = "true" ]]; then
         echo "... nginx reloaded"
@@ -210,7 +211,16 @@ init_nginx() {
     if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
         echo "... enabling port 80 redirect"
         if [[ "$DISABLE_IPV6" = "true" ]]; then
-            sed -i "/\[::\]/d" /etc/nginx/sites-available/misp80
+            sed -i "s/[^#] listen \[/  # listen \[/" /etc/nginx/sites-available/misp80
+        else
+            sed -i "s/# listen \[/listen \[" /etc/nginx/sites-available/misp80
+        fi
+        if [[ "$DISABLE_SSL_REDIRECT" = "true" ]]; then
+            sed -i "s/[^#] return /  # return /" /etc/nginx/sites-available/misp80
+            sed -i "s/# include /include /" /etc/nginx/sites-available/misp80
+        else
+            sed -i "s/[^#] include /  # include /" /etc/nginx/sites-available/misp80
+            sed -i "s/# return /return /" /etc/nginx/sites-available/misp80
         fi
         ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
     else
@@ -218,12 +228,14 @@ init_nginx() {
     fi
 
     # Testing for files also test for links, and generalize better to mounted files
-    if [[ ! -f "/etc/nginx/sites-enabled/misp" ]]; then
+    if [[ ! -f "/etc/nginx/sites-enabled/misp443" ]]; then
         echo "... enabling port 443"
         if [[ "$DISABLE_IPV6" = "true" ]]; then
-            sed -i "/\[::\]/d" /etc/nginx/sites-available/misp
+            sed -i "s/[^#] listen \[/  # listen \[/" /etc/nginx/sites-available/misp443
+        else
+            sed -i "s/# listen \[/listen \[" /etc/nginx/sites-available/misp443
         fi
-        ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
+        ln -s /etc/nginx/sites-available/misp443 /etc/nginx/sites-enabled/misp443
     else
         echo "... port 443 already configured"
     fi

core/files/etc/nginx/includes/misp

@@ -0,0 +1,28 @@
+# define the root dir
+root /var/www/MISP/app/webroot;
+index index.php;
+
+# incrase the maximum body size
+client_max_body_size 50M;
+
+# added headers for hardening browser security
+add_header Referrer-Policy "no-referrer" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Download-Options "noopen" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Permitted-Cross-Domain-Policies "none" always;
+add_header X-Robots-Tag "none" always;
+add_header X-XSS-Protection "1; mode=block" always;
+
+# remove X-Powered-By, which is an information leak
+fastcgi_hide_header X-Powered-By;
+
+location / {
+    try_files $uri $uri/ /index.php$is_args$query_string;
+}
+
+location ~ \.php$ {
+    include snippets/fastcgi-php.conf;
+    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+    fastcgi_read_timeout 300;
+}

core/files/etc/nginx/sites-available/misp

@@ -1,53 +0,0 @@
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-
-    # define the root dir
-    root /var/www/MISP/app/webroot;
-    index index.php;
-
-    client_max_body_size 50M;
-
-    # disable access logs
-    access_log off;
-    log_not_found off;
-    error_log  /dev/stderr error;
-
-    ssl_certificate /etc/nginx/certs/cert.pem;
-    ssl_certificate_key /etc/nginx/certs/key.pem;
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
-    ssl_session_tickets off;
-
-    # intermediate configuration
-    ssl_dhparam /etc/nginx/certs/dhparams.pem;
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-    ssl_prefer_server_ciphers off;
-
-    # enable HSTS
-    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
-    add_header X-Frame-Options SAMEORIGIN;
-
-    # added headers for hardening browser security
-    add_header Referrer-Policy "no-referrer" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Download-Options "noopen" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Permitted-Cross-Domain-Policies "none" always;
-    add_header X-Robots-Tag "none" always;
-    add_header X-XSS-Protection "1; mode=block" always;
-
-    # remove X-Powered-By, which is an information leak
-    fastcgi_hide_header X-Powered-By;
-
-    location / {
-        try_files $uri $uri/ /index.php$is_args$query_string;
-    }
-
-    location ~ \.php$ {
-        include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
-        fastcgi_read_timeout 300;
-    }
-}

core/files/etc/nginx/sites-available/misp443

@@ -0,0 +1,29 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # disable access logs
+    access_log off;
+    log_not_found off;
+    error_log  /dev/stderr error;
+
+    # ssl options
+    ssl_certificate /etc/nginx/certs/cert.pem;
+    ssl_certificate_key /etc/nginx/certs/key.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # ssl intermediate configuration
+    ssl_dhparam /etc/nginx/certs/dhparams.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # ssl enable HSTS
+    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+    add_header X-Frame-Options SAMEORIGIN;
+
+    # include misp
+    include includes/misp;
+}

core/files/etc/nginx/sites-available/misp80

@@ -2,10 +2,11 @@ server {
     listen 80 default_server;
     listen [::]:80 default_server;
 
-    # Disable access logs
+    # disable access logs
     access_log off;
     log_not_found off;
     error_log  /dev/stderr error;
 
-    return 301 https://$host$request_uri;
+    # include includes/misp;
+    # return 301 https://$host$request_uri;
 }

docker-compose.yml

@@ -65,6 +65,7 @@ services:
       - "BASE_URL=${BASE_URL}"
       - "CRON_USER_ID=${CRON_USER_ID}"
       - "DISABLE_IPV6=${DISABLE_IPV6}"
+      - "DISABLE_SSL_REDIRECT=${DISABLE_SSL_REDIRECT}"
       # standard settings
       - "ADMIN_EMAIL=${ADMIN_EMAIL}"
       - "ADMIN_PASSWORD=${ADMIN_PASSWORD}"

template.env

@@ -85,9 +85,12 @@ SYNCSERVERS_1_KEY=
 # if ADMIN_KEY is not set above (default true)
 # AUTOGEN_ADMIN_KEY=true
 
-# Disable IPv6 completely (this setting will persist until the container is removed)
+# Disable IPv6 completely
 # DISABLE_IPV6=true
 
+# Disable SSL redirect
+# DISABLE_SSL_REDIRECT=true
+
 # Enable OIDC authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/OidcAuth/README.md
 # OIDC_ENABLE=true
 # OIDC_PROVIDER_URL=