Redback-Operations · lperry022 · Sep 25, 2025 · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025
@@ -0,0 +1,54 @@
+services:
+  nginx:
+#    image: nginx
+    image: owasp/modsecurity-crs:4.16-nginx-202506301206
+    container_name: nginx.modsecurity
+    restart: always
+
+    ports:
+      # Temporarily using high ports to avoid conflicts:
+      # - 444: Wazuh
+      # - 80: Streamlit
+      # Replace with standard ports once Nginx is tested.
+      - "980:80"
+      - "443:443"
+    environment:
+      MODSEC_RULE_ENGINE: "DetectionOnly"
+      MODSEC_AUDIT_LOG: /dev/stdout
+      MODSEC_AUDIT_LOG_FORMAT: "Native"
+      MODSEC_AUDIT_LOG_PARTS: "ACH"
+      MODSEC_REQ_BODY_ACCESS: "On"
+    logging:
+      driver: journald
+      options:
+        tag: "modsecurity"
+    # Requires access to multiple networks to route requests.
+    networks:
+      - coredwinfrastructure_dw_network
+      - mongo_default
+      - monitoring_infra_team_net
+      - playground-backend_bugbox
+      - single-node_default
+      - sumit_default
+
+    volumes:
+      # Main configuration file that includes infra and blue team configurations.
+      - /home/codey/infra-team/proxy/nginx.conf:/etc/nginx/templates/nginx.conf.template:ro
+      - /home/codey/infra-team/proxy/ssl:/etc/nginx/conf:ro
+
+networks:
+  coredwinfrastructure_dw_network:
+    external: true
+  mongo_default:
+    external: true
+  monitoring_infra_team_net:
+    external: true
+  playground-backend_bugbox:
+    external: true
+  single-node_default:
+    external: true
+  sumit_default:
+
+    external: true
+
+
@@ -0,0 +1,118 @@
+load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
+events {}
+
+# Change the PID file to the TMP directory
+# This prevents permission issues due to the container running as non-root
+
+pid /tmp/nginx.pid;
+
+
+http {
+    # Point certs to the conf directory
+    ssl_certificate /etc/nginx/conf/server.cert;
+    ssl_certificate_key /etc/nginx/conf/server.key;
+    access_log /tmp/access.log;
+
+    # Routes non-HTTPS to HTTPS
+    # Doesn't fully work right now
+    # Test when the container has full access to port 80 (i.e. when Streamlit is off it)
+#    server {
+#        listen 80;
+#        server_name redback.it.deakin.edu.au;
+#        return 301 https://$host$request_uri;
+#      }
+
+
+    server {
+        # Listening on port 443 fixes issues with incomplete requests (e.g. /streamlit instead of /streamlit/)
+        listen 443 ssl default_server;
+        server_name redback.it.deakin.edu.au;
+        modsecurity on;
+        modsecurity_rules_file /etc/modsecurity.d/setup.conf;
+
+        #Streamlit
+        location /file-upload/ {
+            proxy_pass http://streamlit-app:8501/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+        }
+
+        #MinIO
+        location /minio/ {
+            proxy_pass http://minioserver:9001/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+        }
+        # Wazuh
+        location /wazuh/ {
+            modsecurity off;
+            proxy_pass https://wazuh.dashboard:5601/;
+            proxy_set_header Host $host;
+            # This line is needed for Wazuh v4.13.0
+            proxy_set_header osd-xsrf "true";
+        }
+        # Dremio
+        # Doesn't work for now - WIP
+        location /dremio/ {
+            proxy_pass http://dremio:9047/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Accept-Encoding "";
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+
+            # Sub filter
+            sub_filter_once off;
+            sub_filter 'href="/' 'href="/dremio/';
+            sub_filter 'src="/' 'src="/dremio/';
+            sub_filter 'src="/../static' 'src="/dremio/static';
+        }
+        # --- Kafka UI under /kafka ---
+        # redirect /kafka -> /kafka/ (trailing slash matters)
+        #location = /kafka { return 301 https://$host/kafka/; }
+        # Kafka
+        location /kafka/ {
+            modsecurity off; #avoids WAF blocking REST calls
+            proxy_pass http://kafka-ui:8080;  # points to Kafka REST Proxy running on port 8081
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+        }
+         # Grafana
+         location = /monitor {
+                 return 301 $scheme://$host/monitor/;
+         }
+        location ^~ /monitor/ {
+            modsecurity off; #avoids WAF blocking Grafana API calls
+            proxy_pass http://grafana:3000/;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+
+            proxy_redirect http://grafana:3000/ /monitor/;
+
+        }
+
+    }
+}