
Simplify the use of custom NGINX SSL certificates with Docker Compose #11504

Closed
wants to merge 2 commits into from

Conversation

Bernasv

@Bernasv Bernasv commented Jan 4, 2025

Instead of manually copying custom user certificates into the image for SSL usage, the arguments NGINX_CRT_PATH and NGINX_KEY_PATH have been added to simplify the process. These arguments enable automatic handling of certificates when GENERATE_TLS_CERTIFICATE is set to false. Providing the paths to the certificate and key through these arguments simplifies the setup, or they can be left empty to use the default certificate generation.
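The selection rule described above, written out as an added example that is not part of this pull request or of DefectDojo's own code: an entrypoint-style POSIX shell function decides between the custom certificate pair and default generation from the same three values the description names (GENERATE_TLS_CERTIFICATE, NGINX_CRT_PATH, NGINX_KEY_PATH). The function names `select_tls_material` and `key_permissions_ok`, the fail-closed handling of a half-configured pair, and the key-mode check are assumptions added here; the files used in the usage comments are constructed.

```shell
#!/bin/sh
# Added example, not DefectDojo's entrypoint. Decides how an NGINX container
# obtains its TLS material from the values the PR introduces:
#   GENERATE_TLS_CERTIFICATE  "true" -> always generate a certificate
#   NGINX_CRT_PATH / NGINX_KEY_PATH  both empty -> fall back to generation
#                                    both set   -> use the supplied files
#                                    one set    -> configuration error
# A missing or unreadable file is an error too, so the container never
# starts without the TLS material the operator asked for.

# Prints "custom" or "generate" on stdout; returns 1 on a configuration error.
select_tls_material() {
  generate="$1"   # value of GENERATE_TLS_CERTIFICATE (true/false)
  crt="$2"        # value of NGINX_CRT_PATH (may be empty)
  key="$3"        # value of NGINX_KEY_PATH (may be empty)

  if [ "$generate" = "true" ]; then
    echo generate
    return 0
  fi
  if [ -z "$crt" ] && [ -z "$key" ]; then
    # Nothing supplied: behave exactly like the default generation path.
    echo generate
    return 0
  fi
  if [ -z "$crt" ] || [ -z "$key" ]; then
    echo "error: NGINX_CRT_PATH and NGINX_KEY_PATH must both be set" >&2
    return 1
  fi
  if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
    echo "error: certificate or key file is missing or not readable" >&2
    return 1
  fi
  echo custom
}

# Returns 0 when the private key is readable only by its owner (mode 600 or
# 400), which is the permission a reviewer expects once the key has been
# copied into the image. Uses GNU stat first, then the BSD form.
key_permissions_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage from an entrypoint (hypothetical; the variables are the PR's names,
# read from the container environment with the same defaults as the PR):
#   mode=$(select_tls_material "${GENERATE_TLS_CERTIFICATE:-true}" \
#                              "${NGINX_CRT_PATH:-}" "${NGINX_KEY_PATH:-}") || exit 1
#   if [ "$mode" = custom ]; then
#     key_permissions_ok "$NGINX_KEY_PATH" || { echo "key too permissive" >&2; exit 1; }
#   fi
```

The point of failing closed on a half-configured pair is that a container which silently falls back to a freshly generated self-signed certificate when only one path is set looks healthy from the outside while serving a certificate nobody intended; the `stat`-based check catches a key that was copied in with the default 644 mode.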


dryrunsecurity bot commented Jan 4, 2025

DryRun Security Summary

The pull request enhances the security of the DefectDojo application by improving HTTPS configuration, implementing secure cookies, providing detailed TLS certificate management instructions, and updating Dockerfiles to support secure deployment.


Summary:

The code changes in this pull request are focused on improving the security of the DefectDojo application by enhancing the HTTPS configuration and providing better guidance for users on how to securely deploy the application.

The key security-related changes include:

  1. TLS Configuration: The docker-compose.override.https.yml file has been updated to ensure that the Nginx service is configured to use TLS, which is essential for securing communication between the client and the server.
  2. Secure Cookies: The uWSGI service is configured to use secure cookies for session management and CSRF protection, helping to mitigate session-related attacks and CSRF vulnerabilities.
  3. TLS Certificate and Key Management: The instructions in the DOCKER.md file provide detailed steps for users to properly manage the TLS certificate and private key, emphasizing the importance of secure storage and access control.
  4. Dockerfile Security: The Dockerfiles for the Nginx server (Dockerfile.nginx-debian and Dockerfile.nginx-alpine) have been updated to allow for the configuration of TLS certificates and keys, set appropriate permissions, and use environment variables for secure configuration.

Overall, these changes demonstrate a strong focus on improving the security of the DefectDojo application, particularly in the areas of secure communication, session management, and certificate/key management. As an application security engineer, I would consider these changes to be a positive step towards enhancing the overall security posture of the application.

Files Changed:

  1. docker-compose.override.https.yml:

    • Configures the Nginx service to use TLS by setting the USE_TLS and GENERATE_TLS_CERTIFICATE environment variables.
    • Sets the DD_SESSION_COOKIE_SECURE and DD_CSRF_COOKIE_SECURE environment variables to ensure that the application uses secure cookies.
  2. readme-docs/DOCKER.md:

    • Provides updated instructions for securely deploying the DefectDojo application using HTTPS.
    • Includes steps for generating a private key, creating a CSR, and properly managing the TLS certificate and key.
  3. Dockerfile.nginx-debian and Dockerfile.nginx-alpine:

    • Allow for the configuration of TLS certificates and keys through the NGINX_CRT_PATH and NGINX_KEY_PATH build arguments.
    • Copy the TLS certificate and key files into the appropriate directories within the Nginx server.
    • Set the appropriate permissions for the Nginx directories and files.
    • Configure various environment variables related to the Nginx server, UWSGI, TLS, and metrics.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.


@Maffooch
Contributor

Hi @Bernasv, thank you for your contribution! I think the majority of folks using DefectDojo use the prebuilt images, and this change does not offer any benefits there. This seems like a change that would be better kept locally rather than upstream.

@Maffooch Maffooch closed this Jan 10, 2025