Docker deployment issues
Hi,
I just finished setting up Docker based burp-ui. I have followed the docs and it was not as straightforward as it could / should be:
- Volume mapping for burpui was not working for me - directories were not mapped. I had to use the following volume mapping (part after colon added):
  volumes:
    - /etc/burp:/etc/burp
    - /var/spool/burp:/var/spool/burp
    - /var/lib/burp:/var/lib/burp
- Timezone for redis and pgsql was not set, so logs were confusing. To fix, I used the following:
  redis:
    restart: always
    image: redis
    environment:
      - TZ=Europe/Paris
  pgsql:
    restart: always
    image: registry.ziirish.me/ziirish/burp-ui/pgsql:10
    environment:
      - TZ=Europe/Paris
      - PGTZ=Europe/Paris
      - POSTGRES_PASSWORD=password
    volumes:
      - /var/lib/buistore/pgsql/10/data:/var/lib/postgresql/data
- Reverse proxy - socket.io
  - I have specified prefix in [Production] of burpui.cfg - socket.io doesn't respect this prefix and is every time on the /socket.io/ path
  - As a result, another section for reverse proxy is needed. My apache setup:
    ProxyPass /socket.io/ http://localhost:5000/socket.io/
    ProxyPassReverse /socket.io/ http://localhost:5000/socket.io/
    <Location /socket.io/>
        RequestHeader edit "Referer" ^https://www.example.org/burp/clients$ "http://localhost:5000/burp/clients"
        RequestHeader edit "Origin" ^https://www.example.org$ "http://localhost:5000"
        Header edit "Access-Control-Allow-Origin" .* "https://www.example.org"
        ProxyPassReverse /socket.io/
        Require all granted
        RewriteEngine on
        RewriteCond %{HTTP:UPGRADE} =websocket [NC]
        RewriteRule .* ws://localhost:5000%{REQUEST_URI} [P,L]
    </Location>
- Issue with origin - when using without header overwrites (see previous Apache example), then:
  - POST requests going to websocket were rejected with 400 error because of incorrect origin (fixed by correcting Referer and Origin header)
  - Probably could be solved by having configuration option with allowed origins that would be applied in the code - similar issue explained here
  - Returned responses did not contain correct Access-Control-Allow-Origin - there was localhost.
- There was some issue with ACL. If I left the default settings, I was constantly getting CSRF token error. Here I'm not sure what helped. Maybe uncommenting [BASIC:AUTH] and creating admin user.
- Security - more and more installations get rid of preset passwords (admin/admin). It would be better to generate / request passwords on initial setup from the user (with possibility to pass passwords as parameters for automated install).
  - appsecret in burpui.cfg - should be automatically generated as well if used with docker-compose setup
- Very high memory usage - when running the default Docker setup, it consumes 1.5GB of memory just for burpui container, which is a lot, esp. when used on home family server and most of the time burp does nothing
  - Each celery / gunicorn / flask process uses 70 - 85 MB of RAM
  - Total of 34 processes:
    - Websocket - 8x
    - Celery worker - 9x
    - Gunicorn - 16x
    - Celery beat - 1x
- It would be nice to have some note on memory consumption in documentation and example of some settings suitable for family targeted setups with relatively limited number of clients / users.
Otherwise thank you for this nice piece of software.
Jan
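
The allowed-origins option suggested in the post, sketched as an added example (not burp-ui's code and not part of the original post): the Origin header is parsed and compared component by component against a configured list, and the matched origin is what goes back in Access-Control-Allow-Origin. The function names and the comma-separated option format are assumptions; the sample origins are constructed from the Apache example above.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return (scheme, host, port) for a serialized origin, or None if it is not one."""
    if not value or value == "null":
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An Origin header carries no path, query, fragment or credentials.
    if parts.path not in ("", "/") or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    return parts.scheme, parts.hostname.lower(), port or DEFAULT_PORTS[parts.scheme]


def build_allowlist(configured):
    """Parse the (hypothetical) comma-separated option once at start-up; refuse bad entries."""
    allowed = set()
    for entry in configured.split(","):
        origin = normalize_origin(entry)
        if origin is None:
            raise ValueError(f"invalid origin in configuration: {entry!r}")
        allowed.add(origin)
    return allowed


def check_origin(header, allowed):
    """Return the Access-Control-Allow-Origin value to send, or None to reject the request."""
    origin = normalize_origin(header)
    if origin is None or origin not in allowed:
        return None
    scheme, host, port = origin
    suffix = "" if port == DEFAULT_PORTS[scheme] else f":{port}"
    return f"{scheme}://{host}{suffix}"


# Constructed sample: the public URL behind the proxy plus the backend address.
ALLOWED = build_allowlist("https://www.example.org, http://localhost:5000")
```

With a check like this in the application, the proxy can pass Origin and Referer through unchanged instead of rewriting them to the backend address.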