From 95eb229de3d19e7cd5d6e7ee19657d6ad67f5e51 Mon Sep 17 00:00:00 2001
From: Jeff Hoskinson
Date: Fri, 18 Aug 2023 17:07:56 -0400
Subject: [PATCH] Add configuration for HTTP port and HTTPS
---
Dockerfile | 1 +
README.md | 3 +++
bin/misp_create_configs.py | 3 +++
misp.conf | 14 +++++++++++++-
packages | 1 +
5 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 7f6d7eb4..b2b3effd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -84,6 +84,7 @@ VOLUME /var/www/MISP/app/tmp/logs/ VOLUME /var/www/MISP/app/files/certs/ VOLUME /var/www/MISP/app/attachments/ VOLUME /var/www/MISP/.gnupg/ +VOLUME /etc/pki/tls WORKDIR /var/www/MISP/ # Web server
diff --git a/README.md b/README.md
index 9a20f519..39e66480 100644
--- a/README.md
+++ b/README.md
@@ -100,6 +100,8 @@ By default, MISP requires Redis. MISP will connect to Redis defined in `REDIS_HO * `MISP_HOST_ORG_ID` (optional, int, default `1`) - MISP default organisation ID * `MISP_MODULE_URL` (optional, string) - full URL to MISP modules * `MISP_DEBUG` (optional, boolean, default `false`) - enable debug mode (do not enable on production environment) +* `MISP_PORT (optional, int, default `80`) - port to serve MISP web interface on +* `MISP_USE_SSL` (optional, boolean, default `false`) - enable to serve MISP web interface over HTTPS [Check more variables that allows MISP customization.](docs/CUSTOMIZATION.md)
@@ -229,6 +231,7 @@ If one of the variables is set to `0`, no workers will be started. * `/var/www/MISP/app/files/certs/` - uploaded certificates used for accessing remote feeds and servers * `/var/www/MISP/app/attachments/` - uploaded attachments and malware samples * `/var/www/MISP/.gnupg/` - GPG homedir +* `/etc/pik/tls` - certificates to serve MISP over HTTPS ## License
diff --git a/bin/misp_create_configs.py b/bin/misp_create_configs.py
index faae3b80..02ead4a8 100644
--- a/bin/misp_create_configs.py
+++ b/bin/misp_create_configs.py
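Review bot: `VOLUME /etc/pki/tls` in the Dockerfile hunk covers the whole TLS directory rather than only the server certificate and key. On RHEL-family images that directory usually also holds `openssl.cnf` and the links to the system CA bundle, so a bind mount over it would presumably hide them and break certificate verification for MISP's outbound connections; a dedicated directory for the MISP certificate and key, referenced from misp.conf, avoids that. The mounted private key should be readable only by the account that starts httpd. The README hunk documents the same path as `/etc/pik/tls`, which looks like a typo for `/etc/pki/tls`.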
@@ -152,6 +152,8 @@ def check_is_uuid(variable_name: str, value: str): "MISP_HOME_LOGO": Option(), "MISP_FOOTER_LOGO": Option(), "MISP_CUSTOM_CSS": Option(), + "MISP_PORT": Option(typ=int, default=80), + "MISP_USE_SSL": Option(typ=bool, default=False), # Security "GNUPG_SIGN": Option(typ=bool, default=False), "GNUPG_PRIVATE_KEY_PASSWORD": Option(),
@@ -235,6 +237,7 @@ def render_jinja_template(path: str, variables: dict): def generate_apache_config(variables: dict): + os.remove("/etc/httpd/conf.d/ssl.conf") render_jinja_template("/etc/httpd/conf.d/misp.conf", variables)
diff --git a/misp.conf b/misp.conf
index 76048f8a..57efc75d 100644
--- a/misp.conf
+++ b/misp.conf
@@ -2,12 +2,24 @@ ServerTokens Prod ServerName {{ SERVER_NAME }} +{% if MISP_USE_SSL %} +LoadModule ssl_module modules/mod_ssl.so +{% endif %} + # Include request ID header in accesss log LogFormat "%h %{X-Request-Id}i %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - +Listen {{ MISP_PORT }} + + DocumentRoot /var/www/MISP/app/webroot + {% if MISP_USE_SSL %} + SSLEngine On + SSLCertificateFile /etc/pki/tls/certs/localhost.crt + SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + {% endif %} + ErrorDocument 401 /401.html ErrorDocument 403 /401.html ErrorDocument 500 /500.html
diff --git a/packages b/packages
index ace259f0..cc2c3882 100644
--- a/packages
+++ b/packages
@@ -1,6 +1,7 @@ git-core httpd mod_auth_openidc +mod_ssl zip supervisor ssdeep-libs
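Review bot: `MISP_PORT` is accepted as any integer and still defaults to `80` when `MISP_USE_SSL` is true, so enabling HTTPS without also setting the port serves TLS on port 80. A range check (1–65535) in the style of the `check_is_uuid` validator named in the hunk header would reject values Apache cannot bind; whether `Option` accepts a validator is not visible here. Consider defaulting the port to 443 when SSL is on, or stating in the README that the two variables must be set together. The options dictionary starts and ends outside the hunk.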
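Review bot: `os.remove("/etc/httpd/conf.d/ssl.conf")` in `generate_apache_config` raises `FileNotFoundError` once the file is already gone, which would happen on the second start of the same container if this script runs at every start (not visible here). Wrapping the call as `with contextlib.suppress(FileNotFoundError): os.remove(...)` keeps startup idempotent; `contextlib` would need to be imported. Deleting ssl.conf also drops whatever TLS defaults the distribution ships in it, so the replacement settings have to come from misp.conf. A one-line comment such as `# packaged ssl.conf normally adds its own Listen 443 and default vhost; TLS is configured in misp.conf` would explain why the file is removed.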
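Review bot: The `SSLEngine On` block in misp.conf sets only the certificate and key, and because this commit deletes the packaged ssl.conf there is no `SSLProtocol` or `SSLCipherSuite` left anywhere visible, so protocol and cipher selection falls back to mod_ssl's built-in defaults. Adding `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` inside the `{% if MISP_USE_SSL %}` block makes the accepted versions explicit. The paths `/etc/pki/tls/certs/localhost.crt` and `/etc/pki/tls/private/localhost.key` are the names mod_ssl packages commonly use for an auto-generated self-signed pair; if that pair is created at image build time every container would share one private key, so the README should presumably require operators to mount their own files. The virtual-host tags are not visible in this extract, so the placement of these directives is inferred from the surrounding lines.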