EDUCATIC
/
digitaldemocratic
mirror of https://gitlab.com/digitaldemocratic/digitaldemocratic
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

configure deploy modsecurity

GON-3874-DD-moodle
Manuel Caballero 2022-11-16 16:14:23 +00:00 committed by Evilham
parent 2af96ac3c0
commit 26728a3c72
No known key found for this signature in database
GPG Key ID: AE3EE30D970886BF
5 changed files with 26 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
dd-ctl
View File

@ -206,14 +206,18 @@ build_compose(){
if [ "$BEHIND_PROXY" = "true" ]; then
BEHIND="haproxy-behind.yml"
MODSECURITY="-f dd-waf/docker-compose-parts/haproxy.yml"
HAPROXY_WAF="-f dd-waf/docker-compose-parts/haproxy.yml"
else
BEHIND="haproxy.yml"
MODSECURITY="-f dd-waf/docker-compose-parts/haproxy.yml"
HAPROXY_WAF="-f dd-waf/docker-compose-parts/haproxy.yml"
fi
echo ${MODSECURITY} ${HAPROXY_WAF}
# Build compose ymls
docker-compose \
-f dd-waf/docker-compose-parts/haproxy.yml \
-f dd-waf/docker-compose-parts/modsecurity.yml \
${MODSECURITY} ${HAPROXY_WAF}
\
-f dd-sso/docker-compose-parts/$BEHIND \
-f dd-sso/docker-compose-parts/api.yml \

14
dd-sso/docker-compose-parts/haproxy.yml
View File

@ -20,8 +20,6 @@
version: '3.7'
services:
dd-sso-haproxy:
depends_on:
- dd-waf-haproxy
build:
args:
HAPROXY_IMG: ${HAPROXY_IMG-haproxy:2.4.12-alpine3.15}
@ -37,15 +35,15 @@ services:
networks:
- dd_net
ports:
- published: 8088
- published: 80
target: 80
- published: 8443
- published: 443
target: 443
# These are for cases when operators want to use PROXY protocol in front
# - published: 8888
# target: 8888
# - published: 591
# target: 591
- published: 8888
target: 8888
- published: 591
target: 591
env_file:
- .env
logging:

2
dd-sso/docker/haproxy/haproxy.conf
View File

@ -48,7 +48,7 @@ global
frontend website
mode http
bind :80
#redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
bind :443 ssl crt /certs/chain.pem

8
dd-waf/README.md
View File

@ -35,6 +35,14 @@ Tenemos diferentes ficheros para configurar este servicio
* En el fichero rules_apps.conf se configuran los falsos positivos, de las diferentes aplicaciones, que se tienen idenficados hasta el momento.
## Instalación
Para instalar el haproxy + modsecurity tendremos que definir a `true` la siguiente variable en el fichero `dd.conf`
```
BEHIND_PROXY=false
```
## Configuración
En la instalación el ModSecurity se encuentra deshabilitado para no interferir en el proceso de setup inicial del DD.

2
dd-waf/docker/haproxy/haproxy.cfg
View File

@ -28,7 +28,7 @@ defaults
frontend tf_waf
mode http
bind :80
# redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
http-request redirect scheme https code 301 unless { ssl_fc }
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
bind :443 ssl crt /certs/chain.pem