├── 9 ├── Dockerfile ├── ci.sh ├── config │ ├── ldapUserSync │ │ ├── config.py │ │ └── ldapUserSync.py │ ├── main.cf_template │ ├── redis.config │ └── sasl_passwd_template ├── start └── test.sh ├── .github └── stale.yml ├── .gitignore ├── .travis.yml ├── LICENSE ├── README.md ├── conf ├── nginx.conf └── nginx_ssl.conf └── docker-compose.yml /.github/stale.yml: -------------------------------------------------------------------------------- 1 | # Number of days of inactivity before an issue becomes stale 2 | daysUntilStale: 60 3 | # Number of days of inactivity before a stale issue is closed 4 | daysUntilClose: 30 5 | # Issues with these labels will never be considered stale 6 | exemptLabels: 7 | - pinned 8 | - security 9 | - Feature Request 10 | - enhancement 11 | # Label to use when marking an issue as stale 12 | staleLabel: stale 13 | # Comment to post when marking an issue as stale. Set to `false` to disable 14 | markComment: > 15 | This issue has been automatically marked as stale because it has not had 16 | recent activity. It will be closed in 30 days if no further activity occurs. 17 | Thank you for your contributions. 18 | # Comment to post when closing a stale issue. Set to `false` to disable 19 | closeComment: > 20 | This issue has been automatically closed because it has not had 21 | recent activity. Issue creator may reopen if the issue still exists. 22 | Thank you for your contributions. 
23 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 8/images 2 | 8/logs 3 | 9/images 4 | 9/logs 5 | 6 | data/ 7 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | sudo: required 2 | services: 3 | - docker 4 | script: 5 | - 9/ci.sh 6 | 7 | notifications: 8 | slack: 9 | secure: I01kvX71vWivneJVHCN6vlSM4rFJU2Awi3uXn24ZtuAeFN1DCp+GLkRBzcVeRAKQcA3WYPemWbJgYPCkBfprl1gxcatCoBcey2Vv4cYyXOy62dgHDAyeD040VNgA94u5h/Fkd6T0cW1ankCSIMP90tZcwE2YS3ba9I5S1S8v0ao= 10 | env: 11 | global: 12 | - secure: QJzHjhPwG0nQ9/m3y+xRTJ2S4N08v2SVTjlrw3Cvf8Ja55LKsFlXf/1T40WIVba7IQKPsUiSBxDPBjRoXltJj7ZRCVfm3ZW3BFKVyGzswNQOwPraxNCq1aNRMNpW8OQggN94Rn+g641iBWkHhfnLL7yqv1phNi1jFpFfwhhUA4A= 13 | - secure: LpxNv01FUNMjNcCgmTaPG6xa8T+GeTG6NPGpcUniDvlK1u+CkCE60Z/OLqBtxTQ6OfcEPTky1nc0wWpcMXz8saiTycKOo1AEXuP0x+J2YGozjQvfnO2rEUM8l+ts+h6Zt+gewzQB5/XKQ6uAIANs07d4/ydXbJjT7QGMVbuOnIs= 14 | -------------------------------------------------------------------------------- /9/Dockerfile: -------------------------------------------------------------------------------- 1 | # Start by pulling down our existing container 2 | # to sync 1.9 Gb of data from OpenVAS. 
3 | FROM mikesplain/openvas 4 | 5 | FROM ubuntu:16.04 6 | 7 | COPY --from=0 /var/lib/openvas /var/lib/openvas 8 | COPY config/redis.config /etc/redis/redis.config 9 | COPY config/sasl_passwd_template / 10 | COPY config/main.cf_template / 11 | COPY config/ldapUserSync/* /ldapUserSync/ 12 | COPY start /start 13 | 14 | ENV DEBIAN_FRONTEND=noninteractive \ 15 | OV_PASSWORD=admin \ 16 | PUBLIC_HOSTNAME=openvas 17 | 18 | RUN apt-get update && \ 19 | apt-get install software-properties-common --no-install-recommends -yq && \ 20 | add-apt-repository ppa:mikesplain/openvas -y && \ 21 | add-apt-repository ppa:mrazavi/openvas -y && \ 22 | apt-get clean && \ 23 | apt-get update && \ 24 | apt-get install alien \ 25 | autotools-dev \ 26 | bind9-host \ 27 | binutils \ 28 | bsdmainutils \ 29 | build-essential \ 30 | bzip2 \ 31 | ca-certificates \ 32 | cpio \ 33 | cpp \ 34 | cpp-5 \ 35 | curl \ 36 | debhelper \ 37 | debugedit \ 38 | dh-python \ 39 | dh-strip-nondeterminism \ 40 | dirb \ 41 | dirmngr \ 42 | dnsutils \ 43 | dpkg-dev \ 44 | fakeroot \ 45 | file \ 46 | fontconfig \ 47 | fontconfig-config \ 48 | fonts-dejavu-core \ 49 | fonts-lato \ 50 | fonts-liberation \ 51 | fonts-lmodern \ 52 | fonts-texgyre \ 53 | g++ \ 54 | g++-5 \ 55 | gcc \ 56 | gcc-5 \ 57 | geoip-database \ 58 | gettext \ 59 | gettext-base \ 60 | ghostscript \ 61 | gir1.2-glib-2.0:amd64 \ 62 | gnupg-agent \ 63 | gnupg2 \ 64 | gnutls-bin \ 65 | graphviz \ 66 | groff-base \ 67 | gsfonts \ 68 | hicolor-icon-theme \ 69 | ifupdown \ 70 | intltool-debian \ 71 | iproute2 \ 72 | isc-dhcp-client \ 73 | isc-dhcp-common \ 74 | javascript-common \ 75 | ldap-utils \ 76 | libalgorithm-diff-perl \ 77 | libalgorithm-diff-xs-perl \ 78 | libalgorithm-merge-perl \ 79 | libapr1:amd64 \ 80 | libaprutil1:amd64 \ 81 | libarchive-zip-perl \ 82 | libarchive13:amd64 \ 83 | libasan2:amd64 \ 84 | libasn1-8-heimdal:amd64 \ 85 | libasprintf-dev:amd64 \ 86 | libasprintf0v5:amd64 \ 87 | libassuan0:amd64 \ 88 | libatk1.0-0:amd64 \ 89 | 
libatk1.0-data \ 90 | libatm1:amd64 \ 91 | libatomic1:amd64 \ 92 | libauthen-sasl-perl \ 93 | libavahi-client3:amd64 \ 94 | libavahi-common-data:amd64 \ 95 | libavahi-common3:amd64 \ 96 | libbind9-140:amd64 \ 97 | libblas-common \ 98 | libblas3 \ 99 | libbsd0:amd64 \ 100 | libc-dev-bin \ 101 | libc6-dev:amd64 \ 102 | libcairo2:amd64 \ 103 | libcc1-0:amd64 \ 104 | libcdt5 \ 105 | libcgraph6 \ 106 | libcilkrts5:amd64 \ 107 | libcroco3:amd64 \ 108 | libcups2:amd64 \ 109 | libcupsfilters1:amd64 \ 110 | libcupsimage2:amd64 \ 111 | libcurl3:amd64 \ 112 | libcurl3-gnutls:amd64 \ 113 | libdatrie1:amd64 \ 114 | libdbus-1-3:amd64 \ 115 | libdns-export162 \ 116 | libdns162:amd64 \ 117 | libdpkg-perl \ 118 | libdrm-amdgpu1:amd64 \ 119 | libdrm-common \ 120 | libdrm-intel1:amd64 \ 121 | libdrm-nouveau2:amd64 \ 122 | libdrm-radeon1:amd64 \ 123 | libdrm2:amd64 \ 124 | libedit2:amd64 \ 125 | libelf1:amd64 \ 126 | libencode-locale-perl \ 127 | libexpat1:amd64 \ 128 | libfakeroot:amd64 \ 129 | libffi6:amd64 \ 130 | libfile-basedir-perl \ 131 | libfile-desktopentry-perl \ 132 | libfile-fcntllock-perl \ 133 | libfile-homedir-perl \ 134 | libfile-listing-perl \ 135 | libfile-mimeinfo-perl \ 136 | libfile-stripnondeterminism-perl \ 137 | libfile-which-perl \ 138 | libfont-afm-perl \ 139 | libfontconfig1:amd64 \ 140 | libfontenc1:amd64 \ 141 | libfreetype6:amd64 \ 142 | libgcc-5-dev:amd64 \ 143 | libgd3:amd64 \ 144 | libgdbm3:amd64 \ 145 | libgdk-pixbuf2.0-0:amd64 \ 146 | libgdk-pixbuf2.0-common \ 147 | libgeoip1:amd64 \ 148 | libgettextpo-dev:amd64 \ 149 | libgettextpo0:amd64 \ 150 | libgirepository-1.0-1:amd64 \ 151 | libgl1-mesa-dri:amd64 \ 152 | libgl1-mesa-glx:amd64 \ 153 | libglapi-mesa:amd64 \ 154 | libglib2.0-0:amd64 \ 155 | libgmp10:amd64 \ 156 | libgnutls30:amd64 \ 157 | libgomp1:amd64 \ 158 | libgpgme11:amd64 \ 159 | libgraphite2-3:amd64 \ 160 | libgs9:amd64 \ 161 | libgs9-common \ 162 | libgssapi-krb5-2:amd64 \ 163 | libgssapi3-heimdal:amd64 \ 164 | libgtk2.0-0:amd64 \ 165 | 
libgtk2.0-bin \ 166 | libgtk2.0-common \ 167 | libgtksourceview2.0-0 \ 168 | libgtksourceview2.0-common \ 169 | libgvc6 \ 170 | libgvpr2 \ 171 | libharfbuzz-icu0:amd64 \ 172 | libharfbuzz0b:amd64 \ 173 | libhcrypto4-heimdal:amd64 \ 174 | libheimbase1-heimdal:amd64 \ 175 | libheimntlm0-heimdal:amd64 \ 176 | libhiredis0.13:amd64 \ 177 | libhogweed4:amd64 \ 178 | libhtml-form-perl \ 179 | libhtml-format-perl \ 180 | libhtml-parser-perl \ 181 | libhtml-tagset-perl \ 182 | libhtml-tree-perl \ 183 | libhttp-cookies-perl \ 184 | libhttp-daemon-perl \ 185 | libhttp-date-perl \ 186 | libhttp-message-perl \ 187 | libhttp-negotiate-perl \ 188 | libhx509-5-heimdal:amd64 \ 189 | libice6:amd64 \ 190 | libicu55:amd64 \ 191 | libidn11:amd64 \ 192 | libijs-0.35:amd64 \ 193 | libio-html-perl \ 194 | libio-socket-ssl-perl \ 195 | libipc-system-simple-perl \ 196 | libisc-export160 \ 197 | libisc160:amd64 \ 198 | libisccc140:amd64 \ 199 | libisccfg140:amd64 \ 200 | libisl15:amd64 \ 201 | libitm1:amd64 \ 202 | libjbig0:amd64 \ 203 | libjbig2dec0 \ 204 | libjemalloc1 \ 205 | libjpeg-turbo8:amd64 \ 206 | libjpeg8:amd64 \ 207 | libjs-jquery \ 208 | libk5crypto3:amd64 \ 209 | libkeyutils1:amd64 \ 210 | libkpathsea6:amd64 \ 211 | libkrb5-26-heimdal:amd64 \ 212 | libkrb5-3:amd64 \ 213 | libkrb5support0:amd64 \ 214 | libksba8:amd64 \ 215 | liblcms2-2:amd64 \ 216 | libldap-2.4-2:amd64 \ 217 | libldb1:amd64 \ 218 | liblinear3:amd64 \ 219 | libllvm6.0:amd64 \ 220 | liblsan0:amd64 \ 221 | libltdl7:amd64 \ 222 | liblua5.2-0:amd64 \ 223 | liblwp-mediatypes-perl \ 224 | liblwp-protocol-https-perl \ 225 | liblwres141:amd64 \ 226 | liblzo2-2:amd64 \ 227 | libmagic1:amd64 \ 228 | libmail-sendmail-perl \ 229 | libmailtools-perl \ 230 | libmicrohttpd10 \ 231 | libmnl0:amd64 \ 232 | libmpc3:amd64 \ 233 | libmpdec2:amd64 \ 234 | libmpfr4:amd64 \ 235 | libmpx0:amd64 \ 236 | libnet-dbus-perl \ 237 | libnet-http-perl \ 238 | libnet-smtp-ssl-perl \ 239 | libnet-ssleay-perl \ 240 | libnettle6:amd64 \ 241 | 
libnpth0:amd64 \ 242 | libnspr4:amd64 \ 243 | libnss3:amd64 \ 244 | libnss3-nssdb \ 245 | libopenvas9 \ 246 | libopenvas9-dev \ 247 | libopts25:amd64 \ 248 | libp11-kit0:amd64 \ 249 | libpango-1.0-0:amd64 \ 250 | libpangocairo-1.0-0:amd64 \ 251 | libpangoft2-1.0-0:amd64 \ 252 | libpaper-utils \ 253 | libpaper1:amd64 \ 254 | libpathplan4 \ 255 | libpcap0.8:amd64 \ 256 | libpci3:amd64 \ 257 | libpciaccess0:amd64 \ 258 | libperl5.22:amd64 \ 259 | libpipeline1:amd64 \ 260 | libpixman-1-0:amd64 \ 261 | libpng12-0:amd64 \ 262 | libpoppler58:amd64 \ 263 | libpopt0:amd64 \ 264 | libpotrace0 \ 265 | libptexenc1:amd64 \ 266 | libpython-stdlib:amd64 \ 267 | libpython2.7:amd64 \ 268 | libpython2.7-minimal:amd64 \ 269 | libpython2.7-stdlib:amd64 \ 270 | libpython3-stdlib:amd64 \ 271 | libpython3.5-minimal:amd64 \ 272 | libpython3.5-stdlib:amd64 \ 273 | libquadmath0:amd64 \ 274 | libroken18-heimdal:amd64 \ 275 | librpm3 \ 276 | librpmbuild3 \ 277 | librpmio3 \ 278 | librpmsign3 \ 279 | librtmp1:amd64 \ 280 | libruby2.3:amd64 \ 281 | libsasl2-2:amd64 \ 282 | libsasl2-modules:amd64 \ 283 | libsasl2-modules-db:amd64 \ 284 | libsensors4:amd64 \ 285 | libserf-1-1:amd64 \ 286 | libsm6:amd64 \ 287 | libsmbclient:amd64 \ 288 | libsnmp-base \ 289 | libsnmp30:amd64 \ 290 | libsqlite3-0:amd64 \ 291 | libssh-4:amd64 \ 292 | libssl1.0.0:amd64 \ 293 | libstdc++-5-dev:amd64 \ 294 | libsvn1:amd64 \ 295 | libsynctex1:amd64 \ 296 | libsys-hostname-long-perl \ 297 | libtalloc2:amd64 \ 298 | libtasn1-6:amd64 \ 299 | libtcl8.6:amd64 \ 300 | libtdb1:amd64 \ 301 | libtevent0:amd64 \ 302 | libtexlua52:amd64 \ 303 | libtexluajit2:amd64 \ 304 | libtext-iconv-perl \ 305 | libthai-data \ 306 | libthai0:amd64 \ 307 | libtie-ixhash-perl \ 308 | libtiff5:amd64 \ 309 | libtimedate-perl \ 310 | libtk8.6:amd64 \ 311 | libtsan0:amd64 \ 312 | libtxc-dxtn-s2tc0:amd64 \ 313 | libubsan0:amd64 \ 314 | libunistring0:amd64 \ 315 | liburi-perl \ 316 | libutempter0:amd64 \ 317 | libvpx3:amd64 \ 318 | libwbclient0:amd64 \ 
319 | libwhisker2-perl \ 320 | libwind0-heimdal:amd64 \ 321 | libwrap0:amd64 \ 322 | libwww-perl \ 323 | libwww-robotrules-perl \ 324 | libx11-6:amd64 \ 325 | libx11-data \ 326 | libx11-protocol-perl \ 327 | libx11-xcb1:amd64 \ 328 | libxau6:amd64 \ 329 | libxaw7:amd64 \ 330 | libxcb-dri2-0:amd64 \ 331 | libxcb-dri3-0:amd64 \ 332 | libxcb-glx0:amd64 \ 333 | libxcb-present0:amd64 \ 334 | libxcb-render0:amd64 \ 335 | libxcb-shape0:amd64 \ 336 | libxcb-shm0:amd64 \ 337 | libxcb-sync1:amd64 \ 338 | libxcb1:amd64 \ 339 | libxcomposite1:amd64 \ 340 | libxcursor1:amd64 \ 341 | libxdamage1:amd64 \ 342 | libxdmcp6:amd64 \ 343 | libxext6:amd64 \ 344 | libxfixes3:amd64 \ 345 | libxft2:amd64 \ 346 | libxi6:amd64 \ 347 | libxinerama1:amd64 \ 348 | libxml-parser-perl \ 349 | libxml-twig-perl \ 350 | libxml-xpathengine-perl \ 351 | libxml2:amd64 \ 352 | libxmu6:amd64 \ 353 | libxmuu1:amd64 \ 354 | libxpm4:amd64 \ 355 | libxrandr2:amd64 \ 356 | libxrender1:amd64 \ 357 | libxshmfence1:amd64 \ 358 | libxslt1.1:amd64 \ 359 | libxss1:amd64 \ 360 | libxt6:amd64 \ 361 | libxtables11:amd64 \ 362 | libxtst6:amd64 \ 363 | libxv1:amd64 \ 364 | libxxf86dga1:amd64 \ 365 | libxxf86vm1:amd64 \ 366 | libyaml-0-2:amd64 \ 367 | libyaml-tiny-perl \ 368 | libzzip-0-13:amd64 \ 369 | linux-libc-dev:amd64 \ 370 | lmodern \ 371 | lua-lpeg:amd64 \ 372 | make \ 373 | man-db \ 374 | manpages \ 375 | manpages-dev \ 376 | mime-support \ 377 | ndiff \ 378 | net-tools \ 379 | netbase \ 380 | nikto \ 381 | nmap \ 382 | nsis \ 383 | nsis-common \ 384 | openssh-client \ 385 | openssl \ 386 | openvas9 \ 387 | openvas9-cli \ 388 | openvas9-gsa \ 389 | openvas9-manager \ 390 | openvas9-scanner \ 391 | patch \ 392 | perl \ 393 | perl-modules-5.22 \ 394 | pinentry-curses \ 395 | po-debconf \ 396 | poppler-data \ 397 | postfix \ 398 | preview-latex-style \ 399 | prosper \ 400 | ps2eps \ 401 | python \ 402 | python-beautifulsoup \ 403 | python-bs4 \ 404 | python-cairo \ 405 | python-cffi-backend \ 406 | python-chardet \ 
407 | python-crypto \ 408 | python-cryptography \ 409 | python-defusedxml \ 410 | python-enum34 \ 411 | python-gi \ 412 | python-gobject \ 413 | python-gobject-2 \ 414 | python-gtk2 \ 415 | python-gtksourceview2 \ 416 | python-html5lib \ 417 | python-idna \ 418 | python-ipaddress \ 419 | python-ldb \ 420 | python-lxml \ 421 | python-minimal \ 422 | python-ndg-httpsclient \ 423 | python-openssl \ 424 | python-pkg-resources \ 425 | python-pyasn1 \ 426 | python-pypdf \ 427 | python-pysqlite2 \ 428 | python-requests \ 429 | python-samba \ 430 | python-scapy \ 431 | python-simplejson \ 432 | python-six \ 433 | python-soappy \ 434 | python-svn \ 435 | python-talloc \ 436 | python-tdb \ 437 | python-urllib3 \ 438 | python-wstools \ 439 | python2.7 \ 440 | python2.7-minimal \ 441 | python3 \ 442 | python3-minimal \ 443 | python3.5 \ 444 | python3.5-minimal \ 445 | rake \ 446 | redis-server \ 447 | redis-tools \ 448 | rename \ 449 | rpm \ 450 | rpm-common \ 451 | rpm2cpio \ 452 | rsync \ 453 | ruby \ 454 | ruby-did-you-mean \ 455 | ruby-minitest \ 456 | ruby-net-telnet \ 457 | ruby-power-assert \ 458 | ruby-test-unit \ 459 | ruby2.3 \ 460 | rubygems-integration \ 461 | samba-common \ 462 | samba-common-bin \ 463 | samba-libs:amd64 \ 464 | sgml-base \ 465 | shared-mime-info \ 466 | smbclient \ 467 | socat \ 468 | sqlite3 \ 469 | sshpass \ 470 | ssl-cert \ 471 | t1utils \ 472 | tcl \ 473 | tcl8.6 \ 474 | tcpd \ 475 | tex-common \ 476 | tex-gyre \ 477 | texlive-base \ 478 | texlive-binaries \ 479 | texlive-extra-utils \ 480 | texlive-font-utils \ 481 | texlive-fonts-recommended \ 482 | texlive-fonts-recommended-doc \ 483 | texlive-generic-recommended \ 484 | texlive-latex-base \ 485 | texlive-latex-extra \ 486 | texlive-latex-recommended \ 487 | texlive-pictures \ 488 | texlive-pstricks \ 489 | tipa \ 490 | tk \ 491 | tk8.6 \ 492 | tzdata \ 493 | ucf \ 494 | unzip \ 495 | w3af \ 496 | w3af-console \ 497 | wapiti \ 498 | wget \ 499 | x11-common \ 500 | x11-utils \ 501 | 
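x11-xserver-utils \
xauth \
xbitmaps \
xdg-utils \
xml-core \
xsltproc \
xterm \
xz-utils \
zip \
-yq --no-install-recommends && \
rm -rf /var/lib/apt/lists/*

# Arachni is a prebuilt tarball from a GitHub release.  The tag is pinned but
# nothing verifies the archive; record the expected sha256 and check it here
# (the digest is not known from this file, so it is not invented).
RUN wget -q --https-only https://github.com/Arachni/arachni/releases/download/v1.5.1/arachni-1.5.1-0.5.12-linux-x86_64.tar.gz && \
    tar -zxf arachni-1.5.1-0.5.12-linux-x86_64.tar.gz && \
    mv arachni-1.5.1-0.5.12 /opt/arachni && \
    ln -s /opt/arachni/bin/* /usr/local/bin/ && \
    rm -rf arachni*

# openvas-check-setup is third-party code (a fork, fetched from the moving
# "master" ref) that /start executes as root on every container start.
# TLS verification is on again (ca-certificates is installed above); pinning
# the URL to a commit SHA and checking a digest would be better still.
RUN mkdir -p /var/run/redis && \
    wget -q --https-only \
        https://raw.githubusercontent.com/kurobeats/OpenVas-Management-Scripts/master/openvas-check-setup \
        -O /openvas-check-setup && \
    chmod +x /openvas-check-setup && \
    # Manager: bind all interfaces so "-p 9390:9390" works (README).  Anything
    # that can reach 9390 gets the OMP protocol, so publish it deliberately.
    sed -i 's/DAEMON_ARGS=""/DAEMON_ARGS="-a 0.0.0.0 --client-watch-interval=0"/' /etc/init.d/openvas-manager && \
    # GSA: reach the manager over loopback only; refuse SSLv3, TLS 1.0 and
    # TLS 1.1 as well as the CBC suites the original priority string dropped.
    sed -i 's/DAEMON_ARGS=""/DAEMON_ARGS="--mlisten 127.0.0.1 -m 9390 --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"/' /etc/init.d/openvas-gsa && \
    sed -i '/^\[ -n "$HTTP_STS_MAX_AGE" \]/a[ -n "$PUBLIC_HOSTNAME" ] && DAEMON_ARGS="$DAEMON_ARGS --allow-header-host=$PUBLIC_HOSTNAME"' /etc/init.d/openvas-gsa && \
    sed -i 's/PORT_NUMBER=4000/PORT_NUMBER=443/' /etc/default/openvas-gsa && \
    # sed -i exits 0 even when its pattern no longer matches; fail the build
    # rather than ship an image whose TLS/port hardening was silently dropped.
    grep -q -- '--gnutls-priorities=' /etc/init.d/openvas-gsa && \
    grep -q -- '--allow-header-host=' /etc/init.d/openvas-gsa && \
    grep -q 'PORT_NUMBER=443' /etc/default/openvas-gsa && \
    greenbone-nvt-sync > /dev/null && \
    greenbone-scapdata-sync > /dev/null && \
    greenbone-certdata-sync > /dev/null && \
    BUILD=true /start && \
    service openvas-scanner stop && \
    service openvas-manager stop && \
    service openvas-gsa stop && \
    service redis-server stop


ENV BUILD=""

CMD /start

# 443: Greenbone Security Assistant (HTTPS).  9390: OpenVAS Manager (OMP);
# the manager listens on 0.0.0.0, so only publish 9390 when remote OMP
# clients are expected.
EXPOSE 443 9390
--------------------------------------------------------------------------------
/9/ci.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# CI driver (Travis): build the OpenVAS 9 image, optionally push it to quay.io
# under a per-build tag, then run the smoke test.  Note the push happens
# before the test, so the travis-* tag may point at a broken image.

echo "Setup"

# Log in only when registry credentials were injected (Travis encrypted env).
# The password goes in on stdin instead of -p, so it never appears in the
# process list or the CI log.  --password-stdin needs Docker >= 17.07.
if [ -n "$QUAY_PASSWORD" ]; then
    printf '%s' "${QUAY_PASSWORD}" | docker login -u "${QUAY_USER}" --password-stdin quay.io
fi

cd "$(dirname "$0")" || exit 1
mkdir -p logs images

docker build -t openvas9 .
docker tag openvas9 "quay.io/mikesplain/openvas:travis-${TRAVIS_BUILD_ID}"

if [ -n "$QUAY_PASSWORD" ]; then
    docker push "quay.io/mikesplain/openvas:travis-${TRAVIS_BUILD_ID}"
fi

# test.sh exits non-zero on failure; propagate it.
if ! ./test.sh; then
    echo "Test failure. Look in log to debug."
    exit 1
fi

echo "Test Complete!"
--------------------------------------------------------------------------------
/9/config/ldapUserSync/config.py:
--------------------------------------------------------------------------------
# Fallback settings for ldapUserSync.py.  Every key can be overridden by an
# environment variable of the same name in upper case (see get_config()), which
# is how /start supplies LDAP_HOST, LDAP_BIND_DN, ... at runtime.
#
# Keep placeholders only: this file is baked into the image, so real
# credentials belong in the environment (or a mounted secret), not in git.
config = {
    # LDAP configuration
    'ldap_host': 'YOUR HOST',
    # Key names must match what ldapUserSync.py asks get_config() for: it reads
    # 'ldap_bind_dn' / 'ldap_base_dn' (the old 'ldap_bind' / 'ldap_base' keys
    # were never looked up, so these defaults silently did nothing).
    'ldap_bind_dn': 'uid=bindUid,cn=sysaccounts,dc=company,dc=com',
    'ldap_base_dn': 'cn=accounts,dc=company,dc=com',
    # Everyone matching this filter is created as an OpenVAS *Admin*.
    'ldap_admin_filter': 'memberOf=cn=admins,cn=groups,cn=accounts,dc=company,dc=com',
    'ldap_password': 'password',
    'ldap_username_attr': 'uid',

    # OpenVAS configuration
    'ov_password': 'admin',
}
--------------------------------------------------------------------------------
/9/config/ldapUserSync/ldapUserSync.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
"""
ldapUserSync.py
Sync LDAP admin users into OpenVAS.  OpenVAS only offers per-user LDAP
authentication, so every directory user matching the admin filter is created
as an OpenVAS Admin account (source: ldap_connect).  Users are only ever added,
never removed.  Settings come from the environment first, then config.py.
Created by lhan on 2015-07-17.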
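"""
from __future__ import print_function

import getopt
import os
import shlex
import subprocess
import sys
import tempfile
from os import environ
from xml.sax.saxutils import escape, quoteattr

# config.py ships next to this script in the image (/ldapUserSync/).  When it
# is missing every setting must come from the environment, so fall back to an
# empty mapping instead of failing at import time.
try:
    from config import config
except ImportError:
    config = {}


def get_config(key, *fallback_keys):
    """Return a setting from the environment or config.py.

    The environment variable KEY (upper-cased) wins; otherwise config.py is
    consulted under ``key`` and then under each of ``fallback_keys``.
    Returns None when nothing defines the setting.
    """
    try:
        return environ[key.upper()]
    except KeyError:
        pass
    for name in (key,) + fallback_keys:
        value = config.get(name)
        if value is not None:
            return value
    return None


help_message = '''
Sync admin user from ldap to openvas
'''

# LDAP configuration.  /start exports LDAP_HOST, LDAP_BIND_DN, LDAP_BASE_DN,
# LDAP_ADMIN_FILTER and LDAP_PASSWORD; the shipped config.py spells the DN
# keys 'ldap_bind' / 'ldap_base', so those are accepted as fallbacks.
host = get_config('ldap_host')
bindDN = get_config('ldap_bind_dn', 'ldap_bind')
baseDN = get_config('ldap_base_dn', 'ldap_base')
ldapFilter = get_config('ldap_admin_filter')
ldapPwd = get_config('ldap_password')

# OpenVAS configuration (credentials used to talk to the manager via omp)
ovUser = 'admin'
ovPwd = get_config('ov_password')

# Every synced user is created with this role -- the built-in OpenVAS "Admin"
# role -- so LDAP_ADMIN_FILTER must only match people who should administer
# the scanner.
ADMIN_ROLE_ID = '7a8cb5b4-b74d-11e2-8187-406186ea4fc5'
UID_ATT = get_config('ldap_username_attr') or 'uid'

ldapUsers = set()
ovUsers = set()


# Utils
def BASH(cmd):
    """Run a command without a shell and return its stdout+stderr as text.

    ``cmd`` may be a string (split with shlex, as the original lambda did) or
    an argument list.  The callers below use the list form: it cannot be
    broken or re-split by quotes and whitespace inside DNs, filters or
    passwords.
    """
    argv = shlex.split(cmd) if isinstance(cmd, str) else list(cmd)
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, shell=False)
    output = proc.communicate()[0]
    if not isinstance(output, str):  # bytes on Python 3
        output = output.decode('utf-8', 'replace')
    return output


class Usage(Exception):
    def __init__(self, msg):
        self.msg = msg


def main(argv=None):
    """Apply command-line overrides for the settings above, then sync.

    Returns 2 on a usage error (message on stderr), None otherwise.
    """
    global host, bindDN, baseDN, ldapPwd, ldapFilter, ovUser, ovPwd
    if argv is None:
        argv = sys.argv
    try:
        try:
            opts, args = getopt.getopt(
                argv[1:], "hv:H:D:b:w:f:u:W:",
                ["help", "host=", "bind=", "base=", "ldap-pass=",
                 "ldap-filter=", "username=", "password="])
        except getopt.error as msg:
            raise Usage(msg)

        # option processing ("-v" is accepted for compatibility; no effect)
        for option, value in opts:
            if option in ("-h", "--help"):
                raise Usage(help_message)
            elif option in ("-H", "--host"):
                host = value
            elif option in ("-D", "--bind"):
                bindDN = value
            elif option in ("-b", "--base"):
                baseDN = value
            elif option in ("-w", "--ldap-pass"):
                # Anything given here is visible in the process list for as
                # long as this script runs; prefer the LDAP_PASSWORD variable.
                ldapPwd = value
            elif option in ("-f", "--ldap-filter"):
                ldapFilter = value
            elif option in ("-u", "--username"):
                ovUser = value
            elif option in ("-W", "--password"):
                ovPwd = value
    except Usage as err:
        sys.stderr.write(sys.argv[0].split("/")[-1] + ": " + str(err.msg) + "\n")
        sys.stderr.write("\t for help use --help\n")
        return 2
    syncUsers()


def _ldapsearch_argv(password_file):
    """Build the ldapsearch command line.

    The bind password is supplied via ``-y password_file`` instead of ``-w``
    so it never shows up in ``ps`` output or the container's process list.
    The filter and DNs are single arguments, so parentheses, spaces or quotes
    in them need no shell quoting.
    """
    return ['ldapsearch', '-H', 'ldaps://%s' % host, '-D', bindDN, '-b', baseDN,
            '-y', password_file, '(%s)' % ldapFilter, UID_ATT]


def getLdapUser():
    """Return the set of LDAP user names matching ldapFilter (cached)."""
    global ldapUsers
    if len(ldapUsers) == 0:
        secret = ldapPwd or ''
        if not isinstance(secret, bytes):
            secret = secret.encode('utf-8')
        # mkstemp creates the file 0600.  ldapsearch -y uses the file's whole
        # contents as the password, so no trailing newline is written.
        fd, password_file = tempfile.mkstemp(prefix='ldapUserSync-')
        try:
            try:
                os.write(fd, secret)
            finally:
                os.close(fd)
            response = BASH(_ldapsearch_argv(password_file))
        finally:
            os.remove(password_file)
        # LDIF output: one "uid: value" line per entry.  Only lines that start
        # with the attribute count, so some other attribute whose value
        # happens to contain "uid: " is not mistaken for a user.
        prefix = '%s: ' % UID_ATT
        for line in response.split('\n'):
            if line.startswith(prefix):
                ldapUsers.add(line[len(prefix):])
    return ldapUsers


def getOpenVasUsers():
    """Return the set of user names OpenVAS already has (cached)."""
    global ovUsers
    if len(ovUsers) == 0:
        response = BASH(['openvasmd', '--get-users'])
        for line in response.split('\n'):
            if len(line) > 0:
                ovUsers.add(line)
    return ovUsers


def _create_user_xml(userName):
    """OMP create_user request: Admin role, authenticated through LDAP.

    ``userName`` comes straight from the directory and is XML-escaped, so a
    uid containing '<', '&' or quotes can neither corrupt the request nor
    inject extra elements into it; the role id is emitted with quoteattr.
    NOTE(review): the markup was garbled in the copy this was reviewed from;
    this is the standard OMP create_user form -- compare with the original.
    """
    return ('<create_user><name>%s</name><role id=%s/>'
            '<sources><source>ldap_connect</source></sources></create_user>'
            % (escape(userName), quoteattr(ADMIN_ROLE_ID)))


def createUser(userName):
    """Create ``userName`` in OpenVAS through omp; return True on success."""
    # The omp password is still passed on the command line (-w) and is thus
    # visible to other processes in the container while omp runs; omp's
    # --config-file option would avoid that and is the recommended follow-up.
    cmd = ['omp', '-u', ovUser, '-w', ovPwd if ovPwd is not None else '',
           '-X', _create_user_xml(userName)]
    resp = BASH(cmd)
    if resp.find("OK, resource created") != -1:
        print("Sucess to create user %s" % (userName))
        return True
    else:
        print("Fail to create user %s: %s" % (userName, resp))
        return False


def syncUsers():
    """Create an OpenVAS admin for every LDAP user that does not have one yet.

    Users are only added; accounts no longer matched by the filter are kept.
    """
    usersToCreate = getLdapUser() - getOpenVasUsers()
    # A plain loop, not map(): on Python 3 map() is lazy and would create nobody.
    for userName in sorted(usersToCreate):
        createUser(userName)


if __name__ == "__main__":
    sys.exit(main())
--------------------------------------------------------------------------------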
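/9/config/main.cf_template:
--------------------------------------------------------------------------------
# Postfix main.cf for the container's outbound alert mail.  /start renders this
# file with envsubst, so the $OV_SMTP_* placeholders are filled from the
# environment at container start.

# Authenticate to the relay with the credentials from sasl_passwd
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Never send those credentials in the clear: plaintext SASL mechanisms
# (PLAIN/LOGIN) are only permitted once the session is protected by TLS.
# "noanonymous" alone let them go out unencrypted whenever the relay did not
# offer STARTTLS.
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
# Use STARTTLS when the relay offers it (opportunistic, as before)
smtp_use_tls = yes
relayhost = [$OV_SMTP_HOSTNAME]:$OV_SMTP_PORT
# This instance only needs to accept mail from the container itself.  The old
# value, mynetworks = 0.0.0.0/0, turned it into an open relay (through the
# authenticated relayhost) for anything that could reach port 25, e.g. other
# containers on the same Docker network.
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128
--------------------------------------------------------------------------------
/9/config/redis.config:
--------------------------------------------------------------------------------
# Redis settings for the OpenVAS scanner's KB store.  Clients connect over a
# unix socket only the owner may use; no TCP listener is configured here.
# NOTE(review): the Dockerfile copies this file to /etc/redis/redis.config,
# while /start launches "redis-server /etc/redis/redis.conf" (the package's
# default file).  Confirm which file is meant to be live.
unixsocket /var/run/redis/redis.sock
unixsocketperm 700
timeout 0
#DB = 1 + (#of parallel tasks) * (#of parallel hosts)
databases 128
#CLI = 1 + (#of parallel tasks) * (#of parallel hosts) * (#of concurrent NVTs)
maxclients 512
daemonize yes
--------------------------------------------------------------------------------
/9/config/sasl_passwd_template:
--------------------------------------------------------------------------------
# Relay credentials, rendered by envsubst from /start.  The resulting
# /etc/postfix/sasl_passwd (and the .db postmap builds from it) hold the SMTP
# password in clear text and must stay mode 0600.
[$OV_SMTP_HOSTNAME]:$OV_SMTP_PORT $OV_SMTP_USERNAME:$OV_SMTP_KEY
--------------------------------------------------------------------------------
/9/start:
--------------------------------------------------------------------------------
#!/bin/bash
# Container entrypoint: bring up redis and the OpenVAS services, initialise the
# admin account on a fresh data volume, import optional CA certificates, sync
# LDAP admins, configure postfix, then tail the logs.  With BUILD set (image
# build time) it stops after configuration instead of tailing.

DATAVOL=/var/lib/openvas/mgr/
OV_PASSWORD=${OV_PASSWORD:-admin}
WEB_CERT_FILE=${WEB_CERT_FILE:-""}
WEB_KEY_FILE=${WEB_KEY_FILE:-""}

# The Dockerfile bakes in OV_PASSWORD=admin, so an unset variable still ends
# up as the well-known default.  Say so loudly rather than silently.
if [ "$OV_PASSWORD" = "admin" ]; then
    echo "WARNING: admin password is the default 'admin'. Pass -e OV_PASSWORD=... before exposing this container." >&2
fi

# Optional: serve the web UI with an operator-supplied certificate/key instead
# of the self-signed pair generated in the image.
if [ -n "$WEB_CERT_FILE" ] && [ -n "$WEB_KEY_FILE" ]; then
    rm -f /var/lib/openvas/CA/servercert.pem
    rm -f /var/lib/openvas/private/CA/serverkey.pem
    ln -s "$WEB_CERT_FILE" /var/lib/openvas/CA/servercert.pem
    ln -s "$WEB_KEY_FILE" /var/lib/openvas/private/CA/serverkey.pem
fi

# NOTE(review): the image's own redis config is copied to
# /etc/redis/redis.config, but the package default redis.conf is started here.
redis-server /etc/redis/redis.conf

echo "Testing redis status..."
until [ "$(redis-cli ping)" = "PONG" ]; do
    echo "Redis not yet ready..."
    sleep 1
done
echo "Redis ready."

# No tasks.db means the data volume is empty: create the admin user below.
# On a reused volume the existing account (and password) is kept, so
# OV_PASSWORD only takes effect on the very first start.
echo "Checking for empty volume"
[ -e "$DATAVOL/tasks.db" ] || SETUPUSER=true

echo "Restarting services"
/etc/init.d/openvas-scanner restart
/etc/init.d/openvas-manager restart
/etc/init.d/openvas-gsa restart


echo "Reloading NVTs"
openvasmd --rebuild --progress

if [ -n "$SETUPUSER" ]; then
    echo "Setting up user"
    # (the stray second "openvasmd" word the old command carried is dropped)
    /usr/sbin/openvasmd --create-user=admin
    # The password appears in this process's argument list while openvasmd
    # runs, and in the container environment via docker inspect; openvasmd
    # appears to accept it only as an argument.
    /usr/sbin/openvasmd --user=admin --new-password="$OV_PASSWORD"
fi

#
# CA configuration (optional)
#
# Variables:
# - CA_CERT        a single CA certificate file
# - CA_CERTS_DIR   a directory; every *.crt / *.pem in it is imported
#
# update-ca-certificates only picks up files ending in .crt from
# /usr/local/share/ca-certificates, so .pem inputs are installed under a .crt
# name (before, they were copied verbatim and silently ignored).
CA_CERTS_TO_ADD=()
if [[ -n "$CA_CERT" && -e "$CA_CERT" ]]; then
    CA_CERTS_TO_ADD+=("$CA_CERT")
fi

if [[ -n "$CA_CERTS_DIR" && -e "$CA_CERTS_DIR" ]]; then
    # NUL-delimited so paths with spaces survive
    while IFS= read -r -d '' cert; do
        CA_CERTS_TO_ADD+=("$cert")
    done < <(find "$CA_CERTS_DIR" -type f \( -iname '*.crt' -o -iname '*.pem' \) -print0)
fi

for cert in "${CA_CERTS_TO_ADD[@]}"; do
    name=${cert##*/}
    if [[ "$name" =~ \.[Pp][Ee][Mm]$ ]]; then
        name="${name%.*}.crt"
    fi
    echo "Importing $cert to system keystore as $name"
    cp "$cert" "/usr/local/share/ca-certificates/$name"
done

if [ "${#CA_CERTS_TO_ADD[@]}" -gt 0 ]; then
    update-ca-certificates
fi

#
# LDAP configuration (optional)
#
# Variables: LDAP_HOST, LDAP_BIND_DN, LDAP_BASE_DN, LDAP_AUTH_DN,
#            LDAP_ADMIN_FILTER, LDAP_PASSWORD, LDAP_USERNAME_ATTR
# ldapUserSync.py creates an OpenVAS *Admin* account for every directory user
# matching LDAP_ADMIN_FILTER, so keep that filter tight.  It reads
# LDAP_PASSWORD from the environment (never from the command line).
# NOTE(review): LDAP_AUTH_DN is required here but nothing in this script or in
# ldapUserSync.py reads it -- confirm what consumes it.
if [ -n "$LDAP_HOST" ] &&
   [ -n "$LDAP_BIND_DN" ] &&
   [ -n "$LDAP_BASE_DN" ] &&
   [ -n "$LDAP_AUTH_DN" ] &&
   [ -n "$LDAP_ADMIN_FILTER" ] &&
   [ -n "$LDAP_PASSWORD" ]
then
    echo "Syncing Ldap admin users to openVAS..."
    /ldapUserSync/ldapUserSync.py
fi

echo "Checking setup"
# Third-party script fetched at image build time (see Dockerfile).  Use its
# absolute path instead of relying on the working directory being /.
/openvas-check-setup --v9

if [ -f /sasl_passwd_template ]; then
    echo "Configuring postfix"

    set -o nounset
    set -o errexit
    set -o pipefail

    # The rendered credential map and its .db hold the SMTP password in clear
    # text: create them 0600 (postfix reads them as root).
    (
        umask 077
        envsubst < "/sasl_passwd_template" > "/etc/postfix/sasl_passwd"
        /usr/sbin/postmap /etc/postfix/sasl_passwd
    )
    chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
    envsubst < "/main.cf_template" > "/etc/postfix/main.cf"

    service postfix restart
fi

if [ -z "$BUILD" ]; then
    echo "Tailing logs"
    tail -F /var/log/openvas/*
fi
--------------------------------------------------------------------------------
/9/test.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Smoke test run by ci.sh: start the freshly built image and wait until the
# web UI answers.

docker run -d -p 8443:443 --name openvas9 openvas9

echo "Waiting for startup to complete..."
until docker logs openvas9 | grep -E 'It seems like your OpenVAS-9 installation is'; do
    echo .
    sleep 5
done

# -k: the container serves the self-signed certificate generated at build
# time, so verification is expected to fail here.  The pipeline's exit status
# (grep's) drives the if directly.
if curl -k https://localhost:8443/login/login.html | grep -q "Greenbone Security Assistant"; then
    echo "Greenbone started successfully!"
else
    echo "Greenbone couldn't be found.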
There's probably something wrong" 15 | exit 1 16 | fi 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Mike Splain 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## This has been deprecated 2 | 3 | Thanks to the many users over the years for continueing to develop and support this project. I originally built this container to solve a problem at work and I was amazed to see many other folks interested in using it as well. 
With over 29 million downloads from Docker Hub, it's clear to me that it has had a good run, but as correctly pointed out in a number of issues such as [#271](https://github.com/mikesplain/openvas-docker/issues/271), there are better, supported solutions out there. Because this image is no longer maintained, it should be assumed to receive no further security updates — neither to OpenVAS and its feeds nor to the Ubuntu 16.04 base it is built on — so treat existing deployments as legacy and plan a migration. Thanks to all the support, contributions, and forks over the years. And finally, thanks to the folks at Greenbone for a wonderful tool and for fully supporting Docker-based deployments going forward.

Please reference the [Greenbone Documentation](https://greenbone.github.io/docs/latest/) on how to utilize their [containers](https://hub.docker.com/u/greenbone).

Cheers 🍻
Mike


OpenVAS image for Docker
==============

[![Travis CI](https://img.shields.io/travis/mikesplain/openvas-docker/master.svg)](https://travis-ci.org/mikesplain/openvas-docker/branches) [![Docker Pulls](https://img.shields.io/docker/pulls/mikesplain/openvas.svg)](https://hub.docker.com/r/mikesplain/openvas/) [![Docker Stars](https://img.shields.io/docker/stars/mikesplain/openvas.svg)](https://hub.docker.com/r/mikesplain/openvas/) [![](https://images.microbadger.com/badges/image/mikesplain/openvas.svg)](https://microbadger.com/images/mikesplain/openvas "Get your own image badge on microbadger.com")

A Docker container for OpenVAS on Ubuntu. By default, the latest image includes the OpenVAS base as well as the NVTs and Certs required to run OpenVAS. We made the decision to move to 9 as the default branch since 8 seems to have [many issues](https://github.com/mikesplain/openvas-docker/issues/84) in Docker. We suggest you use 9 as it is much more stable. Our OpenVAS 9 build was designed to be a smaller image with fewer extras built in. Please note, OpenVAS 8 is no longer being built as OpenVAS 9 is now standard. The image can still be pulled from Docker Hub; however, the source has been removed from this GitHub repository, as is standard with deprecated Docker images.
| OpenVAS Version | Tag      | Web UI Port |
|-----------------|----------|-------------|
| 9               | latest/9 | 443         |



Usage
-----

Simply run:

```
# latest (9)
docker run -d -p 443:443 --name openvas mikesplain/openvas
# 9
docker run -d -p 443:443 --name openvas mikesplain/openvas:9
```

This will grab the container from the Docker registry and start it up. OpenVAS startup can take some time (4-5 minutes while NVTs are scanned and databases rebuilt), so be patient. Once you see `It seems like your OpenVAS-9 installation is OK.` in the logs, the web UI is good to go. Go to `https://<docker-host>/` (by default only the hostname `openvas` is accepted; see "Specify DNS Hostname" below).

```
Username: admin
Password: admin
```

These are the defaults baked into the image. Change them with `OV_PASSWORD` (see "Set Admin Password") before publishing port 443 to anything beyond localhost.

To check the status of the process, run:

```
docker top openvas
```

In the output, look for the process scanning cert data. It contains a percentage.

To run bash inside the container run:

```
docker exec -it openvas bash
```

#### Specify DNS Hostname
By default, the system only allows connections for the hostname "openvas" (the web UI rejects requests whose `Host:` header names anything else). To allow access using a custom DNS name, you must use this command:

```
docker run -d -p 443:443 -e PUBLIC_HOSTNAME=myopenvas.example.org --name openvas mikesplain/openvas
```

#### OpenVAS Manager
To use OpenVAS Manager (the OMP protocol), add port `9390` to your docker run command:
```
docker run -d -p 443:443 -p 9390:9390 --name openvas mikesplain/openvas
```
Inside the container the manager listens on all interfaces, so publishing 9390 exposes OMP — protected only by the same admin credentials — to every host that can reach the Docker host. Publish it only when remote OMP clients are needed, and consider binding it to a specific address (e.g. `-p 127.0.0.1:9390:9390`).

#### Volume Support
We now support volumes. Simply mount your data directory to `/var/lib/openvas/mgr/`:
```
mkdir data
docker run -d -p 443:443 -v $(pwd)/data:/var/lib/openvas/mgr/ --name openvas mikesplain/openvas
```
Note, your local directory must exist prior to running.
78 | 79 | #### Set Admin Password 80 | The admin password can be changed by specifying a password at runtime using the env variable `OV_PASSWORD`: 81 | ``` 82 | docker run -d -p 443:443 -e OV_PASSWORD=securepassword41 --name openvas mikesplain/openvas 83 | ``` 84 | #### Update NVTs 85 | Occasionally you'll need to update the NVTs. We update the container about once a week, but you can update your own container by exec-ing into it and running a few commands: 86 | ``` 87 | docker exec -it openvas bash 88 | ## inside container 89 | greenbone-nvt-sync 90 | openvasmd --rebuild --progress 91 | greenbone-certdata-sync 92 | greenbone-scapdata-sync 93 | openvasmd --update --verbose --progress 94 | 95 | /etc/init.d/openvas-manager restart 96 | /etc/init.d/openvas-scanner restart 97 | ``` 98 | #### Docker compose (experimental) 99 | 100 | For simplicity a docker-compose.yml file is provided, as well as configuration for Nginx as a reverse proxy, with the following features: 101 | 102 | * Nginx as a reverse proxy 103 | * Redirect from port 80 (http) to port 443 (https) 104 | * Automatic SSL certificates from [Let's Encrypt](https://letsencrypt.org/) 105 | * A cron job that updates the NVTs daily 106 | 107 | To run: 108 | 109 | * Change "example.com" in the following files: 110 | * [docker-compose.yml](docker-compose.yml) 111 | * [conf/nginx.conf](conf/nginx.conf) 112 | * [conf/nginx_ssl.conf](conf/nginx_ssl.conf) 113 | * Change the "OV_PASSWORD" environment variable in [docker-compose.yml](docker-compose.yml) 114 | * Install the latest [docker-compose](https://docs.docker.com/compose/install/) 115 | * run `docker-compose up -d` 116 | 117 | #### LDAP Support (experimental) 118 | OpenVAS does not support full LDAP integration, only per-user authentication. As a workaround, the LDAP admin users (matched by `LDAP_ADMIN_FILTER`) are synced to OpenVAS admin users every time the container starts up.
To use this, specify the required LDAP env variables: 119 | ``` 120 | docker run -d -p 443:443 -p 9390:9390 --name openvas -e LDAP_HOST=your.ldap.host -e LDAP_BIND_DN=uid=binduid,dc=company,dc=com -e LDAP_BASE_DN=cn=accounts,dc=company,dc=com -e LDAP_AUTH_DN=uid=%s,cn=users,cn=accounts,dc=company,dc=com -e LDAP_ADMIN_FILTER=memberOf=cn=admins,cn=groups,cn=accounts,dc=company,dc=com -e LDAP_PASSWORD=password -e OV_PASSWORD=admin mikesplain/openvas 121 | ``` 122 | 123 | #### Email Support 124 | To configure the Postfix server, provide the following env variables at runtime: `OV_SMTP_HOSTNAME`, `OV_SMTP_PORT`, `OV_SMTP_USERNAME`, `OV_SMTP_KEY` 125 | ``` 126 | docker run -d -p 443:443 -e OV_SMTP_HOSTNAME=smtp.example.com -e OV_SMTP_PORT=587 -e OV_SMTP_USERNAME=username@example.com -e OV_SMTP_KEY=g0bBl3de3Go0k --name openvas mikesplain/openvas 127 | ``` 128 | 129 | 130 | Contributing 131 | ------------ 132 | 133 | I'm always happy to accept [pull requests](https://github.com/mikesplain/openvas-docker/pulls) or [issues](https://github.com/mikesplain/openvas-docker/issues). 134 | 135 | Thanks 136 | ------ 137 | Thanks to hackertarget for the great tutorial: http://hackertarget.com/install-openvas-7-ubuntu/ 138 | Thanks to Serge Katzmann for contributing some great work on OpenVAS 8: https://github.com/sergekatzmann/openvas8-complete 139 | -------------------------------------------------------------------------------- /conf/nginx.conf: -------------------------------------------------------------------------------- 1 | ###################################################### 2 | # Remember to Search and replace for "example.com" !
3 | ###################################################### 4 | 5 | 6 | events { 7 | worker_connections 768; 8 | } 9 | 10 | http { 11 | set_real_ip_from 127.0.0.1; 12 | set_real_ip_from 10.0.0.0/8; 13 | real_ip_header X-Forwarded-For; 14 | real_ip_recursive on; 15 | 16 | server { 17 | listen 80; 18 | server_name example.com; 19 | 20 | location '/.well-known/acme-challenge' { 21 | default_type "text/plain"; 22 | root /tmp/letsencrypt; 23 | } 24 | 25 | location / { 26 | if ($request_method = GET) { 27 | rewrite ^ https://$host$request_uri? permanent; 28 | } 29 | return 405; 30 | } 31 | } 32 | 33 | 34 | } 35 | -------------------------------------------------------------------------------- /conf/nginx_ssl.conf: -------------------------------------------------------------------------------- 1 | ###################################################### 2 | # Remember to Search and replace for "example.com" ! 3 | ###################################################### 4 | 5 | 6 | events { 7 | worker_connections 768; 8 | } 9 | 10 | http { 11 | set_real_ip_from 127.0.0.1; 12 | set_real_ip_from 10.0.0.0/8; 13 | real_ip_header X-Forwarded-For; 14 | real_ip_recursive on; 15 | 16 | 17 | 18 | server { 19 | listen 443 ssl http2; 20 | server_name example.com; 21 | 22 | ssl_protocols TLSv1.2; 23 | ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA; 24 | ssl_prefer_server_ciphers on; 25 | ssl_session_cache shared:SSL:10m; 26 | 27 | ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; 28 | ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; 29 | 30 | proxy_set_header Host $http_host; 31 | proxy_set_header X-Forwarded-Proto $scheme; 32 | proxy_set_header X-Forwarded-For $remote_addr; 33 | proxy_redirect off; 34 | 35 | gzip on; 36 | gzip_disable "msie6"; 37 | gzip_vary on; 38 | gzip_proxied any; 39 | gzip_comp_level 6; 40 | gzip_buffers 16 8k; 41 | gzip_http_version 1.1; 42 | gzip_types text/plain text/css application/json application/javascript text/xml 
application/xml application/xml+rss text/javascript; 43 | 44 | # keepalive + raven.js is a disaster 45 | keepalive_timeout 0; 46 | 47 | # buffer larger messages 48 | client_max_body_size 5m; 49 | client_body_buffer_size 100k; 50 | 51 | location / { 52 | proxy_pass https://openvas:443; 53 | 54 | add_header Strict-Transport-Security "max-age=31536000"; 55 | } 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | # This Nginx will be the first to start, and it will serve the redirect as well as ACME verification 4 | nginx: 5 | image: nginx:alpine 6 | restart: always 7 | hostname: nginx 8 | ports: 9 | - "80:80" 10 | links: 11 | - openvas 12 | volumes: 13 | - ./conf/nginx.conf:/etc/nginx/nginx.conf:ro 14 | - ./data/letsencrypt:/etc/letsencrypt 15 | - ./data/letsencrypt-www:/tmp/letsencrypt 16 | # This Nginx requires the certificates to exist, otherwise will fail 17 | nginx_ssl: 18 | image: nginx:alpine 19 | restart: always 20 | hostname: nginx_ssl 21 | ports: 22 | - "443:443" 23 | links: 24 | - openvas 25 | - letsencrypt 26 | volumes: 27 | - ./conf/nginx_ssl.conf:/etc/nginx/nginx.conf:ro 28 | - ./data/letsencrypt:/etc/letsencrypt 29 | - ./data/letsencrypt-www:/tmp/letsencrypt 30 | letsencrypt: 31 | restart: always 32 | image: kvaps/letsencrypt-webroot 33 | volumes: 34 | - ./data/letsencrypt:/etc/letsencrypt 35 | - ./data/letsencrypt-www:/tmp/letsencrypt 36 | links: 37 | - nginx 38 | environment: 39 | DOMAINS: example.com 40 | EMAIL: webmaster@example.com 41 | WEBROOT_PATH: /tmp/letsencrypt 42 | EXP_LIMIT: 30 43 | CHECK_FREQ: 30 44 | openvas: 45 | restart: always 46 | image: mikesplain/openvas 47 | hostname: openvas 48 | expose: 49 | - "443" 50 | volumes: 51 | - "./data/openvas:/var/lib/openvas/mgr/" 52 | environment: 53 | # CHANGE THIS ! 
54 | OV_PASSWORD: securepassword41 55 | labels: 56 | deck-chores.dump.command: sh -c "greenbone-nvt-sync; openvasmd --rebuild --progress" 57 | deck-chores.dump.interval: daily 58 | # Daily updates to openvas 59 | cron: 60 | restart: always 61 | image: funkyfuture/deck-chores 62 | volumes: 63 | - "/var/run/docker.sock:/var/run/docker.sock" 64 | --------------------------------------------------------------------------------