esetnederland/esmc-server

ARCHIVED. NO LONGER UPDATED. GO TO https://hub.docker.com/repository/docker/esetnederland/eset-protect-server

ESET PROTECT (Formerly: ESET Security Management Center) - Server

This container provides the Server component of ESET PROTECT. See the https://hub.docker.com/r/esetnederland/esmc-console page for the web console component.

Quickstart

Option 1: Manual

First, create a database container:

shell
docker run --name mysql -e MYSQL_ROOT_PASSWORD=eraadmin -d mysql \
--default-authentication-plugin=mysql_native_password \
--innodb-log-file-size=100M \
--innodb-log-files-in-group=2 \
--max-allowed-packet=30M \
--bind-address=* \
--log_bin_trust_function_creators=1

Then, create the server container:

shell
docker run --name esmc-server --link mysql --rm --tty --interactive --publish 2222:2222 --env DB_ADMIN_USERNAME=root --env DB_ADMIN_PASSWORD=eraadmin esetnederland/esmc-server

Optinally, create a console container:

shell
docker run --rm --tty --interactive --publish 8080:8080 --link esmc-server esetnederland/esmc-console

Option 2: docker-compose

Copy the following content to a file called docker-compose.yml:

yaml
version: '3'

services:
    mysql:
        image: mysql:8.0.17
        command: |
            --default-authentication-plugin=mysql_native_password
            --innodb-log-file-size=100M
            --innodb-log-files-in-group=2
            --max-allowed-packet=30M
            --bind-address=*
            --log_bin_trust_function_creators=1
        restart: unless-stopped
        environment:
            - MYSQL_ROOT_USER=root
            - MYSQL_ROOT_PASSWORD=eraadmin
        volumes:
            - mysql:/var/lib/mysql

    esmc-server:
        image: esetnederland/esmc-server
        depends_on: 
            - mysql
        restart: unless-stopped
        environment:
            - DB_ADMIN_USERNAME=root
            - DB_ADMIN_PASSWORD=eraadmin
        volumes:
            - esmc-server-config:/config
            - esmc-server-data:/data
            - esmc-server-logs:/logs
        ports: 
            - 2222:2222

    esmc-console:
        image: esetnederland/esmc-console
        depends_on: 
            - esmc-server
        restart: unless-stopped
        volumes:
            - esmc-console:/config
        ports: 
            - 8080:8080

volumes:
    mysql:
    esmc-server-config:
    esmc-server-data:
    esmc-server-logs:
    esmc-console:

Then run:

shell
docker-compose up

You should now be able to point your browser to http://127.0.0.1:8080 and login with Administrator / eraadmin.

Configuration

The following environment variables can be used for configuration:

The same settings can also be configured using the following docker secrets:

Volumes

This container uses the following volumes:

• /config
• /data
• /logs

Production deployment

The following compose file deploys the stack using an already existing database and uses Traefik as a reverse proxy:

.env

shell
# General settings
HOSTNAME=esmc.domain.nl

# Let's Encrypt settings
ACME_EMAIL=user@domain.nl

# Passwords
SERVER_ROOT_PASSWORD=eraadmin
CERT_AUTH_PASSWORD=eraadmin

# Certificate settings
CERT_AUTH_COMMON_NAME=ESMC Server Certification Authority
CERT_COUNTRY=NL
CERT_LOCALITY=Sliedrecht
CERT_ORGANIZATION=ESET Nederland
CERT_ORGANIZATIONAL_UNIT=IT
CERT_STATE=ZH

# Database settings
DB_HOSTNAME=db.domain.nl
DB_PORT=3306
DB_NAME=era_db
DB_USER_USERNAME=era_db_user
DB_USER_PASSWORD=eraadmin

# Console settings
HSTS_ENABLE=true
REMOTE_ADDRESS_SOURCE=x-forwarded-for-last

docker-compose.yml

yaml
version: '3'

services:
    traefik:
        image: traefik:2.2
        restart: unless-stopped
        command:
            #- --api.insecure=true # Uncomment to enable dashboard on port 8080
            - --providers.docker=true
            - --providers.docker.exposedbydefault=false
            - --entrypoints.http.address=:80
            - --entrypoints.https.address=:443
            - --entrypoints.em-agent.address=:2222
            - --certificatesResolvers.le.acme.email=${ACME_EMAIL}
            - --certificatesResolvers.le.acme.httpChallenge.entryPoint=http
            - --certificatesResolvers.le.acme.storage=/etc/traefik/acme.json
            #- --providers.file.directory=/etc/traefik/dynamic # Uncomment to use Dynamic configurations
        ports:
            - 80:80
            - 443:443
            - 2222:2222
            - 8080:8080
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock:ro
            - traefik:/etc/traefik

