configure deploy modsecurity

dd-ctl

@@ -206,22 +206,26 @@ build_compose(){
 
 	if [ "$BEHIND_PROXY" = "true" ]; then
 		BEHIND="haproxy-behind.yml"
+		MODSECURITY="-f dd-waf/docker-compose-parts/haproxy.yml"
+		HAPROXY_WAF="-f dd-waf/docker-compose-parts/haproxy.yml"
 	else
 		BEHIND="haproxy.yml"
+		MODSECURITY="-f dd-waf/docker-compose-parts/haproxy.yml"
+                HAPROXY_WAF="-f dd-waf/docker-compose-parts/haproxy.yml"
 	fi
 
+	echo ${MODSECURITY} ${HAPROXY_WAF}
 	# Build compose ymls
-	docker-compose	\
-	    -f dd-waf/docker-compose-parts/haproxy.yml \
-      -f dd-waf/docker-compose-parts/modsecurity.yml \
-                  \
-      -f dd-sso/docker-compose-parts/$BEHIND \
+	docker-compose \
+	       		${MODSECURITY} ${HAPROXY_WAF}
+				\
+			-f dd-sso/docker-compose-parts/$BEHIND \
 			-f dd-sso/docker-compose-parts/api.yml \
 			-f dd-sso/docker-compose-parts/keycloak.yml \
 			-f dd-sso/docker-compose-parts/avatars.yml \
 			-f dd-apps/docker/postgresql/postgresql.yml \
 			-f dd-sso/docker-compose-parts/admin.yml \
-								  \
+					\
 			-f dd-apps/docker/moodle/moodle.yml \
 			-f dd-apps/docker/nextcloud/nextcloud.yml \
 			-f dd-apps/docker/wordpress/wordpress.yml \

dd-sso/docker-compose-parts/haproxy.yml

@@ -20,8 +20,6 @@
 version: '3.7'
 services:
   dd-sso-haproxy:
-    depends_on:
-      - dd-waf-haproxy
     build:
       args:
         HAPROXY_IMG: ${HAPROXY_IMG-haproxy:2.4.12-alpine3.15}
@@ -37,15 +35,15 @@ services:
     networks:
       - dd_net
     ports:
-    - published: 8088
+    - published: 80
       target: 80
-    - published: 8443
+    - published: 443
       target: 443
     # These are for cases when operators want to use PROXY protocol in front
-#    - published: 8888
-#      target: 8888
-#    - published: 591
-#      target: 591
+    - published: 8888
+      target: 8888
+    - published: 591
+      target: 591
     env_file:
       - .env
     logging:

dd-sso/docker/haproxy/haproxy.conf

@@ -48,7 +48,7 @@ global
 frontend website
     mode http
     bind :80
-    #redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
+    redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
     http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
     http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
     bind :443 ssl crt /certs/chain.pem

dd-waf/README.md

@@ -35,6 +35,14 @@ Tenemos diferentes ficheros para configurar este servicio
 * En el fichero rules_apps.conf se configuran los falsos positivos, de las diferentes aplicaciones, que se tienen idenficados hasta el momento.
 
 
+## Instalación
+
+Para instalar el haproxy + modsecurity tendremos que definir a `true` la siguiente variable en el fichero `dd.conf` 
+
+```
+BEHIND_PROXY=false
+```
+
 ## Configuración
 
 En la instalación el ModSecurity se encuentra deshabilitado para no interferir en el proceso de setup inicial del DD.

dd-waf/docker/haproxy/haproxy.cfg

@@ -28,7 +28,7 @@ defaults
 frontend tf_waf
   mode http
   bind :80
-  # redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
+  http-request redirect scheme https code 301 unless { ssl_fc }
   http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
   http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
   bind :443 ssl crt /certs/chain.pem