From ce63eea78d037d1d92299797a9d743fa5291f4fa Mon Sep 17 00:00:00 2001
From: root <root@srv2.soctools.grena.ge>
Date: Mon, 20 Jun 2022 15:42:52 +0400
Subject: [PATCH] move all used ports to haproxy and remove all unused ports

---
 roles/build/templates/cassandra/Dockerfile.j2 |  1 -
 roles/build/templates/cortex/Dockerfile.j2    |  1 -
 .../templates/elasticsearch/Dockerfile.j2     |  1 -
 roles/build/templates/keycloak/Dockerfile.j2  |  3 --
 roles/build/templates/kibana/Dockerfile.j2    |  1 -
 roles/build/templates/misp/Dockerfile.j2      |  3 --
 roles/build/templates/mysql/Dockerfile.j2     |  1 -
 roles/build/templates/nifi/Dockerfile.j2      |  1 -
 .../templates/odfekibana/Dockerfile-kibana.j2 |  1 -
 roles/build/templates/thehive/Dockerfile.j2   |  1 -
 roles/build/templates/zookeeper/Dockerfile.j2 |  2 +-
 roles/docker/tasks/haproxy.yml                |  9 ++---
 roles/docker/tasks/keycloak.yml               |  2 --
 roles/docker/tasks/misp.yml                   |  2 --
 roles/docker/tasks/odfekibana.yml             |  2 --
 roles/haproxy/templates/haproxy.cfg.j2        | 36 ++++++++-----------
 16 files changed, 21 insertions(+), 46 deletions(-)

diff --git a/roles/build/templates/cassandra/Dockerfile.j2 b/roles/build/templates/cassandra/Dockerfile.j2
index f5d2a60..1be98c2 100644
--- a/roles/build/templates/cassandra/Dockerfile.j2
+++ b/roles/build/templates/cassandra/Dockerfile.j2
@@ -16,5 +16,4 @@ RUN echo "[cassandra]" > /etc/yum.repos.d/cassandra.repo && \
     sed -i -e 's,/etc/cassandra,/usr/share/cassandra,g' /usr/share/cassandra/cassandra.in.sh && \
     yum -y clean all
 COPY cassandrasupervisord.conf /etc/supervisord.conf
-EXPOSE 7000 9042
 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
diff --git a/roles/build/templates/cortex/Dockerfile.j2 b/roles/build/templates/cortex/Dockerfile.j2
index a6488ad..7d6de8f 100644
--- a/roles/build/templates/cortex/Dockerfile.j2
+++ b/roles/build/templates/cortex/Dockerfile.j2
@@ -23,6 +23,5 @@ RUN echo "[thehive-project]" > /etc/yum.repos.d/thehive.repo && \
     for I in analyzers/*/requirements.txt; do LC_ALL=en_US.UTF-8 pip3 install --no-cache-dir -U -r $I || true; done && \
     for I in responders/*/requirements.txt; do LC_ALL=en_US.UTF-8 pip3 install --no-cache-dir -U -r $I || true; done && \
     yum -y clean all
-EXPOSE 9001
 COPY cortexsupervisord.conf /etc/supervisord.conf
 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
diff --git a/roles/build/templates/elasticsearch/Dockerfile.j2 b/roles/build/templates/elasticsearch/Dockerfile.j2
index 6f273d6..7947f24 100644
--- a/roles/build/templates/elasticsearch/Dockerfile.j2
+++ b/roles/build/templates/elasticsearch/Dockerfile.j2
@@ -17,6 +17,5 @@ RUN rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \
 
 RUN echo 'elasticsearch ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers
 
-EXPOSE 9200 9300
 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
 
diff --git a/roles/build/templates/keycloak/Dockerfile.j2 b/roles/build/templates/keycloak/Dockerfile.j2
index 561a646..1b1d181 100644
--- a/roles/build/templates/keycloak/Dockerfile.j2
+++ b/roles/build/templates/keycloak/Dockerfile.j2
@@ -34,9 +34,6 @@ ENV PATH="/opt/jboss/keycloak/bin:${PATH}"
 
 WORKDIR /opt/jboss/keycloak
 
-EXPOSE 8080
-EXPOSE 8443
-
 RUN echo 'jboss ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers
 
 COPY keycloaksupervisord.conf /etc/supervisord.conf
diff --git a/roles/build/templates/kibana/Dockerfile.j2 b/roles/build/templates/kibana/Dockerfile.j2
index ef2a476..db7d064 100644
--- a/roles/build/templates/kibana/Dockerfile.j2
+++ b/roles/build/templates/kibana/Dockerfile.j2
@@ -17,7 +17,6 @@ RUN rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \
 
 RUN echo 'kibana ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers
 
-EXPOSE 5601
 COPY kibanasupervisord.conf /etc/supervisord.conf
 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
 
diff --git a/roles/build/templates/misp/Dockerfile.j2 b/roles/build/templates/misp/Dockerfile.j2
index 4f7518b..f5e6557 100644
--- a/roles/build/templates/misp/Dockerfile.j2
+++ b/roles/build/templates/misp/Dockerfile.j2
@@ -80,9 +80,6 @@ RUN chown -R apache:apache /var/www/MISP ; \
 
 COPY misp_rh-php72-php-fpm /etc/logrotate.d/rh-php72-php-fpm
 
-# 80/443 - MISP web server, 3306 - mysql, 6379 - redis, 6666 - MISP modules, 50000 - MISP ZeroMQ
-EXPOSE 80 443 6443 6379 6666 50000
-
 ENV PATH "$PATH:/opt/rh/rh-php72/root/bin/"
 
 COPY mispsupervisord.conf /etc/supervisord.conf
diff --git a/roles/build/templates/mysql/Dockerfile.j2 b/roles/build/templates/mysql/Dockerfile.j2
index 393eb3f..6ce391e 100644
--- a/roles/build/templates/mysql/Dockerfile.j2
+++ b/roles/build/templates/mysql/Dockerfile.j2
@@ -6,7 +6,6 @@ RUN yum -y update && yum install -y epel-release centos-release-scl scl-utils &&
     /usr/bin/scl enable rh-mariadb103 -- /opt/rh/rh-mariadb103/root/usr/libexec/mysql-prepare-db-dir /var/opt/rh/rh-mariadb103/lib/mysql 
 RUN yum clean all
 
-EXPOSE 3306
 COPY mysqlsupervisord.conf /etc/supervisord.conf
 
 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
diff --git a/roles/build/templates/nifi/Dockerfile.j2 b/roles/build/templates/nifi/Dockerfile.j2
index f85cf47..5f8298b 100644
--- a/roles/build/templates/nifi/Dockerfile.j2
+++ b/roles/build/templates/nifi/Dockerfile.j2
@@ -83,7 +83,6 @@ RUN curl -fSL ${MIRROR_BASE_URL}/${NIFI_BINARY_PATH} -o ${NIFI_BASE_DIR}/nifi-${
 RUN echo "#!/bin/sh\n" > $NIFI_HOME/bin/nifi-env.sh
 
 # Web HTTP(s) & Socket Site-to-Site Ports
-EXPOSE 8080 8443 10000 8000
 
 WORKDIR ${NIFI_HOME}
 
diff --git a/roles/build/templates/odfekibana/Dockerfile-kibana.j2 b/roles/build/templates/odfekibana/Dockerfile-kibana.j2
index 05a1c40..e61707f 100644
--- a/roles/build/templates/odfekibana/Dockerfile-kibana.j2
+++ b/roles/build/templates/odfekibana/Dockerfile-kibana.j2
@@ -17,7 +17,6 @@ RUN rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \
 
 RUN echo 'kibana ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers
 
-EXPOSE 5601
 COPY kibanasupervisord.conf /etc/supervisord.conf
 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
 
diff --git a/roles/build/templates/thehive/Dockerfile.j2 b/roles/build/templates/thehive/Dockerfile.j2
index c1df6fa..fa330f3 100644
--- a/roles/build/templates/thehive/Dockerfile.j2
+++ b/roles/build/templates/thehive/Dockerfile.j2
@@ -15,6 +15,5 @@ RUN echo "[thehive-project]" > /etc/yum.repos.d/thehive.repo && \
     mkdir -p /home/thehive && \
     chown -R thehive:thehive /home/thehive /etc/thehive && \
     yum -y clean all
-EXPOSE 9000
 COPY thehivesupervisord.conf /etc/supervisord.conf
 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
diff --git a/roles/build/templates/zookeeper/Dockerfile.j2 b/roles/build/templates/zookeeper/Dockerfile.j2
index 19ae977..a3fd150 100644
--- a/roles/build/templates/zookeeper/Dockerfile.j2
+++ b/roles/build/templates/zookeeper/Dockerfile.j2
@@ -25,7 +25,7 @@ RUN curl -fSL ${MIRROR_BASE_URL}/${ZOOKEEPER_BINARY_PATH} -o ${ZOOKEEPER_BASE_DI
     && cp ${ZOOKEEPER_BASE_DIR}/zookeeper/conf/zoo_sample.cfg ${ZOOKEEPER_BASE_DIR}/zookeeper/conf/zoo.cfg
 
 # Web HTTP(s) & Socket Site-to-Site Ports
-EXPOSE 2181 2888 3888
+#EXPOSE 2181 2888 3888
 
 WORKDIR ${ZOOKEEPER_BASE_DIR}/zookeeper
 
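Review bot: The zookeeper `EXPOSE 2181 2888 3888` line is commented out here, whereas every other Dockerfile hunk in this patch deletes its EXPOSE line outright; the commented-out instruction is dead content and leaves the `# Web HTTP(s) & Socket Site-to-Site Ports` header describing nothing (the nifi Dockerfile hunk keeps the same orphaned header). Delete the line for consistency, or replace it and the header with a single note such as `# ports are published only through haproxy (roles/docker/tasks/haproxy.yml)`. Note that EXPOSE is image metadata only: removing it neither opens nor closes anything at runtime, so the effective exposure after this patch is decided by the `published_ports` lists in the docker tasks, not by these Dockerfile hunks.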
diff --git a/roles/docker/tasks/haproxy.yml b/roles/docker/tasks/haproxy.yml
index 5fb181e..665c5e7 100644
--- a/roles/docker/tasks/haproxy.yml
+++ b/roles/docker/tasks/haproxy.yml
@@ -9,16 +9,17 @@
       - name: "{{ soctools_netname}}"
     networks_cli_compatible: yes
     published_ports:
-      - "443:443"
       - "8888:8888"
-      - "8443:8443"
       - "9443:9443"
       - "9200:9200"
       - "7750:7750"
-      - "5000-5099:5000-5099"
-      - "6000-6099:6000-6099"
       - "9000:9000"
       - "9001:9001"
+      - "12443:12443"
+      - "5601:5601"
+      - "6443:6443"
+      - "5000-5099:5000-5099"
+      - "6000-6099:6000-6099"
     interactive: "yes"
   tags:
     - start-docker-containers
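Review bot: `"7750:7750"` is kept in `published_ports` even though the haproxy.cfg.j2 hunk in this same patch removes the only visible listeners on the 77xx range (`nifiservtcp77{{port}}` for 7750-7759 and `nifiservtcp7771`), so host port 7750 presumably stays open on the haproxy container with no frontend behind it; drop the mapping or confirm another `listen` on 7750 exists outside the hunk. All mappings here, including the newly routed 12443, 5601 and 6443, bind on every host interface; for any of them that is only meant for local or VPN access, prefix the intended address (e.g. `"127.0.0.1:5601:5601"`, constructed example). The enclosing task starts before the hunk, so the container name and image could not be checked.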
diff --git a/roles/docker/tasks/keycloak.yml b/roles/docker/tasks/keycloak.yml
index dfc073c..7193449 100644
--- a/roles/docker/tasks/keycloak.yml
+++ b/roles/docker/tasks/keycloak.yml
@@ -8,8 +8,6 @@
     networks:
       - name: "{{ soctools_netname }}"
     networks_cli_compatible: yes
-    published_ports:
-      - "12443:8443"
     interactive: "yes"
   with_items: "{{ groups['keycloakcontainers'] }}"
   tags:
diff --git a/roles/docker/tasks/misp.yml b/roles/docker/tasks/misp.yml
index 953f386..acba5ea 100644
--- a/roles/docker/tasks/misp.yml
+++ b/roles/docker/tasks/misp.yml
@@ -9,8 +9,6 @@
       - name: "{{ soctools_netname}}"
     interactive: "yes"
     networks_cli_compatible: yes
-    published_ports:
-      - "6443:6443"
   tags:
     - start-docker-containers
 
diff --git a/roles/docker/tasks/odfekibana.yml b/roles/docker/tasks/odfekibana.yml
index af56622..8426ce6 100644
--- a/roles/docker/tasks/odfekibana.yml
+++ b/roles/docker/tasks/odfekibana.yml
@@ -8,8 +8,6 @@
     networks:
       - name: "{{ soctools_netname }}"
     networks_cli_compatible: yes
-    published_ports:
-      - "5601:5601"
     interactive: "yes"
   with_items: "{{ groups['odfekibanacontainers'] }}"
   tags:
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 86ee05b..a66a234 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -49,7 +49,7 @@ listen odfeserv
 {% endfor %}
 	
 listen keycloakserv
-        bind *:10443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
+        bind *:12443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
         mode http
         maxconn 5000
         fullconn 5000
@@ -86,36 +86,30 @@ listen cortexserv
 	server {{cortexhost}} {{cortexhost}}:9001 check verify none
 {% endfor %}
 
-{% for port in range(50, 60) %}
-listen nifiservtcp77{{port}}
-	bind *:77{{port}}
-	mode tcp
+listen kibanaserv
+        bind *:5601 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
+        mode http
         maxconn 5000
         fullconn 5000
         balance source
         option tcpka
-	option tcp-check
-        option tcplog
-	tcp-check connect port 77{{port}}
-{% for nifihost in groups['nificontainers'] %}
-   	server {{nifihost}} {{nifihost}}:77{{port}} check
-
-{% endfor %}
+        option forwardfor
+        option httplog
+{% for kibanahost in groups['odfekibanacontainers'] %}
+        server {{kibanahost}} {{kibanahost}}:5601 ssl check verify none
 {% endfor %}
 
-
-listen nifiservtcp7771
-	bind *:7771
-	mode tcp
+listen mispserv
+        bind *:6443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
+        mode http
         maxconn 5000
         fullconn 5000
         balance source
         option tcpka
-	option tcp-check
-        option tcplog
-	tcp-check connect port 7771
-{% for nifihost in groups['nificontainers'] %}
-   	server {{nifihost}} {{nifihost}}:7771 check
+        option forwardfor
+        option httplog
+{% for misphost in groups['mispcontainers'] %}
+        server {{misphost}} {{misphost}}:6443 ssl check verify none
 {% endfor %}
 
 
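Review bot: Both new backends use `server ... ssl check verify none`, so haproxy re-encrypts to kibana (5601) and MISP (6443) but never verifies the certificate the backend presents; the backend TLS leg is then encryption without authentication, which matters more now that three additional services are routed through the proxy. This mirrors the existing `cortexserv` line, but if the container certificates are issued by an internal CA the servers should pin it, e.g. `server {{misphost}} {{misphost}}:6443 ssl check verify required ca-file <PATH_TO_INTERNAL_CA>` (placeholder path; the CA file location is not shown in the patch). The new `kibanaserv` and `mispserv` stanzas are indented with spaces while the retained `cortexserv` `server` line and `{% endfor %}` blocks above use tabs; pick one for the file so the generated config reads uniformly. A one-line comment above each stanza naming the public port and the Ansible group it fronts (`# kibana UI, published as 5601 in roles/docker/tasks/haproxy.yml`) would help the next reader correlate cfg and task file.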
-- 
GitLab