-
Notifications
You must be signed in to change notification settings - Fork 1.7k
docker
Leo Q edited this page Feb 4, 2024
·
12 revisions
curl -fsSL https://get.docker.com -o get-docker.sh | sudo sh
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
具体可参考:https://github.com/hhyo/Archery/tree/master/src/docker-compose
docker-compose.yml文件内的services可按照本身的运行环境来调整,同时注意检查版本号是否正确,比如说外部已经装好了mysql、redis、inception,就可以将对应的services删除,但是需要注意修改settings.py文件的相关配置,具体可以参考修改配置
下载 Releases文件,解压后进入docker-compose文件夹
# 启动
docker-compose -f docker-compose.yml up -d
# 表结构初始化
docker exec -ti archery /bin/bash
cd /opt/archery
source /opt/venv4archery/bin/activate
python3 manage.py makemigrations sql
python3 manage.py migrate
# 数据初始化
python3 manage.py dbshell<sql/fixtures/auth_group.sql
python3 manage.py dbshell<src/init_sql/mysql_slow_query_review.sql
# 创建管理用户
python3 manage.py createsuperuser
# 退出容器
exit
# 日志查看和问题排查
docker logs archery -f --tail=50
在启动后 Archery 有一些配置(如Inception , 资源组, 权限组等)需要按需配置, 请详细阅读 配置项说明 , 按照自己的需要进行配置
-
准备nginx证书 请自行准备
-
上传证书
目录自定义。
比如:docker-compse目录下,创建nginx/cert目录。 -
修改nginx配置
增加443端口监听,并将http重定向至https端口。 -
django配置settings.py
-
重新运行archery容器
-
验证
注意:要清除cookie缓存。
第1/2步省略
测试是在内网使用,没有域名,使用了私网ip,自签名证书。
- 修改nginx配置
server{
listen 9123; #监听的端口
server_name archery;
client_max_body_size 20M;
proxy_read_timeout 600s;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
return 301 https://$host$request_uri;
}
# Settings for a TLS enabled server.
server{
listen 443 ssl; #监听的端口
client_max_body_size 20M;
proxy_read_timeout 600s;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /etc/nginx/cert/192.168.1.3_chain.crt; # 配置证书文件地址
ssl_certificate_key /etc/nginx/cert/192.168.1.3_key.key; # 配置密钥文件地址
location / {
proxy_pass http://127.0.0.1:8888;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host:9123;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /static {
alias /opt/archery/static;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
- django配置settings.py
增加如下安全配置项:
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
SECURE_SSL_REDIRECT = True # 将所有非SSL请求永久重定向到SSL
SESSION_COOKIE_SECURE = True # 仅通过https传输cookie
CSRF_COOKIE_SECURE = True # 仅通过https传输cookie
SECURE_HSTS_INCLUDE_SUBDOMAINS = True # 严格要求使用https协议传输
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_SECONDS = 60
SECURE_CONTENT_TYPE_NOSNIFF = True # 防止浏览器猜测资产的内容类型
CSRF_TRUSTED_ORIGINS = ['192.168.1.3']
CORS_ORIGIN_WHITELIST = (
'192.168.1.3',
)
- 重新运行archery容器
新建一个yml配置,单独重建archery容器:
version: '3'
services:
archery:
image: hhyo/archery:v1.8.5
container_name: archery
restart: always
ports:
- "9123:9123"
- "443:443"
volumes:
- "./archery/settings.py:/opt/archery/archery/settings.py"
- "./archery/soar.yaml:/etc/soar.yaml"
- "./archery/docs.md:/opt/archery/docs/docs.md"
- "./archery/downloads:/opt/archery/downloads"
- "./archery/sql/migrations:/opt/archery/sql/migrations"
- "./archery/logs:/opt/archery/logs"
- "./archery/keys:/opt/archery/keys"
- "./nginx/nginx.conf:/etc/nginx/nginx.conf"
- "./nginx/cert:/etc/nginx/cert"
entrypoint: "dockerize -wait tcp://mysql:3306 -wait tcp://redis:6379 -timeout 60s /opt/archery/src/docker/startup.sh"
environment:
NGINX_PORT: 9123
networks:
- "archery-184_default"
networks:
archery-184_default:
external: true
- 验证
重建archery容器后,清除浏览器cookie缓存验证。