diff --git a/Makefile b/Makefile
index 060d922..7712f84 100644
--- a/Makefile
+++ b/Makefile
@@ -26,10 +26,11 @@ run:
 @make run-core
 @make setup-mattermost
 @make echo-logins
+ @docker exec -it -u root cs-repro-mattermost /bin/bash update-ca-certificates
 run-core:
 @echo "Starting the core services... hang in there."
- @docker-compose up -d postgres openldap prometheus grafana elasticsearch mattermost keycloak
+ @docker-compose up -d postgres openldap prometheus grafana elasticsearch mattermost keycloak mitmproxy
 run-db-replicas:
 @echo "Starting with replicas. Hang in there..."
@@ -37,12 +38,14 @@ run-db-replicas:
 @docker exec -it cs-repro-mattermost mmctl config patch /mattermost/config/replicaConfig.json --local
 @echo "Should be up and running. Go crazy."
+ ## Need a way to modify the
 run-mm-replicas:
 @echo "Starting Mattermost replicas. Hang in there..."
 @docker exec -it cs-repro-mattermost mmctl config set ClusterSettings.Enable true --local
 @docker-compose down mattermost
 @docker-compose up -d mattermost mattermost-2
+ @docker exec -it -u root cs-repro-mattermost-2 /bin/bash update-ca-certificates
 @echo "Should be up and running. Go crazy."
 run-rtcd:
diff --git a/README.md b/README.md
index 14617a7..b4cacf8 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@ This is designed to be used as a reproduction of a standard customer production
 - [Commands](#commands)
 - [Accounts](#accounts)
 - [Grafana](#grafana)
+- [mitmproxy](#mitmproxy)
 - [Guides](#guides)
 - [How to upgrade](#how-to-upgrade)
 - [How to Downgrade](#how-to-downgrade)
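Review bot: The new `run` recipe line `/bin/bash update-ca-certificates` asks bash to execute a script file of that name in the container's working directory rather than the `update-ca-certificates` command on PATH, so it will likely fail with a not-found error; the `run-mm-replicas` hunk below uses the same form. Drop the wrapper: `@docker exec -u root cs-repro-mattermost update-ca-certificates`. Note too that on Debian/Ubuntu-based images `update-ca-certificates` only picks up `*.crt` files placed under `/usr/local/share/ca-certificates/`, so a `.pem` mounted directly into `/etc/ssl/certs/` is unlikely to be added to the bundle — confirm against the Mattermost image before relying on this step. `-it` is also unnecessary for a non-interactive command and makes the target fail when stdin is not a TTY.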
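Review bot: `## Need a way to modify the` is an unfinished comment dropped between the `run-db-replicas` and `run-mm-replicas` rules; finish the sentence or remove it, since a half-written TODO conveys nothing to the next reader. In `run-mm-replicas`, `docker-compose down mattermost` followed by `up -d` recreates `cs-repro-mattermost`, which presumably discards any trust-store change `make run` made inside that container, yet the new `update-ca-certificates` line targets only `cs-repro-mattermost-2`; if the runtime install is kept, it has to be repeated for `cs-repro-mattermost` after the `up`. Baking the CA into the image, or mounting it where the image's trust tooling scans, would remove the need for these exec steps altogether.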
@@ -299,4 +300,10 @@ docker exec -it cs-repro-openldap ldapmodify \
 ## Calls
-By default this is setup to run on the built in Mattermost calls. You can enable the `rtcd` service by running `make run-rtcd`, which will start up `rtcd` and adjust the settings within Mattermost to work.
\ No newline at end of file
+By default this is setup to run on the built in Mattermost calls. You can enable the `rtcd` service by running `make run-rtcd`, which will start up `rtcd` and adjust the settings within Mattermost to work.
+
+## mitmproxy
+
+All traffic is routed through the mitmproxy for monitoring. You can access this with `localhost:8181` in your browser.
+
+To disable this you can comment out the `HTTP_PROXY` and `HTTPS_PROXY` env vars on the Mattermost objects.
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 07d502c..461f374 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -66,6 +66,8 @@ services:
 depends_on:
 postgres:
 condition: service_healthy
+ mitmproxy:
+ condition: service_started
 image: mattermost/mattermost-enterprise-edition:release-9.6
 restart: unless-stopped
 security_opt:
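Review bot: The new `depends_on` entry uses `condition: service_started`, which only waits for the mitmproxy container process to launch, not for the proxy to be listening on 8080, so Mattermost's first outbound requests can race the proxy startup; the `postgres` entry just above waits for `service_healthy`. Give the `mitmproxy` service a healthcheck and use `condition: service_healthy` here (and in the identical hunk for the second Mattermost service) so both dependencies are handled the same way. The enclosing service definition starts and ends outside this hunk.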
@@ -90,15 +92,24 @@ services:
 - ./files/mattermost/defaultConfig.json:/mattermost/config/defaultConfig.json:ro
 - ./files/mattermost/replicaConfig.json:/mattermost/config/replicaConfig.json:ro
 - ./files/mattermost/rtcdConfig.json:/mattermost/config/rtcdConfig.json:ro
+
+ ## Files are required for the mitmproxy on the box
+ - ./files/mitmproxy/mitmproxy-ca.pem:/etc/ssl/certs/mitmproxy-ca.pem
+ - ./files/mitmproxy/mitmproxy-dhparam.pem:/etc/ssl/certs/mitmproxy-dhparam.pem
 environment:
+ - HTTP_PROXY=http://cs-repro-mitmproxy:8080
+ - HTTPS_PROXY=http://cs-repro-mitmproxy:8080
 - MM_SqlSettings_DriverName=postgres
 - MM_SqlSettings_DataSource=postgres://mmuser:mmuser_password@cs-repro-postgres:5432/mattermost?sslmode=disable&connect_timeout=10&binary_parameters=yes
 - MM_SAMLSETTINGS_IDPCERTIFICATEFILE=/mattermost/config/saml-cert.crt
- # - MM_SqlSettings_DriverName=mysql
- # - MM_SqlSettings_DataSource=mmuser:mmuser_password@tcp(mysql:3306)/mattermost?charset=utf8mb4,utf8&writeTimeout=30s
 - MM_ServiceSettings_EnableLocalMode=true
 - MM_ServiceSettings_LocalModeSocketLocation=/var/tmp/mattermost_local.socket
 - MM_ServiceSettings_LicenseFileLocation=/mattermost/config/license.mattermost-enterprise
+
+ ## mysql Settings
+ # - MM_SqlSettings_DriverName=mysql
+ # - MM_SqlSettings_DataSource=mmuser:mmuser_password@tcp(mysql:3306)/mattermost?charset=utf8mb4,utf8&writeTimeout=30s
+
 ## Disable this to migrate your config to the database
 # - MM_CONFIG=postgres://mmuser:mmuser_password@cs-repro-postgres:5432/mattermost?sslmode=disable&connect_timeout=10&binary_parameters=yes
 keycloak:
@@ -194,6 +205,8 @@ services:
 depends_on:
 postgres:
 condition: service_healthy
+ mitmproxy:
+ condition: service_started
 image: mattermost/mattermost-enterprise-edition:release-9.6
 restart: unless-stopped
 security_opt:
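Review bot: The new volume line mounts `./files/mitmproxy/mitmproxy-ca.pem` into the Mattermost container, and the `mitmproxy-ca.pem` hunk later in this diff shows that file carries the CA private key as well as the certificate; the application container only needs the public certificate to trust the proxy, so mount `ca.crt` instead and add `:ro` to both new mounts like the neighbouring config mounts (the `mattermost-2` hunk below repeats the same mounts). The dhparam file plays no part in trusting the proxy and need not be in the app container at all. `HTTP_PROXY`/`HTTPS_PROXY` are also set without a `NO_PROXY`, so calls to keycloak, elasticsearch and the other internal services are presumably proxied too; if that is intended, say so in the `## Files are required...` comment, otherwise add a `NO_PROXY` entry for the hosts that should bypass it.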
@@ -217,7 +230,13 @@ services:
 - ./files/mattermost/advancedLogging.json:/mattermost/config/advancedLogging.json:ro
 - ./files/mattermost/defaultConfig.json:/mattermost/config/defaultConfig.json:ro
 - ./files/mattermost/replicaConfig.json:/mattermost/config/replicaConfig.json:ro
+
+ ## Files are required for the mitmproxy on the box
+ - ./files/mitmproxy/mitmproxy-ca.pem:/etc/ssl/certs/mitmproxy-ca.pem
+ - ./files/mitmproxy/mitmproxy-dhparam.pem:/etc/ssl/certs/mitmproxy-dhparam.pem
 environment:
+ - HTTP_PROXY=http://cs-repro-mitmproxy:8080
+ - HTTPS_PROXY=http://cs-repro-mitmproxy:8080
 - MM_SqlSettings_DriverName=postgres
 - MM_SqlSettings_DataSource=postgres://mmuser:mmuser_password@cs-repro-postgres:5432/mattermost?sslmode=disable&connect_timeout=10&binary_parameters=yes
 - MM_SAMLSETTINGS_IDPCERTIFICATEFILE=/mattermost/config/saml-cert.crt
@@ -241,7 +260,16 @@ services:
 - "8443:8443/udp"
 - "8443:8443/tcp"
 - "8045:8045"
-
+ mitmproxy:
+ container_name: cs-repro-mitmproxy
+ image: mitmproxy/mitmproxy
+ command: mitmweb --web-host 0.0.0.0 --set confdir=/certs
+ volumes:
+ - ./files/mitmproxy:/certs
+ ports:
+ - "8180:8080"
+ - "8181:8081"
+ restart: unless-stopped
 # mysql:
 # container_name: cs-repro-mysql
 # image: mysql:8
@@ -256,7 +284,7 @@ services:
 # MYSQL_ROOT_PASSWORD: "mmuser_password"
 # healthcheck:
 # test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
- # timeout: 20s
+ # timeout: 20supdat
 # retries: 10
 # ports:
 # # :
diff --git a/files/mattermost/defaultConfig.json b/files/mattermost/defaultConfig.json
index 802a737..022d471 100644
--- a/files/mattermost/defaultConfig.json
+++ b/files/mattermost/defaultConfig.json
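Review bot: The new `mitmproxy` service publishes `8180:8080` and `8181:8081` on every host interface, which exposes an open forward proxy and the mitmweb UI (with the traffic it has captured) to anything that can reach the host. The other containers address the proxy by service name rather than the host port, and the README says the UI is opened from a local browser, so bind both to loopback: `- "127.0.0.1:8180:8080"` and `- "127.0.0.1:8181:8081"`. The `./files/mitmproxy:/certs` mount also hands the container the whole directory, `ca.key` included; if mitmproxy does not need to write there, a `:ro` suffix keeps it from altering the committed files.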
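Review bot: `timeout: 20supdat` in the commented-out `mysql` healthcheck looks like an accidental edit of `20s` (possibly a stray paste while the `update-ca-certificates` lines were being added); the block is disabled today, but whoever re-enables it will get an invalid duration. Restore the line to `timeout: 20s`.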
@@ -1,7 +1,7 @@
 {
 "ServiceSettings": {
 "LicenseFileLocation": "config/license.mattermost-enterprise",
- "AllowedUntrustedInternalConnections": "cs-repro-keycloak:8080 cs-repro-keycloak"
+ "AllowedUntrustedInternalConnections": "cs-repro-keycloak:8080 cs-repro-keycloak cs-repro-mitmproxy:8180 cs-repro-mitmproxy"
 },
 "LogSettings": {
 "EnableConsole": true,
diff --git a/files/mitmproxy/ca.crt b/files/mitmproxy/ca.crt
new file mode 100644
index 0000000..53dda1a
--- /dev/null
+++ b/files/mitmproxy/ca.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDezCCAmOgAwIBAgIUQt5fv3mCSFaR2lg2mdvpCtvP0vgwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA1MDExODMwNDlaFw0yNDA1
+MzExODMwNDlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDgJGkKHfrKwon6mJceG3TteghBkytk+RJ2RmWhUrv5
+WKpHfAUaQFAw8dLXgxxBNyqnGTtx4JcvsqycPFgosvtOo/F/2oKrPYzrhiCVaGjx
+Ig0DGx+y55eH/JQoJVIgvxIncLlTMvmAgncrGJ3fod9CT5UJwwLgpgpNjI4P7JgC
+MZNGJ7VQLLVdvRxrnbW6K874pxDxJeedzgjDnNvkJnNYLIVuY5x0hcbNxOeu9Xa2
+Li29QAOhSVO//SU41dXa4kQMvglmgdc5URc/q97UYjOk0LNgSvazMPZEo45yG5Gu
+sLdypS6plG+Y70FBk6JklkcWjOd3RySjw8vhAIAXFcFPAgMBAAGjYzBhMB0GA1Ud
+DgQWBBR4Unu0x+H3uRUUay5mloWxOqyOajAfBgNVHSMEGDAWgBR4Unu0x+H3uRUU
+ay5mloWxOqyOajAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkq
+hkiG9w0BAQsFAAOCAQEABOnS5z5QWjiepyD5OvikaE3k3iBSvbuy2hV8bZH1lpQM
+zS7pw9I5jPHcdI3ToMImlN3hDKywOwiYMUHdAfH0L1wUO9okUYvjiZDCkziYpxg1
+Fq0sG39FydswjbMLHHf5pU5JAIFyqoQb4TT7FvuMCLhaFwuUGk7AXo/RdpFc4EbL
+lpgDrrXqp30ch/wp8GLqJnnqgSDWBx7YjwbmR3v1HZXq3aWE6Q4Fcb01DsR2yxF/
+ru4ff6LjylLbVNDge8nbOaPS+hU1mBDCfXWcGuAGcJZPkzmxjYenWmCHULu1/Bzo
+cHqQqXNX8z1Xd9gRHtRIPHq81kwr2264F6AzcnsnNg==
+-----END CERTIFICATE-----
diff --git a/files/mitmproxy/ca.key b/files/mitmproxy/ca.key
new file mode 100644
index 0000000..a672572
--- /dev/null
+++ b/files/mitmproxy/ca.key
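Review bot: The added `cs-repro-mitmproxy:8180` entry names the host-published port from `docker-compose.yml`; inside the compose network the proxy listens on 8080, which is what the `HTTP_PROXY`/`HTTPS_PROXY` values point at, so this entry can never match. The bare `cs-repro-mitmproxy` entry beside it follows the existing `cs-repro-keycloak` pattern and is presumably what does the work; change the port entry to `cs-repro-mitmproxy:8080` or drop it so the config does not document the wrong port.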
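Review bot: Decoding the validity field of this certificate (`Fw0yNDA1MDExODMwNDlaFw0yNDA1MzExODMwNDla`) appears to give 2024-05-01 to 2024-05-31, a 30-day CA, and the subject is the openssl default (`AU`/`Some-State`/`Internet Widgits Pty Ltd`); once it expires, every HTTPS call from Mattermost through the proxy will fail with a certificate error and nothing in the diff says so. mitmproxy generates its own CA in its confdir on first start, so a committed certificate is not needed; if one is kept, note its purpose and expiry in the README's new mitmproxy section.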
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgJGkKHfrKwon6
+mJceG3TteghBkytk+RJ2RmWhUrv5WKpHfAUaQFAw8dLXgxxBNyqnGTtx4Jcvsqyc
+PFgosvtOo/F/2oKrPYzrhiCVaGjxIg0DGx+y55eH/JQoJVIgvxIncLlTMvmAgncr
+GJ3fod9CT5UJwwLgpgpNjI4P7JgCMZNGJ7VQLLVdvRxrnbW6K874pxDxJeedzgjD
+nNvkJnNYLIVuY5x0hcbNxOeu9Xa2Li29QAOhSVO//SU41dXa4kQMvglmgdc5URc/
+q97UYjOk0LNgSvazMPZEo45yG5GusLdypS6plG+Y70FBk6JklkcWjOd3RySjw8vh
+AIAXFcFPAgMBAAECggEAT1Xz7AXSiEQ1jILIMnrrd0cTdwp9eJ8EnuKqBGEBce+l
+Teoi8DjFaZ2e0HNy486ABWdT+CnTualXmXFujvFTLHGxAF06lRwTLiZqkBfF1VwF
+GQ1Xuf5pT1PiqRcUq8yVw2oN3toTIB6Nya5L6yUjnhgHG85vzU5YJTzT5+UJpPR3
+pYS8XNT/N9ZErx20auB8lYqMjB0qpYLoCZrpoh1nB2qjNE5V41+GQ9RiYZ6uZ39t
+8XiNSCUGPRE+n56RonpUVosLGN7YxM8/PLF7mho9KQ92HXQNHJpMPe/FT4b9PekP
+40fDYMp6UiSBNRq6vybeyaze6YWkoExwBPSl46KHiQKBgQDw0LCqtL4v65qdy+zA
+YheypVwfz2/X2SqpFUxOh0AxReYDdNV9zVlIkV5GjEUT5MG0IGYUu0cIAF41arAp
+gTFB9Px40E1ovvIuUQxh1GJhxb1ZMRfOvFNOgb4hMLt/GNqVM4HpcA+7xO7+awpM
+xIAz95I1WEdabw2wHTh378AQ8wKBgQDuRpSKrwQ5C8sbRjgFX3DI/i6tkAHZC2qZ
+VoCiDg76oHzixXtVoEhoK9cBepyFZxKPhSQFHfrPL2jGobyNq4XqPAyL9rFAbc/L
+stsI6CQzyiquJYIqv8rJHsrFt0eWImtoYEV8Sapd5UvUxSqot0yJnlwJfPEWoVZN
+Xemdp2yFNQKBgDGN4CzgkJpv0xtRkWBtTw8V9AUfvJYgPCUbGt61+kGpbpGbgysm
+DI9gSpQd3UEgu7ODTz5I428EFF7Nm36O9UHrVeDOjH9Xe6KITxH6kFwqQrKN5aZH
+HqVzEVrnGk4nISO+u6b7xmEPP1bfU/lEHlWTRmTvy48SdzCccrhLf6x9AoGBAMjL
+ecoVCv33zkVBu1vrvePjL/rbbHM3h7GIkAYAyuax8Aw6V2ElHV+L8jgw104kOiPw
+Exas2PtX/HfHPFo2vTdTO0+HqH+fComiQ6sR1dA/AhCXU0YrMfyikkZj2VPP1auz
+1VqTyZou7OR08yoSrdEbPnxQaeqkM1InXgOZX34xAoGANN27KoqWI0SSL0n16oxc
+UHsrcpxSykMG2/hseZuFyoiMRnwMC6nhK4vvF1XkEYKq7Rdw2dzNLLOnAT+3VYpV
+beNnHAvYvneDYTpgAiF+rRBZfAxiysZznqmBe0eMTAAbESPjr18OprzXDD/wRt9c
+SSeoYlIHJT2Mdy54zl60VZk=
+-----END PRIVATE KEY-----
diff --git a/files/mitmproxy/mitmproxy-ca.pem b/files/mitmproxy/mitmproxy-ca.pem
new file mode 100644
index 0000000..d0181ea
--- /dev/null
+++ b/files/mitmproxy/mitmproxy-ca.pem
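Review bot: This hunk commits a CA private key to the repository, and the `mitmproxy-ca.pem` hunk that follows commits the same key again; combined with the Makefile change that installs the matching certificate into the Mattermost containers' trust store, anyone with read access to the repository holds a CA those containers will accept for any hostname. Even in a reproduction environment the key should be generated per checkout rather than shared: let mitmproxy create `mitmproxy-ca.pem` in `/certs` on first start, list `files/mitmproxy/ca.key` and `files/mitmproxy/*.pem` in `.gitignore`, and treat this particular key as burned. Since it is already in history, a later `git rm` alone does not remove it.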
@@ -0,0 +1,49 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgJGkKHfrKwon6
+mJceG3TteghBkytk+RJ2RmWhUrv5WKpHfAUaQFAw8dLXgxxBNyqnGTtx4Jcvsqyc
+PFgosvtOo/F/2oKrPYzrhiCVaGjxIg0DGx+y55eH/JQoJVIgvxIncLlTMvmAgncr
+GJ3fod9CT5UJwwLgpgpNjI4P7JgCMZNGJ7VQLLVdvRxrnbW6K874pxDxJeedzgjD
+nNvkJnNYLIVuY5x0hcbNxOeu9Xa2Li29QAOhSVO//SU41dXa4kQMvglmgdc5URc/
+q97UYjOk0LNgSvazMPZEo45yG5GusLdypS6plG+Y70FBk6JklkcWjOd3RySjw8vh
+AIAXFcFPAgMBAAECggEAT1Xz7AXSiEQ1jILIMnrrd0cTdwp9eJ8EnuKqBGEBce+l
+Teoi8DjFaZ2e0HNy486ABWdT+CnTualXmXFujvFTLHGxAF06lRwTLiZqkBfF1VwF
+GQ1Xuf5pT1PiqRcUq8yVw2oN3toTIB6Nya5L6yUjnhgHG85vzU5YJTzT5+UJpPR3
+pYS8XNT/N9ZErx20auB8lYqMjB0qpYLoCZrpoh1nB2qjNE5V41+GQ9RiYZ6uZ39t
+8XiNSCUGPRE+n56RonpUVosLGN7YxM8/PLF7mho9KQ92HXQNHJpMPe/FT4b9PekP
+40fDYMp6UiSBNRq6vybeyaze6YWkoExwBPSl46KHiQKBgQDw0LCqtL4v65qdy+zA
+YheypVwfz2/X2SqpFUxOh0AxReYDdNV9zVlIkV5GjEUT5MG0IGYUu0cIAF41arAp
+gTFB9Px40E1ovvIuUQxh1GJhxb1ZMRfOvFNOgb4hMLt/GNqVM4HpcA+7xO7+awpM
+xIAz95I1WEdabw2wHTh378AQ8wKBgQDuRpSKrwQ5C8sbRjgFX3DI/i6tkAHZC2qZ
+VoCiDg76oHzixXtVoEhoK9cBepyFZxKPhSQFHfrPL2jGobyNq4XqPAyL9rFAbc/L
+stsI6CQzyiquJYIqv8rJHsrFt0eWImtoYEV8Sapd5UvUxSqot0yJnlwJfPEWoVZN
+Xemdp2yFNQKBgDGN4CzgkJpv0xtRkWBtTw8V9AUfvJYgPCUbGt61+kGpbpGbgysm
+DI9gSpQd3UEgu7ODTz5I428EFF7Nm36O9UHrVeDOjH9Xe6KITxH6kFwqQrKN5aZH
+HqVzEVrnGk4nISO+u6b7xmEPP1bfU/lEHlWTRmTvy48SdzCccrhLf6x9AoGBAMjL
+ecoVCv33zkVBu1vrvePjL/rbbHM3h7GIkAYAyuax8Aw6V2ElHV+L8jgw104kOiPw
+Exas2PtX/HfHPFo2vTdTO0+HqH+fComiQ6sR1dA/AhCXU0YrMfyikkZj2VPP1auz
+1VqTyZou7OR08yoSrdEbPnxQaeqkM1InXgOZX34xAoGANN27KoqWI0SSL0n16oxc
+UHsrcpxSykMG2/hseZuFyoiMRnwMC6nhK4vvF1XkEYKq7Rdw2dzNLLOnAT+3VYpV
+beNnHAvYvneDYTpgAiF+rRBZfAxiysZznqmBe0eMTAAbESPjr18OprzXDD/wRt9c
+SSeoYlIHJT2Mdy54zl60VZk=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDezCCAmOgAwIBAgIUQt5fv3mCSFaR2lg2mdvpCtvP0vgwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA1MDExODMwNDlaFw0yNDA1
+MzExODMwNDlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDgJGkKHfrKwon6mJceG3TteghBkytk+RJ2RmWhUrv5
+WKpHfAUaQFAw8dLXgxxBNyqnGTtx4JcvsqycPFgosvtOo/F/2oKrPYzrhiCVaGjx
+Ig0DGx+y55eH/JQoJVIgvxIncLlTMvmAgncrGJ3fod9CT5UJwwLgpgpNjI4P7JgC
+MZNGJ7VQLLVdvRxrnbW6K874pxDxJeedzgjDnNvkJnNYLIVuY5x0hcbNxOeu9Xa2
+Li29QAOhSVO//SU41dXa4kQMvglmgdc5URc/q97UYjOk0LNgSvazMPZEo45yG5Gu
+sLdypS6plG+Y70FBk6JklkcWjOd3RySjw8vhAIAXFcFPAgMBAAGjYzBhMB0GA1Ud
+DgQWBBR4Unu0x+H3uRUUay5mloWxOqyOajAfBgNVHSMEGDAWgBR4Unu0x+H3uRUU
+ay5mloWxOqyOajAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkq
+hkiG9w0BAQsFAAOCAQEABOnS5z5QWjiepyD5OvikaE3k3iBSvbuy2hV8bZH1lpQM
+zS7pw9I5jPHcdI3ToMImlN3hDKywOwiYMUHdAfH0L1wUO9okUYvjiZDCkziYpxg1
+Fq0sG39FydswjbMLHHf5pU5JAIFyqoQb4TT7FvuMCLhaFwuUGk7AXo/RdpFc4EbL
+lpgDrrXqp30ch/wp8GLqJnnqgSDWBx7YjwbmR3v1HZXq3aWE6Q4Fcb01DsR2yxF/
+ru4ff6LjylLbVNDge8nbOaPS+hU1mBDCfXWcGuAGcJZPkzmxjYenWmCHULu1/Bzo
+cHqQqXNX8z1Xd9gRHtRIPHq81kwr2264F6AzcnsnNg==
+-----END CERTIFICATE-----
diff --git a/files/mitmproxy/mitmproxy-dhparam.pem b/files/mitmproxy/mitmproxy-dhparam.pem
new file mode 100644
index 0000000..c10121f
--- /dev/null
+++ b/files/mitmproxy/mitmproxy-dhparam.pem
@@ -0,0 +1,14 @@
+
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAyT6LzpwVFS3gryIo29J5icvgxCnCebcdSe/NHMkD8dKJf8suFCg3
+O2+dguLakSVif/t6dhImxInJk230HmfC8q93hdcg/j8rLGJYDKu3ik6H//BAHKIv
+j5O9yjU3rXCfmVJQic2Nne39sg3CreAepEts2TvYHhVv3TEAzEqCtOuTjgDv0ntJ
+Gwpj+BJBRQGG9NvprX1YGJ7WOFBP/hWU7d6tgvE6Xa7T/u9QIKpYHMIkcN/l3ZFB
+chZEqVlyrcngtSXCROTPcDOQ6Q8QzhaBJS+Z6rcsd7X+haiQqvoFcmaJ08Ks6LQC
+ZIL2EtYJw8V8z7C0igVEBIADZBI6OTbuuhDwRw//zU1uq52Oc48CIZlGxTYG/Evq
+o9EWAXUYVzWkDSTeBH1r4z/qLPE2cnhtMxbFxuvK53jGB0emy2y1Ei6IhKshJ5qX
+IB/aE7SSHyQ3MDHHkCmQJCsOd4Mo26YX61NZ+n501XjqpCBQ2+DfZCBh8Va2wDyv
+A2Ryg9SUz8j0AXViRNMJgJrr446yro/FuJZwnQcO3WQnXeqSBnURqKjmqkeFP+d8
+6mk2tqJaY507lRNqtGlLnj7f5RNoBFJDCLBNurVgfvq9TCVWKDIFD4vZRjCrnl6I
+rD693XKIHUCWOjMh1if6omGXKHH40QuME2gNa50+YPn1iYDl88uDbbMCAQI=
+-----END DH PARAMETERS-----