add logstash http_input support for nginx

remove cockpit support entirely
cleanup / housekeeping

compose/mac_win.yml

@@ -780,7 +780,6 @@ services:
      - nginx_local
     ports:
      - "64297:64297"
-     - "127.0.0.1:64304:64304"
     image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
     pull_policy: ${TPOT_PULL_POLICY}
     read_only: true

compose/standard.yml

@@ -686,6 +686,8 @@ services:
         condition: service_healthy
     environment:
      - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    ports:
+     - "127.0.0.1:64305:64305"
     mem_limit: 2g
     image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
     pull_policy: ${TPOT_PULL_POLICY}
@@ -783,13 +785,13 @@ services:
     network_mode: "host"
     ports:
      - "64297:64297"
-     - "127.0.0.1:64304:64304"
     image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
     pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
      - ${TPOT_DATA_PATH}/nginx/cert/:/etc/nginx/cert/:ro
      - ${TPOT_DATA_PATH}/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/lswebpasswd:/etc/nginx/lswebpasswd:ro
      - ${TPOT_DATA_PATH}/nginx/log/:/var/log/nginx/
 
 # Spiderfoot service

docker-compose.yml

@@ -686,6 +686,8 @@ services:
         condition: service_healthy
     environment:
      - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    ports:
+     - "127.0.0.1:64305:64305"
     mem_limit: 2g
     image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
     pull_policy: ${TPOT_PULL_POLICY}
@@ -783,13 +785,13 @@ services:
     network_mode: "host"
     ports:
      - "64297:64297"
-     - "127.0.0.1:64304:64304"
     image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
     pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
      - ${TPOT_DATA_PATH}/nginx/cert/:/etc/nginx/cert/:ro
      - ${TPOT_DATA_PATH}/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/lswebpasswd:/etc/nginx/lswebpasswd:ro
      - ${TPOT_DATA_PATH}/nginx/log/:/var/log/nginx/
 
 # Spiderfoot service

docker/nginx/Dockerfile

@@ -29,6 +29,7 @@ RUN apk -U --no-cache add \
     cp /root/dist/conf/nginx.conf /etc/nginx/ && \
     cp -R /root/dist/conf/ssl /etc/nginx/ && \
     cp /root/dist/conf/tpotweb.conf /etc/nginx/conf.d/ && \
+    cp /root/dist/conf/lsweb.conf /etc/nginx/conf.d/ && \
 #
 # Clean up
     rm -rf /root/* && \

docker/nginx/dist/conf/lsweb.conf

@@ -0,0 +1,110 @@
+############################################
+### NGINX T-Pot configuration file by mo ###
+############################################
+
+server {
+
+    #########################
+    ### Basic server settings
+    #########################
+    listen 64294 ssl http2;
+    index index.html;
+    ssl_protocols TLSv1.3;
+    server_name example.com;
+    error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
+    root /var/lib/nginx/html;
+    add_header Cache-Control "public, max-age=604800";
+
+    ##############################################
+    ### Remove version number add different header
+    ##############################################
+    server_tokens off;
+
+
+    ##############################################
+    ### SSL settings and Cipher Suites
+    ##############################################
+    ssl_certificate /etc/nginx/cert/nginx.crt;
+    ssl_certificate_key /etc/nginx/cert/nginx.key;
+
+    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
+    ssl_ecdh_curve secp384r1;
+    ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
+
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+
+
+    ####################################
+    ### OWASP recommendations / settings
+    ####################################
+
+    ### Size Limits & Buffer Overflows
+    ### the size may be configured based on the needs.
+    client_body_buffer_size  128k;
+    client_header_buffer_size 1k;
+    client_max_body_size 2M;
+    
+    ### Changed from OWASP recommendations: "2 1k" to "2 1280" (So 1.2k)
+    ### When you pass though potentially another reverse proxy/load balancer
+    ### in front of tpotce you can introduce more headers than normal and
+    ### therefore you can exceed the allowed header buffer of 1k.
+    ### An 280 extra bytes seems to be working for most use-cases.
+    ### And still keeping it close to OWASP's recommendation.
+    large_client_header_buffers 2 1280;
+
+    ### Mitigate Slow HHTP DoS Attack
+    ### Timeouts definition ##
+    client_body_timeout   10;
+    client_header_timeout 10;
+    keepalive_timeout     5 5;
+    send_timeout          10;
+
+    ### X-Frame-Options is to prevent from clickJacking attack
+    add_header X-Frame-Options SAMEORIGIN;
+
+    ### disable content-type sniffing on some browsers.
+    add_header X-Content-Type-Options nosniff;
+
+    ### This header enables the Cross-site scripting (XSS) filter
+    add_header X-XSS-Protection "1; mode=block";
+
+    ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+#    add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
+
+    ##################################
+    ### Restrict access and basic auth
+    ##################################
+
+    # satisfy all;
+    satisfy any;
+
+    # allow 10.0.0.0/8;
+    # allow 172.16.0.0/12;
+    # allow 192.168.0.0/16;
+    allow 127.0.0.1;
+    allow ::1;
+    deny  all;
+
+    auth_basic           "closed site";
+    auth_basic_user_file /etc/nginx/lswebpasswd;
+
+    ################################################
+    ### T-Pot Hive Logstash HTTP Input Reverse Proxy
+    ################################################
+
+    location / {
+         set_by_lua_block $logstash {
+            local tpot_ostype = os.getenv("TPOT_OSTYPE")
+            if tpot_ostype == "mac" or tpot_ostype == "win" then
+                return "http://logstash:64305";
+            else
+                return "http://127.0.0.1:64305";
+            end
+        }
+        access_log off;
+        error_log /var/log/nginx/lsweb_error.log;
+        proxy_pass $logstash;
+    }
+}

