mirror of https://github.com/MISP/misp-docker
Allow disabling of SSL redirection
parent
81c9d9e00e
commit
6f8dd83d9a
|
@ -17,6 +17,7 @@ trap term_proc SIGTERM
|
|||
[ -z "$CRON_USER_ID" ] && export CRON_USER_ID="1"
|
||||
[ -z "$BASE_URL" ] && export BASE_URL="https://localhost"
|
||||
[ -z "$DISABLE_IPV6" ] && export DISABLE_IPV6=false
|
||||
[ -z "$DISABLE_SSL_REDIRECT" ] && export DISABLE_SSL_REDIRECT=false
|
||||
|
||||
init_mysql(){
|
||||
# Test when MySQL is ready....
|
||||
|
@ -197,7 +198,7 @@ flip_nginx() {
|
|||
|
||||
# must be valid for all roots
|
||||
echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
|
||||
sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp
|
||||
sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/includes/misp
|
||||
|
||||
if [[ "$reload" = "true" ]]; then
|
||||
echo "... nginx reloaded"
|
||||
|
@ -210,7 +211,16 @@ init_nginx() {
|
|||
if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
|
||||
echo "... enabling port 80 redirect"
|
||||
if [[ "$DISABLE_IPV6" = "true" ]]; then
|
||||
sed -i "/\[::\]/d" /etc/nginx/sites-available/misp80
|
||||
sed -i "s/[^#] listen \[/ # listen \[/" /etc/nginx/sites-available/misp80
|
||||
else
|
||||
sed -i "s/# listen \[/listen \[" /etc/nginx/sites-available/misp80
|
||||
fi
|
||||
if [[ "$DISABLE_SSL_REDIRECT" = "true" ]]; then
|
||||
sed -i "s/[^#] return / # return /" /etc/nginx/sites-available/misp80
|
||||
sed -i "s/# include /include /" /etc/nginx/sites-available/misp80
|
||||
else
|
||||
sed -i "s/[^#] include / # include /" /etc/nginx/sites-available/misp80
|
||||
sed -i "s/# return /return /" /etc/nginx/sites-available/misp80
|
||||
fi
|
||||
ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
|
||||
else
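Review bot: The `if [[ "$DISABLE_SSL_REDIRECT" = "true" ]]` block only runs inside the surrounding `if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]` guard, so the choice is applied once on first start and changing the variable later has no effect until the symlink is removed; the old .env comment on DISABLE_IPV6 ("this setting will persist until the container is removed") described exactly this, and the .env hunk drops it while adding DISABLE_SSL_REDIRECT without it. I would keep that caveat on both variables in the .env example, or, since the four `sed` substitutions look idempotent, move the two toggle blocks above the guard so they run on every start. The .env comment should also say that with the redirect disabled MISP is served in clear text on port 80, which is only appropriate behind a TLS-terminating proxy, because session cookies and API keys otherwise cross the network unencrypted. init_nginx continues outside the hunk.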
|
||||
|
@ -218,12 +228,14 @@ init_nginx() {
|
|||
fi
|
||||
|
||||
# Testing for files also test for links, and generalize better to mounted files
|
||||
if [[ ! -f "/etc/nginx/sites-enabled/misp" ]]; then
|
||||
if [[ ! -f "/etc/nginx/sites-enabled/misp443" ]]; then
|
||||
echo "... enabling port 443"
|
||||
if [[ "$DISABLE_IPV6" = "true" ]]; then
|
||||
sed -i "/\[::\]/d" /etc/nginx/sites-available/misp
|
||||
sed -i "s/[^#] listen \[/ # listen \[/" /etc/nginx/sites-available/misp443
|
||||
else
|
||||
sed -i "s/# listen \[/listen \[" /etc/nginx/sites-available/misp443
|
||||
fi
|
||||
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
|
||||
ln -s /etc/nginx/sites-available/misp443 /etc/nginx/sites-enabled/misp443
|
||||
else
|
||||
echo "... port 443 already configured"
|
||||
fi
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
# define the root dir
|
||||
root /var/www/MISP/app/webroot;
|
||||
index index.php;
|
||||
|
||||
# incrase the maximum body size
|
||||
client_max_body_size 50M;
|
||||
|
||||
# added headers for hardening browser security
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
||||
# remove X-Powered-By, which is an information leak
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php$is_args$query_string;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
|
||||
fastcgi_read_timeout 300;
|
||||
}
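Review bot: Typo in the comment `# incrase the maximum body size` — `# increase the maximum body size`. Since this include is now shared by the TLS server block and, when DISABLE_SSL_REDIRECT=true, by the plain port-80 block, a header comment stating that would help the next editor, e.g. `# shared by sites-available/misp80 and misp443; keep TLS-only directives (ssl_*, HSTS) out of this file`.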
|
|
@ -1,53 +0,0 @@
|
|||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
# define the root dir
|
||||
root /var/www/MISP/app/webroot;
|
||||
index index.php;
|
||||
|
||||
client_max_body_size 50M;
|
||||
|
||||
# disable access logs
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
error_log /dev/stderr error;
|
||||
|
||||
ssl_certificate /etc/nginx/certs/cert.pem;
|
||||
ssl_certificate_key /etc/nginx/certs/key.pem;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||
ssl_session_tickets off;
|
||||
|
||||
# intermediate configuration
|
||||
ssl_dhparam /etc/nginx/certs/dhparams.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
# enable HSTS
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
|
||||
# added headers for hardening browser security
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
||||
# remove X-Powered-By, which is an information leak
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php$is_args$query_string;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
|
||||
fastcgi_read_timeout 300;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,29 @@
|
|||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
# disable access logs
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
error_log /dev/stderr error;
|
||||
|
||||
# ssl options
|
||||
ssl_certificate /etc/nginx/certs/cert.pem;
|
||||
ssl_certificate_key /etc/nginx/certs/key.pem;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||
ssl_session_tickets off;
|
||||
|
||||
# ssl intermediate configuration
|
||||
ssl_dhparam /etc/nginx/certs/dhparams.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
# ssl enable HSTS
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
|
||||
# include misp
|
||||
include includes/misp;
|
||||
}
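Review bot: `add_header X-Frame-Options SAMEORIGIN;` under the HSTS line duplicates the `add_header X-Frame-Options "SAMEORIGIN" always;` that `include includes/misp;` brings into the same server block, so responses carry the header twice; this was already the case in the deleted file, but the new file is a chance to drop the bare variant and keep the `always` one from the include. The same applies to any future header added here: add_header directives for both listeners belong in includes/misp, only the TLS-specific ones (HSTS) should stay in this block.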
|
|
@ -2,10 +2,11 @@ server {
|
|||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
# Disable access logs
|
||||
# disable access logs
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
error_log /dev/stderr error;
|
||||
|
||||
return 301 https://$host$request_uri;
|
||||
# include includes/misp;
|
||||
# return 301 https://$host$request_uri;
|
||||
}
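Review bot: Both `# include includes/misp;` and `# return 301 https://$host$request_uri;` now ship commented out, so this file is not a working server block on its own and depends on init_nginx() uncommenting one of them, which a reader of the file cannot see. I would add above the two lines: `# exactly one of the next two lines is enabled by the entrypoint (init_nginx) depending on DISABLE_SSL_REDIRECT`. Note that the substitutions match the exact `# include ` and `# return ` spelling, so the comment marker and spacing here must not be reformatted.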
|
||||
|
|
|
@ -65,6 +65,7 @@ services:
|
|||
- "BASE_URL=${BASE_URL}"
|
||||
- "CRON_USER_ID=${CRON_USER_ID}"
|
||||
- "DISABLE_IPV6=${DISABLE_IPV6}"
|
||||
- "DISABLE_SSL_REDIRECT=${DISABLE_SSL_REDIRECT}"
|
||||
# standard settings
|
||||
- "ADMIN_EMAIL=${ADMIN_EMAIL}"
|
||||
- "ADMIN_PASSWORD=${ADMIN_PASSWORD}"
|
||||
|
|
|
@ -85,9 +85,12 @@ SYNCSERVERS_1_KEY=
|
|||
# if ADMIN_KEY is not set above (default true)
|
||||
# AUTOGEN_ADMIN_KEY=true
|
||||
|
||||
# Disable IPv6 completely (this setting will persist until the container is removed)
|
||||
# Disable IPv6 completely
|
||||
# DISABLE_IPV6=true
|
||||
|
||||
# Disable SSL redirect
|
||||
# DISABLE_SSL_REDIRECT=true
|
||||
|
||||
# Enable OIDC authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/OidcAuth/README.md
|
||||
# OIDC_ENABLE=true
|
||||
# OIDC_PROVIDER_URL=
|
||||
|
|