From eabbf1907354dc284ab87c57634c84555886e6b2 Mon Sep 17 00:00:00 2001
From: rspoerl1 <140146306+rspoerl1@users.noreply.github.com>
Date: Mon, 22 Sep 2025 20:47:15 +0930
Subject: [PATCH 1/6] Create Reverse Proxy Folder
---
 T2_2025/Reverse Proxy | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 T2_2025/Reverse Proxy
diff --git a/T2_2025/Reverse Proxy b/T2_2025/Reverse Proxy
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/T2_2025/Reverse Proxy
@@ -0,0 +1 @@
+
From 2e83cea09a241ac8e3ebefb0f7cc16155ec2f3d9 Mon Sep 17 00:00:00 2001
From: rspoerl1 <140146306+rspoerl1@users.noreply.github.com>
Date: Mon, 22 Sep 2025 20:51:34 +0930
Subject: [PATCH 2/6] Delete T2_2025/Reverse Proxy
---
 T2_2025/Reverse Proxy | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 T2_2025/Reverse Proxy
diff --git a/T2_2025/Reverse Proxy b/T2_2025/Reverse Proxy
deleted file mode 100644
index 8b13789..0000000
--- a/T2_2025/Reverse Proxy
+++ /dev/null
@@ -1 +0,0 @@
-
From abd0c556f8f9b52d7f6fcda8b17bc516531f226a Mon Sep 17 00:00:00 2001
From: rspoerl1 <140146306+rspoerl1@users.noreply.github.com>
Date: Mon, 22 Sep 2025 20:56:40 +0930
Subject: [PATCH 3/6] Nginx config so far
---
 T2_2025/Reverse Proxy/docker-compose.yaml | 51 ++++++++++
 T2_2025/Reverse Proxy/nginx.conf | 118 ++++++++++++++++++++++
 2 files changed, 169 insertions(+)
 create mode 100644 T2_2025/Reverse Proxy/docker-compose.yaml
 create mode 100644 T2_2025/Reverse Proxy/nginx.conf
diff --git a/T2_2025/Reverse Proxy/docker-compose.yaml b/T2_2025/Reverse Proxy/docker-compose.yaml
new file mode 100644
index 0000000..e5602f2
--- /dev/null
+++ b/T2_2025/Reverse Proxy/docker-compose.yaml
@@ -0,0 +1,51 @@
+services:
+ nginx:
+# image: nginx
+ image: owasp/modsecurity-crs:4.16-nginx-202506301206
+ container_name: nginx.modsecurity
+ restart: always
+
+ ports:
+ # Temporarily using high ports to avoid conflicts:
+ # - 444: Wazuh
+ # - 80: Streamlit
+ # Replace with standard ports once Nginx is tested.
+ - "980:80"
+ - "443:443"
+ environment:
+ MODSEC_RULE_ENGINE: "DetectionOnly"
+ MODSEC_AUDIT_LOG: /dev/stdout
+ MODSEC_AUDIT_LOG_FORMAT: "Native"
+ MODSEC_AUDIT_LOG_PARTS: "ACH"
+ MODSEC_REQ_BODY_ACCESS: "On"
+ logging:
+ driver: journald
+ options:
+ tag: "modsecurity"
+ # Requires access to multiple networks to route requests.
+ networks:
+ - coredwinfrastructure_dw_network
+ - mongo_default
+ - monitoring_infra_team_net
+ - playground-backend_bugbox
+ - single-node_default
+ - sumit_default
+
+ volumes:
+ # Main configuration file that includes infra and blue team configurations.
+ - /home/codey/infra-team/proxy/nginx.conf:/etc/nginx/templates/nginx.conf.template:ro
+ - /home/codey/infra-team/proxy/ssl:/etc/nginx/conf:ro
+
+networks:
+ coredwinfrastructure_dw_network:
+ external: true
+ mongo_default:
+ external: true
+ monitoring_infra_team_net:
+ external: true
+ playground-backend_bugbox:
+ external: true
+ single-node_default:
+ external: true
+ sumit_default:
+ external: true
\ No newline at end of file
diff --git a/T2_2025/Reverse Proxy/nginx.conf b/T2_2025/Reverse Proxy/nginx.conf
new file mode 100644
index 0000000..edfe81a
--- /dev/null
+++ b/T2_2025/Reverse Proxy/nginx.conf
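Review bot: In docker-compose.yaml, `MODSEC_AUDIT_LOG_PARTS: "ACH"` selects part C, the request body, and with `MODSEC_REQ_BODY_ACCESS: "On"` and `MODSEC_AUDIT_LOG: /dev/stdout` those bodies are written to journald under the `modsecurity` tag. Login forms and uploads posted through the proxied applications would then sit in the host journal in clear text for every transaction the audit engine records. Dropping the body part, `MODSEC_AUDIT_LOG_PARTS: "AHZ"`, keeps the rule-match trailer without the payload; if bodies are needed while tuning, read access to the journal should be restricted for that period. Separately, `MODSEC_RULE_ENGINE: "DetectionOnly"` means nothing is blocked yet, so a comment such as `# DetectionOnly while CRS is tuned; set to "On" before go-live` would stop it being read as an enforcing WAF.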
@@ -0,0 +1,118 @@
+load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
+events {}
+
+# Change the PID file to the TMP directory
+# This prevents permission issues due to the container running as non-root
+
+pid /tmp/nginx.pid;
+
+
+http {
+ # Point certs to the conf directory
+ ssl_certificate /etc/nginx/conf/server.cert;
+ ssl_certificate_key /etc/nginx/conf/server.key;
+ access_log /tmp/access.log;
+
+ # Routes non-HTTPS to HTTPS
+ # Doesn't fully work right now
+ # Test when the container has full access to port 80 (i.e. when Streamlit is off it)
+# server {
+# listen 80;
+# server_name redback.it.deakin.edu.au;
+# return 301 https://$host$request_uri;
+# }
+
+
+ server {
+ # Listening on port 443 fixes issues with incomplete requests (e.g. /streamlit instead of /streamlit/)
+ listen 443 ssl default_server;
+ server_name redback.it.deakin.edu.au;
+ modsecurity on;
+ modsecurity_rules_file /etc/modsecurity.d/setup.conf;
+
+ #Streamlit
+ location /file-upload/ {
+ proxy_pass http://streamlit-app:8501/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ #MinIO
+ location /minio/ {
+ proxy_pass http://minioserver:9001/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ # Wazuh
+ location /wazuh/ {
+ modsecurity off;
+ proxy_pass https://wazuh.dashboard:5601/;
+ proxy_set_header Host $host;
+ # This line is needed for Wazuh v4.13.0
+ proxy_set_header osd-xsrf "true";
+ }
+ # Dremio
+ # Doesn't work for now - WIP
+ location /dremio/ {
+ proxy_pass http://dremio:9047/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Accept-Encoding "";
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Sub filter
+ sub_filter_once off;
+ sub_filter 'href="/' 'href="/dremio/';
+ sub_filter 'src="/' 'src="/dremio/';
+ sub_filter 'src="/../static' 'src="/dremio/static';
+ }
+ # --- Kafka UI under /kafka ---
+ # redirect /kafka -> /kafka/ (trailing slash matters)
+ #location = /kafka { return 301 https://$host/kafka/; }
+ # Kafka
+ location /kafka/ {
+ modsecurity off; #avoids WAF blocking REST calls
+ proxy_pass http://kafka-ui:8080; # points to Kafka REST Proxy running on port 8081
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ # Grafana
+ location = /monitor {
+ return 301 $scheme://$host/monitor/;
+ }
+ location ^~ /monitor/ {
+ modsecurity off; #avoids WAF blocking Grafana API calls
+ proxy_pass http://grafana:3000/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_redirect http://grafana:3000/ /monitor/;
+
+ }
+
+ }
+}
\ No newline at end of file
From a99a9f189566294508d2dcdf334e574c88b2f8f1 Mon Sep 17 00:00:00 2001
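Review bot: In nginx.conf, the `/wazuh/` location sets `proxy_set_header osd-xsrf "true";` on every request, so the dashboard's check for that header, which acts as a cross-site request forgery defence, passes even when the browser never sent it. The same block also carries `modsecurity off;`, as do `/kafka/` and `/monitor/`, so those three admin interfaces stay uninspected once the rule engine leaves DetectionOnly. I would drop the header line and let the client's own `osd-xsrf` pass through (nginx forwards request headers by default), and replace the blanket `modsecurity off;` with rule exclusions for the specific false positives. If the header really is required for Wazuh v4.13.0 as the comment says, the comment should name the request that fails without it.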
From: Liana Perry <62174756+lperry022@users.noreply.github.com> Date: Wed, 24 Sep 2025 15:00:09 +1000 Subject: [PATCH 4/6] Update docker-compose.yaml --- T2_2025/Reverse Proxy/docker-compose.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/T2_2025/Reverse Proxy/docker-compose.yaml b/T2_2025/Reverse Proxy/docker-compose.yaml index e5602f2..27daaff 100644 --- a/T2_2025/Reverse Proxy/docker-compose.yaml +++ b/T2_2025/Reverse Proxy/docker-compose.yaml @@ -48,4 +48,7 @@ networks: single-node_default: external: true sumit_default: - external: true \ No newline at end of file + + external: true + + From 95210b075b4dfcd9a0e02f29927528cbc35ac5f5 Mon Sep 17 00:00:00 2001 From: Liana Perry <62174756+lperry022@users.noreply.github.com> Date: Wed, 24 Sep 2025 15:44:32 +1000 Subject: [PATCH 5/6] Update docker-compose.yaml --- T2_2025/Reverse Proxy/docker-compose.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/T2_2025/Reverse Proxy/docker-compose.yaml b/T2_2025/Reverse Proxy/docker-compose.yaml index 27daaff..d4d9070 100644 --- a/T2_2025/Reverse Proxy/docker-compose.yaml +++ b/T2_2025/Reverse Proxy/docker-compose.yaml @@ -50,5 +50,3 @@ networks: sumit_default: external: true - - From a955eadb30e3ed73aa8080d6047ae17938326da4 Mon Sep 17 00:00:00 2001 From: Liana Perry <62174756+lperry022@users.noreply.github.com> Date: Thu, 25 Sep 2025 19:01:57 +1000 Subject: [PATCH 6/6] Update docker-compose.yaml --- T2_2025/Reverse Proxy/docker-compose.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/T2_2025/Reverse Proxy/docker-compose.yaml b/T2_2025/Reverse Proxy/docker-compose.yaml index d4d9070..f6b0576 100644 --- a/T2_2025/Reverse Proxy/docker-compose.yaml +++ b/T2_2025/Reverse Proxy/docker-compose.yaml @@ -50,3 +50,5 @@ networks: sumit_default: external: true + +