
Commit 904e6fb

committed
feat: use a modsecurity nginx firewall
1 parent abea87a commit 904e6fb


8 files changed

+49
-26
lines changed


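--- a/.gitignore
+++ b/.gitignore
@@ -9,8 +9,8 @@ shogun-postgis/postgresql_data
 shogun-redis/redis_data
 shogun-solr/solr_data/data/search/data/
 shogun-solr/solr_data/logs/
-shogun-nginx/ssl/private/*.crt
-shogun-nginx/ssl/private/*.key
+*/ssl/private/*.crt
+*/ssl/private/*.key
 
 *iml
 .idea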

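--- a/common-services.yml
+++ b/common-services.yml
@@ -66,9 +66,6 @@ services:
 - ./shogun-admin/config/admin-client-config.js:/usr/share/nginx/html/admin/config/admin-client-config.js
 - ./shogun-admin/modelconfigs/:/usr/share/nginx/html/admin/modelconfigs/
 - ./shogun-client/config/gis-client-config.js:/usr/share/nginx/html/client/gis-client-config.js
-ports:
-- "80:80"
-- "443:443"
 environment:
 KEYCLOAK_HOST: ${KEYCLOAK_HOST}
 depends_on:
@@ -80,6 +77,24 @@ services:
 - shogun-gis-client-docs
 - shogun-admin
 - shogun-admin-client-docs
+shogun-firewall:
+container_name: ${CONTAINER_NAME_PREFIX}-firewall
+image: owasp/modsecurity-crs:nginx-alpine
+ports:
+- "80:8080"
+- "443:8443"
+environment:
+BACKEND: http://shogun-nginx
+NGINX_ALWAYS_TLS_REDIRECT: on
+SSL_OCSP_STAPLING: on
+LOGLEVEL: info
+PARANOIA: 1
+BLOCKING_PARANOIA: 1
+ANOMALY_INBOUND: 5
+ANOMALY_OUTBOUND: 4
+REPORTING_LEVEL: 2
+depends_on:
+- shogun-nginx
 shogun-client:
 container_name: ${CONTAINER_NAME_PREFIX}-gis-client
 shogun-client-plugins: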
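Review bot: `NGINX_ALWAYS_TLS_REDIRECT: on` and `SSL_OCSP_STAPLING: on` in the new shogun-firewall environment block are unquoted, and `on` is a YAML 1.1 boolean, so depending on the Compose loader the container may receive a normalized `true` rather than the literal `on` the image's entrypoint may be checking for; quote them as `NGINX_ALWAYS_TLS_REDIRECT: "on"` and `SSL_OCSP_STAPLING: "on"`. The numeric settings (`PARANOIA: 1`, `BLOCKING_PARANOIA: 1`, `ANOMALY_INBOUND: 5`, …) are safer quoted too, since environment values are strings and Compose's number handling varies by version. Separately, `image: owasp/modsecurity-crs:nginx-alpine` is a floating tag for the component that now terminates TLS and fronts every service; pinning a release tag or digest makes the shipped CRS ruleset reproducible and lets rule/paranoia changes be reviewed on upgrade rather than arriving silently.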

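--- a/docker-compose-prod.yml
+++ b/docker-compose-prod.yml
@@ -39,9 +39,6 @@ services:
 file: ./common-services.yml
 service: shogun-nginx
 volumes:
-# makes sure that certificates exist in the environment or use a different image that already contains the certificates
-- ./shogun-nginx/ssl/private/localhost.crt:/etc/nginx/ssl/private/localhost.crt
-- ./shogun-nginx/ssl/private/localhost.key:/etc/nginx/ssl/private/localhost.key
 - ./shogun-nginx/prod/default.conf:/etc/nginx/templates/default.conf.template
 restart: unless-stopped
 healthcheck:
@@ -50,6 +47,20 @@ services:
 retries: 5
 start_period: 5s
 timeout: 10s
+shogun-firewall:
+extends:
+file: ./common-services.yml
+service: shogun-firewall
+volumes:
+- ./shogun-nginx/ssl/private/localhost.crt://etc/nginx/conf/server.crt
+- ./shogun-nginx/ssl/private/localhost.key:/etc/nginx/conf/server.key
+restart: unless-stopped
+healthcheck:
+test: curl --fail http://localhost || exit 1
+interval: 10s
+retries: 5
+start_period: 5s
+timeout: 10s
 shogun-admin:
 extends:
 file: ./common-services.yml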
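Review bot: The new shogun-firewall volumes still mount `./shogun-nginx/ssl/private/localhost.crt` and `.key`, while docker-compose.yml and setEnvironment.sh in this same commit moved those files to `./shogun-firewall/ssl/private/`, so unless prod provisions certificates at the old path separately, the WAF would start without the key material the script generates. The crt mount target also carries a doubled slash, `://etc/nginx/conf/server.crt`. Both mounts should read `- ./shogun-firewall/ssl/private/localhost.crt:/etc/nginx/conf/server.crt:ro` and `- ./shogun-firewall/ssl/private/localhost.key:/etc/nginx/conf/server.key:ro` — `:ro` keeps a compromised WAF container from rewriting the host's private key, and the same applies to the two mounts added in docker-compose.yml. The healthcheck `test: curl --fail http://localhost || exit 1` probes port 80 inside the container, whereas the `"80:8080"` mapping inherited from common-services.yml indicates the image listens on 8080, so it would likely report unhealthy; `http://localhost:8080` matches the mapping.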

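--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -22,9 +22,14 @@ services:
 file: ./common-services.yml
 service: shogun-nginx
 volumes:
-- ./shogun-nginx/ssl/private/localhost.crt:/etc/nginx/ssl/private/localhost.crt
-- ./shogun-nginx/ssl/private/localhost.key:/etc/nginx/ssl/private/localhost.key
 - ./shogun-nginx/dev/default.conf:/etc/nginx/templates/default.conf.template
+shogun-firewall:
+extends:
+file: ./common-services.yml
+service: shogun-firewall
+volumes:
+- ./shogun-firewall/ssl/private/localhost.crt:/etc/nginx/conf/server.crt
+- ./shogun-firewall/ssl/private/localhost.key:/etc/nginx/conf/server.key
 shogun-client:
 extends:
 file: ./common-services.yml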

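--- a/setEnvironment.sh
+++ b/setEnvironment.sh
@@ -128,36 +128,36 @@ fi
 
 printf "Updating the SSL certificate\n"
 
-sed -i -E "s/IP.2 = (.+)/IP.2 = ${KEYCLOAK_HOST}/g" shogun-nginx/ssl/localhost.conf
+sed -i -E "s/IP.2 = (.+)/IP.2 = ${KEYCLOAK_HOST}/g" shogun-firewall/ssl/localhost.conf
 
 openssl req \
--config ./shogun-nginx/ssl/localhost.conf \
+-config ./shogun-firewall/ssl/localhost.conf \
 -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
 -batch \
 -x509 \
 -nodes \
 -days 3650 \
 -newkey rsa:2048 \
--keyout ./shogun-nginx/ssl/private/localhost.key \
--out ./shogun-nginx/ssl/private/localhost.crt
+-keyout ./shogun-firewall/ssl/private/localhost.key \
+-out ./shogun-firewall/ssl/private/localhost.crt
 
 printf "Updating the keystore of shogun-boot\n"
 
 if keytool -list -alias DEV -keystore ./shogun-boot/keystore/cacerts -noprompt -storepass changeit > /dev/null 2>&1; then
 keytool -delete -alias DEV -keystore ./shogun-boot/keystore/cacerts -noprompt -storepass changeit
 fi
-keytool -import -file ./shogun-nginx/ssl/private/localhost.crt -alias DEV -keystore ./shogun-boot/keystore/cacerts -noprompt -storepass changeit
+keytool -import -file ./shogun-firewall/ssl/private/localhost.crt -alias DEV -keystore ./shogun-boot/keystore/cacerts -noprompt -storepass changeit
 
 printf "Updating the keystore of shogun-geoserver\n"
 
 if keytool -list -alias DEV -keystore ./shogun-geoserver/keystore/cacerts -noprompt -storepass changeit > /dev/null 2>&1; then
 keytool -delete -alias DEV -keystore ./shogun-geoserver/keystore/cacerts -noprompt -storepass changeit
 fi
-keytool -import -file ./shogun-nginx/ssl/private/localhost.crt -alias DEV -keystore ./shogun-geoserver/keystore/cacerts -noprompt -storepass changeit
+keytool -import -file ./shogun-firewall/ssl/private/localhost.crt -alias DEV -keystore ./shogun-geoserver/keystore/cacerts -noprompt -storepass changeit
 
 printf "Updating the keystore of shogun-keycloak\n"
 
 if keytool -list -alias DEV -keystore ./shogun-keycloak/keystore/cacerts -noprompt -storepass changeit > /dev/null 2>&1; then
 keytool -delete -alias DEV -keystore ./shogun-keycloak/keystore/cacerts -noprompt -storepass changeit
 fi
-keytool -import -file ./shogun-nginx/ssl/private/localhost.crt -alias DEV -keystore ./shogun-keycloak/keystore/cacerts -noprompt -storepass changeit
+keytool -import -file ./shogun-firewall/ssl/private/localhost.crt -alias DEV -keystore ./shogun-keycloak/keystore/cacerts -noprompt -storepass changeit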
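Review bot: `openssl req … -keyout ./shogun-firewall/ssl/private/localhost.key` now writes into a directory that nothing in this diff creates — the rename only brings `shogun-firewall/ssl/localhost.conf` into the tree, and `*/ssl/private/*` is gitignored, so on a fresh checkout the `private/` directory is likely absent and openssl would fail to open its output paths. A `mkdir -p ./shogun-firewall/ssl/private` before the `openssl req` call makes the script self-sufficient. Whether the script runs under `set -e` is not visible here; if it does not, a failed openssl step would let the three keytool imports below proceed against a stale or missing certificate, so checking openssl's exit status before the imports is worth considering.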

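--- a/shogun-nginx/ssl/localhost.conf
+++ b/shogun-firewall/ssl/localhost.conf
@@ -23,4 +23,4 @@ subjectAltName = @alt_names
 [alt_names]
 DNS.1 = localhost
 IP.1 = 127.0.0.1
-IP.2 = 1.2.3.4
+IP.2 = 192.168.192.60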
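Review bot: `IP.2 = 192.168.192.60` replaces the neutral placeholder `1.2.3.4` with what looks like one environment's private LAN address, even though setEnvironment.sh rewrites this exact line from `${KEYCLOAK_HOST}` on every run. The committed value is therefore never what ends up in the certificate, and checking in a site-specific address leaks environment detail into the repository for no benefit. I would keep `IP.2 = 1.2.3.4` and add a comment above it, `# placeholder: overwritten by setEnvironment.sh from KEYCLOAK_HOST`.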

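--- a/shogun-nginx/dev/default.conf
+++ b/shogun-nginx/dev/default.conf
@@ -7,10 +7,7 @@ server {
 listen 80 default_server;
 listen [::]:80 default_server;
 server_name localhost;
-return 308 https://$http_host$request_uri;
-}
 
-server {
 client_max_body_size 0;
 client_header_buffer_size 1024k;
 large_client_header_buffers 4 64k;
@@ -24,12 +21,7 @@ server {
 gzip_proxied any;
 gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml application/javascript application/json;
 
-listen 443 ssl default_server;
-listen [::]:443 ssl default_server;
 http2 on;
-ssl_certificate /etc/nginx/ssl/private/localhost.crt;
-ssl_certificate_key /etc/nginx/ssl/private/localhost.key;
-server_name localhost;
 
 location /auth/ {
 proxy_pass http://shogun-keycloak:8080/auth/;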
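Review bot: With the `listen 443 ssl` lines and the 308 redirect removed, this server block now only receives cleartext traffic from the firewall, so if the `location /auth/` block (which continues past the hunk) sets `proxy_set_header X-Forwarded-Proto $scheme`, Keycloak will now be told `http` and may build redirect and issuer URLs accordingly; it should forward the firewall-supplied `X-Forwarded-Proto` header (`proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`) or hardcode `https`. Likewise `$remote_addr` in this server's logs and in any rate limiting is now the firewall's address unless `set_real_ip_from` for the firewall and `real_ip_header X-Forwarded-For;` are configured, which I cannot see from the hunk. The retained `http2 on;` in a server with only plain port-80 listeners enables h2c, which is harmless for an internal hop but no longer serves a purpose and could be dropped to keep the intent clear.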