    esmc-server:
        image: esetnederland/esmc-server:latest
        restart: unless-stopped
        environment:
            - CERT_AUTH_COMMON_NAME=${CERT_AUTH_COMMON_NAME}
            - CERT_AUTH_PASSWORD=${CERT_AUTH_PASSWORD}
            - CERT_COUNTRY=${CERT_COUNTRY}
            - CERT_HOSTNAME=${HOSTNAME}
            - CERT_LOCALITY=${CERT_LOCALITY}
            - CERT_ORGANIZATION=${CERT_ORGANIZATION}
            - CERT_ORGANIZATIONAL_UNIT=${CERT_ORGANIZATIONAL_UNIT}
            - CERT_STATE=${CERT_STATE}
            - DB_HOSTNAME=${DB_HOSTNAME}
            - DB_PORT=${DB_PORT}
            - DB_NAME=${DB_NAME}
            - DB_USER_USERNAME=${DB_USER_USERNAME}
            - DB_USER_PASSWORD=${DB_USER_PASSWORD}
            - SERVER_ROOT_PASSWORD=${SERVER_ROOT_PASSWORD}
        volumes:
            - esmc-server-config:/config
            - esmc-server-data:/data
            - esmc-server-logs:/logs
        labels:
            - traefik.enable=true
            - traefik.tcp.routers.em-agent.rule=HostSNI(`*`)
            - traefik.tcp.routers.em-agent.entrypoints=em-agent
            - traefik.tcp.routers.em-agent.service=em-agent
            - traefik.tcp.routers.em-agent.tls=true
            - traefik.tcp.routers.em-agent.tls.passthrough=true
            - traefik.tcp.services.em-agent.loadbalancer.server.port=2222

    esmc-console:
        image: esetnederland/esmc-console:latest
        restart: unless-stopped
        environment:
            - HSTS_ENABLE=${HSTS_ENABLE}
            - REMOTE_ADDRESS_SOURCE=${REMOTE_ADDRESS_SOURCE}
        volumes:
            - esmc-console:/config
        labels:
            - traefik.enable=true
            - traefik.http.routers.esmc-console.rule=Host(`${HOSTNAME}`)
            - traefik.http.routers.esmc-console.entrypoints=http
            - traefik.http.routers.esmc-console.middlewares=esmc-console-redirect
            - traefik.http.routers.esmc-console-secure.rule=Host(`${HOSTNAME}`)
            - traefik.http.routers.esmc-console-secure.entrypoints=https
            - traefik.http.routers.esmc-console-secure.tls=true
            - traefik.http.routers.esmc-console-secure.tls.certresolver=le
            # - traefik.http.routers.esmc-console-secure.tls.options=intermediate@file # Uncomment to use internediate SSL configuration. Needs a dynamic configuration file
            - traefik.http.routers.esmc-console-secure.middlewares=esmc-console-secure-headers,esmc-console-secure-redirect
            - traefik.http.middlewares.esmc-console-redirect.redirectscheme.scheme=https
            - traefik.http.middlewares.esmc-console-secure-headers.headers.customFrameOptionsValue=SAMEORIGIN
            - traefik.http.middlewares.esmc-console-secure-headers.headers.sslredirect=true
            - traefik.http.middlewares.esmc-console-secure-headers.headers.stsSeconds=63072000
            - traefik.http.middlewares.esmc-console-secure-redirect.redirectregex.regex=^(https:\/\/[^:\/]+(:\\d+)?)\/$
            - traefik.http.middlewares.esmc-console-secure-redirect.redirectregex.replacement=${1}/era/webconsole/
            - traefik.http.middlewares.esmc-console-secure-redirect.redirectregex.permanent=true

volumes:
    traefik:
    esmc-server-config:
    esmc-server-data:
    esmc-server-logs:
    esmc-console:

If you want an A+ grade on the Qualys SSL Server test uncomment the dynamic configuration and intermediate ssl lines in the above config, and write the following content to /etc/traefik/dynamic/ssl.toml (or directly to its volume):

toml
[tls.options]
  [tls.options.modern]
    minVersion = "VersionTLS13"

  [tls.options.intermediate]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]

  [tls.options.default]
    minVersion = "VersionTLS12"