fix: mount misp-guard/mitmproxy ca in misp-core (#368)

righel · web-flow · commit 76d1263b3cb2 · 2026-01-20T11:46:38.000Z
* fix: mount misp-guard/mitmproxy ca in misp-core

* fix: remove extra breakline
diff --git a/core/files/configure_misp.sh b/core/files/configure_misp.sh
@@ -467,6 +467,14 @@ update_ca_certificates() {
     fi
 }
 
+configure_misp_guard_ca() {
+    if [[ "$COMPOSE_PROFILES" = "misp-guard" ]]; then
+        echo "... configuring misp-guard CA certificate"
+        chown www-data:www-data /usr/local/share/ca-certificates/misp_guard/mitmproxy-ca.pem
+        sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.ca_path" "/usr/local/share/ca-certificates/misp_guard/mitmproxy-ca.pem"
+    fi
+}
+
 create_sync_servers() {
     if [ -z "$ADMIN_KEY" ]; then
         echo "... admin key auto configuration is required to configure sync servers"
@@ -632,5 +640,7 @@ echo "MISP | Set Up Proxy ..." && set_up_proxy
 
 echo "MISP | Create default Scheduled Tasks ..." && create_default_scheduled_tasks
 
+echo "MISP | Configure misp-guard CA certificate ..." && configure_misp_guard_ca
+
 echo "MISP | Mark instance live" && print_version
 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -126,6 +126,7 @@ services:
       - "./files/:/var/www/MISP/app/files/:Z"
       - "./ssl/:/etc/nginx/certs/:Z"
       - "./gnupg/:/var/www/MISP/.gnupg/:Z"
+      - "misp_guard_ca:/usr/local/share/ca-certificates/misp_guard:Z"
     # customize by replacing ${CUSTOM_PATH} with a path containing 'files/customize_misp.sh'
     # - "${CUSTOM_PATH}/:/custom/:Z"
     # mount custom ca root certificates
@@ -305,6 +306,8 @@ services:
       - "HSTS_MAX_AGE=${HSTS_MAX_AGE}"
       - "X_FRAME_OPTIONS=${X_FRAME_OPTIONS}"
       - "CONTENT_SECURITY_POLICY=${CONTENT_SECURITY_POLICY}"
+      # compose profiles
+      - "COMPOSE_PROFILES=${COMPOSE_PROFILES}"
 
   misp-modules:
     image: ghcr.io/misp/misp-docker/misp-modules:${MODULES_RUNNING_TAG:-latest}
@@ -348,6 +351,7 @@ services:
       - "GUARD_ARGS=${GUARD_ARGS}"
     volumes:
       - ./guard/config.json:/config.json:ro
+      - misp_guard_ca:/misp_guard_ca
     healthcheck:
       test: "/bin/bash -c '</dev/tcp/localhost/${GUARD_PORT:-8888}'"
       interval: 2m
@@ -358,3 +362,4 @@ services:
 volumes:
   mysql_data:
   cache_data:
+  misp_guard_ca:
diff --git a/guard/files/entrypoint.sh b/guard/files/entrypoint.sh
@@ -24,4 +24,21 @@ jq --arg ip "$MISP_IP" \
    '.instances.misp_container.ip = $ip' \
    /config.json > /srv/misp-guard/src/config.json
 
-exec mitmdump -s mispguard.py -p ${GUARD_PORT:-8888} ${GUARD_ARGS:+$GUARD_ARGS} --set config=config.json
+# start mitmdump in background
+mitmdump \
+  -s mispguard.py \
+  -p "${GUARD_PORT:-8888}" \
+  ${GUARD_ARGS:+$GUARD_ARGS} \
+  --set config=config.json &
+
+MITM_PID=$!
+
+# wait for mitmproxy CA to exist
+while [ ! -f /root/.mitmproxy/mitmproxy-ca.pem ]; do
+  sleep 1
+done
+
+# copy mitmproxy CA to shared volume for misp-core to use
+cp /root/.mitmproxy/mitmproxy-ca.pem /misp_guard_ca/mitmproxy-ca.pem
+
+wait "$MITM_PID"
