configure deploy modsecurity
parent
2af96ac3c0
commit
26728a3c72
16
dd-ctl
16
dd-ctl
|
@ -206,22 +206,26 @@ build_compose(){
|
||||||
|
|
||||||
if [ "$BEHIND_PROXY" = "true" ]; then
|
if [ "$BEHIND_PROXY" = "true" ]; then
|
||||||
BEHIND="haproxy-behind.yml"
|
BEHIND="haproxy-behind.yml"
|
||||||
|
MODSECURITY="-f dd-waf/docker-compose-parts/haproxy.yml"
|
||||||
|
HAPROXY_WAF="-f dd-waf/docker-compose-parts/haproxy.yml"
|
||||||
else
|
else
|
||||||
BEHIND="haproxy.yml"
|
BEHIND="haproxy.yml"
|
||||||
|
MODSECURITY="-f dd-waf/docker-compose-parts/haproxy.yml"
|
||||||
|
HAPROXY_WAF="-f dd-waf/docker-compose-parts/haproxy.yml"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
echo ${MODSECURITY} ${HAPROXY_WAF}
|
||||||
# Build compose ymls
|
# Build compose ymls
|
||||||
docker-compose \
|
docker-compose \
|
||||||
-f dd-waf/docker-compose-parts/haproxy.yml \
|
${MODSECURITY} ${HAPROXY_WAF}
|
||||||
-f dd-waf/docker-compose-parts/modsecurity.yml \
|
\
|
||||||
\
|
-f dd-sso/docker-compose-parts/$BEHIND \
|
||||||
-f dd-sso/docker-compose-parts/$BEHIND \
|
|
||||||
-f dd-sso/docker-compose-parts/api.yml \
|
-f dd-sso/docker-compose-parts/api.yml \
|
||||||
-f dd-sso/docker-compose-parts/keycloak.yml \
|
-f dd-sso/docker-compose-parts/keycloak.yml \
|
||||||
-f dd-sso/docker-compose-parts/avatars.yml \
|
-f dd-sso/docker-compose-parts/avatars.yml \
|
||||||
-f dd-apps/docker/postgresql/postgresql.yml \
|
-f dd-apps/docker/postgresql/postgresql.yml \
|
||||||
-f dd-sso/docker-compose-parts/admin.yml \
|
-f dd-sso/docker-compose-parts/admin.yml \
|
||||||
\
|
\
|
||||||
-f dd-apps/docker/moodle/moodle.yml \
|
-f dd-apps/docker/moodle/moodle.yml \
|
||||||
-f dd-apps/docker/nextcloud/nextcloud.yml \
|
-f dd-apps/docker/nextcloud/nextcloud.yml \
|
||||||
-f dd-apps/docker/wordpress/wordpress.yml \
|
-f dd-apps/docker/wordpress/wordpress.yml \
|
||||||
|
|
|
@ -20,8 +20,6 @@
|
||||||
version: '3.7'
|
version: '3.7'
|
||||||
services:
|
services:
|
||||||
dd-sso-haproxy:
|
dd-sso-haproxy:
|
||||||
depends_on:
|
|
||||||
- dd-waf-haproxy
|
|
||||||
build:
|
build:
|
||||||
args:
|
args:
|
||||||
HAPROXY_IMG: ${HAPROXY_IMG-haproxy:2.4.12-alpine3.15}
|
HAPROXY_IMG: ${HAPROXY_IMG-haproxy:2.4.12-alpine3.15}
|
||||||
|
@ -37,15 +35,15 @@ services:
|
||||||
networks:
|
networks:
|
||||||
- dd_net
|
- dd_net
|
||||||
ports:
|
ports:
|
||||||
- published: 8088
|
- published: 80
|
||||||
target: 80
|
target: 80
|
||||||
- published: 8443
|
- published: 443
|
||||||
target: 443
|
target: 443
|
||||||
# These are for cases when operators want to use PROXY protocol in front
|
# These are for cases when operators want to use PROXY protocol in front
|
||||||
# - published: 8888
|
- published: 8888
|
||||||
# target: 8888
|
target: 8888
|
||||||
# - published: 591
|
- published: 591
|
||||||
# target: 591
|
target: 591
|
||||||
env_file:
|
env_file:
|
||||||
- .env
|
- .env
|
||||||
logging:
|
logging:
|
||||||
|
|
|
@ -48,7 +48,7 @@ global
|
||||||
frontend website
|
frontend website
|
||||||
mode http
|
mode http
|
||||||
bind :80
|
bind :80
|
||||||
#redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
|
redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
|
||||||
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
|
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
|
||||||
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
|
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
|
||||||
bind :443 ssl crt /certs/chain.pem
|
bind :443 ssl crt /certs/chain.pem
|
||||||
|
|
|
@ -35,6 +35,14 @@ Tenemos diferentes ficheros para configurar este servicio
|
||||||
* En el fichero rules_apps.conf se configuran los falsos positivos, de las diferentes aplicaciones, que se tienen idenficados hasta el momento.
|
* En el fichero rules_apps.conf se configuran los falsos positivos, de las diferentes aplicaciones, que se tienen idenficados hasta el momento.
|
||||||
|
|
||||||
|
|
||||||
|
## Instalación
|
||||||
|
|
||||||
|
Para instalar el haproxy + modsecurity tendremos que definir a `true` la siguiente variable en el fichero `dd.conf`
|
||||||
|
|
||||||
|
```
|
||||||
|
BEHIND_PROXY=false
|
||||||
|
```
|
||||||
|
|
||||||
## Configuración
|
## Configuración
|
||||||
|
|
||||||
En la instalación el ModSecurity se encuentra deshabilitado para no interferir en el proceso de setup inicial del DD.
|
En la instalación el ModSecurity se encuentra deshabilitado para no interferir en el proceso de setup inicial del DD.
|
||||||
|
|
|
@ -28,7 +28,7 @@ defaults
|
||||||
frontend tf_waf
|
frontend tf_waf
|
||||||
mode http
|
mode http
|
||||||
bind :80
|
bind :80
|
||||||
# redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
|
http-request redirect scheme https code 301 unless { ssl_fc }
|
||||||
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
|
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
|
||||||
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
|
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
|
||||||
bind :443 ssl crt /certs/chain.pem
|
bind :443 ssl crt /certs/chain.pem
|
||||||
|
|
Loading…
Reference in New Issue