Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

reverse-proxy-zammad

Browse Source
This commit is contained in:
alexis 2021-06-28 09:42:52 +02:00
parent 0114c7b09f
commit 4a8da40cf2
3 changed files with 164 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

150
examples/reverse-proxy-zammad/docker-compose.yml Normal file
View File

@ -0,0 +1,150 @@
version: '2'
services:
zammad-backup:
command: ["zammad-backup"]
depends_on:
- zammad-railsserver
entrypoint: /usr/local/bin/backup.sh
environment:
- BACKUP_SLEEP=86400
- HOLD_DAYS=10
- POSTGRESQL_USER=${POSTGRES_USER}
- POSTGRESQL_PASSWORD=${POSTGRES_PASS}
image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
links:
- zammad-postgresql
restart: ${RESTART}
volumes:
- zammad-backup:/var/tmp/zammad
- zammad-data:/opt/zammad
zammad-elasticsearch:
environment:
- discovery.type=single-node
image: ${IMAGE_REPO}:zammad-elasticsearch${VERSION}
restart: ${RESTART}
volumes:
- elasticsearch-data:/usr/share/elasticsearch/data
zammad-init:
command: ["zammad-init"]
depends_on:
- zammad-postgresql
environment:
- POSTGRESQL_USER=${POSTGRES_USER}
- POSTGRESQL_PASS=${POSTGRES_PASS}
image: ${IMAGE_REPO}:zammad${VERSION}
links:
- zammad-elasticsearch
- zammad-postgresql
restart: on-failure
volumes:
- zammad-data:/opt/zammad
zammad-memcached:
command: memcached -m 256M
image: memcached:1.6.9-alpine
restart: ${RESTART}
zammad-postgresql:
environment:
- POSTGRES_USER=${POSTGRES_USER}
- POSTGRES_PASSWORD=${POSTGRES_PASS}
image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
restart: ${RESTART}
volumes:
- postgresql-data:/var/lib/postgresql/data
zammad-railsserver:
command: ["zammad-railsserver"]
depends_on:
- zammad-memcached
- zammad-postgresql
image: ${IMAGE_REPO}:zammad${VERSION}
links:
- zammad-elasticsearch
- zammad-memcached
- zammad-postgresql
restart: ${RESTART}
volumes:
- zammad-data:/opt/zammad
environment:
- RAILS_SERVE_STATIC_FILES=true
zammad-scheduler:
command: ["zammad-scheduler"]
depends_on:
- zammad-memcached
- zammad-railsserver
image: ${IMAGE_REPO}:zammad${VERSION}
links:
- zammad-elasticsearch
- zammad-memcached
- zammad-postgresql
restart: ${RESTART}
volumes:
- zammad-data:/opt/zammad
zammad-websocket:
command: ["zammad-websocket"]
depends_on:
- zammad-memcached
- zammad-railsserver
image: ${IMAGE_REPO}:zammad${VERSION}
links:
- zammad-postgresql
- zammad-memcached
restart: ${RESTART}
volumes:
- zammad-data:/opt/zammad
bunkerity:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- "80:8080"
- "443:8443"
volumes:
- ./letsencrypt:/etc/letsencrypt
- ./modsec-crs-confs:/modsec-crs-confs:ro # ModSecurity Core ignore false positive match error
- ./modsec-confs:/modsec-confs:ro # ModSecurity ignore false positive match error
- ./data:/www:ro
environment:
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- USE_REVERSE_PROXY=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_PROXY_CACHE=yes
- USE_GZIP=yes
- LIMIT_REQ_RATE=20r/s # Number of request allowed per seconds, let him to 20 to don't get code 429
- FEATURE_POLICY= # Need to be allowed to work with Chrome, Brave, Edge
- PERMISSIONS_POLICY= # Need to be allowed to work with Chrome, Brave, Edge
- SERVER_NAME=www.website.com # replace with your domain
- www.website.com_REVERSE_PROXY_URL_1=/ws
- www.website.com_REVERSE_PROXY_HOST_1=http://zammad-websocket:6042
- www.website.com_REVERSE_PROXY_WS=yes # used to allow websocket redirect
- www.website.com_REVERSE_PROXY_URL_2=/
- www.website.com_REVERSE_PROXY_HOST_2=http://zammad-railsserver:3000
- ALLOWED_METHODS=GET|POST|HEAD|PUT|OPTIONS|DELETE|PATCH # All methods allowed by modSecurity used by default in zammad
depends_on:
- zammad-railsserver
- zammad-websocket
- zammad-backup
- zammad-elasticsearch
- zammad-init
- zammad-memcached
- zammad-postgresql
- zammad-scheduler
volumes:
elasticsearch-data:
driver: local
postgresql-data:
driver: local
zammad-backup:
driver: local
zammad-data:
driver: local

7
examples/reverse-proxy-zammad/modsec-confs/zammad.conf Normal file
View File

@ -0,0 +1,7 @@
SecRule REQUEST_FILENAME "^/api/v1/tickets" "id:1,nolog,ctl:ruleRemoveById=942100,ctl:ruleRemoveById=941100,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=capec/1000/152/242,ctl:ruleRemoveById=942170,ctl:ruleRemoveById=942190,ctl:ruleRemoveByTag=attack-sqli"
SecRule REQUEST_FILENAME "^/api/v1/taskbar" "id:2,nolog,ctl:ruleRemoveById=921110,ctl:ruleRemoveById=921130,ctl:ruleRemoveById=932100,ctl:ruleRemoveById=932130,ctl:ruleRemoveById=93215,ctl:ruleRemoveById=933100,ctl:ruleRemoveById=933160,ctl:ruleRemoveById=941100,ctl:ruleRemoveById=941160,ctl:ruleRemoveById=941170,ctl:ruleRemoveById=941210,ctl:ruleRemoveById=942100,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveByTag=attack-rce"
SecRule REQUEST_FILENAME "^/api/v1/getting_started" "id:3,nolog,ctl:ruleRemoveById=941130,ctl:ruleRemoveById=941170"
SecRule REQUEST_FILENAME "^/api/v1/reports" "id:4,nolog,ctl:ruleRemoveById=930120"
SecRule REQUEST_FILENAME "^/api/v1/form_config" "id:5,nolog,ctl:ruleRemoveById=941130,ctl:ruleRemoveById=941170"
SecRule REQUEST_FILENAME "^/api/v1/settings" "id:6,nolog,ctl:ruleRemoveById=941130,ctl:ruleRemoveById=941170"
SecRule REQUEST_FILENAME "^/api/v1/integration" "id:7,nolog,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-sqli"

7
examples/reverse-proxy-zammad/modsec-crs-confs/zammad.conf Normal file
View File

@ -0,0 +1,7 @@
SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET POST HEAD PUT OPTIONS DELETE PATCH'"