From 7ba5567e70c6a9c0cc16fe02a1854d8058519c86 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Fri, 5 Jan 2024 21:31:13 +0100
Subject: [PATCH] add logstash http_input support for nginx
remove cockpit support entirely
cleanup / housekeeping
---
compose/mac_win.yml | 1 -
compose/standard.yml | 4 +-
docker-compose.yml | 4 +-
docker/nginx/Dockerfile | 1 +
docker/nginx/dist/conf/lsweb.conf | 110 ++++++++++++++++++++++++
docker/nginx/dist/conf/nginx.conf | 3 +-
docker/nginx/dist/conf/tpotweb.conf | 8 +-
docker/nginx/dist/html/cockpit.html | 13 ---
docker/nginx/dist/html/config.js | 4 -
docker/nginx/dist/html/config_light.js | 71 ---------------
docker/nginx/dist/html/index.html | 7 ++
docker/nginx/dist/html/index_light.html | 60 -------------
docker/tpotinit/dist/entrypoint.sh | 1 +
env.example | 3 -
14 files changed, 128 insertions(+), 162 deletions(-)
create mode 100644 docker/nginx/dist/conf/lsweb.conf
delete mode 100644 docker/nginx/dist/html/cockpit.html
delete mode 100644 docker/nginx/dist/html/config_light.js
delete mode 100644 docker/nginx/dist/html/index_light.html
diff --git a/compose/mac_win.yml b/compose/mac_win.yml
index 4a76ee63..731ad5f7 100644
--- a/compose/mac_win.yml
+++ b/compose/mac_win.yml
@@ -780,7 +780,6 @@ services:
- nginx_local
ports:
- "64297:64297"
- - "127.0.0.1:64304:64304"
image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
pull_policy: ${TPOT_PULL_POLICY}
read_only: true
diff --git a/compose/standard.yml b/compose/standard.yml
index fa82ce47..cb7c5b9c 100644
--- a/compose/standard.yml
+++ b/compose/standard.yml
@@ -686,6 +686,8 @@ services:
condition: service_healthy
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+ ports:
+ - "127.0.0.1:64305:64305"
mem_limit: 2g
image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
pull_policy: ${TPOT_PULL_POLICY}
@@ -783,13 +785,13 @@ services:
network_mode: "host"
ports:
- "64297:64297"
- - "127.0.0.1:64304:64304"
image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
pull_policy: ${TPOT_PULL_POLICY}
read_only: true
volumes:
- ${TPOT_DATA_PATH}/nginx/cert/:/etc/nginx/cert/:ro
- ${TPOT_DATA_PATH}/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+ - ${TPOT_DATA_PATH}/nginx/conf/lswebpasswd:/etc/nginx/lswebpasswd:ro
- ${TPOT_DATA_PATH}/nginx/log/:/var/log/nginx/
# Spiderfoot service
diff --git a/docker-compose.yml b/docker-compose.yml
index fa82ce47..cb7c5b9c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -686,6 +686,8 @@ services:
condition: service_healthy
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+ ports:
+ - "127.0.0.1:64305:64305"
mem_limit: 2g
image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
pull_policy: ${TPOT_PULL_POLICY}
@@ -783,13 +785,13 @@ services:
network_mode: "host"
ports:
- "64297:64297"
- - "127.0.0.1:64304:64304"
image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
pull_policy: ${TPOT_PULL_POLICY}
read_only: true
volumes:
- ${TPOT_DATA_PATH}/nginx/cert/:/etc/nginx/cert/:ro
- ${TPOT_DATA_PATH}/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+ - ${TPOT_DATA_PATH}/nginx/conf/lswebpasswd:/etc/nginx/lswebpasswd:ro
- ${TPOT_DATA_PATH}/nginx/log/:/var/log/nginx/
# Spiderfoot service
diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile
index b2ed2c5a..21403744 100644
--- a/docker/nginx/Dockerfile
+++ b/docker/nginx/Dockerfile
@@ -29,6 +29,7 @@ RUN apk -U --no-cache add \
cp /root/dist/conf/nginx.conf /etc/nginx/ && \
cp -R /root/dist/conf/ssl /etc/nginx/ && \
cp /root/dist/conf/tpotweb.conf /etc/nginx/conf.d/ && \
+ cp /root/dist/conf/lsweb.conf /etc/nginx/conf.d/ && \
#
# Clean up
rm -rf /root/* && \
diff --git a/docker/nginx/dist/conf/lsweb.conf b/docker/nginx/dist/conf/lsweb.conf
new file mode 100644
index 00000000..872774b8
--- /dev/null
+++ b/docker/nginx/dist/conf/lsweb.conf
@@ -0,0 +1,110 @@
+############################################
+### NGINX T-Pot configuration file by mo ###
+############################################
+
+server {
+
+ #########################
+ ### Basic server settings
+ #########################
+ listen 64294 ssl http2;
+ index index.html;
+ ssl_protocols TLSv1.3;
+ server_name example.com;
+ error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
+ root /var/lib/nginx/html;
+ add_header Cache-Control "public, max-age=604800";
+
+ ##############################################
+ ### Remove version number add different header
+ ##############################################
+ server_tokens off;
+
+
+ ##############################################
+ ### SSL settings and Cipher Suites
+ ##############################################
+ ssl_certificate /etc/nginx/cert/nginx.crt;
+ ssl_certificate_key /etc/nginx/cert/nginx.key;
+
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
+ ssl_ecdh_curve secp384r1;
+ ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
+
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+
+ ####################################
+ ### OWASP recommendations / settings
+ ####################################
+
+ ### Size Limits & Buffer Overflows
+ ### the size may be configured based on the needs.
