From c57f2669ec8f34a934fc089b2c263f607dc4bbc6 Mon Sep 17 00:00:00 2001
From: Jason Kendall
Date: Thu, 27 Feb 2020 15:28:21 -0500
Subject: [PATCH] ENV to disable port 80 redirect - fixes #34
---
 .env | 2 +-
 docker-compose.yml | 1 +
 server/Dockerfile | 3 ++-
 server/files/entrypoint_nginx.sh | 6 +++++
 server/files/etc/nginx/misp80-noredir | 32 +++++++++++++++++++++++++++
 5 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 server/files/etc/nginx/misp80-noredir
diff --git a/.env b/.env
index 327c34d..e383695 100644
--- a/.env
+++ b/.env
@@ -1,2 +1,2 @@
-MISP_TAG=v2.4.122
+MISP_TAG=v2.4.121
 PHP_VER=20180731
diff --git a/docker-compose.yml b/docker-compose.yml
index 9f5b34b..64276d2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -42,6 +42,7 @@ services:
 - "MYSQL_PASSWORD=example"
 - "HOSTNAME=https://localhost"
 - "INIT=true" # Initialze MISP, things includes, attempting to import SQL and the Files DIR
+# - "NOREDIR=true" #Do not redirect port 80
 misp-modules:
 image: coolacid/misp-docker:modules-latest
diff --git a/server/Dockerfile b/server/Dockerfile
index f8deade..6456992 100644
--- a/server/Dockerfile
+++ b/server/Dockerfile
@@ -121,7 +121,8 @@ ARG PHP_VER
 # nginx
 RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
 COPY files/etc/nginx/misp /etc/nginx/sites-enabled/misp
- COPY files/etc/nginx/misp80 /etc/nginx/sites-enabled/misp80
+ COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
+ COPY files/etc/nginx/misp80-noredir /etc/nginx/sites-available/misp80-noredir
 # Make a copy of the file store, so we can sync from it
 RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh
index 40d0b31..80a6564 100755
--- a/server/files/entrypoint_nginx.sh
+++ b/server/files/entrypoint_nginx.sh
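Review bot: In the `.env` hunk, `MISP_TAG` moves from v2.4.122 back to v2.4.121, a downgrade that the commit subject (disabling the port 80 redirect) does not mention. If this is a leftover from local testing it should be dropped from the patch so the build keeps `MISP_TAG=v2.4.122`. If it is intentional, the reason belongs in the commit message, because building an older tag can leave out fixes shipped in the newer release.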
@@ -112,5 +112,11 @@ if [[ ! -f /var/www/MISP/PyMISP/pymisp/data/describeTypes.json ]]; then
 ln -s /usr/local/lib/python3.7/dist-packages/pymisp/data/describeTypes.json /var/www/MISP/PyMISP/pymisp/data/describeTypes.json
 fi
+if [[ "$NOREDIR" == true ]]; then
+ ln -s /etc/nginx/sites-available/misp80-noredir /etc/nginx/sites-enabled/misp80
+else
+ ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
+fi
+
 # Start NGINX
 nginx -g 'daemon off;'
diff --git a/server/files/etc/nginx/misp80-noredir b/server/files/etc/nginx/misp80-noredir
new file mode 100644
index 0000000..ef5a2ee
--- /dev/null
+++ b/server/files/etc/nginx/misp80-noredir
@@ -0,0 +1,32 @@
+server {
+ listen 80;
+ listen [::]:80;
+ root /var/www/MISP/app/webroot;
+ index index.php;
+
+ # Disable access logs
+ access_log off;
+ log_not_found off;
+ error_log /dev/stderr error;
+
+ # Aded headers for hardening browser security
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ location / {
+ try_files $uri $uri/ /index.php;
+ }
+
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+ }
+}
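Review bot: Both added `ln -s` calls in entrypoint_nginx.sh create `/etc/nginx/sites-enabled/misp80` unconditionally, so when the same container is stopped and started again the link already exists and `ln` fails with "File exists"; unlike the describeTypes.json link just above, there is no existence guard. Using `ln -sf` in both branches, e.g. `ln -sf /etc/nginx/sites-available/misp80-noredir /etc/nginx/sites-enabled/misp80`, makes the step idempotent and keeps the enabled vhost in line with the current NOREDIR value. Whether the failed `ln` aborts startup depends on shell options set outside this hunk. The test also accepts only the exact string `true`, which is worth stating in the docker-compose.yml comment.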
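Review bot: The new misp80-noredir vhost serves the full MISP application over plain HTTP on port 80, and nothing in the file says when that is acceptable; with NOREDIR=true, logins, session cookies and API credentials travel unencrypted unless a TLS-terminating proxy sits in front of the container. A header comment should state that constraint, e.g. `# Plain-HTTP vhost used when NOREDIR=true; only for deployments behind a TLS-terminating reverse proxy, never expose port 80 directly.` The same warning belongs next to the commented-out `NOREDIR` line in docker-compose.yml. `access_log off;` also means requests on this listener leave no nginx record, which is worth reconsidering now that the listener carries application traffic rather than redirects. The comment `# Aded headers` has a typo (`Added`).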