diff --git a/.github/workflows/molecule-test.yml b/.github/workflows/molecule-test.yml index 35b14fc..7a0907e 100644 --- a/.github/workflows/molecule-test.yml +++ b/.github/workflows/molecule-test.yml @@ -19,8 +19,8 @@ jobs: matrix: # Better to use one scenario per OS for faster performance and easier debugging scenario: - - centos-8 - - ubuntu-2004 + - ubuntu-2204 + - rocky9 steps: - name: Checkout diff --git a/CHANGELOG b/CHANGELOG index 1c6286c..c9b7d6b 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,19 @@ +2.2.0 +* fix for #28 issues with dependencies and python 3.10 +* python3 only supported +* breaks support for ubuntu 2004 +* support ubuntu 2204 +* breaks support for Redhat family 8 +* Adds support for Redhat family 9 +* installs from source by default +* redesign install using virtualenv +* Update to burpui_version 1.0.0 +* See the breaking changes in https://burp-ui.readthedocs.io/en/latest/changelog.html#id1 +* Parallel option will be added and tested on next version +* breaks compatibility with old burpui versions +* closes #12 added doc about hashpassword + + 2.1.0: * Fixes on molecule v4 tests and latest galaxy meta compatibility diff --git a/README.md b/README.md index b62ce95..e4b6ab2 100644 --- a/README.md +++ b/README.md 
@@ -21,6 +21,19 @@ VARS defaults/main.yml +```yaml +# burp backend to load either one of 'burp1', 'burp2', 'parallel' or 'multi'. +# If you choose 'multi', you will have to declare at lease one 'Agent' section. +# If you choose 'parallel', you need to configure the [Parallel] section. +# If you choose either 'burp1' or 'burp2', you need to configure the [Burp] +# section. +# The [Burp] section is also used with the 'parallel' backend for the restoration +# process. +# You can also use whatever custom backend you like if it is located in the +# 'plugins' directory and if it implements the right interface. +burpui_backend = burp2 +``` + By default this role will configure nginx as proxy for gunicorn (the service that starts burpui), the variable that will expose the tcp port for burpui is: burpui_nginx_port: "8080" 
@@ -32,21 +45,31 @@ To enable users you can add a list of basic users: ```yaml # Enable mixed to allow plain passwords https://git.ziirish.me/ziirish/burp-ui/issues/177#note_1794 burpui_basic_enabled: false -burpui_basic_mixed: "true" burpui_basic_users: - - { name: "admin", password: "admin" } + - { name: "admin", password: "plain$$admin" } +``` + +Use the following method to create hash passwords: + + pip install --user werkzeug + +```python +werkzeug.security.generate_password_hash('plainpassword', method='pbkdf2:sha256') + +'pbkdf2:sha256:260000$hZ7teoNFWtkS6g4J$4ff797c0f8d1d59009a8ef8d9ee1d1126fae1713d7128d66d1132005dcfe7c9a' ``` Other optional acl for users is to use the basic acl: +Check the burp-ui docs, you can use wildcards and others special characters here. ```yaml # http://burp-ui.readthedocs.io/en/latest/usage.html#basic-acl -burpui_basic_acl_enabled: false +burpui_global_acl: 'basic' burpui_basic_acl_admins: "user1,user2" burpui_basic_acl_users: false -#burpui_basic_acl_users: -# - { name: "user3", value: '["client4", "client5"]' } -# - { name: "user4", value: '{"agent2": ["client8"], "agent1": ["client6", "client7"]}' } +burpui_basic_acl_users: + - { name: "user3", value: '["client4", "client5"]' } + - { name: "user4", value: '{"agent2": ["client8"], "agent1": ["client6", "client7"]}' } ``` ### Multi-agent mode: @@ -57,7 +80,7 @@ To enable the connection of burpui multi-agent mode, use these vars, example: ```yaml # bui-agent -burpui_standalone: false +burpui_backend: multi burpui_agents: - { name: "localhost", address: "127.0.0.1", port: "5001", password: "password", ssl: "false" } - { name: "host2", address: "192.168.122.202", port: "5001", password: "password", ssl: "false" } 
@@ -79,26 +102,19 @@ Upgrade steps are managed automatically by this role. Installed services ================== -It uses http://supervisord.org/ for better management of third-party services on the system and to be compatible with most systems (ubuntu trusty+, debian, centos, fedora, etc). -supervisor is used for bui-celery +by default systemd is used for bui-celery and gunicorn default service manager for the package manager of your distribution is used for gunicorn (the service responsible to start burpui) and same for nginx (the proxy configured to expose burpui) -So to restart installed services/daemons you should use: - - sudo supervisorctl restart bui-celery (depends on the service you want to restart) - -you can also use supervisorctl shell: - - sudo supervisorctl +Python virtualenv is used, by default you will see packages in: -And then interactively use all options. + /venv_apps/bui/lib/python3.10/site-packages/ -*Logs:* +And binaries in: -Also supervisord allow proper stdout and stderror to logs redirection, so all logs are under `/var/logs/supervisor` + /venv_apps/bui/bin -Logs are also rotated by logrotate automatically. +You can change the variable for virtualenv, see defaults vars. Accessing burpui ---------------- diff --git a/ansible.cfg b/ansible.cfg index 6cc8eee..3431c0a 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -12,6 +12,3 @@ roles_path = ../:/etc/ansible/roles host_key_checking = False retry_files_enabled = False - -[ssh_connection] -pipelining = True diff --git a/defaults/main.yml b/defaults/main.yml index 4130e22..62a113d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -2,12 +2,15 @@ # file defaults/main.yml # use syntax: https://pip.pypa.io/en/stable/reference/pip_install/#git -burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@stable#egg=burp-ui' -burpui_use_dev: False +burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' +burpui_use_dev: False # False to use pip version with burpui_version var. +# workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 +# This workaround only works with dev version of the package install +# requires: +# burpui_use_dev: True burpui_pip_burpui: "burp-ui" -burpui_version: 0.6.6 -python_pip_executable: "pip3" # pip3 only supported option +burpui_version: 1.0.0 burpui_pip_packages: - { name: "{{ burpui_pip_burpui }}", version: "{{ burpui_version }}" } 
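Review bot: `burpui_pip_burpui_dev` now tracks `@master`, a moving branch, so two runs of the role with `burpui_use_dev: True` can install different, unreviewed upstream code; pin the ref to a tag or commit (`git+https://git.ziirish.me/ziirish/burp-ui.git@<tag-or-sha>#egg=burp-ui`) so the source install is reproducible and a version move shows up as a diff. The comment block under `burpui_use_dev` says the workaround for issue 347 only applies to the dev install and `requires: burpui_use_dev: True`, yet the default stays `False` and installs `burpui_version: 1.0.0` from PyPI, so a reader cannot tell whether the PyPI release is affected; a line such as `# the PyPI 1.0.0 release does not need this workaround — TODO confirm` would settle it. `burpui_use_dev: False # False to use pip version with burpui_version var.` is also the only inline comment in this block; the surrounding file puts comments on their own line.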
@@ -18,53 +21,19 @@ burpui_pip_packages: - { name: "{{ burpui_pip_burpui }}[celery]", version: "{{ burpui_version }}" } - { name: "{{ burpui_pip_burpui }}[websocket]", version: "{{ burpui_version }}" } -# https://git.ziirish.me/ziirish/burp-ui/-/blob/master/requirements.txt -burpui_pip_dev_present: - #- "cryptography" - - "redis==3.5.3" - #- "Flask-Migrate" - - "celery>=5.1.0" - - "cffi>=1.14.5" - - "gevent>=21.1.2" - - "ujson>=1.35" - - "urllib3>=1.19" # required to avoid issues with get_url module - # - "ndg-httpsclient>=0.4.2" # required to avoid issues with get_url module - - "pyasn1==0.4.8" - #- "six>=1.10.0" # try to fix error in dependencies with requests[security] - - "requests[security]>=2.12" # required to avoid issues with get_url module - - "Flask-Limiter==1.4" - - trio>=0.18.0 - - Flask>=1.1.2 - - Flask-Login>=0.5.0 - - Flask-Bower>=1.3.0 - - Flask-Babel>=2.0.0 - - Flask-WTF>=0.14.3 - - flask-restx>=0.3.0 - - Flask-Caching>=1.10.1 - - Flask-Session>=0.3.2 - - WTForms>=2.3.3 - - arrow>=0.14.2 - - pluginbase>=1.0.0 - - tzlocal>=2.1 - - pyOpenSSL>=20.0.1 - - configobj>=5.0.6 - - async_generator>=1.10 - - Click>=7.1.2 - -burpui_pip_present: - #- "cryptography" - - "redis==3.5.3" - #- "Flask-Migrate" - - "celery>=5.1.0" - - "cffi>=1.14.5" - - "gevent>=21.1.2" - - "ujson>=1.35" - - "urllib3>=1.19" # required to avoid issues with get_url module - # - "ndg-httpsclient>=0.4.2" # required to avoid issues with get_url module - - "pyasn1==0.4.8" - #- "six>=1.10.0" # try to fix error in dependencies with requests[security] - - "requests[security]>=2.12" # required to avoid issues with get_url module +##### --- CONFIG SECTION --- ##### +# burp backend to load either one of 'burp1', 'burp2', 'parallel' or 'multi'. +# If you choose 'multi', you will have to declare at lease one 'Agent' section. +# If you choose 'parallel', you need to configure the [Parallel] section. 
+# Parallel is not yet added and tested, see issue#33 +# If you choose 'burp2', you need to configure the [Burp] +# section. +# The [Burp] section is also used with the 'parallel' backend for the restoration +# process. +# You can also use whatever custom backend you like if it is located in the +# 'plugins' directory and if it implements the right interface. +burpui_backend: burp2 burpui_nginx_port: "8080" # This is to check availability and nginx template as reverse proxy @@ -72,11 +41,11 @@ burpui_global_port: "5000" #[Global] # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#configuration -burpui_standalone: true -burpui_global_version: "2" -burpui_global_auth: "basic" -burpui_global_acl: "basic" -burpui_global_prefix: "none" +burpui_global_version: '2' +burpui_global_auth: 'basic' +# use burpui_global_acl: 'basic' to enable this +burpui_global_acl: 'none' # By default don't enable acl +burpui_global_audit: 'none' burpui_global_plugins: 'none' #[UI] burpui_ui_refresh: "180" @@ -91,10 +60,13 @@ burpui_production_cache: "redis" burpui_production_redis: "localhost:6379" burpui_production_celery: "true" burpui_production_database: "sqlite:////var/spool/burpui/celery.db" -burpui_production_limiter: false +burpui_production_limiter: "false" +burpui_production_prefix: "none" # limiter ratio # see https://flask-limiter.readthedocs.io/en/stable/#ratelimit-string burpui_production_ratio: '60/minute' +burpui_production_num_proxies: '0' +burpui_production_proxy_fix_args: "{'x_proto': {num_proxies}, 'x_for': {num_proxies}, 'x_host': {num_proxies}, 'x_prefix': {num_proxies}}" #[Security] burpui_security_includes: "/etc/burp" burpui_security_enforce: "false" 
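Review bot: The default for `burpui_global_acl` moves from `"basic"` to `'none'`, which switches ACL enforcement off for every deployment that never set the variable, so users who relied on the old default lose the admin/user separation on upgrade without changing anything on their side. The CHANGELOG entry in this commit lists several breaking changes but not this one; add it there, and make the comment state the consequence rather than just the mechanism, e.g. `# 'none' disables ACL checks: every authenticated user can reach every client; set 'basic' and the [BASIC:ACL] vars below to restrict access`. The same hunk drops `burpui_standalone: true`; the README hunk replaces it with `burpui_backend: multi`, so callers that still pass `burpui_standalone` get no error and silently keep the `burp2` backend — worth a sentence in the CHANGELOG as well.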
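Review bot: `burpui_production_num_proxies: '0'` is the right default when nothing sits in front of gunicorn, but this role configures nginx as the reverse proxy by default (`burpui_nginx_port`), and with zero trusted hops the application presumably sees every request as coming from the proxy address, which affects the limiter keyed on `burpui_production_ratio` and any per-client audit records. Document the coupling instead of leaving it to be discovered: `# trusted proxy hops in front of gunicorn; '1' when the nginx proxy configured by this role is used. Never set it above the real hop count, otherwise clients can forge X-Forwarded-* headers.` The template that renders `burpui_production_proxy_fix_args` and substitutes `{num_proxies}` is not in this diff, so confirm the placeholder is actually expanded and not written literally into burpui.cfg.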
@@ -120,9 +92,11 @@ burpui_backend_bconfcli: "/etc/burp/burp.conf" burpui_backend_bconfsrv: "/etc/burp/burp-server.conf" burpui_backend_tmpdir: "/tmp" burpui_backend_timeout: "60" -#[LDAP] +burpui_backend_deep_inspection: "false" +# [Global] +# auth = ldap +#[LDAP:AUTH] # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#ldap -burpui_ldap_enabled: false burpui_ldap_priority: "1" burpui_ldap_host: "127.0.0.1" burpui_ldap_port: "389" 
@@ -135,43 +109,59 @@ burpui_ldap_base: '"ou=users,dc=example,dc=com"' burpui_ldap_binddn: '"cn=admin,dc=example,dc=com"' burpui_ldap_bindpw: "Sup3rS3cr3tPa$$w0rd" -#[BASIC] +#[BASIC:AUTH] burpui_basic_enabled: false burpui_basic_priority: "2" # Enable mixed to allow plain passwords https://git.ziirish.me/ziirish/burp-ui/issues/177#note_1794 burpui_basic_mixed: "true" burpui_basic_users: - - { name: "admin", password: "admin" } + - { name: "admin", password: "plain$$adminstrongpassword" } + -#[LOCAL] +#[LOCAL:AUTH] # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#local burpui_local_enabled: false burpui_local_priority: "3" burpui_local_users: "user1,user2" # Minimum uid that will be allowed to login burpui_local_limit: 1000 - +#[ACL] +burpui_acl_extended: 'true' +burpui_acl_assume_rw: 'true' +burpui_acl_inverse_inheritance: 'false' +burpui_acl_implicit_link: 'true' +burpui_acl_legacy: 'false' #[BASIC:ACL] burpui_basic_acl_enabled: false burpui_basic_acl_priority: 100 burpui_basic_acl_admins: "user1,user2" burpui_basic_acl_users: false # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#basic-acl -#burpui_basic_acl_users: -# - +moderator = user5,user6 -# - @moderator = '{"agents":{"ro":["agent1"]}}' +# burpui_basic_acl_users: +# - '+moderator = user5,user6' +# - '@moderator = '{"agents":{"ro":["agent1"]}}' # bui-agent -# change burpui_standalone: false # To use multiple agents: +# set burpui_backend: multiagent burpui_agents: - { name: "localhost", address: "127.0.0.1", port: "5001", password: "password", ssl: "false" } +# TODO: Add support for parallel backend +# https://burp-ui.readthedocs.io/en/latest/advanced_usage.html#parallel +# burpui_parallel_host: localhost +# burpui_parallel_port: 1111 +# burpui_parallel_timeout: 15 +# burpui_parallel_password: xxsdfsdfsf +# burpui_parallel_ssl: true +# burpui_parallel_concurrency: 2 +# burpui_parallel_init_wait: 15 + # Bui Celery burpui_sv_priority: "20" burpui_sv_directory: "/tmp" 
burpui_sv_environment: "C_FORCE_ROOT=true" -burpui_sv_command: "/usr/local/bin/bui-celery -c /etc/burp/burpui.cfg -- --beat" +burpui_sv_command: "{{ burpui_virtualenv_bin }}/bui-celery -c /etc/burp/burpui.cfg -- --beat" burpui_sv_autostart: "true" burpui_sv_autorestart: "true" burpui_sv_stdout_logfile: "/var/log/supervisor/%(program_name)s.log" @@ -186,3 +176,47 @@ burpui_group: 'root' gunicorn_systemd_service: True bui_use_systemd: True gunicorn_upstart_service: False + +# Burpui audit basic +# https://burp-ui.readthedocs.io/en/latest/advanced_usage.html#basic-audit +burpui_audit_priority: '100' +burpui_audit_level: 'WARNING' +burpui_audit_logfile: 'none' +burpui_audit_max_bytes: '30 * 1024 * 1024' +burpui_audit_rotate: '5' + +##### --- END CONFIG SECTION --- ##### + +##### --- PIP PACKAGES SECTION --- ##### + +# https://git.ziirish.me/ziirish/burp-ui/-/blob/master/requirements.txt +burpui_virtualenv: /venv_apps/bui +burpui_virtualenv_bin: "{{ burpui_virtualenv}}/bin" +burpui_virtualenv_python: python3 + +# There are links in virtualenv_bin to link to /usr/local/bin +burpui_bin_links: + - bui-agent-legacy + - bui-celery + - bui-manage + - bui-monitor + - burp-ui + - burp-ui-legacy + - jsonschema + - normalizer + +burpui_pip_present: + #- "cryptography" + - "redis==3.5.3" + #- "Flask-Migrate" + - "celery>=5.1.0" + - "cffi>=1.14.5" + - "gevent>=21.1.2" + - "ujson>=1.35" + - "urllib3>=1.19" # required to avoid issues with get_url module + # - "ndg-httpsclient>=0.4.2" # required to avoid issues with get_url module + - "pyasn1==0.4.8" + #- "six>=1.10.0" # try to fix error in dependencies with requests[security] + - "requests[security]>=2.12" # required to avoid issues with get_url module + +##### --------------------------- ##### diff --git a/files/requirements_dev.txt b/files/requirements_dev.txt new file mode 100644 index 0000000..4f2ceab --- /dev/null +++ b/files/requirements_dev.txt 
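Review bot: `burpui_basic_users` ships a default admin credential (`plain$$adminstrongpassword`) next to `burpui_basic_mixed: "true"`, so any deployment that sets `burpui_basic_enabled: true` without overriding the list runs with a well-known plaintext password; the README hunk in this same commit documents `generate_password_hash`, so the default should be a hashed value or be marked as a placeholder, e.g. `# placeholder only — override with a pbkdf2 hash (see README) before enabling basic auth`. The comment `# set burpui_backend: multiagent` names a value that appears nowhere else: the backend list at the top of this file says `'burp1', 'burp2', 'parallel' or 'multi'` and the README hunk uses `burpui_backend: multi`, so change it to `# set burpui_backend: multi`. The commented example `# - '@moderator = '{"agents":{"ro":["agent1"]}}'` has unbalanced quotes and would not parse if someone uncommented it; `# - '@moderator = {"agents":{"ro":["agent1"]}}'` is the quoting the line above it uses.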
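Review bot: `burpui_virtualenv_bin: "{{ burpui_virtualenv}}/bin"` is missing the space before the closing braces; Jinja accepts it, but every other expression in the file writes `{{ var }}`, so make it `"{{ burpui_virtualenv }}/bin"`. `burpui_bin_links` publishes venv entry points into `/usr/local/bin`, which on a typical PATH shadows a distribution package of the same name for every user on the host; for the generic tools in the list (`jsonschema`, `normalizer`) a comment saying why a system-wide link is needed, or dropping them from the default, would help a reviewer judge the list. `burpui_audit_max_bytes: '30 * 1024 * 1024'` is an arithmetic expression stored as a string; if burp-ui evaluates it, say so in a comment pointing at the audit docs so nobody "fixes" it to a plain integer later.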
@@ -0,0 +1,34 @@ +redis==3.5.3 +#- Flask-Migrate +celery>=5.1.0 +cffi>=1.14.5 +gevent>=21.12.0 +ujson>=1.35 +urllib3>=1.19 # required to avoid issues with get_url module +# - ndg-httpsclient>=0.4.2 # required to avoid issues with get_url module +pyasn1==0.4.8 +#- six>=1.10.0 # try to fix error in dependencies with requests[security] +requests[security]>=2.12 # required to avoid issues with get_url module +Flask-Limiter==1.4 +trio>=0.18.0 +# workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 +Flask>=1.1.4 +Flask-Login>=0.5.0 +Flask-Bower>=1.3.0 +Flask-Babel>=2.0.0 +Flask-WTF>=0.14.3 +flask-restx>=0.3.0 +Flask-Caching>=1.10.1 +Flask-Session>=0.3.2 +WTForms>=2.3.3 +arrow>=1.1.1 +pluginbase>=1.0.0 +tzlocal>=2.1 +# workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 +pyOpenSSL>=20.0.1 +configobj>=5.0.6 +async_generator>=1.10 +Click>=7.1.2 +# workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 +Werkzeug==2.0.2 +cryptography==36.0.2 diff --git a/meta/main.yml b/meta/main.yml index a878927..12b9f05 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -18,7 +18,7 @@ galaxy_info: # - CC-BY license: MIT - min_ansible_version: 2.0 + min_ansible_version: 2.13 # Optionally specify the branch Galaxy will use when accessing the GitHub # repo for this role. During role install, if no tags are available, @@ -136,7 +136,8 @@ galaxy_info: # - 9.3 - name: Ubuntu versions: - - all + - jammy + - kinetic # - lucid # - maverick # - natty @@ -172,7 +173,8 @@ galaxy_info: # - any - name: Debian versions: - - all + - bullseye + - bookworm # - etch # - jessie # - lenny diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index f1846a6..7934bb2 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml 
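Review bot: `Werkzeug==2.0.2`, `cryptography==36.0.2`, `redis==3.5.3` and `Flask-Limiter==1.4` are hard pins added as workarounds, and nothing records when they should be revisited, so they keep the venv on those exact releases — including the TLS/crypto library — long after the upstream issue is resolved; put the date or the tracking issue next to each pin. The file also carries no hashes, so `pip install -r` trusts whatever the index serves for every `>=` floor; a generated lock file (for example `pip-compile --generate-hashes`) would fix both the aging pins and the unbounded ranges in one place. `gevent>=21.12.0` here differs from `gevent>=21.1.2` in `burpui_pip_present` in defaults/main.yml; if the difference is intentional, a comment saying which path needs the newer floor avoids the two lists drifting further.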
@@ -2,7 +2,6 @@
 - name: Converge
 hosts: all
 vars:
- burpui_standalone: True
 burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui'
 burpui_use_dev: True
 tasks:
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 2e4d691..84b35a2 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -28,7 +28,4 @@ provisioner:
 name: ansible
 config_options:
 defaults:
- callback_whitelist: profile_tasks
- ssh_connection:
- pipelining: true
- ssh_args: -o ControlMaster=auto -o ControlPersist=60s
+ callback_enabled: profile_tasks
diff --git a/molecule/local-rocky9/converge.yml b/molecule/local-rocky9/converge.yml
new file mode 100644
index 0000000..ccfc714
--- /dev/null
+++ b/molecule/local-rocky9/converge.yml
@@ -0,0 +1,12 @@
+---
+- name: Converge
+ hosts: all
+ tasks:
+ # - name: Include ansible_burp2_server
+ # include_role:
+ # name: coffeeitworks.burp2_server
+ - name: Include ansible_burpui_server
+ include_role:
+ name: ansible_burpui_server
+ tags:
+ - burpui-server
diff --git a/molecule/local-rocky9/molecule.yml b/molecule/local-rocky9/molecule.yml
new file mode 100644
index 0000000..2bd64b9
--- /dev/null
+++ b/molecule/local-rocky9/molecule.yml
@@ -0,0 +1,31 @@
+---
+# dependency:
+# name: galaxy
+# options:
+# ignore-certs: True
+# ignore-errors: True
+# role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed
+driver:
+ name: podman
+platforms:
+
+ - name: ansible_burpui_rocky9
+ image: "docker.io/geerlingguy/docker-rockylinux9-ansible:latest"
+ #privileged: True
+ command: "/lib/systemd/systemd"
+ pre_build_image: true
+ capabilities:
+ - SYS_ADMIN
+ tmpfs:
+ - /run
+ - /tmp
+ volumes:
+ - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+ groups:
+ - group1
+
+provisioner:
+ name: ansible
+ config_options:
+ defaults:
+ callback_enabled: profile_tasks
diff --git a/molecule/centos-8/verify.yml b/molecule/local-rocky9/verify.yml similarity index 100% rename from molecule/centos-8/verify.yml rename to molecule/local-rocky9/verify.yml diff --git a/molecule/local-stable/converge.yml b/molecule/local-stable/converge.yml index ee8ba1a..c60152c 100644 --- a/molecule/local-stable/converge.yml +++ b/molecule/local-stable/converge.yml @@ -1,12 +1,9 @@ --- - name: Converge hosts: all - vars: - burpui_standalone: True - burpui_use_dev: False tasks: - name: Include ansible_burpui_server include_role: name: ansible_burpui_server tags: - - burpui-server \ No newline at end of file + - burpui-server diff --git a/molecule/local-stable/molecule.yml b/molecule/local-stable/molecule.yml index 25bf3a1..7f2fb73 100644 --- a/molecule/local-stable/molecule.yml +++ b/molecule/local-stable/molecule.yml @@ -1,16 +1,16 @@ --- -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed +# dependency: +# name: galaxy +# options: +# ignore-certs: True +# ignore-errors: True +# role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed driver: name: podman platforms: - - name: ansible_burpui_stable_server-01 - image: "geerlingguy/docker-ubuntu2004-ansible:latest" + - name: ansible_burpui_rocky9 + image: "docker.io/geerlingguy/docker-rockylinux9-ansible:latest" #privileged: True command: "/lib/systemd/systemd" pre_build_image: true @@ -24,10 +24,10 @@ platforms: groups: - group1 - - name: ansible_burpui_stable_server-04 - image: "geerlingguy/docker-centos8-ansible" - command: /usr/sbin/init + - name: ansible_burpui_server-03 + image: "geerlingguy/docker-ubuntu2204-ansible:latest" #privileged: True + command: /sbin/init pre_build_image: true capabilities: - SYS_ADMIN 
@@ -43,7 +43,4 @@ provisioner: name: ansible config_options: defaults: - callback_whitelist: profile_tasks - ssh_connection: - pipelining: false - ssh_args: -o ControlMaster=auto -o ControlPersist=60s + callback_enabled: profile_tasks diff --git a/molecule/local/converge.yml b/molecule/local/converge.yml index f1846a6..69d1548 100644 --- a/molecule/local/converge.yml +++ b/molecule/local/converge.yml @@ -2,12 +2,13 @@ - name: Converge hosts: all vars: - burpui_standalone: True - burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' burpui_use_dev: True tasks: + # - name: Include ansible_burp2_server + # include_role: + # name: coffeeitworks.burp2_server - name: Include ansible_burpui_server include_role: name: ansible_burpui_server tags: - - burpui-server \ No newline at end of file + - burpui-server diff --git a/molecule/local/molecule.yml b/molecule/local/molecule.yml index 35de51d..0eef09c 100644 --- a/molecule/local/molecule.yml +++ b/molecule/local/molecule.yml @@ -1,16 +1,16 @@ --- -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed +# dependency: +# name: galaxy +# options: +# ignore-certs: True +# ignore-errors: True +# role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed driver: name: podman platforms: - name: ansible_burpui_server-01 - image: "geerlingguy/docker-ubuntu2004-ansible:latest" + image: "geerlingguy/docker-ubuntu2204-ansible:latest" #privileged: True command: "/lib/systemd/systemd" pre_build_image: true @@ -28,7 +28,4 @@ provisioner: name: ansible config_options: defaults: - callback_whitelist: profile_tasks - ssh_connection: - pipelining: false - ssh_args: -o ControlMaster=auto -o ControlPersist=60s + callback_enabled: profile_tasks 
diff --git a/molecule/centos-8/converge.yml b/molecule/rocky9/converge.yml similarity index 55% rename from molecule/centos-8/converge.yml rename to molecule/rocky9/converge.yml index f1846a6..d2671ff 100644 --- a/molecule/centos-8/converge.yml +++ b/molecule/rocky9/converge.yml @@ -2,9 +2,8 @@ - name: Converge hosts: all vars: - burpui_standalone: True - burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' - burpui_use_dev: True + # burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' + # burpui_use_dev: True tasks: - name: Include ansible_burpui_server include_role: diff --git a/molecule/centos-8/molecule.yml b/molecule/rocky9/molecule.yml similarity index 70% rename from molecule/centos-8/molecule.yml rename to molecule/rocky9/molecule.yml index 196633d..917bcd2 100644 --- a/molecule/centos-8/molecule.yml +++ b/molecule/rocky9/molecule.yml @@ -9,8 +9,8 @@ driver: name: docker platforms: - - name: ansible_burpui_server-04 - image: "geerlingguy/docker-centos8-ansible" + - name: ansible_burpui_server-rocky9 + image: "docker.io/geerlingguy/docker-rockylinux9-ansible:latest" command: /sbin/init privileged: True pre_build_image: true @@ -28,7 +28,4 @@ provisioner: name: ansible config_options: defaults: - callback_whitelist: profile_tasks - ssh_connection: - pipelining: true - ssh_args: -o ControlMaster=auto -o ControlPersist=60s + callback_enabled: profile_tasks diff --git a/molecule/ubuntu-2004/verify.yml b/molecule/rocky9/verify.yml similarity index 100% rename from molecule/ubuntu-2004/verify.yml rename to molecule/rocky9/verify.yml diff --git a/molecule/ubuntu-2004/molecule.yml b/molecule/ubuntu-2004/molecule.yml deleted file mode 100644 index ce99657..0000000 --- a/molecule/ubuntu-2004/molecule.yml +++ /dev/null 
@@ -1,34 +0,0 @@
----
-dependency:
- name: galaxy
- options:
- ignore-certs: True
- ignore-errors: True
- role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed
-driver:
- name: docker
-platforms:
-
- - name: ansible_burpui_server-03
- image: "geerlingguy/docker-ubuntu2004-ansible"
- privileged: True
- command: /sbin/init
- pre_build_image: true
- capabilities:
- - SYS_ADMIN
- tmpfs:
- - /run
- - /tmp
- volumes:
- - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
- groups:
- - use_pip_package
-
-provisioner:
- name: ansible
- config_options:
- defaults:
- callback_whitelist: profile_tasks
- ssh_connection:
- pipelining: true
- ssh_args: -o ControlMaster=auto -o ControlPersist=60s
diff --git a/molecule/ubuntu-2004/converge.yml b/molecule/ubuntu-2204/converge.yml
similarity index 55%
rename from molecule/ubuntu-2004/converge.yml
rename to molecule/ubuntu-2204/converge.yml
index 8533fdb..ff2efe1 100644
--- a/molecule/ubuntu-2004/converge.yml
+++ b/molecule/ubuntu-2204/converge.yml
@@ -2,9 +2,8 @@
 - name: Converge
 hosts: all
 vars:
- burpui_standalone: True
- burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui'
- burpui_use_dev: True
+ # burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui'
+ # burpui_use_dev: True
 tasks:
 - name: Include ansible_burpui_server
 include_role:
diff --git a/molecule/ubuntu-2204/molecule.yml b/molecule/ubuntu-2204/molecule.yml
new file mode 100644
index 0000000..55d067d
--- /dev/null
+++ b/molecule/ubuntu-2204/molecule.yml
@@ -0,0 +1,31 @@ +--- +# dependency: +# name: galaxy +# options: +# ignore-certs: True +# ignore-errors: True +# role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed +driver: + name: docker +platforms: + + - name: ansible_burpui_server-03 + image: "geerlingguy/docker-ubuntu2204-ansible:latest" + privileged: True + command: /sbin/init + pre_build_image: true + capabilities: + - SYS_ADMIN + tmpfs: + - /run + - /tmp + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:ro" + groups: + - use_pip_package + +provisioner: + name: ansible + config_options: + defaults: + callback_enabled: profile_tasks diff --git a/molecule/ubuntu-2204/verify.yml b/molecule/ubuntu-2204/verify.yml new file mode 100644 index 0000000..a82dd6f --- /dev/null +++ b/molecule/ubuntu-2204/verify.yml @@ -0,0 +1,9 @@ +--- +# This is an example playbook to execute Ansible tests. + +- name: Verify + hosts: all + tasks: + - name: Example assertion + assert: + that: true diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index c94e06c..054aee3 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -1,17 +1,17 @@ --- -- name: install EPEL release package for RHEL - yum: - name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" - state: latest - retries: 2 - delay: 2 - when: ansible_distribution == 'Red Hat Enterprise Linux' +# - name: RedHat | install EPEL release package for RHEL +# yum: +# name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" +# state: latest +# retries: 2 +# delay: 2 +# when: ansible_distribution == 'Red Hat Enterprise Linux' -- name: redhat | install EPEL release package for Centos - yum: +- name: RedHat | install EPEL release package + dnf: name: "epel-release" state: present retries: 3 delay: 2 - when: ansible_distribution == 'CentOS' + when: ansible_os_family == 'RedHat' 
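Review bot: `that: true` makes the Verify stage of the ubuntu-2204 scenario pass unconditionally, and this scenario is one of the two the GitHub workflow matrix now runs, so a converge that leaves the service stopped or the nginx proxy not answering on `burpui_nginx_port` is still reported green. Replace the example with a real check, for instance a `uri` task against the proxy port and an assertion that the gunicorn and bui-celery services are active; if the renamed rocky9 verify.yml already does this, reuse it here rather than keeping a placeholder. The `# This is an example playbook` comment should go with it.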
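Review bot: The EPEL task now runs for the whole `RedHat` family and installs `epel-release` from the configured repositories, but on RHEL proper that package is typically not in the default repos — the task this commit comments out installed it from the Fedora URL for exactly that case — so the role presumably fails at this step on RHEL 9 hosts while working on Rocky/Alma/CentOS Stream. Either keep a RHEL-specific branch or state the limitation next to the task: `# epel-release is taken from the distribution repos (Rocky/Alma/CentOS Stream); on RHEL enable EPEL before running this role`. If the commented-out task is kept for reference, note that its `state: latest` from a remote URL without a checksum is not something to revive as-is.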
diff --git a/tasks/bui-celery.yml b/tasks/bui-celery.yml index 8140b0d..ce5a112 100644 --- a/tasks/bui-celery.yml +++ b/tasks/bui-celery.yml @@ -1,15 +1,25 @@ --- # file defaults/bui-celery.yml -- name: create burp ui folder +- name: bui-celery | create burp ui folder file: path: /var/spool/burpui state: directory -- name: include supervisord tasks [DEPRECATED] +- name: bui-celery | include supervisord tasks [DEPRECATED] include_tasks: supervisor.yml when: not bui_use_systemd -- name: include systemd tasks +- name: bui-celery | workaround link to /bin/celery + ansible.builtin.file: + src: "{{ burpui_virtualenv_bin }}/celery" + dest: /bin/celery + owner: root + group: root + mode: '0755' + state: link + + +- name: bui-celery | include systemd tasks include_tasks: systemd.yml when: bui_use_systemd diff --git a/tasks/bui-monitor.yml b/tasks/bui-monitor.yml new file mode 100644 index 0000000..363bd8d --- /dev/null +++ b/tasks/bui-monitor.yml @@ -0,0 +1,2 @@ +# https://burp-ui.readthedocs.io/en/latest/buimonitor.html#architecture +# TODO: Implement this. \ No newline at end of file diff --git a/tasks/bui-upgrade.yml b/tasks/bui-upgrade.yml index 91e1345..136a61f 100644 --- a/tasks/bui-upgrade.yml +++ b/tasks/bui-upgrade.yml @@ -5,8 +5,8 @@ # name: burp-ui[sql] # state: 0.4.2 -- name: Upgrade database schema - shell: LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 bui-manage -c /etc/burp/burpui.cfg db upgrade +- name: bui-upgrade | Upgrade database schema + shell: "LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 {{ burpui_virtualenv_bin }}/bui-manage -c /etc/burp/burpui.cfg db upgrade" ignore_errors: yes changed_when: False diff --git a/tasks/gunicorn.yml b/tasks/gunicorn.yml index d90c308..c56efdf 100644 --- a/tasks/gunicorn.yml +++ b/tasks/gunicorn.yml 
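Review bot: The new `bui-celery | workaround link to /bin/celery` task creates a root-owned symlink in `/bin`, but nothing says what needs `/bin/celery` (the systemd unit template is not in this diff), so a later cleanup cannot tell whether the link is still required; add a comment naming the consumer, e.g. `# the bui-celery systemd unit invokes celery by absolute path — TODO confirm, and drop once the unit uses {{ burpui_virtualenv_bin }}`. The task sits between the supervisord and systemd includes but is unconditional, so it also runs on hosts with `bui_use_systemd: false`; if the systemd unit is indeed the consumer, `when: bui_use_systemd` keeps the workaround scoped to the path that needs it. The double blank line before `include systemd tasks` is a style nit.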
@@ -1,24 +1,10 @@ --- # https://github.com/ziirish/burp-ui/blob/master/docs/gunicorn.rst -- name: set gunicorn_upstart_service true for Ubuntu 14.04 - set_fact: - gunicorn_upstart_service: True - when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int == 14 - #- name: debug see vars # debug: # msg: "distribution: {{ ansible_distribution }}, major version: {{ ansible_distribution_major_version|int }}, pip exe: {{ python_pip_executable }} " -# gunicorn system package should not be used when using python3 -- name: gunicorn | uninstall gunicorn system packages - package: - name: "{{ item }}" - state: absent - with_items: - - gunicorn - - python-gunicorn - - name: gunicorn | directory /var/log/gunicorn file: path: '/var/log/gunicorn' @@ -31,28 +17,19 @@ pip: name: gunicorn>=19.7.1 state: present - executable: "{{ python_pip_executable }}" + virtualenv: "{{ burpui_virtualenv }}" + virtualenv_python: "{{ burpui_virtualenv_python }}" -- name: check /usr/local/bin/gunicorn stat +- name: check "{{ burpui_virtualenv }}/gunicorn/bin/gunicorn" stat stat: - path: /usr/local/bin/gunicorn + path: "{{ burpui_virtualenv_bin }}/gunicorn" register: gunicorn_local_bin_stat -- name: set /usr/local/bin/gunicorn as gunicorn path +- name: set "{{ burpui_virtualenv }}/gunicorn/bin/gunicorn" as gunicorn path set_fact: - burpui_gunicorn_bin: /usr/local/bin/gunicorn + burpui_gunicorn_bin: "{{ burpui_virtualenv_bin }}/gunicorn" when: gunicorn_local_bin_stat.stat.exists -- name: check /usr/bin/gunicorn stat - stat: - path: /usr/bin/gunicorn - register: gunicorn_bin_stat - -- name: set /usr/bin/gunicorn as gunicorn path - set_fact: - burpui_gunicorn_bin: /usr/bin/gunicorn - when: gunicorn_bin_stat.stat.exists - - block: - name: gunicorn | Debian configure gunicorn server diff --git a/tasks/main.yml b/tasks/main.yml index 4e1915a..3188648 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
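Review bot: The task names `check "{{ burpui_virtualenv }}/gunicorn/bin/gunicorn" stat` and `set "{{ burpui_virtualenv }}/gunicorn/bin/gunicorn" as gunicorn path` describe a path the tasks do not use; both the `stat` and the `set_fact` use `{{ burpui_virtualenv_bin }}/gunicorn`, so rename them to `check {{ burpui_virtualenv_bin }}/gunicorn stat` and `set {{ burpui_virtualenv_bin }}/gunicorn as gunicorn path`. With the `/usr/bin/gunicorn` fallback removed, `burpui_gunicorn_bin` stays undefined whenever the stat fails, and the tasks that render it (outside this hunk) would presumably stop with an undefined-variable error rather than a clear message; an `assert` on `gunicorn_local_bin_stat.stat.exists` with a `fail_msg` naming the venv makes the failure explicit. The first hunk drops the uninstall of the distribution `gunicorn` packages; if a pre-installed system gunicorn no longer matters because every invocation now uses the absolute venv path, a one-line comment saying so would save the next reader from re-adding it.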
@@ -2,40 +2,44 @@ # file: tasks/main.yml # https://git.ziirish.me/ziirish/burp-ui/blob/master/docker/docker-burpui/assets/setup/install -- include_tasks: multi_os.yml +- name: main | include multi_os.yml + include_tasks: multi_os.yml -- include_tasks: RedHat.yml +- name: main | include RedHat.yml + include_tasks: RedHat.yml when: ansible_os_family == 'RedHat' and ansible_distribution != 'Fedora' -- include_tasks: requirements.yml +- name: main | include requirements.yml + include_tasks: requirements.yml -- include_tasks: requirements_dev.yml +- name: main | include requirements_dev.yml + include_tasks: requirements_dev.yml when: burpui_use_dev -- name: set gunicorn_systemd_service true for Ubuntu 16.04 and newer +- name: main | set gunicorn_systemd_service true for Ubuntu 16.04 and newer set_fact: gunicorn_systemd_service: True when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 16 -- name: set gunicorn_systemd_service true for Debian 8 and newer +- name: main | set gunicorn_systemd_service true for Debian 8 and newer set_fact: gunicorn_systemd_service: True when: ansible_distribution == 'Debian' and ansible_distribution_major_version|int >= 8 -- name: set gunicorn_systemd_service true for RedHat +- name: main | set gunicorn_systemd_service true for RedHat set_fact: gunicorn_systemd_service: True when: ansible_os_family == 'RedHat' -- include_tasks: python3_pip.yml - when: python_pip_executable == "pip3" +- name: main | include python3_pip.yml + include_tasks: python3_pip.yml -- name: create burp folder +- name: main | create burp folder file: path: /etc/burp state: directory -- name: configure burpui server +- name: main | configure burpui server template: src: "{{ item.src }}" dest: "{{ item.dest }}" 
@@ -46,14 +50,14 @@
- { src: "burpui_site.j2", dest: "{{ burpui_nginx_config_path }}" }
notify: restart burpui services
-- name: enable nginx site
+- name: main | enable nginx site
file:
src: "{{ burpui_nginx_config_path }}"
dest: "/etc/nginx/sites-enabled/burpui"
state: link
when: ansible_os_family == 'Debian'
-- name: fix httproxy issue in ngnix
+- name: main | fix httproxy issue in ngnix
lineinfile:
dest: "/etc/nginx/fastcgi_params"
regexp: "{{ item.src }}"
@@ -62,7 +66,8 @@
- { src: 'fastcgi_param HTTP_PROXY "";' , value: 'fastcgi_param HTTP_PROXY "";' }
# include tasks for gunicorn specific
-- include_tasks: gunicorn.yml
+- name: main | include gunicorn.yml
+ include_tasks: gunicorn.yml
- include_tasks: bui-celery.yml
when: burpui_production_celery | bool
@@ -71,7 +76,7 @@
- include_tasks: bui-upgrade.yml
when: bui_pip_install.changed and not burpui_installed_check.changed
-- name: ensure services are started and enabled
+- name: main | ensure services are started and enabled
service:
name: "{{ item }}"
state: started
diff --git a/tasks/multi_os.yml b/tasks/multi_os.yml
index 1657c93..da62af3 100644
--- a/tasks/multi_os.yml
+++ b/tasks/multi_os.yml
@@ -1,7 +1,7 @@
---
# file: tasks/multi_os.yml
-- name: Gather OS Specific Variables
+- name: multi_os | Gather OS Specific Variables
include_vars: "{{ item }}"
with_first_found:
- "../vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
diff --git a/tasks/python3_pip.yml b/tasks/python3_pip.yml
index 786f29a..0959921 100644
--- a/tasks/python3_pip.yml
+++ b/tasks/python3_pip.yml
@@ -1,10 +1,17 @@
---
+- name: pip3 | install virtualenv from pip3
+ pip:
+ name: "virtualenv>=20.16.6"
+ state: present
+ executable: "pip3"
+
- name: pip3 | check only if burpui is installed
pip:
name: "{{ burpui_pip_burpui }}"
state: present
- executable: "{{ python3_pip }}"
+ virtualenv: "{{ burpui_virtualenv }}"
+ virtualenv_python: "{{ burpui_virtualenv_python }}"
register: burpui_installed_check
check_mode: yes
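Review bot: The `main |` naming the commit applies to every other include in tasks/main.yml is not applied to `- include_tasks: bui-celery.yml` and `- include_tasks: bui-upgrade.yml` in the second and third hunks of this file, which are left as the only unnamed tasks; for consistency give them `- name: main | include bui-celery.yml` and `- name: main | include bui-upgrade.yml` with the `include_tasks` moved under the name as the commit does elsewhere. Those two includes are visible only as context lines here, so their exact surroundings are inferred.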
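Review bot: `pip3 | install virtualenv from pip3` runs `pip3` against the system interpreter as root, the one remaining task that writes to system site-packages after the rest of the role moved into `{{ burpui_virtualenv }}`; where the distribution ships its own `python3-virtualenv` (the vars files in this diff comment that package out with `# Install with pip now`) a pip-installed copy can shadow or conflict with the packaged one. The pip module's `virtualenv_command` parameter lets the later venv tasks use the interpreter's bundled module instead, e.g. `virtualenv_command: "{{ burpui_virtualenv_python }} -m venv"`, removing the system-wide install entirely. Whether the target images already carry `python3-virtualenv` is not visible in this chunk.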
@@ -12,20 +19,22 @@
pip:
name: 'pip>=20'
state: present
- executable: "{{ python3_pip }}"
+ virtualenv: "{{ burpui_virtualenv }}"
+ virtualenv_python: "{{ burpui_virtualenv_python }}"
- name: pip3 | install pip packages
pip:
name: '{{ burpui_pip_present }}'
state: present
- executable: "{{ python3_pip }}"
+ virtualenv: "{{ burpui_virtualenv }}"
+ virtualenv_python: "{{ burpui_virtualenv_python }}"
when: not burpui_use_dev
-- name: pip3 | install pip dev packages
+- name: pip3 | install pip dev packages from requirements_dev.txt
pip:
- name: '{{ burpui_pip_dev_present }}'
- state: present
- executable: "{{ python3_pip }}"
+ requirements: "{{ burpui_virtualenv }}/requirements_dev.txt"
+ virtualenv: "{{ burpui_virtualenv }}"
+ virtualenv_python: "{{ burpui_virtualenv_python }}"
when: burpui_use_dev
- name: pip3 | Install pip packages by version
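Review bot: Every pip task in this file now repeats the same two lines, `virtualenv: "{{ burpui_virtualenv }}"` and `virtualenv_python: "{{ burpui_virtualenv_python }}"` (the first and third hunks of this file do the same); wrapping the tasks in a `block:` with `module_defaults:` for `ansible.builtin.pip` states the venv once and keeps a later rename from missing one task. This is a point of style only — behaviour is unchanged.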
@@ -33,15 +42,38 @@
name: "{{ item.name }}"
state: present
version: "{{ item.version}}"
- executable: "{{ python3_pip }}"
+ virtualenv: "{{ burpui_virtualenv }}"
+ virtualenv_python: "{{ burpui_virtualenv_python }}"
with_items: "{{ burpui_pip_packages }}"
register: bui_pip_install
when: not burpui_use_dev
notify: restart burpui services
+
+- name: pip3 | workaround link to /bin/flask
+ ansible.builtin.file:
+ src: "{{ burpui_virtualenv_bin }}/flask"
+ dest: /bin/flask
+ owner: root
+ group: root
+ mode: '0755'
+ state: link
- name: pip3 | Install pip packages by tar.gz
- shell: "{{ python3_pip }} install -e {{ burpui_pip_burpui_dev }}"
+ pip:
+ name: "{{ burpui_pip_burpui_dev }}"
+ state: present
+ virtualenv: "{{ burpui_virtualenv }}"
+ virtualenv_python: "{{ burpui_virtualenv_python }}"
register: bui_pip_install
when: burpui_use_dev
notify: restart burpui services
- changed_when: false
+
+- name: bui-celery | links to /usr/local/bin
+ ansible.builtin.file:
+ src: "{{ burpui_virtualenv_bin }}/{{ item }}"
+ dest: "{{ burpui_local_bin }}/{{ item }}"
+ owner: root
+ group: root
+ mode: '0755'
+ state: link
+ with_items: "{{ burpui_bin_links }}"
diff --git a/tasks/requirements.yml b/tasks/requirements.yml
index ac8d609..5cf9a26 100644
--- a/tasks/requirements.yml
+++ b/tasks/requirements.yml
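Review bot: `pip3 | workaround link to /bin/flask` hard-codes `dest: /bin/flask` while the links task added just below derives its destination from `{{ burpui_local_bin }}`, and it carries `mode: '0755'` on a `state: link` entry — a symlink's own mode is not consulted on Linux, and with the file module's default `follow` behaviour the mode is presumably applied to the venv binary the link points at, which does not look intended. Folding `flask` into `burpui_bin_links` would give one task, one destination variable and no stray chmod. The last task is also named `bui-celery | links to /usr/local/bin` although it lives in python3_pip.yml; `pip3 | links to {{ burpui_local_bin }}` keeps the prefix scheme the commit introduces.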
@@ -1,41 +1,53 @@
---
# file: tasks/requirements.yml
-- name: ensure cache for apt is updated
+- name: requirements | ensure cache for apt is updated
apt:
update_cache: yes
cache_valid_time: 43200
changed_when: false
when: ansible_os_family == 'Debian'
-- name: install requirements for ansible pip
+- name: requirements | create virtualenv dir
+ ansible.builtin.file:
+ path: "{{ burpui_virtualenv }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+- name: requirements | ensure install requirements for ansible pip
package:
name: ['python3-setuptools']
state: present
-- name: install burpui package requirements for python3
+- name: requirements | ensure install burpui package requirements for python3
package:
name: "{{ burpui_py3_packages| join(',') }}"
state: present
- when: python_pip_executable == "pip3"
-- name: install role packages
+- name: requirements | ensure install role packages
package:
name: "{{ burpui_packages| join(',') }}"
state: present
-- name: register /usr/local/sbin/burp path
+- name: requirements | redis started
+ service:
+ name: "{{ redis_service }}"
+ state: started
+ enabled: yes
+
+- name: requirements | ensure register /usr/local/sbin/burp path
stat:
path: "/usr/local/sbin/burp"
register: burp_local_sbin_path
-- name: uninstall burpui package requirements for python3
+- name: requirements | ensure uninstall burpui package requirements for python3
package:
name: "{{ burpui_system_absent }}"
state: absent
- when: python_pip_executable == "pip3"
-- name: change burp path var burpui_backend_burpbin
+- name: requirements | ensure change burp path var burpui_backend_burpbin
set_fact:
burpui_backend_burpbin: /usr/local/sbin/burp
when: burp_local_sbin_path.stat.exists
diff --git a/tasks/requirements_dev.yml b/tasks/requirements_dev.yml
index 1f7b7a9..429d527 100644
--- a/tasks/requirements_dev.yml
+++ b/tasks/requirements_dev.yml
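Review bot: `enabled: yes` in the new `requirements | redis started` task is a YAML 1.1 truthy value; the booleans elsewhere in this role are written `true`/`false`, so `enabled: true` avoids a parser-dependent reading (yamllint `truthy`). The task also starts and enables redis unconditionally, while the template only selects redis through `burpui_production_storage`/`celery`; if always running it is intended, one comment line above the task saying so saves the next reader a check. The `requirements | ensure ...` prefix on the `register`, `uninstall` and `change` tasks reads oddly, since those gather a fact or set a variable rather than ensure a state.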
@@ -1,10 +1,17 @@
---
# file: tasks/requirements_dev.yml
-- name: install burpui package requirements dev
+- name: requirements_dev | install burpui package requirements dev
package:
name: "{{ item }}"
state: present
with_items:
- git
+- name: requirements_dev | copy requirements_dev.txt file
+ ansible.builtin.copy:
+ src: 'requirements_dev.txt'
+ dest: "{{ burpui_virtualenv }}/"
+ owner: root
+ group: root
+ mode: '0755'
diff --git a/templates/bui-monitor.cfg.j2 b/templates/bui-monitor.cfg.j2
new file mode 100644
index 0000000..d7fa47c
--- /dev/null
+++ b/templates/bui-monitor.cfg.j2
@@ -0,0 +1,27 @@
+# Burp-UI monitor configuration file
+[Global]
+# On which port is the application listening
+port = 11111
+# On which address is the application listening
+# '::1' is the default for local IPv6
+# set it to '127.0.0.1' if you want to listen on local IPv4 address
+bind = ::1
+# Pool size: number of 'burp -a m' process to load
+pool = 5
+# enable SSL
+ssl = true
+# ssl cert
+sslcert = /var/lib/burp/ssl/server/ssl_cert-server.pem
+# ssl key
+sslkey = /var/lib/burp/ssl/server/ssl_cert-server.key
+# monitor password
+password = password123456
+
+# burp backend specific options
+[Burp]
+# burp binary
+burpbin = /usr/sbin/burp
+# burp client configuration file used for the restoration
+bconfcli = /etc/burp/burp.conf
+# how many time to wait for the monitor to answer (in seconds)
+timeout = 15
diff --git a/templates/burpui.cfg.j2 b/templates/burpui.cfg.j2
index f2d224c..0f4b8cc 100644
--- a/templates/burpui.cfg.j2
+++ b/templates/burpui.cfg.j2
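Review bot: `mode: '0755'` on the copied `requirements_dev.txt` sets the execute bit on a plain text file that is only read by pip (the `requirements:` task in python3_pip.yml); `mode: '0644'` is the appropriate permission.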
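Review bot: `password = password123456` ships a fixed, now-published password in a file that is a `.j2` template yet contains no Jinja expression at all, so every host deployed from this role would get the same monitor secret; render it from a variable with no default, e.g. `password = {{ burpui_monitor_password | mandatory }}`, and template `bind`, `port`, `sslcert`, `sslkey` and `burpbin` the same way instead of hard-coding them. Nothing in this diff shows a task rendering this template; if it is unused it is better removed than left in the role as a ready-made credential.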
@@ -2,16 +2,16 @@
# @version@ - 0.6.0
# @release@ - stable
[Global]
-# burp server version 1 or 2
-version = {{ burpui_global_version }}
-# Handle multiple bui-servers or not
-# If set to 'false', you will need to declare at least one 'Agent' section (see
-# bellow)
-{% if burpui_standalone %}
-single = true
-{% else %}
-single = false
-{% endif %}
+# burp backend to load either one of 'burp1', 'burp2', 'parallel' or 'multi'.
+# If you choose 'multi', you will have to declare at lease one 'Agent' section.
+# If you choose 'parallel', you need to configure the [Parallel] section.
+# If you choose either 'burp1' or 'burp2', you need to configure the [Burp]
+# section.
+# The [Burp] section is also used with the 'parallel' backend for the restoration
+# process.
+# You can also use whatever custom backend you like if it is located in the
+# 'plugins' directory and if it implements the right interface.
+backend = {{ burpui_backend }}
# authentication plugin (mandatory)
# list the misc/auth directory to see the available backends
# to disable authentication you can set "auth = none"
@@ -22,12 +22,10 @@ auth = {{ burpui_global_auth }}
# list misc/acl directory to see the available backends
# default is no ACL
acl = {{ burpui_global_acl }}
-# You can change the prefix if you are behind a reverse-proxy under a custom
-# root path. For example: /burpui
-# You can also configure your reverse-proxy to announce the prefix through the
-# 'X-Script-Name' header. In this case, the bellow prefix will be ignored in
-# favour of the one announced by your reverse-proxy
-prefix = {{ burpui_global_prefix }}
+# audit logger plugin (chainable, see 'auth' plugin option)
+# list the misc/audit directory to see the available backends
+# default is no audit log
+audit = {{ burpui_global_audit }}
plugins = {{ burpui_global_plugins }}
[UI]
@@ -43,6 +41,8 @@ liverefresh = {{ burpui_ui_liverefresh }}
# storage backend for session and cache
# may be either 'default' or 'redis'
storage = {{ burpui_production_storage }}
+# redis server to connect to
+redis = {{ burpui_production_redis }}
# session database to use
# may also be a backend url like: redis://localhost:6379/0
# if set to 'redis', the backend url defaults to:
@@ -57,8 +57,6 @@ session = {{ burpui_production_session }}
# where is the host part, and is the port part of
# the below "redis" setting
cache = {{ burpui_production_cache }}
-# redis server to connect to
-redis = {{ burpui_production_redis }}
# whether to use celery or not
# may also be a broker url like: redis://localhost:6379/0
# if set to "true", the broker url defaults to:
@@ -66,11 +64,6 @@ redis = {{ burpui_production_redis }}
# where is the host part, and is the port part of
#  the above "redis" setting
celery = {{ burpui_production_celery }}
-# database url to store some persistent data
-# none or a connect string supported by SQLAlchemy:
-# http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls
-# example: sqlite:////var/lib/burpui/store.db
-database = {{ burpui_production_database }}
# whether to rate limit the API or not
# may also be a redis url like: redis://localhost:6379/0
# if set to "true" or "redis" or "default", the url defaults to:
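Review bot: Moving `redis =` above `session` leaves the context comment before `cache =` in the second hunk, `# the below "redis" setting`, pointing the wrong way — `redis` now sits above it, as the comment before `celery =` in the third hunk already says; change it to `# the above "redis" setting` so the two agree. The lines describing `session` presumably carry the same "below" phrase and are worth checking as well, since they run past the end of the first hunk.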
@@ -82,7 +75,54 @@ limiter = {{ burpui_production_limiter }}
# limiter ratio
# see https://flask-limiter.readthedocs.io/en/stable/#ratelimit-string
ratio = {{ burpui_production_ratio }}
+# database url to store some persistent data
+# none or a connect string supported by SQLAlchemy:
+# http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls
+# example: sqlite:////var/lib/burpui/store.db
+database = {{ burpui_production_database }}
+# You can change the prefix if you are behind a reverse-proxy under a custom
+# root path. For example: /burpui
+# You can also configure your reverse-proxy to announce the prefix through the
+# 'X-Script-Name' header. In this case, the bellow prefix will be ignored in
+# favour of the one announced by your reverse-proxy
+# prefix option should be moved to Production section in 0.7.0+
+prefix = {{ burpui_production_prefix }}
+# ProxyFix - Not yet implemented in 1.0.0
+# number of reverse-proxy to trust in order to retrieve some HTTP headers
+# All the details can be found here:
+# https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/#module-werkzeug.middleware.proxy_fix
+# num_proxies = "{{ burpui_production_num_proxies }}"
+# alternatively, you can specify your own ProxyFix args.
+# The default is: "{'x_proto': {num_proxies}, 'x_for': {num_proxies}, 'x_host': {num_proxies}, 'x_prefix': {num_proxies}}"
+# if num_proxies > 0, else it defaults to ProxyFix defaults
+# proxy_fix_args = {{ burpui_production_proxy_fix_args }}
+## http://burp-ui.readthedocs.io/en/latest/advanced_usage.html#websocket
+[WebSocket]
+## This section contains WebSocket server specific options.
+# whether to enable websocket or not
+enabled = {{ burpui_websocket_enabled }}
+# whether to embed the websocket server or not
+# if set to "true", you should have only *one* gunicorn worker
+# see here for details:
+# https://flask-socketio.readthedocs.io/en/latest/#gunicorn-web-server
+embedded = {{ burpui_websocket_embedded }}
+# what broker to use to interact between websocket servers
+# may be a redis url like: redis://localhost:6379/0
+# if set to "true" or "redis" or "default", the url defaults to:
+# redis://:/4
+# where is the host part, and is the port part of
+# the above "redis" setting
+# set this to none to disable the broker
+broker = {{ burpui_websocket_broker }}
+# if you choose to run a dedicated websocket server (with embedded = false)
+# you can specify here the websocket url. You'll need to double quote your
+# string though.
+# example:
+# url = "document.domain + ':5001'"
+url = {{ burpui_websocket_url }}
+# whether to enable verbose websocket server logs or not (for development)
+debug = {{ burpui_websocket_debug }}
[Security]
## This section contains some security options. Make sure you understand the
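Review bot: `prefix = {{ burpui_production_prefix }}` reads a new variable where the removed `[Global]` key read `burpui_global_prefix`, so an inventory that set the old name silently loses its sub-path prefix; the rename deserves a README/changelog line, and defaults/main.yml (outside this chunk) must define the new name or the template fails to render. The ProxyFix block stays commented out under `# ProxyFix - Not yet implemented in 1.0.0`, so behind the nginx proxy this role configures the application presumably sees nginx's address for every client, and the `limiter`/`ratio` settings just above then throttle all users as one. A line next to `# num_proxies` such as `# this role fronts gunicorn with nginx; set num_proxies = 1 once ProxyFix is supported` keeps that from being forgotten.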
@@ -110,32 +150,6 @@ scookie = {{ burpui_security_scookie }} # /!\ YOU CANNOT USE THE MAGIC 'random' VALUE WHEN USING GUNICORN /!\ appsecret = {{ burpui_security_appsecret }} -## http://burp-ui.readthedocs.io/en/latest/advanced_usage.html#websocket -[WebSocket] -## This section contains WebSocket server specific options. -# whether to enable websocket or not -enabled = {{ burpui_websocket_enabled }} -# whether to embed the websocket server or not -# if set to "true", you should have only *one* gunicorn worker -# see here for details: -# https://flask-socketio.readthedocs.io/en/latest/#gunicorn-web-server -embedded = {{ burpui_websocket_embedded }} -# what broker to use to interact between websocket servers -# may be a redis url like: redis://localhost:6379/0 -# if set to "true" or "redis" or "default", the url defaults to: -# redis://:/4 -# where is the host part, and is the port part of -# the above "redis" setting -# set this to none to disable the broker -broker = {{ burpui_websocket_broker }} -# if you choose to run a dedicated websocket server (with embedded = false) -# you can specify here the websocket url. You'll need to double quote your -# string though. -# example: -# url = "document.domain + ':5001'" -url = {{ burpui_websocket_url }} -# whether to enable verbose websocket server logs or not (for development) -debug = {{ burpui_websocket_debug }} [Experimental] ## This section contains some experimental features that have not been deeply @@ -145,7 +159,7 @@ debug = {{ burpui_websocket_debug }} # commands on Unix (the InfoZIP utilities) don’t support these extensions. » zip64 = {{ burpui_experimental_zip64 }} -{% if burpui_standalone %} +{% if burpui_backend == 'burp2' or burpui_backend == 'burp1' %} ## burp specific options [Burp] # burp status address (can only be '127.0.0.1' or '::1') 
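Review bot: `{% if burpui_backend == 'burp2' or burpui_backend == 'burp1' %}` in the second hunk renders the `[Burp]` section only for those two backends, yet the `[Global]` comment added earlier in the same template states that the section is also used by the `parallel` backend for restores, so a `parallel` deployment would get no `[Burp]` block at all; `{% if burpui_backend in ['burp1', 'burp2', 'parallel'] %}` matches the comment, or, if `parallel` is deliberately unsupported for now, the comment should say so. The section body runs past the end of the hunk.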
@@ -164,12 +178,21 @@ bconfsrv = {{ burpui_backend_bconfsrv }}
tmpdir = {{ burpui_backend_tmpdir }}
## how many time to wait for the monitor to answer (in seconds)
timeout = {{ burpui_backend_timeout }}
+# since burp-2.1.10, timestamps have local offsets, if we detect a burp-server
+# version greater than 2.1.10 we'll suppose every backup was made with that
+# version. If this is not the case, you may end-up with wrongly computed backup
+# dates in the clients overview. For that reason, you can enable the
+# 'deep_inspection' option which will check every backup logs in order to
+# find out which server version was used.
+# The drawback is this process requires some extra work that may slow-down
+# burp-ui.
+deep_inspection = {{ burpui_backend_deep_inspection }}
{% endif %}
-{% if burpui_ldap_enabled %}
+{% if burpui_global_auth == 'ldap' %}
## https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#ldap
## ldapauth specific options
-[LDAP]
+[LDAP:AUTH]
## Backend priority. Higher is first
priority = {{ burpui_ldap_priority }}
## LDAP host
@@ -213,12 +236,11 @@ bindpw = {{ burpui_ldap_bindpw }}
## basicauth specific options
## Note: in case you leave this section commented, the default login/password
## is admin/admin
-[BASIC]
+[BASIC:AUTH]
## Backend priority. Higher is first
priority = {{ burpui_basic_priority }}
## Allow both plain and hashed passwords
## WARNING: This will defaults to false in 0.4.0
-mixed = {{ burpui_basic_mixed }}
{% for item in burpui_basic_users %}
{{ item.name }} = {{ item.password }}
{% endfor %}
@@ -228,7 +250,7 @@ mixed = {{ burpui_basic_mixed }}
## localauth specific options
## Note: if not running as root, then burp-ui must be run as group 'shadow' to
## allow PAM to work
-[LOCAL]
+[LOCAL:AUTH]
## Backend priority. Higher is first
priority = {{ burpui_local_priority }}
## List of local users allowed to login. If you don't set this setting, every
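Review bot: Removing `mixed = {{ burpui_basic_mixed }}` in the second hunk orphans the two comment lines above it, `## Allow both plain and hashed passwords` and `## WARNING: This will defaults to false in 0.4.0`, which now sit directly above the user list and describe an option that no longer exists; replace them with one line that states what form `item.password` must take in `[BASIC:AUTH]` now that mixed mode is gone, e.g. `## one 'user = password' line per entry of burpui_basic_users; see the README for the expected password format`, since a reader can no longer tell whether plain text is accepted.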
@@ -238,7 +260,36 @@ users = {{ burpui_local_users }}
limit = {{ burpui_local_limit }}
{% endif %}
-{% if burpui_basic_acl_enabled %}
+{% if burpui_global_acl == 'basic' %}
+# acl engine global options
+[ACL]
+# Enable extended matching rules (enabled by default)
+# If the rule is a string like 'user1 = desk*', it will match any client that
+# matches 'desk*' no mater what agent it is attached to.
+# If it is a coma separated list of strings like 'user1 = desk*,laptop*' it
+# will match the first matching rule no mater what agent it is attached to.
+# If it is a dict like:
+# user1 = '{"agents": ["srv*", "www*"], "clients": ["desk*", "laptop*"]}'
+# It will also validate against the agent name.
+extended = {{ burpui_acl_extended }}
+# If you don't explicitly specify ro/rw grants, what should we assume?
+assume_rw = {{ burpui_acl_assume_rw }}
+# The inheritance order maters, it means depending the order you choose,
+# the ACL engine won't handle the grants the same way.
+# By default, ACL inherited by groups will have lower priority, unless you
+# choose otherwise
+inverse_inheritance = {{ burpui_acl_inverse_inheritance }}
+# If you specify agents and clients separately, should we link them implicitly?
+# For instance, '{"agents": ["agent1", "agent2"], "clients": ["client1", "client2"]}'
+# will become: '{"agents": {"agent1": ["client1", "client2"], "agent2": ["client1", "client2"]}}'
+implicit_link = {{ burpui_acl_implicit_link }}
+# Enable 'legacy' behavior
+# Since v0.6.0, if you don't specify the agents name explicitly, users will be
+# granted on every agents where a client matches user's ACL. If you enable the
+# 'legacy' behavior, you will need to specify the agents explicitly.
+# Note: enabling this option will also disable the extended mode
+legacy = {{ burpui_acl_legacy }}
+
## basicacl specific options
## Note: in case you leave this section commented, the user 'admin' will have
## access to all clients whereas other users will only see the client that have
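Review bot: The `[ACL]` block this hunk adds is introduced as `# acl engine global options`, but it is wrapped in the same `{% if burpui_global_acl == 'basic' %}` as the basicacl section, so any other `acl` backend gets none of `extended`, `assume_rw`, `inverse_inheritance`, `implicit_link` or `legacy`; if these are engine-wide, close the `{% if %}` before `[ACL]` or give the block its own guard, and if they only matter for the basic backend the comment should say so. The comment text copied in here also carries typos worth fixing while it is being added: `no mater` → `no matter` (twice), `coma separated` → `comma-separated`, `order maters` → `order matters`. The enclosing `{% if %}` closes outside this hunk.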
@@ -248,42 +299,12 @@ limit = {{ burpui_local_limit }}
# Backend priority. Higher is first
priority = {{ burpui_basic_acl_priority }}
admin = {{ burpui_basic_acl_admins }}
-# List of moderators. Users listed here will inherit the grants of the
-# group '@moderator'
-+moderator = user5,user6
-@moderator = '{"agents":{"ro":["agent1"]}}'
-# NOTE: if you are running single-agent mode, you should specify the ro/rw
-# rights of the moderators using this special 'local' agent name:
-# NOTE: this is the default when running single-agent mode if you don't
-# specify anything else
-#@moderator = '{"agents": {"rw": "local"}}'
-# Please note the double-quotes and single-quotes on the following lines are
-# mandatory!
-# You can also overwrite the default behavior by specifying which clients a
-# user can access
-# Suppose you are running single-agent mode (the default), you only need to
-# specify a list of clients a user can access:
-user3 = '{"clients": {"ro": ["prod*"], "rw": ["dev*", "test1"]}}'
-# In case you are not in a single mode, you can also specify which clients
-# a user can access on a specific Agent
-user4 = '{"agents": {"agent1": ["client6", "client7"], "agent2": ["client8"]}}'
-# You can define read-only and/or read-write grants using:
-user5 = '{"agents": {"www*": {"ro": ["desk*"], "rw": ["desk1"]}}}'
-# Finally, you can define groups using the syntax "@groupname" and adding
-# members using "+groupname". Note: groups can inherit groups!
-@group1 = '{"agents": {"ro": ["*"]}}'
-@group2 = '{"clients": {"rw": ["dev*"]}}'
-+group1 = @group2
-+group2 = user5
-# As a result, user5 will be granted the following rights:
-# '{"ro": {"agents": ["*", "agent1"], "www*": ["desk*"]}, "rw": {"clients": ["dev*"], "www*": ["desk1"]}}
-
{% for item in burpui_basic_acl_users %}
{{ item }}
{% endfor %}
{% endif %}
-{% if not burpui_standalone %}
+{% if burpui_backend == 'multi' %}
## If you set standalone to 'false', add at least one section like this per
## bui-agent
{% for item in burpui_agents %}
@@ -293,4 +314,20 @@ port = {{ item.port }}
password = {{ item.password }}
ssl = {{ item.ssl }}
{% endfor %}
-{% endif %}
\ No newline at end of file
+{% endif %}
+
+{% if burpui_global_audit == 'basic' %}
+# Basic audit backend options
+[BASIC:AUDIT]
+# Backend priority. Higher is first
+priority = {{ burpui_audit_priority }}
+# debug level (CRITICAL, ERROR, WARNING, INFO, DEBUG)
+# the default is the same as your global application level
+level = {{ burpui_audit_level }}
+# path to a file to log into
+logfile = {{ burpui_audit_logfile }}
+# maximum logfile size
+max_bytes = {{ burpui_audit_max_bytes }}
+# number of files to keep
+rotate = {{ burpui_audit_rotate }}
+{% endif %}
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 6167668..8e198b2 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -9,6 +9,7 @@ burpui_system_absent:
burpui_py3_packages:
- python3
- python3-dev
+ # - python3-virtualenv # Install with pip now
- python3-setuptools
- python3-pip
- libssl-dev # dependecy of ndg-httpsclient
@@ -28,11 +29,11 @@ burpui_packages:
burp_ui_celery_dependencies:
- supervisor
-python3_pip: 'pip3'
supervisoretc_dir: "/etc/supervisor/conf.d"
supervisor_ext: "conf"
supervisor_service: supervisor
-pip_installed_exe_bin_path: '/usr/local/bin'
redis_service: redis-server
nginx_config_dir: '/etc/nginx/sites-available'
burpui_nginx_config_path: '{{ nginx_config_dir }}/burpui'
+
+burpui_local_bin: "/usr/local/bin"
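Review bot: The context lines right after the new `{% if burpui_backend == 'multi' %}`, `## If you set standalone to 'false', add at least one section like this per` / `## bui-agent`, still describe the `standalone` switch this commit removes from the template; update them to match the new condition, e.g. `## With the 'multi' backend, add at least one section like this per bui-agent`.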
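Review bot: `logfile = {{ burpui_audit_logfile }}` in the new `[BASIC:AUDIT]` section names a file that no task in this diff creates, nor is its parent directory given an owner or mode; if gunicorn runs unprivileged the audit log will presumably fail to open, and if the path is writable more widely than intended the audit trail can be edited by whoever can reach it. A `file:` task creating the directory with a restrictive mode, or a README line stating the expectation, would close that gap; the variable's default is outside this chunk.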
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
index 1b4227f..a234b34 100644
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@@ -13,6 +13,7 @@ burpui_packages:
burpui_py3_packages:
- python3
- python3-devel
+ # - python3-virtualenv # Install with pip now
- python3-pip
- python3-setuptools
- redhat-rpm-config
@@ -23,11 +24,11 @@ burpui_py3_packages:
burp_ui_celery_dependencies:
- supervisor
-python3_pip: 'pip3'
supervisoretc_dir: "/etc/supervisor/conf.d"
supervisor_ext: "conf"
supervisor_service: supervisord
-pip_installed_exe_bin_path: '/usr/bin'
redis_service: redis
nginx_config_dir: '/etc/nginx/conf.d'
burpui_nginx_config_path: '{{ nginx_config_dir }}/burpui.conf'
+
+burpui_local_bin: "/usr/local/bin"
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 52b6911..c75f063 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -4,15 +4,16 @@
---
burpui_system_absent:
- - python36-cryptography
+ - python3-cryptography
burpui_packages:
- redis
- nginx
burpui_py3_packages:
- - python36
- - python36-devel
+ - python3
+ - python3-devel
+ # - python3-virtualenv # Install with pip now
- redhat-rpm-config
- openssl-devel
- libffi-devel
@@ -23,11 +24,11 @@ burpui_py3_packages:
burp_ui_celery_dependencies:
- supervisor
-python3_pip: 'pip3.6'
supervisoretc_dir: "/etc/supervisor/conf.d"
supervisor_ext: "conf"
supervisor_service: supervisord
-pip_installed_exe_bin_path: '/usr/bin'
redis_service: redis
nginx_config_dir: '/etc/nginx/conf.d'
burpui_nginx_config_path: '{{ nginx_config_dir }}/burpui.conf'
+
+burpui_local_bin: "/usr/local/bin"
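Review bot: `burpui_local_bin: "/usr/local/bin"` is added with the identical value to vars/Fedora.yml, vars/RedHat.yml and, in the previous hunk, vars/Debian.yml; a value that does not vary by OS belongs in defaults/main.yml, where an operator can override it, rather than in the `include_vars` files, whose precedence is above inventory. The commented-out `# - python3-virtualenv # Install with pip now` entries in the same three files can likewise be dropped, since the decision is already recorded in this commit's history.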