This guide explains how to set up STIG Manager using Docker and Docker Compose, with NGINX as a reverse proxy.
Before you begin, ensure Docker and Docker Compose are installed on your system. If not, follow the installation instructions below.
Install Docker on Ubuntu:

```bash
sudo apt update
sudo apt install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install docker-ce
```

Download and install Docker Desktop from Docker Hub.

Install Docker Compose:

```bash
sudo curl -L "https://github.com/docker/compose/releases/download/v2.5.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
```

Install Docker on CentOS or RHEL. Remove any older Docker packages and install yum-utils:

```bash
sudo yum remove docker docker-common docker-selinux docker-engine
sudo yum install -y yum-utils
```

Set up the stable repository:

```bash
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install docker-ce
sudo systemctl start docker
sudo systemctl enable docker
```
Clone the repository:

```bash
git clone https://github.com/allamiro/stig-manager.git
cd stig-manager
```

Update the environment variables in the .env file.

Start the services using Docker Compose:

```bash
docker-compose up -d
```

Verify that the containers are running successfully:

```bash
docker-compose ps
```
To deploy STIG Manager with TLS using NGINX as a reverse proxy, follow these steps:

- Install nginx, then generate your CSR and have it signed by your Certificate Authority

For RHEL:

```bash
dnf install openssl nginx -y
```

For Ubuntu:

```bash
sudo apt update
sudo apt install openssl nginx
```

Generate the private key, then generate the CSR using that key:

```bash
openssl genrsa -out mydomain.key 2048
openssl req -new -key mydomain.key -out mydomain.csr
```

To create a self-signed certificate instead (the -nodes option leaves the private key unencrypted, so there is no passphrase prompt):

```bash
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt
```
- Create your configuration file at /etc/nginx/conf.d/site-domain.conf as follows:

```nginx
server {
    listen 443 ssl;
    server_name your-domain.com;

    ssl_certificate     /etc/nginx/ssl/your-domain.crt;  # SSL certificate
    ssl_certificate_key /etc/nginx/ssl/your-domain.key;  # SSL certificate key

    # Location for the STIG Manager API.
    # nginx refuses to load a server block with two identical "location /" entries,
    # so the API gets its own prefix. /api/ is an assumption; adjust it to the path
    # your deployment serves the API on.
    location /api/ {
        proxy_pass http://localhost:54000;  # Proxy traffic to the API service on port 54000
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Location for the STIG Manager main interface
    location / {
        proxy_pass http://localhost:8080;  # Proxy traffic to the main STIG Manager service on port 8080
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
- Update firewalld

```bash
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
```

- Update SELinux rules

```bash
setsebool -P httpd_can_network_relay 1
```

- Enable and start the nginx service

```bash
systemctl enable nginx
systemctl start nginx
```

- Access the site at https://your-site-domainname. Happy STIGGING!
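A pre-flight check for the certificate and key installed in the steps above, worth running before nginx is started. This is an added example, not part of the original guide or the STIG Manager project: it confirms that the certificate matches the private key, that it does not expire soon, and that the key file is closed to group and other. The function names, the 30-day threshold and the throwaway sample pair are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the guide): pre-flight checks on the TLS files nginx will load.
# Function names and the 30-day threshold are assumptions made for illustration.

# True only if the certificate and the private key carry the same public key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# True if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# True if the key is a regular file with no group/other permission bits set.
key_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs all three checks, reports each failure, returns non-zero if any failed.
preflight() {
    crt=$1 key=$2 rc=0
    cert_matches_key "$crt" "$key" || { echo "FAIL: $crt does not match $key (or is unreadable)" >&2; rc=1; }
    cert_valid_for_days "$crt" 30  || { echo "FAIL: $crt expires within 30 days" >&2; rc=1; }
    key_is_private "$key"          || { echo "FAIL: $key is accessible to group/other" >&2; rc=1; }
    return "$rc"
}

# Constructed sample: a throwaway 60-day self-signed pair written into directory $1,
# for trying the checks without touching the real files.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=your-domain.com" \
        -keyout "$1/sample.key" -out "$1/sample.crt" >/dev/null 2>&1 &&
        chmod 600 "$1/sample.key"
}

# Usage: sh tls-preflight.sh /etc/nginx/ssl/your-domain.crt /etc/nginx/ssl/your-domain.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" && echo "OK: certificate and key are ready for nginx"
fi
```

After a clean result, `nginx -t` validates the configuration file itself before the service is started.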