Allow disabling of SSL redirection

pull/21/head
Stefano Ortolani 2024-03-01 12:57:53 +00:00
parent 81c9d9e00e
commit 6f8dd83d9a
7 changed files with 82 additions and 61 deletions


@ -17,6 +17,7 @@ trap term_proc SIGTERM
[ -z "$CRON_USER_ID" ] && export CRON_USER_ID="1"
[ -z "$BASE_URL" ] && export BASE_URL="https://localhost"
[ -z "$DISABLE_IPV6" ] && export DISABLE_IPV6=false
[ -z "$DISABLE_SSL_REDIRECT" ] && export DISABLE_SSL_REDIRECT=false
init_mysql(){
# Test when MySQL is ready....
@ -197,7 +198,7 @@ flip_nginx() {
# must be valid for all roots
echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp
sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/includes/misp
if [[ "$reload" = "true" ]]; then
echo "... nginx reloaded"
@ -210,7 +211,16 @@ init_nginx() {
if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
echo "... enabling port 80 redirect"
if [[ "$DISABLE_IPV6" = "true" ]]; then
sed -i "/\[::\]/d" /etc/nginx/sites-available/misp80
sed -i "s/[^#] listen \[/ # listen \[/" /etc/nginx/sites-available/misp80
else
sed -i "s/# listen \[/listen \[" /etc/nginx/sites-available/misp80
fi
if [[ "$DISABLE_SSL_REDIRECT" = "true" ]]; then
sed -i "s/[^#] return / # return /" /etc/nginx/sites-available/misp80
sed -i "s/# include /include /" /etc/nginx/sites-available/misp80
else
sed -i "s/[^#] include / # include /" /etc/nginx/sites-available/misp80
sed -i "s/# return /return /" /etc/nginx/sites-available/misp80
fi
ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
else
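Review bot: The DISABLE_SSL_REDIRECT toggling at the new lines inside this hunk runs only under the `if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]` guard, so the value is applied once on first initialisation and changing it on an existing container has no effect; the .env hunk of this commit appears to drop the "(this setting will persist until the container is removed)" caveat from the DISABLE_IPV6 comment, although that caveat now applies to both toggles. Either move the two sed pairs for the redirect (and the IPv6 ones) out of the `! -f` guard so every start re-applies the current value, or restore the caveat next to `# DISABLE_SSL_REDIRECT=true`. The patterns `s/[^#] return / # return /` and `s/# include /include /` are unanchored and would rewrite any later line in misp80 containing those tokens (a comment reading `# include ...`, say); anchoring them to the directive, e.g. `sed -i "s/^\(\s*\)# include /\1include /"`, keeps the edit to the intended line. init_nginx starts before this hunk and its else branch continues past it.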
@ -218,12 +228,14 @@ init_nginx() {
fi
# Testing for files also test for links, and generalize better to mounted files
if [[ ! -f "/etc/nginx/sites-enabled/misp" ]]; then
if [[ ! -f "/etc/nginx/sites-enabled/misp443" ]]; then
echo "... enabling port 443"
if [[ "$DISABLE_IPV6" = "true" ]]; then
sed -i "/\[::\]/d" /etc/nginx/sites-available/misp
sed -i "s/[^#] listen \[/ # listen \[/" /etc/nginx/sites-available/misp443
else
sed -i "s/# listen \[/listen \[" /etc/nginx/sites-available/misp443
fi
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
ln -s /etc/nginx/sites-available/misp443 /etc/nginx/sites-enabled/misp443
else
echo "... port 443 already configured"
fi


@ -0,0 +1,28 @@
# define the root dir
root /var/www/MISP/app/webroot;
index index.php;
# incrase the maximum body size
client_max_body_size 50M;
# added headers for hardening browser security
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location / {
try_files $uri $uri/ /index.php$is_args$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_read_timeout 300;
}
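Review bot: The new comment `# incrase the maximum body size` has a typo; `# increase the maximum body size`. Since this snippet is now pulled in by the 443 server block via `include includes/misp;` and, when the redirect is disabled, by the port-80 block as well, a one-line header saying so would help the next editor, e.g. `# shared MISP location and hardening headers; included by the 443 server block and, when DISABLE_SSL_REDIRECT=true, by the port-80 block`.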


@ -1,53 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# define the root dir
root /var/www/MISP/app/webroot;
index index.php;
client_max_body_size 50M;
# disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/nginx/certs/key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# intermediate configuration
ssl_dhparam /etc/nginx/certs/dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# enable HSTS
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
add_header X-Frame-Options SAMEORIGIN;
# added headers for hardening browser security
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location / {
try_files $uri $uri/ /index.php$is_args$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_read_timeout 300;
}
}


@ -0,0 +1,29 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
# ssl options
ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/nginx/certs/key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# ssl intermediate configuration
ssl_dhparam /etc/nginx/certs/dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# ssl enable HSTS
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
add_header X-Frame-Options SAMEORIGIN;
# include misp
include includes/misp;
}
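Review bot: `add_header X-Frame-Options SAMEORIGIN;` in this server block duplicates the `add_header X-Frame-Options "SAMEORIGIN" always;` that arrives through `include includes/misp;`, and both sit in the same server context, so every response carries the header twice; drop the local one and let the include provide it. While here, `add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";` lacks `always`, so HSTS is not emitted on 4xx/5xx responses even though every other hardening header in the include uses it; `add_header Strict-Transport-Security "max-age=15768000; includeSubdomains" always;` makes the two consistent.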


@ -2,10 +2,11 @@ server {
listen 80 default_server;
listen [::]:80 default_server;
# Disable access logs
# disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
return 301 https://$host$request_uri;
# include includes/misp;
# return 301 https://$host$request_uri;
}
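Review bot: The template now ships with both `# include includes/misp;` and `# return 301 https://$host$request_uri;` commented out, so a port-80 block that does not pass through the sed toggles in init_nginx (a mounted or hand-edited file, or a sed that did not match) neither redirects nor serves anything, and the untouched default quietly becomes "no redirect" where the previous unconditional `return 301` enforced HTTPS. Because init_nginx comments one directive and uncomments the other in each branch, the template can keep `return 301 https://$host$request_uri;` active and leave only the include commented, so the file is safe before any toggling runs. A comment above the pair, e.g. `# exactly one of the next two lines is active; init_nginx flips them from DISABLE_SSL_REDIRECT`, would tell an operator editing by hand what the commented lines are for.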


@ -65,6 +65,7 @@ services:
- "BASE_URL=${BASE_URL}"
- "CRON_USER_ID=${CRON_USER_ID}"
- "DISABLE_IPV6=${DISABLE_IPV6}"
- "DISABLE_SSL_REDIRECT=${DISABLE_SSL_REDIRECT}"
# standard settings
- "ADMIN_EMAIL=${ADMIN_EMAIL}"
- "ADMIN_PASSWORD=${ADMIN_PASSWORD}"


@ -85,9 +85,12 @@ SYNCSERVERS_1_KEY=
# if ADMIN_KEY is not set above (default true)
# AUTOGEN_ADMIN_KEY=true
# Disable IPv6 completely (this setting will persist until the container is removed)
# Disable IPv6 completely
# DISABLE_IPV6=true
# Disable SSL redirect
# DISABLE_SSL_REDIRECT=true
# Enable OIDC authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/OidcAuth/README.md
# OIDC_ENABLE=true
# OIDC_PROVIDER_URL=