Squashed commit of the following:
commit 192e5c3
Author: SG <[email protected]>
Date:   Tue May 5 13:03:33 2020 -0600

    bump version to 2.0.3

commit 2c2de9f
Author: SG <[email protected]>
Date:   Tue May 5 12:51:14 2020 -0600

    create ca-trust directory on boot

commit 4c24aff
Author: SG <[email protected]>
Date:   Tue May 5 11:55:59 2020 -0600

    remove unused nginx PAM module, and comment setting up initial crt symlinks

commit 04b12ce
Author: SG <[email protected]>
Date:   Mon May 4 14:32:16 2020 -0600

    for idaholab#128, provide directory to put CA certificates for trusted LDAP servers
mmguero committed May 5, 2020
1 parent 0ad0b9f commit 3eded78
Showing 10 changed files with 187 additions and 109 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -10,6 +10,7 @@
/logstash/certs
/filebeat/certs
/nginx/certs
/nginx/ca-trust
/nginx/htpasswd
/nginx/nginx_ldap.conf
/htadmin/config.ini
25 changes: 16 additions & 9 deletions Dockerfiles/nginx.Dockerfile
Expand Up @@ -61,18 +61,28 @@ ARG NGINX_LDAP_TLS_STUNNEL=false
# when initiating the "extendedReq(1) LDAP_START_TLS_OID" command, which protocol to use: winldap or openldap
ARG NGINX_LDAP_TLS_STUNNEL_PROTOCOL=winldap

# stunnel will require and verify certificates for StartTLS when one or more
# trusted CA certificate files are placed in the ./nginx/ca-trust directory.
# For additional security, hostname or IP address checking of the associated
# CA certificate(s) can be enabled by providing these values.
# see https://www.stunnel.org/howto.html
# https://www.openssl.org/docs/man1.1.1/man3/X509_check_host.html
ARG NGINX_LDAP_TLS_STUNNEL_CHECK_HOST=
ARG NGINX_LDAP_TLS_STUNNEL_CHECK_IP=
ARG NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL=2

ENV NGINX_BASIC_AUTH $NGINX_BASIC_AUTH
ENV NGINX_LDAP_TLS_STUNNEL $NGINX_LDAP_TLS_STUNNEL
ENV NGINX_LDAP_TLS_STUNNEL_PROTOCOL $NGINX_LDAP_TLS_STUNNEL_PROTOCOL

ENV NGINX_LDAP_TLS_STUNNEL_CHECK_HOST $NGINX_LDAP_TLS_STUNNEL_CHECK_HOST
ENV NGINX_LDAP_TLS_STUNNEL_CHECK_IP $NGINX_LDAP_TLS_STUNNEL_CHECK_IP
ENV NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL $NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL

# build latest nginx with nginx-auth-ldap
ENV NGINX_VERSION=1.17.9
ENV NGINX_AUTH_LDAP_BRANCH=master
ENV NGINX_AUTH_PAM_BRANCH=master

ADD https://codeload.github.com/mmguero-dev/nginx-auth-ldap/tar.gz/$NGINX_AUTH_LDAP_BRANCH /nginx-auth-ldap.tar.gz
ADD https://codeload.github.com/sto/ngx_http_auth_pam_module/tar.gz/$NGINX_AUTH_PAM_BRANCH /ngx_http_auth_pam_module.tar.gz
ADD http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz /nginx.tar.gz

COPY --from=stunnel_build /apkbuild/packages/community/x86_64/stunnel-*.apk /tmp/
Expand Down Expand Up @@ -124,7 +134,6 @@ RUN set -x ; \
--with-file-aio \
--with-http_v2_module \
--add-module=/usr/src/nginx-auth-ldap \
--add-module=/usr/src/ngx_http_auth_pam_module \
" ; \
addgroup -g 101 -S nginx ; \
adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx ; \
Expand All @@ -143,17 +152,15 @@ RUN set -x ; \
linux-headers \
make \
openldap-dev \
linux-pam-dev \
pcre-dev \
perl-dev \
tar \
zlib-dev \
; \
\
mkdir -p /usr/src/nginx-auth-ldap /usr/src/ngx_http_auth_pam_module /www /www/logs/nginx ; \
mkdir -p /usr/src/nginx-auth-ldap /www /www/logs/nginx ; \
tar -zxC /usr/src -f /nginx.tar.gz ; \
tar -zxC /usr/src/nginx-auth-ldap --strip=1 -f /nginx-auth-ldap.tar.gz ; \
tar -zxC /usr/src/ngx_http_auth_pam_module --strip=1 -f /ngx_http_auth_pam_module.tar.gz ; \
cd /usr/src/nginx-$NGINX_VERSION ; \
./configure $CONFIG --with-debug ; \
make -j$(getconf _NPROCESSORS_ONLN) ; \
Expand Down Expand Up @@ -196,14 +203,14 @@ RUN set -x ; \
| xargs -r apk info --installed \
| sort -u \
)" ; \
apk add --no-cache --virtual .nginx-rundeps $runDeps ca-certificates bash wget openssl apache2-utils openldap linux-pam nss-pam-ldapd supervisor tzdata; \
apk add --no-cache --virtual .nginx-rundeps $runDeps ca-certificates bash wget openssl apache2-utils openldap supervisor tzdata; \
update-ca-certificates; \
apk add --no-cache --allow-untrusted /tmp/stunnel-*.apk; \
apk del .nginx-build-deps ; \
apk del .gettext ; \
mv /tmp/envsubst /usr/local/bin/ ; \
mkdir -p /var/log/supervisor ; \
rm -rf /usr/src/* /var/tmp/* /var/cache/apk/* /tmp/stunnel-*.apk /nginx.tar.gz /nginx-auth-ldap.tar.gz /ngx_http_auth_pam_module.tar.gz; \
rm -rf /usr/src/* /var/tmp/* /var/cache/apk/* /tmp/stunnel-*.apk /nginx.tar.gz /nginx-auth-ldap.tar.gz; \
touch /etc/nginx/nginx_ldap.conf /etc/nginx/nginx_blank.conf;

COPY --from=jwilder/nginx-proxy:alpine /app/nginx.tmpl /etc/nginx/
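Review bot: The new comment block above `ARG NGINX_LDAP_TLS_STUNNEL_CHECK_HOST=` in the first hunk explains what happens once CA files are present but not the default when the ca-trust directory is empty, which the README hunk in this same commit states is that any certificate presented by the LDAP server is accepted; since that is the fail-open case an operator most needs to know about, add it here too, e.g. `# With no CA files in ca-trust the LDAP server certificate is NOT verified (see README).` The comment also names the host-side path `./nginx/ca-trust`, whereas inside the image the directory is mounted at `/etc/nginx/ca-trust` (per the docker-compose hunk), so naming the container path avoids confusion for anyone running the image without compose. `ARG NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL=2` is a bare number with nothing saying what the levels mean; a one-line pointer such as `# value handed to stunnel's 'verify' option` would make it self-describing. The `RUN` blocks the later hunks cut through begin and end outside the shown lines.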
64 changes: 33 additions & 31 deletions README.md
Expand Up @@ -128,21 +128,21 @@ You can then observe that the images have been retrieved by running `docker imag
```
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
malcolmnetsec/moloch 2.0.2 xxxxxxxxxxxx 10 minutes ago 491MB
malcolmnetsec/logstash-oss 2.0.2 xxxxxxxxxxxx 17 minutes ago 1.4GB
malcolmnetsec/zeek 2.0.2 xxxxxxxxxxxx 17 minutes ago 232MB
malcolmnetsec/file-upload 2.0.2 xxxxxxxxxxxx 23 minutes ago 199MB
malcolmnetsec/pcap-capture 2.0.2 xxxxxxxxxxxx 23 minutes ago 112MB
malcolmnetsec/file-monitor 2.0.2 xxxxxxxxxxxx 25 minutes ago 369MB
malcolmnetsec/filebeat-oss 2.0.2 xxxxxxxxxxxx 28 minutes ago 501MB
malcolmnetsec/kibana-oss 2.0.2 xxxxxxxxxxxx 28 minutes ago 964MB
malcolmnetsec/pcap-monitor 2.0.2 xxxxxxxxxxxx 28 minutes ago 156MB
malcolmnetsec/curator 2.0.2 xxxxxxxxxxxx 29 minutes ago 240MB
malcolmnetsec/nginx-proxy 2.0.2 xxxxxxxxxxxx 29 minutes ago 54.5MB
malcolmnetsec/elastalert 2.0.2 xxxxxxxxxxxx 30 minutes ago 276MB
malcolmnetsec/htadmin 2.0.2 xxxxxxxxxxxx 31 minutes ago 256MB
malcolmnetsec/freq 2.0.2 xxxxxxxxxxxx 32 minutes ago 188MB
malcolmnetsec/name-map-ui 2.0.2 xxxxxxxxxxxx 35 minutes ago 20MB
malcolmnetsec/moloch 2.0.3 xxxxxxxxxxxx 10 minutes ago 491MB
malcolmnetsec/logstash-oss 2.0.3 xxxxxxxxxxxx 17 minutes ago 1.4GB
malcolmnetsec/zeek 2.0.3 xxxxxxxxxxxx 17 minutes ago 232MB
malcolmnetsec/file-upload 2.0.3 xxxxxxxxxxxx 23 minutes ago 199MB
malcolmnetsec/pcap-capture 2.0.3 xxxxxxxxxxxx 23 minutes ago 112MB
malcolmnetsec/file-monitor 2.0.3 xxxxxxxxxxxx 25 minutes ago 369MB
malcolmnetsec/filebeat-oss 2.0.3 xxxxxxxxxxxx 28 minutes ago 501MB
malcolmnetsec/kibana-oss 2.0.3 xxxxxxxxxxxx 28 minutes ago 964MB
malcolmnetsec/pcap-monitor 2.0.3 xxxxxxxxxxxx 28 minutes ago 156MB
malcolmnetsec/curator 2.0.3 xxxxxxxxxxxx 29 minutes ago 240MB
malcolmnetsec/nginx-proxy 2.0.3 xxxxxxxxxxxx 29 minutes ago 54.5MB
malcolmnetsec/elastalert 2.0.3 xxxxxxxxxxxx 30 minutes ago 276MB
malcolmnetsec/htadmin 2.0.3 xxxxxxxxxxxx 31 minutes ago 256MB
malcolmnetsec/freq 2.0.3 xxxxxxxxxxxx 32 minutes ago 188MB
malcolmnetsec/name-map-ui 2.0.3 xxxxxxxxxxxx 35 minutes ago 20MB
docker.elastic.co/elasticsearch/elasticsearch-oss 7.6.2 xxxxxxxxxxxx 5 weeks ago 825MB
```

Expand Down Expand Up @@ -757,6 +757,8 @@ In addition to the `NGINX_BASIC_AUTH` environment variable being set to `false`
- `NGINX_LDAP_TLS_STUNNEL` set to `false` in [`docker-compose.yml`](#DockerComposeYml)
- `url` should begin with `ldap://` and its port should be either the default LDAP port (389) or the default Global Catalog port (3268) in `nginx/nginx_ldap.conf`

For encrypted connections (whether using **StartTLS** or **LDAPS**), Malcolm will require and verify certificates when one or more trusted CA certificate files are placed in the `nginx/ca-trust/` directory. Otherwise, any certificate presented by the domain server will be accepted.

### <a name="Starting"></a>Starting Malcolm

[Docker compose](https://docs.docker.com/compose/) is used to coordinate running the Docker containers. To start Malcolm, navigate to the directory containing `docker-compose.yml` and run:
Expand Down Expand Up @@ -1373,7 +1375,7 @@ Building the ISO may take 30 minutes or more depending on your system. As the bu

```
Finished, created "/malcolm-build/malcolm-iso/malcolm-2.0.2.iso"
Finished, created "/malcolm-build/malcolm-iso/malcolm-2.0.3.iso"
```

Expand Down Expand Up @@ -1769,21 +1771,21 @@ Pulling zeek ... done
user@host:~/Malcolm$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
malcolmnetsec/moloch 2.0.2 xxxxxxxxxxxx 27 minutes ago 517MB
malcolmnetsec/zeek 2.0.2 xxxxxxxxxxxx 27 minutes ago 489MB
malcolmnetsec/htadmin 2.0.2 xxxxxxxxxxxx 2 hours ago 180MB
malcolmnetsec/nginx-proxy 2.0.2 xxxxxxxxxxxx 4 hours ago 53MB
malcolmnetsec/file-upload 2.0.2 xxxxxxxxxxxx 24 hours ago 198MB
malcolmnetsec/pcap-capture 2.0.2 xxxxxxxxxxxx 24 hours ago 111MB
malcolmnetsec/pcap-monitor 2.0.2 xxxxxxxxxxxx 24 hours ago 156MB
malcolmnetsec/file-monitor 2.0.2 xxxxxxxxxxxx 24 hours ago 355MB
malcolmnetsec/logstash-oss 2.0.2 xxxxxxxxxxxx 25 hours ago 1.24GB
malcolmnetsec/curator 2.0.2 xxxxxxxxxxxx 25 hours ago 303MB
malcolmnetsec/kibana-oss 2.0.2 xxxxxxxxxxxx 33 hours ago 944MB
malcolmnetsec/filebeat-oss 2.0.2 xxxxxxxxxxxx 11 days ago 459MB
malcolmnetsec/elastalert 2.0.2 xxxxxxxxxxxx 11 days ago 276MB
malcolmnetsec/freq 2.0.2 xxxxxxxxxxxx 11 days ago 188MB
malcolmnetsec/name-map-ui 2.0.2 xxxxxxxxxxxx 35 minutes ago 20MB
malcolmnetsec/moloch 2.0.3 xxxxxxxxxxxx 27 minutes ago 517MB
malcolmnetsec/zeek 2.0.3 xxxxxxxxxxxx 27 minutes ago 489MB
malcolmnetsec/htadmin 2.0.3 xxxxxxxxxxxx 2 hours ago 180MB
malcolmnetsec/nginx-proxy 2.0.3 xxxxxxxxxxxx 4 hours ago 53MB
malcolmnetsec/file-upload 2.0.3 xxxxxxxxxxxx 24 hours ago 198MB
malcolmnetsec/pcap-capture 2.0.3 xxxxxxxxxxxx 24 hours ago 111MB
malcolmnetsec/pcap-monitor 2.0.3 xxxxxxxxxxxx 24 hours ago 156MB
malcolmnetsec/file-monitor 2.0.3 xxxxxxxxxxxx 24 hours ago 355MB
malcolmnetsec/logstash-oss 2.0.3 xxxxxxxxxxxx 25 hours ago 1.24GB
malcolmnetsec/curator 2.0.3 xxxxxxxxxxxx 25 hours ago 303MB
malcolmnetsec/kibana-oss 2.0.3 xxxxxxxxxxxx 33 hours ago 944MB
malcolmnetsec/filebeat-oss 2.0.3 xxxxxxxxxxxx 11 days ago 459MB
malcolmnetsec/elastalert 2.0.3 xxxxxxxxxxxx 11 days ago 276MB
malcolmnetsec/freq 2.0.3 xxxxxxxxxxxx 11 days ago 188MB
malcolmnetsec/name-map-ui 2.0.3 xxxxxxxxxxxx 35 minutes ago 20MB
docker.elastic.co/elasticsearch/elasticsearch-oss 7.6.2 xxxxxxxxxxxx 5 weeks ago 769MB
```

38 changes: 23 additions & 15 deletions docker-compose-standalone.yml
Expand Up @@ -15,6 +15,13 @@ x-auth-variables: &auth-variables
# When NGINX_LDAP_TLS_STUNNEL=true, which protocol to use when initiating the
# "extendedReq(1) LDAP_START_TLS_OID" command: winldap or openldap
NGINX_LDAP_TLS_STUNNEL_PROTOCOL : 'winldap'
# stunnel will require and verify certificates for StartTLS when one or more
# trusted CA certificate files are placed in the ./nginx/ca-trust directory.
# For additional security, hostname or IP address checking of the associated
# CA certificate(s) can be enabled by providing these values.
NGINX_LDAP_TLS_STUNNEL_CHECK_HOST : ''
NGINX_LDAP_TLS_STUNNEL_CHECK_IP : ''
NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL : 2

x-nginx-variables: &nginx-variables
# Whether or not to write nginx's access.log and error.log to Elasticsearch
Expand Down Expand Up @@ -127,7 +134,7 @@ services:
retries: 3
start_period: 180s
kibana:
image: malcolmnetsec/kibana-oss:2.0.2
image: malcolmnetsec/kibana-oss:2.0.3
restart: "no"
hostname: kibana
environment:
Expand All @@ -150,7 +157,7 @@ services:
retries: 3
start_period: 210s
elastalert:
image: malcolmnetsec/elastalert:2.0.2
image: malcolmnetsec/elastalert:2.0.3
restart: "no"
hostname: elastalert
environment:
Expand All @@ -175,7 +182,7 @@ services:
retries: 3
start_period: 210s
curator:
image: malcolmnetsec/curator:2.0.2
image: malcolmnetsec/curator:2.0.3
restart: "no"
hostname: curator
environment:
Expand All @@ -191,7 +198,7 @@ services:
retries: 3
start_period: 30s
logstash:
image: malcolmnetsec/logstash-oss:2.0.2
image: malcolmnetsec/logstash-oss:2.0.3
restart: "no"
hostname: logstash
environment:
Expand Down Expand Up @@ -221,7 +228,7 @@ services:
retries: 3
start_period: 600s
filebeat:
image: malcolmnetsec/filebeat-oss:2.0.2
image: malcolmnetsec/filebeat-oss:2.0.3
restart: "no"
hostname: filebeat
environment:
Expand Down Expand Up @@ -255,7 +262,7 @@ services:
retries: 3
start_period: 60s
moloch:
image: malcolmnetsec/moloch:2.0.2
image: malcolmnetsec/moloch:2.0.3
restart: "no"
hostname: moloch
env_file:
Expand Down Expand Up @@ -291,7 +298,7 @@ services:
retries: 3
start_period: 210s
zeek:
image: malcolmnetsec/zeek:2.0.2
image: malcolmnetsec/zeek:2.0.3
restart: "no"
hostname: zeek
environment:
Expand All @@ -314,7 +321,7 @@ services:
retries: 3
start_period: 60s
file-monitor:
image: malcolmnetsec/file-monitor:2.0.2
image: malcolmnetsec/file-monitor:2.0.3
restart: "no"
hostname: filemon
environment:
Expand All @@ -331,7 +338,7 @@ services:
retries: 3
start_period: 60s
pcap-capture:
image: malcolmnetsec/pcap-capture:2.0.2
image: malcolmnetsec/pcap-capture:2.0.3
restart: "no"
network_mode: host
ulimits:
Expand All @@ -354,7 +361,7 @@ services:
retries: 3
start_period: 60s
pcap-monitor:
image: malcolmnetsec/pcap-monitor:2.0.2
image: malcolmnetsec/pcap-monitor:2.0.3
restart: "no"
hostname: pcapmon
environment:
Expand All @@ -374,7 +381,7 @@ services:
retries: 3
start_period: 90s
upload:
image: malcolmnetsec/file-upload:2.0.2
image: malcolmnetsec/file-upload:2.0.3
restart: "no"
hostname: upload
env_file:
Expand All @@ -397,7 +404,7 @@ services:
retries: 3
start_period: 60s
htadmin:
image: malcolmnetsec/htadmin:2.0.2
image: malcolmnetsec/htadmin:2.0.3
restart: "no"
hostname: htadmin
environment:
Expand All @@ -416,7 +423,7 @@ services:
retries: 3
start_period: 60s
freq:
image: malcolmnetsec/freq:2.0.2
image: malcolmnetsec/freq:2.0.3
restart: "no"
hostname: freq
environment:
Expand All @@ -431,7 +438,7 @@ services:
retries: 3
start_period: 60s
name-map-ui:
image: malcolmnetsec/name-map-ui:2.0.2
image: malcolmnetsec/name-map-ui:2.0.3
restart: "no"
hostname: name-map-ui
environment:
Expand All @@ -449,7 +456,7 @@ services:
retries: 3
start_period: 60s
nginx-proxy:
image: malcolmnetsec/nginx-proxy:2.0.2
image: malcolmnetsec/nginx-proxy:2.0.3
restart: "no"
hostname: nginx-proxy
environment:
Expand All @@ -473,6 +480,7 @@ services:
- nginx-log-path:/var/log/nginx:rw
- ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro
- ./nginx/htpasswd:/etc/nginx/.htpasswd:ro
- ./nginx/ca-trust:/etc/nginx/ca-trust:ro
- ./nginx/certs:/etc/nginx/certs:ro
- ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
healthcheck:
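Review bot: `NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL : 2` in the first hunk is the only unquoted scalar among the new `x-auth-variables` entries; its siblings (`NGINX_LDAP_TLS_STUNNEL_PROTOCOL : 'winldap'` and the two `''` values) are strings and environment values are delivered to the container as strings anyway, so `NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL : '2'` keeps the block consistent and rules out any loader retyping. The comment above those entries says host/IP checking "can be enabled by providing these values" but says nothing about what the verify level controls; a short `# verify level handed to stunnel's 'verify' option` line would make the setting self-describing. The `./nginx/ca-trust:/etc/nginx/ca-trust:ro` mount in the last hunk is read-only, which is the right choice for a trust store; if the host directory is missing when compose starts, Docker creates it root-owned, which the "create ca-trust directory on boot" commit in this squash presumably handles, though that logic is not in the shown hunks.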
