From fa8d967748de0158420f10b9571249350a1f95dc Mon Sep 17 00:00:00 2001
From: Christian Risi <75698846+CnF-Gris@users.noreply.github.com>
Date: Wed, 25 Jun 2025 16:12:08 +0200
Subject: [PATCH] Changed composition to make it easier to user
---
 .gitignore | 5 +-
 compose.yaml | 28 +----
 vulnbox/DOCKERFILE | 10 +-
 vulnbox/nginx/grpc/example.conf | 38 +++++++
 vulnbox/nginx/http/example.conf | 37 +++++++
 vulnbox/nginx/http/prova.conf | 23 ----
 vulnbox/nginx/nginx.conf | 7 +-
 vulnbox/nginx/stream/ssl-termination.conf | 33 ------
 vulnbox/ssh/sshd_config | 123 ----------------------
 9 files changed, 86 insertions(+), 218 deletions(-)
 create mode 100644 vulnbox/nginx/grpc/example.conf
 create mode 100644 vulnbox/nginx/http/example.conf
 delete mode 100644 vulnbox/nginx/http/prova.conf
 delete mode 100644 vulnbox/nginx/stream/ssl-termination.conf
 delete mode 100644 vulnbox/ssh/sshd_config
diff --git a/.gitignore b/.gitignore
index 1558beb..b8e3542 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,7 @@
 config/*/*
 private/**
+services/**
+**/http/*
 !**/*.gitkeep
-!**/*.example
\ No newline at end of file
+!**/*.example
+!**/http/example.conf
\ No newline at end of file
diff --git a/compose.yaml b/compose.yaml
index 7130f25..18d0f07 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,34 +1,10 @@
 services:
 vulnbox:
- privileged: true
- env_file:
- - ./config/vulnbox/.env
 build:
 context: ./vulnbox
 dockerfile: DOCKERFILE
 volumes:
 - ./vulnbox/nginx:/etc/nginx/
 - ./private/:/services-keys
- ports:
- - 8080:80
- - 3000:3000
- - 3443:3443
- - 0.0.0.0:22:22
- networks:
- - test-net
- entrypoint: entry.sh
-
- express-tls:
- build:
- context: ./services/ExpressTLS
- dockerfile: DOCKERFILE
- volumes:
- - ./private/ExpressTLS:/workspace/keys
- networks:
- - test-net
- ports:
- - 0.0.0.0:8443:8443
-
-
-networks:
- test-net:
+ network_mode: host
+ entrypoint: entry.sh
\ No newline at end of file
diff --git a/vulnbox/DOCKERFILE b/vulnbox/DOCKERFILE
index ebbfb64..3389f67 100644
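Review bot: The new `**/http/*` rule hides per-service HTTP vhosts, but the `grpc/` directory that `nginx.conf` now includes (`include /etc/nginx/grpc/*.conf;`) gets no matching rule, so a real gRPC service config copied from `grpc/example.conf` would be committed while its HTTP counterpart is ignored. If the intent is to keep service configs out of the repository, add `**/grpc/*` and `!**/grpc/example.conf` next to the http rules. `services/**` now also ignores the whole services tree, which presumably is where the ExpressTLS build context dropped from compose.yaml lived; worth confirming that is deliberate rather than an accidental loss of tracked files.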
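Review bot: `network_mode: host` replaces the explicit `ports:` list, so every socket that nginx or anything started by `entry.sh` binds to 0.0.0.0 is reachable on all host interfaces with no mapping left to document or restrict it; the new example vhosts use `listen PORT ssl;` without an address, which is exactly such a bind. Dropping `privileged: true` is an improvement, but the exposed surface is now only discoverable by reading the nginx configs. A comment on the new line would keep that visible: `# host networking: every listening socket is exposed on all host interfaces; bind service listeners to 127.0.0.1 unless they must be public`. The removal of `env_file` also means `entry.sh` no longer receives `./config/vulnbox/.env`; whether the entrypoint still depends on those variables is not visible here.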
--- a/vulnbox/DOCKERFILE
+++ b/vulnbox/DOCKERFILE
@@ -1,10 +1,10 @@
 FROM alpine
-ENV PATH "$PATH:/docker-bin"
+ENV PATH="$PATH:/docker-bin"
 RUN apk update && apk upgrade
-RUN apk add nginx openssh openrc \
- nano openssl git nginx-mod-stream \
+RUN apk add nginx openrc \
+ openssl nginx-mod-stream \
 nginx-mod-http-headers-more \
 tcpdump
@@ -16,12 +16,8 @@ RUN chown -R www:www /www
 RUN cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
-# SSHD
-RUN rc-update add sshd
 RUN touch /run/openrc/softlevel
-COPY ./ssh/sshd_config /etc/ssh/sshd_config
-
 WORKDIR /docker-bin
 COPY ./helper-scripts /docker-bin
diff --git a/vulnbox/nginx/grpc/example.conf b/vulnbox/nginx/grpc/example.conf
new file mode 100644
index 0000000..27f1a5f
--- /dev/null
+++ b/vulnbox/nginx/grpc/example.conf
@@ -0,0 +1,38 @@
+# Example conf
+
+
+# Example TLS endpoint
+server {
+
+ more_clear_headers Server;
+
+ listen PORT ssl;
+ http2 on;
+
+ location / {
+ grpc_pass grpc://127.0.0.1:PORT;
+ }
+
+
+ ssl_certificate /services-keys/Example/cert.pem;
+ ssl_certificate_key /services-keys/Example/key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+
+
+}
+
+# Example Termination endpoint
+server {
+
+ more_clear_headers Server;
+
+ listen 127.0.0.1:PORT;
+ http2 on;
+
+ # Here put the service you need
+ location / {
+ grpc_pass grpcs://127.0.0.1:PORT;
+ }
+
+
+}
\ No newline at end of file
diff --git a/vulnbox/nginx/http/example.conf b/vulnbox/nginx/http/example.conf
new file mode 100644
index 0000000..0b501dc
--- /dev/null
+++ b/vulnbox/nginx/http/example.conf
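Review bot: The rewritten `RUN apk add nginx openrc \` still installs whatever the untagged `FROM alpine` resolves to after `apk update && apk upgrade`, and leaves the apk index in the layer; `RUN apk add --no-cache nginx openrc \` together with a tagged base (`FROM alpine:<version>`, placeholder) makes the vulnbox image reproducible, which matters when the image is the artefact being attacked and patched. In the second hunk `RUN touch /run/openrc/softlevel` survives the removal of the sshd lines around it; it presumably still serves openrc for nginx, but a comment such as `# openrc needs this marker file even with sshd gone` would stop the next reader from deleting it as leftover. `nginx-mod-stream` is likewise still installed although the only stream vhost (`ssl-termination.conf`) is deleted in this patch; `nginx.conf` keeps loading the module and its `stream {}` block, so this is consistent, but say so if the stream path is intentionally kept.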
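Review bot: Both new example vhosts set `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` whereas the configs they replace (`prova.conf`, `ssl-termination.conf`) allowed `TLSv1.3` only; TLS 1.1 is deprecated and has no place in a template every service will copy, so use `ssl_protocols TLSv1.2 TLSv1.3;` here and in `vulnbox/nginx/http/example.conf`. The template also reuses the single placeholder `PORT` for four different sockets in this file — the public `listen PORT ssl`, the loopback `listen 127.0.0.1:PORT`, `grpc_pass grpc://127.0.0.1:PORT` and `grpc_pass grpcs://127.0.0.1:PORT` — so substituting one value produces a TLS listener that proxies to itself; distinct placeholders (for instance `PUBLIC_PORT`, `LOCAL_PORT`, `SERVICE_PORT`, constructed names) plus a header comment saying which is which would make the example usable. Finally, `grpc_pass grpcs://...` does not verify the upstream certificate by default (`grpc_ssl_verify` is off), which is acceptable for a loopback hop but should be stated in the `# Here put the service you need` comment so nobody points it at a remote host unverified.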
@@ -0,0 +1,37 @@
+# Example conf
+
+
+# Example TLS endpoint
+server {
+
+ listen PORT ssl;
+
+ more_clear_headers Server;
+
+ location / {
+ proxy_pass http://localhost:8080;
+ }
+
+
+
+ ssl_certificate /services-keys/Example/cert.pem;
+ ssl_certificate_key /services-keys/Example/key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+
+
+}
+
+# Example Termination endpoint
+server {
+
+ more_clear_headers Server;
+
+ listen 127.0.0.1:8080;
+
+ # Here put the service you need
+ location / {
+ proxy_pass https://127.0.0.1:PORT;
+ }
+
+
+}
\ No newline at end of file
diff --git a/vulnbox/nginx/http/prova.conf b/vulnbox/nginx/http/prova.conf
deleted file mode 100644
index 8e3572d..0000000
--- a/vulnbox/nginx/http/prova.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-
-
-
-server {
- listen *:3443 ssl;
-
- ssl_certificate /services-keys/ExpressTLS/cert.pem;
- ssl_certificate_key /services-keys/ExpressTLS/key.pem;
- ssl_protocols TLSv1.3;
-
- location / {
- proxy_pass http://localhost:3080/;
- }
-}
-
-server {
- listen 127.0.0.1:3080;
-
- location / {
- proxy_pass https://express-tls:8443/;
- }
-}
-
diff --git a/vulnbox/nginx/nginx.conf b/vulnbox/nginx/nginx.conf
index 8192ed5..b169a9e 100644
--- a/vulnbox/nginx/nginx.conf
+++ b/vulnbox/nginx/nginx.conf
@@ -3,14 +3,11 @@ user nginx;
 # Set number of worker processes automatically based on number of CPU cores.
 worker_processes auto;
-# Load ngx_stream_module
+# Load Modules
 load_module /usr/lib/nginx/modules/ngx_stream_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
-
-
-
 # Enables the use of JIT for regular expressions to speed-up their processing.
 pcre_jit on;
@@ -37,9 +34,9 @@ http {
 '"$http_user_agent" "$http_x_forwarded_for"'; - # Includes virtual hosts configs.
 include /etc/nginx/http/*.conf;
+ include /etc/nginx/grpc/*.conf;
 }
 stream {
diff --git a/vulnbox/nginx/stream/ssl-termination.conf b/vulnbox/nginx/stream/ssl-termination.conf
deleted file mode 100644
index b8a88b1..0000000
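Review bot: The TLS vhost proxies to `proxy_pass http://localhost:8080;` while the termination vhost binds `listen 127.0.0.1:8080;`; on a host whose resolver returns `::1` for `localhost` first, nginx will try the IPv6 loopback where nothing listens, so use `proxy_pass http://127.0.0.1:8080;` to match the listener (the gRPC example already uses the literal address). The loopback port `8080` is also hard-coded in this template while every other socket is `PORT`, so two services copied from it will collide on the same loopback port; make it a placeholder as well. `proxy_pass https://127.0.0.1:PORT;` in the second server does not verify the upstream certificate unless `proxy_ssl_verify on;` is set, which is fine for a loopback hop but deserves a word in the `# Here put the service you need` comment.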
--- a/vulnbox/nginx/stream/ssl-termination.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-
-upstream backend_ssl_ter {
- server localhost:3080;
-}
-
-upstream backend {
- server https://express-tls:8443;
-}
-
-server {
-
- listen 3443 ssl;
-
- more_clear_headers Server;
-
- proxy_pass backend_ssl_ter;
-
-
- ssl_certificate /services-keys/ExpressTLS/cert.pem;
- ssl_certificate_key /services-keys/ExpressTLS/key.pem;
- ssl_protocols TLSv1.3;
-
-
-}
-
-server {
-
- more_clear_headers Server;
-
- listen 3080;
- proxy_pass backend;
-
-}
\ No newline at end of file
diff --git a/vulnbox/ssh/sshd_config b/vulnbox/ssh/sshd_config
deleted file mode 100644
index b9a9616..0000000
--- a/vulnbox/ssh/sshd_config
+++ /dev/null
@@ -1,123 +0,0 @@
-# $OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-# Include configuration snippets before processing this file to allow the
-# snippets to override directives set in this file.
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to "no" here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to "no" to disable keyboard-interactive authentication. Depending on
-# the system's configuration, this may involve passwords, challenge-response,
-# one-time passwords or some combination of these and other methods.
-#KbdInteractiveAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the KbdInteractiveAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin prohibit-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
-
-#AllowAgentForwarding yes
-# Feel free to re-enable these if your use case requires them.
-AllowTcpForwarding no
-GatewayPorts no
-X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp internal-sftp
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
\ No newline at end of file