
Merge pull request #17 from Krocodial/feature-3

Feature 3
Krocodial committed Jun 6, 2019
2 parents 0e6ace3 + 759f43f commit 05b2bcd3ec15209423200b78ef5c379ebf1c6636
Showing with 46 additions and 38 deletions.
  1. +4 −4 Jenkinsfile
  2. +4 −2 README.md
  3. +22 −30 conf/Dockerfile
  4. +4 −0 conf/nginx.conf
  5. +2 −2 openshift/templates/classy-dc.json
  6. +10 −0 openshift/templates/nginx-dc.json
@@ -38,7 +38,7 @@ def intTests(String env, String pr_num) {
pods.objects()[0].metadata.name,
"--",
"bash -c '\
cd /opt/app-root/src; \
cd /opt/app-root; \
python manage.py test integration-tests \
'"
)
@@ -69,7 +69,7 @@ def unitTests(String env, String pr_num) {
pods.objects()[0].metadata.name,
"--",
"bash -c '\
cd /home/classy; \
cd /opt/app-root; \
python manage.py test tests/unit-tests --noinput \
'"
)
@@ -183,7 +183,7 @@ pipeline {
APP_NAME = 'classy'

GIT_REPOSITORY = 'https://github.com/Krocodial/classy.git'
GIT_REF = 'release-2'
GIT_REF = 'feature-3'

PR_NUM = "${BUILD_NUMBER}"

@@ -227,7 +227,7 @@ pipeline {

agent any
options {
timeout(time: 40, unit: 'MINUTES')
timeout(time: 50, unit: 'MINUTES')
}
stages {
stage('preamble & sweeping floor') {
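Review bot: `GIT_REF = 'feature-3'` in the pipeline `environment` block appears to be the new value (inferred from the print order and the PR name), which would leave the merged pipeline cloning a feature branch rather than a release ref. A feature branch can be force-pushed or deleted, so later builds may deploy code that was never reviewed through this PR; point it at the release branch or a tag, or take it from a job parameter, before merging. In `intTests` and `unitTests`, `cd /opt/app-root; \` continues even if the directory is missing; `cd /opt/app-root && \` makes the test step fail at the real cause. The `pipeline` block and both functions start and end outside these hunks.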
@@ -12,6 +12,8 @@ Release 2.0.0
## Technology Stack Used
Python ~3.6 (Django)
PostgreSQL 9.6 (or latest)
NGINX 1.15.12
ModSecurity v3.2

## Getting Started
These instructions will help you get a quick copy of the project up and running for development and testing purposes. See deployment if you want more in-depth setup instructions
@@ -78,7 +80,7 @@ $ source envs/bin/activate
$ python manage.py runserver <host>:<port>
```

Congratz! You now have a running metadata classification repo
Congratulations! You now have a running metadata classification repository

# Deployment

@@ -108,7 +110,7 @@ Authorization is a customization of Django's provided authorization functionalit

Policies for use will be provided by the FLNR security team.

tes


## Files in this repository
```sh
@@ -1,46 +1,38 @@
#ARG docker_repo=classy
#RUN echo '${docker_repo}'
FROM owasp/modsecurity:3-nginx
RUN echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list && \
apt-get update && \
apt-get install -y certbot python-certbot-nginx -t stretch-backports

#FROM "${docker_repo}" as builder
#FROM docker-registry.default.svc:5000/l9fjgg-tools/classy as builder
#RUN python manage.py collectstatic --noinput
#RUN chmod -R +r conf
WORKDIR /opt/modsecurity
RUN wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.1.0.tar.gz && \
tar xzvf v3.1.0.tar.gz && \
cp /opt/modsecurity/owasp-modsecurity-crs-3.1.0/crs-setup.conf.example /etc/modsecurity.d/crs-setup.conf && \
cp -r /opt/modsecurity/owasp-modsecurity-crs-3.1.0/rules /etc/modsecurity.d/rules

FROM nginx
#FROM registry.access.redhat.com/rhscl/nginx-112-rhel7
WORKDIR /etc/nginx
RUN echo "include /etc/modsecurity.d/crs-setup.conf\ninclude /etc/modsecurity.d/rules/*.conf" >> /etc/modsecurity.d/include.conf

#RUN rm -rf /usr/share/nginx/html/*
RUN rm -f /etc/nginx/conf.d/default.conf
RUN rm -f /etc/nginx/conf.d/*
COPY html/ /var/www/classy/
#COPY --from=builder /home/classy/conf/html /var/www/classy/
COPY conf.d/classy.conf.tmpl /tmp/
COPY nginx.conf /etc/nginx/nginx.conf
#COPY modsecurity.conf /etc/modsecurity.d/modsecurity.conf

RUN sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity.d/modsecurity.conf && \
sed -i 's/SecRequestBodyLimit 13107200/SecRequestBodyLimit 104857600/' /etc/modsecurity.d/modsecurity.conf

#RUN useradd --gid 0 -c "SVR usr" www-svr &&\
RUN touch /var/run/nginx.pid && \
mkdir /etc/nginx/logs
#RUN chown -R www-svr:0 /var/run/nginx.pid
#RUN chown -R www-svr:0 /var/cache/nginx
#RUN chown -R www-svr:0 /usr/share/nginx
#RUN chown -R www-svr:0 /etc/nginx
#RUN chown -R www-svr:0 /var/log/nginx
#RUN chown -R www-svr:0 /tmp/classy.conf.tmpl

#USER www-svr

#RUN ln -sf /dev/stdout /etc/nginx/logs/nginx-proxy.access.log;
#RUN ln -sf /dev/stderr /etc/nginx/logs/nginx-proxy.error.log;

#RUN chmod g+rw /var/run/nginx.pid
RUN chmod -R g+rwx /var/cache/nginx/ && \
chmod -R g+rw /etc/nginx /var/log/nginx /tmp/classy.conf.tmpl /var/run/nginx.pid && \
chmod -R g+r /var/www/classy
#RUN chmod +rw /etc/nginx/conf.d
#RUN chown -R nginx:nginx /usr/share/nginx
#RUN chown -R nginx:nginx /etc/nginx
#USER nginx
chmod -R g+r /var/www/classy && \
touch /var/log/modsec_audit.log && chmod g+rw /var/log/modsec_audit.log
# chmod -R g+r /etc/modsecurity.d/ /opt/
# mkdir -p /opt/modsecurity/uploads/ && \


USER 1001

CMD /bin/bash -c "envsubst < /tmp/classy.conf.tmpl > /etc/nginx/conf.d/classy.conf && exec nginx -g 'daemon off;'"

EXPOSE 1337
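Review bot: The CRS archive fetched by `wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.1.0.tar.gz` is unpacked and installed as the WAF rule set with no integrity check, so the build trusts whatever that URL returns at build time. Verify it before the `tar` step, for example `echo "<sha256-of-v3.1.0.tar.gz>  v3.1.0.tar.gz" | sha256sum -c - && \` (the digest is a placeholder; record the real one from a trusted download). Separately, `sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/'` exits 0 when the pattern is absent, so a change in the base image's default config would silently leave ModSecurity in detection-only mode; follow it with `grep -q '^SecRuleEngine On' /etc/modsecurity.d/modsecurity.conf` so the build fails instead. Both risks are larger because `FROM owasp/modsecurity:3-nginx` is a floating tag; pinning it by digest would make the image contents reproducible.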
@@ -1,3 +1,4 @@
load_module modules/ngx_http_modsecurity_module.so;

worker_processes auto;

@@ -11,6 +12,9 @@ events {


http {
modsecurity on;
modsecurity_rules_file /etc/modsecurity.d/include.conf;

include /etc/nginx/mime.types;
default_type application/octet-stream;

@@ -81,7 +81,7 @@
"name": "upload"
},
"spec": {
"schedule": "* * * * *",
"schedule": "*/5 * * * *",
"concurrencyPolicy": "Forbid",
"successfulJobsHistoryLimit": 3,
"failedJobsHistoryLimit": 1,
@@ -164,7 +164,7 @@
"name": "counter"
},
"spec": {
"schedule": "* * * * *",
"schedule": "*/5 * * * *",
"concurrencyPolicy": "Forbid",
"successfulJobsHistoryLimit": 3,
"failedJobsHistoryLimit": 1,
@@ -165,6 +165,10 @@
{
"mountPath": "/etc/nginx/logs",
"name": "nginx-logs"
},
{
"mountPath": "/opt/modsecurity",
"name": "modsecurity-files"
}
],
"readinessProbe": {
@@ -207,6 +211,12 @@
"persistentVolumeClaim": {
"claimName": "nginx-logs"
}
},
{
"name": "modsecurity-files",
"persistentVolumeClaim": {
"claimName": "modsecurity-files"
}
}
]
}
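Review bot: The new volume references `"claimName": "modsecurity-files"`, but the 10 additions listed for this file are all accounted for by the mount and the volume entry, so no PersistentVolumeClaim object of that name is created here. Unless the claim is defined elsewhere, the nginx pod will stay pending on an unbound volume. Note also that mounting the claim at `/opt/modsecurity` hides what the image build left in that directory; the rules are copied to `/etc/modsecurity.d` in conf/Dockerfile, so enforcement should not depend on it, but that is worth confirming. Both hunks sit inside objects that begin and end outside the visible lines.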
