Commit 201c0291 authored by Benjamin "Ziirish" SANS's avatar Benjamin "Ziirish" SANS
Browse files

add: Dockerfile to build release

parent dd48aaeb
Pipeline #640 failed with stage
in 6 minutes and 9 seconds
FROM debian:jessie
MAINTAINER hi+burpui@ziirish.me
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y supervisor logrotate locales wget curl python2.7-dev git python-virtualenv gunicorn python-pip cron libffi-dev redis-server \
&& update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \
&& locale-gen en_US.UTF-8 \
&& dpkg-reconfigure -f noninteractive locales \
&& echo "Europe/Paris" >/etc/timezone \
&& dpkg-reconfigure -f noninteractive tzdata \
&& rm -rf /var/lib/apt/lists/*
ADD . /burp-ui
ADD docker/docker-release/assets/setup/ /app/setup/
ADD docker/docker-release/assets/config/ /app/setup/config/
ADD docker/docker-release/assets/init /app/init
RUN chmod 755 /app/init
RUN chmod 755 /app/setup/install
RUN /app/setup/install
EXPOSE 5000/tcp
EXPOSE 4971/tcp
EXPOSE 4972/tcp
ENTRYPOINT ["/app/init"]
CMD ["app:start"]
[Global]
# On which port is the application listening
port = 5000
# On which address is the application listening
# '::' is the default for all IPv6
bind = ::
# enable SSL
ssl = false
# ssl cert
sslcert = /etc/burp/ssl_cert-server.pem
# ssl key
sslkey = /etc/burp/ssl_cert-server.key
# burp server version 1 or 2
version = 1
# Handle multiple bui-servers or not
# If set to 'false', you will need to declare at least one 'Agent' section (see
# bellow)
standalone = true
# authentication plugin (mandatory)
# list the misc/auth directory to see the available backends
# to disable authentication you can set "auth: none"
# you can also chain multiple backends. Example: "auth: ldap,basic"
# the order will be respected unless you manually set a higher backend priority
auth = basic
# acl plugin
# list misc/acl directory to see the available backends
# default is no ACL
acl = basic
# You can change the prefix if you are behind a reverse-proxy under a custom
# root path. For example: /burpui
# You can also configure your reverse-proxy to announce the prefix through the
# 'X-Script-Name' header. In this case, the bellow prefix will be ignored in
# favour of the one announced by your reverse-proxy
prefix = none
[UI]
# refresh interval of the pages in seconds
refresh = 180
# refresh interval of the live-monitoring page in seconds
liverefresh = 5
[Production]
# storage backend (only used with gunicorn) for session and cache
# may be either 'default' or 'redis'
storage = redis
# redis server to connect to
redis = 127.0.0.1:6379
[Security]
