Add ApacheSecureAuth configuration option
parent
5b91567810
commit
c8cebcfdab
21
README.md
21
README.md
|
@ -76,6 +76,27 @@ New options are added on a regular basis.
|
|||
- `./gnupg`: `/var/www/MISP/.gnupg/`
|
||||
- If you need to automatically run additional steps each time the container starts, create a new file `files/customize_misp.sh`, and replace the variable `${CUSTOM_PATH}` inside `docker-compose.yml` with its parent path.
|
||||
|
||||
## Installing custom root CA certificates
|
||||
|
||||
Custom root CA certificates can be mounted under `/usr/local/share/ca-certificates` and will be installed during the `misp-core` container start.
|
||||
|
||||
**Note:** It is important to have the .crt extension on the file, otherwise it will not be processed.
|
||||
|
||||
```yaml
|
||||
misp-core:
|
||||
# ...
|
||||
volumes:
|
||||
- "./configs/:/var/www/MISP/app/Config/"
|
||||
- "./logs/:/var/www/MISP/app/tmp/logs/"
|
||||
- "./files/:/var/www/MISP/app/files/"
|
||||
- "./ssl/:/etc/nginx/certs/"
|
||||
- "./gnupg/:/var/www/MISP/.gnupg/"
|
||||
# customize by replacing ${CUSTOM_PATH} with a path containing 'files/customize_misp.sh'
|
||||
# - "${CUSTOM_PATH}/:/custom/"
|
||||
# mount custom ca root certificates
|
||||
- "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt"
|
||||
```
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
- Make sure you run a fairly recent version of Docker and Docker Compose (if in doubt, update following the steps outlined in https://docs.docker.com/engine/install/ubuntu/)
|
||||
|
|
|
@ -169,6 +169,8 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim"
|
|||
php-gd \
|
||||
php-fpm \
|
||||
php-zip \
|
||||
php-ldap \
|
||||
libldap-common \
|
||||
librdkafka1 \
|
||||
libbrotli1 \
|
||||
libsimdjson5 \
|
||||
|
|
|
@ -12,6 +12,7 @@ source /utilities.sh
|
|||
[ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
|
||||
[ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
|
||||
[ -z "$OIDC_ENABLE" ] && OIDC_ENABLE="false"
|
||||
[ -z "$LDAP_ENABLE" ] && LDAP_ENABLE="false"
|
||||
|
||||
init_configuration(){
|
||||
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
|
||||
|
@ -125,6 +126,37 @@ set_up_oidc() {
|
|||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
|
||||
}
|
||||
|
||||
set_up_ldap() {
|
||||
if [[ "$LDAP_ENABLE" != "true" ]]; then
|
||||
echo "... LDAP authentication disabled"
|
||||
return
|
||||
fi
|
||||
|
||||
# Check required variables
|
||||
# LDAP_SEARCH_FILTER may be empty
|
||||
check_env_vars LDAP_APACHE_ENV LDAP_SERVER LDAP_STARTTLS LDAP_READER_USER LDAP_READER_PASSWORD LDAP_DN LDAP_SEARCH_ATTRIBUTE LDAP_FILTER LDAP_DEFAULT_ROLE_ID LDAP_DEFAULT_ORG LDAP_OPT_PROTOCOL_VERSION LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_REFERRALS
|
||||
|
||||
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||
\"ApacheSecureAuth\": {
|
||||
\"apacheEnv\": \"${LDAP_APACHE_ENV}\",
|
||||
\"ldapServer\": \"${LDAP_SERVER}\",
|
||||
\"starttls\": ${LDAP_STARTTLS},
|
||||
\"ldapProtocol\": ${LDAP_OPT_PROTOCOL_VERSION},
|
||||
\"ldapNetworkTimeout\": ${LDAP_OPT_NETWORK_TIMEOUT},
|
||||
\"ldapReaderUser\": \"${LDAP_READ_USER}\",
|
||||
\"ldapReaderPassword\": \"${LDAP_READ_PASSWORD}\",
|
||||
\"ldapDN\": \"${LDAP_DN}\",
|
||||
\"ldapSearchFilter\": \"${LDAP_SEARCH_FILTER}\",
|
||||
\"ldapSearchAttribut\": \"${LDAP_SEARCH_ATTRIBUTE}\",
|
||||
\"ldapFilter\": ${LDAP_FILTER},
|
||||
\"ldapDefaultRoleId\": ${LDAP_DEFAULT_ROLE_ID},
|
||||
\"ldapDefaultOrg\": \"${LDAP_DEFAULT_ORG}\",
|
||||
\"ldapAllowReferrals\": ${LDAP_OPT_REFERRALS},
|
||||
\"ldapEmailField\": ${LDAP_EMAIL_FIELD}
|
||||
}
|
||||
}" > /dev/null
|
||||
}
|
||||
|
||||
apply_updates() {
|
||||
# Disable weird default
|
||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
|
||||
|
@ -267,6 +299,7 @@ create_sync_servers() {
|
|||
done
|
||||
}
|
||||
|
||||
echo "MISP | Update CA certificates ..." && update-ca-certificates
|
||||
|
||||
echo "MISP | Initialize configuration ..." && init_configuration
|
||||
|
||||
|
@ -288,5 +321,7 @@ echo "MISP | Update components ..." && update_components
|
|||
|
||||
echo "MISP | Set Up OIDC ..." && set_up_oidc
|
||||
|
||||
echo "MISP | Set Up LDAP ..." && set_up_ldap
|
||||
|
||||
echo "MISP | Mark instance live"
|
||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
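Review bot: In set_up_ldap the JSON handed to modify_config.php reads `${LDAP_READ_USER}` and `${LDAP_READ_PASSWORD}`, while check_env_vars on the line above (and docker-compose.yml in this same commit) use `LDAP_READER_USER`/`LDAP_READER_PASSWORD`, so `ldapReaderUser` and `ldapReaderPassword` are always written as empty strings and the configured service account is never used for the reader bind; the two lines should be `\"ldapReaderUser\": \"${LDAP_READER_USER}\",` and `\"ldapReaderPassword\": \"${LDAP_READER_PASSWORD}\",`. `LDAP_EMAIL_FIELD` is spliced in unquoted but is missing from the check_env_vars list, so if it is left unset the output contains `\"ldapEmailField\": ` and the document is no longer valid JSON — add it to the list, or give it a default next to the `LDAP_ENABLE` default at the top of the file. The whole document, bind password included, is also passed to `php` as a command-line argument, where it is readable through `ps` or `/proc/*/cmdline` by any process in the container for the duration of the call; if modify_config.php can take its input on stdin, feed it that way instead. Finally, values such as the reader DN or password are inserted raw, so a `"` or `\` in them breaks or alters the JSON; they should be escaped before interpolation.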
|
||||
|
|
|
@ -59,6 +59,8 @@ services:
|
|||
- "./gnupg/:/var/www/MISP/.gnupg/"
|
||||
# customize by replacing ${CUSTOM_PATH} with a path containing 'files/customize_misp.sh'
|
||||
# - "${CUSTOM_PATH}/:/custom/"
|
||||
# mount custom ca root certificates
|
||||
# - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt"
|
||||
environment:
|
||||
- "BASE_URL=${BASE_URL}"
|
||||
- "CRON_USER_ID=${CRON_USER_ID}"
|
||||
|
@ -69,7 +71,7 @@ services:
|
|||
- "ADMIN_KEY=${ADMIN_KEY}"
|
||||
- "ADMIN_ORG=${ADMIN_ORG}"
|
||||
- "GPG_PASSPHRASE=${GPG_PASSPHRASE}"
|
||||
# authentication settings
|
||||
# OIDC authentication settings
|
||||
- "OIDC_ENABLE=${OIDC_ENABLE}"
|
||||
- "OIDC_PROVIDER_URL=${OIDC_PROVIDER_URL}"
|
||||
- "OIDC_CLIENT_ID=${OIDC_CLIENT_ID}"
|
||||
|
@ -77,6 +79,23 @@ services:
|
|||
- "OIDC_ROLES_PROPERTY=${OIDC_ROLES_PROPERTY}"
|
||||
- "OIDC_ROLES_MAPPING=${OIDC_ROLES_MAPPING}"
|
||||
- "OIDC_DEFAULT_ORG=${OIDC_DEFAULT_ORG}"
|
||||
# LDAP authentication settings
|
||||
- "LDAP_ENABLE=${LDAP_ENABLE}"
|
||||
- "LDAP_APACHE_ENV=${LDAP_APACHE_ENV}"
|
||||
- "LDAP_SERVER=${LDAP_SERVER}"
|
||||
- "LDAP_STARTTLS=${LDAP_STARTTLS}"
|
||||
- "LDAP_READER_USER=${LDAP_READER_USER}"
|
||||
- "LDAP_READER_PASSWORD=${LDAP_READER_PASSWORD}"
|
||||
- "LDAP_DN=${LDAP_DN}"
|
||||
- "LDAP_SEARCH_FILTER=${LDAP_SEARCH_FILTER}"
|
||||
- "LDAP_SEARCH_ATTRIBUTE=${LDAP_SEARCH_ATTRIBUTE}"
|
||||
- "LDAP_FILTER=${LDAP_FILTER}"
|
||||
- "LDAP_DEFAULT_ROLE_ID=${LDAP_DEFAULT_ROLE_ID}"
|
||||
- "LDAP_DEFAULT_ORG=${LDAP_DEFAULT_ORG}"
|
||||
- "LDAP_EMAIL_FIELD=${LDAP_EMAIL_FIELD}"
|
||||
- "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}"
|
||||
- "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}"
|
||||
- "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}"
|
||||
# sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
|
||||
- "SYNCSERVERS=${SYNCSERVERS}"
|
||||
- |
|
||||
|
|
20
template.env
20
template.env
|
@ -96,3 +96,23 @@ SYNCSERVERS_1_KEY=
|
|||
# OIDC_ROLES_PROPERTY="roles"
|
||||
# OIDC_ROLES_MAPPING={"admin": "1","sync-user": "5"}
|
||||
# OIDC_DEFAULT_ORG=
|
||||
|
||||
# Enable LDAP (using the ApacheSecureAuth component) authentication, according to https://github.com/MISP/MISP/issues/6189
|
||||
# NOTE: Once you enable LDAP authentication with the ApacheSecureAuth component, users should not be able to control the HTTP header configured in LDAP_APACHE_ENV (e.g. REMOTE_USER).
|
||||
# This means you must not allow direct access to MISP.
|
||||
# LDAP_ENABLE=true
|
||||
# LDAP_APACHE_ENV="REMOTE_USER"
|
||||
# LDAP_SERVER="ldap://your_domain_controller"
|
||||
# LDAP_STARTTLS=true
|
||||
# LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net"
|
||||
# LDAP_READER_PASSWORD="password"
|
||||
# LDAP_DN="OU=Users,DC=domain,DC=net"
|
||||
# LDAP_SEARCH_FILTER=""
|
||||
# LDAP_SEARCH_ATTRIBUTE="uid"
|
||||
# LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]"
|
||||
# LDAP_DEFAULT_ROLE_ID="3"
|
||||
# LDAP_DEFAULT_ORG="1"
|
||||
# LDAP_EMAIL_FIELD="[\"mail\"]"
|
||||
# LDAP_OPT_PROTOCOL_VERSION="3"
|
||||
# LDAP_OPT_NETWORK_TIMEOUT="-1"
|
||||
# LDAP_OPT_REFERRALS=false
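Review bot: The NOTE above the LDAP_* block states the trust assumption of ApacheSecureAuth — MISP logs in whoever the header named by `LDAP_APACHE_ENV` identifies — but it does not say what has to be enforced, and an operator reading only this file can still publish the misp-core port directly. I would extend the comment with `# Only the authenticating reverse proxy may reach the misp-core container, and it must set or overwrite the LDAP_APACHE_ENV header on every request so a client-supplied value is never passed through.` It is also worth a line next to `LDAP_STARTTLS=true` that `LDAP_SERVER` is a plain `ldap://` URL, so the `LDAP_READER_PASSWORD` bind is only protected when STARTTLS is actually negotiated; keep it enabled unless an `ldaps://` URL is used.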
|
||||
|
|