nginx-security/docker-compose.yml at master · NeoLabHQ/nginx-security · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
# Development/testing environment — starts all services locally with httpbin test backend
# For production: use the Docker image directly (see README.md)
version: "3.8"

services:
  # ===========================================
  # NGINX + ModSecurity WAF
  # ===========================================
  nginx-waf:
    image: owasp/modsecurity-crs:4-nginx-alpine-202601060501
    container_name: nginx-waf
    ports:
      - "${NGINX_HTTP_PORT:-8080}:8080"
      - "${NGINX_HTTPS_PORT:-8443}:8443"
    security_opt:
      - no-new-privileges:true
    environment:
      # Backend configuration
      - BACKEND=${BACKEND:-http://httpbin:80}
      - PORT=8080
      - SSL_PORT=8443

      # ModSecurity settings
      - MODSEC_RULE_ENGINE=${MODSEC_RULE_ENGINE:-On}
      - MODSEC_AUDIT_LOG=/var/log/modsecurity/audit.log
      - MODSEC_AUDIT_LOG_FORMAT=JSON

      # OWASP CRS settings
      - PARANOIA=${PARANOIA:-1}
      - ANOMALY_INBOUND=${ANOMALY_INBOUND:-5}
      - ANOMALY_OUTBOUND=${ANOMALY_OUTBOUND:-4}

      # Proxy timeout
      - PROXY_TIMEOUT=60

    volumes:
      # Custom nginx config with rate limiting
      - ./config/nginx/default.conf.template:/etc/nginx/templates/conf.d/default.conf.template:ro

      # Custom ModSecurity rules
      - ./config/modsecurity/custom-rules.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-CUSTOM.conf:ro
      - ./config/modsecurity/exclusions.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:ro

      # Logs (for CrowdSec analysis)
      - ./logs/nginx:/var/log/nginx
      - ./logs/modsecurity:/var/log/modsecurity

    networks:
      - security-net
    depends_on:
      - crowdsec
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/healthz"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 512M
        reservations:
          cpus: '0.5'
          memory: 256M

  # ===========================================
  # CrowdSec - Intrusion Prevention System
  # ===========================================
  crowdsec:
    image: crowdsecurity/crowdsec:v1.6.4
    container_name: crowdsec
    security_opt:
      - no-new-privileges:true
    environment:
      - COLLECTIONS=crowdsecurity/nginx crowdsecurity/http-cve crowdsecurity/base-http-scenarios
      - GID=${GID:-1000}
    ports:
      - "${CROWDSEC_METRICS_PORT:-6060}:6060"
    volumes:
      # CrowdSec configuration
      - ./config/crowdsec:/etc/crowdsec:rw
      - crowdsec-data:/var/lib/crowdsec/data

      # Log sources to analyze
      - ./logs/nginx:/var/log/nginx:ro
      - ./logs/modsecurity:/var/log/modsecurity:ro

    networks:
      - security-net
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "cscli", "version"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 256M
        reservations:
          cpus: '0.25'
          memory: 128M

  # ===========================================
  # Nginx Prometheus Exporter (for CloudBankin)
  # ===========================================
  nginx-exporter:
    image: nginx/nginx-prometheus-exporter:1.3.0
    container_name: nginx-exporter
    security_opt:
      - no-new-privileges:true
    command:
      - -nginx.scrape-uri=http://nginx-waf:8080/stub_status
    ports:
      - "${NGINX_EXPORTER_PORT:-9113}:9113"
    networks:
      - security-net
    depends_on:
      - nginx-waf
    restart: unless-stopped
    # Note: healthcheck removed - minimal image without wget/curl
    # Use 'make health' to verify metrics endpoint
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 64M

  # ===========================================
  # Loki - Log Aggregation (Optional)
  # ===========================================
  loki:
    image: grafana/loki:3.3.2
    container_name: loki
    ports:
      - "${LOKI_PORT:-3100}:3100"
    volumes:
      - ./config/loki:/etc/loki:ro
      - loki-data:/loki
    command: -config.file=/etc/loki/loki-config.yml
    networks:
      - security-net
    restart: unless-stopped
    profiles:
      - monitoring

  # ===========================================
  # Promtail - Log Collector (Optional)
  # ===========================================
  promtail:
    image: grafana/promtail:3.3.2
    container_name: promtail
    volumes:
      - ./config/promtail:/etc/promtail:ro
      - ./logs:/var/log/app:ro
    command: -config.file=/etc/promtail/promtail-config.yml
    networks:
      - security-net
    depends_on:
      - loki
    restart: unless-stopped
    profiles:
      - monitoring

  # ===========================================
  # Grafana - Visualization (Optional)
  # ===========================================
  grafana:
    image: grafana/grafana:11.4.0
    container_name: grafana
    ports:
      - "${GRAFANA_PORT:-3000}:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASSWORD:-admin}
      - GF_USERS_ALLOW_SIGN_UP=false
    volumes:
      - grafana-data:/var/lib/grafana
      - ./config/grafana/provisioning:/etc/grafana/provisioning:ro
    networks:
      - security-net
    depends_on:
      - loki
    restart: unless-stopped
    profiles:
      - monitoring

  # ===========================================
  # HTTPBin - Test Backend for Quick Start
  # ===========================================
  httpbin:
    image: kennethreitz/httpbin:latest
    container_name: httpbin
    networks:
      - security-net
    restart: unless-stopped

  # ===========================================
  # CrowdSec Firewall Bouncer - IP Blocking
  # ===========================================
  # NOTE: Requires manual API key generation after first CrowdSec start
  # Run: docker exec crowdsec cscli bouncers add firewall-bouncer -o raw
  # Then add the key to .env as CROWDSEC_BOUNCER_KEY
  crowdsec-bouncer:
    image: crowdsecurity/firewall-bouncer:latest
    container_name: crowdsec-bouncer
    environment:
      - CROWDSEC_LAPI_URL=http://crowdsec:8080
      - CROWDSEC_BOUNCER_API_KEY=${CROWDSEC_BOUNCER_KEY}
      - MODE=iptables
      - DISABLE_IPV6=true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    depends_on:
      - crowdsec
    restart: unless-stopped
    profiles:
      - bouncer

networks:
  security-net:
    driver: bridge

volumes:
  crowdsec-data:
  loki-data:
  grafana-data: