From 26728a3c72c3887f2d5a3ac4a3da45dce4ed6760 Mon Sep 17 00:00:00 2001
From: Manuel Caballero
Date: Wed, 16 Nov 2022 16:14:23 +0000
Subject: [PATCH] configure deploy modsecurity
---
 dd-ctl | 16 ++++++++++------
 dd-sso/docker-compose-parts/haproxy.yml | 14 ++++++--------
 dd-sso/docker/haproxy/haproxy.conf | 2 +-
 dd-waf/README.md | 8 ++++++++
 dd-waf/docker/haproxy/haproxy.cfg | 2 +-
 5 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/dd-ctl b/dd-ctl
index 4ed3207..84c89e5 100755
--- a/dd-ctl
+++ b/dd-ctl
@@ -206,22 +206,26 @@ build_compose(){
 if [ "$BEHIND_PROXY" = "true" ]; then
 BEHIND="haproxy-behind.yml"
+ MODSECURITY="-f dd-waf/docker-compose-parts/haproxy.yml"
+ HAPROXY_WAF="-f dd-waf/docker-compose-parts/haproxy.yml"
 else
 BEHIND="haproxy.yml"
+ MODSECURITY="-f dd-waf/docker-compose-parts/haproxy.yml"
+ HAPROXY_WAF="-f dd-waf/docker-compose-parts/haproxy.yml"
 fi
+ echo ${MODSECURITY} ${HAPROXY_WAF}
 # Build compose ymls
- docker-compose \
- -f dd-waf/docker-compose-parts/haproxy.yml \
- -f dd-waf/docker-compose-parts/modsecurity.yml \
- \
- -f dd-sso/docker-compose-parts/$BEHIND \
+ docker-compose \
+ ${MODSECURITY} ${HAPROXY_WAF}
+ \
+ -f dd-sso/docker-compose-parts/$BEHIND \
 -f dd-sso/docker-compose-parts/api.yml \
 -f dd-sso/docker-compose-parts/keycloak.yml \
 -f dd-sso/docker-compose-parts/avatars.yml \
 -f dd-apps/docker/postgresql/postgresql.yml \
 -f dd-sso/docker-compose-parts/admin.yml \
- \
+ \
 -f dd-apps/docker/moodle/moodle.yml \
 -f dd-apps/docker/nextcloud/nextcloud.yml \
 -f dd-apps/docker/wordpress/wordpress.yml \
diff --git a/dd-sso/docker-compose-parts/haproxy.yml b/dd-sso/docker-compose-parts/haproxy.yml
index d33d204..24452b5 100644
--- a/dd-sso/docker-compose-parts/haproxy.yml
+++ b/dd-sso/docker-compose-parts/haproxy.yml
@@ -20,8 +20,6 @@ version: '3.7'
 services:
 dd-sso-haproxy:
- depends_on:
- - dd-waf-haproxy
 build:
 args:
 HAPROXY_IMG: ${HAPROXY_IMG-haproxy:2.4.12-alpine3.15}
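Review bot: Both `MODSECURITY` and `HAPROXY_WAF` are set to `-f dd-waf/docker-compose-parts/haproxy.yml` in both branches of the `if`, so the removed `-f dd-waf/docker-compose-parts/modsecurity.yml` is no longer passed to docker-compose at all, the WAF haproxy part is passed twice, and `BEHIND_PROXY` no longer changes what the WAF block does; presumably the first assignment was meant to read `MODSECURITY="-f dd-waf/docker-compose-parts/modsecurity.yml"`. The added line `${MODSECURITY} ${HAPROXY_WAF}` also carries no trailing backslash as shown here, which ends the `docker-compose` invocation before any subcommand and leaves the following `\`-joined `-f dd-sso/...` lines to be run as a command of their own; it should read `${MODSECURITY} ${HAPROXY_WAF} \`. The `echo ${MODSECURITY} ${HAPROXY_WAF}` line reads as leftover debug output. Note that the README hunk in this same commit tells operators to set the variable to `true` while its example shows `BEHIND_PROXY=false`, so the intended meaning of `BEHIND_PROXY` is worth pinning down in one place. build_compose continues outside the hunk.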
@@ -37,15 +35,15 @@ services:
 networks:
 - dd_net
 ports:
- - published: 8088
+ - published: 80
 target: 80
- - published: 8443
+ - published: 443
 target: 443
 # These are for cases when operators want to use PROXY protocol in front
-# - published: 8888
-# target: 8888
-# - published: 591
-# target: 591
+ - published: 8888
+ target: 8888
+ - published: 591
+ target: 591
 env_file:
 - .env
 logging:
diff --git a/dd-sso/docker/haproxy/haproxy.conf b/dd-sso/docker/haproxy/haproxy.conf
index 42446c2..4f11c19 100644
--- a/dd-sso/docker/haproxy/haproxy.conf
+++ b/dd-sso/docker/haproxy/haproxy.conf
@@ -48,7 +48,7 @@ global
 frontend website
 mode http
 bind :80
- #redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
+ redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
 http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
 http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
 bind :443 ssl crt /certs/chain.pem
diff --git a/dd-waf/README.md b/dd-waf/README.md
index 341084c..76c5713 100644
--- a/dd-waf/README.md
+++ b/dd-waf/README.md
@@ -35,6 +35,14 @@ Tenemos diferentes ficheros para configurar este servicio
 * En el fichero rules_apps.conf se configuran los falsos positivos, de las diferentes aplicaciones, que se tienen idenficados hasta el momento.
+## Instalación
+
+Para instalar el haproxy + modsecurity tendremos que definir a `true` la siguiente variable en el fichero `dd.conf`
+
+```
+BEHIND_PROXY=false
+```
+
 ## Configuración
 En la instalación el ModSecurity se encuentra deshabilitado para no interferir en el proceso de setup inicial del DD.
diff --git a/dd-waf/docker/haproxy/haproxy.cfg b/dd-waf/docker/haproxy/haproxy.cfg
index a7a11b9..723a598 100644
--- a/dd-waf/docker/haproxy/haproxy.cfg
+++ b/dd-waf/docker/haproxy/haproxy.cfg
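Review bot: Uncommenting the `8888` and `591` entries publishes the PROXY-protocol listeners on every deployment, while the comment kept directly above them still says they are only for operators who put a PROXY-protocol-speaking proxy in front. If those binds use `accept-proxy` in the HAProxy config (not visible in this diff), any client that can reach the host can supply its own PROXY header and so control the client address HAProxy records in logs and evaluates in ACLs, which undermines source-based logging and rate limiting. Publish them only when that mode is actually configured, or pin them to an internal interface and firewall them, e.g. the short-syntax entry `"127.0.0.1:8888:8888"`. Separately, `dd-sso-haproxy` now publishes `80` and `443` directly and no longer declares `depends_on: dd-waf-haproxy` (first hunk of this file), yet dd-ctl still includes `dd-waf/docker-compose-parts/haproxy.yml` in both branches; if that file also publishes 80/443, the two services will collide on the host ports.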
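Review bot: The uncommented `redirect scheme https ...` uses the older standalone `redirect` form and answers with a 302 by default, whereas the sibling dd-waf/docker/haproxy/haproxy.cfg hunk in this commit uses `http-request redirect scheme https code 301 unless { ssl_fc }`; keeping both fronts consistent and permanent would be `http-request redirect scheme https code 301 if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }`. With `BEHIND_PROXY=true` this frontend serves plain HTTP with no redirect at all and relies on the WAF front to enforce HTTPS, which deserves a comment above the line, e.g. `# plain HTTP is only bounced to HTTPS when this haproxy is the TLS edge; behind the WAF, tf_waf does it`. The `frontend website` block continues outside the hunk.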
@@ -28,7 +28,7 @@ defaults
 frontend tf_waf
 mode http
 bind :80
- # redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
+ http-request redirect scheme https code 301 unless { ssl_fc }
 http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
 http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
 bind :443 ssl crt /certs/chain.pem
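Review bot: The new `http-request redirect scheme https code 301 unless { ssl_fc }` drops the `BEHIND_PROXY` guard the removed line carried, so `tf_waf` now assumes it is always the TLS terminator; if an operator instead feeds it plain HTTP from a further upstream proxy (the PROXY-protocol case mentioned in the dd-sso compose file), every request is bounced to https and can loop. That assumption is worth recording next to the line, e.g. `# tf_waf is the TLS edge: plain HTTP is always redirected, no BEHIND_PROXY exception here`. A redirect only helps requests that already arrived over HTTP; the usual complement is an HSTS header on TLS responses, e.g. `http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }`. The `frontend tf_waf` block presumably continues outside the hunk.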