Merge pull request #17 from Krocodial/feature-3

Feature 3

Jenkinsfile

@@ -38,7 +38,7 @@ def intTests(String env, String pr_num) {
         pods.objects()[0].metadata.name,
         "--",
         "bash -c '\
-            cd /opt/app-root/src; \
+            cd /opt/app-root; \
             python manage.py test integration-tests \
         '"
         )
@@ -69,7 +69,7 @@ def unitTests(String env, String pr_num) {
         pods.objects()[0].metadata.name,
         "--",
         "bash -c '\
-            cd /home/classy; \
+            cd /opt/app-root; \
             python manage.py test tests/unit-tests --noinput \
         '"
         )
@@ -183,7 +183,7 @@ pipeline {
     APP_NAME = 'classy'
 
     GIT_REPOSITORY = 'https://github.com/Krocodial/classy.git'
-    GIT_REF = 'release-2'
+    GIT_REF = 'feature-3'
 
     PR_NUM = "${BUILD_NUMBER}"
 
@@ -227,7 +227,7 @@ pipeline {
 
   agent any
   options {
-    timeout(time: 40, unit: 'MINUTES')
+    timeout(time: 50, unit: 'MINUTES')
   }
   stages {
     stage('preamble & sweeping floor') {

README.md

@@ -12,6 +12,8 @@ Release 2.0.0
 ## Technology Stack Used
 Python ~3.6 (Django)  
 PostgreSQL 9.6 (or latest)  
+NGINX 1.15.12  
+ModSecurity v3.2  
 
 ## Getting Started  
 These instructions will help you get a quick copy of the project up and running for development and testing purposes. See deployment if you want more in-depth setup instructions  
@@ -78,7 +80,7 @@ $ source envs/bin/activate
 $ python manage.py runserver <host>:<port>  
 ```  
 
-Congratz! You now have a running metadata classification repo  
+Congratulations! You now have a running metadata classification repository  
 
 # Deployment  
 
@@ -108,7 +110,7 @@ Authorization is a customization of Django's provided authorization functionalit
 
 Policies for use will be provided by the FLNR security team.  
 
-tes
+
 
 ## Files in this repository  
 ```sh  

conf/Dockerfile

@@ -1,46 +1,38 @@
-#ARG docker_repo=classy
-#RUN echo '${docker_repo}'
+FROM owasp/modsecurity:3-nginx
+RUN echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list && \
+    apt-get update && \
+    apt-get install -y certbot python-certbot-nginx -t stretch-backports
 
-#FROM "${docker_repo}" as builder
-#FROM docker-registry.default.svc:5000/l9fjgg-tools/classy as builder
-#RUN python manage.py collectstatic --noinput
-#RUN chmod -R +r conf
+WORKDIR /opt/modsecurity
+RUN wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.1.0.tar.gz && \
+    tar xzvf v3.1.0.tar.gz && \
+    cp /opt/modsecurity/owasp-modsecurity-crs-3.1.0/crs-setup.conf.example /etc/modsecurity.d/crs-setup.conf && \
+    cp -r /opt/modsecurity/owasp-modsecurity-crs-3.1.0/rules /etc/modsecurity.d/rules
 
-FROM nginx
-#FROM registry.access.redhat.com/rhscl/nginx-112-rhel7
-WORKDIR /etc/nginx
+RUN echo "include /etc/modsecurity.d/crs-setup.conf\ninclude /etc/modsecurity.d/rules/*.conf" >> /etc/modsecurity.d/include.conf
 
-#RUN rm -rf /usr/share/nginx/html/*
-RUN rm -f /etc/nginx/conf.d/default.conf
+RUN rm -f /etc/nginx/conf.d/*
 COPY html/ /var/www/classy/
-#COPY --from=builder /home/classy/conf/html /var/www/classy/
 COPY conf.d/classy.conf.tmpl /tmp/
 COPY nginx.conf /etc/nginx/nginx.conf
+#COPY modsecurity.conf /etc/modsecurity.d/modsecurity.conf
+
+RUN sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity.d/modsecurity.conf && \
+    sed -i 's/SecRequestBodyLimit 13107200/SecRequestBodyLimit 104857600/' /etc/modsecurity.d/modsecurity.conf
 
