Initial commit

README.md

@@ -0,0 +1,12 @@
+# DVWA Proxy Project
+
+Run `ansible-playbook tasks/main.yml` to start the install process.
+This project makes the assumption that any host setup within the inventory file, will be deployed to.
+
+Normal reverse proxy will open on the hosts port 80 (HTTP) and 443 (HTTPS), as well as (8080) with a WAF proxy.
+HTTPS certificates will be generated at deployment; these certificates are self-signed.
+
+Current tested distros:
+- CentOS 8 Stream
+- Ubuntu 20.04
+

files/dvwa-proxy.conf

@@ -0,0 +1,20 @@
+server {
+  listen 80;
+  server_name _;
+
+  location / {
+    proxy_pass http://dvwa;
+  }
+}
+
+server {
+  listen 443 ssl;
+  ssl_certificate /etc/ssl/cert.crt;
+  ssl_certificate_key /etc/ssl/private/key.priv;
+
+  server_name _;
+
+  location / {
+    proxy_pass http://dvwa;
+  }
+}

handlers/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Init Docker
+  service:
+    name: docker
+    state: started
+    enabled: "true"
+
+- name: Restart Docker DVWA
+  service:
+    name: dvwa-docker
+    state: restarted
+...

tasks/Install-Docker-Debian18.yml

@@ -0,0 +1,4 @@
+---
+- name: Include Ubuntu20 Tasks
+  include_tasks: ./Install-Docker-Debian20.yml
+...

tasks/Install-Docker-Debian20.yml

@@ -0,0 +1,12 @@
+---
+- name: Install Docker and Docker Compose (and Pip)
+  package:
+    name: "{{ package_name }}"
+    state: present
+  loop:
+    - docker
+    - docker-compose
+    - python3-pip
+  loop_control:
+    loop_var: package_name
+...

tasks/Install-Docker-RedHat8.yml

@@ -0,0 +1,19 @@
+---
+- name: Download Docker CE Repository Defs
+  get_url:
+    url: https://download.docker.com/linux/centos/docker-ce.repo
+    dest: /etc/yum.repos.d/docker-ce.repo
+
+- name: Install Docker
+  package:
+    name: docker-ce
+    state: present
+  notify:
+    - Init Docker
+
+- name: Install Docker Compose from GitHub Repo
+  get_url:
+    url: "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
+    dest: /usr/bin/docker-compose
+    mode: "0755"
+...

tasks/Setup-Certs.yml

@@ -0,0 +1,30 @@
+---
+- name: Create DVWA Certs Directory
+  file:
+    path: /opt/dvwa-docker/certs
+    state: directory
+    owner: root
+    group: root
+    mode: "0700"
+
+- name: Generate OpenSSL Priv Key
+  openssl_privatekey:
+    path: /opt/dvwa-docker/certs/key.priv
+    size: 4096
+    type: RSA
+
+- name: Generate OpenSSL CSR
+  openssl_csr:
+    path: /opt/dvwa-docker/certs/cert.csr
+    privatekey_path: /opt/dvwa-docker/certs/key.priv
+    country_name: US
+    organization_name: ACME
+    common_name: localhost
+
+- name: Generate Self Signed Cert
+  openssl_certificate:
+    path: /opt/dvwa-docker/certs/cert.crt
+    privatekey_path: /opt/dvwa-docker/certs/key.priv
+    csr_path: /opt/dvwa-docker/certs/cert.csr
+    provider: selfsigned
+...

tasks/Setup-DVWA-Docker-Network.yml

@@ -0,0 +1,14 @@
+---
+- name: Generate DVWA Network
+  community.docker.docker_network:
+    name: dvwa-net
+
+- name: Pull DVWA Network Information
+  community.docker.docker_network_info:
+    name: dvwa-net
+  register: docker_network_stdout
+
+- set_fact:
+    docker_network_base: '{{ docker_network_stdout.network.IPAM.Config[0].Subnet | regex_replace("^(.*)\.[0-9]{1,3}/[0-9]{2}$", "\1") }}'
+    docker_network_prefix: '{{ docker_network_stdout.network.IPAM.Config[0].Subnet | regex_replace("^.*\.[0-9]{1,3}/([0-9]{2})$", "\1") }}'
+...

tasks/Setup-Docker-Env.yml

@@ -0,0 +1,64 @@
+---
+- name: Pull Docker Images
+  community.docker.docker_image:
+    name: "{{ docker_image_name }}"
+    source: pull
+  loop:
+    - nginx:latest
+    - httpd:latest
+    - sagikazarmark/dvwa:latest
+    - owasp/modsecurity-crs:apache
+  loop_control:
+    loop_var: docker_image_name
+
+- name: Create DVWA Docker Service Directory
+  file:
+    path: /opt/dvwa-docker
+    state: directory
+    owner: root
+    group: root
+    mode: "0700"
+
+- name: Create Nginx Conf Directory
+  file:
+    path: /opt/dvwa-docker/nginx
+    state: directory
+    owner: root
+    group: root
+    mode: "0700"
+
+- name:
+  include_tasks: Setup-Certs.yml
+
+- name: Copy Compose File
+  template:
+    src: ../templates/docker-compose.yml.j2
+    dest: /opt/dvwa-docker/docker-compose.yml
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Restart Docker DVWA
+
+- name: Copy Docker Compose Service File
+  template:
+    src: ../templates/docker-compose.service.j2
+    dest: /usr/lib/systemd/system/dvwa-docker.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart Docker DVWA
+
+- name: Copy Nginx Config Files
+  copy:
+    src: "../files/{{ nginx_conf_files }}"
+    dest: "/opt/dvwa-docker/nginx/{{ nginx_conf_files }}.template"
+    owner: root
+    group: root
+    mode: "0644"
+  loop:
+    - dvwa-proxy.conf
+    - default.conf
+  loop_control:
+    loop_var: nginx_conf_files
+  notify: Restart Docker DVWA
+...

tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: DVWA Harden Project
+  hosts: all
+  become: "true"
+  handlers:
+    - import_tasks: ../handlers/main.yml
+  tasks:
+    - name: Include OS Specific Docker Install
+      include_tasks: "Install-Docker-{{ ansible_os_family }}{{ ansible_distribution_major_version }}.yml"
+
+    - name: Flush handlers to Start Docker if Changed
+      meta: flush_handlers
+
+    - name: Ensure Docker Is Running
+      service:
+        name: docker
+        state: started
+
+    - name: Grab docker-compose Install Location
+      command: which docker-compose
+      register: dockercomposeshellstdout
+
+    - set_fact:
+        dockercompose_location: "{{ dockercomposeshellstdout.stdout }}"
+
+    - name: Upgrade Pip
+      pip:
+        name: pip
+        state: latest
+
+    - name: Install Docker Pip Packages (Needed for docker module)
+      pip:
+        name: "{{ pip_package }}"
+      loop:
+        - docker>4.4.4
+        - cryptography>=1.2.3
+      loop_control:
+        loop_var: pip_package
+
+    - name: Setup DVWA Docker ENV
+      include_tasks: Setup-DVWA-Docker-Network.yml
+
+    - name: Setup Docker ENV
+      include_tasks: Setup-Docker-Env.yml
+...

templates/docker-compose.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Docker DVWA Hardened Service
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+User=root
+Group=docker
+WorkingDirectory=/opt/dvwa-docker
+ExecStartPre={{ dockercompose_location }} -f docker-compose.yml down
+ExecStart={{ dockercompose_location }} -f docker-compose.yml up
+ExecStop={{ dockercompose_location }} -f docker-compose.yml down
+
+[Install]
+WantedBy=multi-user.target

templates/docker-compose.yml.j2

@@ -0,0 +1,31 @@
+version: "3"
+
+services:
+  nginx:
+    image: nginx:latest
+    volumes:
+      - /opt/dvwa-docker/nginx:/etc/nginx/templates
+      - /opt/dvwa-docker/certs/cert.crt:/etc/ssl/cert.crt
+      - /opt/dvwa-docker/certs/key.priv:/etc/ssl/private/key.priv
+    ports:
+      - "80:80"
+      - "443:443"
+    depends_on:
+      - dvwa
+
+  modsec:
+    image: owasp/modsecurity-crs:apache
+    environment:
+      - BACKEND=http://dvwa
+    ports:
+      - "8080:80"
+    depends_on:
+      - dvwa
+
+  dvwa:
+    image: sagikazarmark/dvwa:latest
+
+networks:
+  default:
+    external:
+      name: dvwa-net