Docker deployment
Install Docker
# download the install script, then run it
curl -fsSL https://get.docker.com -o get-docker.sh && sudo sh get-docker.sh
# install docker-compose 1.24.1
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
Prepare the runtime configuration
For details see: https://github.com/hhyo/Archery/tree/master/src/docker-compose
The services in docker-compose.yml can be adjusted to your own environment; also check that the version numbers are correct. For example, if MySQL, Redis and Inception are already installed externally, the corresponding services can be removed, but the related settings in settings.py must then be changed accordingly; see "Modify configuration" for details.
Start
Download the Releases file, unpack it and enter the docker-compose folder.
# start
docker-compose -f docker-compose.yml up -d
# initialise the table structure
docker exec -ti archery /bin/bash
cd /opt/archery
source /opt/venv4archery/bin/activate
python3 manage.py makemigrations sql
python3 manage.py migrate
# initialise data
python3 manage.py dbshell < sql/fixtures/auth_group.sql
python3 manage.py dbshell < src/init_sql/mysql_slow_query_review.sql
# create the admin user
python3 manage.py createsuperuser
# leave the container
exit
# view logs and troubleshoot
docker logs archery -f --tail=50
Access
Post-startup configuration
After startup, Archery has some settings (such as Inception, resource groups and permission groups) that need to be configured as required. Please read the configuration item description carefully and configure according to your needs.
Configure SSL/TLS
Steps
- Prepare the nginx certificate (prepare it yourself).
- Upload the certificate. The directory is up to you; for example, create an nginx/cert directory under the docker-compose directory.
- Modify the nginx configuration: add a listener on port 443 and redirect http to the https port.
- Django configuration in settings.py.
- Re-run the archery container.
- Verify. Note: clear the browser's cookie cache.
Example
Steps 1 and 2 are omitted.
The test was done on an internal network with no domain name, using a private IP address and a self-signed certificate.
- Modify the nginx configuration
server {
    listen 9123; # listening port (plain http, only used to redirect)
    server_name archery;
    client_max_body_size 20M;
    proxy_read_timeout 600s;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    return 301 https://$host$request_uri;
}
# Settings for a TLS enabled server.
server {
    listen 443 ssl; # listening port
    client_max_body_size 20M;
    proxy_read_timeout 600s;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/nginx/cert/192.168.1.3_chain.crt; # path to the certificate (chain) file
    ssl_certificate_key /etc/nginx/cert/192.168.1.3_key.key; # path to the private key file
    location / {
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host:9123;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme; # lets Django's SECURE_PROXY_SSL_HEADER see the request as https
    }
    location /static {
        alias /opt/archery/static;
    }
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
- Django configuration in settings.py
Add the following security settings:
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")  # trust the X-Forwarded-Proto header set by nginx
SECURE_SSL_REDIRECT = True  # permanently redirect all non-SSL requests to SSL
SESSION_COOKIE_SECURE = True  # send the session cookie only over https
CSRF_COOKIE_SECURE = True  # send the CSRF cookie only over https
SECURE_HSTS_INCLUDE_SUBDOMAINS = True  # apply the HSTS policy to subdomains as well
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_SECONDS = 60  # short value for testing; raise it once https is confirmed to work (preload lists require at least one year)
SECURE_CONTENT_TYPE_NOSNIFF = True  # stop browsers from guessing the content type of assets
CSRF_TRUSTED_ORIGINS = ['192.168.1.3']
CORS_ORIGIN_WHITELIST = (
    '192.168.1.3',
)
- Re-run the archery container
Create a new yml configuration and rebuild only the archery container:
version: '3'
services:
  archery:
    image: hhyo/archery:v1.8.5
    container_name: archery
    restart: always
    ports:
      - "9123:9123"
      - "443:443"
    volumes:
      - "./archery/settings.py:/opt/archery/archery/settings.py"
      - "./archery/soar.yaml:/etc/soar.yaml"
      - "./archery/docs.md:/opt/archery/docs/docs.md"
      - "./archery/downloads:/opt/archery/downloads"
      - "./archery/sql/migrations:/opt/archery/sql/migrations"
      - "./archery/logs:/opt/archery/logs"
      - "./archery/keys:/opt/archery/keys"
      - "./nginx/nginx.conf:/etc/nginx/nginx.conf"
      - "./nginx/cert:/etc/nginx/cert"
    entrypoint: "dockerize -wait tcp://mysql:3306 -wait tcp://redis:6379 -timeout 60s /opt/archery/src/docker/startup.sh"
    environment:
      NGINX_PORT: 9123
    networks:
      - "archery-184_default"
networks:
  archery-184_default:
    external: true
- Verify
After rebuilding the archery container, clear the browser's cookie cache and verify.
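As an added client-side check for the verification step (not part of the Archery docs), the script below tests that the http listener redirects to https and that the https response carries HSTS and Secure-flagged cookies; it assumes the 192.168.1.3 host and ports 9123/443 from the example above and ships with constructed sample responses so it runs without a server:

```shell
#!/bin/sh
# Client-side checks for the nginx + Django TLS setup above. Each check_*
# function takes raw response headers (as printed by `curl -sI`) in $1 and
# returns 0 only when the expectation holds.

# The plain-HTTP listener (port 9123 in the example) must answer 301 with a
# Location pointing at https://; otherwise logins over http keep working.
check_http_redirect() {
    h=$(printf '%s\n' "$1" | tr -d '\r')
    printf '%s\n' "$h" | grep -qi '^HTTP/[0-9.]* 301' || return 1
    printf '%s\n' "$h" | grep -qi '^Location: https://' || return 1
}

# The HTTPS response must carry HSTS (SECURE_HSTS_SECONDS) and every Set-Cookie
# must be flagged Secure (SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE).
check_https_headers() {
    h=$(printf '%s\n' "$1" | tr -d '\r')
    printf '%s\n' "$h" | grep -qi '^Strict-Transport-Security:' || return 1
    # any Set-Cookie line without the Secure attribute fails the check
    if printf '%s\n' "$h" | grep -i '^Set-Cookie:' | grep -viq 'secure'; then
        return 1
    fi
    return 0
}

# Extracts the HSTS max-age so the operator can confirm SECURE_HSTS_SECONDS
# took effect (60 in the example; preload lists require at least 31536000).
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^Strict-Transport-Security:' \
        | sed -n 's/.*max-age=\([0-9]*\).*/\1/p'
}

# Live use against the example host (assumed IP/ports from the page; -k only
# because the example uses a self-signed certificate):
#   check_http_redirect "$(curl -sI http://192.168.1.3:9123/)" && echo redirect ok
#   check_https_headers "$(curl -skI https://192.168.1.3/login/)" && echo headers ok

# Constructed sample responses (not captured from a real instance) so the
# checks can run without a server.
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://192.168.1.3/login/'

SAMPLE_HTTPS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=60; includeSubDomains; preload
X-Content-Type-Options: nosniff
Set-Cookie: csrftoken=constructed; Path=/; SameSite=Lax; Secure
Set-Cookie: sessionid=constructed; HttpOnly; Path=/; SameSite=Lax; Secure'

SAMPLE_HTTPS_BAD='HTTP/1.1 200 OK
Set-Cookie: sessionid=constructed; HttpOnly; Path=/'
```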