DOCS: Updated docker instructions

Signed-off-by: Sebastian Waldbauer <waldbauer@cert.at>
certtools · Aug 23, 2021 · b78e2e4 · b78e2e4
1 parent 75e0e16
commit b78e2e4
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 3 deletions.
diff --git a/docs/user/FAQ.rst b/docs/user/FAQ.rst
@@ -131,3 +131,29 @@ Multithreading is not available for some bots and AMQP broker is necessary. Poss
  * Some bots' operations are not thread safe. Look a the bot's documentation for more information.
 
 If you think this mapping is wrong, please report a bug.
+
+.. _docker security headers:
+Docker: Security Headers
+-------------------------------------------------------------------
+
+If you run our docker image in production, we recommend you to set security headers.
+You can do this by creating a new file called ``example_config/nginx/security.conf`` in the cloned ``intelmq-docker`` repository.
+
+Write the following inside the configuration file, and change the ``http(s)://<your-domain>`` to your domain name.
+
+.. code-block:: bash
+
+   server_tokens off; # turn off server_token, instead of nginx/13.2 now it will only show nginx
+   add_header X-Frame-Options SAMEORIGIN; # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+   add_header X-Content-Type-Options nosniff; # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+   add_header X-XSS-Protection "1; mode=block"; # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+   add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' http(s)://<your-domain>; frame-src 'self' http(s)://<your-domain>; object-src 'self' http(s)://<your-domain>"; # https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+
+After you created the file, edit the ``docker-compose.yml`` and mount it to the ``nginx`` with
+
+.. code-block:: bash
+
+   volumes:
+   - ./example_config/nginx/security.conf:/etc/nginx/conf.d/security.conf
+
+**IMPORTANT** Mount the exact name & not the directory, because otherwise you would overwrite the whole directory and the other files would be gone inside the container.
diff --git a/docs/user/installation.rst b/docs/user/installation.rst
@@ -150,14 +150,26 @@ Docker **with** docker-compose (recommended)
 
 Navigate to your preferred installation directory and run the following commands.
 
+**NOTE** If not already installed, please install `Docker <https://docs.docker.com/get-docker/>`_
+
+Before you start using docker-compose or any docker related tools, make sure docker is running
+
 .. code-block:: bash
 
-   git clone https://github.com/certat/intelmq-docker.git --recursive
+   # To start the docker daemon
+   systemctl start docker.service
 
-   sudo docker-compose pull
+   # To enable the docker daemon for the future
+   systemctl enable docker.service
+
+.. code-block:: bash
+
+   git clone https://github.com/certat/intelmq-docker.git --recursive
 
    cd intelmq-docker
 
+   sudo docker-compose pull
+
    sudo docker-compose up
 
 Your installation should be successful now. You're now able to visit ``http://127.0.0.1:1337/`` to access the intelmq-manager.
@@ -167,6 +179,8 @@ NOTE: If you get an `Permission denied`, you should use `chown -R $USER:$USER ex
 Docker without docker-compose
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+**NOTE** If not already installed, please install `Docker <https://docs.docker.com/get-docker/>`_
+
 Navigate to your preferred installation directory and run ``git clone https://github.com/certat/intelmq-docker.git --recursive``.
 
 You need to prepare some volumes & configs. Edit the left-side after -v, to change paths.

diff --git a/docs/user/intelmq-api.rst b/docs/user/intelmq-api.rst
@@ -199,7 +199,7 @@ Can I just install it from the deb/rpm packages while installing IntelMQ from a
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Yes, you can install the API and the Manager from the deb/rpm repositories, and install your IntelMQ from a somewhere else, e.g. a local repository.
-However, knowledge about Python system administration experience is recommended if you do so.
+However, knowledge about Python and system administration experience is recommended if you do so.
 
 The packages install IntelMQ to ``/usr/lib/python3*/site-packages/intelmq/``.
 Installing with ``pip`` results in ``/usr/local/lib/python3*/site-packages/intelmq/`` (and some other accompaning resources) which overrides the installation in ``/usr/lib/``.