sublime-security · ab · Mar 1, 2023 · Mar 15, 2023 · Mar 24, 2023 · Mar 24, 2023
diff --git a/README.md b/README.md
@@ -6,31 +6,30 @@ by Sublime Security
 
 Overview
 ---------
-An open, adaptable email security platform for writing, running, and sharing custom detection and response rules to block phishing attacks, hunt for threats, and more.
+A free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing. Gain visibility and control, hunt for advanced threats, and collaborate with the community.
 
-Why?
-----------
-Traditional email security is a one-size-fits-all black box.
+Sublime uses Message Query Language (MQL), a domain-specific language purpose-built for describing behavior in email. MQL is email provider agnostic, enabling defenders to write, run, and share Detections-as-Code.
 
-The Sublime Platform **gives defenders control over their email environment** and uses an intuitive, interoperable, purpose-built domain-specific language (DSL).
+Learn more about MQL: [Introduction to Message Query Language](https://sublime.security/blog/introduction-to-message-query-language-mql)
 
 Setup
 ----------
 
 ```console
-curl -sL https://sublime.security/install.sh | sh
+curl -sL https://raw.githubusercontent.com/sublime-security/sublime-platform/main/install-and-launch.sh | sh
 ```
 
 [View Docker Quickstart](https://docs.sublimesecurity.com/docs/quickstart-docker)
 
+[View other deployment methods](https://sublime.security/start)
+
 Detection rules
 ----------
-Open-source detection rules are maintained in the [sublime-rules repo](https://github.com/sublime-security/sublime-rules).
-
+Open-source detection rules and links to community Feeds are maintained in the [sublime-rules repo](https://github.com/sublime-security/sublime-rules).
 
 Learn more
 ----------
-- [Sublime overview](https://sublime.security)
 - [Docs](https://docs.sublimesecurity.com)
-- [Message Query Language (MQL) reference](https://docs.sublimesecurity.com/docs/message-query-language) - Sublime's DSL purpose-built for email analysis
+- [API](https://docs.sublimesecurity.com/reference/introduction)
 - [Release log](https://new.sublimesecurity.com)
+- [Message Query Language (MQL)](https://docs.sublimesecurity.com/docs/message-query-language)
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,7 +1,7 @@
-version: '3'
 services:
   sublime_postgres:
     image: postgres:13.2
+    command: -c 'max_connections=200'
     restart: unless-stopped
     container_name: sublime_postgres
     environment:
@@ -82,21 +82,15 @@ services:
     networks:
       - net
   sublime_screenshot_service:
-    image: sublimesec/render-email-html:0.1
+    image: sublimesec/render-email-html:0.2
     restart: unless-stopped
     ports:
       - "8100:8100"
     environment:
-      - S3_ENDPOINT=http://sublimes3:8110
-      - SCREENSHOT_BUCKET=email-screenshots
-      - AWS_REGION=us-east-1
       - DISABLE_DD=true
     container_name: sublime_screenshot_service
-    env_file: sublime.env
     networks:
       - net
-    depends_on:
-      - sublime_create_buckets
   # Keep this name as sublimes3 because underscores don't play nice with certain endpoint validation
   sublimes3:
     container_name: sublimes3
@@ -145,6 +139,8 @@ services:
       WORKERS: 2
       WEB_CONCURRENCY: 5
       KEEP_ALIVE: 2
+      WORKER_TIMEOUT: 30
+      GRACEFUL_WORKER_TIMEOUT: 30
 
 networks:
   net:
@@ -153,3 +149,4 @@ volumes:
   postgres:
   logs:
   s3_data:
+  persistent_storage:
diff --git a/install-and-launch.sh b/install-and-launch.sh
@@ -80,7 +80,7 @@ if [ -z "$interactive" ]; then
     # ascii art
     # credit: https://patorjk.com/
     # font: Cyberlarge
-    cat <<EOF
+    cat <<'EOF'
 
 ======================================================================
 |   _______ _     _ ______         _____ _______ _______             |
@@ -410,6 +410,8 @@ launch_sublime() {
         else
             echo "Daily update check is already setup"
         fi
+    else
+        echo "Automatic updates not enabled"
     fi
 
     print_info "Launching Sublime Platform..."

diff --git a/nginx-custom-ssl/Dockerfile b/nginx-custom-ssl/Dockerfile
@@ -0,0 +1,10 @@
+FROM nginx:1.23.3
+
+COPY conf/nginx.conf /etc/nginx/nginx.conf
+COPY conf/ssl-params.conf /etc/nginx/ssl-params.conf
+
+COPY certs/nginx.crt /etc/ssl/certs/nginx.crt
+COPY certs/nginx.key /etc/ssl/private/nginx.key
+COPY certs/dhparam.pem /etc/ssl/certs/dhparam.pem
+
+CMD nginx -g "daemon off;"
diff --git a/nginx-custom-ssl/README.md b/nginx-custom-ssl/README.md
@@ -0,0 +1,13 @@
+# nginx-custom-ssl
+
+SSL support with custom cert.
+
+To enable SSL with your custom certificate, follow the steps below:
+
+1. Copy your certificate and key to certs/nginx.crt and certs/nginx.key
+2. Copy your dhparam file to certs/dhparam.pem
+3. Edit conf/nginx.conf to update `__server_names__` to your domain or IP address
+4. Perform any other configuration edits that you might need
+5. Run `docker build -t sublime_nginx_custom_ssl .`
+6. Run `cd ..` (back to sublime-platform directory)
+7. Run `docker compose --profile nginx-custom-ssl up`
diff --git a/nginx-custom-ssl/certs/.keep b/nginx-custom-ssl/certs/.keep
diff --git a/nginx-custom-ssl/conf/nginx.conf b/nginx-custom-ssl/conf/nginx.conf
@@ -0,0 +1,56 @@
+events {
+	worker_connections 1024;
+}
+
+http {
+	# language server websockets
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		'' close;
+	}
+
+	server {
+		listen 80 default_server;
+		listen [::]:80 default_server;
+		server_name __server_names__;
+		return 302 https://$server_name$request_uri;
+	}
+
+	server {
+		listen 443 ssl http2 default_server;
+	        listen [::]:443 ssl http2 default_server;
+
+		ssl_certificate /etc/ssl/certs/nginx.crt;
+		ssl_certificate_key /etc/ssl/private/nginx.key;
+
+	        include ssl-params.conf;
+
+		location /v1 {
+			proxy_pass http://sublime_mantis:8000;
+			proxy_set_header Host $host;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Forwarded-Host $server_name;
+
+			# language server websockets
+			proxy_set_header Upgrade $http_upgrade;
+			proxy_set_header Connection $connection_upgrade;
+		}
+
+		location /v0 {
+			proxy_pass http://sublime_mantis:8000;
+			proxy_set_header Host $host;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Forwarded-Host $server_name;
+		}
+
+		location / {
+			proxy_pass http://sublime_dashboard;
+			proxy_set_header Host $host;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Forwarded-Host $server_name;
+		}
+	}
+}
diff --git a/nginx-custom-ssl/conf/ssl-params.conf b/nginx-custom-ssl/conf/ssl-params.conf
@@ -0,0 +1,21 @@
+# from https://cipherli.st/
+# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now.  You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
diff --git a/nginx-letsencrypt/nginx.conf b/nginx-letsencrypt/nginx.conf
@@ -9,6 +9,8 @@ http {
 		'' close;
 	}
 
+	client_max_body_size 50M;
+
 	server {
 		listen 80;
 		server_name ___server_names___;

diff --git a/update-and-run.sh b/update-and-run.sh
@@ -12,9 +12,15 @@ linux*) cmd_prefix="sudo " ;;
 darwin*) cmd_prefix="" ;;
 esac
 
+if [ ! -z "$cmd_prefix_override" ]; then
+    cmd_prefix=$cmd_prefix_override
+fi
+
 if [ "$1" != "always_launch" ]; then
     if ! $cmd_prefix docker compose ps | grep "mantis" >/dev/null 2>&1; then
-        print_error "docker compose appears to be brought down. Will not proceed to avoid relaunching."
+        print_error "Sublime Platform appears to have been manually shut down. Will not proceed to avoid relaunching."
+        print_warning "If you wish to relaunch, please refer to the documentation here:"
+        print_warning "https://docs.sublimesecurity.com/docs/quickstart-docker#how-to-update"
         exit 0
     fi
 fi
@@ -23,7 +29,7 @@ if [ -z "$(git status --porcelain)" ]; then
     echo "git working dir clean. Proceeding with git updates."
 
     old_ref=$(git rev-parse HEAD)
-    git pull
+    logrun git pull
     new_ref=$(git rev-parse HEAD)
 
     if [ "${old_ref}" != "${new_ref}" ]; then

diff --git a/utils.sh b/utils.sh
@@ -48,3 +48,8 @@ print_info() {
 print_warning() {
     print_color "\n$1\n" "warning"
 }
+
+logrun() {
+    echo >&2 "+ $*"
+    "$@"
+}