From 4a8da40cf2bee2bfe3a0ec674b835ea4eda41629 Mon Sep 17 00:00:00 2001
From: alexis
Date: Mon, 28 Jun 2021 09:42:52 +0200
Subject: [PATCH 1/3] reverse-proxy-zammad
---
 .../reverse-proxy-zammad/docker-compose.yml | 150 ++++++++++++++++++
 .../modsec-confs/zammad.conf | 7 +
 .../modsec-crs-confs/zammad.conf | 7 +
 3 files changed, 164 insertions(+)
 create mode 100644 examples/reverse-proxy-zammad/docker-compose.yml
 create mode 100644 examples/reverse-proxy-zammad/modsec-confs/zammad.conf
 create mode 100644 examples/reverse-proxy-zammad/modsec-crs-confs/zammad.conf
diff --git a/examples/reverse-proxy-zammad/docker-compose.yml b/examples/reverse-proxy-zammad/docker-compose.yml
new file mode 100644
index 0000000..a1d4e92
--- /dev/null
+++ b/examples/reverse-proxy-zammad/docker-compose.yml
@@ -0,0 +1,150 @@
+version: '2'
+
+services:
+
+ zammad-backup:
+ command: ["zammad-backup"]
+ depends_on:
+ - zammad-railsserver
+ entrypoint: /usr/local/bin/backup.sh
+ environment:
+ - BACKUP_SLEEP=86400
+ - HOLD_DAYS=10
+ - POSTGRESQL_USER=${POSTGRES_USER}
+ - POSTGRESQL_PASSWORD=${POSTGRES_PASS}
+ image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
+ links:
+ - zammad-postgresql
+ restart: ${RESTART}
+ volumes:
+ - zammad-backup:/var/tmp/zammad
+ - zammad-data:/opt/zammad
+
+ zammad-elasticsearch:
+ environment:
+ - discovery.type=single-node
+ image: ${IMAGE_REPO}:zammad-elasticsearch${VERSION}
+ restart: ${RESTART}
+ volumes:
+ - elasticsearch-data:/usr/share/elasticsearch/data
+
+ zammad-init:
+ command: ["zammad-init"]
+ depends_on:
+ - zammad-postgresql
+ environment:
+ - POSTGRESQL_USER=${POSTGRES_USER}
+ - POSTGRESQL_PASS=${POSTGRES_PASS}
+ image: ${IMAGE_REPO}:zammad${VERSION}
+ links:
+ - zammad-elasticsearch
+ - zammad-postgresql
+ restart: on-failure
+ volumes:
+ - zammad-data:/opt/zammad
+
+ zammad-memcached:
+ command: memcached -m 256M
+ image: memcached:1.6.9-alpine
+ restart: ${RESTART}
+
+ zammad-postgresql:
+ environment:
+ - POSTGRES_USER=${POSTGRES_USER}
+ - POSTGRES_PASSWORD=${POSTGRES_PASS}
+ image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
+ restart: ${RESTART}
+ volumes:
+ - postgresql-data:/var/lib/postgresql/data
+
+ zammad-railsserver:
+ command: ["zammad-railsserver"]
+ depends_on:
+ - zammad-memcached
+ - zammad-postgresql
+ image: ${IMAGE_REPO}:zammad${VERSION}
+ links:
+ - zammad-elasticsearch
+ - zammad-memcached
+ - zammad-postgresql
+ restart: ${RESTART}
+ volumes:
+ - zammad-data:/opt/zammad
+ environment:
+ - RAILS_SERVE_STATIC_FILES=true
+
+ zammad-scheduler:
+ command: ["zammad-scheduler"]
+ depends_on:
+ - zammad-memcached
+ - zammad-railsserver
+ image: ${IMAGE_REPO}:zammad${VERSION}
+ links:
+ - zammad-elasticsearch
+ - zammad-memcached
+ - zammad-postgresql
+ restart: ${RESTART}
+ volumes:
+ - zammad-data:/opt/zammad
+
+ zammad-websocket:
+ command: ["zammad-websocket"]
+ depends_on:
+ - zammad-memcached
+ - zammad-railsserver
+ image: ${IMAGE_REPO}:zammad${VERSION}
+ links:
+ - zammad-postgresql
+ - zammad-memcached
+ restart: ${RESTART}
+ volumes:
+ - zammad-data:/opt/zammad
+
+ bunkerity:
+ image: bunkerity/bunkerized-nginx
+ restart: always
+ ports:
+ - "80:8080"
+ - "443:8443"
+ volumes:
+ - ./letsencrypt:/etc/letsencrypt
+ - ./modsec-crs-confs:/modsec-crs-confs:ro # ModSecurity Core ignore false positive match error
+ - ./modsec-confs:/modsec-confs:ro # ModSecurity ignore false positive match error
+ - ./data:/www:ro
+ environment:
+ - AUTO_LETS_ENCRYPT=yes
+ - REDIRECT_HTTP_TO_HTTPS=yes
+ - USE_REVERSE_PROXY=yes
+ - DISABLE_DEFAULT_SERVER=yes
+ - USE_CLIENT_CACHE=yes
+ - USE_PROXY_CACHE=yes
+ - USE_GZIP=yes
+ - LIMIT_REQ_RATE=20r/s # Number of request allowed per seconds, let him to 20 to don't get code 429
+ - FEATURE_POLICY= # Need to be allowed to work with Chrome, Brave, Edge
+ - PERMISSIONS_POLICY= # Need to be allowed to work with Chrome, Brave, Edge
+ - SERVER_NAME=www.website.com # replace with your domain
+ - www.website.com_REVERSE_PROXY_URL_1=/ws
+ - www.website.com_REVERSE_PROXY_HOST_1=http://zammad-websocket:6042
+ - www.website.com_REVERSE_PROXY_WS=yes # used to allow websocket redirect
+ - www.website.com_REVERSE_PROXY_URL_2=/
+ - www.website.com_REVERSE_PROXY_HOST_2=http://zammad-railsserver:3000
+ - ALLOWED_METHODS=GET|POST|HEAD|PUT|OPTIONS|DELETE|PATCH # All methods allowed by modSecurity used by default in zammad
+ depends_on:
+ - zammad-railsserver
+ - zammad-websocket
+ - zammad-backup
+ - zammad-elasticsearch
+ - zammad-init
+ - zammad-memcached
+ - zammad-postgresql
+ - zammad-scheduler
+
+volumes:
+ elasticsearch-data:
+ driver: local
+ postgresql-data:
+ driver: local
+ zammad-backup:
+ driver: local
+ zammad-data:
+ driver: local
\ No newline at end of file
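Review bot: The `bunkerity` service pulls `image: bunkerity/bunkerized-nginx` with no tag, so the internet-facing WAF floats on `latest` while every other image in this file is pinned or versioned (`memcached:1.6.9-alpine`, `${VERSION}` for the Zammad images). A later pull or a fresh deployment can then change the ModSecurity/CRS rule set and the meaning of the environment settings without any change to this file. I would pin it, e.g. `image: bunkerity/bunkerized-nginx:<pinned-version>` (placeholder, ideally with an `@sha256:` digest). Separately, `FEATURE_POLICY=` and `PERMISSIONS_POLICY=` appear to blank both headers for the whole site; the comments should name the directive Zammad actually needs so the rest of the default policy can be kept.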
diff --git a/examples/reverse-proxy-zammad/modsec-confs/zammad.conf b/examples/reverse-proxy-zammad/modsec-confs/zammad.conf
new file mode 100644
index 0000000..c99a97f
--- /dev/null
+++ b/examples/reverse-proxy-zammad/modsec-confs/zammad.conf
@@ -0,0 +1,7 @@
+SecRule REQUEST_FILENAME "^/api/v1/tickets" "id:1,nolog,ctl:ruleRemoveById=942100,ctl:ruleRemoveById=941100,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=capec/1000/152/242,ctl:ruleRemoveById=942170,ctl:ruleRemoveById=942190,ctl:ruleRemoveByTag=attack-sqli"
+SecRule REQUEST_FILENAME "^/api/v1/taskbar" "id:2,nolog,ctl:ruleRemoveById=921110,ctl:ruleRemoveById=921130,ctl:ruleRemoveById=932100,ctl:ruleRemoveById=932130,ctl:ruleRemoveById=93215,ctl:ruleRemoveById=933100,ctl:ruleRemoveById=933160,ctl:ruleRemoveById=941100,ctl:ruleRemoveById=941160,ctl:ruleRemoveById=941170,ctl:ruleRemoveById=941210,ctl:ruleRemoveById=942100,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveByTag=attack-rce"
+SecRule REQUEST_FILENAME "^/api/v1/getting_started" "id:3,nolog,ctl:ruleRemoveById=941130,ctl:ruleRemoveById=941170"
+SecRule REQUEST_FILENAME "^/api/v1/reports" "id:4,nolog,ctl:ruleRemoveById=930120"
+SecRule REQUEST_FILENAME "^/api/v1/form_config" "id:5,nolog,ctl:ruleRemoveById=941130,ctl:ruleRemoveById=941170"
+SecRule REQUEST_FILENAME "^/api/v1/settings" "id:6,nolog,ctl:ruleRemoveById=941130,ctl:ruleRemoveById=941170"
+SecRule REQUEST_FILENAME "^/api/v1/integration" "id:7,nolog,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-sqli"
diff --git a/examples/reverse-proxy-zammad/modsec-crs-confs/zammad.conf b/examples/reverse-proxy-zammad/modsec-crs-confs/zammad.conf
new file mode 100644
index 0000000..9d56031
--- /dev/null
+++ b/examples/reverse-proxy-zammad/modsec-crs-confs/zammad.conf
@@ -0,0 +1,7 @@
+SecAction \
+"id:900200,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:'tx.allowed_methods=GET POST HEAD PUT OPTIONS DELETE PATCH'"
From 8504299861670266fbd2afcd2f7943f046536a9b Mon Sep 17 00:00:00 2001
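Review bot: Rules 1, 2 and 7 in modsec-confs/zammad.conf switch off whole attack classes with `ctl:ruleRemoveByTag=attack-sqli` and `ctl:ruleRemoveByTag=attack-rce` for every request whose path begins with `/api/v1/tickets`, `/api/v1/taskbar` or `/api/v1/integration`, which is far wider than a false-positive exclusion and leaves the ticket API without SQLi/RCE inspection. Prefer removing only the rule ids that actually fired, and only for the offending parameter, e.g. `ctl:ruleRemoveTargetById=942100;ARGS:<field>` (placeholder field name). None of the seven rules sets `phase` or a disruptive action, so they inherit whatever `SecDefaultAction` is in effect; write `phase:1,pass,nolog` explicitly, as modsec-crs-confs/zammad.conf does. In rule 2, `ctl:ruleRemoveById=93215` has five digits where every other id has six; it looks truncated and presumably matches nothing, so confirm the intended id.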
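Review bot: The `SecAction` in modsec-crs-confs/zammad.conf widens `tx.allowed_methods` to include PUT, DELETE and PATCH for every request, and nothing in the file says why or that it has to stay in sync with `ALLOWED_METHODS` in docker-compose.yml. I would add a comment above it such as `# Zammad's REST API uses PUT/DELETE/PATCH; keep in sync with ALLOWED_METHODS in docker-compose.yml`. The block also reuses id 900200, which I believe is the id the CRS setup file uses for this same setting, so confirm the image does not load an active copy of it, since duplicate rule ids normally abort the configuration load.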
From: alexis
Date: Mon, 28 Jun 2021 15:22:57 +0200
Subject: [PATCH 2/3] Correction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Modification nom fichier Correction des lignes 126 à 130
---
 .../docker-compose.yml | 10 +++++-----
 .../modsec-confs/zammad.conf | 0
 .../modsec-crs-confs/zammad.conf | 0
 3 files changed, 5 insertions(+), 5 deletions(-)
 rename examples/{reverse-proxy-zammad => zammad}/docker-compose.yml (93%)
 rename examples/{reverse-proxy-zammad => zammad}/modsec-confs/zammad.conf (100%)
 rename examples/{reverse-proxy-zammad => zammad}/modsec-crs-confs/zammad.conf (100%)
diff --git a/examples/reverse-proxy-zammad/docker-compose.yml b/examples/zammad/docker-compose.yml
similarity index 93%
rename from examples/reverse-proxy-zammad/docker-compose.yml
rename to examples/zammad/docker-compose.yml
index a1d4e92..95695f5 100644
--- a/examples/reverse-proxy-zammad/docker-compose.yml
+++ b/examples/zammad/docker-compose.yml
@@ -123,11 +123,11 @@ services:
 - FEATURE_POLICY= # Need to be allowed to work with Chrome, Brave, Edge
 - PERMISSIONS_POLICY= # Need to be allowed to work with Chrome, Brave, Edge
 - SERVER_NAME=www.website.com # replace with your domain
- - www.website.com_REVERSE_PROXY_URL_1=/ws
- - www.website.com_REVERSE_PROXY_HOST_1=http://zammad-websocket:6042
- - www.website.com_REVERSE_PROXY_WS=yes # used to allow websocket redirect
- - www.website.com_REVERSE_PROXY_URL_2=/
- - www.website.com_REVERSE_PROXY_HOST_2=http://zammad-railsserver:3000
+ - REVERSE_PROXY_URL_1=/ws
+ - REVERSE_PROXY_HOST_1=http://zammad-websocket:6042
+ - REVERSE_PROXY_WS=yes # used to allow websocket redirect
+ - REVERSE_PROXY_URL_2=/
+ - REVERSE_PROXY_HOST_2=http://zammad-railsserver:3000
 - ALLOWED_METHODS=GET|POST|HEAD|PUT|OPTIONS|DELETE|PATCH # All methods allowed by modSecurity used by default in zammad
 depends_on:
 - zammad-railsserver
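Review bot: After the `www.website.com_` prefix is dropped, `REVERSE_PROXY_WS=yes` is the only reverse-proxy setting here without a numeric suffix, so the file does not show whether the WebSocket upgrade is bound to the `/ws` rule (`_1`), to `/` (`_2`), or to both. Confirm against the bunkerized-nginx documentation which form pairs with `REVERSE_PROXY_URL_1`, and extend the inline comment to say so, e.g. `# WebSocket upgrade for the /ws location only`. The environment list this hunk edits starts and ends outside the hunk.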
diff --git a/examples/reverse-proxy-zammad/modsec-confs/zammad.conf b/examples/zammad/modsec-confs/zammad.conf
similarity index 100%
rename from examples/reverse-proxy-zammad/modsec-confs/zammad.conf
rename to examples/zammad/modsec-confs/zammad.conf
diff --git a/examples/reverse-proxy-zammad/modsec-crs-confs/zammad.conf b/examples/zammad/modsec-crs-confs/zammad.conf
similarity index 100%
rename from examples/reverse-proxy-zammad/modsec-crs-confs/zammad.conf
rename to examples/zammad/modsec-crs-confs/zammad.conf
From f97ea6785501e47f2d81e94cc25a612cc77fa5bb Mon Sep 17 00:00:00 2001
From: alexis
Date: Mon, 28 Jun 2021 16:22:01 +0200
Subject: [PATCH 3/3] Create .env
---
 examples/zammad/.env | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 examples/zammad/.env
diff --git a/examples/zammad/.env b/examples/zammad/.env
new file mode 100644
index 0000000..ad4a3d7
--- /dev/null
+++ b/examples/zammad/.env
@@ -0,0 +1,6 @@
+IMAGE_REPO=zammad/zammad-docker-compose
+POSTGRES_PASS=zammad
+POSTGRES_USER=zammad
+RESTART=always
+# don't forget to add the minus before the version
+VERSION=-4.1.0-6
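Review bot: `POSTGRES_PASS=zammad` commits a working database password that equals the user name, and a `.env` placed next to docker-compose.yml is read automatically, so anyone who copies the example runs with a publicly known credential. Ship a non-functional placeholder instead, e.g. `POSTGRES_PASS=<change-me>`, with a comment line above it such as `# set a unique password before the first start`. The same value feeds `POSTGRES_PASSWORD`, `POSTGRESQL_PASSWORD` and `POSTGRESQL_PASS` in docker-compose.yml, so this is the only place that needs to change.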