From e1274a6082a356225b1b0b017f81e9ee5220906c Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Wed, 4 Nov 2020 11:16:26 +0100
Subject: [PATCH] passbolt example
---
examples/passbolt/docker-compose.yml | 42 +++++++++++++++++++
examples/passbolt/modsec-confs/passbolt.conf | 2 +
.../passbolt/modsec-crs-confs/passbolt.conf | 7 ++++
.../passbolt/server-confs/reverse-proxy.conf | 9 ++++
4 files changed, 60 insertions(+)
create mode 100644 examples/passbolt/docker-compose.yml
create mode 100644 examples/passbolt/modsec-confs/passbolt.conf
create mode 100644 examples/passbolt/modsec-crs-confs/passbolt.conf
create mode 100644 examples/passbolt/server-confs/reverse-proxy.conf
diff --git a/examples/passbolt/docker-compose.yml b/examples/passbolt/docker-compose.yml
new file mode 100644
index 00000000..b09d4ae9
--- /dev/null
+++ b/examples/passbolt/docker-compose.yml
@@ -0,0 +1,42 @@
+version: '3'
+
+services:
+
+ mywww:
+ image: bunkerity/bunkerized-nginx
+ restart: always
+ ports:
+ - 80:8080
+ - 443:8443
+ volumes:
+ - ./letsencrypt:/etc/letsencrypt
+ - ./server-confs:/server-confs # custom confs to reverse proxy to passbolt
+ - ./modsec-crs-confs:/modsec-crs-confs # disable some false positive
+ - ./modsec-confs:/modsec-confs # disable some false positive
+ environment:
+ - SERVER_NAME=www.website.com # replace with your domain
+ - AUTO_LETS_ENCRYPT=yes
+ - REDIRECT_HTTP_TO_HTTPS=yes
+ - DISABLE_DEFAULT_SERVER=yes
+ - ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
+
+ mypassbolt:
+ image: passbolt/passbolt
+ restart: always
+ environment:
+ - DATASOURCES_DEFAULT_HOST=mydb
+ - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
+ - DATASOURCES_DEFAULT_USERNAME=user
+ - DATASOURCES_DEFAULT_DATABASE=passbolt
+ - APP_FULL_BASE_URL=https://www.website.com # replace with your URL
+
+ mydb:
+ image: mariadb
+ restart: always
+ volumes:
+ - ./db-data:/var/lib/mysql
+ environment:
+ - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
+ - MYSQL_DATABASE=passbolt
+ - MYSQL_USER=user
+ - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
diff --git a/examples/passbolt/modsec-confs/passbolt.conf b/examples/passbolt/modsec-confs/passbolt.conf
new file mode 100644
index 00000000..7bd25764
--- /dev/null
+++ b/examples/passbolt/modsec-confs/passbolt.conf
@@ -0,0 +1,2 @@
+SecRuleRemoveById 942100
+SecRuleRemoveById 930120
diff --git a/examples/passbolt/modsec-crs-confs/passbolt.conf b/examples/passbolt/modsec-crs-confs/passbolt.conf
new file mode 100644
index 00000000..41037442
--- /dev/null
+++ b/examples/passbolt/modsec-crs-confs/passbolt.conf
@@ -0,0 +1,7 @@
+SecAction \
+ "id:900200,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:'tx.allowed_methods=GET HEAD POST PUT DELETE'"
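Review bot: All three `image:` lines in docker-compose.yml (`bunkerity/bunkerized-nginx`, `passbolt/passbolt`, `mariadb`) carry no tag, so each resolves to `latest` and whatever is published under that tag at pull time ends up serving a password manager. Pin each to a reviewed version or digest, e.g. `image: mariadb:<version>` (placeholder; the patch names no version). The database passwords are also written inline in the `environment:` lists. The comments ask for a replacement, but keeping the real values out of the compose file is safer, for instance through a git-ignored `.env` file or the MariaDB image's `MYSQL_PASSWORD_FILE` / `MYSQL_ROOT_PASSWORD_FILE` variables.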
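Review bot: `SecRuleRemoveById 942100` and `SecRuleRemoveById 930120` in modsec-confs/passbolt.conf switch off the libinjection SQL-injection check and the OS file-access check for every request and every argument, not only for the Passbolt requests that trip them. If the false positives come from a known parameter, a scoped exclusion keeps the rules active elsewhere, e.g. `SecRuleUpdateTargetById 942100 "!ARGS:<param>"` (placeholder; the patch does not say which argument matches). At minimum, add a comment above each line naming the rule and the request that triggered it, so the exclusions can be re-checked after a CRS upgrade.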
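Review bot: The method list in `tx.allowed_methods` in modsec-crs-confs/passbolt.conf duplicates `ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE` from docker-compose.yml with nothing tying the two together, so a later edit to one leaves the other enforcing a different set. A comment above the `SecAction` would cover it, e.g. `# keep in sync with ALLOWED_METHODS in docker-compose.yml (PUT/DELETE added for Passbolt)`.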
diff --git a/examples/passbolt/server-confs/reverse-proxy.conf b/examples/passbolt/server-confs/reverse-proxy.conf
new file mode 100644
index 00000000..ca036f25
--- /dev/null
+++ b/examples/passbolt/server-confs/reverse-proxy.conf
@@ -0,0 +1,9 @@
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+location / {
+ if ($host = www.website.com) {
+ proxy_pass https://mypassbolt:443$request_uri;
+ }
+}
+
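Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever `X-Forwarded-For` the client sent, and this proxy is the internet-facing hop (ports 80/443 are published in docker-compose.yml), so the leftmost address Passbolt receives is client-controlled. If Passbolt uses that header for logging or throttling, which this patch does not show, overwrite it at the edge with `proxy_set_header X-Forwarded-For $remote_addr;`. Separately, `proxy_pass https://mypassbolt:443$request_uri;` encrypts the upstream hop, but nginx does not verify the upstream certificate unless `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate` are set. A comment stating that this is accepted for the internal Docker network would make the intent explicit.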