gerosecurity / gerobug

The First Open Source Bug Bounty Platform
https://gerobug.gerosecurity.com
GNU Affero General Public License v3.0

Nginx ports still exposed regardless of settings provided to ./run.sh #55

Closed brandonsturgeon closed 10 months ago

brandonsturgeon commented 10 months ago

Here is my setup:

 ______     ______     ______     ______     ______     __  __     ______
/\  ___\   /\  ___\   /\  == \   /\  __ \   /\  == \   /\ \/\ \   /\  ___\
\ \ \__ \  \ \  __\   \ \  __<   \ \ \/\ \  \ \  __<   \ \ \_\ \  \ \ \__ \
 \ \_____\  \ \_____\  \ \_\ \_\  \ \_____\  \ \_____\  \ \_____\  \ \_____\
  \/_____/   \/_____/   \/_/ /_/   \/_____/   \/_____/   \/_____/   \/_____/

================================================================================
Gerobug v2.3 (PRODUCTION READY)
================================================================================

================================================================================
---------------------------------
Welcome to the Gerobug Installer!
---------------------------------
My name is Gero and I will assist you through the installation :)
I need to ask you a few questions before starting the setup.

Server Public IP : <snip>
Is it correct?
   1) YES
   2) NO
Your choice [1-2]: 1

Server Internal IP : <snip>
Is it correct?
   1) YES
   2) NO
Your choice [1-2]: 2
Enter Internal / Secondary IP (example: 127.0.0.1): 127.0.0.1

Do you have a domain that you want to use?
example: demo.gerobug.com
   1) YES (I will help to implement HTTPS using lets encrypt for you)
   2) NO  (Gerobug will use HTTP instead of HTTPS) [NOT RECOMMENDED FOR PRODUCTION]
Your choice [1-2]: 2
Gerobug will not implement HTTPS [NOT RECOMMENDED FOR PRODUCTION]
A domain is required to setup HTTPS

Run this script again later when you have a domain to setup HTTPS
or you can change the nginx config manually

Do you have a VPN Server on the network?
   1) YES (Gerobug Dashboard will only accept connection from internal IP)
   2) NO  (Gerobug Dashboard will be accessible from public) [NOT RECOMMENDED FOR PRODUCTION]
Your choice [1-2]: 1

Gerobug Dashboard will only accept connection from INTERNAL IP
So a VPN Server will be required
If you face any trouble, read the documentation :)

Okay, that was all I needed. We are ready to setup Gerobug server now.
Press any key to continue...
================================================================================

So I set my internal IP, chose HTTP only, and set it to only accept connections from the local IP.

And then after it's running, docker compose ps shows:

gerobug-nginx-1       gerobug-nginx       "/docker-entrypoint.sh nginx -g 'daemon off;'"
nginx       11 seconds ago   Up 10 seconds
0.0.0.0:80->80/tcp, :::80->80/tcp,
0.0.0.0:443->443/tcp, :::443->443/tcp,
0.0.0.0:6320->6320/tcp, :::6320->6320/tcp

So ports 80, 443, and 6320 are all exposed publicly on the machine. Even if there are safeguards in place in the nginx config, the ports are still exposed.

This is because in the docker-compose.yml file, the ports are set like so:

  nginx:
    build: ./nginx
    ports:
      - "80:80"
      - "443:443"
      - "6320:6320"

In the absence of a binding address, compose defaults to 0.0.0.0.

Suggestions

1. I suggest that during the ./run.sh process, it saves the given settings to a .env file (which compose reads by default), something like this:

BIND_ADDRESS=<public or local ip, as chosen during the setup>
HTTP_PORT=<the port chosen during setup>
HTTPS_PORT=<the port chosen during setup>
DASHBOARD_PORT=<the port chosen during setup>

And then the compose file changed to something like this:

  nginx:
    build: ./nginx
    ports:
      - "${BIND_ADDRESS}:${HTTP_PORT}:80"
      - "${BIND_ADDRESS}:${HTTPS_PORT}:443"
      - "${BIND_ADDRESS}:${DASHBOARD_PORT}:6320"

You'll notice I also separated the ports out to be configurable as well. I think this is an important option. For example, on the server I wish to run gerobug on, I already have 80 and 443 bound, so I have to edit the compose file manually to make it work.

2. Only bind the HTTPS port if HTTPS is selected

I'm actually not sure how to do this, but it would be a nice way to keep the ports clean and reduce confusion for developers.

I would make a PR, but I think this requires some decisions that I wouldn't want to impose on you guys :)
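
The suggestion above, worked through as an added example (this is not Gerobug's own run.sh or compose file): one function derives the proposed .env from the installer's answers, one expands the proposed "ports:" entries into the host:port->container form that docker compose ps prints, and one audits listener output for sockets bound to every interface so a deployment script can refuse to go live in the state reported in this issue. The function names, the sample IPs 203.0.113.10 and 10.0.0.5, and the sample listener lines are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not Gerobug's own code. Models the .env the proposed compose
# file would read and audits listener output for wildcard (all-interface) binds.
# Function names, sample IPs (203.0.113.10 / 10.0.0.5) and the sample listener
# lines below are assumptions constructed for this example.
set -eu

# Render .env from the installer answers.
#   $1 public IP   $2 internal IP   $3 "vpn" or "public"
#   $4 HTTP port   $5 HTTPS port    $6 dashboard port   (defaults 80/443/6320)
# "vpn" binds to the internal IP so the VPN is the only way in; "public" binds
# to the public IP, which is still narrower than 0.0.0.0 (every interface).
gerobug_env_from_answers() {
    local public_ip=$1 internal_ip=$2 mode=$3
    local http_port=${4:-80} https_port=${5:-443} dash_port=${6:-6320} bind
    case "$mode" in
        vpn)    bind=$internal_ip ;;
        public) bind=$public_ip ;;
        *)      echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    printf 'BIND_ADDRESS=%s\nHTTP_PORT=%s\nHTTPS_PORT=%s\nDASHBOARD_PORT=%s\n' \
        "$bind" "$http_port" "$https_port" "$dash_port"
}

# Expand the proposed "ports:" entries using a .env read from stdin, in the
# host:port->container/proto form that `docker compose ps` prints.
gerobug_ports_from_env() {
    local k v bind='' hp='' sp='' dp=''
    while IFS='=' read -r k v; do
        case "$k" in
            BIND_ADDRESS)   bind=$v ;;
            HTTP_PORT)      hp=$v ;;
            HTTPS_PORT)     sp=$v ;;
            DASHBOARD_PORT) dp=$v ;;
        esac
    done
    printf '%s:%s->80/tcp\n%s:%s->443/tcp\n%s:%s->6320/tcp\n' \
        "$bind" "$hp" "$bind" "$sp" "$bind" "$dp"
}

# Audit listener lines (from `docker compose ps` or `ss -ltn`) read from stdin
# and print every one bound to all interfaces (0.0.0.0, :: or *).
# Returns 1 if any were found, so a caller can refuse to go live.
gerobug_audit_wildcard_binds() {
    local line found=0
    while IFS= read -r line; do
        case "$line" in
            *0.0.0.0:*|*':::'*|*'[::]:'*|*'*:'*)
                echo "EXPOSED: $line"; found=1 ;;
        esac
    done
    return "$found"
}

# Demo on constructed input: the binding reported in the issue versus the same
# services after BIND_ADDRESS=127.0.0.1 (the internal IP chosen in the issue).
sample_before='0.0.0.0:80->80/tcp, :::80->80/tcp
0.0.0.0:443->443/tcp, :::443->443/tcp
0.0.0.0:6320->6320/tcp, :::6320->6320/tcp'
sample_after='127.0.0.1:80->80/tcp
127.0.0.1:443->443/tcp
127.0.0.1:6320->6320/tcp'

gerobug_env_from_answers 203.0.113.10 10.0.0.5 vpn 8080 8443 6320 \
    | gerobug_ports_from_env
for s in "$sample_before" "$sample_after"; do
    if printf '%s\n' "$s" | gerobug_audit_wildcard_binds; then
        echo "ok: no wildcard binds"
    fi
done
```

Run the audit against `docker compose ps` (or `ss -ltn` on the host) right after `docker compose up -d`; a non-zero exit means at least one published port is reachable on every interface, whatever the nginx config allows or denies. Binding to an address in the compose file is the reliable fix, because Docker installs its own iptables rules for published ports and a host firewall such as ufw does not on its own block them.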

VGR6479 commented 10 months ago

The exposed ports are actually expected since currently we mitigate that by using safeguards within the nginx config. However, this is indeed a good suggestion and we will implement it in the next update.