Commit 0d11afb3 authored by Benjamin "Ziirish" SANS's avatar Benjamin "Ziirish" SANS

add: new docker image

parent 3c67c0e8
Pipeline #969 failed with stages
in 10 minutes and 36 seconds
FROM python:3.6-alpine
MAINTAINER hi+burpui@ziirish.me
RUN apk add --no-cache supervisor logrotate librsync openssl tzdata \
&& apk add --no-cache --virtual .fetch-deps \
tar \
\
&& wget -O burp.tar.gz https://github.com/grke/burp/archive/2.0.54.tar.gz \
&& wget -O uthash.tar.gz https://github.com/troydhanson/uthash/archive/v2.0.1.tar.gz \
&& mkdir -p /usr/src/burp /usr/src/uthash \
&& tar -xC /usr/src/burp --strip-components=1 -f burp.tar.gz \
&& tar -xC /usr/src/uthash --strip-components=1 -f uthash.tar.gz \
&& rm burp.tar.gz uthash.tar.gz \
\
&& apk add --no-cache --virtual .build-deps \
g++ \
libc-dev \
make \
openssl-dev \
zlib-dev \
librsync-dev \
pkgconfig \
yajl-dev \
autoconf \
automake \
libtool \
\
# add build deps before removing fetch deps in case there's overlap
&& apk del .fetch-deps \
\
&& cd /usr/src/burp \
&& autoreconf -vif \
&& CPPFLAGS="-I../uthash/src" ./configure \
--prefix=/usr \
--sysconfdir=/etc/burp \
--localstatedir=/var \
&& make -j$(getconf _NPROCESSORS_ONLN) \
&& make install \
&& make install-configs \
\
&& runDeps="$( \
scanelf --needed --nobanner --recursive /usr/local \
| awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
| sort -u \
| xargs -r apk info --installed \
| sort -u \
)" \
&& apk add --virtual .python-rundeps $runDeps \
&& apk del .build-deps \
# needed for the bui-cli tool
&& ln -sf /usr/bin/nc /bin/nc \
# do some cleanup
&& rm -rf /usr/src/burp /usr/src/uthash ~/.cache
ADD . /burp-ui
ADD docker/docker-alpine/assets/setup/ /app/setup/
ADD docker/docker-alpine/assets/config/ /app/setup/config/
ADD docker/docker-alpine/assets/init /app/init
RUN chmod 755 /app/init
RUN chmod 755 /app/setup/install
RUN /app/setup/install
EXPOSE 5000/tcp
VOLUME ["/var/spool/burp"]
VOLUME ["/etc/burp"]
ENTRYPOINT ["/app/init"]
CMD ["app:start"]
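Review bot: The two `wget` downloads in the first RUN (the burp 2.0.54 and uthash v2.0.1 archives) are unpacked, built and installed as root with no integrity check, so the image content depends on whatever the remote serves at build time. Pin each tarball to a digest right after its download, e.g. `echo "<sha256-of-burp-2.0.54.tar.gz>  burp.tar.gz" | sha256sum -c -` (placeholder digest; the same for uthash.tar.gz). Separately, `ADD . /burp-ui` copies the whole build context into the image; `COPY` plus a `.dockerignore` would keep `.git`, local configs and credentials out of it. The `scanelf` run-deps scan looks at `/usr/local` while burp is configured with `--prefix=/usr`, so libraries that only burp links against may be removed with `.build-deps`; this is worth checking against the failed pipeline.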
......@@ -340,6 +340,7 @@ class ClientsReport(Resource):
'os': None
}
}
# TODO: fix OS aggregation
for client in clients_orig:
if client.get('name') not in clients_name:
complement['stats']['total'] += client.get('stats', {}).get('total', 0)
......
......@@ -284,11 +284,11 @@ class Burp(Burp1):
# wait a little bit in case the process dies on a network error
time.sleep(0.5)
if not self._proc_is_alive():
details = ''
details = u''
if verbose:
details = ':\n'
details = u':\n'
out, _ = self.proc.communicate()
details += out
details += to_unicode(out)
raise OSError('Unable to spawn burp process{}'.format(details))
_, write, _ = select([], [self.proc.stdin], [], self.timeout)
if self.proc.stdin not in write:
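Review bot: The raise line still formats into a byte-string literal, `'Unable to spawn burp process{}'.format(details)`, so under Python 2 (unless the module imports `unicode_literals`, which is not visible here) non-ASCII burp output in the now-unicode `details` will raise UnicodeEncodeError instead of the intended OSError. Make the template unicode as well: `raise OSError(u'Unable to spawn burp process{}'.format(details))`. The enclosing method starts and ends outside this hunk.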
......
......@@ -24,3 +24,4 @@ burpui:
# - DATABASE_URL=sqlite:////var/lib/burpui/store.db
# - REDIS_SERVER=redis:6379
# - BURP_SERVER_ADDR=auto
# - TIMEZONE=Europe/Paris
[Global]
# On which port is the application listening
port = 5000
# On which address is the application listening
# '::' is the default for all IPv6
bind = ::
# enable SSL
ssl = false
# ssl cert
sslcert = /etc/burp/ssl_cert-server.pem
# ssl key
sslkey = /etc/burp/ssl_cert-server.key
# burp server version 1 or 2
version = 2
# Handle multiple bui-servers or not
# If set to 'false', you will need to declare at least one 'Agent' section (see
# bellow)
standalone = true
# authentication plugin (mandatory)
# list the misc/auth directory to see the available backends
# to disable authentication you can set "auth: none"
# you can also chain multiple backends. Example: "auth: ldap,basic"
# the order will be respected unless you manually set a higher backend priority
auth = basic
# acl plugin
# list misc/acl directory to see the available backends
# default is no ACL
acl = basic
# You can change the prefix if you are behind a reverse-proxy under a custom
# root path. For example: /burpui
# You can also configure your reverse-proxy to announce the prefix through the
# 'X-Script-Name' header. In this case, the bellow prefix will be ignored in
# favour of the one announced by your reverse-proxy
prefix = none
[UI]
# refresh interval of the pages in seconds
refresh = 180
# refresh interval of the live-monitoring page in seconds
liverefresh = 5
[Production]
# storage backend (only used with gunicorn) for session and cache
# may be either 'default' or 'redis'
storage = redis
# redis server to connect to
redis = 127.0.0.1:6379
[Security]
## This section contains some security options. Make sure you understand the
## security implications before changing these.
# list of 'root' paths allowed when sourcing files in the configuration.
# Set this to 'none' if you don't want any restrictions, keeping in mind this
# can lead to accessing sensible files. Defaults to '/etc/burp'.
# Note: you can have several paths separated by comas.
# Example: /etc/burp,/etc/burp.d
includes = /etc/burp
# remember_cookie duration in days
cookietime = 14
# whether to use a secure cookie for https or not. If set to false, cookies
# won't have the 'secure' flag.
# This setting is only useful when HTTPS is detected
scookie = true
# application secret to secure cookies. If you don't set anything, the default
# value is 'random' which will generate a new secret after every restart of your
# application. You can also set it to 'none' although this is not recommended.
# /!\ YOU CANNOT USE THE MAGIC 'random' VALUE WHEN USING GUNICORN /!\
appsecret = random
## burp1 backend specific options
#[Burp1]
## burp status address (can only be '127.0.0.1' or '::1')
#bhost = ::1
## burp status port
#bport = 4972
## burp binary
#burpbin = /usr/sbin/burp
## vss_strip binary
#stripbin = /usr/sbin/vss_strip
## burp client configuration file used for the restoration (Default: None)
#bconfcli = /etc/burp/burp.conf
## burp server configuration file used for the setting page
#bconfsrv = /etc/burp/burp-server.conf
## temporary directory to use for restoration
#tmpdir = /tmp/bui
## burp2 backend specific options
[Burp2]
## burp binary
#burpbin = /usr/sbin/burp
## vss_strip binary
stripbin = /usr/bin/vss_strip
## burp client configuration file used for the restoration (Default: None)
#bconfcli = /etc/burp/burp.conf
## burp server configuration file used for the setting page
#bconfsrv = /etc/burp/burp-server.conf
## temporary directory to use for restoration
tmpdir = /tmp/bui
## ldapauth specific options
#[LDAP]
## Backend priority. Higher is first
#priority = 1
## LDAP host
#host = 127.0.0.1
## LDAP port
#port = 389
## Encryption type to LDAP server (none, ssl or tls)
## - try tls if unsure, otherwise ssl on port 636
#encryption = ssl
## specifies if the server certificate must be validated, values can be:
## - none (certificates are ignored)
## - optional (not required, but validated if provided)
## - required (required and validated)
#validate = none
## SSL or TLS version to use, can be one of the following:
## - SSLv2
## - SSLv3
## - SSLv23
## - TLSv1
## - TLSv1_1 (Available only with openssl version 1.0.1+, requires python 2.7.9 or higher)
#version = TLSv1
## the file containing the certificates of the certification authorities
#cafile = none
## Attribute to use when searching the LDAP repository
##searchattr = sAMAccountName
#searchattr = uid
## LDAP filter to find users in the LDAP repository
## - {0} will be replaced by the search attribute
## - {1} will be replaced by the login name
##filter = (&({0}={1})(burpui=1))
##filter = (&({0}={1})(|(userAccountControl=512)(userAccountControl=66048)))
## LDAP base
#base = ou=users,dc=example,dc=com
## Binddn to list existing users
#binddn = cn=admin,dc=example,dc=com
## Bindpw to list existing users
#bindpw = Sup3rS3cr3tPa$$w0rd
## basicauth specific options
## Note: in case you leave this section commented, the default login/password
## is admin/admin
## Please DO NOT touch the following line
## @salted@
#[BASIC]
## Backend priority. Higher is first
#priority = 2
#admin = password
#user1 = otherpassword
## basicacl specific options
## Note: in case you leave this section commented, the user 'admin' will have
## access to all clients whereas other users will only see the client that have
## the same name
#[BASIC:ACL]
## Please note the double-quote around the username on the admin line are
## mandatory!
#admin = user1,user2
## You can also overwrite the default behavior by specifying which clients a
## user can access
#user3 = '["client4", "client5"]'
## In case you are not in a standalone mode, you can also specify which clients
## a user can access on a specific Agent
#user4 = '{"agent1": ["client6", "client7"], "agent2": ["client8"]}'
## If you set standalone to 'false', add at least one section like this per
## bui-agent
#[Agent:agent1]
## bui-agent address
#host = 192.168.1.1
## bui-agent port
#port = 10000
## bui-agent password
#password = azerty
## enable SSL
#ssl = true
#[Agent:agent2]
## bui-agent address
#host = 192.168.2.1
## bui-agent port
#port = 10000
## bui-agent password
#password = ytreza
## enable SSL
#ssl = true
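Review bot: With `[BASIC]` left commented, this file's own note says the login falls back to admin/admin, and the image serves the UI on port 5000 with `ssl = false`, so a container started with defaults is reachable with a well-known credential. Unless `/app/setup/install` or the init script rewrites this section (not visible here), ship an explicit `[BASIC]` block whose password is generated at first start or taken from an environment variable. `appsecret = random` also contradicts the warning directly above it, since the image appears to run the app under gunicorn with `storage = redis`; a generated secret persisted under `/etc/burp` would match that warning.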
# This is an example config file for the burp server.
mode = server
# The default addresses to listen on depend upon compile time options.
# They may be overridden here.
address = 0.0.0.0
port = 4971
# Think carefully before changing the status port address, as it can be used
# to view the contents of backups.
status_address = 0.0.0.0
# If you do not wish to run a status server at all, comment status_port out.
status_port = 4972
directory = /srv/backup
dedup_group = global
clientconfdir = /etc/burp/clientconfdir
# Choose the protocol to use.
# 0 to decide automatically, 1 to force protocol1 mode (file level granularity
# with a pseudo mirrored storage on the server and optional rsync). 2 forces
# protocol2 mode (inline deduplication with variable length blocks).
# Like many other settings, this can be set per client in the clientconfdir
# files.
protocol = 1
pidfile = /tmp/burp.server.pid
hardlinked_archive = 1
working_dir_recovery_method = resume
max_children = 5
max_status_children = 10
umask = 0022
syslog = 1
stdout = 0
# The following options can restrict what the client can do.
# Restore clients can override all of these expect for force_backup.
client_can_delete = 1
# Set client_can_force_backup to 0 to only allow timed backups.
client_can_force_backup = 1
client_can_list = 1
# Set client_can_restore to 0 if you want restores to only be initialised by
# the server.
client_can_restore = 1
client_can_verify = 1
# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
# ratelimit = 1.5
# Network timeout defaults to 7200 seconds (2 hours).
network_timeout = 1800
# Server storage compression. Default is zlib9. Set to zlib0 to turn it off.
compression = gzip5
# When the client version does not match the server version, log a warning.
# Set to 0 to turn it off.
version_warn = 1
# More configuration files can be read, using syntax like the following
# (without the leading '# ').
# . path/to/more/conf
# Location of autoupgrade files to serve to clients. Leave it commented out
# to not autoupgrade clients.
# autoupgrade_dir = /etc/burp/autoupgrade/server
# You can have as many 'keep' lines as you like.
# For example, if running backups daily, setting 7, 4, 6 will keep
# 7 daily backups, 4 weekly, and 6 four-weekly backups.
keep = 7
keep = 4
keep = 6
# Run as different user/group.
user = burpui
group = burpui
# CA options.
# If you want your server to be a certificate authority and generate its own
# certificates, uncomment the following lines. If the directory specified in
# ca_conf does not exist, the server will create, populate it, and the paths
# indicated by ssl_cert_ca, ssl_cert, ssl_key and ssl_dhfile below will be
# overwritten. See docs/burp_ca.txt for more information.
ca_conf = /etc/burp/CA.cnf
ca_name = burpCA
ca_server_name = burpserver
ca_burp_ca = /usr/sbin/burp_ca
# Check for revoked certificates in the certificate revocation list.
# Turn this off if you use the old ssl_extra_checks_script server script.
ca_crl_check = 1
# SSL certificate authority - same file on both server and client
ssl_cert_ca = /etc/burp/ssl_cert_ca.pem
# Server SSL certificate
ssl_cert = /etc/burp/ssl_cert-server.pem
# Server SSL key
ssl_key = /etc/burp/ssl_cert-server.key
# Server SSL ciphers
#ssl_ciphers =
# Server SSL compression. Default is zlib5. Set to zlib0 to turn it off.
#ssl_compression = zlib5
# SSL key password, for loading a certificate with encryption.
#ssl_key_password = password
# Server DH file.
ssl_dhfile = /etc/burp/dhfile.pem
timer_script = /usr/share/burp/scripts/timer_script
# Ensure that 20 hours elapse between backups
# Available units:
# s (seconds), m (minutes), h (hours), d (days), w (weeks), n (months)
timer_arg = 1h
timer_arg = Mon,Tue,Wed,Thu,Fri,05,06,07,08,09,10,11,12,13,14,15,16,17,18,19,20,21
timer_arg = Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23
# Allow backups to start in the evenings and nights during weekdays
# Allow more hours at the weekend.
# Note that, if you specify no timebands, the default timer script will never
# allow backups.
# Uncomment the notify_success_* lines for email notifications of backups that
# succeeded.
# In the subject line, the following are substituted:
# %b - "backup"/"restore"/"verify"
# %c - client name
# %w - number of warnings, if any
#notify_success_script = /usr/share/burp/scripts/notify_script
#notify_success_arg = sendmail -t
#notify_success_arg = To: youremail@example.com
#notify_success_arg = From: burp
#notify_success_arg = Subject: %b succeeded: %c %w
# Uncomment the following to have success notifications only if there were
# warnings.
#notify_success_warnings_only = 1
# Uncomment the following to have success notifications only if there were
# new or changed files.
#notify_success_changes_only = 1
# Uncomment the following for email notifications of backups that failed.
#notify_failure_script = /usr/share/burp/scripts/notify_script
#notify_failure_arg = sendmail -t
#notify_failure_arg = To: youremail@example.com
#notify_failure_arg = From: burp
#notify_failure_arg = Subject: %b failed: %c %w
# The server can run scripts on each connection after authentication and before
# disconnecting.
#server_script_pre = /usr/share/burp/scripts/ssl_extra_checks_script
#server_script_pre_arg = /etc/burp/crl
#server_script_pre_arg = /etc/burp/burp-server.conf
#server_script_pre_arg = /usr/share/burp/scripts/server-pre-script.local
# Set server_script_pre_notify to 1 to have notifications on server_script_pre
# returning non-zero. Most people will want to leave this off - it could
# result in a lot of emails because clients normally connect once every 20
# minutes. Requires notify_failure_script to be set above.
#server_script_pre_notify = 0
#server_script_post =
#server_script_post_arg =
#server_script_post_arg =
#server_script_post_run_on_fail=0
# As for server_script_pre_notify, but for post.
#server_script_post_notify = 0
# Clients that are able to list and restore files belonging to any other
# client. If this is too permissive, you may set a restore_client for
# individual original clients in the individual clientconfdir files.
# restore_client = someclient
# restore_client = someotherclient
restore_client = agent
# Whether or not the server process should cache the tree when a monitor client
# is browsing a backup. Advantage: speed. Disadvantage: more memory is used.
monitor_browse_cache = 1
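Review bot: `status_address = 0.0.0.0` opens the status port on every interface although the comment directly above it warns that this port can be used to view the contents of backups. The bundled client config points at `server = 127.0.0.1`, so the monitor inside this container looks like it only needs loopback; `status_address = 127.0.0.1` would be the safer default, with wider exposure left as an explicit opt-in. The comment `Ensure that 20 hours elapse between backups` also no longer matches `timer_arg = 1h`.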
# This is an example config file for the burp client.
mode = client
port = 4971
status_port = 4972
server = 127.0.0.1
password = abcdefgh
cname = agent
# Choose the protocol to use.
# 0 to decide automatically, 1 to force protocol1 mode (file level granularity
# with a pseudo mirrored storage on the server and optional rsync). 2 forces
# protocol2 mode (inline deduplication with variable length blocks).
protocol = 1
pidfile = /tmp/burp.client.pid
syslog = 1
stdout = 0
progress_counter = 1
# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
# ratelimit = 1.5
# Network timeout defaults to 7200 seconds (2 hours).
network_timeout = 72000
# The directory to which autoupgrade files will be downloaded.
# To never autoupgrade, leave it commented out.
# autoupgrade_dir=/opt/burp2/etc/autoupgrade/client
# OS path component for the autoupgrade directory on the server.
# autoupgrade_os=test_os
# Wait a random number of seconds between 0 and the given number before
# contacting the server on a timed backup.
# randomise = 1200
# Set server_can_restore to 0 if you do not want the server to be able to
# initiate a restore.
server_can_restore = 0
# Set an encryption password if you do not trust the server with your data.
# Note that this will mean that network deltas will not be possible. Each time
# a file changes, the whole file will be transferred on the next backup.
# encryption_password = My^$pAsswIrD%@
# More configuration files can be read, using syntax like the following
# (without the leading '# ').
# . path/to/more/conf
# Run as different user/group.
# user=graham
# group=nogroup
cross_filesystem=/home
cross_all_filesystems=0
# Uncomment the following lines to automatically generate a certificate signing
# request and send it to the server.
ca_burp_ca = /usr/sbin/burp_ca
ca_csr_dir = /etc/burp/CA-client
# SSL certificate authority - same file on both server and client
ssl_cert_ca = /etc/burp/ssl_cert_ca.pem
# Client SSL certificate
ssl_cert = /etc/burp/ssl_cert-client.pem
# Client SSL key
ssl_key = /etc/burp/ssl_cert-client.key
# Client SSL ciphers
#ssl_ciphers =
# Client SSL compression. Default is zlib5. Set to zlib0 to turn it off.
#ssl_compression = zlib5
# SSL key password
ssl_key_password = password
# Common name in the certificate that the server gives us
ssl_peer_cn = burpserver
# Example syntax for pre/post scripts
#backup_script_pre=/path/to/a/script
#backup_script_post=/path/to/a/script
#restore_script_pre=/path/to/a/script
#restore_script_post=/path/to/a/script
# The following options specify exactly what to backup.
# The server will override them if there is at least one 'include=' line on
# the server side.
include = /etc
include = /home
#exclude = /home/graham/testdir/librsync-0.9.7/testsuite
#include = /home/graham/testdir/librsync-0.9.7/testsuite/deep
#include = /home/graham/xdir
#exclude = /home/graham/testdir/libr
# Exclude file names ending in '.vdi' or '.vmdk' (case insensitive)
#exclude_ext = vdi
#exclude_ext = vmd
# Exlude file path matching a regular expression
# (note that 'include_regex' is not yet implemented)
#exclude_regex = \.cache
# Exclude various temporary file systems. You may want to add devfs, devpts,
# proc, ramfs, etc.
exclude_fs = sysfs
exclude_fs = tmpfs
# Exclude files based on size. Defaults are 0, which means no limit.
#min_file_size = 0 Mb
#max_file_size = 0 Mb
# The content of directories containing a filesystem entry named like this
# will not be backed up.
nobackup = .nobackup
# By default, burp backups up the fifos themselves, rather than reading from
# them. These two options let you choose a particular fifo to read, or read
# from all fifos.
#read_fifo=/path/to/a/fifo
#read_all_fifos=0
# The same for block device nodes.
#read_blockdev=/path/to/a/blockdev
#read_all_blockdevs=0
# Exclude files from compression by extension.
exclude_comp=bz2
exclude_comp=gz
# When backing up, whether to enable O_NOATIME when opening files and
# directories. The default is atime=0, which enables O_NOATIME.
#atime=1
# When enabled, this causes problems in the phase1 scan (such as an 'include'
# being missing) to be treated as fatal errors. The default is 0.
#scan_problem_raises_error=1
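Review bot: `password = abcdefgh` and `ssl_key_password = password` are fixed values baked into the image, so every deployment shares them, and the server config lists this client (`cname = agent`) as a `restore_client` able to list and restore other clients' files. If the init script does not already replace them (not visible here), generate both at first start or read them from the environment, and keep the file mode restrictive. `network_timeout = 72000` sits under a comment giving 7200 seconds as the default; confirm that the extra zero is intended.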
CONFIG = {
'args': (
'--bind=0.0.0.0:5000',
'--user=burpui',
'--group=burpui',
'--workers=5',
'--preload',
'--worker-class=gevent',
'--access-logfile=/var/log/gunicorn/burp-ui_access.log',
'--error-logfile=/var/log/gunicorn/burp-ui_error.log',
'burpui:create_app("@BURPUI_CONFIG@",logfile="/var/log/gunicorn/burp-ui_info.log",verbose=@BURPUI_VERBOSE@)',
),
}
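Review bot: The app string in the last entry of `args` has `@BURPUI_CONFIG@` and `@BURPUI_VERBOSE@` placed inside a Python call expression, presumably filled in by the init script from the environment variables of the same name. A value containing a double quote, or a non-numeric `BURPUI_VERBOSE`, changes the expression that gets evaluated rather than failing cleanly. Validate both before substituting: accept only digits for `BURPUI_VERBOSE` and reject a `BURPUI_CONFIG` path containing quotes or backslashes.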
#!/bin/ash
set -e
trap appStop SIGINT SIGTERM
appStart () {
BURPUI_CONFIG=${BURPUI_CONFIG:-/etc/burp/burpui.cfg}
BURPUI_CLIENT_NAME=${BURPUI_CLIENT_NAME:-bui}
BURPUI_VERBOSE=${BURPUI_VERBOSE:-0}
BURPUI_UID=${BURPUI_UID:-5337}
BURPUI_GID=${BURPUI_GID:-5337}
BURP_CLIENT_CONFIG=${BURP_CLIENT_CONFIG:-/tmp/burp.conf}