Merge pull request #1 from arnydo/misp-proxy

Add NGINX Reverse Proxy option

README.md

@@ -15,6 +15,17 @@ The build is based on Ubuntu and will install all the required components. The f
 * Creation of the MySQL database
 * Generation of the admin PGP key
 
+
+# Optional NGINX config
+
+Included is an optional Docker Compose file 'docker-compose-nginx.yml' to spin up a reverse proxy to sit in front of MISP.
+
+## Config
+* add your "*.crt" and "*.key" files to the ./misp-proxy/ssl folder
+If not implementing SSL (not recommended) then simply comment out the appropriate lines in the "./misp-proxy/default.conf" file.
+* Update "server_name" in default.conf file (will implement ENVIRONMENT VARIABLE in the future)
+
+
 # Building your image
 
 ## Fetch files
@@ -33,4 +44,16 @@ Edit the docker-compose.yml and change the following environment variables:
 ## Build the containers
 ```
 # docker-compose build
+or
+# docker-compose -f docker-compose-nginx.yml build
 ```
+
+## Run containers
+```
+# docker-compose up
+or
+# docker-compose -f docker-compose-nginx.yml up
+```
+
+
+

docker-compose-nginx.yml

@@ -0,0 +1,61 @@
+version: '2'
+
+services:
+  proxy:
+    build:
+      context: misp-proxy
+    container_name: misp-proxy
+    depends_on:
+      - misp-web
+    hostname: misp-proxy
+    image: misp-proxy:latest
+    networks:
+      - misp-network
+    ports:
+      - 81:80
+      - 4443:443
+
+  misp-web:
+    build: misp-web
+    depends_on:
+      - misp-db
+    container_name: misp-web
+    hostname: misp-web
+    image: misp-web:latest
+    restart: always
+    networks:
+      - misp-network
+    links:
+      - misp-db
+    volumes:
+      - /dev/urandom:/dev/random
+      - /data/misp:/var/www/MISP
+    environment:
+      - MYSQL_ROOT_PASSWORD=xxxxxxxx
+      - MYSQL_MISP_PASSWORD=xxxxxxxx
+      - MYSQL_HOST=misp-db
+      - MISP_ADMIN_EMAIL=admin@admin.test
+      - MISP_ADMIN_PASSPHRASE=xxxxxxxxx
+      - MISP_BASEURL=http:\/\/misp\.test
+      - POSTFIX_RELAY_HOST=relay.fqdn
+      - TIMEZONE=Europe/Brussels
+
+  misp-db:
+    build: 
+      context: misp-db
+      args:
+        MYSQL_MISP_PASSWORD: xxxxxxxx
+    container_name: misp-db
+    hostname: misp-db
+    image: misp-db:latest
+    restart: always
+    networks:
+      - misp-network
+    volumes:
+      - /data/mysql:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=xxxxxxxx
+
+networks:
+  misp-network:
+    driver: bridge

misp-proxy/Dockerfile

@@ -0,0 +1,13 @@
+FROM nginx:1.9
+
+#  default conf for proxy service
+COPY ./default.conf /etc/nginx/conf.d/default.conf
+
+# NOT FOUND response
+COPY ./backend-not-found.html /var/www/html/backend-not-found.html
+
+#  Proxy and SSL configurations
+COPY ./includes/ /etc/nginx/includes/
+
+# Proxy SSL certificates
+COPY ./ssl/ /etc/ssl/certs/nginx/

misp-proxy/backend-not-found.html

@@ -0,0 +1,6 @@
+<html>
+<head><title>Proxy Backend Not Found</title></head>
+<body >
+<h2>Proxy Backend  Not Found</h2>
+</body>
+</html>

misp-proxy/default.conf

@@ -0,0 +1,45 @@
+# web service1 config.
+server {
+    listen 80;
+    listen 443 ssl http2;
+    server_name misp.test;
+
+    if ($scheme != "https") {
+    	rewrite ^ https://$host$uri permanent;
+	}
+    
+    # Path for SSL config/key/certificate
+    ssl_certificate /etc/ssl/certs/nginx/misp.crt;
+    ssl_certificate_key /etc/ssl/certs/nginx/misp.key;
+    include /etc/nginx/includes/ssl.conf;
+
+    location / {
+        include /etc/nginx/includes/proxy.conf;
+        proxy_pass http://misp-web;
+    }
+
+    access_log off;
+    error_log  /var/log/nginx/error.log error;
+}
+
+# Default
+server {
+    listen 80 default_server;
+
+    server_name _;
+    root /var/www/html;
+
+    charset UTF-8;
+
+    error_page 404 /backend-not-found.html;
+    location = /backend-not-found.html {
+        allow   all;
+    }
+    location / {
+        return 404;
+    }
+
+    access_log off;
+    log_not_found off;
+    error_log  /var/log/nginx/error.log error;
+}

misp-proxy/includes/proxy.conf

@@ -0,0 +1,8 @@
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_buffering off;
+proxy_request_buffering off;
+proxy_http_version 1.1;
+proxy_intercept_errors on;

misp-proxy/includes/ssl.conf

@@ -0,0 +1,7 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHAECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_prefer_server_ciphers on;