docker/nginx/dist/conf/nginx.conf

@@ -6,7 +6,6 @@ load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
 
 # OS ENV variables need to be defined here, so Lua can use them
-env COCKPIT;
 env TPOT_OSTYPE;
 
 # Both modules are needed for Lua, in this exact order
@@ -36,7 +35,7 @@ http {
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
 
-        ##
+    ##
 	# Compression
 	##
 

docker/nginx/dist/conf/tpotweb.conf

@@ -96,12 +96,7 @@ server {
 
     location / {
         set_by_lua_block $index_file {
-            local cockpit = os.getenv("COCKPIT")
+              return "index.html";
-            if cockpit == "false" then
-                return "index_light.html"
-            else
-                return "index.html"
-            end
         }
         auth_basic           "closed site";
         auth_basic_user_file /etc/nginx/nginxpasswd;
@@ -149,6 +144,7 @@ server {
                 return "http://127.0.0.1:64298";
             end
         }
+
         proxy_pass $elasticsearch;
         rewrite /es/(.*)$ /$1 break;
     }

docker/nginx/dist/html/cockpit.html

@@ -1,13 +0,0 @@
-<!DOCTYPE HTML>
-<html lang="en-US">
-  <head>
-    <meta charset="UTF-8">
-    <title>Redirect to Cockpit</title>
-  </head>
-  <body>
-    <script type="text/javascript">
-      window.location.href = window.location.protocol + '//' + window.location.hostname + ':64294';
-    </script>
-  </body>
-</html>
-

docker/nginx/dist/html/config.js

@@ -36,10 +36,6 @@ const CONFIG = {
         name: 'Attack Map',
         link: '/map/',
       },
-      {
-        name: 'Cockpit',
-        link: '/cockpit.html',
-      },
       {
         name: 'Cyberchef',
         link: '/cyberchef/',

