Skip to content

Instantly share code, notes, and snippets.

@thepoppingone
Last active October 14, 2022 18:21
Show Gist options
  • Save thepoppingone/a099a33d1b0ed85572e330d3e8de4319 to your computer and use it in GitHub Desktop.
Save thepoppingone/a099a33d1b0ed85572e330d3e8de4319 to your computer and use it in GitHub Desktop.
Fortify sample server.xml and entrypoint.sh
#!/bin/bash
set -e -o pipefail
if [ -x "$(command -v "$1")" ]; then
exec "$@"
fi
assertIsSet() {
# $1=variable_value $2=variable_name
if [ -z "$1" ]; then
echo "Environment variable $2 is required"
exit 1
fi
}
assertIsReadable() {
# $1=file_path $2=variable_name
if [ -n "$1" ] && [ ! -r "$1" ]; then
echo "A file referenced by environment variable $2 does not exists or is not readable"
exit 1
fi
}
assertIsSetAndReadable() {
# $1=file_path $2=variable_name
assertIsSet "$1" "$2"
assertIsReadable "$1" "$2"
}
loadFileToEnv() {
# $1=src_file_path $2=src_variable_name $3=dst_variable_name
assertIsSetAndReadable "$1" "$2"
# not POSIX bourne shell compatible, but supported at least by bash, busybox ash and dash
export "$3"="$(head -1 "$1" | tr -d '\n\r')"
}
#
# Set default file locations
#
# default secrets directory
secret_dir="$FORTIFY_HOME/secrets"
if [ -z "$COM_FORTIFY_SSC_AUTOCONFIGPATH" ] && [ -e "$secret_dir/ssc.autoconfig" ]; then
export COM_FORTIFY_SSC_AUTOCONFIGPATH="$secret_dir/ssc.autoconfig"
fi
if [ -z "$COM_FORTIFY_SSC_LICENSEPATH" ] && [ -e "$secret_dir/fortify.license" ]; then
export COM_FORTIFY_SSC_LICENSEPATH="$secret_dir/fortify.license"
fi
if [ -z "$COM_FORTIFY_SSC_SECRETKEY" ] && [ -e "$secret_dir/secret.key" ]; then
export COM_FORTIFY_SSC_SECRETKEY="$secret_dir/secret.key"
fi
if [ -z "$HTTP_SERVER_CERTIFICATE_KEYSTORE_FILE" ] && [ -e "$secret_dir/certificate-keystore" ]; then
export HTTP_SERVER_CERTIFICATE_KEYSTORE_FILE="$secret_dir/certificate-keystore"
fi
if [ -z "$HTTP_SERVER_CERTIFICATE_KEYSTORE_PASSWORD_FILE" ] && [ -e "$secret_dir/certificate-keystore-password" ]; then
export HTTP_SERVER_CERTIFICATE_KEYSTORE_PASSWORD_FILE="$secret_dir/certificate-keystore-password"
fi
if [ -z "$HTTP_SERVER_CERTIFICATE_KEY_PASSWORD_FILE" ] && [ -e "$secret_dir/certificate-key-password" ]; then
export HTTP_SERVER_CERTIFICATE_KEY_PASSWORD_FILE="$secret_dir/certificate-key-password"
fi
unset secret_dir
#
# Set JVM system properties and options
#
export CATALINA_OPTS="-XX:MaxRAMPercentage=50.0 -Djava.awt.headless=true $CATALINA_OPTS"
if [ -n "$JVM_TRUSTSTORE_FILE" ]; then
assertIsSetAndReadable "$JVM_TRUSTSTORE_FILE" JVM_TRUSTSTORE_FILE
loadFileToEnv "$JVM_TRUSTSTORE_PASSWORD_FILE" JVM_TRUSTSTORE_PASSWORD_FILE JVM_TRUSTSTORE_PASSWORD
CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore='$JVM_TRUSTSTORE_FILE'"
CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStorePassword='$JVM_TRUSTSTORE_PASSWORD'"
else
unset JVM_TRUSTSTORE_FILE
unset JVM_TRUSTSTORE_PASSWORD_FILE
fi
if [ -n "$COM_FORTIFY_SSC_LOGPATH" ]; then
# supported by application too, setting this on commandline used configured directory also for ssc_boot.log
CATALINA_OPTS="$CATALINA_OPTS -Dcom.fortify.ssc.logPath='$COM_FORTIFY_SSC_LOGPATH'"
else
unset COM_FORTIFY_SSC_LOGPATH
fi
if [ -n "$COM_FORTIFY_SSC_SECRETKEY" ]; then
assertIsSetAndReadable "$COM_FORTIFY_SSC_SECRETKEY" COM_FORTIFY_SSC_SECRETKEY
CATALINA_OPTS="$CATALINA_OPTS -Dcom.fortify.ssc.secretKey='$COM_FORTIFY_SSC_SECRETKEY'"
else
unset COM_FORTIFY_SSC_SECRETKEY
fi
