started crowdsec v1 integration
This commit is contained in:
bunkerity
parent
fd7afa17b3
commit
09a984c86b
|
|
@ -6,18 +6,12 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
|
|
|
|||
|
|
@ -6,18 +6,12 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
|
|
|
|||
|
|
@ -13,18 +13,12 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
|
|
|
|||
|
|
@ -13,18 +13,12 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
|
|
|
|||
|
|
@ -6,18 +6,12 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
|
|
|
|||
32
compile.sh
32
compile.sh
|
|
@ -30,7 +30,7 @@ function git_secure_clone() {
|
|||
NTASK=$(nproc)
|
||||
|
||||
# install build dependencies
|
||||
apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg brotli-dev
|
||||
apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev gd-dev gnupg brotli-dev openssl-dev
|
||||
|
||||
# compile and install ModSecurity library
|
||||
cd /tmp
|
||||
|
|
@ -111,6 +111,36 @@ git_secure_clone https://github.com/ledgetech/lua-resty-http.git 984fdc260543763
|
|||
cd lua-resty-http
|
||||
make install
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
|
||||
cd lualogging
|
||||
cp -r src/* /usr/local/lib/lua
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/diegonehab/luasocket.git 5b18e475f38fcf28429b1cc4b17baee3b9793a62
|
||||
cd luasocket
|
||||
make -j $NTASK
|
||||
mkdir /usr/local/lib/lua/socket
|
||||
cp src/*.lua /usr/local/lib/lua/socket
|
||||
cp src/*.so /usr/local/lib/lua/5.1/
|
||||
mv /usr/local/lib/lua/5.1/socket*.so /usr/local/lib/5.1/socket.so
|
||||
mv /usr/local/lib/lua/5.1/mime*.so /usr/local/lib/5.1/mime.so
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/brunoos/luasec.git c6704919bdc85f3324340bdb35c2795a02f7d625
|
||||
cd luasec
|
||||
make linux -j $NTASK
|
||||
cp src/ssl.so /usr/local/lib/lua/5.1
|
||||
mkdir /usr/local/lib/lua/ssl
|
||||
cp src/*.lua /usr/local/lib/lua
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 71c4247d6b66234e3f3426b2ea721ad50c741579
|
||||
cd lua-cs-bouncer
|
||||
mkdir /usr/local/lib/lua/crowdsec
|
||||
cp lib/*.lua /usr/local/lib/lua/crowdsec
|
||||
cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
|
||||
sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/:' /usr/local/lib/lua/crowdsec/crowdsec.conf
|
||||
sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/:' /usr/local/lib/lua/crowdsec/crowdsec.conf
|
||||
sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
|
||||
sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/openresty/lua-nginx-module.git 2d23bc4f0a29ed79aaaa754c11bffb1080aa44ba
|
||||
export LUAJIT_LIB=/usr/local/lib
|
||||
export LUAJIT_INC=/usr/local/include/luajit-2.1
|
||||
|
|
|
|||
|
|
@ -1,63 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
function git_secure_clone() {
|
||||
repo="$1"
|
||||
commit="$2"
|
||||
folder=$(echo "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")
|
||||
git clone "$repo"
|
||||
cd "$folder"
|
||||
git checkout "${commit}^{commit}"
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] Commit hash $commit is absent from repository $repo !"
|
||||
exit 1
|
||||
fi
|
||||
cd ..
|
||||
}
|
||||
|
||||
NTASK=$(nproc)
|
||||
|
||||
# install build dependencies
|
||||
apk add --no-cache --virtual build git bash lua-dev mariadb-dev sqlite-dev gettext make go jq
|
||||
|
||||
# build and install crowdsec
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/crowdsecurity/crowdsec.git 2fdf7624da381af605baa46f319f2ed3015807e4
|
||||
cd crowdsec
|
||||
make -j $NTASK build
|
||||
./wizard.sh --bininstall
|
||||
sed -i 's/^machine_id:.*//' /etc/crowdsec/config/api.yaml
|
||||
sed -i 's/^password:.*//' /etc/crowdsec/config/api.yaml
|
||||
|
||||
# install nginx collection
|
||||
cscli update
|
||||
cscli install collection crowdsecurity/nginx
|
||||
sed -i "s/^filter:.*$/filter: \"evt.Line.Labels.type == 'nginx'\"/" /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
|
||||
sed -i 's/apply_on: message/apply_on: Line.Raw/g' /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
|
||||
|
||||
# build and install luasql
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/keplerproject/luasql.git 22d4a911f35cf851af9db71124e3998d96fb3fa1
|
||||
cd luasql
|
||||
make -j $NTASK sqlite3 mysql
|
||||
mkdir /usr/local/lib/lua/5.1/luasql
|
||||
cp src/*.so /usr/local/lib/lua/5.1/luasql
|
||||
|
||||
# install lualogging
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
|
||||
cd lualogging
|
||||
cp -r src/* /usr/local/lib/lua
|
||||
|
||||
# install cs-lua-lib
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/crowdsecurity/cs-lua-lib.git 97e55a555a8f6d46c1c2032825a4578090283301
|
||||
cd cs-lua-lib
|
||||
mkdir /usr/local/lib/lua/crowdsec
|
||||
cp lib/*.lua /usr/local/lib/lua/crowdsec
|
||||
cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
|
||||
rm /usr/local/lib/lua/crowdsec/lrucache.lua
|
||||
sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
|
||||
sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
|
||||
|
||||
# remove build dependencies
|
||||
apk del build
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
MULTISITE="${MULTISITE-no}"
|
||||
LOG_FORMAT="${LOG_FORMAT-\$remote_addr - \$remote_user \$host [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
|
||||
LOG_FORMAT="${LOG_FORMAT-\$host \$remote_addr - \$remote_user [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
|
||||
HTTP_PORT="${HTTP_PORT-8080}"
|
||||
HTTPS_PORT="${HTTPS_PORT-8443}"
|
||||
MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
|
||||
|
|
|
|||
|
|
@ -100,12 +100,6 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
|||
LOGS="$LOGS /var/log/fail2ban.log"
|
||||
fi
|
||||
|
||||
# start crowdsec
|
||||
if [ "$USE_CROWDSEC" = "yes" ] ; then
|
||||
echo "[*] Running crowdsec ..."
|
||||
crowdsec
|
||||
fi
|
||||
|
||||
# autotest
|
||||
if [ "$1" == "test" ] ; then
|
||||
sleep 10
|
||||
|
|
|
|||
|
|
@ -291,10 +291,8 @@ fi
|
|||
# CrowdSec setup
|
||||
if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
|
||||
cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
|
||||
cscli api register >> /etc/crowdsec/config/api.yaml
|
||||
cscli api pull
|
||||
echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST" "$CROWDSEC_HOST"
|
||||
replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY" "$CROWDSEC_KEY"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -0,0 +1,70 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mywww:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./web-files:/www:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
- nginx_logs:/var/log
|
||||
environment:
|
||||
- SERVER_NAME=app1.website.com app2.website.com # replace with your domains
|
||||
- MULTISITE=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_CROWDSEC=yes
|
||||
- CROWDSEC_HOST=mycrowdsec
|
||||
- CROWDSEC_KEY= # you need to generate it (see bouncer_key.sh)
|
||||
- app1.website.com_REMOTE_PHP=myapp1
|
||||
- app1.website.com_REMOTE_PHP_PATH=/app
|
||||
- app2.website.com_REMOTE_PHP=myapp2
|
||||
- app2.website.com_REMOTE_PHP_PATH=/app
|
||||
networks:
|
||||
- net0
|
||||
- net1
|
||||
- net2
|
||||
|
||||
mycrowdsec:
|
||||
image: crowdsecurity/crowdsec:v1.0.2
|
||||
restart: always
|
||||
volumes:
|
||||
- ./acquis.yaml:/etc/crowdsec/acquis.yaml
|
||||
- nginx_logs:/var/log:ro
|
||||
environment:
|
||||
- COLLECTIONS=crowdsecurity/nginx
|
||||
- REGISTER_TO_ONLINE_API=true
|
||||
networks:
|
||||
- net0
|
||||
|
||||
myapp1:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files/app1.website.com:/app
|
||||
networks:
|
||||
- net1
|
||||
|
||||
myapp2:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files/app2.website.com:/app
|
||||
networks:
|
||||
- net2
|
||||
|
||||
networks:
|
||||
net0:
|
||||
net1:
|
||||
net2:
|
||||
|
||||
volumes:
|
||||
nginx_logs:
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
<?php
|
||||
|
||||
echo "hello from app1 !";
|
||||
|
||||
?>
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
<?php
|
||||
|
||||
echo "hello from app2 !";
|
||||
|
||||
?>
|
||||
Loading…
Reference in New Issue