diff --git a/security_monkey/0.7.0/.dockerignore b/security_monkey/0.7.0/.dockerignore
new file mode 100644
index 0000000..b998130
--- /dev/null
+++ b/security_monkey/0.7.0/.dockerignore
@@ -0,0 +1,5 @@
+boto.cfg
+docker-compose.yml
+secmonkey.env
+*.example
+security_monkey-nginx
diff --git a/security_monkey/0.7.0/.gitignore b/security_monkey/0.7.0/.gitignore
new file mode 100644
index 0000000..40226f6
--- /dev/null
+++ b/security_monkey/0.7.0/.gitignore
@@ -0,0 +1,2 @@
+boto.cfg
+secmonkey.env
diff --git a/security_monkey/0.7.0/Dockerfile b/security_monkey/0.7.0/Dockerfile
new file mode 100644
index 0000000..df78c82
--- /dev/null
+++ b/security_monkey/0.7.0/Dockerfile
@@ -0,0 +1,39 @@
+# Copyright 2014 Netflix, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:14.04
+MAINTAINER Netflix Open Source Development
+
+ENV SECURITY_MONKEY_VERSION=v0.7.0 \
+ SECURITY_MONKEY_SETTINGS=/usr/local/src/security_monkey/env-config/config-deploy.py
+
+RUN apt-get update &&\
+ apt-get -y -q install python-software-properties software-properties-common postgresql-9.3 postgresql-client-9.3 postgresql-contrib-9.3 curl &&\
+ apt-get install -y python-pip python-dev python-psycopg2 libffi-dev libpq-dev libyaml-dev libxml2-dev libxmlsec1-dev git sudo swig python-m2crypto &&\
+ apt-get clean autoclean autoremove && rm -rf /var/lib/apt/lists/*
+
+RUN cd /usr/local/src &&\
+ git clone --branch $SECURITY_MONKEY_VERSION https://github.com/Netflix/security_monkey.git
+
+WORKDIR /usr/local/src/security_monkey
+RUN python setup.py install &&\
+ /bin/mkdir -pv /var/log/security_monkey &&\
+ touch /var/log/security_monkey/security_monkey-deploy.log /var/log/security_monkey/securitymonkey.log
+
+COPY config-deploy.py /usr/local/src/security_monkey/env-config/
+ADD api-start.sh api-init.sh scheduler-start.sh /usr/local/src/security_monkey/scripts/
+
+EXPOSE 5000
+
+ENTRYPOINT ["/usr/local/src/security_monkey/scripts/api-start.sh"]
diff --git a/security_monkey/0.7.0/api-init.sh b/security_monkey/0.7.0/api-init.sh
new file mode 100755
index 0000000..bc64faf
--- /dev/null
+++ b/security_monkey/0.7.0/api-init.sh
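Review bot: No `USER` instruction follows the install steps, so the `ENTRYPOINT` (`api-start.sh`, and the api-init/scheduler scripts ADDed beside it) runs `manage.py` as root inside the container. Nothing visible after `RUN python setup.py install` appears to need root for the api and scheduler paths, so a `RUN useradd -r secmonkey && chown -R secmonkey /var/log/security_monkey` followed by `USER secmonkey` before `ENTRYPOINT` would bound what a compromised Flask process can touch; `api-init.sh` relies on `sudo -u`, so it would need a sudoers entry or a non-sudo invocation first. Separately, `git clone --branch $SECURITY_MONKEY_VERSION` fetches a tag, and tags are mutable, so what gets built is not fixed by this file; a `git checkout <COMMIT_SHA_PLACEHOLDER>` after the clone (or `git verify-tag` if the project signs its tags) pins it, and the same unpinned clone appears in security_monkey-nginx/Dockerfile. As a point of style, `ADD` is used for plain local files where `COPY` is the conventional choice, as the preceding `COPY config-deploy.py` line already does.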
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+sudo -u ${SECURITY_MONKEY_POSTGRES_USER:-postgres} psql\
+ -h ${SECURITY_MONKEY_POSTGRES_HOST:-postgres} -p ${SECURITY_MONKEY_POSTGRES_PORT:-5432}\
+ --command "ALTER USER ${SECURITY_MONKEY_POSTGRES_USER:-postgres} with PASSWORD '${SECURITY_MONKEY_POSTGRES_PASSWORD:-securitymonkeypassword}';"
+
+sudo -u ${SECURITY_MONKEY_POSTGRES_USER:-postgres} createdb\
+ -h ${SECURITY_MONKEY_POSTGRES_HOST:-postgres} -p ${SECURITY_MONKEY_POSTGRES_PORT:-5432}\
+ -O ${SECURITY_MONKEY_POSTGRES_USER:-postgres} ${SECURITY_MONKEY_POSTGRES_DATABASE:-secmonkey}
+
+mkdir -p /var/log/security_monkey/
+touch "/var/log/security_monkey/security_monkey-deploy.log"
+
+cd /usr/local/src/security_monkey/
+exec python manage.py db upgrade
diff --git a/security_monkey/0.7.0/api-start.sh b/security_monkey/0.7.0/api-start.sh
new file mode 100755
index 0000000..64000ce
--- /dev/null
+++ b/security_monkey/0.7.0/api-start.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+cd /usr/local/src/security_monkey/
+exec python manage.py run_api_server -b 0.0.0.0:${SECURITY_MONKEY_API_PORT:-5000}
diff --git a/security_monkey/0.7.0/boto.cfg.example b/security_monkey/0.7.0/boto.cfg.example
new file mode 100644
index 0000000..a5fb66f
--- /dev/null
+++ b/security_monkey/0.7.0/boto.cfg.example
@@ -0,0 +1,4 @@
+[Credentials]
+aws_access_key_id = YOUR_ACCESS_KEY
+aws_secret_access_key = YOUR_SECRET_KEY
+
diff --git a/security_monkey/0.7.0/config-deploy.py b/security_monkey/0.7.0/config-deploy.py
new file mode 100644
index 0000000..b17822a
--- /dev/null
+++ b/security_monkey/0.7.0/config-deploy.py
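Review bot: The `ALTER USER ... with PASSWORD '...'` statement is passed on the psql command line via `--command`, so the database password (or the `securitymonkeypassword` fallback) is visible in the container's process list while psql runs and in any shell tracing; feed it on stdin instead, e.g. `sudo -u "$PGUSER" psql -h "$PGHOST" -p "$PGPORT" <<SQL` / `ALTER USER "$PGUSER" WITH PASSWORD '$PGPASS';` / `SQL` (shortened variable names for the `${SECURITY_MONKEY_POSTGRES_*}` expansions). The script has no `set -e`, so when the ALTER or `createdb` fails it still reaches `exec python manage.py db upgrade`; add `set -euo pipefail` after the shebang. Consider `${SECURITY_MONKEY_POSTGRES_PASSWORD:?not set}` rather than a fallback, so a deployment that forgot the secret fails instead of running with the password published in this repo — the same default is baked into config-deploy.py. Note that both commands connect to `-h ${SECURITY_MONKEY_POSTGRES_HOST}` as `postgres` with no password at all, which presumably only works because the database container accepts unauthenticated network connections; that assumption is worth stating in a comment.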
@@ -0,0 +1,305 @@ +# Copyright 2014 Netflix, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# Insert any config items here. +# This will be fed into Flask/SQLAlchemy inside security_monkey/__init__.py + +import os + +# Setting default settings +sm_config = { + 'fqdn': 'ec2-XX-XXX-XXX-XXX.compute-1.amazonaws.com', + 'postgres': { + 'database': 'secmonkey', + 'host': 'localhost', + 'password': 'securitymonkeypassword', + 'port': '5432', + 'user': 'postgres' + }, + 'api': { + 'port': 5000 + }, + 'email': { + 'security-team-email': [], + 'smtp': False, + 'ses-region': 'us-east-1', + 'default-sender': 'securitymonkey@example.com', + 'server': 'smtp.example.com', + 'username': 'username', + 'password': 'password' + } +} + +if 'SECURITY_MONKEY_POSTGRES_HOST' in os.environ: + sm_config['postgres']['host'] = os.environ.get('SECURITY_MONKEY_POSTGRES_HOST') + +if 'SECURITY_MONKEY_POSTGRES_USER' in os.environ: + sm_config['postgres']['user'] = os.environ.get('SECURITY_MONKEY_POSTGRES_USER') + +if 'SECURITY_MONKEY_POSTGRES_PASSWORD' in os.environ: + sm_config['postgres']['password'] = os.environ.get('SECURITY_MONKEY_POSTGRES_PASSWORD') + +if 'SECURITY_MONKEY_POSTGRES_DATABASE' in os.environ: + sm_config['postgres']['database'] = os.environ.get('SECURITY_MONKEY_POSTGRES_DATABASE') + +if 'SECURITY_MONKEY_POSTGRES_PORT' in os.environ: + sm_config['postgres']['port'] = os.environ.get('SECURITY_MONKEY_POSTGRES_PORT') + +if 'SECURITY_MONKEY_API_PORT' in os.environ: + 
sm_config['api']['port'] = os.environ.get('SECURITY_MONKEY_API_PORT') + +if 'SECURITY_MONKEY_FQDN' in os.environ: + sm_config['fqdn'] = os.environ.get('SECURITY_MONKEY_FQDN') + +if 'SECURITY_MONKEY_SECURITY_TEAM_EMAIL' in os.environ: + sm_config['email']['security-team-email'] = os.environ.get('SECURITY_MONKEY_SECURITY_TEAM_EMAIL') + +if 'SECURITY_MONKEY_SMTP' in os.environ: + # Must change String from environment variable into Boolean + if os.environ.get('SECURITY_MONKEY_SMTP') == 'True': + sm_config['email']['smtp'] = True + +if 'SECURITY_MONKEY_SES_REGION' in os.environ: + sm_config['email']['ses-region'] = os.environ.get('SECURITY_MONKEY_SES_REGION') + +if 'SECURITY_MONKEY_EMAIL_DEFAULT_SENDER' in os.environ: + sm_config['email']['default-sender'] = os.environ.get('SECURITY_MONKEY_EMAIL_DEFAULT_SENDER') + +if 'SECURITY_MONKEY_EMAIL_SERVER' in os.environ: + sm_config['email']['server'] = os.environ.get('SECURITY_MONKEY_EMAIL_SERVER') + +if 'SECURITY_MONKEY_EMAIL_USERNAME' in os.environ: + sm_config['email']['username'] = os.environ.get('SECURITY_MONKEY_EMAIL_USERNAME') + +if 'SECURITY_MONKEY_EMAIL_PASSWORD' in os.environ: + sm_config['email']['password'] = os.environ.get('SECURITY_MONKEY_EMAIL_PASSWORD') + +LOG_CFG = { + 'version': 1, + 'disable_existing_loggers': False, + 'formatters': { + 'standard': { + 'format': '%(asctime)s %(levelname)s: %(message)s ' + '[in %(pathname)s:%(lineno)d]' + } + }, + 'handlers': { + 'file': { + 'class': 'logging.handlers.RotatingFileHandler', + 'level': 'DEBUG', + 'formatter': 'standard', + 'filename': '/var/log/security_monkey/securitymonkey.log', + 'maxBytes': 10485760, + 'backupCount': 100, + 'encoding': 'utf8' + }, + 'console': { + 'class': 'logging.StreamHandler', + 'level': 'DEBUG', + 'formatter': 'standard', + 'stream': 'ext://sys.stdout' + } + }, + 'loggers': { + 'security_monkey': { + 'handlers': ['file', 'console'], + 'level': 'DEBUG' + }, + 'apscheduler': { + 'handlers': ['file', 'console'], + 'level': 'INFO' + } + } 
+} + +SQLALCHEMY_DATABASE_URI = 'postgresql://%s:%s@%s:%s/%s' % ( + sm_config['postgres']['user'], + sm_config['postgres']['password'], + sm_config['postgres']['host'], + sm_config['postgres']['port'], + sm_config['postgres']['database'] +) + +# print sm_config['postgres'] +# print SQLALCHEMY_DATABASE_URI + +SQLALCHEMY_POOL_SIZE = 50 +SQLALCHEMY_MAX_OVERFLOW = 15 +ENVIRONMENT = 'ec2' +USE_ROUTE53 = False +FQDN = sm_config['fqdn'] +API_PORT = sm_config['api']['port'] +WEB_PORT = '443' +WEB_PATH = '/static/ui.html' +FRONTED_BY_NGINX = True +NGINX_PORT = '443' +BASE_URL = 'https://{}/'.format(FQDN) + +SECRET_KEY = '' + +MAIL_DEFAULT_SENDER = sm_config['email']['default-sender'] +SECURITY_REGISTERABLE = True +SECURITY_CONFIRMABLE = False +SECURITY_RECOVERABLE = False +SECURITY_PASSWORD_HASH = 'bcrypt' +SECURITY_PASSWORD_SALT = '' +SECURITY_TRACKABLE = True + +SECURITY_POST_LOGIN_VIEW = BASE_URL +SECURITY_POST_REGISTER_VIEW = BASE_URL +SECURITY_POST_CONFIRM_VIEW = BASE_URL +SECURITY_POST_RESET_VIEW = BASE_URL +SECURITY_POST_CHANGE_VIEW = BASE_URL + +# This address gets all change notifications (i.e. 'securityteam@example.com') +SECURITY_TEAM_EMAIL = sm_config['email']['security-team-email'] + +# These are only required if using SMTP instead of SES +EMAILS_USE_SMTP = sm_config['email']['smtp'] # Otherwise, Use SES +SES_REGION = sm_config['email']['ses-region'] +MAIL_SERVER = sm_config['email']['server'] +MAIL_PORT = 465 +MAIL_USE_SSL = True +MAIL_USERNAME = sm_config['email']['username'] +MAIL_PASSWORD = sm_config['email']['password'] + +WTF_CSRF_ENABLED = True +WTF_CSRF_SSL_STRICT = True # Checks Referer Header. Set to False for API access. +WTF_CSRF_METHODS = ['DELETE', 'POST', 'PUT', 'PATCH'] + +# "NONE", "SUMMARY", or "FULL" +SECURITYGROUP_INSTANCE_DETAIL = 'FULL' + +# Threads used by the scheduler. +# You will likely need at least one core thread for every account being monitored. 
+CORE_THREADS = 25 +MAX_THREADS = 30 + +# SSO SETTINGS: +ACTIVE_PROVIDERS = [] # "ping", "google" or "onelogin" + +PING_NAME = '' # Use to override the Ping name in the UI. +PING_REDIRECT_URI = "{BASE}api/1/auth/ping".format(BASE=BASE_URL) +PING_CLIENT_ID = '' # Provided by your administrator +PING_AUTH_ENDPOINT = '' # Often something ending in authorization.oauth2 +PING_ACCESS_TOKEN_URL = '' # Often something ending in token.oauth2 +PING_USER_API_URL = '' # Often something ending in idp/userinfo.openid +PING_JWKS_URL = '' # Often something ending in JWKS +PING_SECRET = '' # Provided by your administrator + +GOOGLE_CLIENT_ID = '' +GOOGLE_AUTH_ENDPOINT = '' +GOOGLE_SECRET = '' + +ONELOGIN_APP_ID = '' # OneLogin App ID provider by your administrator +ONELOGIN_EMAIL_FIELD = 'User.email' # SAML attribute used to provide email address +ONELOGIN_DEFAULT_ROLE = 'View' # Default RBAC when user doesn't already exist +ONELOGIN_HTTPS = True # If using HTTPS strict mode will check the requests are HTTPS +ONELOGIN_SETTINGS = { + # If strict is True, then the Python Toolkit will reject unsigned + # or unencrypted messages if it expects them to be signed or encrypted. + # Also it will reject the messages if the SAML standard is not strictly + # followed. Destination, NameId, Conditions ... are validated too. + "strict": True, + + # Enable debug mode (outputs errors). + "debug": True, + + # Service Provider Data that we are deploying. + "sp": { + # Identifier of the SP entity (must be a URI) + "entityId": "{BASE}metadata/".format(BASE=BASE_URL), + # Specifies info about where and how the message MUST be + # returned to the requester, in this case our SP. + "assertionConsumerService": { + # URL Location where the from the IdP will be returned + "url": "{BASE}api/1/auth/onelogin?acs".format(BASE=BASE_URL), + # SAML protocol binding to be used when returning the + # message. OneLogin Toolkit supports this endpoint for the + # HTTP-POST binding only. 
+ "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" + }, + # If you need to specify requested attributes, set a + # attributeConsumingService. nameFormat, attributeValue and + # friendlyName can be omitted + #"attributeConsumingService": { + # "ServiceName": "SP test", + # "serviceDescription": "Test Service", + # "requestedAttributes": [ + # { + # "name": "", + # "isRequired": False, + # "nameFormat": "", + # "friendlyName": "", + # "attributeValue": "" + # } + # ] + #}, + # Specifies info about where and how the message MUST be + # returned to the requester, in this case our SP. + "singleLogoutService": { + # URL Location where the from the IdP will be returned + "url": "{BASE}api/1/auth/onelogin?sls".format(BASE=BASE_URL), + # SAML protocol binding to be used when returning the + # message. OneLogin Toolkit supports the HTTP-Redirect binding + # only for this endpoint. + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + # Specifies the constraints on the name identifier to be used to + # represent the requested subject. + # Take a look on src/onelogin/saml2/constants.py to see the NameIdFormat that are supported. + "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", + # Usually x509cert and privateKey of the SP are provided by files placed at + # the certs folder. But we can also provide them with the following parameters + "x509cert": "", + "privateKey": "" + }, + + # Identity Provider Data that we want connected with our SP. + "idp": { + # Identifier of the IdP entity (must be a URI) + "entityId": "https://app.onelogin.com/saml/metadata/{APP_ID}".format(APP_ID=ONELOGIN_APP_ID), + # SSO endpoint info of the IdP. (Authentication Request protocol) + "singleSignOnService": { + # URL Target of the IdP where the Authentication Request Message + # will be sent. 
+ "url": "https://app.onelogin.com/trust/saml2/http-post/sso/{APP_ID}".format(APP_ID=ONELOGIN_APP_ID), + # SAML protocol binding to be used when returning the + # message. OneLogin Toolkit supports the HTTP-Redirect binding + # only for this endpoint. + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + # SLO endpoint info of the IdP. + "singleLogoutService": { + # URL Location of the IdP where SLO Request will be sent. + "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/{APP_ID}".format(APP_ID=ONELOGIN_APP_ID), + # SAML protocol binding to be used when returning the + # message. OneLogin Toolkit supports the HTTP-Redirect binding + # only for this endpoint. + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + # Public x509 certificate of the IdP + "x509cert": "" + } +} + +from datetime import timedelta +PERMANENT_SESSION_LIFETIME=timedelta(minutes=60) +SESSION_REFRESH_EACH_REQUEST=True +SESSION_COOKIE_SECURE=True +SESSION_COOKIE_HTTPONLY=True +PREFERRED_URL_SCHEME='https' + +REMEMBER_COOKIE_DURATION=timedelta(minutes=60) # Can make longer if you want remember_me to be useful. +REMEMBER_COOKIE_SECURE=True +REMEMBER_COOKIE_HTTPONLY=True diff --git a/security_monkey/0.7.0/docker-compose.yml b/security_monkey/0.7.0/docker-compose.yml new file mode 100644 index 0000000..9a36ecc --- /dev/null +++ b/security_monkey/0.7.0/docker-compose.yml 
@@ -0,0 +1,72 @@
+---
+
+###
+#
+# Documentation: http://securitymonkey.readthedocs.io/en/latest/index.html
+#
+# shortcuts
+# open https://$(docker-machine active | xargs docker-machine ip)
+#
+###
+
+version: '2'
+# volumes:
+# - postgres-data: {}
+services:
+ postgres:
+ container_name: db
+ image: postgres:9
+ # volumes:
+ # - ./postgres-data/:/var/lib/postgresql/data
+
+ init:
+ container_name: init
+ build: .
+ depends_on:
+ - postgres
+ env_file: secmonkey.env
+ volumes:
+ - ./config-deploy.py:/usr/local/src/security_monkey/env-config/config-deploy.py
+ - ./api-init.sh:/usr/local/src/security_monkey/scripts/api-init.sh
+ - ./api-start.sh:/usr/local/src/security_monkey/scripts/api-start.sh
+ - ./scheduler-start.sh:/usr/local/src/security_monkey/scripts/scheduler-start.sh
+ entrypoint: # ["/usr/local/src/security_monkey/scripts/api-init.sh"]
+ - sleep
+ - 8h
+
+ api:
+ container_name: api
+ build: .
+ depends_on:
+ - postgres
+ env_file: secmonkey.env
+ volumes_from:
+ - init
+ entrypoint: ["/usr/local/src/security_monkey/scripts/api-start.sh"]
+
+ scheduler:
+ container_name: scheduler
+ build: .
+ depends_on:
+ - api
+ env_file: secmonkey.env
+ entrypoint: ["/usr/local/src/security_monkey/scripts/scheduler-start.sh"]
+ volumes_from:
+ - init
+
+ nginx:
+ container_name: nginx
+ build:
+ context: ./security_monkey-nginx
+ working_dir: /etc/nginx
+ volumes:
+ - ./security_monkey-nginx/server.crt:/etc/nginx/ssl/server.crt
+ - ./security_monkey-nginx/server.key:/etc/nginx/ssl/server.key
+ - ./security_monkey-nginx/nginx-start.sh:/usr/local/src/security_monkey/scripts/nginx-start.sh
+ depends_on:
+ - api
+ ports:
+ - 80:80
+ - 443:443
+ links:
+ - api:smapi
diff --git a/security_monkey/0.7.0/scheduler-start.sh b/security_monkey/0.7.0/scheduler-start.sh
new file mode 100755
index 0000000..9e88fda
--- /dev/null
+++ b/security_monkey/0.7.0/scheduler-start.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+cd /usr/local/src/security_monkey/
+exec python manage.py start_scheduler
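Review bot: The `init` service's `entrypoint` is `sleep 8h`, with the real `api-init.sh` entry left in a trailing comment, so `docker-compose up` never runs the role-password, `createdb` and `db upgrade` sequence, and `api`/`scheduler` (which only `depends_on` `postgres`/`api`) start against an uninitialised database until someone runs the script by hand inside `init`. Either restore `entrypoint: ["/usr/local/src/security_monkey/scripts/api-init.sh"]` or document the manual step in the header comment. The `postgres` service sets no `POSTGRES_PASSWORD`, which together with api-init.sh connecting as `postgres` without a password suggests the database accepts unauthenticated connections from anything on the compose network; that should be confirmed and stated next to the service, since `SECURITY_MONKEY_POSTGRES_PASSWORD` then protects nothing on this network. Publishing `80:80` is covered in the securitymonkey.conf review.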
diff --git a/security_monkey/0.7.0/secmonkey.env.example b/security_monkey/0.7.0/secmonkey.env.example
new file mode 100644
index 0000000..e9ba79e
--- /dev/null
+++ b/security_monkey/0.7.0/secmonkey.env.example
@@ -0,0 +1,4 @@
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+SECURITY_MONKEY_POSTGRES_HOST=postgres
+SECURITY_MONKEY_FQDN=192.168.99.100
diff --git a/security_monkey/0.7.0/security_monkey-nginx/Dockerfile b/security_monkey/0.7.0/security_monkey-nginx/Dockerfile
new file mode 100755
index 0000000..897bac0
--- /dev/null
+++ b/security_monkey/0.7.0/security_monkey-nginx/Dockerfile
@@ -0,0 +1,49 @@ +# Copyright 2014 Netflix, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM nginx:1.11.4 +MAINTAINER Netflix Open Source Development + +ENV SECURITY_MONKEY_VERSION=v0.7.0 +RUN apt-get update &&\ + apt-get install -y curl git sudo apt-transport-https &&\ + apt-get clean autoclean autoremove && rm -rf /var/lib/apt/lists/* + +RUN cd /usr/local/src &&\ + git clone -b $SECURITY_MONKEY_VERSION https://github.com/Netflix/security_monkey.git + +RUN curl https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - &&\ + curl https://storage.googleapis.com/download.dartlang.org/linux/debian/dart_stable.list > /etc/apt/sources.list.d/dart_stable.list && \ + apt-get update &&\ + apt-get install -y -q dart &&\ + apt-get clean autoclean autoremove && rm -rf /var/lib/apt/lists/* + +RUN cd /usr/local/src/security_monkey/dart &&\ + /usr/lib/dart/bin/pub get &&\ + /usr/lib/dart/bin/pub build &&\ + /bin/mkdir -p /usr/local/src/security_monkey/security_monkey/static/ &&\ + /bin/cp -R /usr/local/src/security_monkey/dart/build/web/* /usr/local/src/security_monkey/security_monkey/static/ + +RUN /bin/mkdir -p /var/log/security_monkey/ &&\ + /usr/bin/touch /var/log/security_monkey/security_monkey.access.log &&\ + /usr/bin/touch /var/log/security_monkey/security_monkey.error.log + +WORKDIR /etc/nginx +EXPOSE 443 + +ADD securitymonkey.conf /etc/nginx/conf.d/securitymonkey.conf +COPY nginx.conf /etc/nginx/nginx.conf +ADD nginx-start.sh 
/usr/local/src/security_monkey/scripts/nginx-start.sh
+
+ENTRYPOINT ["/usr/local/src/security_monkey/scripts/nginx-start.sh"]
diff --git a/security_monkey/0.7.0/security_monkey-nginx/nginx-start.sh b/security_monkey/0.7.0/security_monkey-nginx/nginx-start.sh
new file mode 100755
index 0000000..4580daf
--- /dev/null
+++ b/security_monkey/0.7.0/security_monkey-nginx/nginx-start.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+SECURITY_MONKEY_SSL_CERT=${SECURITY_MONKEY_SSL_CERT:-/etc/nginx/ssl/server.crt}
+SECURITY_MONKEY_SSL_KEY=${SECURITY_MONKEY_SSL_KEY:-/etc/nginx/ssl/server.key}
+
+if [ ! -f "$SECURITY_MONKEY_SSL_CERT" ] || [ ! -f "$SECURITY_MONKEY_SSL_KEY" ]; then
+ # Fail if SSL is unavailable
+ echo "$(date) Error: Missing files required for SSL"
+ exit 1
+fi
+
+exec nginx
diff --git a/security_monkey/0.7.0/security_monkey-nginx/nginx.conf b/security_monkey/0.7.0/security_monkey-nginx/nginx.conf
new file mode 100644
index 0000000..93f3c3a
--- /dev/null
+++ b/security_monkey/0.7.0/security_monkey-nginx/nginx.conf
@@ -0,0 +1,34 @@
+user nginx;
+worker_processes 1;
+daemon off;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+
+}
+
diff --git a/security_monkey/0.7.0/security_monkey-nginx/securitymonkey.conf b/security_monkey/0.7.0/security_monkey-nginx/securitymonkey.conf
new file mode 100644
index 0000000..038a3ad
--- /dev/null
+++ b/security_monkey/0.7.0/security_monkey-nginx/securitymonkey.conf
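Review bot: `curl https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -` runs curl without `-f`/`-sS`, so an HTTP error body or a truncated download is piped straight into `apt-key add`, and the `&&` chain only sees the exit status of `apt-key`, not of curl; the same applies to the `curl ... > /etc/apt/sources.list.d/dart_stable.list` redirect, which writes whatever came back as an apt source. Use `curl -fsSL` in both places (`RUN` executes under `/bin/sh`, so `pipefail` is not available to catch this otherwise). `pub get` and `pub build` then resolve Dart packages from the network at build time with nothing pinned in this hunk, so the image is only as reproducible as the cloned tree's lockfile, which is outside this diff. `git clone -b $SECURITY_MONKEY_VERSION` has the same mutable-tag concern raised on the api Dockerfile. The enclosing RUN chains start in the previous physical line of this hunk.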
@@ -0,0 +1,64 @@
+server {
+ listen 0.0.0.0:80 default;
+ listen 0.0.0.0:443 ssl default;
+ ssl_certificate /etc/nginx/ssl/server.crt;
+ ssl_certificate_key /etc/nginx/ssl/server.key;
+ access_log /var/log/security_monkey/security_monkey.access.log;
+ error_log /var/log/security_monkey/security_monkey.error.log;
+
+ location /register {
+ proxy_read_timeout 120;
+ proxy_pass http://smapi:5000;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location /logout {
+ proxy_read_timeout 120;
+ proxy_pass http://smapi:5000;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location /login {
+ proxy_read_timeout 120;
+ proxy_pass http://smapi:5000;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location /api {
+ proxy_read_timeout 120;
+ proxy_pass http://smapi:5000;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location /static {
+ rewrite ^/static/(.*)$ /$1 break;
+ root /usr/local/src/security_monkey/security_monkey/static;
+ index ui.html;
+ }
+
+ location / {
+ root /usr/local/src/security_monkey/security_monkey/static;
+ index ui.html;
+ }
+
+}
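Review bot: The single `server` block listens on both `0.0.0.0:80` and `0.0.0.0:443 ssl`, so `/login`, `/register` and `/api` are proxied to `smapi:5000` over plaintext HTTP as well as TLS; a browser that lands on port 80 (which docker-compose publishes as `80:80`) submits credentials in the clear, and nothing in this file redirects it to HTTPS. Split port 80 into its own block that only returns a redirect and keep every proxy location under the 443 listener, as below. The four proxy locations are byte-for-byte copies, so a shared snippet pulled in with `include` would keep their timeouts and headers in sync, and none of them sets `X-Forwarded-Proto`, which the Flask side (`PREFERRED_URL_SCHEME='https'` in config-deploy.py) may rely on for URL generation behind the proxy — hedged, since whether the app reads that header is outside this diff.
```nginx
server {
    listen 0.0.0.0:80 default;
    return 301 https://$host$request_uri;
}

server {
    listen 0.0.0.0:443 ssl default;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    # … unchanged: access_log/error_log and the location blocks …
}
```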
diff --git a/security_monkey/0.7.0/security_monkey-nginx/server.crt b/security_monkey/0.7.0/security_monkey-nginx/server.crt new file mode 100644 index 0000000..c2e516e --- /dev/null +++ b/security_monkey/0.7.0/security_monkey-nginx/server.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID8jCCAtoCCQCnvR3ajR8rsjANBgkqhkiG9w0BAQsFADCBujELMAkGA1UEBhMC +VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCUxvcyBHYXRvczEnMCUG +A1UECgweU2VsZiBTaWduZWQgRG9ja2VyIENlcnRzIExtdGQuMR4wHAYDVQQLDBVT +ZWxmIFNpZ25lZCBEb2NrZXIgT1UxFTATBgNVBAMMDFNvbWVEb2NrZXJJUDEiMCAG +CSqGSIb3DQEJARYTcGtlbGxleUBuZXRmbGl4LmNvbTAeFw0xNDExMTAwMzQ0Mzda +Fw0xNTExMTAwMzQ0MzdaMIG6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZv +cm5pYTESMBAGA1UEBwwJTG9zIEdhdG9zMScwJQYDVQQKDB5TZWxmIFNpZ25lZCBE +b2NrZXIgQ2VydHMgTG10ZC4xHjAcBgNVBAsMFVNlbGYgU2lnbmVkIERvY2tlciBP +VTEVMBMGA1UEAwwMU29tZURvY2tlcklQMSIwIAYJKoZIhvcNAQkBFhNwa2VsbGV5 +QG5ldGZsaXguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvkeh +4rS7A2Irm8UAuEitneMRviSDPI04a3sbYIZISPMTsmn50ZXAewikL7YAVchDceiW +dhu4T+lah/lAmTjHLgleEUu2htsSO25pQBSC1mzpxU2RhY8EpW4pgjZdkzlHdsy5 +ZiYS4HAHIp7ZFr+DEDAoFgR2uIMK8W7jAwLXcjT1qs/q69Po1EAnOucLAwu6fiUS +MY/BAwGxhRDp9Q0dT7FiHwN8756MdQufapnuosHPcQoOj73IOhSN7EBqNXFWOjPc +nKKhmFxuFhKgIDcY8yJoAx5qWOWM7vlgACHd/41kE53RMd7k7hp3GXxofs7qHtaf +ZxtdMqiuPC/UUoMEzwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCckPS2VT4VZr8S +UsyuSy4RWtpwTg2sVGsddb27R3l9a/fRupHnSs1v+ZyrP7a/QcK16wNAGYm05Ajd +jXxaI8auNwi+Vix5r9pV3OG9bGoDp5m0+TeeV+RGs6nhIgnyJrYqDBV6St3UPwwS +U0mh4iFxwdR8NZYpLAu1R+t0t7G0do8yJKmHezs7zXy6J16Xl8txjFAVF5pHw2aN +h5Lj1FcdrOUCaeAFTmTK15ZcojDuIOoN/EdpNyHgelXqr0NQGcfrGJIGsn/8vXyV ++2B7QTr7w5gtqu5RQ5pem14wMoJl2tRNx02fP9CYmJoD8KAximnJDxL1PXEFIMxw +t7hR6j5w +-----END CERTIFICATE----- diff --git a/security_monkey/0.7.0/security_monkey-nginx/server.key b/security_monkey/0.7.0/security_monkey-nginx/server.key new file mode 100644 index 0000000..1f0acf5 --- /dev/null +++ b/security_monkey/0.7.0/security_monkey-nginx/server.key 
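Review bot: The companion `server.key` hunk that follows commits an unencrypted RSA private key next to this certificate, so every deployment built from this repository terminates TLS with a key that anyone with read access to the repo also holds; the `.gitignore` added in this commit lists only `boto.cfg` and `secmonkey.env`, and docker-compose bind-mounts both files straight into the nginx container. Generate the pair at deploy time instead — `nginx-start.sh` already checks for the two paths and is the natural place to create a self-signed pair when they are missing — add `server.key` to `.gitignore`, and treat the committed key as compromised and rotate it wherever it was used. Decoding the subject and validity fields from the base64 here, the certificate is a self-signed placeholder (CN `SomeDockerIP`) whose validity window appears to be 2014-11-10 to 2015-11-10, i.e. already expired when this 0.7.0 packaging was assembled; a comment at the top of the directory's README or Dockerfile should say these are samples, not credentials to ship.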
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvkeh4rS7A2Irm8UAuEitneMRviSDPI04a3sbYIZISPMTsmn5 +0ZXAewikL7YAVchDceiWdhu4T+lah/lAmTjHLgleEUu2htsSO25pQBSC1mzpxU2R +hY8EpW4pgjZdkzlHdsy5ZiYS4HAHIp7ZFr+DEDAoFgR2uIMK8W7jAwLXcjT1qs/q +69Po1EAnOucLAwu6fiUSMY/BAwGxhRDp9Q0dT7FiHwN8756MdQufapnuosHPcQoO +j73IOhSN7EBqNXFWOjPcnKKhmFxuFhKgIDcY8yJoAx5qWOWM7vlgACHd/41kE53R +Md7k7hp3GXxofs7qHtafZxtdMqiuPC/UUoMEzwIDAQABAoIBAAShg6wbz+1eJ0eM +PN8/TZJpI1ZoVxVTLotXHKx1uC6mU9VkxOK37U5RQIW0vT9ZN2L/USIgvJSdTkm+ +5DaWbiqNqc9r805G6KOvpTodBa4oSmw13hPNDkTkcHgt0IszuqyGgQCebpktwM6z +5P6rvInZUjBu/WCyN8L2euno2Mt7ubYsHp6IZNeDF5UKBd3fcORCCN2oIjud/wo+ +7qzgc1Qz8yZLg5rLY5t1TXmWsYPnTgCo2xSUt+40VEPu2IeShg+TxyFzVTkfsxs9 +ZT6+HwW3wcnRLbUcdX/sYldaKHW+k4rDHnRtqzaxgwmL+Pd/RC/b1MRReY2IANkU +P1q5kikCgYEA7GuPfeX4SmvZqipRi6CujWHZcR5pHUAqURrA+PkGw7PVo3Z59aor +KbAUsPDpQLhLnsO/nTjxjnvz+uHYRJjsAypXtwp0cyvV5TUd8REwzg8ivRB1U6TX +aUTmqpdC7JL8bfN10puqOG2dE4/tiVpW02e2pSp+gBdjS0t0Rn/PagsCgYEAzgnU +7Fs+G0sKBkXF+/M/XFin5dGqlvYBKXwh49qeyyOZFHzGNs97qtvuRnKZ3xgSsbnV +KGa4PcSBcSH7ktiKMsjxs2rxkGrFvD+7TpM4FfNxOL04AupHLgkb0JOlCDsgPkwH +DoyOSomutL3hSXrIEbg+2pgPUm6kgMfKFw5rjs0CgYEAmZq4u/+ydgfkf97G5IUd +Y9ZzRD+R4+NQmylav2hssLIi1/Wd/7L0ID2688tSgS48U4ay9B+PMhfuyM37iXYh +wVy9aLtuNXYBns4IChw1LWxAEb6jvBiZrFeL1sI4RSSqxXUs1A03ZzowmAknN9pu +FySHUoBteCO56622eieIR0kCgYA0uB1MMPiOQUAaZMYI9q+ysFidnG1a3S1k8Qc2 +5xyUe9JShK6vHZ3WFRo92lr205EM+rDI+qeP3nUEfp6Bb3jFD9eQgf+3ZSqdRW1m +6JKEQ1soGnp3fHykEd6VGwIyPfa9GfUASwSpm9shEijQBWOl7Q/gHOJmxDrBXN2f +0qfAzQKBgQDL7gyh7hBCBlwFreKmmYyNQDYWp4XJvvO0mOhR4rpNMgFAWqBWPd/C +VBPCctp71Dj9MztNrIUBTOsU54DFHfC+UIicoyAtPIWUbaYlS0Wxf1DY6orvAp+T +3D+eNMsdnZqEPC+Q+Fb2DkF8CzrhYdH2nZEMN8rA50/L/r0OGkOiLg== +-----END RSA PRIVATE KEY-----