docker/nginx/dist/html/config_light.js

@@ -1,71 +0,0 @@
-// ╔╗ ╔═╗╔╗╔╔╦╗╔═╗
-// ╠╩╗║╣ ║║║ ║ ║ ║
-// ╚═╝╚═╝╝╚╝ ╩ ╚═╝
-// ┌─┐┌─┐┌┐┌┌─┐┬┌─┐┬ ┬┬─┐┌─┐┌┬┐┬┌─┐┌┐┌
-// │  │ ││││├┤ ││ ┬│ │├┬┘├─┤ │ ││ ││││
-// └─┘└─┘┘└┘└  ┴└─┘└─┘┴└─┴ ┴ ┴ ┴└─┘┘└┘
-
-const CONFIG = {
-  // ┌┐ ┌─┐┌─┐┬┌─┐┌─┐
-  // ├┴┐├─┤└─┐││  └─┐
-  // └─┘┴ ┴└─┘┴└─┘└─┘
-
-  // General
-  imageBackground: true,
-  openInNewTab: true,
-  twelveHourFormat: false,
-
-  // Greetings
-  greetingMorning: 'Good morning ☕',
-  greetingAfternoon: 'Good afternoon 🍯',
-  greetingEvening: 'Good evening 😁',
-  greetingNight: 'Go to Sleep 🥱',
-
-  // ┬  ┬┌─┐┌┬┐┌─┐
-  // │  │└─┐ │ └─┐
-  // ┴─┘┴└─┘ ┴ └─┘
-
-  //Icons
-  firstListIcon: 'home',
-  secondListIcon: 'external-link',
-
-  // Links
-  lists: {
-    firstList: [
-      {
-        name: 'Attack Map',
-        link: '/map/',
-      },
-      {
-        name: 'Cyberchef',
-        link: '/cyberchef/',
-      },
-      {
-        name: 'Elasticvue',
-        link: '/elasticvue/',
-      },
-      {
-        name: 'Kibana',
-        link: '/kibana/',
-      },
-      {
-        name: 'Spiderfoot',
-        link: '/spiderfoot/',
-      },
-    ],
-    secondList: [
-      {
-        name: 'SecurityMeter',
-        link: 'https://sicherheitstacho.eu',
-      },
-      {
-        name: 'T-Pot @ GitHub',
-        link: 'https://github.com/telekom-security/tpotce/',
-      },
-      {
-        name: 'T-Pot ReadMe',
-        link: 'https://github.com/telekom-security/tpotce/blob/master/README.md',
-      },      
-    ],
-  },
-};

docker/nginx/dist/html/index.html

@@ -53,6 +53,13 @@
     <script>
       lucide.createIcons();
     </script>
+
+    <!-- Auto-Reload -->
+    <script>
+      setTimeout(function(){
+         window.location.reload(1);
+      }, 60000);
+    </script>
   </body>
 
   <!-- Developed and designed by Miguel R. Ávila: -->

docker/nginx/dist/html/index_light.html

@@ -1,60 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-  <head>
-    <meta charset="UTF-8" />
-    <title>T-Pot</title>
-    <link
-      rel=" shortcut icon"
-      type="image/png"
-      href="assets/icons/favicon.png"
-    />
-    <link rel="stylesheet" href="app.css" />
-    <script src="assets/js/lucide.min.js"></script>
-  </head>
-
-  <!-- 
-      ╔╗ ╔═╗╔╗╔╔╦╗╔═╗
-      ╠╩╗║╣ ║║║ ║ ║ ║
-      ╚═╝╚═╝╝╚╝ ╩ ╚═╝
-      -->
-
-  <body class="">
-    <div class="container">
-      <!-- Clock and Greetings  -->
-
-      <div class="timeBlock">
-        <div class="clock">
-          <div id="hour" class=""></div>
-          <div id="separator" class=""></div>
-          <div id="minutes" class=""></div>
-        </div>
-        <div id="greetings"></div>
-      </div>
-
-      <!-- 
-        ┬  ┬┌─┐┌┬┐┌─┐
-        │  │└─┐ │ └─┐
-        ┴─┘┴└─┘ ┴ └─┘
-        -->
-
-      <div class="card list list__1" id="list_1"></div>
-
-      <div class="card list list__2" id="list_2"></div>
-    </div>
-
-    <!-- Config  -->
-    <script src="config_light.js"></script>
-
-    <!-- Scripts  -->
-    <script src="assets/js/time.js"></script>
-    <script src="assets/js/theme.js"></script>
-    <script src="assets/js/greeting.js"></script>
-    <script src="assets/js/lists.js"></script>
-    <script>
-      lucide.createIcons();
-    </script>
-  </body>
-
-  <!-- Developed and designed by Miguel R. Ávila: -->
-  <!-- https://github.com/migueravila -->
-</html>

docker/tpotinit/dist/entrypoint.sh

@@ -146,6 +146,7 @@ if [ -f "/data/uuid" ];
     echo "# Creating web user from tpot.env, make sure to erase the password from the .env ..."
     echo
     echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
+    touch /data/nginx/conf/lswebpasswd
     echo
     echo "# Extracting objects, final touches and permissions ..."
     echo

env.example

@@ -61,9 +61,6 @@ TPOT_ATTACKMAP_TEXT_TIMEZONE=UTC
 # NEVER MAKE CHANGES TO THIS SECTION UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!!! #
 ###################################################################################
 
-# T-Pot Landing page provides Cockpit Link
-COCKPIT=false
-
 # docker.sock Path
 TPOT_DOCKER_SOCK=/var/run/docker.sock