## This section contains some security options. Make sure you understand the
## security implications before changing these.
# list of 'root' paths allowed when sourcing files in the configuration.
# Set this to 'none' if you don't want any restrictions, keeping in mind this
# can lead to accessing sensible files. Defaults to '/etc/burp'.
# Note: you can have several paths separated by comas.
# Example: /etc/burp,/etc/burp.d
includes = /etc/burp
# remember_cookie duration in days
cookietime = 14
# whether to use a secure cookie for https or not. If set to false, cookies
# won't have the 'secure' flag.
# This setting is only useful when HTTPS is detected
scookie = true
# application secret to secure cookies. If you don't set anything, the default
# value is 'random' which will generate a new secret after every restart of your
# application. You can also set it to 'none' although this is not recommended.
# /!\ YOU CANNOT USE THE MAGIC 'random' VALUE WHEN USING GUNICORN /!\
appsecret = random
## burp1 backend specific options
#[Burp1]
## burp status address (can only be '127.0.0.1' or '::1')
#bhost = ::1
## burp status port
#bport = 4972
## burp binary
#burpbin = /usr/sbin/burp
## vss_strip binary
#stripbin = /usr/sbin/vss_strip
## burp client configuration file used for the restoration (Default: None)
#bconfcli = /etc/burp/burp.conf
## burp server configuration file used for the setting page
#bconfsrv = /etc/burp/burp-server.conf
## temporary directory to use for restoration
#tmpdir = /tmp/bui
## burp2 backend specific options
[Burp2]
## burp binary
#burpbin = /usr/sbin/burp
## vss_strip binary
#stripbin = /usr/sbin/vss_strip
## burp client configuration file used for the restoration (Default: None)
#bconfcli = /etc/burp/burp.conf
## burp server configuration file used for the setting page
#bconfsrv = /etc/burp/burp-server.conf
## temporary directory to use for restoration
tmpdir = /srv/temp/
## ldapauth specific options
#[LDAP]
## Backend priority. Higher is first
#priority = 1
## LDAP host
#host = 127.0.0.1
## LDAP port
#port = 389
## Encryption type to LDAP server (none, ssl or tls)
## - try tls if unsure, otherwise ssl on port 636
#encryption = ssl
## specifies if the server certificate must be validated, values can be:
## - none (certificates are ignored)
## - optional (not required, but validated if provided)
## - required (required and validated)
#validate = none
## SSL or TLS version to use, can be one of the following:
## - SSLv2
## - SSLv3
## - SSLv23
## - TLSv1
## - TLSv1_1 (Available only with openssl version 1.0.1+, requires python 2.7.9 or higher)
#version = TLSv1
## the file containing the certificates of the certification authorities
#cafile = none
## Attribute to use when searching the LDAP repository
##searchattr = sAMAccountName
#searchattr = uid
## LDAP filter to find users in the LDAP repository
## - {0} will be replaced by the search attribute
## - {1} will be replaced by the login name
##filter = (&({0}={1})(burpui=1))
##filter = (&({0}={1})(|(userAccountControl=512)(userAccountControl=66048)))
## LDAP base
#base = ou=users,dc=example,dc=com
## Binddn to list existing users
#binddn = cn=admin,dc=example,dc=com
## Bindpw to list existing users
#bindpw = Sup3rS3cr3tPa$$w0rd
## basicauth specific options
## Note: in case you leave this section commented, the default login/password
## is admin/admin
## Please DO NOT touch the following line
## @salted@
#[BASIC]
## Backend priority. Higher is first
#priority = 2
#admin = password
#user1 = otherpassword
## basicacl specific options
## Note: in case you leave this section commented, the user 'admin' will have
## access to all clients whereas other users will only see the client that have
## the same name
#[BASIC:ACL]
## Please note the double-quote around the username on the admin line are
## mandatory!
#admin = user1,user2
## You can also overwrite the default behavior by specifying which clients a
## user can access
#user3 = '["client4", "client5"]'
## In case you are not in a standalone mode, you can also specify which clients
## a user can access on a specific Agent
#user4 = '{"agent1": ["client6", "client7"], "agent2": ["client8"]}'
## If you set standalone to 'false', add at least one section like this per
## bui-agent
#[Agent:agent1]
## bui-agent address
#host = 192.168.1.1
## bui-agent port
#port = 10000
## bui-agent password
#password = azerty
## enable SSL
#ssl = true
#[Agent:agent2]
## bui-agent address
#host = 192.168.2.1
## bui-agent port
#port = 10000
## bui-agent password
#password = ytreza
## enable SSL
#ssl = true
# simple config for burp_ca
RANDFILE = /dev/urandom
CA_DIR = /tmp/burp2/CA
[ ca ]
dir = $ENV::CA_DIR
database = $dir/index.txt
serial = $dir/serial.txt
certs = $dir/certs
new_certs_dir = $dir/newcerts
crlnumber = $dir/crlnumber.txt
unique_subject = no
default_md = sha1
default_days = 7300
default_crl_days = 7300
#????
