diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
index 090a023..c3d1a36 100755
--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
@@ -17,6 +17,7 @@ trap term_proc SIGTERM
 [ -z "$CRON_USER_ID" ] && export CRON_USER_ID="1"
 [ -z "$BASE_URL" ] && export BASE_URL="https://localhost"
 [ -z "$DISABLE_IPV6" ] && export DISABLE_IPV6=false
+[ -z "$DISABLE_SSL_REDIRECT" ] && export DISABLE_SSL_REDIRECT=false
 init_mysql(){
 # Test when MySQL is ready....
@@ -197,7 +198,7 @@ flip_nginx() {
 # must be valid for all roots
 echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
- sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp
+ sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/includes/misp
 if [[ "$reload" = "true" ]]; then
 echo "... nginx reloaded"
@@ -210,7 +211,16 @@ init_nginx() {
 if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
 echo "... enabling port 80 redirect"
 if [[ "$DISABLE_IPV6" = "true" ]]; then
- sed -i "/\[::\]/d" /etc/nginx/sites-available/misp80
+ sed -i "s/[^#] listen \[/ # listen \[/" /etc/nginx/sites-available/misp80
+ else
+ sed -i "s/# listen \[/listen \[" /etc/nginx/sites-available/misp80
+ fi
+ if [[ "$DISABLE_SSL_REDIRECT" = "true" ]]; then
+ sed -i "s/[^#] return / # return /" /etc/nginx/sites-available/misp80
+ sed -i "s/# include /include /" /etc/nginx/sites-available/misp80
+ else
+ sed -i "s/[^#] include / # include /" /etc/nginx/sites-available/misp80
+ sed -i "s/# return /return /" /etc/nginx/sites-available/misp80
 fi
 ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
 else
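Review bot: The new `DISABLE_SSL_REDIRECT` toggle in init_nginx() sits inside `if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]`, so once that symlink exists the sed rewrites are skipped and changing the variable on a restarted container has no effect; the same first-boot-only behaviour already applied to `DISABLE_IPV6`, yet the template.env hunk removes the caveat that documented it. Either move the two sed toggles out of that branch so they run on every start (the `[^#] return ` / `[^#] include ` patterns only match an uncommented directive, so repeated runs are idempotent apart from indentation drift), or keep the persistence note in template.env for both variables. A comment next to the toggle should also state what `true` actually does, since the mode name hides it: `# true: port 80 serves MISP itself over plaintext instead of redirecting (presumably for a TLS-terminating proxy in front)`. The enclosing init_nginx() continues past the hunk.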
@@ -218,12 +228,14 @@ init_nginx() {
 fi
 # Testing for files also test for links, and generalize better to mounted files
- if [[ ! -f "/etc/nginx/sites-enabled/misp" ]]; then
+ if [[ ! -f "/etc/nginx/sites-enabled/misp443" ]]; then
 echo "... enabling port 443"
 if [[ "$DISABLE_IPV6" = "true" ]]; then
- sed -i "/\[::\]/d" /etc/nginx/sites-available/misp
+ sed -i "s/[^#] listen \[/ # listen \[/" /etc/nginx/sites-available/misp443
+ else
+ sed -i "s/# listen \[/listen \[" /etc/nginx/sites-available/misp443
 fi
- ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
+ ln -s /etc/nginx/sites-available/misp443 /etc/nginx/sites-enabled/misp443
 else
 echo "... port 443 already configured"
 fi
diff --git a/core/files/etc/nginx/includes/misp b/core/files/etc/nginx/includes/misp
new file mode 100644
index 0000000..1f26465
--- /dev/null
+++ b/core/files/etc/nginx/includes/misp
@@ -0,0 +1,28 @@
+# define the root dir
+root /var/www/MISP/app/webroot;
+index index.php;
+
+# incrase the maximum body size
+client_max_body_size 50M;
+
+# added headers for hardening browser security
+add_header Referrer-Policy "no-referrer" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Download-Options "noopen" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Permitted-Cross-Domain-Policies "none" always;
+add_header X-Robots-Tag "none" always;
+add_header X-XSS-Protection "1; mode=block" always;
+
+# remove X-Powered-By, which is an information leak
+fastcgi_hide_header X-Powered-By;
+
+location / {
+ try_files $uri $uri/ /index.php$is_args$query_string;
+}
+
+location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+ fastcgi_read_timeout 300;
+}
diff --git a/core/files/etc/nginx/sites-available/misp b/core/files/etc/nginx/sites-available/misp
deleted file mode 100644
index 8eda5ae..0000000
--- a/core/files/etc/nginx/sites-available/misp
+++ /dev/null
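Review bot: The new includes/misp file has no header saying where it is meant to be used, and that matters now that it is pulled into both the TLS server in misp443 and, when `DISABLE_SSL_REDIRECT=true`, the plaintext port-80 server: a reader of this file cannot tell that the headers it sets are the only hardening a plaintext deployment gets, because HSTS stays in misp443. Add a top-of-file comment such as `# Shared server-level directives for MISP; include inside a server {} block. TLS and HSTS settings live in sites-available/misp443.` The comment `# incrase the maximum body size` should read `# increase the maximum body size`.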
@@ -1,53 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- # define the root dir
- root /var/www/MISP/app/webroot;
- index index.php;
-
- client_max_body_size 50M;
-
- # disable access logs
- access_log off;
- log_not_found off;
- error_log /dev/stderr error;
-
- ssl_certificate /etc/nginx/certs/cert.pem;
- ssl_certificate_key /etc/nginx/certs/key.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
-
- # intermediate configuration
- ssl_dhparam /etc/nginx/certs/dhparams.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- ssl_prefer_server_ciphers off;
-
- # enable HSTS
- add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
- add_header X-Frame-Options SAMEORIGIN;
-
- # added headers for hardening browser security
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
-
- location / {
- try_files $uri $uri/ /index.php$is_args$query_string;
- }
-
- location ~ \.php$ {
- include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
- fastcgi_read_timeout 300;
- }
-}
diff --git a/core/files/etc/nginx/sites-available/misp443 b/core/files/etc/nginx/sites-available/misp443
new file mode 100644
index 0000000..d38b810
--- /dev/null
+++ b/core/files/etc/nginx/sites-available/misp443
@@ -0,0 +1,29 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ # disable access logs
+ access_log off;
+ log_not_found off;
+ error_log /dev/stderr error;
+
+ # ssl options
+ ssl_certificate /etc/nginx/certs/cert.pem;
+ ssl_certificate_key /etc/nginx/certs/key.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ # ssl intermediate configuration
+ ssl_dhparam /etc/nginx/certs/dhparams.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # ssl enable HSTS
+ add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+ add_header X-Frame-Options SAMEORIGIN;
+
+ # include misp
+ include includes/misp;
+}
diff --git a/core/files/etc/nginx/sites-available/misp80 b/core/files/etc/nginx/sites-available/misp80
index f3d5a0d..1404252 100644
--- a/core/files/etc/nginx/sites-available/misp80
+++ b/core/files/etc/nginx/sites-available/misp80
@@ -2,10 +2,11 @@ server {
 listen 80 default_server;
 listen [::]:80 default_server;
- # Disable access logs
+ # disable access logs
 access_log off;
 log_not_found off;
 error_log /dev/stderr error;
- return 301 https://$host$request_uri;
+ # include includes/misp;
+ # return 301 https://$host$request_uri;
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index 83817de..1f4e54d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -65,6 +65,7 @@ services:
 - "BASE_URL=${BASE_URL}"
 - "CRON_USER_ID=${CRON_USER_ID}"
 - "DISABLE_IPV6=${DISABLE_IPV6}"
+ - "DISABLE_SSL_REDIRECT=${DISABLE_SSL_REDIRECT}"
 # standard settings
 - "ADMIN_EMAIL=${ADMIN_EMAIL}"
 - "ADMIN_PASSWORD=${ADMIN_PASSWORD}"
diff --git a/template.env b/template.env
index 454b3aa..327d331 100644
--- a/template.env
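Review bot: In misp443, `add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";` is the one hardening header without `always`, so nginx omits it on 4xx/5xx responses while every header in includes/misp carries it; write `add_header Strict-Transport-Security "max-age=15768000; includeSubdomains" always;`. The line below it, `add_header X-Frame-Options SAMEORIGIN;`, duplicates `add_header X-Frame-Options "SAMEORIGIN" always;` from the included file, so TLS responses carry that header twice; drop the copy here. Both lines were carried over verbatim from the deleted sites-available/misp, so the commit does not introduce them, but this new file is the place to correct them.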
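Review bot: misp80 is now shipped with both `# include includes/misp;` and `# return 301 https://$host$request_uri;` commented out, so the port-80 server has no behaviour of its own until the entrypoint's sed step runs; if that step is skipped (a mounted or pre-existing sites-enabled/misp80, or the entrypoint bypassed), port 80 neither redirects nor serves the application. The safer default is to ship the redirect active, `return 301 https://$host$request_uri;`, and leave only the include commented: the entrypoint's `[^#] return ` and `# include ` substitutions already handle both states, so the file defaults to redirect-to-TLS even when the toggle is never applied. A comment above the pair, `# the entrypoint enables exactly one of the next two lines from DISABLE_SSL_REDIRECT`, would make the mechanism visible to anyone editing this file by hand.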
+++ b/template.env
@@ -85,9 +85,12 @@ SYNCSERVERS_1_KEY=
 # if ADMIN_KEY is not set above (default true)
 # AUTOGEN_ADMIN_KEY=true
-# Disable IPv6 completely (this setting will persist until the container is removed)
+# Disable IPv6 completely
 # DISABLE_IPV6=true
+# Disable SSL redirect
+# DISABLE_SSL_REDIRECT=true
+
 # Enable OIDC authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/OidcAuth/README.md
 # OIDC_ENABLE=true
 # OIDC_PROVIDER_URL=