#
# Set defaults and validate Tomcat configuration values and render Tomcat's server.xml
#
# Use less secure but more compatible SSL configuration by default
# See https://ssl-config.mozilla.org/#server=tomcat
if [ -z "$HTTP_SERVER_TLS_PROTOCOLS" ]; then
export HTTP_SERVER_TLS_PROTOCOLS='TLSv1.3+TLSv1.2'
if [ -z "$HTTP_SERVER_TLS_CIPHERS" ]; then
export HTTP_SERVER_TLS_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
fi
fi
assertIsSetAndReadable "$HTTP_SERVER_CERTIFICATE_KEYSTORE_FILE" HTTP_SERVER_CERTIFICATE_KEYSTORE_FILE
loadFileToEnv "$HTTP_SERVER_CERTIFICATE_KEYSTORE_PASSWORD_FILE" HTTP_SERVER_CERTIFICATE_KEYSTORE_PASSWORD_FILE HTTP_SERVER_CERTIFICATE_KEYSTORE_PASSWORD
loadFileToEnv "$HTTP_SERVER_CERTIFICATE_KEY_PASSWORD_FILE" HTTP_SERVER_CERTIFICATE_KEY_PASSWORD_FILE HTTP_SERVER_CERTIFICATE_KEY_PASSWORD
case "$HTTP_SERVER_CERTIFICATE_VERIFICATION" in
required | optional)
if [ -n "$HTTP_SERVER_TRUSTSTORE_FILE" ]; then
assertIsSetAndReadable "$HTTP_SERVER_TRUSTSTORE_FILE" HTTP_SERVER_TRUSTSTORE_FILE
loadFileToEnv "$HTTP_SERVER_TRUSTSTORE_PASSWORD_FILE" HTTP_SERVER_TRUSTSTORE_PASSWORD_FILE HTTP_SERVER_TRUSTSTORE_PASSWORD
fi
;;
none | '')
export HTTP_SERVER_CERTIFICATE_VERIFICATION=none
unset HTTP_SERVER_TRUSTSTORE_FILE
unset HTTP_SERVER_TRUSTSTORE_PASSWORD_FILE
;;
*)
echo "Invalid value specified for HTTP_SERVER_CERTIFICATE_VERIFICATION: $HTTP_SERVER_CERTIFICATE_VERIFICATION"
echo "Valid values are: required, optional, none"
exit 1
;;
esac
# normalize deployment context, can be empty and it must not end with slash
HTTP_SERVER_SSC_PATH_PREFIX="/${HTTP_SERVER_SSC_PATH_PREFIX#/}" # ensure leading slash
HTTP_SERVER_SSC_PATH_PREFIX="${HTTP_SERVER_SSC_PATH_PREFIX%/}" # remove trailing slash
#
# Validate remaining settings
#
if [ -n "$COM_FORTIFY_SSC_AUTOCONFIGPATH" ]; then
assertIsSetAndReadable "$COM_FORTIFY_SSC_AUTOCONFIGPATH" COM_FORTIFY_SSC_AUTOCONFIGPATH
assertIsSetAndReadable "$COM_FORTIFY_SSC_LICENSEPATH" COM_FORTIFY_SSC_LICENSEPATH
else
unset COM_FORTIFY_SSC_AUTOCONFIGPATH
unset COM_FORTIFY_SSC_LICENSEPATH
fi
#
# Create directories required on Tomcat startup
#
mkdir -p "$CATALINA_TMPDIR"
mkdir -p "$CATALINA_WORKDIR"
mkdir -p "$CATALINA_LOGSDIR"
# Workaround for runtime-bridge command failing on read-only filesystem [DE-267109]
mkdir -p "${COM_FORTIFY_SSC_LOGPATH}/runtime-bridge"
#
# Render server configuration template and start Tomcat
#
# java "$APP_HOME/tools/AttributeTemplateRenderer.java" "$CATALINA_HOME/conf/server-tpl.xml" "$CATALINA_HOME/conf/server.xml"
exec /bin/bash "${CATALINA_HOME}/bin/catalina.sh" "$@"
exit 9
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
-->
<Connector maxThreads="4" minSpareThreads="1"
port="8080"
proxyPort="443"
proxyName="<your_hostname_here>"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
server="Apache"
connectionTimeout="10000"
scheme="https"
secure="true"
/>
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" deployOnStartup="true" autoDeploy="false" failCtxIfServletStartFails="true"
workDir="/fortify/tomcat/work">
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
<!-- Disable stacktrace and server version displayed in server default HTML error pages
(displaying such information is considered a security issue)
Return custom error page for 404 Page not found error -->
<Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false"
showServerInfo="false"
errorCode.404="webapps/error404.html"
errorCode.0="webapps/errorGeneral.html"/>
<Context path="" docBase="/app/ssc"
useHttpOnly="true"/>
</Host>
</Engine>
</Service>
</Server>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment