From 2fda56085c70bda0a3439e83f51e17e2ccba23ea Mon Sep 17 00:00:00 2001
From: Yuri Volchkov
Date: Sat, 11 Jun 2022 16:41:27 +0000
Subject: [PATCH 1/5] use volumes instead of bind mounts where it makes sense.
So far it makes sense only for elasticsearch. More is comming with a bit of restructuring of the services. Also bump docker-compose version while at it.
Signed-off-by: Yuri Volchkov
---
docker-compose.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 9aeffb2..91f65e5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,4 @@
-version: '2.4'
+version: '3.4'
services:
parsedmarc:
@@ -31,7 +31,7 @@ services:
soft: -1
hard: -1
volumes:
- - ./elasticsearch/data/:/usr/share/elasticsearch/data/:z
+ - elasticsearch_data:/usr/share/elasticsearch/data/
restart: "unless-stopped"
networks:
- parsedmarc-network
@@ -77,3 +77,5 @@ services:
networks:
parsedmarc-network:
driver: bridge
+volumes:
+ elasticsearch_data:
From 62c2d7a4a640e994df3be89a053637d7ebcdc7d9 Mon Sep 17 00:00:00 2001
From: Yuri Volchkov
Date: Sat, 11 Jun 2022 17:06:48 +0000
Subject: [PATCH 2/5] Generate htpass with means of docker
---
README.md | 6 +++---
docker-compose.yml | 7 +++++--
nginx/Dockerfile | 4 ++++
nginx/conf.d/kibana.conf | 2 +-
4 files changed, 13 insertions(+), 6 deletions(-)
create mode 100644 nginx/Dockerfile
diff --git a/README.md b/README.md
index 7f05d5c..fcf80ee 100644
--- a/README.md
+++ b/README.md
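Review bot: Bumping `version: '2.4'` to `version: '3.4'` can break the startup ordering the file relies on: the `depends_on` entry with `condition: service_healthy` (visible as context in the compose hunk of patch 4) is a 2.x-only form that the 3.x file format dropped, and docker-compose releases before 1.27 (where the Compose Specification made it version-independent) reject it with a schema error, so parsedmarc would no longer wait for a healthy Elasticsearch. Nothing in this patch needs 3.x, since named volumes also work in 2.4, so either keep `version: '2.4'` or document the minimum docker-compose release that accepts the combination.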
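Review bot: Swapping the `./elasticsearch/data/` bind mount for the `elasticsearch_data` named volume leaves existing deployments with an empty Elasticsearch data directory on the next `docker-compose up`, because nothing moves the old files into the new volume. A short migration note in the README or the commit message (copy the old directory into the volume before starting) would prevent a silent loss of already indexed reports. Dropping the `:z` suffix is presumably fine here, as the volume now lives under Docker's own directory rather than in the checkout.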
@@ -63,13 +63,13 @@ volumes:
```
5. Create `nginx/htpasswd` to provide Basic-Authentification for Nginx.
-Change `dnf` to your package manager and `anyusername` to your needs.
In end you will be prompted to enter password to console.
```
-dnf install -y httpd-tools
-htpasswd -c nginx/htpasswd anyusername
+docker-compose run nginx htpasswd -c /etc/nginx-secrets/htpasswd anyusername
```
+You will be prompted for password.
+
6. Generate & put your SSL keypair `kibana.crt` and `kibana.key` to `nginx/ssl` folder.
There are to many posible solutuins like [Let's Encrypt](https://letsencrypt.org/docs/client-options/), private PKI or [self-hosted](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04) certificates.
diff --git a/docker-compose.yml b/docker-compose.yml
index 91f65e5..8b96e89 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -61,7 +61,9 @@ services:
nginx:
container_name: "nginx"
- image: nginx:alpine
+ build:
+ context: .
+ dockerfile: nginx/Dockerfile
restart: unless-stopped
tty: true
ports:
@@ -70,7 +72,7 @@ services:
volumes:
- ./nginx/conf.d/:/etc/nginx/conf.d/:z
- ./nginx/ssl/:/etc/nginx/ssl/:z
- - ./nginx/htpasswd:/etc/nginx/htpasswd:z
+ - nginx_secrets:/etc/nginx-secrets
networks:
- parsedmarc-network
@@ -79,3 +81,4 @@ networks:
driver: bridge
volumes:
elasticsearch_data:
+ nginx_secrets:
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
new file mode 100644
index 0000000..2fd43f7
--- /dev/null
+++ b/nginx/Dockerfile
@@ -0,0 +1,4 @@
+from nginx:alpine
+
+RUN apk add --no-cache --virtual .checksum-deps \
+ apache2-utils
diff --git a/nginx/conf.d/kibana.conf b/nginx/conf.d/kibana.conf
index 810f7cf..bbe5b07 100644
--- a/nginx/conf.d/kibana.conf
+++ b/nginx/conf.d/kibana.conf
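Review bot: `context: .` makes the repository root the build context, so everything under it — `parsedmarc/parsedmarc.ini` with its IMAP password and whatever sits in `nginx/ssl/` (still bind-mounted a few lines below) — is sent to the Docker daemon on every build, although the Dockerfile only runs `apk add`. Point the context at the nginx directory instead: `context: ./nginx` and `dockerfile: Dockerfile`. If the root context is kept on purpose, a `.dockerignore` excluding the config and key material is the minimum.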
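Review bot: `--virtual .checksum-deps` groups `apache2-utils` under a virtual package that is never removed with `apk del` and whose name has nothing to do with htpasswd, so it only misleads the next reader; `RUN apk add --no-cache apache2-utils` does the same job. The lowercase `from nginx:alpine` is accepted, but Docker's build checks and most Dockerfile linters flag instruction casing, so `FROM nginx:alpine` is the conventional spelling. The base tag is unpinned, which is unchanged from the `image:` line it replaces.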
@@ -16,7 +16,7 @@ server {
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
auth_basic "Login required";
- auth_basic_user_file /etc/nginx/htpasswd;
+ auth_basic_user_file /etc/nginx-secrets/htpasswd;
location / {
proxy_pass http://kibana:5601;
From e6dc558fae5d3cc05af20291ebf353490a25100b Mon Sep 17 00:00:00 2001
From: Yuri Volchkov
Date: Sat, 11 Jun 2022 17:23:26 +0000
Subject: [PATCH 3/5] introduce acme.sh service
I did not follow the default recepies of restarting nginx on sertificates renewal, as it requires to pass /var/run/docker.sock to the acme container, so it able to restart nginx container. The problem is acme would've got the full control over the docker, which is not ideal from the security point of view. Instead, a crontab entry is added to the nginx container to reload sertificaes weekly. From the up time (if it even matters), this is even beter, because "nginx -s reload" compleates in no time. While a full container reloading might take a second or two.
Signed-off-by: Yuri Volchkov
---
README.md | 18 +++++++++++++++---
docker-compose.yml | 17 ++++++++++++++++-
nginx/Dockerfile | 3 ++-
3 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index fcf80ee..3c40701 100644
--- a/README.md
+++ b/README.md
@@ -70,11 +70,23 @@ docker-compose run nginx htpasswd -c /etc/nginx-secrets/htpasswd anyusername
You will be prompted for password.
-6. Generate & put your SSL keypair `kibana.crt` and `kibana.key` to `nginx/ssl` folder.
+6. Generate SSL certificates
-There are to many posible solutuins like [Let's Encrypt](https://letsencrypt.org/docs/client-options/), private PKI or [self-hosted](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04) certificates.
+The following example leverages the Cloudflare API. But you can
+similary use any of the options provided by acme.sh. But if you do,
+don't forget to create a pull request with the verified steps :).
+
+Update `docker-compose.yml` with your Cloudflare credentials, and then simply run:
+
+```
+docker-compose run acme.sh --issue -d parsedmarc.your.domain --dns dns_cf
+ocker-compose run acme.sh --install-cert -d parsedmarc.your.domain --cert-file /installed_certs/kibana.crt --key-file /installed_certs/kibana.key
+```
+
+From now on, acme.sh container will take care of certifcates
+renewal. The nginx would not get automatically restarted, but it will
+reload certificates once a week by means of a cron job.
-It all up to you what to use. Note: for Let's Encrypt you need modify nginx configs to support it. You can use local ACME or modify docker-compose image.
7. Create needed folders and configure permissions.
```
diff --git a/docker-compose.yml b/docker-compose.yml
index 8b96e89..7d87e1f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -71,14 +71,29 @@ services:
- "443:443"
volumes:
- ./nginx/conf.d/:/etc/nginx/conf.d/:z
- - ./nginx/ssl/:/etc/nginx/ssl/:z
+ - acme_certs:/etc/nginx/ssl/
- nginx_secrets:/etc/nginx-secrets
networks:
- parsedmarc-network
+ acme.sh:
+ image: neilpang/acme.sh
+ container_name: acme.sh
+ command: daemon
+ volumes:
+ - acmeout:/acme.sh
+ - acme_certs:/installed_certs
+ environment:
+
+ # CloudFlare
+ - CF_Token=
+ - CF_Account_ID=
+ - CF_Zone_ID=
networks:
parsedmarc-network:
driver: bridge
volumes:
+ acmeout:
elasticsearch_data:
+ acme_certs:
+ nginx_secrets:
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 2fd43f7..a6a7fa9 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -1,4 +1,5 @@
from nginx:alpine
RUN apk add --no-cache --virtual .checksum-deps \
- apache2-utils
+ apache2-utils && \
+ echo "0 0 * * 0 nginx -s reload" | crontab -
From 96d1622134ec88a859d5114ff52701a2bb5a50c3 Mon Sep 17 00:00:00 2001
From: Yuri Volchkov
Date: Sat, 11 Jun 2022 17:42:01 +0000
Subject: [PATCH 4/5] introduce geoipupdate service
Make parsedmarc service even more self contained. Do not rely on the geoip running on the host, include it in the compose
Signed-off-by: Yuri Volchkov
---
README.md | 15 +++++++++------
docker-compose.yml | 19 ++++++++++++++++++-
2 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 3c40701..77393a5 100644
--- a/README.md
+++ b/README.md
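Review bot: The new acme.sh service runs `command: daemon` but, unlike every other service in the file, has no `restart:` policy, so after a host reboot or a Docker daemon restart the renewal loop silently stops and the certificates in `acme_certs` age out. The `- CF_Token=` / `- CF_Account_ID=` / `- CF_Zone_ID=` placeholders invite users to paste the API token into a tracked file (the README in this same patch tells them to); reading the values through `${CF_Token}` substitution from an untracked `.env` keeps the secret out of git, and the same applies to `GEOIPUPDATE_ACCOUNT_ID` and `GEOIPUPDATE_LICENSE_KEY` in the geoipupdate hunk of patch 4. nginx only reads the issued files, so its `acme_certs` mount can be `:ro`; the nginx service definition begins above this hunk.
```yaml
    volumes:
      - ./nginx/conf.d/:/etc/nginx/conf.d/:z
      - acme_certs:/etc/nginx/ssl/:ro
      - nginx_secrets:/etc/nginx-secrets
    # … unchanged: nginx networks …

  acme.sh:
    image: neilpang/acme.sh
    container_name: acme.sh
    command: daemon
    restart: unless-stopped
    # … unchanged: volumes …
    environment:
      # CloudFlare: read from .env (or the shell) so the token never lands in git
      - CF_Token=${CF_Token}
      - CF_Account_ID=${CF_Account_ID}
      - CF_Zone_ID=${CF_Zone_ID}
```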
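Review bot: The crontab entry appended to the `RUN` line never fires unless a cron daemon is running inside the container, and as far as I know `nginx:alpine` starts only nginx (its default command is `nginx -g 'daemon off;'`), so the weekly `nginx -s reload` the commit message relies on would not happen and nginx would keep serving the old certificate until the container is restarted. One way to keep the design without giving the acme container any Docker access is to start crond next to nginx, e.g. `CMD ["sh", "-c", "crond && exec nginx -g 'daemon off;'"]`, which still runs under the image's entrypoint. Either way, a comment above the `echo` line saying that crond must be running for the entry to matter would help the next reader.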
@@ -55,12 +55,15 @@ user = parsedmarc@example.com
password = somepassword
```
-4. Enable IP geolocation by installing [GeoIP Update software](https://github.com/maxmind/geoipupdate). And edit `docker-compose.yml` to enable access to the MaxMind databases on your host system.
-```
-volumes:
- - ./parsedmarc/parsedmarc.ini:/etc/parsedmarc.ini:z
- - /path/to/GeoIP:/usr/share/GeoIP
-```
+4. Geolocation data
+
+Create an account and generate a licence key at
+[maxmind](https://www.maxmind.com/en/accounts/current/license-key). And
+update GEOIPUPDATE_ACCOUNT_ID and GEOIPUPDATE_LICENSE_KEY in the
+`docker-compose`
+
+For more information refer to [GeoIP Update
+software](https://github.com/maxmind/geoipupdate) github page
5. Create `nginx/htpasswd` to provide Basic-Authentification for Nginx.
In end you will be prompted to enter password to console.
diff --git a/docker-compose.yml b/docker-compose.yml
index 7d87e1f..9816a92 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,7 @@ services:
tty: true
volumes:
- ./parsedmarc/parsedmarc.ini:/etc/parsedmarc.ini:z
- #- /path/to/GeoIP:/usr/share/GeoIP
+ - geoipupdate_data:/usr/share/GeoIP
restart: unless-stopped
networks:
- parsedmarc-network
@@ -18,6 +18,20 @@ services:
elasticsearch:
condition: service_healthy
+ geoipupdate:
+ container_name: geoipupdate
+ image: maxmindinc/geoipupdate
+ restart: unless-stopped
+ environment:
+ - GEOIPUPDATE_ACCOUNT_ID=
+ - GEOIPUPDATE_LICENSE_KEY=
+ - 'GEOIPUPDATE_EDITION_IDS=GeoLite2-ASN GeoLite2-City GeoLite2-Country'
+ - GEOIPUPDATE_FREQUENCY=72
+ networks:
+ - geoipupdate
+ volumes:
+ - geoipupdate_data:/usr/share/GeoIP
+
elasticsearch:
container_name: "elasticsearch"
image: docker.elastic.co/elasticsearch/elasticsearch:7.17.0
@@ -92,8 +106,11 @@ services:
networks:
parsedmarc-network:
driver: bridge
+ geoipupdate:
+
volumes:
acmeout:
elasticsearch_data:
+ geoipupdate_data:
acme_certs:
nginx_secrets:
From 1ccc03466710b0d14ab873f669bf970c1d0f646c Mon Sep 17 00:00:00 2001
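Review bot: parsedmarc only reads the MaxMind databases, so the new mount in the parsedmarc service can be read-only: `- geoipupdate_data:/usr/share/GeoIP:ro`. That keeps a compromised or misbehaving parsedmarc container from corrupting the files the updater maintains, while the geoipupdate service keeps its writable mount of the same volume. The parsedmarc service definition starts above this hunk.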
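Review bot: `image: maxmindinc/geoipupdate` carries no tag while `elasticsearch:7.17.0` two lines below is pinned, so every `docker-compose pull` re-resolves it to whatever the registry currently serves and can change the updater's behaviour without any change in this repository; the same applies to `neilpang/acme.sh` introduced in patch 3. Pin it, e.g. `image: maxmindinc/geoipupdate:<pinned-tag>` with a real tag substituted. A short comment on `GEOIPUPDATE_FREQUENCY=72` naming the unit (hours, if I read the updater's documentation correctly) would also save the next reader a lookup; putting the updater on its own `geoipupdate` network, away from parsedmarc and Elasticsearch, is a good least-privilege touch.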
From: Yuri Volchkov
Date: Sat, 11 Jun 2022 17:53:14 +0000
Subject: [PATCH 5/5] parsedmarc.ini: move watch flag to the mailbox section as newver version requres
Signed-off-by: Yuri Volchkov
---
parsedmarc/parsedmarc.ini | 2 ++
1 file changed, 2 insertions(+)
diff --git a/parsedmarc/parsedmarc.ini b/parsedmarc/parsedmarc.ini
index 7c6a158..72cd766 100644
--- a/parsedmarc/parsedmarc.ini
+++ b/parsedmarc/parsedmarc.ini
@@ -6,6 +6,8 @@ save_forensic = True
host = imap.example.com
user = parsedmarc@example.com
password = somepassword
+
+[mailbox]
watch = True
[elasticsearch]