diff --git a/T2_2025/Reverse Proxy/docker-compose.yaml b/T2_2025/Reverse Proxy/docker-compose.yaml
new file mode 100644
index 0000000..f6b0576
--- /dev/null
+++ b/T2_2025/Reverse Proxy/docker-compose.yaml
@@ -0,0 +1,54 @@
+services:
+ nginx:
+# image: nginx
+ image: owasp/modsecurity-crs:4.16-nginx-202506301206
+ container_name: nginx.modsecurity
+ restart: always
+
+ ports:
+ # Temporarily using high ports to avoid conflicts:
+ # - 444: Wazuh
+ # - 80: Streamlit
+ # Replace with standard ports once Nginx is tested.
+ - "980:80"
+ - "443:443"
+ environment:
+ MODSEC_RULE_ENGINE: "DetectionOnly"
+ MODSEC_AUDIT_LOG: /dev/stdout
+ MODSEC_AUDIT_LOG_FORMAT: "Native"
+ MODSEC_AUDIT_LOG_PARTS: "ACH"
+ MODSEC_REQ_BODY_ACCESS: "On"
+ logging:
+ driver: journald
+ options:
+ tag: "modsecurity"
+ # Requires access to multiple networks to route requests.
+ networks:
+ - coredwinfrastructure_dw_network
+ - mongo_default
+ - monitoring_infra_team_net
+ - playground-backend_bugbox
+ - single-node_default
+ - sumit_default
+
+ volumes:
+ # Main configuration file that includes infra and blue team configurations.
+ - /home/codey/infra-team/proxy/nginx.conf:/etc/nginx/templates/nginx.conf.template:ro
+ - /home/codey/infra-team/proxy/ssl:/etc/nginx/conf:ro
+
+networks:
+ coredwinfrastructure_dw_network:
+ external: true
+ mongo_default:
+ external: true
+ monitoring_infra_team_net:
+ external: true
+ playground-backend_bugbox:
+ external: true
+ single-node_default:
+ external: true
+ sumit_default:
+
+ external: true
+
+
diff --git a/T2_2025/Reverse Proxy/nginx.conf b/T2_2025/Reverse Proxy/nginx.conf
new file mode 100644
index 0000000..edfe81a
--- /dev/null
+++ b/T2_2025/Reverse Proxy/nginx.conf
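Review bot: The `"980:80"` mapping publishes a container port that nothing listens on: the only `listen 80` server in the accompanying nginx.conf is commented out, so connections to host port 980 will be refused until that redirect block is enabled; either drop the mapping or enable the port-80 server together with it. `MODSEC_RULE_ENGINE: "DetectionOnly"` means the WAF only logs and never blocks, which is reasonable while tuning but should be made visible in the file, e.g. `# TODO: switch to "On" once audit-log false positives have been reviewed`. Attaching the proxy to six external networks gives it a route into every backend at once; consider trimming this list to the networks the location blocks actually target once the port experiment is over. The nginx.conf is mounted as `/etc/nginx/templates/nginx.conf.template`, so if this image's entrypoint runs envsubst on templates, any nginx variable whose name collides with an exported environment variable would be rewritten before nginx reads it — worth confirming against the image's entrypoint.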
@@ -0,0 +1,118 @@
+load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
+events {}
+
+# Change the PID file to the TMP directory
+# This prevents permission issues due to the container running as non-root
+
+pid /tmp/nginx.pid;
+
+
+http {
+ # Point certs to the conf directory
+ ssl_certificate /etc/nginx/conf/server.cert;
+ ssl_certificate_key /etc/nginx/conf/server.key;
+ access_log /tmp/access.log;
+
+ # Routes non-HTTPS to HTTPS
+ # Doesn't fully work right now
+ # Test when the container has full access to port 80 (i.e. when Streamlit is off it)
+# server {
+# listen 80;
+# server_name redback.it.deakin.edu.au;
+# return 301 https://$host$request_uri;
+# }
+
+
+ server {
+ # Listening on port 443 fixes issues with incomplete requests (e.g. /streamlit instead of /streamlit/)
+ listen 443 ssl default_server;
+ server_name redback.it.deakin.edu.au;
+ modsecurity on;
+ modsecurity_rules_file /etc/modsecurity.d/setup.conf;
+
+ #Streamlit
+ location /file-upload/ {
+ proxy_pass http://streamlit-app:8501/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ #MinIO
+ location /minio/ {
+ proxy_pass http://minioserver:9001/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ # Wazuh
+ location /wazuh/ {
+ modsecurity off;
+ proxy_pass https://wazuh.dashboard:5601/;
+ proxy_set_header Host $host;
+ # This line is needed for Wazuh v4.13.0
+ proxy_set_header osd-xsrf "true";
+ }
+ # Dremio
+ # Doesn't work for now - WIP
+ location /dremio/ {
+ proxy_pass http://dremio:9047/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Accept-Encoding "";
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Sub filter
+ sub_filter_once off;
+ sub_filter 'href="/' 'href="/dremio/';
+ sub_filter 'src="/' 'src="/dremio/';
+ sub_filter 'src="/../static' 'src="/dremio/static';
+ }
+ # --- Kafka UI under /kafka ---
+ # redirect /kafka -> /kafka/ (trailing slash matters)
+ #location = /kafka { return 301 https://$host/kafka/; }
+ # Kafka
+ location /kafka/ {
+ modsecurity off; #avoids WAF blocking REST calls
+ proxy_pass http://kafka-ui:8080; # points to Kafka REST Proxy running on port 8081
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ # Grafana
+ location = /monitor {
+ return 301 $scheme://$host/monitor/;
+ }
+ location ^~ /monitor/ {
+ modsecurity off; #avoids WAF blocking Grafana API calls
+ proxy_pass http://grafana:3000/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_redirect http://grafana:3000/ /monitor/;
+
+ }
+
+ }
+}
\ No newline at end of file
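Review bot: In the `/wazuh/` location, `proxy_set_header osd-xsrf "true";` is stamped onto every request by the proxy, so the dashboard's XSRF header check is satisfied for any request that arrives through it, including cross-site browser requests that never carried the header; if the upstream really needs it, pass the client's own value through with `proxy_set_header osd-xsrf $http_osd_xsrf;` or scope the literal to the specific path that fails, and record in the comment which request breaks without it. The same block proxies to `https://wazuh.dashboard:5601/` without `proxy_ssl_verify on;` and a `proxy_ssl_trusted_certificate`, and nginx does not verify upstream certificates by default, so that internal TLS hop is encrypted but unauthenticated. The `/kafka/` comment `# points to Kafka REST Proxy running on port 8081` contradicts the `proxy_pass http://kafka-ui:8080;` it annotates; replace it with `# Kafka UI; no trailing slash, so the /kafka/ prefix is forwarded to the upstream as-is`. With `modsecurity off` in three of the six locations and the compose file running the engine in DetectionOnly, no request is blocked anywhere at present; a one-line comment above `modsecurity on;` stating this would stop the config from being read as active protection.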