diff --git a/examples/zammad/.env b/examples/zammad/.env
new file mode 100644
index 0000000..ad4a3d7
--- /dev/null
+++ b/examples/zammad/.env
@@ -0,0 +1,6 @@
+IMAGE_REPO=zammad/zammad-docker-compose
+POSTGRES_PASS=zammad
+POSTGRES_USER=zammad
+RESTART=always
+# don't forget to add the minus before the version
+VERSION=-4.1.0-6
diff --git a/examples/zammad/docker-compose.yml b/examples/zammad/docker-compose.yml
new file mode 100644
index 0000000..95695f5
--- /dev/null
+++ b/examples/zammad/docker-compose.yml
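Review bot: `POSTGRES_PASS=zammad` ships a database password identical to the username, and docker-compose.yml in this commit passes it unchanged to the postgresql, init and backup containers, so anyone who copies the example as-is runs with a guessable credential. The compose file publishes no host port for the database, which limits exposure to the compose network, but any later port mapping would inherit the same value. Replace it with an obvious placeholder and a comment, e.g. `# set a long random password before the first start` above `POSTGRES_PASS=<generate-a-random-password>`.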
@@ -0,0 +1,150 @@
+version: '2'
+
+services:
+
+ zammad-backup:
+ command: ["zammad-backup"]
+ depends_on:
+ - zammad-railsserver
+ entrypoint: /usr/local/bin/backup.sh
+ environment:
+ - BACKUP_SLEEP=86400
+ - HOLD_DAYS=10
+ - POSTGRESQL_USER=${POSTGRES_USER}
+ - POSTGRESQL_PASSWORD=${POSTGRES_PASS}
+ image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
+ links:
+ - zammad-postgresql
+ restart: ${RESTART}
+ volumes:
+ - zammad-backup:/var/tmp/zammad
+ - zammad-data:/opt/zammad
+
+ zammad-elasticsearch:
+ environment:
+ - discovery.type=single-node
+ image: ${IMAGE_REPO}:zammad-elasticsearch${VERSION}
+ restart: ${RESTART}
+ volumes:
+ - elasticsearch-data:/usr/share/elasticsearch/data
+
+ zammad-init:
+ command: ["zammad-init"]
+ depends_on:
+ - zammad-postgresql
+ environment:
+ - POSTGRESQL_USER=${POSTGRES_USER}
+ - POSTGRESQL_PASS=${POSTGRES_PASS}
+ image: ${IMAGE_REPO}:zammad${VERSION}
+ links:
+ - zammad-elasticsearch
+ - zammad-postgresql
+ restart: on-failure
+ volumes:
+ - zammad-data:/opt/zammad
+
+ zammad-memcached:
+ command: memcached -m 256M
+ image: memcached:1.6.9-alpine
+ restart: ${RESTART}
+
+ zammad-postgresql:
+ environment:
+ - POSTGRES_USER=${POSTGRES_USER}
+ - POSTGRES_PASSWORD=${POSTGRES_PASS}
+ image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
+ restart: ${RESTART}
+ volumes:
+ - postgresql-data:/var/lib/postgresql/data
+
+ zammad-railsserver:
+ command: ["zammad-railsserver"]
+ depends_on:
+ - zammad-memcached
+ - zammad-postgresql
+ image: ${IMAGE_REPO}:zammad${VERSION}
+ links:
+ - zammad-elasticsearch
+ - zammad-memcached
+ - zammad-postgresql
+ restart: ${RESTART}
+ volumes:
+ - zammad-data:/opt/zammad
+ environment:
+ - RAILS_SERVE_STATIC_FILES=true
+
+ zammad-scheduler:
+ command: ["zammad-scheduler"]
+ depends_on:
+ - zammad-memcached
+ - zammad-railsserver
+ image: ${IMAGE_REPO}:zammad${VERSION}
+ links:
+ - zammad-elasticsearch
+ - zammad-memcached
+ - zammad-postgresql
+ restart: ${RESTART}
+ volumes:
+ - zammad-data:/opt/zammad
+
+ zammad-websocket:
+ command: ["zammad-websocket"]
+ depends_on:
+ - zammad-memcached
+ - zammad-railsserver
+ image: ${IMAGE_REPO}:zammad${VERSION}
+ links:
+ - zammad-postgresql
+ - zammad-memcached
+ restart: ${RESTART}
+ volumes:
+ - zammad-data:/opt/zammad
+
+ bunkerity:
+ image: bunkerity/bunkerized-nginx
+ restart: always
+ ports:
+ - "80:8080"
+ - "443:8443"
+ volumes:
+ - ./letsencrypt:/etc/letsencrypt
+ - ./modsec-crs-confs:/modsec-crs-confs:ro # ModSecurity Core ignore false positive match error
+ - ./modsec-confs:/modsec-confs:ro # ModSecurity ignore false positive match error
+ - ./data:/www:ro
+ environment:
+ - AUTO_LETS_ENCRYPT=yes
+ - REDIRECT_HTTP_TO_HTTPS=yes
+ - USE_REVERSE_PROXY=yes
+ - DISABLE_DEFAULT_SERVER=yes
+ - USE_CLIENT_CACHE=yes
+ - USE_PROXY_CACHE=yes
+ - USE_GZIP=yes
+ - LIMIT_REQ_RATE=20r/s # Number of request allowed per seconds, let him to 20 to don't get code 429
+ - FEATURE_POLICY= # Need to be allowed to work with Chrome, Brave, Edge
+ - PERMISSIONS_POLICY= # Need to be allowed to work with Chrome, Brave, Edge
+ - SERVER_NAME=www.website.com # replace with your domain
+ - REVERSE_PROXY_URL_1=/ws
+ - REVERSE_PROXY_HOST_1=http://zammad-websocket:6042
+ - REVERSE_PROXY_WS=yes # used to allow websocket redirect
+ - REVERSE_PROXY_URL_2=/
+ - REVERSE_PROXY_HOST_2=http://zammad-railsserver:3000
+ - ALLOWED_METHODS=GET|POST|HEAD|PUT|OPTIONS|DELETE|PATCH # All methods allowed by modSecurity used by default in zammad
+ depends_on:
+ - zammad-railsserver
+ - zammad-websocket
+ - zammad-backup
+ - zammad-elasticsearch
+ - zammad-init
+ - zammad-memcached
+ - zammad-postgresql
+ - zammad-scheduler
+
+volumes:
+ elasticsearch-data:
+ driver: local
+ postgresql-data:
+ driver: local
+ zammad-backup:
+ driver: local
+ zammad-data:
+ driver: local
\ No newline at end of file
diff --git a/examples/zammad/modsec-confs/zammad.conf b/examples/zammad/modsec-confs/zammad.conf
new file mode 100644
index 0000000..c99a97f
--- /dev/null
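Review bot: The `bunkerity` service pulls `bunkerity/bunkerized-nginx` with no tag, so the reverse proxy and WAF in front of Zammad resolves to whatever `latest` is at pull time, while `memcached:1.6.9-alpine` and the Zammad images (through `VERSION`) are pinned. The image's environment variables and bundled ModSecurity/CRS rules may change between releases, which would silently change how the settings and exclusions in this example behave. Pin it to the release the example was tested against, e.g. `image: bunkerity/bunkerized-nginx:<tested-version>` (placeholder; the commit does not state the version). Separately, `FEATURE_POLICY=` and `PERMISSIONS_POLICY=` blank both headers entirely; a comment naming which browser feature Zammad needs would let a deployer restore a narrower policy instead of none.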
+++ b/examples/zammad/modsec-confs/zammad.conf
@@ -0,0 +1,7 @@
+SecRule REQUEST_FILENAME "^/api/v1/tickets" "id:1,nolog,ctl:ruleRemoveById=942100,ctl:ruleRemoveById=941100,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=capec/1000/152/242,ctl:ruleRemoveById=942170,ctl:ruleRemoveById=942190,ctl:ruleRemoveByTag=attack-sqli"
+SecRule REQUEST_FILENAME "^/api/v1/taskbar" "id:2,nolog,ctl:ruleRemoveById=921110,ctl:ruleRemoveById=921130,ctl:ruleRemoveById=932100,ctl:ruleRemoveById=932130,ctl:ruleRemoveById=93215,ctl:ruleRemoveById=933100,ctl:ruleRemoveById=933160,ctl:ruleRemoveById=941100,ctl:ruleRemoveById=941160,ctl:ruleRemoveById=941170,ctl:ruleRemoveById=941210,ctl:ruleRemoveById=942100,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveByTag=attack-rce"
+SecRule REQUEST_FILENAME "^/api/v1/getting_started" "id:3,nolog,ctl:ruleRemoveById=941130,ctl:ruleRemoveById=941170"
+SecRule REQUEST_FILENAME "^/api/v1/reports" "id:4,nolog,ctl:ruleRemoveById=930120"
+SecRule REQUEST_FILENAME "^/api/v1/form_config" "id:5,nolog,ctl:ruleRemoveById=941130,ctl:ruleRemoveById=941170"
+SecRule REQUEST_FILENAME "^/api/v1/settings" "id:6,nolog,ctl:ruleRemoveById=941130,ctl:ruleRemoveById=941170"
+SecRule REQUEST_FILENAME "^/api/v1/integration" "id:7,nolog,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-sqli"
diff --git a/examples/zammad/modsec-crs-confs/zammad.conf b/examples/zammad/modsec-crs-confs/zammad.conf
new file mode 100644
index 0000000..9d56031
--- /dev/null
+++ b/examples/zammad/modsec-crs-confs/zammad.conf
@@ -0,0 +1,7 @@
+SecAction \
+"id:900200,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:'tx.allowed_methods=GET POST HEAD PUT OPTIONS DELETE PATCH'"
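Review bot: The rules with `id:1`, `id:2` and `id:7` use `ctl:ruleRemoveByTag=attack-sqli` and `ctl:ruleRemoveByTag=attack-rce`, which switches off every CRS rule carrying those tags for any path beginning with `/api/v1/tickets`, `/api/v1/taskbar` or `/api/v1/integration`, not only the rules that produced false positives; it also makes entries such as `ctl:ruleRemoveById=942100` on the same lines redundant. These prefixes presumably carry user-supplied ticket content, so consider dropping the tag-wide removals and keeping only the rule ids seen in the audit log, narrowed where possible with `ctl:ruleRemoveTargetById` to the argument that triggers the match. In `id:2`, `ctl:ruleRemoveById=93215` has five digits where its neighbours have six, so it is presumably a truncated id (perhaps `932150`) and likely removes nothing as written. The rules also inherit their phase and disruptive action from `SecDefaultAction`; stating `phase:1,pass,t:none` explicitly would keep them from picking up a blocking default.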
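Review bot: The method list in `tx.allowed_methods` duplicates `ALLOWED_METHODS=GET|POST|HEAD|PUT|OPTIONS|DELETE|PATCH` from docker-compose.yml with nothing tying the two together, so a later edit to one can leave the other out of step. A comment above the `SecAction` would record the dependency, for example `# Must list the same methods as ALLOWED_METHODS in docker-compose.yml`. This SecAction has no path condition, so PUT, DELETE and PATCH are accepted by CRS for everything behind the proxy rather than only under `/api/`; that is worth stating in the comment as well.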