From c80371138a627b2bbada3a65cbe2c603d3a16e82 Mon Sep 17 00:00:00 2001
From: Pin
Date: Wed, 20 Apr 2022 22:57:21 -0400
Subject: [PATCH] Initial commit

---
README.md | 12 ++++++
files/default.conf | 0
files/dvwa-proxy.conf | 20 +++++++++
handlers/main.yml | 12 ++++++
tasks/Install-Docker-Debian18.yml | 4 ++
tasks/Install-Docker-Debian20.yml | 12 ++++++
tasks/Install-Docker-RedHat8.yml | 19 +++++++++
tasks/Setup-Certs.yml | 30 ++++++++++++++
tasks/Setup-DVWA-Docker-Network.yml | 14 +++++++
tasks/Setup-Docker-Env.yml | 64 +++++++++++++++++++++++++++++
tasks/main.yml | 45 ++++++++++++++++++++
templates/docker-compose.service.j2 | 16 ++++++++
templates/docker-compose.yml.j2 | 31 ++++++++++++++
13 files changed, 279 insertions(+)
create mode 100644 README.md
create mode 100644 files/default.conf
create mode 100644 files/dvwa-proxy.conf
create mode 100644 handlers/main.yml
create mode 100644 tasks/Install-Docker-Debian18.yml
create mode 100644 tasks/Install-Docker-Debian20.yml
create mode 100644 tasks/Install-Docker-RedHat8.yml
create mode 100644 tasks/Setup-Certs.yml
create mode 100644 tasks/Setup-DVWA-Docker-Network.yml
create mode 100644 tasks/Setup-Docker-Env.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/docker-compose.service.j2
create mode 100644 templates/docker-compose.yml.j2

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e6f22c8
--- /dev/null
+++ b/README.md
@@ -0,0 +1,12 @@
+# DVWA Proxy Project
+
+Run `ansible-playbook tasks/main.yml` to start the install process.
+This project makes the assumption that any host setup within the inventory file, will be deployed to.
+
+Normal reverse proxy will open on the hosts port 80 (HTTP) and 443 (HTTPS), as well as (8080) with a WAF proxy.
+HTTPS certificates will be generated at deployment; these certificates are self-signed.
+
+Current tested distros:
+- CentOS 8 Stream
+- Ubuntu 20.04
+
diff --git a/files/default.conf b/files/default.conf
new file mode 100644
index 0000000..e69de29
diff --git a/files/dvwa-proxy.conf b/files/dvwa-proxy.conf
new file mode 100644
index 0000000..c86d90a
--- /dev/null
+++ b/files/dvwa-proxy.conf
@@ -0,0 +1,20 @@
+server {
+ listen 80;
+ server_name _;
+
+ location / {
+ proxy_pass http://dvwa;
+ }
+}
+
+server {
+ listen 443 ssl;
+ ssl_certificate /etc/ssl/cert.crt;
+ ssl_certificate_key /etc/ssl/private/key.priv;
+
+ server_name _;
+
+ location / {
+ proxy_pass http://dvwa;
+ }
+}
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..cd0d173
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Init Docker
+ service:
+ name: docker
+ state: started
+ enabled: "true"
+
+- name: Restart Docker DVWA
+ service:
+ name: dvwa-docker
+ state: restarted
+...
diff --git a/tasks/Install-Docker-Debian18.yml b/tasks/Install-Docker-Debian18.yml
new file mode 100644
index 0000000..79f09a1
--- /dev/null
+++ b/tasks/Install-Docker-Debian18.yml
@@ -0,0 +1,4 @@
+---
+- name: Include Ubuntu20 Tasks
+ include_tasks: ./Install-Docker-Debian20.yml
+...
diff --git a/tasks/Install-Docker-Debian20.yml b/tasks/Install-Docker-Debian20.yml
new file mode 100644
index 0000000..038cedf
--- /dev/null
+++ b/tasks/Install-Docker-Debian20.yml
@@ -0,0 +1,12 @@
+---
+- name: Install Docker and Docker Compose (and Pip)
+ package:
+ name: "{{ package_name }}"
+ state: present
+ loop:
+ - docker
+ - docker-compose
+ - python3-pip
+ loop_control:
+ loop_var: package_name
+...
diff --git a/tasks/Install-Docker-RedHat8.yml b/tasks/Install-Docker-RedHat8.yml
new file mode 100644
index 0000000..86cfdf4
--- /dev/null
+++ b/tasks/Install-Docker-RedHat8.yml
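Review bot: Both `location /` blocks hand the request to DVWA without forwarding the client's identity, so the application and anything logging behind the proxy only ever sees the nginx container's address; add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` inside each location. The port-80 block also serves the application in cleartext rather than redirecting to the TLS listener; if that is deliberate for the lab a comment saying so would help, otherwise `return 301 https://$host$request_uri;` is the usual replacement. This file is installed as a `.template` under `/etc/nginx/templates`, so the nginx image's envsubst step runs over it; the `$host`-style variables should survive because only names defined in the container environment are substituted, but that is worth confirming on the rendered `/etc/nginx/conf.d/dvwa-proxy.conf`.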
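Review bot: The `Restart Docker DVWA` handler restarts the `dvwa-docker` unit but nothing in this commit enables it, so the compose stack is not started again after a reboot even though the unit carries an `[Install]` section; `enabled: true` next to `state: restarted` would cover that. `enabled: "true"` in the `Init Docker` handler passes a string where a boolean is meant — Ansible coerces it, but `enabled: true` is the idiomatic form.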
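Review bot: On Debian/Ubuntu the apt package literally named `docker` is not Docker Engine (the engine ships as `docker.io`; `docker` is an unrelated system-tray package), so the first loop item installs the wrong thing. If this currently works on Ubuntu 20.04 it is presumably because `docker-compose` pulls `docker.io` in as a recommended dependency, which is fragile; change the item to `- docker.io` so the engine dependency is explicit. A short comment noting that `docker-compose` here is the distro's Compose v1 package would also help whoever later moves to the compose plugin.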
@@ -0,0 +1,19 @@
+---
+- name: Download Docker CE Repository Defs
+ get_url:
+ url: https://download.docker.com/linux/centos/docker-ce.repo
+ dest: /etc/yum.repos.d/docker-ce.repo
+
+- name: Install Docker
+ package:
+ name: docker-ce
+ state: present
+ notify:
+ - Init Docker
+
+- name: Install Docker Compose from GitHub Repo
+ get_url:
+ url: "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
+ dest: /usr/bin/docker-compose
+ mode: "0755"
+...
diff --git a/tasks/Setup-Certs.yml b/tasks/Setup-Certs.yml
new file mode 100644
index 0000000..651e499
--- /dev/null
+++ b/tasks/Setup-Certs.yml
@@ -0,0 +1,30 @@
+---
+- name: Create DVWA Certs Directory
+ file:
+ path: /opt/dvwa-docker/certs
+ state: directory
+ owner: root
+ group: root
+ mode: "0700"
+
+- name: Generate OpenSSL Priv Key
+ openssl_privatekey:
+ path: /opt/dvwa-docker/certs/key.priv
+ size: 4096
+ type: RSA
+
+- name: Generate OpenSSL CSR
+ openssl_csr:
+ path: /opt/dvwa-docker/certs/cert.csr
+ privatekey_path: /opt/dvwa-docker/certs/key.priv
+ country_name: US
+ organization_name: ACME
+ common_name: localhost
+
+- name: Generate Self Signed Cert
+ openssl_certificate:
+ path: /opt/dvwa-docker/certs/cert.crt
+ privatekey_path: /opt/dvwa-docker/certs/key.priv
+ csr_path: /opt/dvwa-docker/certs/cert.csr
+ provider: selfsigned
+...
diff --git a/tasks/Setup-DVWA-Docker-Network.yml b/tasks/Setup-DVWA-Docker-Network.yml
new file mode 100644
index 0000000..a3bfa9a
--- /dev/null
+++ b/tasks/Setup-DVWA-Docker-Network.yml
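Review bot: The docker-compose binary is fetched from GitHub and dropped into `/usr/bin` with mode 0755 without any integrity check, so a tampered download or an intercepted connection lands directly in a root-executed path; `get_url` takes `checksum: "sha256:<digest>"` and the 1.27.4 release publishes a `.sha256` file for each binary. The same applies to the `docker-ce.repo` fetch, since that file decides which GPG key yum trusts for every later `docker-ce` install. Separately, 1.27.4 is the Python Compose v1 line, which is end-of-life; the `docker-compose-plugin` package from the same repository would keep it patched through yum, though the `which docker-compose` lookup in tasks/main.yml would need to change with it.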
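Review bot: The CSR sets only `common_name: localhost` and no `subject_alt_name`; current browsers and most TLS libraries ignore the CN, so the certificate fails hostname validation even after it is trusted, and `localhost` does not name the deployed host anyway. Add `subject_alt_name: "DNS:localhost,DNS:{{ inventory_hostname }}"` (extend with the lab address as a variable) to the CSR task. `openssl_privatekey` is also called without `mode`/`owner`; I believe the module defaults to 0600, but pinning `mode: "0600"` makes it visible, since this key is bind-mounted into the nginx container as-is. The `cert.csr` left on disk and the default validity are fine for a lab but deserve a comment saying so.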
@@ -0,0 +1,14 @@
+---
+- name: Generate DVWA Network
+ community.docker.docker_network:
+ name: dvwa-net
+
+- name: Pull DVWA Network Information
+ community.docker.docker_network_info:
+ name: dvwa-net
+ register: docker_network_stdout
+
+- set_fact:
+ docker_network_base: '{{ docker_network_stdout.network.IPAM.Config[0].Subnet | regex_replace("^(.*)\.[0-9]{1,3}/[0-9]{2}$", "\1") }}'
+ docker_network_prefix: '{{ docker_network_stdout.network.IPAM.Config[0].Subnet | regex_replace("^.*\.[0-9]{1,3}/([0-9]{2})$", "\1") }}'
+...
diff --git a/tasks/Setup-Docker-Env.yml b/tasks/Setup-Docker-Env.yml
new file mode 100644
index 0000000..55afcec
--- /dev/null
+++ b/tasks/Setup-Docker-Env.yml
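Review bot: The two regexes in the `set_fact` task assume a two-digit prefix (`/[0-9]{2}`) and a dotted IPv4 subnet; for a /8 or /9 pool, or an IPv6 IPAM entry, `regex_replace` leaves the string untouched and both facts silently become the whole subnet string. Use `[0-9]{1,2}` for the prefix (`regex_replace("^.*\.[0-9]{1,3}/([0-9]{1,2})$", "\1")`) and guard with `when: docker_network_stdout.network.IPAM.Config | length > 0`, since `Config[0]` is an unchecked index. The task has no `name`, and neither `docker_network_base` nor `docker_network_prefix` is referenced anywhere else in this commit, so either this is a leftover or a later step needs it — a comment should say which.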
@@ -0,0 +1,64 @@
+---
+- name: Pull Docker Images
+ community.docker.docker_image:
+ name: "{{ docker_image_name }}"
+ source: pull
+ loop:
+ - nginx:latest
+ - httpd:latest
+ - sagikazarmark/dvwa:latest
+ - owasp/modsecurity-crs:apache
+ loop_control:
+ loop_var: docker_image_name
+
+- name: Create DVWA Docker Service Directory
+ file:
+ path: /opt/dvwa-docker
+ state: directory
+ owner: root
+ group: root
+ mode: "0700"
+
+- name: Create Nginx Conf Directory
+ file:
+ path: /opt/dvwa-docker/nginx
+ state: directory
+ owner: root
+ group: root
+ mode: "0700"
+
+- name:
+ include_tasks: Setup-Certs.yml
+
+- name: Copy Compose File
+ template:
+ src: ../templates/docker-compose.yml.j2
+ dest: /opt/dvwa-docker/docker-compose.yml
+ owner: root
+ group: root
+ mode: "0600"
+ notify: Restart Docker DVWA
+
+- name: Copy Docker Compose Service File
+ template:
+ src: ../templates/docker-compose.service.j2
+ dest: /usr/lib/systemd/system/dvwa-docker.service
+ owner: root
+ group: root
+ mode: "0644"
+ notify: Restart Docker DVWA
+
+- name: Copy Nginx Config Files
+ copy:
+ src: "../files/{{ nginx_conf_files }}"
+ dest: "/opt/dvwa-docker/nginx/{{ nginx_conf_files }}.template"
+ owner: root
+ group: root
+ mode: "0644"
+ loop:
+ - dvwa-proxy.conf
+ - default.conf
+ loop_control:
+ loop_var: nginx_conf_files
+ notify: Restart Docker DVWA
+...
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..eb298eb
--- /dev/null
+++ b/tasks/main.yml
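Review bot: Every image is pulled by a moving tag (`:latest`, `:apache`) with `source: pull`, so each playbook run may swap in a different nginx, DVWA or ModSecurity CRS build and the lab is not reproducible; pin tags or `@sha256:` digests and mirror the same pins in the compose template. `httpd:latest` is pulled but no service in the compose template uses it. The `include_tasks: Setup-Certs.yml` task has an empty `name:` (parsed as null), which ansible-lint flags — `name: Generate Self-Signed TLS Material`. The unit is written to `/usr/lib/systemd/system`, the vendor directory; locally managed units belong in `/etc/systemd/system`, and a changed unit needs a `daemon-reload` before the restart handler takes effect, which a plain `service` handler does not perform.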
@@ -0,0 +1,45 @@
+---
+- name: DVWA Harden Project
+ hosts: all
+ become: "true"
+ handlers:
+ - import_tasks: ../handlers/main.yml
+ tasks:
+ - name: Include OS Specific Docker Install
+ include_tasks: "Install-Docker-{{ ansible_os_family }}{{ ansible_distribution_major_version }}.yml"
+
+ - name: Flush handlers to Start Docker if Changed
+ meta: flush_handlers
+
+ - name: Ensure Docker Is Running
+ service:
+ name: docker
+ state: started
+
+ - name: Grab docker-compose Install Location
+ command: which docker-compose
+ register: dockercomposeshellstdout
+
+ - set_fact:
+ dockercompose_location: "{{ dockercomposeshellstdout.stdout }}"
+
+ - name: Upgrade Pip
+ pip:
+ name: pip
+ state: latest
+
+ - name: Install Docker Pip Packages (Needed for docker module)
+ pip:
+ name: "{{ pip_package }}"
+ loop:
+ - docker>4.4.4
+ - cryptography>=1.2.3
+ loop_control:
+ loop_var: pip_package
+
+ - name: Setup DVWA Docker ENV
+ include_tasks: Setup-DVWA-Docker-Network.yml
+
+ - name: Setup Docker ENV
+ include_tasks: Setup-Docker-Env.yml
+...
diff --git a/templates/docker-compose.service.j2 b/templates/docker-compose.service.j2
new file mode 100644
index 0000000..7629d34
--- /dev/null
+++ b/templates/docker-compose.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=Docker DVWA Hardened Service
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+User=root
+Group=docker
+WorkingDirectory=/opt/dvwa-docker
+ExecStartPre={{ dockercompose_location }} -f docker-compose.yml down
+ExecStart={{ dockercompose_location }} -f docker-compose.yml up
+ExecStop={{ dockercompose_location }} -f docker-compose.yml down
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/docker-compose.yml.j2 b/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..6e8c05f
--- /dev/null
+++ b/templates/docker-compose.yml.j2
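Review bot: The pip tasks run as root against the system interpreter with open-ended specs (`pip` to `latest`, `docker>4.4.4`, `cryptography>=1.2.3`), so every run pulls whatever PyPI currently serves into system site-packages and can overwrite distro-managed modules; pin exact versions, or prefer the distro `python3-docker` package on the Debian path. `dockercompose_location` is taken from `which docker-compose` with no result check, so if the lookup fails the rendered unit gets an empty `ExecStart=` and the service fails silently — add `failed_when: dockercomposeshellstdout.rc != 0 or dockercomposeshellstdout.stdout == ""`. `become: "true"` is a string where a boolean is meant; `become: true`.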
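Review bot: `Restart=always` with no `RestartSec` means that if `docker-compose up` exits at once (port 80/443 already bound, an image pull failing) systemd respawns it in a tight loop until the start-rate limit trips; add `RestartSec=5`. `Group=docker` has no effect once `User=root` is set, and root is already the default, so both lines can go — or drop `User=` and actually run the unit as an unprivileged member of `docker`, bearing in mind that group is root-equivalent anyway.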
@@ -0,0 +1,31 @@
+version: "3"
+
+services:
+ nginx:
+ image: nginx:latest
+ volumes:
+ - /opt/dvwa-docker/nginx:/etc/nginx/templates
+ - /opt/dvwa-docker/certs/cert.crt:/etc/ssl/cert.crt
+ - /opt/dvwa-docker/certs/key.priv:/etc/ssl/private/key.priv
+ ports:
+ - "80:80"
+ - "443:443"
+ depends_on:
+ - dvwa
+
+ modsec:
+ image: owasp/modsecurity-crs:apache
+ environment:
+ - BACKEND=http://dvwa
+ ports:
+ - "8080:80"
+ depends_on:
+ - dvwa
+
+ dvwa:
+ image: sagikazarmark/dvwa:latest
+
+networks:
+ default:
+ external:
+ name: dvwa-net
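Review bot: The plain reverse proxy publishes DVWA — a deliberately vulnerable application — on `0.0.0.0:80` and `:443`, and Docker's published ports bypass host firewalls such as ufw/firewalld, so only the `:8080` listener is behind the WAF while the other two are reachable from anywhere the host is. Bind them to a lab address, e.g. `- "{{ dvwa_bind_addr | default('127.0.0.1') }}:80:80"`, or drop the unprotected listeners if the hardened path is the point of the project. `nginx:latest`, `owasp/modsecurity-crs:apache` and `sagikazarmark/dvwa:latest` are unpinned moving tags. `external: name:` under `networks` is the pre-3.5 form; with a newer compose version it becomes `external: true` plus `name: dvwa-net` at the network level.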