Add support for 'X-Forwarded-For'; merge podman PR by @urfin00djuce

Author: ostefano

README.md

@@ -141,3 +141,65 @@ A GitHub Action builds both `misp-core` and `misp-modules` images automatically
 -   `misp-core:${commit-sha1}[0:7]` and `misp-modules:${commit-sha1}[0:7]` where `${commit-sha1}` is the commit hash triggering the build
 -   `misp-core:latest` and `misp-modules:latest` in order to track the latest builds available 
 -   `misp-core:${CORE_TAG}` and `misp-modules:${MODULES_TAG}` reflecting the underlying version of MISP and MISP modules (as specified inside the `template.env` file at build time)
+
+## Podman (experimental)
+
+It is possible to run the image using `podman-systemd` rather than `docker` to:
+- Run containers in **rootless** mode
+- Manage containers with **systemd**
+- Write container descriptions in an **ignition** file and deploy them (not covered in this documentation)
+
+Note that this is **experimental** and it is **NOT SUPPORTED** (issues will be automatically closed).
+
+### Configuration
+
+Copy the following directories and files:
+- Content of `experimental/podman-systemd` to `$USER/.config/containers/systemd/`
+- `template.vars` to `$USER/.config/containers/systemd/vars.env`
+
+Edit `vars.env`, and initialize the following MySQL settings: 
+```bash
+MYSQL_HOST=
+MYSQL_USER=
+MYSQL_PASSWORD=
+MYSQL_ROOT_PASSWORD=
+MYSQL_DATABASE=
+```
+
+Set the Redis password:
+```bash
+REDIS_PASSWORD=
+```
+
+Set the base URL:
+```bash
+BASE_URL=https://<IP>:10443
+```
+
+### Run
+
+Reload systemd user daemon:
+```bash
+systemctl --user daemon-reload
+```
+
+Start services:
+```bash
+systemctl --user start misp-mail.service
+systemctl --user start misp-db.service
+systemctl --user start misp-redis.service
+systemctl --user start misp-core.service
+systemctl --user start misp-modules.service
+```
+
+Wait a bit and check your service at `https://<IP>:10443`.
+If everything checks out, you can make services persistent across reboots and logouts:
+```bash
+sudo loginctl enable-linger $USER
+```
+
+You can even set podman to check for new container versions by activating the specific timer `podman-auto-update.timer`:
+```bash
+systemctl --user enable podman-auto-update.timer --now
+```
+

core/files/entrypoint.sh

@@ -45,5 +45,8 @@ export PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}
 export PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}
 export PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300}
 
+export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false}
+export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}
+
 # start supervisord using the main configuration file so we have a socket interface
 /usr/bin/supervisord -c /etc/supervisor/supervisord.conf

core/files/entrypoint_nginx.sh

@@ -206,6 +206,26 @@ init_nginx() {
     echo "... adjusting 'fastcgi_connect_timeout' to ${FASTCGI_CONNECT_TIMEOUT}"
     sed -i "s/fastcgi_connect_timeout .*;/fastcgi_connect_timeout ${FASTCGI_CONNECT_TIMEOUT};/" /etc/nginx/includes/misp
 
+    # Adjust forwarding header settings (clean up first)
+    sed -i '/real_ip_header/d' /etc/nginx/includes/misp
+    sed -i '/real_ip_recursive/d' /etc/nginx/includes/misp
+    sed -i '/set_real_ip_from/d' /etc/nginx/includes/misp
+    if [[ "$NGINX_X_FORWARDED_FOR" = "true" ]]; then
+        echo "... enabling X-Forwarded-For header"
+        echo "... setting 'real_ip_header X-Forwarded-For'"
+        echo "... setting 'real_ip_recursive on'"
+        sed -i "/index index.php/a real_ip_header X-Forwarded-For;\nreal_ip_recursive on;" /etc/nginx/includes/misp
+        if [[ ! -z "$NGINX_SET_REAL_IP_FROM" ]]; then
+            SET_REAL_IP_FROM_PRINT=$(echo $NGINX_SET_REAL_IP_FROM | tr ',' '\n')
+            for real_ip in ${SET_REAL_IP_FROM_PRINT[@]}; do
+                echo "... setting 'set_real_ip_from ${real_ip}'"
+            done
+            SET_REAL_IP_FROM=$(echo $NGINX_SET_REAL_IP_FROM | tr ',' '\n' | while read line; do echo -n "set_real_ip_from ${line};\n"; done)
+            SET_REAL_IP_FROM_ESCAPED=$(echo $SET_REAL_IP_FROM | sed '$!s/$/\\/' | sed 's/\\n$//')
+            sed -i "/real_ip_recursive on/a $SET_REAL_IP_FROM_ESCAPED" /etc/nginx/includes/misp
+        fi
+    fi
+
     # Testing for files also test for links, and generalize better to mounted files
     if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
         echo "... enabling port 80 redirect"

docker-compose.yml

@@ -146,6 +146,9 @@ services:
       - "AAD_MISP_ORGADMIN=${AAD_MISP_ORGADMIN}"
       - "AAD_MISP_SITEADMIN=${AAD_MISP_SITEADMIN}"
       - "AAD_CHECK_GROUPS=${AAD_CHECK_GROUPS}"
+      # Nginx settings
+      - "NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR}"
+      - "NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}"
       # Proxy settings
       - "PROXY_ENABLE=${PROXY_ENABLE}"
       - "PROXY_HOST=${PROXY_HOST}"

experimental/podman-systemd/certs.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=certs

experimental/podman-systemd/conf.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=conf

experimental/podman-systemd/db.container

@@ -0,0 +1,26 @@
+[Unit]
+Description=MISP Database system
+Requires=misp-net-network.service
+After=misp-net-network.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=db
+Image=docker.io/library/mariadb:10.11
+Network=misp-net
+Volume=mysql_data:/var/lib/mysql
+PodmanArgs=--network-alias db
+EnvironmentFile=vars.env
+AddCapability=SYS_NICE
+HealthCmd=mysqladmin --user=${MYSQL_USER} --password=${MYSQL_PASSWORD} status
+HealthInterval=2s
+HealthTimeout=1s
+HealthRetries=3
+HealthStartPeriod=30s
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+Restart=always
+
+[Install]
+WantedBy=default.target

experimental/podman-systemd/files.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=files

experimental/podman-systemd/gpg.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=gpg

experimental/podman-systemd/logs.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=logs