name_opt = ca_default
cert_opt = ca_default
x509_extensions = usr_cert
copy_extensions = copy
policy = policy_anything
[ usr_cert ]
basicConstraints = CA:FALSE
[ policy_anything ]
commonName = supplied
# This is an example config file for the burp server.
mode = server
# The default addresses to listen on depend upon compile time options.
# They may be overridden here.
address = 0.0.0.0
port = 4971
# Think carefully before changing the status port address, as it can be used
# to view the contents of backups.
status_address = 0.0.0.0
# If you do not wish to run a status server at all, comment status_port out.
status_port = 4972
directory = /srv/backup
dedup_group = global
clientconfdir = /etc/burp/clientconfdir
# Choose the protocol to use.
# 0 to decide automatically, 1 to force protocol1 mode (file level granularity
# with a pseudo mirrored storage on the server and optional rsync). 2 forces
# protocol2 mode (inline deduplication with variable length blocks).
# Like many other settings, this can be set per client in the clientconfdir
# files.
protocol = 1
pidfile = /tmp/burp.server.pid
hardlinked_archive = 1
working_dir_recovery_method = resume
max_children = 5
max_status_children = 10
umask = 0022
syslog = 1
stdout = 0
# The following options can restrict what the client can do.
# Restore clients can override all of these expect for force_backup.
client_can_delete = 1
# Set client_can_force_backup to 0 to only allow timed backups.
client_can_force_backup = 1
client_can_list = 1
# Set client_can_restore to 0 if you want restores to only be initialised by
# the server.
client_can_restore = 1
client_can_verify = 1
# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
# ratelimit = 1.5
# Network timeout defaults to 7200 seconds (2 hours).
network_timeout = 1800
# Server storage compression. Default is zlib9. Set to zlib0 to turn it off.
compression = gzip5
# When the client version does not match the server version, log a warning.
# Set to 0 to turn it off.
version_warn = 1
# More configuration files can be read, using syntax like the following
# (without the leading '# ').
# . path/to/more/conf
# Location of autoupgrade files to serve to clients. Leave it commented out
# to not autoupgrade clients.
# autoupgrade_dir = /etc/burp/autoupgrade/server
# You can have as many 'keep' lines as you like.
# For example, if running backups daily, setting 7, 4, 6 will keep
# 7 daily backups, 4 weekly, and 6 four-weekly backups.
keep = 7
keep = 4
keep = 6
# Run as different user/group.
user = burpui
group = burpui
# CA options.
# If you want your server to be a certificate authority and generate its own
# certificates, uncomment the following lines. If the directory specified in
# ca_conf does not exist, the server will create, populate it, and the paths
# indicated by ssl_cert_ca, ssl_cert, ssl_key and ssl_dhfile below will be
# overwritten. See docs/burp_ca.txt for more information.
ca_conf = /etc/burp/CA.cnf
ca_name = burpCA
ca_server_name = burpserver
ca_burp_ca = /usr/sbin/burp_ca
# Check for revoked certificates in the certificate revocation list.
# Turn this off if you use the old ssl_extra_checks_script server script.
ca_crl_check = 1
# SSL certificate authority - same file on both server and client
ssl_cert_ca = /etc/burp/ssl_cert_ca.pem
# Server SSL certificate
ssl_cert = /etc/burp/ssl_cert-server.pem
# Server SSL key
ssl_key = /etc/burp/ssl_cert-server.key
# Server SSL ciphers
#ssl_ciphers =
# Server SSL compression. Default is zlib5. Set to zlib0 to turn it off.
#ssl_compression = zlib5
# SSL key password, for loading a certificate with encryption.
#ssl_key_password = password
# Server DH file.
ssl_dhfile = /etc/burp/dhfile.pem
timer_script = /usr/share/burp/scripts/timer_script
# Ensure that 20 hours elapse between backups
# Available units:
# s (seconds), m (minutes), h (hours), d (days), w (weeks), n (months)
timer_arg = 1h
timer_arg = Mon,Tue,Wed,Thu,Fri,05,06,07,08,09,10,11,12,13,14,15,16,17,18,19,20,21
