For some applications/environments it is desirable to run the contrast-service on a separate host/container from the web application. This can be done for Assess but is not recommended for Protect due to the sheer number of transactions it can generate.
Create the contrast-service image
The following example describes how this can be accomplished with docker and docker-compose.
Dockerfile example for creating a contrast-service image:
FROM ubuntu:20.04
# Install the necessary ubuntu dependencies
RUN apt-get update && apt-get install -y gnupg2 ca-certificates curl software-properties-common
# Add the contrast public key
ADD https://pkg.contrastsecurity.com/api/gpg/key/public ./publickey
RUN apt-key add ./publickey
RUN add-apt-repository "deb https://pkg.contrastsecurity.com/debian-public/ focal contrast"
# Install contrast-service
RUN apt-get update && apt-get install -y contrast-service
# Copy the contrast_security.yaml
COPY ./contrast_security.yaml .
# Run the contrast-service as the container's main process
ENTRYPOINT ["contrast-service"]
Configure authentication for the contrast-service
The contrast_security.yaml is copied in to supply authentication and logging values. Environment variables can also be used to supply these; see our Doc site on these conversions.
Example for the contrast-service container:
api:
  url: https://<HOST>:<PORT>/Contrast
  api_key: <API_KEY>
  service_key: <SERVICE_KEY>
  user_name: <AGENT_USER_NAME>
agent:
  service:
    logger:
      path: /proc/1/fd/1
      level: INFO
Configuration of the contrast-service
The environment: configuration for both containers sets the following:
CONTRAST__AGENT__SERVICE__HOST=contrastservice
CONTRAST__AGENT__SERVICE__PORT=30555
HOST refers to the name set for the contrast-service container.
Docker-compose example:
version: '2'
services:
  svc:
    container_name: contrastservice
    hostname: contrastservice
    build:
      context: .
      dockerfile: contrast-service/Dockerfile
    environment:
      - CONTRAST__AGENT__SERVICE__HOST=contrastservice
      - CONTRAST__AGENT__SERVICE__PORT=30555
      - CONTRAST__AGENT__SERVICE__LOGGER__LEVEL=INFO
    networks:
      - extbridge
  web:
    build: .
    ports:
      - "8000:8000"
    depends_on:
      - svc
    environment:
      - CONTRAST__APPLICATION__NAME=TestApplication
      - CONTRAST__SERVER__NAME=Docker
      - CONTRAST__AGENT__SERVICE__HOST=contrastservice
      - CONTRAST__AGENT__SERVICE__PORT=30555
      - CONTRAST__AGENT__LOGGER__LEVEL=INFO
    networks:
      - extbridge
networks:
  extbridge:
    driver: bridge
Note: When configuring orchestration for the containers, the contrast-service container must come up before the web application's container. This can be accomplished with depends_on in the compose file.
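depends_on orders container start but does not wait until the service is accepting connections. As an added example (not part of the original article or of Contrast's own tooling), the wrapper below can front the web container's command and wait for the host and port set in the environment above; the script name, the CONTRAST_WAIT_TIMEOUT variable and the presence of bash in the web image are assumptions.

```shell
#!/usr/bin/env bash
# Added example: entrypoint wrapper for the web container
# (hypothetical file name: wait-for-contrast.sh).
# Blocks until the contrast-service accepts TCP connections, then starts the app.

# wait_for_service HOST PORT [TIMEOUT_SECONDS]
# Returns 0 once a TCP connect succeeds, 1 on timeout, 2 on invalid arguments.
wait_for_service() {
  local host="$1" port="$2" timeout="${3:-30}" deadline
  # Reject empty or non-numeric values rather than probing a wrong target.
  [ -n "$host" ] || return 2
  case "$port" in ''|*[!0-9]*) return 2 ;; esac
  case "$timeout" in ''|*[!0-9]*) return 2 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2

  deadline=$(( $(date +%s) + timeout ))
  while :; do
    # bash's /dev/tcp opens a TCP connection; the subshell closes it on exit.
    if (exec 3<>"/dev/tcp/${host}/${port}") 2>/dev/null; then
      return 0
    fi
    [ "$(date +%s)" -ge "$deadline" ] && return 1
    sleep 1
  done
}

# When invoked with a command, wait and then replace this shell with it.
# CONTRAST_WAIT_TIMEOUT is a hypothetical variable introduced for this example.
if [ "$#" -gt 0 ]; then
  rc=0
  wait_for_service "${CONTRAST__AGENT__SERVICE__HOST:-}" \
                   "${CONTRAST__AGENT__SERVICE__PORT:-}" \
                   "${CONTRAST_WAIT_TIMEOUT:-60}" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "contrast-service not reachable (rc=$rc)" >&2
    exit "$rc"
  fi
  exec "$@"
fi
```

Invoked as `wait-for-contrast.sh <application command>`, it exits non-zero instead of starting the application when the service never becomes reachable, so the failure is visible to the orchestrator.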
References:
- Example on GitHub (this is for the Go agent, but the contrast-service configuration would be the same for the Node, Python and Ruby agents as well): https://github.com/Contrast-Security-OSS/go-test-bench/blob/main/docker-compose.demo.yml
- Container communication: https://www.tutorialworks.com/container-networking