diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..583decf
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 07c7cdd..687d390 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 /logs/
 /files/
 /ssl/
-/server-configs/
\ No newline at end of file
+/server-configs/
+docker-compose.override.yml
\ No newline at end of file
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..37e4dcb
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,30 @@
+# https://www.mkdocs.org/user-guide/deploying-your-docs/
+
+.PHONY: build-docker-misp build-docker-misp-module update-readme-toc add-remote-url update-from-origin
+
+build-docker-misp:
+ cp build-docker-compose.yml docker-compose.override.yml
+ docker-compose build misp
+
+build-docker-misp-module:
+ cp build-docker-compose.yml docker-compose.override.yml
+ docker-compose -fbuild misp-module
+
+# DEV only
+update-readme-toc:
+ docker run -v $(shell pwd)":/app" -w /app --rm -it sebdah/markdown-toc README.md --skip-headers 2 --replace --inline --header "## Table of Contents"
+
+docker-remove-build-run-logs-misp:
+ docker-compose down -v
+ $(MAKE) build-docker-misp
+ docker-compose up -d misp
+ docker-compose logs -f
+
+# For Git forks
+## Add remote url for mainstream
+add-remote-url:
+ git remote add base https://github.com/coolacid/docker-misp
+## Update from mainstream
+update-from-origin:
+ git fetch base
+ git merge base/master
diff --git a/README.md b/README.md
index 4963565..e580c97 100644
--- a/README.md
+++ b/README.md
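Review bot: `docker-compose -fbuild misp-module` in the build-docker-misp-module target is not a valid invocation: `-f` takes a compose file path, so this looks for a file named `build` and treats `misp-module` as the subcommand; it should read `docker-compose build misp-module`, mirroring the build-docker-misp target above it. The `.PHONY` list also omits `docker-remove-build-run-logs-misp`, so a file of that name in the checkout would silently mask the target; add it to the `.PHONY` line. Both are one-line fixes.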
@@ -17,6 +17,20 @@ This is based on some of the work from the DSCO docker build, nearly all of the - Images directly from docker hub, no build required - Slimmed down images by using build stages and slim parent image, removes unnecessary files from images + +## Table of Contents + + 1. [Docker Tags](#docker-tags) + 1. [Getting Started](#getting-started) + 1. [Environment Variables](#environment-variables) + 1. [Development/Test](#development/test) + 1. [Using the image for development](#using-the-image-for-development) + 1. [Updating](#updating) + 1. [Production](#production) + 1. [Building](#building) + 1. [Image file sizes](#image-file-sizes) + + ## Docker Tags [Docker hub](https://hub.docker.com/r/coolacid/misp-docker) builds the images automatically based on git tags. I try and tag using the following details @@ -29,6 +43,28 @@ This is based on some of the work from the DSCO docker build, nearly all of the ## Getting Started +### Environment Variables +To modify settings a lot of different environment variables are used. +For this we use the file [default_vars.sh](server/files/default_vars.sh). On this file are all existing environment variables registered, described and can be set via Docker, docker-compose, Swarm or Kubernetes. + +Example for docker: +```bash +docker run -ti \ + -e MISP_ENTRYPOINT_NGINX_INIT=true \ + -e MISP_ENTRYPOINT_NGINX_SECURESSL=false \ + coolacid/misp-docker:core-latest +``` + +Example for docker-compose: +```bash +services: + misp: + image: coolacid/misp-docker:core-latest + environment: + - "MISP_ENTRYPOINT_NGINX_INIT=true" + - "MISP_ENTRYPOINT_NGINX_SECURESSL=false" +``` + ### Development/Test - Grab the `docker-compose.yml` and `server-configs/email.php` files (Keep directory structure) diff --git a/build-docker-compose.yml b/build-docker-compose.yml index 87ae843..d28c76d 100644 --- a/build-docker-compose.yml +++ b/build-docker-compose.yml 
@@ -7,7 +7,21 @@ services:
 args:
 - MISP_TAG=${MISP_TAG}
 - PHP_VER=${PHP_VER}
-
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - "./server-configs/:/var/www/MISP/app/Config/"
+ - "./logs/:/var/www/MISP/app/tmp/logs/"
+ - "./files/:/var/www/MISP/app/files"
+ - "./ssl/:/etc/nginx/certs"
+# - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh
+ environment:
+ - "INIT=true" # Initialze MISP, things includes, attempting to import SQL and the Files DIR
+ - "HOSTNAME=https://localhost"
+ - "REDIS_FQDN=redis"
+ - "CRON_USER_ID=1" # The MISP user ID to run cron jobs as
+ - "SYNCSERVERS=1 2 3 4" # The MISP Feed servers to sync in the cron job
 misp-modules:
 image: coolacid/misp-docker:modules-latest
 build:
diff --git a/docker-compose.yml b/docker-compose.yml
index 659aad2..c5ff40e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,10 +13,10 @@ services:
 command: --default-authentication-plugin=mysql_native_password
 restart: always
 environment:
- - "MYSQL_USER=misp"
- - "MYSQL_PASSWORD=example"
- - "MYSQL_ROOT_PASSWORD=password"
- - "MYSQL_DATABASE=misp"
+ - MYSQL_USER=${MISP_MYSQL_USER:-dbuser}
+ - MYSQL_PASSWORD=${MISP_MYSQL_PASSWORD:-ChangeMe!}
+ - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-ChangeMe!}
+ - MYSQL_DATABASE=${MISP_MYSQL_DB:-misp}
 volumes:
 - mysql_data:/var/lib/mysql
 cap_add:
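Review bot: The environment block added to the misp service here uses the legacy names `INIT`, `HOSTNAME`, `REDIS_FQDN`, `CRON_USER_ID` and `SYNCSERVERS`, which the docker-compose.yml hunk in this same commit files under `### Legacy vars:` and which server/files/default_vars.sh says it supports only "until 2022"; using `MISP_ENTRYPOINT_NGINX_INIT`, `MISP_MISP_BASEURL`, `MISP_REDIS_HOST`, `MISP_CRON_USER_ID` and `MISP_CRON_SYNCSERVERS` instead keeps this override from breaking when the legacy block is dropped. `SYNCSERVERS=1 2 3 4` is also active here while the previous docker-compose.yml kept it commented out, so `make build-docker-misp` (which copies this file over docker-compose.override.yml) installs pull/push cron jobs for four sync servers that a freshly built instance is unlikely to have. Since `ports:` publishes 80/443 on the host while the `MISP_MYSQL_*` defaults from default_vars.sh stay in effect, the override is suitable for local builds only, which a comment at the top of the file should say, e.g. `# Local build override: publishes 80/443 and enables INIT with the default database credentials — do not use as-is for a reachable instance.`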
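Review bot: `MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-ChangeMe!}` breaks the `MISP_` prefix the other three variables use and shares its fallback with the application password, so an operator who sets only `MISP_MYSQL_PASSWORD` in .env still runs the database with a root credential that is published in this repository. Rename it to `MISP_MYSQL_ROOT_PASSWORD` for consistency, and consider dropping the fallback so compose fails fast when it is unset: `- MYSQL_ROOT_PASSWORD=${MISP_MYSQL_ROOT_PASSWORD:?set MISP_MYSQL_ROOT_PASSWORD in .env}`. The `ChangeMe!` and `dbuser` fallbacks are duplicated in default_vars.sh; the two copies have to stay identical or the misp container cannot authenticate, which a comment on these lines should state.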
@@ -27,35 +27,80 @@ services: depends_on: - redis - db - ports: - - "80:80" - - "443:443" - volumes: - - "./server-configs/:/var/www/MISP/app/Config/" - - "./logs/:/var/www/MISP/app/tmp/logs/" - - "./files/:/var/www/MISP/app/files" - - "./ssl/:/etc/nginx/certs" + expose: + - "80" + - "443" + # volumes: + # Per default no volumes will be mounted, so that you as user has the change to choose + # your wanted mountpoint or volume. + # - "./server-configs/:/var/www/MISP/app/Config/" + # - "./logs/:/var/www/MISP/app/tmp/logs/" + # - "./files/:/var/www/MISP/app/files" + # - "./ssl/:/etc/nginx/certs" # - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh environment: - - "HOSTNAME=https://localhost" - - "REDIS_FQDN=redis" - - "INIT=true" # Initialze MISP, things includes, attempting to import SQL and the Files DIR - - "CRON_USER_ID=1" # The MISP user ID to run cron jobs as -# - "SYNCSERVERS=1 2 3 4" # The MISP Feed servers to sync in the cron job - # Database Configuration (And their defaults) -# - "MYSQL_HOST=db" -# - "MYSQL_USER=misp" -# - "MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run. -# - "MYSQL_DATABASE=misp" - # Optional Settings -# - "NOREDIR=true" # Do not redirect port 80 -# - "DISIPV6=true" # Disable IPV6 in nginx -# - "SECURESSL=true" # Enable higher security SSL in nginx -# - "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url + # + # Please check server/files/devault_vars.sh to see the default values. + # Thses default values will be set if you do override it + # via .env, docker-compose.override.yml or your own docker-compose.yml file. 
+ # + # NGINX + - MISP_ENTRYPOINT_NGINX_HOSTNAME=${MISP_ENTRYPOINT_NGINX_HOSTNAME} + - MISP_ENTRYPOINT_NGINX_NOREDIRECT=${MISP_ENTRYPOINT_NGINX_NOREDIRECT} + - MISP_ENTRYPOINT_NGINX_DISABLEIPV6=${MISP_ENTRYPOINT_NGINX_DISABLEIPV6} + - MISP_ENTRYPOINT_NGINX_SECURESSL=${MISP_ENTRYPOINT_NGINX_SECURESSL} + - MISP_ENTRYPOINT_NGINX_INIT=${MISP_ENTRYPOINT_NGINX_INIT} + # PHP-FPM + - ENTRYPOINT_FPM_PHP_MEMORY_LIMIT=${ENTRYPOINT_FPM_PHP_MEMORY_LIMIT} + - ENTRYPOINT_FPM_PHP_MAX_EXECUTION_TIME=${ENTRYPOINT_FPM_PHP_MAX_EXECUTION_TIME} + - ENTRYPOINT_FPM_PHP_UPLOAD_MAX_FILESIZE=${ENTRYPOINT_FPM_PHP_UPLOAD_MAX_FILESIZE} + - ENTRYPOINT_FPM_PHP_POST_MAX_SIZE=${ENTRYPOINT_FPM_PHP_POST_MAX_SIZE} + # Cron + - MISP_CRON_USER_ID=${MISP_CRON_USER_ID} + - MISP_CRON_SYNCSERVERS=${MISP_CRON_SYNCSERVERS} + # Redis + - MISP_REDIS_HOST=${MISP_REDIS_HOST} + - MISP_REDIS_PORT=${MISP_REDIS_PORT} + - MISP_REDIS_DB=${MISP_REDIS_DB} + - MISP_REDIS_PASSWORD=${MISP_REDIS_PASSWORD} + #MISP-Modules + - MISP_MISPMODULES_HOST=${MISP_MISPMODULES_HOST} + - MISP_MISPMODULES_PORT=${MISP_MISPMODULES_PORT} + - MISP_MISPMODULES_FQDN=${MISP_MISPMODULES_FQDN} + # MySQL + - MISP_MYSQL_HOST=${MISP_MYSQL_HOST} + - MISP_MYSQL_PORT=${MISP_MYSQL_PORT} + - MISP_MYSQL_USER=${MISP_MYSQL_USER} + - MISP_MYSQL_PASSWORD=${MISP_MYSQL_PASSWORD} + - MISP_MYSQL_DB=${MISP_MYSQL_DB} + - MISP_MYSQL_MYSQLCMD=${MISP_MYSQL_MYSQLCMD} + # MISP Settings + - MISP_MISP_BASEURL=${MISP_MISP_BASEURL} + - MISP_MISP_Base_LIVE=${MISP_MISP_Base_LIVE} + - MISP_MISP_PLUGIN_CUSTOMAUTH_ENABLE=${MISP_MISP_PLUGIN_CUSTOMAUTH_ENABLE} + # + # Add additional misp settings via MISP_MISP_NAME=value + # + ### Legacy vars: + # - "HOSTNAME=https://localhost" + # - "REDIS_FQDN=redis" + # - "INIT=true" # Initialze MISP, things includes, attempting to import SQL and the Files DIR + # - "CRON_USER_ID=1" # The MISP user ID to run cron jobs as + # - "SYNCSERVERS=1 2 3 4" # The MISP Feed servers to sync in the cron job + # Database Configuration (And their defaults) + 
# - "MYSQL_HOST=db" + # - "MYSQL_USER=misp" + # - "MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run. + # - "MYSQL_DATABASE=misp" + # Optional Settings + # - "NOREDIR=true" # Do not redirect port 80 + # - "DISIPV6=true" # Disable IPV6 in nginx + # - "SECURESSL=true" # Enable higher security SSL in nginx + # - "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url misp-modules: image: coolacid/misp-docker:modules-latest environment: - - "REDIS_BACKEND=redis" + - REDIS_BACKEND=${MISP_REDIS_HOST:-redis} depends_on: - redis - db diff --git a/server/Dockerfile b/server/Dockerfile index dcba944..cb9fed3 100644 --- a/server/Dockerfile +++ b/server/Dockerfile @@ -160,6 +160,7 @@ ARG PHP_VER COPY files/entrypoint_cron.sh / COPY files/entrypoint_workers.sh / COPY files/entrypoint.sh / + COPY files/default_vars.sh / ENTRYPOINT [ "/entrypoint.sh" ] # Change Workdirectory diff --git a/server/files/default_vars.sh b/server/files/default_vars.sh new file mode 100644 index 0000000..0839dde --- /dev/null +++ b/server/files/default_vars.sh 
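Review bot: The comment block under `environment:` misnames the file it points to — `server/files/devault_vars.sh` does not exist; the Dockerfile hunk copies `files/default_vars.sh` — and "Thses default values will be set if you do override it" says the opposite of what default_vars.sh does. Propose `# Please check server/files/default_vars.sh for the default values.` followed by `# Those defaults apply only when you do not override a variable via .env, docker-compose.override.yml or your own docker-compose.yml file.` Worth a further comment: every `MISP_X=${MISP_X}` here reaches the container as an empty string when the variable is unset in .env, which the `:-` defaults in default_vars.sh tolerate. Replacing `ports:` with `expose:` means the stock file no longer publishes 80/443 on the host; that is intentional per the volumes comment, but it does not appear to be stated in the README's Getting Started section and should be.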
@@ -0,0 +1,114 @@
+#!/bin/sh
+
+#
+# This file contains all valid environments variables and their default value, which is in entrypoint used.
+# The structure of the environment variables are:
+# MISP___
+# This file will used in the entrypoint.sh.
+#
+
+
+#### LEGACY ENV
+#
+# This area is added until 2022, to support the legacy variants of environment variables.
+#
+# For the following environment variable a extra check must be done, because it will be set always.
+# https://linuxize.com/post/how-to-check-if-string-contains-substring-in-bash/
+# echo "$1" | grep -q "$2"
+# shellcheck disable=SC2039
+[ $(echo "$HOSTNAME"|grep -q "http") ] || MISP_MISP_BASEURL=${HOSTNAME}
+MISP_REDIS_HOST=${REDIS_FQDN}
+MISP_ENTRYPOINT_NGINX_INIT=${INIT}
+MISP_CRON_USER_ID=${CRON_USER_ID}
+MISP_CRON_SYNCSERVERS=${SYNCSERVERS}
+MISP_MYSQL_HOST=${MYSQL_HOST}
+MISP_MYSQL_USER=${MYSQL_USER}
+MISP_MYSQL_PASSWORD=${MYSQL_PASSWORD}
+MISP_MYSQL_DB=${MYSQL_DATABASE}
+MISP_ENTRYPOINT_NGINX_NOREDIRECT=${NOREDIR}
+MISP_ENTRYPOINT_NGINX_DISABLEIPV6=${DISIPV6}
+MISP_ENTRYPOINT_NGINX_SECURESSL=${SECURESSL}
+MISP_MISPMODULES_FQDN=${MISP_MODULES_FQDN}
+#### LEGACY END
+
+# Entrypoint NGINX
+## Set PID file:
+MISP_ENTRYPOINT_NGINX_PID_FILE=${MISP_ENTRYPOINT_NGINX_PID_FILE:-"/entrypoint_apache.install"}
+## Set Hostname for selfsigned certificate
+# shellcheck disable=SC2039
+MISP_ENTRYPOINT_NGINX_HOSTNAME=${MISP_ENTRYPOINT_NGINX_HOSTNAME:-"$HOSTNAME"}
+## Do not redirect port 80:
+MISP_ENTRYPOINT_NGINX_NOREDIRECT=${MISP_ENTRYPOINT_NGINX_NOREDIRECT:-"true"}
+## Disable IPV6 in NGINX:
+MISP_ENTRYPOINT_NGINX_DISABLEIPV6=${MISP_ENTRYPOINT_NGINX_DISABLEIPV6:-"true"}
+## Enable higher security SSL in NIGNX:
+MISP_ENTRYPOINT_NGINX_SECURESSL=${MISP_ENTRYPOINT_NGINX_SECURESSL:-"true"}
+## Deactivate intitialization if it is not explicit set:
+MISP_ENTRYPOINT_NGINX_INIT=${MISP_ENTRYPOINT_NGINX_INIT:-"false"}
+
+
+# Entrypoint Workers
+## Set Worker Path
+ENTRYPOINT_WORKERS_BIN_FILE=${ENTRYPOINT_WORKERS_BIN_FILE:-"/var/www/MISP/app/Console/worker/start.sh"}
+
+# Entrypoint FPM
+## Set memory_limit in MB:
+ENTRYPOINT_FPM_PHP_MEMORY_LIMIT=${ENTRYPOINT_FPM_PHP_MEMORY_LIMIT:-"2048M"}
+## Set max_execution_time in seconds:
+ENTRYPOINT_FPM_PHP_MAX_EXECUTION_TIME=${ENTRYPOINT_FPM_PHP_MAX_EXECUTION_TIME:-"300"}
+## Set upload_max_filesize in MB:
+ENTRYPOINT_FPM_PHP_UPLOAD_MAX_FILESIZE=${ENTRYPOINT_FPM_PHP_UPLOAD_MAX_FILESIZE:-"50M"}
+## Set post_max_size in MB:
+ENTRYPOINT_FPM_PHP_POST_MAX_SIZE=${ENTRYPOINT_FPM_PHP_POST_MAX_SIZE:-"50M"}
+
+# Cake
+## Set Cake File Path
+MISP_CAKE_FILE=${MISP_CAKE_FILE:-"/var/www/MISP/app/Console/cake"}
+
+# Cron
+MISP_CRON_USER_ID=${MISP_CRON_USER_ID:-"1"}
+MISP_CRON_SYNCSERVERS=${MISP_CRON_SYNCSERVERS:-""}
+
+# Redis
+## Set Redis Server Host:
+MISP_REDIS_HOST=${MISP_REDIS_HOST:-"redis"}
+## Set Redis Server Port:
+MISP_REDIS_PORT=${MISP_REDIS_PORT:-"6379"}
+## Set Redis Database which should be used for MISP:
+MISP_REDIS_DB=${MISP_REDIS_DB:-"0"}
+## Set Redis Password if authentication is activated:
+MISP_REDIS_PASSWORD=${MISP_REDIS_PASSWORD:-""}
+
+# MISP-Modules
+## Set MISP-Module Host:
+MISP_MISPMODULES_HOST=${MISP_MISPMODULES_HOST:-"misp-modules"}
+## Set MISP-Module Port:
+MISP_MISPMODULES_PORT=${MISP_MISPMODULES_PORT:-"6666"}
+## Set MISP-Module FQDN:
+MISP_MISPMODULES_FQDN=${MISP_MISPMODULES_FQDN:-"http://${MISP_MISPMODULES_HOST}:${MISP_MISPMODULES_PORT}"}
+
+# MySQL
+## Set MySQL Host:
+MISP_MYSQL_HOST=${MISP_MYSQL_HOST:-"db"}
+## Set MySQL Port:
+MISP_MYSQL_PORT=${MISP_MYSQL_PORT:-"3306"}
+## Set MySQL username:
+MISP_MYSQL_USER=${MISP_MYSQL_USER:-"dbuser"}
+## Set MySQL user password:
+MISP_MYSQL_PASSWORD=${MISP_MYSQL_PASSWORD:-"ChangeMe!"}
+## Set MySQL database:
+MISP_MYSQL_DB=${MISP_MYSQL_DB:-"misp"}
+## Set Default MySQL CMD:
+MISP_MYSQL_MYSQLCMD=${MISP_MYSQL_MYSQLCMD:-"mysql -u $MISP_MYSQL_USER -p$MISP_MYSQL_PASSWORD -P $MISP_MYSQL_PORT -h $MISP_MYSQL_HOST -r -N
$MISP_MYSQL_DB"}
+
+
+# MISP Settings
+## Set MISP App Config Path:
+MISP_MISP_APP_CONFIG_PATH=${MISP_MISP_APP_CONFIG_PATH:-"/var/www/MISP/app/Config"}
+## Set BaseURL
+MISP_MISP_BASEURL=${MISP_MISP_BASEURL:-"$ENTRYPOINT_NGINX_HOSTNAME"}
+## Activate MISP Instance on start:
+MISP_MISP_Base_LIVE=${MISP_MISP_Base_LIVE:-"true"}
+## Activate CustomAuth_Enable setting:
+MISP_MISP_PLUGIN_CUSTOMAUTH_ENABLE=${MISP_MISP_PLUGIN_CUSTOMAUTH_ENABLE:-"true"}
+
diff --git a/server/files/entrypoint.sh b/server/files/entrypoint.sh
index 5a7aa71..4f1b52a 100755
--- a/server/files/entrypoint.sh
+++ b/server/files/entrypoint.sh
@@ -1,3 +1,8 @@
 #!/bin/bash
+
+# Include default vars file:
+# shellcheck disable=SC1091
+source "/default_vars.sh"
+
 # start supervisord
 /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
diff --git a/server/files/entrypoint_cron.sh b/server/files/entrypoint_cron.sh
index 98977b7..c6a284e 100755
--- a/server/files/entrypoint_cron.sh
+++ b/server/files/entrypoint_cron.sh
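Review bot: The `#### LEGACY ENV` block assigns every `MISP_*` variable unconditionally from its legacy name (`MISP_MYSQL_PASSWORD=${MYSQL_PASSWORD}` and eleven siblings), so a value supplied under the new name — for example `MISP_MYSQL_PASSWORD=${MISP_MYSQL_PASSWORD}` in docker-compose.yml's misp service, where `MYSQL_PASSWORD` is not set — is first replaced with an empty string and then with the default (`ChangeMe!` here), while the db service keeps the operator's value, so only the shipped defaults can ever connect. The first legacy line always takes its `||` branch: `grep -q` prints nothing, `[ $(...) ]` is therefore false, and `MISP_MISP_BASEURL=${HOSTNAME}` runs on every start, setting the base URL to the container hostname regardless of what the operator passed in. Further down, `MISP_MISP_BASEURL=${MISP_MISP_BASEURL:-"$ENTRYPOINT_NGINX_HOSTNAME"}` references a name this file never defines; the hostname variable it defines is `MISP_ENTRYPOINT_NGINX_HOSTNAME`. The rewrite below lets the new name win, falls back to the legacy name, and only then to the default; the entrypoint scripts that source this file are unchanged.

```sh
#### LEGACY ENV
# A legacy name is honoured only when the new name is empty or unset.
# shellcheck disable=SC2039
echo "$HOSTNAME" | grep -q "http" && MISP_MISP_BASEURL=${MISP_MISP_BASEURL:-$HOSTNAME}
MISP_REDIS_HOST=${MISP_REDIS_HOST:-$REDIS_FQDN}
MISP_ENTRYPOINT_NGINX_INIT=${MISP_ENTRYPOINT_NGINX_INIT:-$INIT}
MISP_CRON_USER_ID=${MISP_CRON_USER_ID:-$CRON_USER_ID}
MISP_CRON_SYNCSERVERS=${MISP_CRON_SYNCSERVERS:-$SYNCSERVERS}
MISP_MYSQL_HOST=${MISP_MYSQL_HOST:-$MYSQL_HOST}
MISP_MYSQL_USER=${MISP_MYSQL_USER:-$MYSQL_USER}
MISP_MYSQL_PASSWORD=${MISP_MYSQL_PASSWORD:-$MYSQL_PASSWORD}
MISP_MYSQL_DB=${MISP_MYSQL_DB:-$MYSQL_DATABASE}
MISP_ENTRYPOINT_NGINX_NOREDIRECT=${MISP_ENTRYPOINT_NGINX_NOREDIRECT:-$NOREDIR}
MISP_ENTRYPOINT_NGINX_DISABLEIPV6=${MISP_ENTRYPOINT_NGINX_DISABLEIPV6:-$DISIPV6}
MISP_ENTRYPOINT_NGINX_SECURESSL=${MISP_ENTRYPOINT_NGINX_SECURESSL:-$SECURESSL}
MISP_MISPMODULES_FQDN=${MISP_MISPMODULES_FQDN:-$MISP_MODULES_FQDN}
#### LEGACY END
# … unchanged: default assignments for NGINX, Workers, FPM, Cake, Cron, Redis, MISP-Modules, MySQL …
## Set BaseURL (falls back to the hostname used for the self-signed certificate)
MISP_MISP_BASEURL=${MISP_MISP_BASEURL:-"$MISP_ENTRYPOINT_NGINX_HOSTNAME"}
```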
@@ -1,26 +1,38 @@ #!/bin/bash +# Include default vars file: +# shellcheck disable=SC1091 +source "/default_vars.sh" + +# Wait until entrypoint NGINX is ready +while (true) +do + sleep 2 + [ -f "$MISP_ENTRYPOINT_NGINX_PID_FILE" ] && continue + break +done + # Create the misp cron tab cat << EOF > /etc/cron.d/misp -20 2 * * * www-data /var/www/MISP/app/Console/cake Server cacheFeed "$CRON_USER_ID" all >/tmp/cronlog 2>/tmp/cronlog -30 2 * * * www-data /var/www/MISP/app/Console/cake Server fetchFeed "$CRON_USER_ID" all >/tmp/cronlog 2>/tmp/cronlog +20 2 * * * www-data $MISP_CAKE_FILE Server cacheFeed "$MISP_CRON_USER_ID" all >/tmp/cronlog 2>/tmp/cronlog +30 2 * * * www-data $MISP_CAKE_FILE Server fetchFeed "$MISP_CRON_USER_ID" all >/tmp/cronlog 2>/tmp/cronlog -00 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateGalaxies >/tmp/cronlog 2>/tmp/cronlog -10 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies >/tmp/cronlog 2>/tmp/cronlog -20 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateWarningLists >/tmp/cronlog 2>/tmp/cronlog -30 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists >/tmp/cronlog 2>/tmp/cronlog -45 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates >/tmp/cronlog 2>/tmp/cronlog +00 3 * * * www-data $MISP_CAKE_FILE Admin updateGalaxies >/tmp/cronlog 2>/tmp/cronlog +10 3 * * * www-data $MISP_CAKE_FILE Admin updateTaxonomies >/tmp/cronlog 2>/tmp/cronlog +20 3 * * * www-data $MISP_CAKE_FILE Admin updateWarningLists >/tmp/cronlog 2>/tmp/cronlog +30 3 * * * www-data $MISP_CAKE_FILE Admin updateNoticeLists >/tmp/cronlog 2>/tmp/cronlog +45 3 * * * www-data $MISP_CAKE_FILE Admin updateObjectTemplates >/tmp/cronlog 2>/tmp/cronlog EOF -if [ ! 
-z "$SYNCSERVERS" ]; +if [ -n "$MISP_CRON_SYNCSERVERS" ]; then TIME=0 - for SYNCSERVER in $SYNCSERVERS + for SYNCSERVER in $MISP_CRON_SYNCSERVERS do cat << EOF >> /etc/cron.d/misp -$TIME 0 * * * www-data /var/www/MISP/app/Console/cake Server pull "$CRON_USER_ID" "$SYNCSERVER">/tmp/cronlog 2>/tmp/cronlog -$TIME 1 * * * www-data /var/www/MISP/app/Console/cake Server push "$CRON_USER_ID" "$SYNCSERVER">/tmp/cronlog 2>/tmp/cronlog +$TIME 0 * * * www-data $MISP_CAKE_FILE Server pull "$MISP_CRON_USER_ID" "$SYNCSERVER">/tmp/cronlog 2>/tmp/cronlog +$TIME 1 * * * www-data $MISP_CAKE_FILE Server push "$MISP_CRON_USER_ID" "$SYNCSERVER">/tmp/cronlog 2>/tmp/cronlog EOF ((TIME+=5)) diff --git a/server/files/entrypoint_fpm.sh b/server/files/entrypoint_fpm.sh index 825624b..44ed116 100755 --- a/server/files/entrypoint_fpm.sh +++ b/server/files/entrypoint_fpm.sh @@ -1,13 +1,17 @@ #!/bin/bash +# Include default vars file: +# shellcheck disable=SC1091 +source "/default_vars.sh" + change_php_vars(){ for FILE in /etc/php/*/fpm/php.ini do [[ -e $FILE ]] || break - sed -i "s/memory_limit = .*/memory_limit = 2048M/" "$FILE" - sed -i "s/max_execution_time = .*/max_execution_time = 300/" "$FILE" - sed -i "s/upload_max_filesize = .*/upload_max_filesize = 50M/" "$FILE" - sed -i "s/post_max_size = .*/post_max_size = 50M/" "$FILE" + sed -i "s/memory_limit = .*/memory_limit = $ENTRYPOINT_FPM_PHP_MEMORY_LIMIT/" "$FILE" + sed -i "s/max_execution_time = .*/max_execution_time = $ENTRYPOINT_FPM_PHP_MAX_EXECUTION_TIME/" "$FILE" + sed -i "s/upload_max_filesize = .*/upload_max_filesize = $ENTRYPOINT_FPM_PHP_UPLOAD_MAX_FILESIZE/" "$FILE" + sed -i "s/post_max_size = .*/post_max_size = $ENTRYPOINT_FPM_PHP_POST_MAX_SIZE/" "$FILE" done } diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh index 6bb0495..17676cb 100755 --- a/server/files/entrypoint_nginx.sh +++ b/server/files/entrypoint_nginx.sh 
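Review bot: The new wait loop only delays while `$MISP_ENTRYPOINT_NGINX_PID_FILE` exists, and entrypoint_nginx.sh creates that file itself at startup, so if supervisord starts this script before entrypoint_nginx.sh has run its `touch`, the loop exits after a single `sleep 2` and the crontab is written before whatever initialisation it was presumably meant to wait for; entrypoint_workers.sh has the same window. If the ordering matters, a marker that entrypoint_nginx.sh creates when it finishes (rather than one it deletes) would be unambiguous; if it does not, a comment such as `# Best-effort: the crontab does not depend on MISP initialisation, this only avoids competing with it for CPU` would make the loop's purpose clear. The `if [ -n "$MISP_CRON_SYNCSERVERS" ]` block continues outside the hunk.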
@@ -1,55 +1,49 @@ #!/bin/bash -MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config -[ -z "$MYSQL_HOST" ] && MYSQL_HOST=db -[ -z "$MYSQL_PORT" ] && MYSQL_PORT=3306 -[ -z "$MYSQL_USER" ] && MYSQL_USER=misp -[ -z "$MYSQL_PASSWORD" ] && MYSQL_PASSWORD=example -[ -z "$MYSQL_DATABASE" ] && MYSQL_DATABASE=misp -[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis -[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules" -[ -z "$MYSQLCMD" ] && MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE" - -ENTRYPOINT_PID_FILE="/entrypoint_apache.install" -[ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE +# Include default vars file: +# shellcheck disable=SC1091 +source "/default_vars.sh" + +# Check if installation is already done: +[ ! -f "$MISP_ENTRYPOINT_NGINX_PID_FILE" ] && touch "$MISP_ENTRYPOINT_NGINX_PID_FILE" setup_cake_config(){ - sed -i "s/'host' => 'localhost'.*/'host' => '$REDIS_FQDN', \/\/ Redis server hostname/" "/var/www/MISP/app/Plugin/CakeResque/Config/config.php" - sed -i "s/'host' => '127.0.0.1'.*/'host' => '$REDIS_FQDN', \/\/ Redis server hostname/" "/var/www/MISP/app/Plugin/CakeResque/Config/config.php" + sed -i "s/'host' => 'localhost'.*/'host' => '$MISP_REDIS_HOST', \/\/ Redis server hostname/" "/var/www/MISP/app/Plugin/CakeResque/Config/config.php" + sed -i "s/'host' => '127.0.0.1'.*/'host' => '$MISP_REDIS_HOST', \/\/ Redis server hostname/" "/var/www/MISP/app/Plugin/CakeResque/Config/config.php" } init_misp_config(){ - [ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php - [ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php - [ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php - [ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php 
$MISP_APP_CONFIG_PATH/config.php - [ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php - [ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php + [ -f "$MISP_MISP_APP_CONFIG_PATH/bootstrap.php" ] || cp "$MISP_MISP_APP_CONFIG_PATH.dist/bootstrap.default.php" "$MISP_MISP_APP_CONFIG_PATH/bootstrap.php" + [ -f "$MISP_MISP_APP_CONFIG_PATH/database.php" ] || cp "$MISP_MISP_APP_CONFIG_PATH.dist/database.default.php" "$MISP_MISP_APP_CONFIG_PATH/database.php" + [ -f "$MISP_MISP_APP_CONFIG_PATH/core.php" ] || cp "$MISP_MISP_APP_CONFIG_PATH.dist/core.default.php" "$MISP_MISP_APP_CONFIG_PATH/core.php" + [ -f "$MISP_MISP_APP_CONFIG_PATH/config.php" ] || cp "$MISP_MISP_APP_CONFIG_PATH.dist/config.default.php" "$MISP_MISP_APP_CONFIG_PATH/config.php" + [ -f "$MISP_MISP_APP_CONFIG_PATH/email.php" ] || cp "$MISP_MISP_APP_CONFIG_PATH.dist/email.php" "$MISP_MISP_APP_CONFIG_PATH/email.php" + [ -f "$MISP_MISP_APP_CONFIG_PATH/routes.php" ] || cp "$MISP_MISP_APP_CONFIG_PATH.dist/routes.php" "$MISP_MISP_APP_CONFIG_PATH/routes.php" echo "Configure MISP | Set DB User, Password and Host in database.php" - sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php - sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php - sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php - sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php + sed -i "s/localhost/$MISP_MYSQL_HOST/" "$MISP_MISP_APP_CONFIG_PATH/database.php" + sed -i "s/db\s*login/$MISP_MYSQL_USER/" "$MISP_MISP_APP_CONFIG_PATH/database.php" + sed -i "s/db\s*password/$MISP_MYSQL_PASSWORD/" "$MISP_MISP_APP_CONFIG_PATH/database.php" + sed -i "s/'database' => */'database' => '$MISP_MYSQL_DB',/" "$MISP_MISP_APP_CONFIG_PATH/database.php" echo "Configure sane defaults" - /var/www/MISP/app/Console/cake Admin setSetting 
"MISP.redis_host" "$REDIS_FQDN" - /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME" - /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3) + $MISP_CAKE_FILE Admin setSetting "MISP.redis_host" "$MISP_REDIS_HOST" + $MISP_CAKE_FILE Admin setSetting "MISP.baseurl" "$MISP_MISP_BASEURL" + $MISP_CAKE_FILE Admin setSetting "MISP.python_bin" $(which python3) - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN" - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true + $MISP_CAKE_FILE Admin setSetting "Plugin.ZeroMQ_redis_host" "$MISP_REDIS_HOST" + $MISP_CAKE_FILE Admin setSetting "Plugin.ZeroMQ_enable" true - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN" + $MISP_CAKE_FILE Admin setSetting "Plugin.Enrichment_services_enable" true + $MISP_CAKE_FILE Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MISPMODULES_FQDN" - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN" + $MISP_CAKE_FILE Admin setSetting "Plugin.Import_services_enable" true + $MISP_CAKE_FILE Admin setSetting "Plugin.Import_services_url" "$MISP_MISPMODULES_FQDN" - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN" + $MISP_CAKE_FILE Admin setSetting "Plugin.Export_services_enable" true + $MISP_CAKE_FILE Admin setSetting "Plugin.Export_services_url" "$MISP_MISPMODULES_FQDN" - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false + $MISP_CAKE_FILE Admin setSetting "Plugin.Cortex_services_enable" false } init_misp_files(){ 
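Review bot: `sed -i "s/'database' => */'database' => '$MISP_MYSQL_DB',/"` in init_misp_config drops the `.` from the old pattern: ` *` matches only the spaces after `=>`, so the original value (`'misp',` per the old sed) is left in place and the line in database.php becomes `'database' => 'misp','misp',`, which is not valid PHP. It should read `sed -i "s/'database' => .*/'database' => '$MISP_MYSQL_DB',/" "$MISP_MISP_APP_CONFIG_PATH/database.php"`. The same function still interpolates `$MISP_MYSQL_PASSWORD` unescaped into a sed replacement, so a password containing `/`, `&` or `\` corrupts database.php; the warning about that now lives only in the commented-out `MYSQL_PASSWORD` line of docker-compose.yml and should move next to the `MISP_MYSQL_PASSWORD` default in default_vars.sh, or be made unnecessary by escaping those characters before the substitution. init_misp_config's body is fully inside the hunk; init_misp_files starts at its end and continues outside.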
@@ -62,8 +56,9 @@ init_misp_files(){ init_ssl() { if [[ (! -f /etc/nginx/certs/cert.pem) || (! -f /etc/nginx/certs/key.pem) ]]; then + # shellcheck disable=SC2164 cd /etc/nginx/certs - openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 + openssl req -x509 -subj "/CN=$MISP_MISP_HOSTNAME" -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 fi } @@ -71,36 +66,39 @@ init_mysql(){ # Test when MySQL is ready.... # wait for Database come ready isDBup () { - echo "SHOW STATUS" | $MYSQLCMD 1>/dev/null + echo "SHOW STATUS" | $MISP_MYSQL_MYSQLCMD 1>/dev/null echo $? } isDBinitDone () { # Table attributes has existed since at least v2.1 - echo "DESCRIBE attributes" | $MYSQLCMD 1>/dev/null + echo "DESCRIBE attributes" | $MISP_MYSQL_MYSQLCMD 1>/dev/null echo $? } RETRY=100 + # shellcheck disable=SC2046 until [ $(isDBup) -eq 0 ] || [ $RETRY -le 0 ] ; do echo "Waiting for database to come up" sleep 5 RETRY=$(( RETRY - 1)) done if [ $RETRY -le 0 ]; then - >&2 echo "Error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT" + >&2 echo "Error: Could not connect to Database on $MISP_MYSQL_HOST:$MISP_MYSQL_PORT" exit 1 fi + # shellcheck disable=SC2046 if [ $(isDBinitDone) -eq 0 ]; then echo "Database has already been initialized" else echo "Database has not been initialized, importing MySQL scheme..." - $MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql + $MISP_MYSQL_MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql fi } sync_files(){ + # shellcheck disable=SC2045 for DIR in $(ls /var/www/MISP/app/files.dist); do rsync -azh --delete "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/" done 
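Review bot: init_ssl now builds the certificate subject from `$MISP_MISP_HOSTNAME`, a name default_vars.sh never sets — the hostname variable it defines is `MISP_ENTRYPOINT_NGINX_HOSTNAME`, documented there as "Set Hostname for selfsigned certificate" — so the self-signed certificate is generated with `-subj "/CN="`. Change it to `openssl req -x509 -subj "/CN=$MISP_ENTRYPOINT_NGINX_HOSTNAME" -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365`. The `# shellcheck disable=SC2164` above `cd /etc/nginx/certs` silences the warning instead of fixing it; `cd /etc/nginx/certs || return 1` keeps openssl from writing key.pem into the current working directory if the directory is missing. In init_mysql, `$MISP_MYSQL_MYSQLCMD` is still expanded unquoted and carries the password as a `-p` argument, so a password with whitespace breaks the probe and the value is exposed in the container's process list; that is pre-existing, but now that the command is operator-configurable it deserves a note beside the `MISP_MYSQL_MYSQLCMD` default in default_vars.sh.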
@@ -116,14 +114,14 @@ for CERT in cert.pem dhparams.pem key.pem; do done # Things we should do when we have the INITIALIZE Env Flag -if [[ "$INIT" == true ]]; then +if [[ "$MISP_ENTRYPOINT_NGINX_INIT" == true ]]; then echo "Setup MySQL..." && init_mysql echo "Setup MISP files dir..." && init_misp_files echo "Ensure SSL certs exist..." && init_ssl fi # Things that should ALWAYS happen -echo "Configure Cake | Change Redis host to $REDIS_FQDN ... " && setup_cake_config +echo "Configure Cake | Change Redis host to $MISP_REDIS_HOST ... " && setup_cake_config # Things we should do if we're configuring MISP via ENV echo "Configure MISP | Initialize misp base config..." && init_misp_config @@ -143,7 +141,7 @@ if [[ ! -f /var/www/MISP/PyMISP/pymisp/data/describeTypes.json ]]; then ln -s /usr/local/lib/python3.7/dist-packages/pymisp/data/describeTypes.json /var/www/MISP/PyMISP/pymisp/data/describeTypes.json fi -if [[ ! -L "/etc/nginx/sites-enabled/misp80" && "$NOREDIR" == true ]]; then +if [[ ! -L "/etc/nginx/sites-enabled/misp80" && "$MISP_ENTRYPOINT_NGINX_NOREDIRECT" == true ]]; then echo "Configure NGINX | Disabling Port 80 Redirect" ln -s /etc/nginx/sites-available/misp80-noredir /etc/nginx/sites-enabled/misp80 elif [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then @@ -153,7 +151,7 @@ else echo "Configure NGINX | Port 80 already configured" fi -if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then +if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$MISP_ENTRYPOINT_NGINX_SECURESSL" == true ]]; then echo "Configure NGINX | Using Secure SSL" ln -s /etc/nginx/sites-available/misp-secure /etc/nginx/sites-enabled/misp elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then 
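Review bot: `MISP_ENTRYPOINT_NGINX_NOREDIRECT` and `MISP_ENTRYPOINT_NGINX_SECURESSL` are compared against `true` here exactly as `NOREDIR` and `SECURESSL` were, but default_vars.sh now defaults both — and `MISP_ENTRYPOINT_NGINX_DISABLEIPV6`, tested in the next hunk — to `"true"`, whereas the legacy names were unset unless the operator opted in. A deployment that never set those variables therefore switches to the misp80-noredir site, the misp-secure site and IPv6-disabled listeners on its next restart, and the `dhparams.pem` generation guarded by `! "$MISP_ENTRYPOINT_NGINX_SECURESSL" == true` in the following hunk stops running. If that is intended, the README's new Environment Variables section should list the changed defaults; if not, the three defaults in default_vars.sh should be `"false"` to preserve the previous behaviour.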
@@ -163,12 +161,12 @@ else echo "Configure NGINX | SSL already configured" fi -if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then +if [[ ! "$MISP_ENTRYPOINT_NGINX_SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then echo "Configure NGINX | Building dhparams.pem" openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048 fi -if [[ "$DISIPV6" == true ]]; then +if [[ "$MISP_ENTRYPOINT_NGINX_DISABLEIPV6" == true ]]; then echo "Configure NGINX | Disabling IPv6" sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80 sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp @@ -179,7 +177,7 @@ if [[ -x /custom-entrypoint.sh ]]; then fi # delete pid file -[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE +[ -f "$MISP_ENTRYPOINT_NGINX_PID_FILE" ] && rm "$MISP_ENTRYPOINT_NGINX_PID_FILE" if [[ "$WARNING53" == true ]]; then echo "WARNING - WARNING - WARNING" diff --git a/server/files/entrypoint_workers.sh b/server/files/entrypoint_workers.sh index 2e23fbb..b548020 100755 --- a/server/files/entrypoint_workers.sh +++ b/server/files/entrypoint_workers.sh @@ -1,17 +1,21 @@ #!/bin/bash -# Wait until entrypoint apache is ready +# Include default vars file: +# shellcheck disable=SC1091 +source "/default_vars.sh" + +# Wait until entrypoint NGINX is ready while (true) do sleep 2 - [ -f /entrypoint_apache.install ] && continue + [ -f "$MISP_ENTRYPOINT_NGINX_PID_FILE" ] && continue break done while true do echo "Start Workers..." - sudo -u www-data /var/www/MISP/app/Console/worker/start.sh + sudo -u www-data "$ENTRYPOINT_WORKERS_BIN_FILE" echo "Start Workers...finished" sleep 3600 done diff --git a/server/files/etc/supervisor/supervisor.conf b/server/files/etc/supervisor/supervisor.conf index ed23d98..1a7806c 100644 --- a/server/files/etc/supervisor/supervisor.conf +++ b/server/files/etc/supervisor/supervisor.conf 
@@ -34,7 +34,7 @@ stderr_logfile_maxbytes=0 autostart=true [program:cron] -environment=CRON_USER_ID=%(ENV_CRON_USER_ID)s +#environment=CRON_USER_ID=%(ENV_MISP_CRON_USER_ID)s command=/entrypoint_cron.sh stdout_logfile=/dev/stdout stdout_logfile_maxbytes=0