From 8093b59122962fcc75dbc3152366d20351d29a1f Mon Sep 17 00:00:00 2001 
From: Max H <10329648+8ear@users.noreply.github.com> Date: Tue, 2 Jul 2019 07:34:37 +0200 Subject: [PATCH] Feat/MDD-220: Improve Proxy Docker Container (#18) ## Feat/MDD-220: Improve Proxy Docker Container ### Update Information This release added a new misp-dockerized-proxy Docker container. ### General Changes The general CI files were changed. - Changed Gitlab CI Build tools from default `docker build` to `kaniko` - Added a Gitlab CI test job for all container - Added a Release Date variable for all container - Removed unused CI scripts ### Fixes and Improvements - Added new misp-dockerized-proxy:1.6-alpine Docker container ### Detailed Changes - Added new misp-dockerized-proxy:1.6-alpine Docker container This container supports: - Our MISP-dockerized-monitoring as reverse proxy. - The new MISP-dockerized variable scheme. - SSL web certificate passphrase option. --- .ci/01_before_install.sh | 24 -- .ci/02_build.sh | 85 ------ .ci/03_tagging.sh | 121 -------- .ci/04_push.sh | 50 ---- .ci/05_notify_hub.docker.com.sh | 11 - .ci/Makefile | 26 -- .gitlab-ci.yml | 56 +--- .legacy/.gitlab-ci.yml | 14 - .old/1.0.0-ubuntu/Dockerfile | 87 ------ .old/1.0.0-ubuntu/configuration.sh | 5 - .old/1.0.0-ubuntu/files/GLOBAL_allow_IPs | 1 - .../files/SERVER_HTTPS_and_redirected_HTTP | 32 -- .old/1.0.0-ubuntu/files/SERVER_HTTP_only.conf | 14 - .old/1.0.0-ubuntu/files/SERVER_MAINTENANCE | 13 - .old/1.0.0-ubuntu/files/maintenance.html | 18 -- .old/1.0.0-ubuntu/files/vars_common | 2 - .travis.yml | 44 +-- .travis/build.sh | 66 ----- .travis/generate-stackbrew-library.sh | 79 ----- .travis/main.sh | 64 ---- .travis/notify_hub.docker.com.sh | 12 - .travis/push.sh | 24 -- .travis/tagging.sh | 74 ----- .travis/travis-cli.sh | 25 -- 1.0-alpine/.gitlab-ci.yml | 10 + 1.0-alpine/configuration.sh | 5 - 1.1-alpine/.gitlab-ci.yml | 10 + 1.1-alpine/configuration.sh | 5 - 1.2-alpine/.gitlab-ci.yml | 10 + 1.2-alpine/configuration.sh | 5 - 1.3-alpine/.gitlab-ci.yml | 2 + 1.3-alpine/configuration.sh 
| 5 - 1.4-alpine/.gitlab-ci.yml | 2 + 1.4-alpine/configuration.sh | 5 - 1.5-alpine/.gitlab-ci.yml | 3 + 1.5-alpine/configuration.sh | 6 - 1.6-alpine/.gitlab-ci.yml | 14 + 1.6-alpine/Dockerfile | 77 +++++ 1.6-alpine/files/entrypoint_nginx.sh | 275 ++++++++++++++++++ .../files/nginx/conf.d}/GLOBAL_nginx_common | 10 +- .../nginx/conf.d}/GLOBAL_ssl_common.conf | 4 +- .../SERVER_HTTPS_and_redirected_HTTP.conf | 66 +++++ .../files/nginx/conf.d/SERVER_MAINTENANCE | 14 + .../files/nginx/conf.d/misp_vars_proxy | 7 +- 44 files changed, 531 insertions(+), 951 deletions(-) delete mode 100755 .ci/01_before_install.sh delete mode 100755 .ci/02_build.sh delete mode 100755 .ci/03_tagging.sh delete mode 100755 .ci/04_push.sh delete mode 100755 .ci/05_notify_hub.docker.com.sh delete mode 100644 .ci/Makefile delete mode 100644 .legacy/.gitlab-ci.yml delete mode 100644 .old/1.0.0-ubuntu/Dockerfile delete mode 100644 .old/1.0.0-ubuntu/configuration.sh delete mode 100644 .old/1.0.0-ubuntu/files/GLOBAL_allow_IPs delete mode 100644 .old/1.0.0-ubuntu/files/SERVER_HTTPS_and_redirected_HTTP delete mode 100644 .old/1.0.0-ubuntu/files/SERVER_HTTP_only.conf delete mode 100644 .old/1.0.0-ubuntu/files/SERVER_MAINTENANCE delete mode 100644 .old/1.0.0-ubuntu/files/maintenance.html delete mode 100644 .old/1.0.0-ubuntu/files/vars_common delete mode 100755 .travis/build.sh delete mode 100755 .travis/generate-stackbrew-library.sh delete mode 100755 .travis/main.sh delete mode 100755 .travis/notify_hub.docker.com.sh delete mode 100755 .travis/push.sh delete mode 100755 .travis/tagging.sh delete mode 100755 .travis/travis-cli.sh delete mode 100644 1.0-alpine/configuration.sh delete mode 100644 1.1-alpine/configuration.sh delete mode 100644 1.2-alpine/configuration.sh delete mode 100644 1.3-alpine/configuration.sh delete mode 100644 1.4-alpine/configuration.sh delete mode 100644 1.5-alpine/configuration.sh create mode 100644 1.6-alpine/.gitlab-ci.yml create mode 100644 1.6-alpine/Dockerfile create mode 
100644 1.6-alpine/files/entrypoint_nginx.sh rename {.old/1.0.0-ubuntu/files => 1.6-alpine/files/nginx/conf.d}/GLOBAL_nginx_common (92%) rename {.old/1.0.0-ubuntu/files => 1.6-alpine/files/nginx/conf.d}/GLOBAL_ssl_common.conf (86%) create mode 100644 1.6-alpine/files/nginx/conf.d/SERVER_HTTPS_and_redirected_HTTP.conf create mode 100644 1.6-alpine/files/nginx/conf.d/SERVER_MAINTENANCE rename .old/1.0.0-ubuntu/files/vars_proxy => 1.6-alpine/files/nginx/conf.d/misp_vars_proxy (94%) diff --git a/.ci/01_before_install.sh b/.ci/01_before_install.sh deleted file mode 100755 index 8c3b7d8..0000000 --- a/.ci/01_before_install.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh -set -e -STARTMSG="[before_install]" - -# Install Requirements -echo -echo "$STARTMSG Install requirements..." - [ ! -z "$(which apk)" ] && apk add --no-cache bash sudo git curl coreutils grep py-pip python-dev libffi-dev openssl-dev gcc libc-dev make - [ ! -z "$(which apt-get)" ] && apt-get update; - [ ! -z "$(which apt-get)" ] && apt-get install make bash sudo git curl coreutils grep python3 gcc - # Upgrade Docke - [ ! -z "$(which apt-get)" ] && apt-get install --only-upgrade docker-ce -y -# Install docker-compose - # https://stackoverflow.com/questions/42295457/using-docker-compose-in-a-gitlab-ci-pipeline - [ -z "$(which docker-compose)" ] && pip install docker-compose -# Show version of docker-compose: - docker-compose -v - -# Set Git Options - echo - echo "$STARTMSG Set Git options..." - git config --global user.name "MISP-dockerized-bot" - -echo "$STARTMSG $0 is finished." diff --git a/.ci/02_build.sh b/.ci/02_build.sh deleted file mode 100755 index 70566d0..0000000 --- a/.ci/02_build.sh +++ /dev/null 
@@ -1,85 +0,0 @@ -#!/bin/bash -set -e -STARTMSG="[build]" - -[ -z "$1" ] && echo "$STARTMSG No parameter with the image version. Exit now." && exit 1 -[ "$1" == "dev" ] && echo "$STARTMSG False first argument. Abort." && exit 1 - -VERSION="$1" -if [[ "$2" == "true" ]]; then ENVIRONMENT="prod"; fi; - - -################# MANUAL VARIABLES ################# -# path of the script -SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )" -# dockerfile name: -DOCKERFILE_NAME=Dockerfile -# Which Folder the script should use - -echo "$STARTMSG Index all versions..." -if [ -z $1 ] ;then - # build all you find - FOLDER=( */) - FOLDER=( "${FOLDER[@]%/}" ) -else - # build only the argumented one - FOLDER="$VERSION" -fi -######################################################### - -################# AUTOMATIC VARIABLES ################# -# Find Out Git Hub Repository -echo "$STARTMSG Set GIT_REPO..." -if [ ! -z "$(git remote get-url origin|grep git@)" ] -then - GIT_REPO="$(git remote get-url origin|sed 's,.*:,,'|sed 's,....$,,')" -elif [ ! -z "$(git remote get-url origin|grep http)" ] -then - GIT_REPO="$(git remote get-url origin|sed 's,http.*//.*/,,'|sed 's,....$,,')" -elif [ ! -z "$(echo "$GIT_REPO"|grep "$GITLAB_HOST")" ] -then - GIT_REPO="$(git remote get-url origin|sed 's,.*'${GITLAB_HOST}'/'${GITLAB_GROUP}'/,,'|sed 's,....$,,')" -else - echo "Can not found the Git URL. Exit now." - exit 1 -fi - -GIT_REPO_URL="https://github.com/$GIT_REPO" -# Dockerifle Settings -CONTAINER_NAME="$(echo "$GIT_REPO"|cut -d / -f 2|tr '[:upper:]' '[:lower:]')" -DOCKER_REPO="not2push/$CONTAINER_NAME" -######################################################### - -echo "$STARTMSG Start image building..." -for FOLD in ${FOLDER[@]} -do - # Find Out Version from folder - VERSION=$(echo $FOLD|cut -d- -f 1) - DOCKERFILE_PATH="$SCRIPTPATH/../$FOLD" - # Load Variables from configuration file - source "$DOCKERFILE_PATH/configuration.sh" - # Default mode add "-dev" tag. 
- if [ "$ENVIRONMENT" == "prod" ] - then - # PROD Version - TAGS="-t $DOCKER_REPO:$FOLD" - else - # DEV Version - TAGS="-t $DOCKER_REPO:$FOLD-dev" - fi - - # Default build args - BUILD_ARGS+=" - --build-arg BUILD_DATE="$(date -u +"%Y-%m-%d")" \ - --build-arg NAME="$CONTAINER_NAME" \ - --build-arg GIT_REPO="$GIT_REPO_URL" \ - --build-arg VCS_REF=$(git rev-parse --short HEAD) \ - --build-arg VERSION="$VERSION" \ - " - # build image - docker build \ - $BUILD_ARGS \ - -f "$DOCKERFILE_PATH/$DOCKERFILE_NAME" $TAGS "$DOCKERFILE_PATH"/ -done - -echo "$STARTMSG $0 is finished." diff --git a/.ci/03_tagging.sh b/.ci/03_tagging.sh deleted file mode 100755 index 1b70af9..0000000 --- a/.ci/03_tagging.sh +++ /dev/null 
@@ -1,121 +0,0 @@ -#!/bin/bash -set -e -STARTMSG="[tagging]" - -[ -z "$1" ] && echo "$STARTMSG No parameter with the image version. Exit now." && exit 1 -[ "$1" == "true" ] && echo "$STARTMSG False first argument. Abort." && exit 1 - -REGISTRY_URL="$1" -if [[ "$2" == "true" ]]; then ENVIRONMENT="prod"; fi; - -# change directory to the top level: -pushd .. - -# Docker Repo e.g. dcso/misp-dockerized-proxy -[ -z "$(git remote get-url origin|grep git@)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*:,,'|sed 's,....$,,')" -[ -z "$(git remote get-url origin|grep http)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*github.com/,,'|sed 's,....$,,')" -[ -z "$GITLAB_HOST" ] || [ -z "$(echo "$GIT_REPO"|grep "$GITLAB_HOST")" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*'${GITLAB_HOST}'/'${GITLAB_GROUP}'/,,'|sed 's,....$,,')" - -# Set Container Name -CONTAINER_NAME="$(echo $GIT_REPO|cut -d / -f 2|tr '[:upper:]' '[:lower:]')" - -# Show Images before tagging -echo "$STARTMSG ### Show images before tagging:" -docker images | grep "$CONTAINER_NAME" - -# Set Docker Repository -DOCKER_REPO="$REGISTRY_URL/$CONTAINER_NAME" -SOURCE_REPO="not2push" - -# Search the latest image - # Create the Array - FOLDER_ARRAY=( */) - FOLDER_ARRAY=( "${FOLDER_ARRAY[@]%/}" ) - # How many items in your Array: - index=${#FOLDER_ARRAY[@]} - - # SORT ARRAY - IFS=$'\n' - sorted=($(sort <<<"${FOLDER_ARRAY[*]}")) - unset IFS - - # Latest Version - LATEST=$(echo ${sorted[$index-1]}|cut -d- -f 1) - -# Search the current major version - # All Latest Major versions - MAJOR_LATEST="" - # Run over all FOLDER versions and add all first digit numbers - for i in ${sorted[@]} - do - # change from 1.0-ubuntu -> 1 - CURRENT_MAJOR_VERSION="$(echo "$i"|cut -d . -f 1)" - CURRENT_MINOR_VERSION="$(echo "$i"|cut -d . 
-f 2|cut -d - -f 1)" - - # Check if there is any Version available for the current MAJOR version: - [ -z ${MAJOR_LATEST[$CURRENT_MAJOR_LATEST]} ] && MAJOR_LATEST[$CURRENT_MAJOR_VERSION]=$i && continue - - # change the Folder Name which are written into the Array on position of the current_major_version from 1.0-ubuntu to 1 - LIST_MINOR_VERSION=$(echo ${MAJOR_LATEST[$CURRENT_MAJOR_VERSION]}|cut -d . -f 2|cut -d - -f 1) - # Check if the current minor digit from Elelement i is higher than the one which are saved in the array - [[ $LIST_MINOR_VERSION < $CURRENT_MINOR_VERSION ]] && MAJOR_LATEST[$CURRENT_MAJOR_VERSION]=$i && continue - done - - -# Lookup to all build versions of the current docker container -ALL_BUILD_DOCKER_VERSIONS=$(docker images --format '{{.Repository}}={{.Tag}}'|grep "$CONTAINER_NAME" | grep "$SOURCE_REPO" |cut -d = -f 2) - -# Tag Latest + Version Number -for i in $ALL_BUILD_DOCKER_VERSIONS -do - VERSION=$(echo "$i"|cut -d- -f 1) # for example 1.0 - BASE=$(echo "$i"|cut -d- -f 2) # for example ubuntu - CURRENT_MAJOR_VERSION="$(echo "$i"|cut -d . -f 1)" # for example 1 - - # Remove '-dev' tag - if [ "$ENVIRONMENT" == "prod" ]; then - # - # If prod=true, ~ prodcutin ready image - # - - # Add custom Docker registry tag - docker tag "$SOURCE_REPO/$CONTAINER_NAME:$i" "$DOCKER_REPO:$VERSION-$BASE" - - # Add latest tag - if [ "$VERSION" == "$LATEST" ]; then - docker tag "$SOURCE_REPO/$CONTAINER_NAME:$i" "$DOCKER_REPO":latest - fi - - # Add latest Major Version Tag - for k in ${MAJOR_LATEST[@]} - do - #CURRENT_MAJOR_VERSION="$(echo $k|cut -d . 
-f 1)" - [ "$i" == "$k-dev" ] && docker tag "$SOURCE_REPO/$CONTAINER_NAME:$i" "$DOCKER_REPO:$CURRENT_MAJOR_VERSION" - done - else - # - # Add '-dev' tag - # - - # Add custom Docker registry tag - docker tag "$SOURCE_REPO/$CONTAINER_NAME:$i" "$DOCKER_REPO:$VERSION-$BASE-dev" - - # Add latest tag - if [ "$VERSION" == "$LATEST" ]; then - docker tag "$SOURCE_REPO/$CONTAINER_NAME:$i" "$DOCKER_REPO:latest-dev" - fi - - # Add latest Major Version Tag - for k in ${MAJOR_LATEST[@]} - do - CURRENT_MAJOR_VERSION="$(echo "$k"|cut -d . -f 1)" - [ "$i" == "$k-dev" ] && docker tag "$SOURCE_REPO/$CONTAINER_NAME:$i" "$DOCKER_REPO:$CURRENT_MAJOR_VERSION-dev" - done - fi -done - -echo "$STARTMSG ### Show images after tagging:" -docker images | grep "$DOCKER_REPO" - -echo "$STARTMSG $0 is finished." - diff --git a/.ci/04_push.sh b/.ci/04_push.sh deleted file mode 100755 index b193d79..0000000 --- a/.ci/04_push.sh +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/bin/bash -set -e -STARTMSG="[push]" - -[ -z "$1" ] && echo "$STARTMSG No parameter with the Docker registry URL. Exit now." && exit 1 -[ "$1" == "NOT2PUSH" ] && echo "$STARTMSG The NOT2PUSH slug is only for local build and retag not for pushin to docker registries. Exit now." && exit 1 -[ -z "$2" ] && echo "$STARTMSG No parameter with the Docker registry username. Exit now." && exit 1 -[ -z "$3" ] && echo "$STARTMSG No parameter with the Docker registry password. Exit now." && exit 1 - -REGISTRY_URL="$1" -REGISTRY_USER="$2" -REGISTRY_PW="$3" - -################################## - -# Find the right Docker Repo name e.g. dcso/misp-dockerized-proxy -[ -z "$(git remote get-url origin|grep git@)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*:,,'|sed 's,....$,,')" -[ -z "$(git remote get-url origin|grep http)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*github.com/,,'|sed 's,....$,,')" -if [ ! -z "$GITLAB_HOST" ]; then - [ -z "$(echo "$GIT_REPO" | grep "$GITLAB_HOST")" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*'${GITLAB_HOST}'/'${GITLAB_GROUP}'/,,'|sed 's,....$,,')" -fi - -# Set Container Name in lower case -CONTAINER_NAME="$(echo "$GIT_REPO"|cut -d / -f 2|tr '[:upper:]' '[:lower:]')" - -# Set the right Docker Repository with the Docker registry URL -DOCKER_REPO="$REGISTRY_URL/$CONTAINER_NAME" - -# Find all builded versions of the current Docker image -ALL_BUILD_DOCKER_VERSIONS=$(docker images --format '{{.Repository}}={{.Tag}}'|grep "$DOCKER_REPO"|cut -d = -f 2) - -# Login to Docker registry -[ "$REGISTRY_URL" != "dcso" ] && DOCKER_LOGIN_OUTPUT="$(echo "$REGISTRY_PW" | docker login -u "$REGISTRY_USER" "$REGISTRY_URL" --password-stdin)" -[ "$REGISTRY_URL" = "dcso" ] && DOCKER_LOGIN_OUTPUT="$(echo "$REGISTRY_PW" | docker login -u "$REGISTRY_USER" --password-stdin)" -echo "$DOCKER_LOGIN_OUTPUT" -DOCKER_LOGIN_STATE="$(echo "$DOCKER_LOGIN_OUTPUT" | grep 'Login Succeeded')" - -if [ ! 
-z "$DOCKER_LOGIN_STATE" ]; then - # Push all Docker images - for i in $ALL_BUILD_DOCKER_VERSIONS - do - echo "$STARTMSG docker push $DOCKER_REPO:$i" && docker push "$DOCKER_REPO:$i" - [ "$?" -ne 0 ] && exit 1 - done -else - echo "$DOCKER_LOGIN_OUTPUT" - exit -fi - -echo "$STARTMSG $0 is finished." diff --git a/.ci/05_notify_hub.docker.com.sh b/.ci/05_notify_hub.docker.com.sh deleted file mode 100755 index 7040761..0000000 --- a/.ci/05_notify_hub.docker.com.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -set -e -STARTMSG="[notify_hob.docker.com]" - -NOTIFY_URL="$1" - -echo "$STARTMSG Notify hub.docker.com" - -curl -X POST -H "Content-Type: application/json" --data '{"docker_tag_name": "hub_automatic_untested"}' "$NOTIFY_URL" - -echo "$STARTMSG $0 is finished." diff --git a/.ci/Makefile b/.ci/Makefile deleted file mode 100644 index a93e4ea..0000000 --- a/.ci/Makefile +++ /dev/null @@ -1,26 +0,0 @@ -# -# Makefile -# -.PHONY: help build tags push notify-hub-docker-com - -help: - @echo -e "Please use a command: \n \ - make build v=<2.3-debian> \n \ - make build v=<2.3-debian> prod=true | If you want to build directly production ready images\n \ - make tags REPOURL= \n \ - make tags REPOURL= prod=true | If you want to add production ready images \n \ - make push REPOURL= USER= PW= \n \ - make notify-hub.docker.com URL= \n \ - " - -build: - @bash 02_build.sh $(v) $(prod) - -tags: - @bash 03_tagging.sh $(REPOURL) $(prod) - -push: - @bash 04_push.sh $(REPOURL) $(USER) $(PW) - -notify-hub-docker-com: - @bash 05_notify_hub.docker.com.sh $(URL) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6c7b7a4..ba96efc 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -1,54 +1,22 @@
-image: docker:latest
-services:
- - docker:dind
-stages:
-- test
-- build
+notify:
+ extends: .notify
 variables:
- # The following variables are setup via gitlab project group:
- # DOCKER_HUB_NOTIFY_URL
- # DOCKER_SLUG
- # DOCKER_USERNAME
- # DOCKER_PASSWORD
- # CUSTOM_REGISTRY_URL
- # CUSTOM_REGISTRY_USER
- # CUSTOM_REGISTRY_PW
-
-before_script:
-- .ci/01_before_install.sh
-
-.test:
- stage: test
- except:
- - master
- script:
- - make -C .ci build v=$VERSION
- - make -C .ci tags REPOURL=$CUSTOM_REGISTRY_URL
- - make -C .ci tags REPOURL=$DOCKER_SLUG
-
-.build:
- stage: build
- only:
- - master
- script:
- - make -C .ci build v=$VERSION
- - make -C .ci tags REPOURL=$CUSTOM_REGISTRY_URL
- - make -C .ci tags REPOURL=$DOCKER_SLUG
- - make -C .ci push REPOURL=$CUSTOM_REGISTRY_URL USER=$CUSTOM_REGISTRY_USER PW=$CUSTOM_REGISTRY_PW
- - make -C .ci push REPOURL=$DOCKER_SLUG USER=$DOCKER_USERNAME PW=$DOCKER_PASSWORD
- - make -C .ci notify-hub-docker-com URL=$DOCKER_HUB_NOTIFY_URL
+ COMPONENT: proxy
+include:
+ - project: 'MISP/helper-containers'
+ ref: master
+ file: '/.gitlab-ci-template.yml'
 #
 # For a cleaner Gitlab CI file include all subfolder which should be build:
 #
-include:
- - '.legacy/.gitlab-ci.yml'
- #- '1.0-alpine/.gitlab-ci.yml'
- #- '1.1-alpine/.gitlab-ci.yml'
- #- '1.2-alpine/.gitlab-ci.yml'
+ - '1.0-alpine/.gitlab-ci.yml'
+ - '1.1-alpine/.gitlab-ci.yml'
+ - '1.2-alpine/.gitlab-ci.yml'
 #- '1.3-alpine/.gitlab-ci.yml'
 #- '1.4-alpine/.gitlab-ci.yml'
- - '1.5-alpine/.gitlab-ci.yml'
+ #- '1.5-alpine/.gitlab-ci.yml'
+ - '1.6-alpine/.gitlab-ci.yml'
diff --git a/.legacy/.gitlab-ci.yml b/.legacy/.gitlab-ci.yml
deleted file mode 100644
index 94402d3..0000000
--- a/.legacy/.gitlab-ci.yml
+++ /dev/null
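Review bot: The template include at `- project: 'MISP/helper-containers'` uses `ref: master`, so every pipeline run resolves to whatever that repository's master branch holds at run time, and the jobs it defines (`.notify`, and presumably the build/tag/push jobs that replace the removed inline `.build` script) can change this project's release behaviour without any commit or review here. Pin the include to an immutable reference, e.g. `ref: <template-tag-or-commit-sha>`, and bump it deliberately. The removed comment listing the group-level variables (`DOCKER_HUB_NOTIFY_URL`, `DOCKER_SLUG`, the registry user/password pairs) was the only place documenting which secrets this pipeline depends on; if the template still reads them, a short comment naming them next to `include:` would keep that visible. What `COMPONENT: proxy` selects is defined by the template and cannot be verified from this diff.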
@@ -1,14 +0,0 @@ -build_alpine_1.0.2: - extends: .build - variables: - VERSION: "1.0.2-alpine" - -build_alpine_1.0.1: - extends: .build - variables: - VERSION: "1.0.1-alpine" - -build_alpine_1.0.0: - extends: .build - variables: - VERSION: "1.0.0-alpine" diff --git a/.old/1.0.0-ubuntu/Dockerfile b/.old/1.0.0-ubuntu/Dockerfile deleted file mode 100644 index 3883012..0000000 --- a/.old/1.0.0-ubuntu/Dockerfile +++ /dev/null 
@@ -1,87 +0,0 @@ -#FROM nginx:1.13.9 -FROM ubuntu:16.04 - -# Variables: -# for Labels: -ARG VENDOR="DCSO GmbH " -ARG RELEASE_DATE -ARG IS_PRODUCTION="false" -ARG MAINTAINER="DCSO MISP " -ARG BUILD_DATE -ARG NAME -ARG GIT_REPO -ARG VCS_REF -ARG VERSION -# END Variables - -#LABEL de.dcso.misp-server.version="0.0.1-alpha" -LABEL vendor=${VENDOR} -LABEL de.dcso.misp-server.release-date=${RELEASE_DATE} -LABEL de.dcso.misp-server.is-production=${IS_PRODUCTION} -LABEL maintainer=${MAINTAINER} -LABEL org.label-schema.build-date="${BUILD_DATE}" \ - org.label-schema.name="MISP-dockerized ${NAME}" \ - org.label-schema.description="This docker container is part of the DCSO MISP dockerized environment." \ - org.label-schema.vcs-ref="${VCS_REF}" \ - org.label-schema.vcs-url="${GIT_REPO}" \ - org.label-schema.vendor="${VENDOR}" \ - org.label-schema.version="${VERSION}" \ - org.label-schema.schema-version="1.0.0-rc1" - -# Install core components -ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update -y && apt-get autoremove -y && apt-get clean -y -RUN apt-get install -y software-properties-common -RUN apt-get install -y \ -supervisor \ -nano \ -vim \ -curl \ -gcc \ -make \ -locales \ -zip \ -iputils-ping \ -curl \ -make \ -openssl \ -vim \ -net-tools \ -sudo - -# Install NGINX -RUN apt-get install -y nginx - -# Set locals -RUN locale-gen en_US.UTF-8 -ENV LANG en_US.UTF-8 - -# Creating DH Params - https://weakdh.org/sysadmin.html -# Will be created via misp-robot. 
-#RUN openssl dhparam -out /etc/ssl/dhparams.pem 2048 - -# Copy the default config -COPY files/GLOBAL* files/SERVER* files/vars* /etc/nginx/conf.d/ -# Add directory for maintenance File -RUN mkdir /var/www/maintenance -# Copy Maintenance config -COPY files/maintenance.html /var/www/maintenance/ -# Deactivate NGINX Default config && rename orig nginx.conf && place own nginx.conf -RUN rm -f /etc/nginx/sites-enabled/default && mv /etc/nginx/nginx.conf /etc/nginx/nginx.orig && ln -s /etc/nginx/conf.d/GLOBAL_nginx_common /etc/nginx/nginx.conf - -# RUN mkdir /etc/ssl/private -RUN chmod -R 640 /etc/ssl/private - -# Environment Variable for Proxy -ENV HTTP_PROXY="" -ENV HTTPS_PROXY="" -ENV NO_PROXY="0.0.0.0" -# Environment Variable to check Version -ENV VERSION=${VERSION} - -# Add Healthcheck Config -HEALTHCHECK --interval=2m --timeout=15s --retries=3 CMD curl -f http://localhost/ || exit 1 - -# Install core components -ENTRYPOINT ["nginx"] -CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file diff --git a/.old/1.0.0-ubuntu/configuration.sh b/.old/1.0.0-ubuntu/configuration.sh deleted file mode 100644 index 907da7b..0000000 --- a/.old/1.0.0-ubuntu/configuration.sh +++ /dev/null @@ -1,5 +0,0 @@ -################################################## -# Build Arguments -BUILD_ARGS=" -" -################################################## diff --git a/.old/1.0.0-ubuntu/files/GLOBAL_allow_IPs b/.old/1.0.0-ubuntu/files/GLOBAL_allow_IPs deleted file mode 100644 index 1b1879e..0000000 --- a/.old/1.0.0-ubuntu/files/GLOBAL_allow_IPs +++ /dev/null @@ -1 +0,0 @@ -allow 0.0.0.0; \ No newline at end of file diff --git a/.old/1.0.0-ubuntu/files/SERVER_HTTPS_and_redirected_HTTP b/.old/1.0.0-ubuntu/files/SERVER_HTTPS_and_redirected_HTTP deleted file mode 100644 index fe7d073..0000000 --- a/.old/1.0.0-ubuntu/files/SERVER_HTTPS_and_redirected_HTTP +++ /dev/null 
@@ -1,32 +0,0 @@ -# HTTP Config to redirect traffic to HTTPS -server { - listen 80; - include conf.d/vars_common; - - # Logfiles - access_log /var/log/nginx/misp-server/access.80.log; - error_log /var/log/nginx/misp-server/error.80.log; - - # redirect to HTTPS - return 301 https://$host$request_uri; - -} - -# HTTPS Config to Proxy traffic to misp-server -server { - listen 443 ssl http2; - - include conf.d/vars_common; - - # SSL Certificate and Key - ssl_certificate /etc/nginx/conf.d/ssl/cert.pem; - ssl_certificate_key /etc/nginx/conf.d/ssl/key.pem; - - # Logfiles - access_log /var/log/nginx/misp-server/access.443.log; - error_log /var/log/nginx/misp-server/error.443.log; - - location / { - include conf.d/vars_proxy; - } -} \ No newline at end of file diff --git a/.old/1.0.0-ubuntu/files/SERVER_HTTP_only.conf b/.old/1.0.0-ubuntu/files/SERVER_HTTP_only.conf deleted file mode 100644 index 7b470f9..0000000 --- a/.old/1.0.0-ubuntu/files/SERVER_HTTP_only.conf +++ /dev/null @@ -1,14 +0,0 @@ -# HTTP Config to redirect traffic to HTTPS -server { - listen 80; - include conf.d/vars_common; - - # Logfiles - access_log /var/log/nginx/misp-server/access.80.log; - error_log /var/log/nginx/misp-server/error.80.log; - - location / { - include conf.d/vars_proxy; - } - -} diff --git a/.old/1.0.0-ubuntu/files/SERVER_MAINTENANCE b/.old/1.0.0-ubuntu/files/SERVER_MAINTENANCE deleted file mode 100644 index 464e8d6..0000000 --- a/.old/1.0.0-ubuntu/files/SERVER_MAINTENANCE +++ /dev/null @@ -1,13 +0,0 @@ -# HTTP / HTTPS Config for maintenance -server { - listen 80; - listen 443 ssl http2; - include conf.d/vars_common; - - # Logfiles - access_log /var/log/nginx/misp-server/maintenance_access.log; - error_log /var/log/nginx/misp-server/maintenance_error.log; - - root /var/www/html; - index index.html; -} \ No newline at end of file diff --git a/.old/1.0.0-ubuntu/files/maintenance.html b/.old/1.0.0-ubuntu/files/maintenance.html deleted file mode 100644 index fb35c77..0000000 
--- a/.old/1.0.0-ubuntu/files/maintenance.html +++ /dev/null @@ -1,18 +0,0 @@ - -Site Maintenance - - -
-

We’ll be back soon!

-
-

Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise we’ll be back online shortly!

-

— The Team

-
-
\ No newline at end of file diff --git a/.old/1.0.0-ubuntu/files/vars_common b/.old/1.0.0-ubuntu/files/vars_common deleted file mode 100644 index a08f0bc..0000000 --- a/.old/1.0.0-ubuntu/files/vars_common +++ /dev/null @@ -1,2 +0,0 @@ -server_name misp.example.com; -client_max_body_size 50M; \ No newline at end of file diff --git a/.travis.yml b/.travis.yml index 5ecde83..c20db97 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,32 +7,32 @@ addons: env: global: - # The following variables are setup via gitlab project group: - # - DOCKER_HUB_TOKEN - # - DOCKER_SLUG - # - DOCKER_USERNAME - # - DOCKER_PASSWORD + #- DOCKER_COMPOSE_VERSION=1.4.2 + - COMPONENT=proxy + matrix: - #- VERSION=1.0-alpine - #- VERSION=1.1-alpine - #- VERSION=1.2-alpine - #- VERSION=1.3-alpine - #- VERSION=1.4-alpine - - VERSION=1.5-alpine + #- FOLDER=1.0-alpine + #- FOLDER=1.1-alpine + #- FOLDER=1.2-alpine + - FOLDER=1.3-alpine + - FOLDER=1.4-alpine + - FOLDER=1.5-alpine + - FOLDER=1.6-alpine # legacy - - VERSION=1.0.0-alpine - - VERSION=1.0.1-alpine - - VERSION=1.0.2-alpine - - - -before_install: -- sudo .ci/01_before_install.sh + - FOLDER=1.0.0-alpine + - FOLDER=1.0.1-alpine + - FOLDER=1.0.2-alpine script: -- make -C .ci build v=${VERSION} prod=false # Set prod=true, if you want to build NO '-dev' tag -- make -C .ci tags REPOURL=$DOCKER_SLUG prod=false # Set prod=true, if you want tags NO '-dev' tag +- docker build -f "$TRAVIS_BUILD_DIR/$FOLDER/Dockerfile" + --build-arg VCS_REF="$TRAVIS_COMMIT" + --build-arg VERSION="$FOLDER" + --build-arg GIT_REPO="https://github.com/$TRAVIS_REPO_SLUG" + --build-arg COMPONENT="$COMPONENT" + --build-arg BUILD_DATE="$(date -u +"%Y-%m-%d")" + "$TRAVIS_BUILD_DIR/$FOLDER" + +# don't notify me when things fail notifications: - # don't notify me when things fail email: false diff --git a/.travis/build.sh b/.travis/build.sh deleted file mode 100755 index 58183d3..0000000 --- a/.travis/build.sh +++ /dev/null 
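Review bot: The new Travis matrix builds `FOLDER=1.3-alpine`, `1.4-alpine`, `1.5-alpine` and `1.6-alpine` (plus the three legacy `1.0.x-alpine` entries), while the `.gitlab-ci.yml` hunk in this same commit enables `1.0-alpine`, `1.1-alpine`, `1.2-alpine` and `1.6-alpine` and comments out 1.3–1.5; the two CI definitions should build the same set, or the difference should be stated in a comment. The new `docker build` call passes `--build-arg VERSION="$FOLDER"`, i.e. the full folder name such as `1.6-alpine`, whereas the deleted `.ci/02_build.sh` derived `VERSION` with `cut -d- -f 1` (a bare `1.6`), so any label or `ENV VERSION` consumer that expects the old form now sees a different value. The description says a Release Date variable was added for all containers, but no `RELEASE_DATE` build-arg is passed here; if the new 1.6-alpine Dockerfile (outside this view) declares it, it will be empty in Travis builds. Whether the continuation lines of the `docker build` command are indented enough to fold into a single YAML scalar cannot be checked from the collapsed text, so verify the script step runs as one command.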
@@ -1,66 +0,0 @@ -#!/bin/bash -# Set an option to exit immediately if any error appears -set -xe - -################# MANUAL VARIABLES ################# -# path of the script -SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )" -# dockerfile name: -DOCKERFILE_NAME=Dockerfile -# Which Folder the script should use -[ "$1" == "dev" ] && echo "false first argument. Abort." && exit 1 -if [ -z $1 ] ;then - # build all you find - FOLDER=( */) - FOLDER=( "${FOLDER[@]%/}" ) -else - # build only the argumented one - FOLDER=$1 -fi -######################################################### - -################# AUTOMATIC VARIABLES ################# -# Find Out Git Hub Repository -[ -z "$(git remote get-url origin|grep git@)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*:,,'|sed 's,....$,,')" -[ -z "$(git remote get-url origin|grep http)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*github.com/,,'|sed 's,....$,,')" -[ -z "$(echo $GIT_REPO|grep $GITLAB_HOST)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*'${GITLAB_HOST}'/'${GITLAB_GROUP}'/,,'|sed 's,....$,,')" - -GIT_REPO_URL="https://github.com/$GIT_REPO" -# Dockerifle Settings -CONTAINER_NAME="$(echo $GIT_REPO|cut -d / -f 2|tr '[:upper:]' '[:lower:]')" -DOCKER_REPO="dcso/$CONTAINER_NAME" -######################################################### - -for FOLD in ${FOLDER[@]} -do - #Find Out Version from folder - VERSION=$(echo $FOLD|cut -d- -f 1) - DOCKERFILE_PATH="$SCRIPTPATH/../$FOLD" - # load Variables from configuration file - source $DOCKERFILE_PATH/configuration.sh - ### Add -dev to tag if dev is set as a second argument - if [ "$2" == "prod" ] - then - # PROD Version - TAGS="-t $DOCKER_REPO:$FOLD" - [ -z "$INTERNAL_REGISTRY_HOST" ] || TAGS+=" -t $INTERNAL_REGISTRY_HOST/$CONTAINER_NAME:$FOLD" - else - # DEV Version - TAGS="-t $DOCKER_REPO:$FOLD-dev" - [ -z "$INTERNAL_REGISTRY_HOST" ] || TAGS+=" -t $INTERNAL_REGISTRY_HOST/$CONTAINER_NAME:$FOLD-dev" - fi - - # Default Build Args - BUILD_ARGS+=" - --build-arg 
RELEASE_DATE="$(date +"%Y-%m-%d")" \ - --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \ - --build-arg NAME="$CONTAINER_NAME" \ - --build-arg GIT_REPO="$GIT_REPO_URL" \ - --build-arg VCS_REF=$(git rev-parse --short HEAD) \ - --build-arg VERSION="$VERSION" \ - " - # build container - docker build \ - $BUILD_ARGS \ - -f $DOCKERFILE_PATH/$DOCKERFILE_NAME $TAGS $DOCKERFILE_PATH/ -done diff --git a/.travis/generate-stackbrew-library.sh b/.travis/generate-stackbrew-library.sh deleted file mode 100755 index 1b3583d..0000000 --- a/.travis/generate-stackbrew-library.sh +++ /dev/null 
@@ -1,79 +0,0 @@ -#!/bin/bash -set -eu - -declare -A aliases -aliases=( - [2.4.88]='2.4 latest' -) - -self="$(basename "$BASH_SOURCE")" -cd "$(dirname "$(readlink -f "$BASH_SOURCE")")" -#base=stretch -base= - -versions=( */ ) -versions=( "${versions[@]%/}" ) - -# get the most recent commit which modified any of "$@" -fileCommit() { - git log -1 --format='format:%H' HEAD -- "$@" -} - -# get the most recent commit which modified "$1/Dockerfile" or any file COPY'd from "$1/Dockerfile" -dirCommit() { - local dir="$1"; shift - ( - cd "$dir" - fileCommit \ - Dockerfile \ - $(git show HEAD:./Dockerfile | awk ' - toupper($1) == "COPY" { - for (i = 2; i < NF; i++) { - print $i - } - } - ') - ) -} - -cat <<-EOH -# this file is generated via https://github.com/DCSO/MISP-dockerized/blob/$(fileCommit "$self")/$self - -Maintainers: DCSO GmbH (@dcso) -GitRepo: https://github.com/DCSO/MISP-dockerized -EOH - -# prints "$2$1$3$1...$N" -join() { - local sep="$1"; shift - local out; printf -v out "${sep//%/%%}%s" "$@" - echo "${out#$sep}" -} - -for version in "${versions[@]}"; do - # with base: - #commit="$(dirCommit "$version/$base")" - # without base: - commit="$(dirCommit "$version")" - - #with base: - #fullVersion="$(git show "$commit":"$version/$base/Dockerfile" | awk '$1 == "ENV" && $2 == "MISP_TAG" { print $3; exit }')" - # without base: - fullVersion="$(git show "$commit":"$version/Dockerfile" | awk '$1 == "ENV" && $2 == "MISP_TAG" { print $3; exit }')" - fullVersion="${fullVersion%[.-]*}" - - versionAliases=( $fullVersion ) - if [ "$version" != "$fullVersion" ]; then - versionAliases+=( $version ) - fi - versionAliases+=( ${aliases[$version]:-} ) - - echo - cat <<-EOE - Tags: $(join ', ' "${versionAliases[@]}") - Architectures: amd64 - GitCommit: $commit - Directory: $version/$base - EOE - -done diff --git a/.travis/main.sh b/.travis/main.sh deleted file mode 100755 index f5a8486..0000000 --- a/.travis/main.sh +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/bin/bash - -# Set an option to exit immediately if any error appears -set -o errexit - -# Main function that describes the behavior of the -# script. -# By making it a function we can place our methods -# below and have the main execution described in a -# concise way via function invocations. -main() { - setup_dependencies - update_docker_configuration - echo "#########################################################" - echo "SUCCESS: Done! Finished setting up Travis machine. " - echo "#########################################################" -} - -# Prepare the dependencies that the machine need. -# Here I'm just updating the apt references and then -# installing both python and python-pip. This allows -# us to make use of `pip` to fetch the latest `docker-compose` -# later. -# We also upgrade `docker-ce` so that we can get the -# latest docker version which allows us to perform -# image squashing as well as multi-stage builds. -setup_dependencies() { - echo "#########################################################" - echo "INFO: Setting up dependencies." - echo "#########################################################" - - - sudo apt-get update -y - sudo apt-get install realpath python python-pip -y - sudo apt-get install --only-upgrade docker-ce -y - #sudo pip install docker-compose || true - - #docker info - #docker-compose --version - - git config --global user.name "MISP-dockerized-bot" - #git clone --recurse-submodules https://github.com/8ear/MISP-dockerized-documentation.git ~/misp-docs - -} - -# Tweak the daemon configuration so that we -# can make use of experimental features (like image -# squashing) as well as have a bigger amount of -# concurrent downloads and uploads. 
-update_docker_configuration() { - echo "#########################################################" - echo "INFO: Updating docker configuration" - echo "#########################################################" - - echo '{ - "experimental": true, - "storage-driver": "overlay2", - "max-concurrent-downloads": 50, - "max-concurrent-uploads": 50 -}' | sudo tee /etc/docker/daemon.json - sudo service docker restart -} - -main \ No newline at end of file diff --git a/.travis/notify_hub.docker.com.sh b/.travis/notify_hub.docker.com.sh deleted file mode 100755 index d7f2519..0000000 --- a/.travis/notify_hub.docker.com.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -# Set an option to exit immediately if any error appears -set -xe - -# Docker Repo e.g. dcso/misp-dockerized-proxy -[ -z "$(git remote get-url origin|grep git@)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*:,,'|sed 's,....$,,')" -[ -z "$(git remote get-url origin|grep http)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*github.com/,,'|sed 's,....$,,')" -[ -z "$(echo $GIT_REPO|grep $GITLAB_HOST)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*'${GITLAB_HOST}'/'${GITLAB_GROUP}'/,,'|sed 's,....$,,')" - -DOCKER_REPO="dcso/$(echo $GIT_REPO|cut -d / -f 2|tr '[:upper:]' '[:lower:]')" - -curl -X POST -H "Content-Type: application/json" --data '{"docker_tag_name": "hub_automatic_untested"}' https://registry.hub.docker.com/u/$DOCKER_REPO/trigger/$1/ \ No newline at end of file diff --git a/.travis/push.sh b/.travis/push.sh deleted file mode 100755 index b346c22..0000000 --- a/.travis/push.sh +++ /dev/null 
@@ -1,24 +0,0 @@ -#!/bin/bash -# Set an option to exit immediately if any error appears -set -xe - -# Docker Repo e.g. dcso/misp-dockerized-proxy -[ -z "$(git remote get-url origin|grep git@)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*:,,'|sed 's,....$,,')" -[ -z "$(git remote get-url origin|grep http)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*github.com/,,'|sed 's,....$,,')" -[ -z "$(echo $GIT_REPO|grep $GITLAB_HOST)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*'${GITLAB_HOST}'/'${GITLAB_GROUP}'/,,'|sed 's,....$,,')" - -CONTAINER_NAME="$(echo $GIT_REPO|cut -d / -f 2|tr '[:upper:]' '[:lower:]')" - -[ -z "$INTERNAL_REGISTRY_HOST" ] && DOCKER_REPO="dcso/$CONTAINER_NAME" -[ -z "$INTERNAL_REGISTRY_HOST" ] || DOCKER_REPO="$INTERNAL_REGISTRY_HOST/$CONTAINER_NAME" - - -# Lookup to all build versions of the current docker container -ALL_BUILD_DOCKER_VERSIONS=$(docker images --format '{{.Repository}}={{.Tag}}'|grep $DOCKER_REPO|cut -d = -f 2) - - - -for i in $ALL_BUILD_DOCKER_VERSIONS -do - docker push $DOCKER_REPO:$i -done \ No newline at end of file diff --git a/.travis/tagging.sh b/.travis/tagging.sh deleted file mode 100755 index 0c28def..0000000 --- a/.travis/tagging.sh +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/bin/bash -# Set an option to exit immediately if any error appears -set -xv - -echo "### Show Images before Tagging:" -docker images - -# Docker Repo e.g. dcso/misp-dockerized-proxy -[ -z "$(git remote get-url origin|grep git@)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*:,,'|sed 's,....$,,')" -[ -z "$(git remote get-url origin|grep http)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*github.com/,,'|sed 's,....$,,')" -[ -z "$GITLAB_HOST" ] || [ -z "$(echo $GIT_REPO|grep $GITLAB_HOST)" ] || GIT_REPO="$(git remote get-url origin|sed 's,.*'${GITLAB_HOST}'/'${GITLAB_GROUP}'/,,'|sed 's,....$,,')" - -CONTAINER_NAME="$(echo $GIT_REPO|cut -d / -f 2|tr '[:upper:]' '[:lower:]')" - -[ -z "$INTERNAL_REGISTRY_HOST" ] && DOCKER_REPO="dcso/$CONTAINER_NAME" -[ -z "$INTERNAL_REGISTRY_HOST" ] || DOCKER_REPO="$INTERNAL_REGISTRY_HOST/$CONTAINER_NAME" - -# Create the Array -FOLDER_ARRAY=( */) -FOLDER_ARRAY=( "${FOLDER_ARRAY[@]%/}" ) -# How many items in your Array: -index=${#FOLDER_ARRAY[@]} - -# SORT ARRAY -IFS=$'\n' - sorted=($(sort <<<"${FOLDER_ARRAY[*]}")) -unset IFS - -# Latest Version -LATEST=$(echo ${sorted[$index-1]}|cut -d- -f 1) - -# All Latest Major Versions -MAJOR_LATEST="" -# Run over all FOLDER versions and add all first digit numbers -for i in ${sorted[@]} -do - # change from 1.0-ubuntu -> 1 - CURRENT_MAJOR_VERSION="$(echo $i|cut -d . -f 1)" - CURRENT_MINOR_VERSION="$(echo $i|cut -d . -f 2|cut -d - -f 1)" - - # Check if there is any Version available for the current MAJOR version: - [ -z ${MAJOR_LATEST[$CURRENT_MAJOR_LATEST]} ] && MAJOR_LATEST[$CURRENT_MAJOR_VERSION]=$i && continue - - # change the Folder Name which are written into the Array on position of the current_major_version from 1.0-ubuntu to 1 - LIST_MINOR_VERSION=$(echo ${MAJOR_LATEST[$CURRENT_MAJOR_VERSION]}|cut -d . 
-f 2|cut -d - -f 1) - # Check if the current minor digit from Elelement i is higher than the one which are saved in the array - [[ $LIST_MINOR_VERSION < $CURRENT_MINOR_VERSION ]] && MAJOR_LATEST[$CURRENT_MAJOR_VERSION]=$i && continue -done - - -# Lookup to all build versions of the current docker container -ALL_BUILD_DOCKER_VERSIONS=$(docker images --format '{{.Repository}}={{.Tag}}'|grep $DOCKER_REPO|cut -d = -f 2) - -# Tag Latest + Version Number -for i in $ALL_BUILD_DOCKER_VERSIONS -do - VERSION=$(echo $i|cut -d- -f 1) # for example 1.0 - BASE=$(echo $i|cut -d- -f 2) # for example ubuntu - MAJOR_VERSION="$(echo $i|cut -d . -f 1)" # for example 1 - - # Add latest Tag - [ $VERSION == $LATEST ] && docker tag $DOCKER_REPO:$i $DOCKER_REPO:latest-dev - - # Add latest Major Version Tag - for k in ${MAJOR_LATEST[@]} - do - CURRENT_MAJOR_VERSION="$(echo $k|cut -d . -f 1)" - [ $i == $k"-dev" ] && docker tag $DOCKER_REPO:$i $DOCKER_REPO:$CURRENT_MAJOR_VERSION-dev - done - -done - -echo "### Show Images after Tagging:" -docker images diff --git a/.travis/travis-cli.sh b/.travis/travis-cli.sh deleted file mode 100755 index dc09914..0000000 --- a/.travis/travis-cli.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash - -#examples: -#lint .travis.yml - -# travis cli -function check_via_travis_cli(){ - docker run -ti -v $(pwd):/project --rm skandyla/travis-cli "$1" "$2" $3 -} - -while (($#)); do - case "${1}" in - check) - check_via_travis_cli lint .travis.yml - exit 0 - ;; - encrypt) - [ -z $2 ] && [ -z $3 ] && echo -e "Please use the command as followed:\n$@ " && exit 1 - check_via_travis_cli encrypt "$2=$3" "$4" - exit 0 - ;; - *) - exit 1 - esac -done \ No newline at end of file diff --git a/1.0-alpine/.gitlab-ci.yml b/1.0-alpine/.gitlab-ci.yml index 057f2bf..8bde9c5 100644 --- a/1.0-alpine/.gitlab-ci.yml +++ b/1.0-alpine/.gitlab-ci.yml 
@@ -2,3 +2,13 @@ build 1.0-alpine: extends: .build variables: VERSION: "1.0-alpine" + TAGS: "${VERSION}-dev 1.0.0-alpine-dev" + RELEASE_DATE: 2018-11 + +test 1.0-alpine: + extends: .test + variables: + VERSION: "1.0-alpine" + only: + changes: + - 1.0-alpine/* \ No newline at end of file diff --git a/1.0-alpine/configuration.sh b/1.0-alpine/configuration.sh deleted file mode 100644 index 907da7b..0000000 --- a/1.0-alpine/configuration.sh +++ /dev/null @@ -1,5 +0,0 @@ -################################################## -# Build Arguments -BUILD_ARGS=" -" -################################################## diff --git a/1.1-alpine/.gitlab-ci.yml b/1.1-alpine/.gitlab-ci.yml index 47b9600..b588e57 100644 --- a/1.1-alpine/.gitlab-ci.yml +++ b/1.1-alpine/.gitlab-ci.yml @@ -2,3 +2,13 @@ build 1.1-alpine: extends: .build variables: VERSION: "1.1-alpine" + TAGS: "${VERSION}-dev 1.0.1-alpine-dev" + RELEASE_DATE: 2018-11 + +test 1.1-alpine: + extends: .test + variables: + VERSION: "1.1-alpine" + only: + changes: + - 1.1-alpine/* \ No newline at end of file diff --git a/1.1-alpine/configuration.sh b/1.1-alpine/configuration.sh deleted file mode 100644 index 907da7b..0000000 --- a/1.1-alpine/configuration.sh +++ /dev/null @@ -1,5 +0,0 @@ -################################################## -# Build Arguments -BUILD_ARGS=" -" -################################################## diff --git a/1.2-alpine/.gitlab-ci.yml b/1.2-alpine/.gitlab-ci.yml index 3e1fc9d..581ad78 100644 --- a/1.2-alpine/.gitlab-ci.yml +++ b/1.2-alpine/.gitlab-ci.yml @@ -2,3 +2,13 @@ build 1.2-alpine: extends: .build variables: VERSION: "1.2-alpine" + TAGS: "${VERSION}-dev 1.0.2-alpine-dev" + RELEASE_DATE: 2018-11 + +test 1.2-alpine: + extends: .test + variables: + VERSION: "1.2-alpine" + only: + changes: + - 1.2-alpine/* \ No newline at end of file diff --git a/1.2-alpine/configuration.sh b/1.2-alpine/configuration.sh deleted file mode 100644 index 907da7b..0000000 --- a/1.2-alpine/configuration.sh +++ /dev/null 
@@ -1,5 +0,0 @@ -################################################## -# Build Arguments -BUILD_ARGS=" -" -################################################## diff --git a/1.3-alpine/.gitlab-ci.yml b/1.3-alpine/.gitlab-ci.yml index 66bcf80..d7ee0ce 100644 --- a/1.3-alpine/.gitlab-ci.yml +++ b/1.3-alpine/.gitlab-ci.yml @@ -2,6 +2,8 @@ build 1.3-alpine: extends: .build variables: VERSION: "1.3-alpine" + TAGS: "${VERSION}-dev" + RELEASE_DATE: 2018-12 test 1.3-alpine: extends: .test diff --git a/1.3-alpine/configuration.sh b/1.3-alpine/configuration.sh deleted file mode 100644 index 907da7b..0000000 --- a/1.3-alpine/configuration.sh +++ /dev/null @@ -1,5 +0,0 @@ -################################################## -# Build Arguments -BUILD_ARGS=" -" -################################################## diff --git a/1.4-alpine/.gitlab-ci.yml b/1.4-alpine/.gitlab-ci.yml index af8c85a..f7115fc 100644 --- a/1.4-alpine/.gitlab-ci.yml +++ b/1.4-alpine/.gitlab-ci.yml @@ -2,6 +2,8 @@ build 1.4-alpine: extends: .build variables: VERSION: "1.4-alpine" + TAGS: "${VERSION}-dev" + RELEASE_DATE: 2018-12 test 1.4-alpine: extends: .test diff --git a/1.4-alpine/configuration.sh b/1.4-alpine/configuration.sh deleted file mode 100644 index 907da7b..0000000 --- a/1.4-alpine/configuration.sh +++ /dev/null @@ -1,5 +0,0 @@ -################################################## -# Build Arguments -BUILD_ARGS=" -" -################################################## diff --git a/1.5-alpine/.gitlab-ci.yml b/1.5-alpine/.gitlab-ci.yml index 8654b7d..07eac2b 100644 --- a/1.5-alpine/.gitlab-ci.yml +++ b/1.5-alpine/.gitlab-ci.yml @@ -2,6 +2,9 @@ build 1.5-alpine: extends: .build variables: VERSION: "1.5-alpine" + #DEBUG: "true" + TAGS: "${VERSION}-dev" + RELEASE_DATE: 2018-12 test 1.5-alpine: extends: .test diff --git a/1.5-alpine/configuration.sh b/1.5-alpine/configuration.sh deleted file mode 100644 index 0878eb3..0000000 --- a/1.5-alpine/configuration.sh +++ /dev/null 
@@ -1,6 +0,0 @@ -################################################## -# Build Arguments -BUILD_ARGS=" - --build-arg RELEASE_DATE=2018-12 -" -################################################## diff --git a/1.6-alpine/.gitlab-ci.yml b/1.6-alpine/.gitlab-ci.yml new file mode 100644 index 0000000..3bf4933 --- /dev/null +++ b/1.6-alpine/.gitlab-ci.yml @@ -0,0 +1,14 @@ +build 1.6-alpine: + extends: .build + variables: + VERSION: "1.6-alpine" + RELEASE_DATE: 2019-06 + TAGS: "$VERSION-dev latest-dev 1-dev" + +test 1.6-alpine: + extends: .test + variables: + VERSION: "1.6-alpine" + only: + changes: + - 1.6-alpine/* \ No newline at end of file diff --git a/1.6-alpine/Dockerfile b/1.6-alpine/Dockerfile new file mode 100644 index 0000000..6565c51 --- /dev/null +++ b/1.6-alpine/Dockerfile 
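Review bot: `TAGS: "$VERSION-dev latest-dev 1-dev"` in the new `1.6-alpine/.gitlab-ci.yml` references the variable without braces, while the sibling files touched by this commit (1.0- through 1.5-alpine) write `${VERSION}-dev`; the unbraced form works because `-` cannot be part of a variable name, but the mixed style invites a later edit such as `$VERSION_dev` that silently names a different variable. Use `TAGS: "${VERSION}-dev latest-dev 1-dev"` for consistency with the other job files. It would also help to say where `TAGS` and `RELEASE_DATE` are consumed (presumably the shared `.build` template in the root `.gitlab-ci.yml`, which is not on this page), e.g. `# TAGS: space-separated image tags applied by the .build template`.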
@@ -0,0 +1,77 @@ +FROM nginx:stable-alpine + +# Install Curl for Healthcheck +RUN apk add --no-cache \ + curl \ + openssl \ + apache2-utils + +# Copy the NGINX configs +COPY files/nginx/conf.d/* /etc/nginx/conf.d/ + +# rename orig nginx.conf && place own nginx.conf +RUN mv /etc/nginx/nginx.conf /etc/nginx/nginx.orig \ + # Link own Global NGINX configuration to /etc/nginx/nginx.conf + && ln -s /etc/nginx/conf.d/GLOBAL_nginx_common /etc/nginx/nginx.conf \ + # Remove default configuration + && rm -f /etc/nginx/conf.d/default.conf \ + # create self signed cert + && mkdir -p /etc/nginx/ssl; + +# Add Healthcheck Config + HEALTHCHECK --interval=2m --timeout=15s --retries=3 CMD curl -fk https://localhost/ || exit 1 + +# COPY Entrypoint script + COPY files/entrypoint_nginx.sh / +# Activate Entrypoint + ENTRYPOINT [ "/entrypoint_nginx.sh" ] +# Expose Ports + EXPOSE 443 80 + + +# Variables for Labels: +ARG VENDOR="DCSO GmbH" +ARG COMPONENT="proxy" +ARG BUILD_DATE +ARG GIT_REPO +ARG VCS_REF +ARG VERSION +ARG RELEASE_DATE +ARG NAME="MISP-dockerized-${COMPONENT}" +ARG DESCRIPTION="This docker container is part of the DCSO MISP dockerized environment." 
+ARG DOCUMENTATION="https://github.com/DCSO/MISP-dockerized" +ARG AUTHOR="DCSO MISP Docker Team " +ARG LICENSE="BSD-3-Clause" +# END Variables + +# Environment Variable to check Version +ENV NAME ${NAME} \ + VERSION ${VERSION} \ + RELEASE_DATE ${RELEASE_DATE} + + + +######################################### +LABEL org.label-schema.build-date="${BUILD_DATE}" \ + org.label-schema.name="${NAME}" \ + org.label-schema.description="${DESCRIPTION}" \ + org.label-schema.vcs-ref="${VCS_REF}" \ + org.label-schema.vcs-url="${GIT_REPO}" \ + org.label-schema.url="${GIT_REPO}" \ + org.label-schema.vendor="${VENDOR}" \ + org.label-schema.version="${VERSION}" \ + org.label-schema.usage="${DOCUMENTATION}" \ + org.label-schema.schema-version="1.0.0-rc1" + +LABEL org.opencontainers.image.created="${BUILD_DATE}" \ + org.opencontainers.image.url="${GIT_REPO}" \ + org.opencontainers.image.source="${GIT_REPO}" \ + org.opencontainers.image.version="${VERSION}" \ + org.opencontainers.image.revision="${VCS_REF}" \ + org.opencontainers.image.vendor="${VENDOR}" \ + org.opencontainers.image.title="${NAME}" \ + org.opencontainers.image.description="${DESCRIPTION}" \ + org.opencontainers.image.documentation="${DOCUMENTATION}" \ + org.opencontainers.image.authors="${AUTHOR}" \ + org.opencontainers.image.licenses="${LICENSE}" +######################################### diff --git a/1.6-alpine/files/entrypoint_nginx.sh b/1.6-alpine/files/entrypoint_nginx.sh new file mode 100644 index 0000000..08e2ba7 --- /dev/null +++ b/1.6-alpine/files/entrypoint_nginx.sh 
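Review bot: The `ENV NAME ${NAME} \ VERSION ${VERSION} \ RELEASE_DATE ${RELEASE_DATE}` block uses the legacy single-variable `ENV <key> <value>` form, so everything after `NAME` becomes the value of `NAME` and `VERSION` and `RELEASE_DATE` are never set as environment variables; write it as `ENV NAME=${NAME} VERSION=${VERSION} RELEASE_DATE=${RELEASE_DATE}`. The healthcheck's `curl -fk https://localhost/` skips certificate verification, which is expected because the entrypoint in this commit generates a self-signed certificate, but a comment would stop the next reader from taking it for an oversight: `# -k: the container's own certificate is self-signed`. The `ARG AUTHOR="DCSO MISP Docker Team "` value ends in a trailing space that ends up verbatim in the `org.opencontainers.image.authors` label; trim it or add the contact address that presumably belonged there.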
@@ -0,0 +1,275 @@ +#!/bin/sh +set -eu + +# Variables +NC='\033[0m' # No Color +Light_Green='\033[1;32m' +STARTMSG="${Light_Green}[ENTRYPOINT_PROXY]${NC}" +SSL_DH_FILE="/etc/nginx/ssl/dhparams.pem" +SSL_KEY="/etc/nginx/ssl/key.pem" +SSL_CERT="/etc/nginx/ssl/cert.pem" +VARS_COMMON="/etc/nginx/conf.d/vars_common" +GLOBAL_allow_IPs="/etc/nginx/conf.d/GLOBAL_allow_IPs" +HTTPS_CONFIG="/etc/nginx/conf.d/SERVER_HTTPS_and_redirected_HTTP" +HTTP_CONFIG="/etc/nginx/conf.d/SERVER_HTTP_only" +MAINTENANCE_CONFIG="/etc/nginx/conf.d/SERVER_MAINTENANCE" +STATUS_CONFIG_FILE="/etc/nginx/conf.d/status.conf" +PID_CERT_CREATER="/etc/nginx/ssl/SSL_create.pid" +MAINTENANCE_HTML_PATH="/var/www/maintenance" +MAINTENANCE_HTML_FILE="$MAINTENANCE_HTML_PATH/index.html" +SSL_PASSPHRASE_FILE="/etc/nginx/ssl/ssl.passphrase" + +# Functions +echo (){ + command echo -e "$STARTMSG $*" +} + + +# Environment +MISP_FQDN=${MISP_FQDN:-"misp.example.com"} +MAIL_CONTACT_ADDRESS=${MAIL_CONTACT_ADDRESS:-"no-reply@$MISP_FQDN"} +PROXY_IP_RESTRICTION=${PROXY_IP_RESTRICTION:-"all"} +PROXY_HTTPS_PORT=${PROXY_HTTPS_PORT:-"443"} +PROXY_HTTP_PORT=${PROXY_HTTP_PORT:-"80"} +PROXY_QUESTION_USE_IP_RESTRICTION=${PROXY_QUESTION_USE_IP_RESTRICTION:-"yes"} +PROXY_CLIENT_MAX_BODY_SIZE=${PROXY_CLIENT_MAX_BODY_SIZE:-"50M"} +PROXY_BASIC_AUTH_USER=${PROXY_BASIC_AUTH_USER:-} +PROXY_BASIC_AUTH_PASSWORD=${PROXY_BASIC_AUTH_PASSWORD:-} +SSL_PASSPHRASE=${SSL_PASSPHRASE:-} +SSL_PASSPHRASE_ENABLE=${SSL_PASSPHRASE_ENABLE:-"no"} + +#Functions +ssl_generate_cert(){ + # If a valid SSL certificate is not already created for the server, create a self-signed certificate: + i=0 + while [ -f "$PID_CERT_CREATER.server" ] + do + echo "$(date +%T) - misp-server container create currently the certificate. misp-proxy until misp-server is finish." + # added to escape a deadlock from proxy 1.4-alpine with misp server 2.4.97-2.4.99. 
+ i=$((i+1)) + sleep 2 + [ "$i" -eq 30 ] && rm "$PID_CERT_CREATER.server" + # END added to escape a deadlock from proxy 1.4-alpine with misp server 2.4.97-2.4.99. + done + + ( [ ! -f "$SSL_CERT" ] && [ ! -f "$SSL_KEY" ] ) && touch "$PID_CERT_CREATER.proxy" && echo "Create SSL Certificate..." && openssl req -x509 -newkey rsa:4096 -keyout "$SSL_KEY" -out "$SSL_CERT" -days 365 -sha256 -subj "'/CN=${MISP_FQDN}'" -nodes && rm "$PID_CERT_CREATER.proxy" --extfile openssl.cnf + + echo "... ssl_generate_cert...finished" +} + +ssl_generate_DH(){ + # If a valid SSL certificate is not already created for the server, create a self-signed certificate: + i=0 + while [ -f "$PID_CERT_CREATER.server" ] + do + echo "$(date +%T) - misp-server container create currently the certificate. misp-proxy until misp-server is finish." + # added to escape a deadlock from proxy 1.4-alpine with misp server 2.4.97-2.4.99. + i=$((i+1)) + sleep 2 + [ "$i" -eq 30 ] && rm "$PID_CERT_CREATER.server" + # END added to escape a deadlock from proxy 1.4-alpine with misp server 2.4.97-2.4.99. + done + + [ ! -f "$SSL_DH_FILE" ] && touch "$PID_CERT_CREATER.proxy" && echo "Create DH params - This can take a long time, so take a break and enjoy a cup of tea or coffee." && openssl dhparam -out $SSL_DH_FILE 2048 && rm $PID_CERT_CREATER.proxy + echo "... ssl_generate_DH...finished" +} + +ssl_passphrase() { + if [ "$SSL_PASSPHRASE_ENABLE" = "yes" ] + then + # Check if SSL_PASSPHRASE as environment variable exists, if not use file + if [ -n "$SSL_PASSPHRASE" ] + then + echo "... ... Copy environment variable into file..." + command echo "$SSL_PASSPHRASE" > "$SSL_PASSPHRASE_FILE" + echo "... ... Copy environment variable into file...finished" + else + echo "... ... No Environment variable exists will try passphrase file..." + if [ ! -f "$SSL_PASSPHRASE_FILE" ] + then + echo "... ... No passphrase file found: $SSL_PASSPHRASE_FILE" + echo "... ... Please add your file in config/ssl/" + echo "... ... 
For more information please go to: https://dcso.github.io/MISP-dockerized-docs/admin/ssl_passphrase.html" + echo "... ... Exit now." + exit 1 + fi + fi + # Activate configuration + sed -i "s,.*#ssl_password_file.*,ssl_password_file ${SSL_PASSPHRASE_FILE};," "$HTTPS_CONFIG.conf" + # write in disabled maintenance config + [ -f "$MAINTENANCE_CONFIG" ] && sed -i "s,.*#ssl_password_file.*,ssl_password_file ${SSL_PASSPHRASE_FILE};," "$MAINTENANCE_CONFIG" + # write in enabled maintenance config + [ -f "$MAINTENANCE_CONFIG.conf" ] && sed -i "s,.*#ssl_password_file.*,ssl_password_file ${SSL_PASSPHRASE_FILE};," "$MAINTENANCE_CONFIG.conf" + echo "... ... Passphrase file mode enabled." + else + echo "... SSL passphrase mode is deactivated." + fi +} + +deactivate_http_config(){ + [ -f "$HTTP_CONFIG.conf" ] && echo "mv $HTTP_CONFIG.conf $HTTP_CONFIG" && mv "$HTTP_CONFIG.conf" "$HTTP_CONFIG" + echo "... deactivate_http_config...finished" +} + +activate_https_config() { + [ -f "$HTTPS_CONFIG" ] && echo "mv $HTTPS_CONFIG $HTTPS_CONFIG.conf" && mv "$HTTPS_CONFIG" "$HTTPS_CONFIG.conf" + echo "... activate_https_config...finished" +} + +file_global_allow_ips(){ +IP="$1" + + +if [ -z "$IP" ] || [ "$PROXY_QUESTION_USE_IP_RESTRICTION" != "yes" ] +then + # If no param is given allow all IP +cat << EOF > $GLOBAL_allow_IPs +allow all; +EOF +else + # If param is given include only the valid ips + [ -f $GLOBAL_allow_IPs ] && rm $GLOBAL_allow_IPs + for i in $IP + do +cat << EOF >> $GLOBAL_allow_IPs +allow $i; +EOF + done + fi + + chmod 644 $GLOBAL_allow_IPs + echo "... file_global_allow_ips...finished" +} + +file_vars_common() +{ +cat << EOF > $VARS_COMMON +server_name $MISP_FQDN; +client_max_body_size $PROXY_CLIENT_MAX_BODY_SIZE; + +EOF +chmod 644 $VARS_COMMON +echo "... file_vars_common...finished" +} + +file_maintenance_html(){ + +[ ! -d $MAINTENANCE_HTML_PATH ] && echo "... ... 
mkdir -p $MAINTENANCE_HTML_PATH" && mkdir -p $MAINTENANCE_HTML_PATH; # Add directory for maintenance File + Copy Maintenance config + +cat << EOF > $MAINTENANCE_HTML_FILE + +Site Maintenance + + +
+

We’ll be back soon!

+
+

Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise we’ll be back online shortly!

+

— Your MISP Support Team

+
+
+ +EOF +echo "... file_maintenance_html...finished" +} + + +file_status_conf() { + ALLOWED_IP_RANGE="" + for i in $(ip a|grep global|cut -d " " -f 6) + do + if grep "127.0.0.1" "$i"; then continue; fi + ALLOWED_IP_RANGE="${ALLOWED_IP_RANGE}allow $i; " + done + cat << EOF > $STATUS_CONFIG_FILE + server { + listen 82; + + location /stub_status { + stub_status on; + access_log off; + $ALLOWED_IP_RANGE + deny all; + } + } + +EOF + echo "... file_status_conf...finished" +} + +generate_basic_auth(){ + ( [ -z "$PROXY_BASIC_AUTH_USER" ] || [ -z "$PROXY_BASIC_AUTH_PASSWORD" ] ) && echo "Please set PROXY_BASIC_AUTH_PASSWORD and PROXY_BASIC_AUTH_USER environment variables." && exit 1 + # Create a new basic_auth password file (-c), with bcrypt algorithm (-B) and read the password form commandline (-b) + htpasswd -cBb /etc/nginx/passwords "$PROXY_BASIC_AUTH_USER" "$PROXY_BASIC_AUTH_PASSWORD" +} + +enable_maintenance(){ + # deactivate https + [ -f $HTTPS_CONFIG.conf ] && echo "mv $HTTPS_CONFIG.conf $HTTPS_CONFIG" && mv $HTTPS_CONFIG.conf $HTTPS_CONFIG + [ -f $MAINTENANCE_CONFIG ] && echo "mv $MAINTENANCE_CONFIG $MAINTENANCE_CONFIG.conf" && mv $MAINTENANCE_CONFIG $MAINTENANCE_CONFIG.conf + nginx -t + echo "... enable_maintenance...finished" + exit +} + +disable_maintenance(){ + [ -f $HTTPS_CONFIG ] && echo "mv $HTTPS_CONFIG $HTTPS_CONFIG.conf" && mv $HTTPS_CONFIG $HTTPS_CONFIG.conf + [ -f $MAINTENANCE_CONFIG.conf ] && echo "mv $MAINTENANCE_CONFIG.conf $MAINTENANCE_CONFIG" && mv $MAINTENANCE_CONFIG.conf $MAINTENANCE_CONFIG + nginx -t + echo "... disable_maintenance...finished" + exit +} + + + +# +##################### MAIN ################### +# +# generate vars_common +echo "Create variables file..." && file_vars_common +# generate global_allow_IPs +echo "Create file for IP restrictions..." && file_global_allow_ips "$PROXY_IP_RESTRICTION" +# check if ssl cert is required to generate +echo "Check if cert is required..." 
&& ssl_generate_cert +# check if DH file is required to generate +echo "Check if DH is required..." && ssl_generate_DH +# check if SSL passphrase file is required to generate +echo "Check if SSL passphrase is required..." && ssl_passphrase +# create maintenance file +echo "Create maintenance file..." && file_maintenance_html +# create status config for monitoring +echo "Create status config for monitoring..." && file_status_conf +# create basic_auth file +echo "Create Basic Auth File..." && generate_basic_auth + +# activate maintenance +[ "${1-}" = "enable-maintenance" ] && echo "Enable Maintenante mode..." && enable_maintenance + +# deactivate maintenance +[ "${1-}" = "disable-maintenance" ] && echo "Disable Maintenante mode..." && disable_maintenance + + +# test nginx config +if ! nginx -t +then + echo "NGINX configurations failed. Exit now." + exit 1 +fi + + +# check if a command parameter exists +if [ $# = 0 ] +then + exec nginx -g "daemon off;" +else + # execute any COMMAND + exec nginx -g "daemon off;" & + exec "$@" +fi diff --git a/.old/1.0.0-ubuntu/files/GLOBAL_nginx_common b/1.6-alpine/files/nginx/conf.d/GLOBAL_nginx_common similarity index 92% rename from .old/1.0.0-ubuntu/files/GLOBAL_nginx_common rename to 1.6-alpine/files/nginx/conf.d/GLOBAL_nginx_common index 970307d..4f22d1c 100644 --- a/.old/1.0.0-ubuntu/files/GLOBAL_nginx_common +++ b/1.6-alpine/files/nginx/conf.d/GLOBAL_nginx_common @@ -34,13 +34,15 @@ http { # Logging Settings ## - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - log_format main '$host - $remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; - # access_log /var/log/nginx/access.log main; + + #access_log /var/log/nginx/access.log; + access_log /dev/stdout main; + #error_log /var/log/nginx/error.log; + error_log /dev/stderr; + #access_log /var/log/nginx/access_main__log_format.log main; ## 
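Review bot: In `ssl_passphrase`, `command echo "$SSL_PASSPHRASE" > "$SSL_PASSPHRASE_FILE"` creates the passphrase file under the default umask, so the private key's passphrase is readable by every user in the container; add `chmod 600 "$SSL_PASSPHRASE_FILE"` directly after the redirect (the nginx master normally runs as root and reads the file itself, so tightening it should not break startup — worth confirming against the base image). `generate_basic_auth` passes the password on the `htpasswd -cBb` command line, where it is visible in the process table while the tool runs; `printf '%s' "$PROXY_BASIC_AUTH_PASSWORD" | htpasswd -ciB /etc/nginx/passwords "$PROXY_BASIC_AUTH_USER"` reads it from stdin instead. In `ssl_generate_cert`, `-subj "'/CN=${MISP_FQDN}'"` embeds literal single quotes in the subject, and the trailing `--extfile openssl.cnf` is an argument to `rm`, not to `openssl`, so BusyBox `rm` will likely reject it and leave the `.proxy` pid file behind; use `-subj "/CN=${MISP_FQDN}"` and drop the stray option. Note also that `generate_basic_auth` is called unconditionally from the main section and exits the container when the two basic-auth variables are unset, so with the empty defaults at the top of the script the proxy cannot start without them — either document that requirement or guard the call.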
diff --git a/.old/1.0.0-ubuntu/files/GLOBAL_ssl_common.conf b/1.6-alpine/files/nginx/conf.d/GLOBAL_ssl_common.conf similarity index 86% rename from .old/1.0.0-ubuntu/files/GLOBAL_ssl_common.conf rename to 1.6-alpine/files/nginx/conf.d/GLOBAL_ssl_common.conf index bf93604..8dc666b 100644 --- a/.old/1.0.0-ubuntu/files/GLOBAL_ssl_common.conf +++ b/1.6-alpine/files/nginx/conf.d/GLOBAL_ssl_common.conf 
@@ -7,11 +7,11 @@ ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits -ssl_dhparam /etc/nginx/conf.d/ssl/dhparams.pem; +ssl_dhparam /etc/nginx/ssl/dhparams.pem; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1.2; -ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; +ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months / 86400 seconds = 60 days) 
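Review bot: The new `ssl_ciphers` string still ends with the static-RSA suites `AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA`, which provide no forward secrecy; with `ssl_protocols TLSv1.2` already in effect there is no client that needs them, so drop that tail and keep the list to the ECDHE/DHE entries. Removing `DES-CBC3-SHA` and adding `!3DES` is the right direction, but the `# intermediate configuration. tweak to your needs.` comment above now describes a hand-edited list rather than a named profile; replace it with `# locally maintained cipher list (TLS 1.2 only); review when the base image's OpenSSL changes`.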
diff --git a/1.6-alpine/files/nginx/conf.d/SERVER_HTTPS_and_redirected_HTTP.conf b/1.6-alpine/files/nginx/conf.d/SERVER_HTTPS_and_redirected_HTTP.conf new file mode 100644 index 0000000..184a286 --- /dev/null +++ b/1.6-alpine/files/nginx/conf.d/SERVER_HTTPS_and_redirected_HTTP.conf @@ -0,0 +1,66 @@ +# HTTP Config to redirect traffic to HTTPS +upstream monitoring_backend { + server misp-monitoring:19999; + keepalive 1024; +} + +server { + listen 80; + include conf.d/vars_common; + + # redirect to HTTPS + return 301 https://$host$request_uri; + +} + +# HTTPS Config to Proxy traffic to misp-server +server { + listen 443 ssl http2; + + include conf.d/vars_common; + + ssl_certificate /etc/nginx/ssl/cert.pem; + ssl_certificate_key /etc/nginx/ssl/key.pem; + #ssl_password_file /etc/nginx/ssl/ssl.passphrase; + + location / { + include conf.d/misp_vars_proxy; + } + + location = /monitoring { + return 301 /monitoring/; + } + + location ~ /monitoring/(?.*) { + auth_basic "Protected"; + auth_basic_user_file passwords; + + proxy_redirect off; + proxy_set_header Host $host; + + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_pass_request_headers on; + proxy_set_header Connection "keep-alive"; + proxy_store off; + + proxy_pass http://monitoring_backend/$ndpath$is_args$args; + + gzip on; + gzip_proxied any; + gzip_types *; + + # Block any HTTP requests other than GET, HEAD, and OPTIONS + limit_except GET HEAD OPTIONS { + deny all; + } + + # WordPress Pingback Request Denial + if ($http_user_agent ~* "WordPress") { + return 403; + } + } + +} diff --git a/1.6-alpine/files/nginx/conf.d/SERVER_MAINTENANCE b/1.6-alpine/files/nginx/conf.d/SERVER_MAINTENANCE new file mode 100644 index 0000000..1c55dae --- /dev/null +++ b/1.6-alpine/files/nginx/conf.d/SERVER_MAINTENANCE 
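Review bot: The port-80 server's `return 301 https://$host$request_uri;` reflects the client-supplied Host header into the redirect; since this is the only server listening on port 80 it answers every Host value, so a request carrying a foreign Host is redirected to that host rather than to MISP. Use `return 301 https://$server_name$request_uri;` — `server_name` comes from `conf.d/vars_common`, which the entrypoint in this commit fills from `MISP_FQDN`. The `location ~ /monitoring/(?.*)` regex as printed here carries no capture name although `$ndpath` is used below; if that is only an artefact of how the page was rendered, fine, otherwise nginx will reject the config, and in either case the pattern should be anchored, `location ~ ^/monitoring/(?<ndpath>.*)`, so that `/anything/monitoring/` does not match. Finally, `proxy_set_header Connection "keep-alive";` should be `proxy_set_header Connection "";` for the `keepalive` upstream, which is what nginx's `keepalive` directive documentation asks for alongside `proxy_http_version 1.1`.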
@@ -0,0 +1,14 @@ +# HTTP / HTTPS Config for maintenance +server { + listen 80; + listen 443 ssl http2; + include conf.d/vars_common; + + # SSL Certificate and Key + ssl_certificate /etc/nginx/ssl/cert.pem; + ssl_certificate_key /etc/nginx/ssl/key.pem; + #ssl_password_file /etc/nginx/ssl/ssl.passphrase; + + root /var/www/maintenance; + index index.html; +} \ No newline at end of file diff --git a/.old/1.0.0-ubuntu/files/vars_proxy b/1.6-alpine/files/nginx/conf.d/misp_vars_proxy similarity index 94% rename from .old/1.0.0-ubuntu/files/vars_proxy rename to 1.6-alpine/files/nginx/conf.d/misp_vars_proxy index ee58ff0..25348f9 100644 --- a/.old/1.0.0-ubuntu/files/vars_proxy +++ b/1.6-alpine/files/nginx/conf.d/misp_vars_proxy @@ -20,6 +20,10 @@ proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Accept-Encoding ""; proxy_set_header Connection ""; +proxy_buffering off; +proxy_request_buffering off; +proxy_intercept_errors on; + # Determines whether SSL sessions can be reused when working with the proxied server. # If the errors “SSL3_GET_FINISHED:digest check failed” appear in the logs, # try disabling session reuse. Default: @@ -39,4 +43,5 @@ proxy_read_timeout 300; # 200, 201 (1.3.10), 204, 206, 301, 302, 303, 304, 307 (1.1.16, 1.0.13), or 308 (1.13.0). # The value can contain variables. # If the always parameter is specified (1.7.5), the header field will be added regardless of the response code -add_header Cache-Control "public, must-revalidate"; \ No newline at end of file +add_header Cache-Control "public, must-revalidate"; +
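Review bot: `proxy_intercept_errors on;` in the first `misp_vars_proxy` hunk only changes behaviour when an `error_page` directive handles the intercepted status, and no `error_page` is visible in this hunk or in the new server files on this page; if the intent is to show the maintenance page on upstream 502/503/504, an `error_page 502 503 504 /index.html;` with a matching `root` would need to accompany it, otherwise the directive is inert and a comment stating the intent would help. The enclosing file continues outside the hunk, so an `error_page` elsewhere in it would resolve this. Together with `proxy_buffering off;`, also note that `proxy_intercept_errors` requires the response headers to be read before the decision, which buffering off does not prevent, so the combination is valid as written.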