diff --git a/README.md b/README.md index b982b77..4b05999 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Note: The standalone `parsedmarc` docker image on [DockerHub @ accolon/parsedmarc](https://hub.docker.com/r/accolon/parsedmarc) can also be used, if interested. -This stack is based on [patschi's work](https://github.com/patschi/parsedmarc-dockerized) but also builds for and runs on ARM64 systems, e.g. the OCI Cloud Free Tier with Ampere CPUs. It includes a few other tweaks, too. +This stack is based on [patschi's work](https://github.com/patschi/parsedmarc-dockerized) but also builds for and runs on ARM64 systems, e.g. the OCI Cloud Free Tier with Ampere CPUs. It includes a few other tweaks, too: It's running on port 443 by default (can be changed in `docker-compose.yml`) and has HTTP basic authentication enabled (default user/pw is admin/admin). ## Setup: 1. Get basics together: @@ -25,7 +25,12 @@ GEOIPUPDATE_FREQUENCY=24 EOF ``` -4. Finally, we start up the stack and wait: +4. Change credentials for HTTP basic auth, e.g. this way (needs apache2-utils or httpd-tools): +``` +htpasswd -c data/conf/nginx/htpasswd USERNAME +``` + +5. Finally, we start up the stack and wait: ``` docker-compose up -d ``` 
@@ -35,7 +40,7 @@ docker-compose up -d 1. First, containers of the stack are created and started. This might take a while, as several containers have dependencies on others being in a healthy state (meaning that its service must be fully started). 2. During the startup of the `parsedmarc-init` container, all required steps and preparations are being taken care of - like generating a self-signed certificate for the included `nginx` webserver. 3. Once the Kibana container - where you can view the dashboards - is started up, the corresponding parsedmarc dashboards are automatically imported into Kibana by the `parsedmarc-init` container. -4. After some while, when everything is up and running, you can then access Kibana and its dashboards under the shipped reverse proxy at `https://HOST_IP:9999`. (Make sure to use HTTPS!) +4. After some while, when everything is up and running, you can then access Kibana and its dashboards under the shipped reverse proxy at `https://HOST_IP` (Make sure to use HTTPS!). There will be a warning due to the self-signed certificate. The default username/password for HTTP basic authentication is admin/admin. You should change this! ## Credits diff --git a/data/conf/nginx/htpasswd b/data/conf/nginx/htpasswd new file mode 100644 index 0000000..ae09185 --- /dev/null +++ b/data/conf/nginx/htpasswd @@ -0,0 +1 @@ +admin:$apr1$VF255VLe$A5HSo8COu00g0IKCseOS61 diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf index 758d995..95b0af6 100644 --- a/data/conf/nginx/site.conf +++ b/data/conf/nginx/site.conf 
@@ -12,9 +12,9 @@ server { ssl_session_tickets off; # modern configuration. tweak to your needs. - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; @@ -22,8 +22,9 @@ server { # Uncomment this next line if you are using a signed, trusted cert #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; - #auth_basic "Login required"; - #auth_basic_user_file /etc/nginx/htpasswd; + # Enable a simple auth. User/PW is admin/admin by default, CHANGE THIS! + auth_basic "Login required"; + auth_basic_user_file /etc/nginx/htpasswd; location / { proxy_pass http://kibana:5601; diff --git a/docker-compose.yml b/docker-compose.yml index 1ac3023..e68626f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -94,10 +94,11 @@ services: image: nginx:alpine restart: always ports: - - "9999:443" + - "443:443" # change this if port 443 is already used volumes: - ./data/conf/nginx/site.conf:/etc/nginx/conf.d/default.conf:ro - ./data/conf/nginx/ssl/:/etc/nginx/ssl/:ro + - ./data/conf/nginx/htpasswd:/etc/nginx/htpasswd:ro networks: - parsedmarc-network depends_on:
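Review bot: The README intro hunk states the default user/pw is admin/admin but does not say that this credential is committed to the repository, so anyone deploying the stack without completing the new step 4 is exposed with a publicly known login. Suggest wording it as a hard requirement in the same sentence, e.g. "The shipped `htpasswd` file contains a public default login (admin/admin) and must be replaced before the host is reachable from outside."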
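Review bot: The new step 4 in the README, `htpasswd -c data/conf/nginx/htpasswd USERNAME`, will silently overwrite the shipped file, which is the desired effect here (it removes the `admin` entry), but the README should say so, because a reader who runs it a second time for another user will wipe the first one. Suggest noting that `-c` creates/overwrites the file and that additional users are added without `-c`, and prefer `htpasswd -B -c ...` so the stored hash is bcrypt rather than the MD5-based `$apr1$` scheme `htpasswd` uses by default.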
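Review bot: In the README access hunk, the sentence "There will be a warning due to the self-signed certificate" should tell the reader to verify the certificate fingerprint (the `parsedmarc-init` container generates it, per point 2 of the same list) before clicking through, since HTTP basic auth sends the password in the request and an unverified certificate gives no protection against an interposed endpoint. Also the trailing "You should change this!" duplicates step 4 above; replace it with a reference to that step.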
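Review bot: The new file `data/conf/nginx/htpasswd` ships a credential (`admin:$apr1$...`) whose password is documented in the README, so the hash itself offers no protection and the `$apr1$` MD5-crypt format is weak against offline guessing in any case. Suggest not committing a real entry at all: have `parsedmarc-init`, which already generates the self-signed certificate, create the file with a random password on first start (and print it), or ship an empty file and have the README's step 4 be mandatory. If a default must stay, generate it with `htpasswd -B` so it is bcrypt.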
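Review bot: The `@@ -12,9 +12,9 @@` hunk in `site.conf` changes only leading whitespace on the three `ssl_protocols`/`ssl_ciphers`/`ssl_prefer_server_ciphers` lines; the values are identical. Suggest dropping this hunk from the change or moving it to a separate formatting commit so the security-relevant diff (enabling auth) stays reviewable on its own.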
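Review bot: In the `@@ -22,8 +22,9 @@` hunk of `site.conf`, `auth_basic` and `auth_basic_user_file` are set at `server` level, which correctly covers `location /` and anything added later, but the comment "CHANGE THIS!" is the only thing stopping a deployment with the default login. Since `auth_basic_user_file` points at a read-only mount, consider adding a comment that the file is replaced on the host via the README's `htpasswd` step, not inside the container. Separately, the `Strict-Transport-Security` line directly above stays commented out; with basic auth now enabled it is worth restating in the README that HSTS should be enabled once a trusted certificate is in use.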
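Review bot: In the `docker-compose.yml` hunk, `- "443:443"` binds the proxy on every host interface; the inline comment only covers the port-in-use case. Suggest also mentioning `127.0.0.1:443:443` for setups where another reverse proxy or an SSH tunnel fronts the stack, so a default-credential deployment is not reachable from the network. The new `./data/conf/nginx/htpasswd:/etc/nginx/htpasswd:ro` line also means that if the host file is missing, Docker will create a directory at that path and nginx will fail to serve with a 500 on every request; the README should state that the file must exist before `docker-compose up -d`.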