MISP
/
misp-docker
mirror of https://github.com/MISP/misp-docker
2
0
Fork 0
Code Issues Releases Wiki Activity

Default to modern nginx security - resolves #50

pull/1/head
Jason Kendall 2020-05-28 19:33:54 -04:00
parent 5083315a00
commit 9d2e722140
4 changed files with 31 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docker-compose.yml
View File

@ -48,7 +48,7 @@ services:
# Optional Settings
# - "NOREDIR=true" # Do not redirect port 80
# - "DISIPV6=true" # Disable IPV6 in nginx
# - "SECURESSL=true" # Enable higher security SSL in nginx
misp-modules:
image: coolacid/misp-docker:modules-latest
environment:

3
server/Dockerfile
View File

@ -120,7 +120,8 @@ ARG PHP_VER
# nginx
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
COPY files/etc/nginx/misp /etc/nginx/sites-enabled/misp
COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure
COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
COPY files/etc/nginx/misp80-noredir /etc/nginx/sites-available/misp80-noredir

15
server/files/entrypoint_nginx.sh
View File

@ -123,6 +123,21 @@ else
echo "Configure NGINX | Port 80 already configured"
fi
if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then
echo "Configure NGINX | Using Secure SSL"
ln -s /etc/nginx/sites-available/misp-secure /etc/nginx/sites-enabled/misp
elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
echo "Configure NGINX | Using Standard SSL"
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
if [[ ! -f /etc/ssl/certs/dhparams.pem ]]; then
echo "Configure NGINX | Building dhparams.pem"
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
fi
else
echo "Configure NGINX | SSL already configured"
fi
if [[ "$DISIPV6" == true ]]; then
echo "Configure NGINX | Disabling IPv6"
sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80

24
server/files/etc/nginx/misp
View File

@ -16,9 +16,11 @@ server {
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# modern configuration
ssl_protocols TLSv1.3;
# intermediate configuration
ssl_dhparam /etc/ssl/certs/dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# enable HSTS
@ -26,14 +28,14 @@ server {
add_header X-Frame-Options SAMEORIGIN;
# Aded headers for hardening browser security
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;