+ client_body_buffer_size 128k;
+ client_header_buffer_size 1k;
+ client_max_body_size 2M;
+
+ ### Changed from OWASP recommendations: "2 1k" to "2 1280" (So 1.2k)
+ ### When you pass though potentially another reverse proxy/load balancer
+ ### in front of tpotce you can introduce more headers than normal and
+ ### therefore you can exceed the allowed header buffer of 1k.
+ ### An 280 extra bytes seems to be working for most use-cases.
+ ### And still keeping it close to OWASP's recommendation.
+ large_client_header_buffers 2 1280;
+
+ ### Mitigate Slow HHTP DoS Attack
+ ### Timeouts definition ##
+ client_body_timeout 10;
+ client_header_timeout 10;
+ keepalive_timeout 5 5;
+ send_timeout 10;
+
+ ### X-Frame-Options is to prevent from clickJacking attack
+ add_header X-Frame-Options SAMEORIGIN;
+
+ ### disable content-type sniffing on some browsers.
+ add_header X-Content-Type-Options nosniff;
+
+ ### This header enables the Cross-site scripting (XSS) filter
+ add_header X-XSS-Protection "1; mode=block";
+
+ ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+# add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
+
+ ##################################
+ ### Restrict access and basic auth
+ ##################################
+
+ # satisfy all;
+ satisfy any;
+
+ # allow 10.0.0.0/8;
+ # allow 172.16.0.0/12;
+ # allow 192.168.0.0/16;
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+
+ auth_basic "closed site";
+ auth_basic_user_file /etc/nginx/lswebpasswd;
+
+ ################################################
+ ### T-Pot Hive Logstash HTTP Input Reverse Proxy
+ ################################################
+
+ location / {
+ set_by_lua_block $logstash {
+ local tpot_ostype = os.getenv("TPOT_OSTYPE")
+ if tpot_ostype == "mac" or tpot_ostype == "win" then
+ return "http://logstash:64305";
+ else
+ return "http://127.0.0.1:64305";
+ end
+ }
+ access_log off;
+ error_log /var/log/nginx/lsweb_error.log;
+ proxy_pass $logstash;
+ }
+}
diff --git a/docker/nginx/dist/conf/nginx.conf b/docker/nginx/dist/conf/nginx.conf
index 988a92b6..8e956ed6 100644
--- a/docker/nginx/dist/conf/nginx.conf
+++ b/docker/nginx/dist/conf/nginx.conf
@@ -6,7 +6,6 @@ load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
# OS ENV variables need to be defined here, so Lua can use them
-env COCKPIT;
env TPOT_OSTYPE;
# Both modules are needed for Lua, in this exact order
@@ -36,7 +35,7 @@ http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
- ##
+ ##
# Compression
##
diff --git a/docker/nginx/dist/conf/tpotweb.conf b/docker/nginx/dist/conf/tpotweb.conf
index 2f48cb4c..7c8900bd 100644
--- a/docker/nginx/dist/conf/tpotweb.conf
+++ b/docker/nginx/dist/conf/tpotweb.conf
@@ -96,12 +96,7 @@ server {
location / {
set_by_lua_block $index_file {
- local cockpit = os.getenv("COCKPIT")
- if cockpit == "false" then
