-
Notifications
You must be signed in to change notification settings - Fork 46
/
misp.conf
182 lines (154 loc) · 6.84 KB
/
misp.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
ServerTokens Prod
ServerName {{ SERVER_NAME }}
# Include request ID header in accesss log
LogFormat "%h %{X-Request-Id}i %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "logs/access_log" combined
{% if ECS_LOG_ENABLED %}
# ECS logging to Vector
# JSON log format for access log is modified by httpd_ecs_log.py to ECS format
{% raw %}
LogFormat "{\"@timestamp\":\"%{%Y-%m-%d}tT%{%T}t.%{msec_frac}tZ\",\"pid\":\"%P\",\"log_id\":\"%L\",\"request_id\":\"%{X-Request-Id}i\",\"http_x_forwarded_for\":\"%{X-Forwarded-For}i\",\"remote_addr\":\"%a\",\"remote_port\":\"%{remote}p\",\"user\":\"%u\",\"user_email\":\"%{OIDC_CLAIM_email}e\",\"server_name\":\"%V\",\"server_port\":\"%p\",\"host\":\"%{Host}i\",\"request_uri\":\"%U\",\"args\":\"%q\",\"bytes_sent\":\"%O\",\"body_bytes_sent\":\"%B\",\"file\":\"%f\",\"request_method\":\"%m\",\"status\":\"%>s\",\"http_user_agent\":\"%{User-agent}i\",\"http_referer\":\"%{Referer}i\",\"http_location\":\"%{Location}o\",\"server_protocol\":\"%H\",\"duration\":%{us}T}" json
{% endraw %}
CustomLog "|/usr/local/bin/su-exec apache /usr/local/bin/httpd_ecs_log.py access_log" json
# ErrorLog is modified by httpd_ecs_log.py to ECS format
# %{cu}t - The current time in compact ISO 8601 format, including micro-seconds
# %m - Name of the module logging the message
# %l - Loglevel of the message
# %P - Process ID of current process
# %T - Thread ID of current thread
# %a - Client IP address and port of the request
# %L - Log ID of the request
# %M - The actual log message
ErrorLogFormat "%{cu}t;%-m;%l;%P;%T;%a;%L;%M"
ErrorLog "|/usr/local/bin/su-exec apache /usr/local/bin/httpd_ecs_log.py error_log"
{% endif %}
# Specific VirthualHost bind to 127.0.0.2 for fetching metrics from server
<VirtualHost 127.0.0.2:80>
# Disable access log for metrics
CustomLog /dev/null combined
# httpd server status page
<Location "/server-status">
SetHandler server-status
# Just for sure
Require local
</Location>
# php-fpm server status page
<Location "/fpm-status">
ProxyPass "unix:/run/php-fpm/www.sock|fcgi://127.0.0.1:9000"
# Just for sure
Require local
</Location>
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/MISP/app/webroot
ErrorDocument 401 /401.html
ErrorDocument 403 /401.html
ErrorDocument 500 /500.html
ErrorDocument 502 /502.html
ErrorDocument 503 /503.html
ErrorDocument 504 /504.html
Alias /401.html /var/www/html/401.shtml
Alias /500.html /var/www/html/500.shtml
Alias /502.html /var/www/html/502.shtml
Alias /503.html /var/www/html/503.shtml
Alias /504.html /var/www/html/504.shtml
<Directory /var/www/html/>
Options +Includes
</Directory>
# Allow access to error page without authentication
<LocationMatch "/(401|500).html">
Satisfy any
</LocationMatch>
# Disable access to fpm-status
<Location "/fpm-status">
Require all denied
</Location>
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
DirectoryIndex /index.php index.php
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://127.0.0.1:9000"
</FilesMatch>
RewriteEngine On
{% if OIDC_LOGIN %}
# Check if authkey is valid before we let apache to touch PHP
RewriteMap authkeys "prg:/var/www/MISP/app/Console/cake user authkey_valid --disableStdLog" apache:apache
{% endif %}
<Directory /var/www/MISP/app/webroot>
Options -Indexes
Require all granted
{% if OIDC_LOGIN %}
# If request contains Authorization header, check if authorizatzion key is valid. This adds another level of protection.
RewriteCond %{HTTP:Authorization} "^[a-zA-Z0-9]{40}$"
RewriteCond ${authkeys:%{HTTP:Authorization}|0} "!=1"
# If authkey is not valid, return forbidden error
RewriteRule .* - [F,L]
{% endif %}
# Standard MISP rules that will allow processing requests by PHP if it is not directory or file
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
</Directory>
{% if OIDC_LOGIN %}
OIDCProviderMetadataURL {{ OIDC_PROVIDER }}
OIDCRedirectURI {{ MISP_BASEURL }}/oauth2callback
OIDCCryptoPassphrase {{ OIDC_CLIENT_CRYPTO_PASS }}
OIDCClientID {{ OIDC_CLIENT_ID }}
OIDCClientSecret {{ OIDC_CLIENT_SECRET }}
OIDCDefaultURL {{ MISP_BASEURL }}
OIDCCookieSameSite On
OIDCProviderTokenEndpointAuth {{ OIDC_AUTHENTICATION_METHOD }}
{% if OIDC_CODE_CHALLENGE_METHOD %}
OIDCPKCEMethod {{ OIDC_CODE_CHALLENGE_METHOD }}
{% endif %}
{% if OIDC_TOKEN_SIGNED_ALGORITHM %}
OIDCIDTokenSignedResponseAlg {{ OIDC_TOKEN_SIGNED_ALGORITHM }}
{% endif %}
# OIDCScope "openid email"
OIDCHTMLErrorTemplate /var/www/html/oidc.html
# Allow access if header contains Authorization header and value in MISP format
<If "-T req('Authorization') && req('Authorization') =~ /^[a-zA-Z0-9]{40}$/">
Require all granted
AuthType None
</If>
<Else>
AuthType openid-connect
{% for role_name in OIDC_ROLES_MAPPING %}
Require claim {{ OIDC_ROLES_PROPERTY }}:{{ role_name }}
{% endfor %}
</Else>
{% endif %}
TimeOut {{ PHP_MAX_EXECUTION_TIME + 10 }}
ServerSignature Off
# Set request ID if not set from reverse proxy
RequestHeader setifempty X-Request-Id %{UNIQUE_ID}e
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy same-origin
<Directory "/var/www/MISP/app/webroot/webfonts/">
# Cache for one year
Header always set Cache-Control "max-age=31536000; immutable"
</Directory>
{% if not MISP_DEBUG %}
<DirectoryMatch "^/var/www/MISP/app/webroot/(js|css)/">
# Cache for one week
Header always set Cache-Control "max-age=604800; immutable"
# If clients accepts brotli compressed files and that files exists, use compressed version
RewriteCond %{HTTP:Accept-Encoding} br
RewriteCond %{REQUEST_FILENAME}.br -f
RewriteRule ^(.*)$ $1.br [L]
</DirectoryMatch>
{% endif %}
<Files *.js.br>
AddType "text/javascript" .br
AddEncoding br .br
</Files>
<Files *.css.br>
AddType "text/css" .br
AddEncoding br .br
</Files>
{% if MISP_OUTPUT_COMPRESSION %}
# Enable brotli and deflate ouput compression
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/json application/x-font-ttf image/svg+xml
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/json application/x-font-ttf image/svg+xml
{% endif %}
</VirtualHost>