first sync

2025-03-04 07:59:21 +01:00
parent 9cdcf486b6
commit 506716e703
1450 changed files with 577316 additions and 62 deletions
--- a/iris-web/docker/nginx/Dockerfile
+++ b/iris-web/docker/nginx/Dockerfile
@ -0,0 +1,49 @@
+#  IRIS Source Code
+#  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
+#  ir@cyberactionlab.net
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 3 of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+#  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+
+FROM nginx:1.21.3
+
+RUN apt-get update && apt-get install -y curl
+
+# Used to pass protected files to the container through volumes
+ARG NGINX_CONF_GID
+ARG NGINX_CONF_FILE
+
+RUN groupadd -g ${NGINX_CONF_GID} az-app-nginx-conf && usermod -a -G az-app-nginx-conf www-data
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod 700 /entrypoint.sh
+RUN chown www-data:www-data /entrypoint.sh
+
+COPY ${NGINX_CONF_FILE} /etc/nginx/nginx.conf
+
+# log
+RUN touch /var/log/nginx/audit_platform_error.log && chown -R www-data:www-data /var/log/nginx/audit_platform_error.log
+RUN touch /var/log/nginx/audit_platform_access.log && chown -R www-data:www-data /var/log/nginx/audit_platform_access.log
+
+# Security
+RUN touch /var/run/nginx.pid && chown -R www-data:www-data /var/run/nginx.pid /var/cache/nginx /etc/nginx/nginx.conf
+
+RUN mkdir -p /www/certs/
+
+USER www-data
+
+HEALTHCHECK --interval=5s --timeout=3s CMD curl --fail -k https://127.0.0.1:${INTERFACE_HTTPS_PORT:-8443} || exit 1
+
+ENTRYPOINT ["/entrypoint.sh"]
--- a/iris-web/docker/nginx/entrypoint.sh
+++ b/iris-web/docker/nginx/entrypoint.sh
@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+#  IRIS Source Code
+#  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
+#  ir@cyberactionlab.net
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 3 of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+#  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+set -e
+
+# envsubst will make a substitution on every $variable in a file, since the nginx file contains nginx variable like $host, we have to limit the substitution to this set
+# otherwise, each nginx variable will be replaced by an empty string
+envsubst '${INTERFACE_HTTPS_PORT} ${IRIS_UPSTREAM_SERVER} ${IRIS_UPSTREAM_PORT} ${SERVER_NAME} ${KEY_FILENAME} ${CERT_FILENAME}' < /etc/nginx/nginx.conf > /tmp/nginx.conf
+cp /tmp/nginx.conf /etc/nginx/nginx.conf
+rm /tmp/nginx.conf
+
+exec nginx -g "daemon off;"
--- a/iris-web/docker/nginx/nginx.conf
+++ b/iris-web/docker/nginx/nginx.conf
@ -0,0 +1,161 @@
+#  IRIS Source Code
+#  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
+#  ir@cyberactionlab.net
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 3 of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+#  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+
+worker_processes auto;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    map $request_uri $csp_header {
+        default "default-src 'self' https://analytics.dfir-iris.org; script-src 'self' 'unsafe-inline' https://analytics.dfir-iris.org; style-src 'self' 'unsafe-inline';";
+    }
+    include /etc/nginx/mime.types;
+
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log main;
+    error_log   /var/log/nginx/error.log debug;
+
+    server_tokens off;
+
+    sendfile    on;
+    tcp_nopush  on;
+    tcp_nodelay on;
+
+    types_hash_max_size             2048;
+    types_hash_bucket_size          128;
+    proxy_headers_hash_max_size     2048;
+    proxy_headers_hash_bucket_size  128;
+    proxy_buffering                 on;
+    proxy_buffers                   8 16k;
+    proxy_buffer_size               4k;
+
+    client_header_buffer_size   2k;
+    large_client_header_buffers 8 64k;
+    client_body_buffer_size     64k;
+    client_max_body_size        100M;
+
+    reset_timedout_connection   on;
+    keepalive_timeout           90s;
+    client_body_timeout         90s;
+    send_timeout                90s;
+    client_header_timeout       90s;
+    fastcgi_read_timeout        90s;
+    # WORKING TIMEOUT FOR PROXY CONF
+    proxy_read_timeout          90s;
+    uwsgi_read_timeout          90s;
+
+    gzip off;
+    gzip_disable "MSIE [1-6]\.";
+
+    # FORWARD CLIENT IDENTITY TO SERVER
+    proxy_set_header    HOST                $http_host;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+
+    # FULLY DISABLE SERVER CACHE
+    add_header          Last-Modified $date_gmt;
+    add_header          'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+    if_modified_since   off;
+    expires             off;
+    etag                off;
+    proxy_no_cache      1;
+    proxy_cache_bypass  1;
+
+    # SSL CONF, STRONG CIPHERS ONLY
+    ssl_protocols               TLSv1.2 TLSv1.3;
+
+    ssl_prefer_server_ciphers   on;
+    ssl_certificate             /www/certs/${CERT_FILENAME};
+    ssl_certificate_key         /www/certs/${KEY_FILENAME};
+    ssl_ecdh_curve              secp521r1:secp384r1:prime256v1;
+    ssl_buffer_size             4k;
+
+    # DISABLE SSL SESSION CACHE
+    ssl_session_tickets         off;
+    ssl_session_cache           none;
+
+    access_log /var/log/nginx/audit_platform_access.log main;
+    error_log  /var/log/nginx/audit_platform_error.log debug;
+
+    server {
+        listen          ${INTERFACE_HTTPS_PORT} ssl;
+        server_name     ${SERVER_NAME};
+        root            /www/data;
+        index           index.html;
+        error_page      500 502 503 504  /50x.html;
+
+        add_header Content-Security-Policy $csp_header;
+        
+        # SECURITY HEADERS
+        add_header X-XSS-Protection             "1; mode=block";
+        add_header X-Frame-Options              DENY;
+        add_header X-Content-Type-Options       nosniff;
+        # max-age = 31536000s = 1 year
+        add_header Strict-Transport-Security    "max-age=31536000: includeSubDomains" always;
+        add_header Front-End-Https              on;
+
+        location / {
+            proxy_pass  http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT};
+
+            location ~ ^/(manage/templates/add|manage/cases/upload_files) {
+                keepalive_timeout           10m;
+                client_body_timeout         10m;
+                send_timeout                10m;
+                proxy_read_timeout          10m;
+                client_max_body_size        0M;
+                proxy_request_buffering off;
+                proxy_pass  http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT};
+            }
+
+            location ~ ^/(datastore/file/add|datastore/file/add-interactive) {
+                keepalive_timeout           10m;
+                client_body_timeout         10m;
+                send_timeout                10m;
+                proxy_read_timeout          10m;
+                client_max_body_size        0M;
+                proxy_request_buffering off;
+                proxy_pass  http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT};
+            }
+        }
+        location /socket.io {
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_http_version 1.1;
+            proxy_buffering off;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+            proxy_pass http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT}/socket.io;
+        }
+
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+    }
+}