- return "index_light.html"
- else
- return "index.html"
- end
+ return "index.html";
}
auth_basic "closed site";
auth_basic_user_file /etc/nginx/nginxpasswd;
@@ -149,6 +144,7 @@ server {
return "http://127.0.0.1:64298";
end
}
+
proxy_pass $elasticsearch;
rewrite /es/(.*)$ /$1 break;
}
diff --git a/docker/nginx/dist/html/cockpit.html b/docker/nginx/dist/html/cockpit.html
deleted file mode 100644
index 96c71fac..00000000
--- a/docker/nginx/dist/html/cockpit.html
+++ /dev/null
@@ -1,13 +0,0 @@
-
-
-
-
- Redirect to Cockpit
-
-
-
-
-
-
diff --git a/docker/nginx/dist/html/config.js b/docker/nginx/dist/html/config.js
index 3ec00428..f1af7436 100644
--- a/docker/nginx/dist/html/config.js
+++ b/docker/nginx/dist/html/config.js
@@ -36,10 +36,6 @@ const CONFIG = {
name: 'Attack Map',
link: '/map/',
},
- {
- name: 'Cockpit',
- link: '/cockpit.html',
- },
{
name: 'Cyberchef',
link: '/cyberchef/',
diff --git a/docker/nginx/dist/html/config_light.js b/docker/nginx/dist/html/config_light.js
deleted file mode 100644
index f1af7436..00000000
--- a/docker/nginx/dist/html/config_light.js
+++ /dev/null
@@ -1,71 +0,0 @@
-// ╔╗ ╔═╗╔╗╔╔╦╗╔═╗
-// ╠╩╗║╣ ║║║ ║ ║ ║
-// ╚═╝╚═╝╝╚╝ ╩ ╚═╝
-// ┌─┐┌─┐┌┐┌┌─┐┬┌─┐┬ ┬┬─┐┌─┐┌┬┐┬┌─┐┌┐┌
-// │ │ ││││├┤ ││ ┬│ │├┬┘├─┤ │ ││ ││││
-// └─┘└─┘┘└┘└ ┴└─┘└─┘┴└─┴ ┴ ┴ ┴└─┘┘└┘
-
-const CONFIG = {
- // ┌┐ ┌─┐┌─┐┬┌─┐┌─┐
- // ├┴┐├─┤└─┐││ └─┐
- // └─┘┴ ┴└─┘┴└─┘└─┘
-
- // General
- imageBackground: true,
- openInNewTab: true,
- twelveHourFormat: false,
-
- // Greetings
- greetingMorning: 'Good morning ☕',
- greetingAfternoon: 'Good afternoon 🍯',
- greetingEvening: 'Good evening 😁',
- greetingNight: 'Go to Sleep 🥱',
-
- // ┬ ┬┌─┐┌┬┐┌─┐
- // │ │└─┐ │ └─┐
- // ┴─┘┴└─┘ ┴ └─┘
-
- //Icons
- firstListIcon: 'home',
- secondListIcon: 'external-link',
-
- // Links
- lists: {
- firstList: [
- {
- name: 'Attack Map',
- link: '/map/',
- },
- {
- name: 'Cyberchef',
- link: '/cyberchef/',
- },
- {
- name: 'Elasticvue',
- link: '/elasticvue/',
- },
- {
- name: 'Kibana',
- link: '/kibana/',
- },
- {
- name: 'Spiderfoot',
- link: '/spiderfoot/',
- },
- ],
- secondList: [
- {
- name: 'SecurityMeter',
- link: 'https://sicherheitstacho.eu',
- },
- {
- name: 'T-Pot @ GitHub',
- link: 'https://github.com/telekom-security/tpotce/',
- },
- {
- name: 'T-Pot ReadMe',
- link: 'https://github.com/telekom-security/tpotce/blob/master/README.md',
- },
- ],
- },
-};
diff --git a/docker/nginx/dist/html/index.html b/docker/nginx/dist/html/index.html
index a80543ef..86c78404 100644
--- a/docker/nginx/dist/html/index.html
+++ b/docker/nginx/dist/html/index.html
@@ -53,6 +53,13 @@
+
+
+
diff --git a/docker/nginx/dist/html/index_light.html b/docker/nginx/dist/html/index_light.html
deleted file mode 100644
index 7d92f100..00000000
--- a/docker/nginx/dist/html/index_light.html
+++ /dev/null
@@ -1,60 +0,0 @@
-
-
-