Simplify the use of custom NGINX SSL certificates with Docker Compose

[Bernasv]

Instead of manually copying custom user certificates into the image for SSL usage, the arguments NGINX_CRT_PATH and NGINX_KEY_PATH have been added to simplify the process. These arguments enable automatic handling of certificates when GENERATE_TLS_CERTIFICATE is set to false. Providing the paths to the certificate and key through these arguments simplifies the setup, or they can be left empty to use the default certificate generation.

[dryrunsecurity]

DryRun Security Summary

The pull request enhances the security of the DefectDojo application by improving HTTPS configuration, implementing secure cookies, providing detailed TLS certificate management instructions, and updating Dockerfiles to support secure deployment.

Expand for full summary

Summary:

The code changes in this pull request are focused on improving the security of the DefectDojo application by enhancing the HTTPS configuration and providing better guidance for users on how to securely deploy the application.

The key security-related changes include:

1. TLS Configuration: The docker-compose.override.https.yml file has been updated to ensure that the Nginx service is configured to use TLS, which is essential for securing communication between the client and the server.
2. Secure Cookies: The uWSGI service is configured to use secure cookies for session management and CSRF protection, helping to mitigate session-related attacks and CSRF vulnerabilities.
3. TLS Certificate and Key Management: The instructions in the DOCKER.md file provide detailed steps for users to properly manage the TLS certificate and private key, emphasizing the importance of secure storage and access control.
4. Dockerfile Security: The Dockerfiles for the Nginx server (Dockerfile.nginx-debian and Dockerfile.nginx-alpine) have been updated to allow for the configuration of TLS certificates and keys, set appropriate permissions, and use environment variables for secure configuration.

Overall, these changes demonstrate a strong focus on improving the security of the DefectDojo application, particularly in the areas of secure communication, session management, and certificate/key management. As an application security engineer, I would consider these changes to be a positive step towards enhancing the overall security posture of the application.

Files Changed:

1. docker-compose.override.https.yml:

   • Configures the Nginx service to use TLS by setting the USE_TLS and GENERATE_TLS_CERTIFICATE environment variables.
   • Sets the DD_SESSION_COOKIE_SECURE and DD_CSRF_COOKIE_SECURE environment variables to ensure that the application uses secure cookies.

2. readme-docs/DOCKER.md:

   • Provides updated instructions for securely deploying the DefectDojo application using HTTPS.
   • Includes steps for generating a private key, creating a CSR, and properly managing the TLS certificate and key.

3. Dockerfile.nginx-debian and Dockerfile.nginx-alpine:

   • Allow for the configuration of TLS certificates and keys through the NGINX_CRT_PATH and NGINX_KEY_PATH build arguments.
   • Copy the TLS certificate and key files into the appropriate directories within the Nginx server.
   • Set the appropriate permissions for the Nginx directories and files.
   • Configure various environment variables related to the Nginx server, UWSGI, TLS, and metrics.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.