-#RUN useradd --gid 0 -c "SVR usr" www-svr &&\
 RUN touch /var/run/nginx.pid && \
     mkdir /etc/nginx/logs
-#RUN chown -R www-svr:0 /var/run/nginx.pid
-#RUN chown -R www-svr:0 /var/cache/nginx
-#RUN chown -R www-svr:0 /usr/share/nginx
-#RUN chown -R www-svr:0 /etc/nginx
-#RUN chown -R www-svr:0 /var/log/nginx
-#RUN chown -R www-svr:0 /tmp/classy.conf.tmpl
-
-#USER www-svr
-
-#RUN ln -sf /dev/stdout /etc/nginx/logs/nginx-proxy.access.log;
-#RUN ln -sf /dev/stderr /etc/nginx/logs/nginx-proxy.error.log;
 
-#RUN chmod g+rw /var/run/nginx.pid
 RUN chmod -R g+rwx /var/cache/nginx/ && \
     chmod -R g+rw /etc/nginx /var/log/nginx /tmp/classy.conf.tmpl /var/run/nginx.pid && \
-    chmod -R g+r /var/www/classy
-#RUN chmod +rw /etc/nginx/conf.d
-#RUN chown -R nginx:nginx /usr/share/nginx
-#RUN chown -R nginx:nginx /etc/nginx
-#USER nginx
+    chmod -R g+r /var/www/classy && \
+    touch /var/log/modsec_audit.log && chmod g+rw /var/log/modsec_audit.log 
+#    chmod -R g+r /etc/modsecurity.d/ /opt/
+#    mkdir -p /opt/modsecurity/uploads/ && \
+
+
 USER 1001
+
 CMD /bin/bash -c "envsubst < /tmp/classy.conf.tmpl > /etc/nginx/conf.d/classy.conf && exec nginx -g 'daemon off;'"
 
 EXPOSE 1337

conf/nginx.conf

@@ -1,3 +1,4 @@
+load_module modules/ngx_http_modsecurity_module.so;
 
 worker_processes  auto;
 
@@ -11,6 +12,9 @@ events {
 
 
 http {
+    modsecurity on;
+    modsecurity_rules_file /etc/modsecurity.d/include.conf;
+
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 

openshift/templates/classy-dc.json

@@ -81,7 +81,7 @@
         "name": "upload"
       },
       "spec": {
-        "schedule": "* * * * *",
+        "schedule": "*/5 * * * *",
         "concurrencyPolicy": "Forbid",
         "successfulJobsHistoryLimit": 3,
         "failedJobsHistoryLimit": 1,
@@ -164,7 +164,7 @@
         "name": "counter"
       },
       "spec": {
-        "schedule": "* * * * *",
+        "schedule": "*/5 * * * *",
         "concurrencyPolicy": "Forbid",
         "successfulJobsHistoryLimit": 3,
         "failedJobsHistoryLimit": 1,

openshift/templates/nginx-dc.json

@@ -165,6 +165,10 @@
                 {
                     "mountPath": "/etc/nginx/logs",
                     "name": "nginx-logs"
+                },
+                {
+                    "mountPath": "/opt/modsecurity",
+                    "name": "modsecurity-files"
                 }
                 ],
                 "readinessProbe": {
@@ -207,6 +211,12 @@
                 "persistentVolumeClaim": {
                   "claimName": "nginx-logs"
                 }
+              },
+              {
+                "name": "modsecurity-files",
+                "persistentVolumeClaim": {
+                  "claimName": "modsecurity-files"
+                }
               }
             ]
           }