timer_arg = Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23
# Allow backups to start in the evenings and nights during weekdays
# Allow more hours at the weekend.
# Note that, if you specify no timebands, the default timer script will never
# allow backups.
# Uncomment the notify_success_* lines for email notifications of backups that
# succeeded.
# In the subject line, the following are substituted:
# %b - "backup"/"restore"/"verify"
# %c - client name
# %w - number of warnings, if any
#notify_success_script = /usr/share/burp/scripts/notify_script
#notify_success_arg = sendmail -t
#notify_success_arg = To: youremail@example.com
#notify_success_arg = From: burp
#notify_success_arg = Subject: %b succeeded: %c %w
# Uncomment the following to have success notifications only if there were
# warnings.
#notify_success_warnings_only = 1
# Uncomment the following to have success notifications only if there were
# new or changed files.
#notify_success_changes_only = 1
# Uncomment the following for email notifications of backups that failed.
#notify_failure_script = /usr/share/burp/scripts/notify_script
#notify_failure_arg = sendmail -t
#notify_failure_arg = To: youremail@example.com
#notify_failure_arg = From: burp
#notify_failure_arg = Subject: %b failed: %c %w
# The server can run scripts on each connection after authentication and before
# disconnecting.
#server_script_pre = /usr/share/burp/scripts/ssl_extra_checks_script
#server_script_pre_arg = /etc/burp/crl
#server_script_pre_arg = /etc/burp/burp-server.conf
#server_script_pre_arg = /usr/share/burp/scripts/server-pre-script.local
# Set server_script_pre_notify to 1 to have notifications on server_script_pre
# returning non-zero. Most people will want to leave this off - it could
# result in a lot of emails because clients normally connect once every 20
# minutes. Requires notify_failure_script to be set above.
#server_script_pre_notify = 0
#server_script_post =
#server_script_post_arg =
#server_script_post_arg =
#server_script_post_run_on_fail=0
# As for server_script_pre_notify, but for post.
#server_script_post_notify = 0
# Clients that are able to list and restore files belonging to any other
# client. If this is too permissive, you may set a restore_client for
# individual original clients in the individual clientconfdir files.
# restore_client = someclient
# restore_client = someotherclient
restore_client = agent
# Whether or not the server process should cache the tree when a monitor client
# is browsing a backup. Advantage: speed. Disadvantage: more memory is used.
monitor_browse_cache = 1
# This is an example config file for the burp client.
mode = client
port = 4971
status_port = 4972
server = ::1
password = abcdefgh
cname = agent
# Choose the protocol to use.
# 0 to decide automatically, 1 to force protocol1 mode (file level granularity
# with a pseudo mirrored storage on the server and optional rsync). 2 forces
# protocol2 mode (inline deduplication with variable length blocks).
protocol = 1
pidfile = /tmp/burp.client.pid
syslog = 1
stdout = 0
progress_counter = 1
# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
# ratelimit = 1.5
# Network timeout defaults to 7200 seconds (2 hours).
network_timeout = 72000
# The directory to which autoupgrade files will be downloaded.
# To never autoupgrade, leave it commented out.
# autoupgrade_dir=/opt/burp2/etc/autoupgrade/client
# OS path component for the autoupgrade directory on the server.
# autoupgrade_os=test_os
# Wait a random number of seconds between 0 and the given number before
# contacting the server on a timed backup.
# randomise = 1200
# Set server_can_restore to 0 if you do not want the server to be able to
# initiate a restore.
server_can_restore = 0
