Skip to content
Leo Q edited this page Feb 4, 2024 · 12 revisions

docker部署

安装docker

curl -fsSL https://get.docker.com -o get-docker.sh | sudo sh
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

准备运行配置

具体可参考:https://github.com/hhyo/Archery/tree/master/src/docker-compose

docker-compose.yml文件内的services可按照本身的运行环境来调整,同时注意检查版本号是否正确,比如说外部已经装好了mysql、redis、inception,就可以将对应的services删除,但是需要注意修改settings.py文件的相关配置,具体可以参考修改配置

启动

下载 Releases文件,解压后进入docker-compose文件夹

# 启动
docker-compose -f docker-compose.yml up -d

# 表结构初始化
docker exec -ti archery /bin/bash
cd /opt/archery
source /opt/venv4archery/bin/activate
python3 manage.py makemigrations sql  
python3 manage.py migrate 

# 数据初始化
python3 manage.py dbshell<sql/fixtures/auth_group.sql
python3 manage.py dbshell<src/init_sql/mysql_slow_query_review.sql

# 创建管理用户
python3 manage.py createsuperuser

# 退出容器
exit

# 日志查看和问题排查
docker logs archery -f --tail=50

访问

http://127.0.0.1:9123

启动后配置

在启动后 Archery 有一些配置(如Inception , 资源组, 权限组等)需要按需配置, 请详细阅读 配置项说明 , 按照自己的需要进行配置

配置SSL/TLS

步骤

  1. 准备nginx证书 请自行准备

  2. 上传证书
    目录自定义。
    比如:docker-compse目录下,创建nginx/cert目录。

  3. 修改nginx配置
    增加443端口监听,并将http重定向至https端口。

  4. django配置settings.py

  5. 重新运行archery容器

  6. 验证
    注意:要清除cookie缓存。

示例

第1/2步省略
测试是在内网使用,没有域名,使用了私网ip,自签名证书。

  1. 修改nginx配置
server{
    listen 9123; #监听的端口
    server_name archery;
    client_max_body_size 20M;

    proxy_read_timeout 600s;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    return 301 https://$host$request_uri;
}

# Settings for a TLS enabled server.
server{
    listen 443 ssl; #监听的端口
    client_max_body_size 20M;
    proxy_read_timeout 600s;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/nginx/cert/192.168.1.3_chain.crt; # 配置证书文件地址
    ssl_certificate_key /etc/nginx/cert/192.168.1.3_key.key; # 配置密钥文件地址

    location / {
      proxy_pass http://127.0.0.1:8888;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Host  $host:9123;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /static {
      alias /opt/archery/static;
    }

    error_page 404 /404.html;
        location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
    }
}
  1. django配置settings.py
    增加如下安全配置项:
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
SECURE_SSL_REDIRECT = True                  # 将所有非SSL请求永久重定向到SSL
SESSION_COOKIE_SECURE = True                # 仅通过https传输cookie
CSRF_COOKIE_SECURE = True                   # 仅通过https传输cookie
SECURE_HSTS_INCLUDE_SUBDOMAINS = True       # 严格要求使用https协议传输
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_SECONDS = 60
SECURE_CONTENT_TYPE_NOSNIFF = True          # 防止浏览器猜测资产的内容类型
CSRF_TRUSTED_ORIGINS = ['192.168.1.3']
CORS_ORIGIN_WHITELIST = (
'192.168.1.3',
)
  1. 重新运行archery容器
    新建一个yml配置,单独重建archery容器:
version: '3'

services:
  archery:
    image: hhyo/archery:v1.8.5
    container_name: archery
    restart: always
    ports:
      - "9123:9123"
      - "443:443"
    volumes:
      - "./archery/settings.py:/opt/archery/archery/settings.py"
      - "./archery/soar.yaml:/etc/soar.yaml"
      - "./archery/docs.md:/opt/archery/docs/docs.md"
      - "./archery/downloads:/opt/archery/downloads"
      - "./archery/sql/migrations:/opt/archery/sql/migrations"
      - "./archery/logs:/opt/archery/logs"
      - "./archery/keys:/opt/archery/keys"
      - "./nginx/nginx.conf:/etc/nginx/nginx.conf"
      - "./nginx/cert:/etc/nginx/cert"
    entrypoint: "dockerize -wait tcp://mysql:3306 -wait tcp://redis:6379 -timeout 60s /opt/archery/src/docker/startup.sh"
    environment:
      NGINX_PORT: 9123
    networks:
      - "archery-184_default"

networks:
  archery-184_default:
    external: true
  1. 验证
    重建archery容器后,清除浏览器cookie缓存验证。