gerosecurity / gerobug Goto Github PK
View Code? Open in Web Editor NEWThe First Open Source Bug Bounty Platform
Home Page: https://gerobug.gerosecurity.com
License: GNU Affero General Public License v3.0
gerobug's Issues
no Pattern to separate Bug bounty reports and regular emails
On read_mail() there is no pattern to separate between bug report or just regular emails.
The could be an issue, that every email will be stored as new bug report on the platform.
Looking forward if you guys can resolve this issue
SSL not auto renewing?
The SSL isn't auto renewing?
Nginx ports still exposed regardless of settings provided to ./run.sh
Here is my setup:
______ ______ ______ ______ ______ __ __ ______
/\ ___\ /\ ___\ /\ == \ /\ __ \ /\ == \ /\ \/\ \ /\ ___\
\ \ \__ \ \ \ __\ \ \ __< \ \ \/\ \ \ \ __< \ \ \_\ \ \ \ \__ \
\ \_____\ \ \_____\ \ \_\ \_\ \ \_____\ \ \_____\ \ \_____\ \ \_____\
\/_____/ \/_____/ \/_/ /_/ \/_____/ \/_____/ \/_____/ \/_____/
================================================================================
Gerobug v2.3 (PRODUCTION READY)
================================================================================
================================================================================
---------------------------------
Welcome to the Gerobug Installer!
---------------------------------
My name is Gero and I will assist you through the installation :)
I need to ask you a few questions before starting the setup.
Server Public IP : <snip>
Is it correct?
1) YES
2) NO
Your choice [1-2]: 1
Server Internal IP : <snip>
Is it correct?
1) YES
2) NO
Your choice [1-2]: 2
Enter Internal / Secondary IP (example: 127.0.0.1): 127.0.0.1
Do you have a domain that you want to use?
example: demo.gerobug.com
1) YES (I will help to implement HTTPS using lets encrypt for you)
2) NO (Gerobug will use HTTP instead of HTTPS) [NOT RECOMMENDED FOR PRODUCTION]
Your choice [1-2]: 2
Gerobug will not implement HTTPS [NOT RECOMMENDED FOR PRODUCTION]
A domain is required to setup HTTPS
Run this script again later when you have a domain to setup HTTPS
or you can change the nginx config manually
Do you have a VPN Server on the network?
1) YES (Gerobug Dashboard will only accept connection from internal IP)
2) NO (Gerobug Dashboard will be accessible from public) [NOT RECOMMENDED FOR PRODUCTION]
Your choice [1-2]: 1
Gerobug Dashboard will only accept connection from INTERNAL IP
So a VPN Server will be required
If you face any trouble, read the documentation :)
Okay, that was all I needed. We are ready to setup Gerobug server now.
Press any key to continue...
================================================================================
So I set my internal IP, chose HTTP only, and set it to only accept connections from the local IP.
And then after it's running, docker compose ps shows:
gerobug-nginx-1 gerobug-nginx "/docker-entrypoint.sh nginx -g 'daemon off;'"
nginx 11 seconds ago Up 10 seconds
0.0.0.0:80->80/tcp, :::80->80/tcp,
0.0.0.0:443->443/tcp, :::443->443/tcp,
0.0.0.0:6320->6320/tcp, :::6320->6320/tcp
So ports 80, 443, and 6320 are all exposed publicly on the machine. Even if there are safeguards in place in the nginx config, the ports are still exposed.
This is because in the docker-compose.yml file, the ports are set like so:
nginx:
build: ./nginx
ports:
- "80:80"
- "443:443"
- "6320:6320"
In the absence of a binding address, compose defaults to 0.0.0.0.
Suggestions
1. I suggest that during the ./run.sh process, it saves the given settings to a .env file (which compose reads by default), something like this:
BIND_ADDRESS=<public or local ip, as chosen during the setup>
HTTP_PORT=<the port chosen during setup>
HTTPS_PORT=<the port chosen during setup>
DASHBOARD_PORT<the port chosen during setup>
And then the compose file changed to something like this:
nginx:
build: ./nginx
ports:
- "${BIND_ADDRESS}:${BIND_PORT}:80"
- "${BIND_ADDRESS}:${BIND_PORT}:443"
- "${BIND_ADDRESS}:${DASHBOARD_PORT}:6320"
You'll notice I also separated the ports out to be configurable as well. I think this is an important option. For example, on the server I wish to run gerobug on, I already have 80 and 443 bound, so I have to edit the compose file manually to make it work.
2. Only bind the HTTPS port if HTTPS is selected
I'm actually not sure how to do this, but it would be a nice way to keep the ports clean and reduce confusion for developers.
I would make a PR, but I think this requires some decisions that I wouldn't want to impose on you guys :)
Logs full
Hi,
The log keeps being full...
Is it normal?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.