# Set an encryption password if you do not trust the server with your data.
# Note that this will mean that network deltas will not be possible. Each time
# a file changes, the whole file will be transferred on the next backup.
# encryption_password = My^$pAsswIrD%@
# More configuration files can be read, using syntax like the following
# (without the leading '# ').
# . path/to/more/conf
# Run as different user/group.
# user=graham
# group=nogroup
cross_filesystem=/home
cross_all_filesystems=0
# Uncomment the following lines to automatically generate a certificate signing
# request and send it to the server.
ca_burp_ca = /usr/sbin/burp_ca
ca_csr_dir = /etc/burp/CA-client
# SSL certificate authority - same file on both server and client
ssl_cert_ca = /etc/burp/ssl_cert_ca.pem
# Client SSL certificate
ssl_cert = /etc/burp/ssl_cert-client.pem
# Client SSL key
ssl_key = /etc/burp/ssl_cert-client.key
# Client SSL ciphers
#ssl_ciphers =
# Client SSL compression. Default is zlib5. Set to zlib0 to turn it off.
#ssl_compression = zlib5
# SSL key password
ssl_key_password = password
# Common name in the certificate that the server gives us
ssl_peer_cn = burpserver
# Example syntax for pre/post scripts
#backup_script_pre=/path/to/a/script
#backup_script_post=/path/to/a/script
#restore_script_pre=/path/to/a/script
#restore_script_post=/path/to/a/script
# The following options specify exactly what to backup.
# The server will override them if there is at least one 'include=' line on
# the server side.
include = /etc
include = /home
#exclude = /home/graham/testdir/librsync-0.9.7/testsuite
#include = /home/graham/testdir/librsync-0.9.7/testsuite/deep
#include = /home/graham/xdir
#exclude = /home/graham/testdir/libr
# Exclude file names ending in '.vdi' or '.vmdk' (case insensitive)
#exclude_ext = vdi
#exclude_ext = vmd
# Exlude file path matching a regular expression
# (note that 'include_regex' is not yet implemented)
#exclude_regex = \.cache
# Exclude various temporary file systems. You may want to add devfs, devpts,
# proc, ramfs, etc.
exclude_fs = sysfs
exclude_fs = tmpfs
# Exclude files based on size. Defaults are 0, which means no limit.
#min_file_size = 0 Mb
#max_file_size = 0 Mb
# The content of directories containing a filesystem entry named like this
# will not be backed up.
nobackup = .nobackup
# By default, burp backups up the fifos themselves, rather than reading from
# them. These two options let you choose a particular fifo to read, or read
# from all fifos.
#read_fifo=/path/to/a/fifo
#read_all_fifos=0
# The same for block device nodes.
#read_blockdev=/path/to/a/blockdev
#read_all_blockdevs=0
# Exclude files from compression by extension.
exclude_comp=bz2
exclude_comp=gz
# When backing up, whether to enable O_NOATIME when opening files and
# directories. The default is atime=0, which enables O_NOATIME.
#atime=1
# When enabled, this causes problems in the phase1 scan (such as an 'include'
# being missing) to be treated as fatal errors. The default is 0.
#scan_problem_raises_error=1
password = abcdefgh
label = color: #ffcc00
. inc/rules
password = abcdefgh
label = color: #9966ff
. inc/rules
timer_arg = 5m
timer_arg = Mon,Tue,Wed,Thu,Fri,Sat,Sun,00,01,02,03,04,05,06,07,08,09,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
keep = 7
keep = 4
CONFIG = {
'args': (
'--bind=0.0.0.0:5000',
'--user=burpui',
'--workers=5',
'--worker-class=gevent',
'--access-logfile=/var/log/gunicorn/burp-ui_access.log',
'--error-logfile=/var/log/gunicorn/burp-ui_error.log',
'burpui:init(logfile="/var/log/gunicorn/burp-ui_info.log")',
),
}
#!/bin/bash
set -e
trap appStop SIGINT SIGTERM
appStart () {
# start supervisord
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
chown -R burpui: /srv
echo "Starting crond..."
supervisorctl start cron >/dev/null
echo "Starting burp..."
supervisorctl start burp >/dev/null
echo "Starting redis..."
supervisorctl start redis >/dev/null
echo "Starting gunicorn..."
/etc/init.d/gunicorn restart >/dev/null
# watch the access logs
tail -F /var/log/gunicorn/burp-ui_info.log
}
appStop() {
echo ""