Deploying DefectDojo on Azure Cloud with Secure PostgreSQL Integration - Complete Walkthrough
Photo by Nacho Rochon on Unsplash
DefectDojo is an open-source platform designed for DevSecOps, ASPM (Application Security Process Management), vulnerability management, and more.
This guide provides step-by-step instructions to set up and configure DefectDojo on an Azure Virtual Machine (VM) with a secure PostgreSQL database. We'll create necessary network configurations and ensure secure access with SSL/TLS.
Step 1: Create an Azure Virtual Machine
Create the VM:
Open the Azure portal and go to "Virtual machines".
Click "Create" and choose "Azure virtual machine".
Configure the following settings:
Image: Ubuntu Server: Linux (ubuntu 24.04)
Size: Standard B2s (2 vCPUs, 4GB RAM)
Storage: 30GB SSD
DNS Name: Set it to something like defect-dojo-nebula.eastus.cloudapp.azure.com.
Networking Configuration:
Allow inbound ports 80 (HTTP) and 443 (HTTPS).
Allow your IP address for SSH (port 22).
Provision the VM and connect via SSH.
To connect to the VM using the private SSH key:
In your local machine:
cp defect-dojo_key.pem ~/.ssh/ cd ~/.ssh/ chmod 400 defect-dojo_key.pem ssh -i defect-dojo_key.pem azureuser@defect-dojo-nebula.eastus.cloudapp.azure.com
Step 2: Create Azure PostgreSQL Database with VNET Integration and peer VNETs
Create the PostgreSQL Database:
Navigate to "Azure Database for PostgreSQL" and click "Create".
Select "Single Server" and configure the basic settings.
Disable public access.
Configure VNET Integration:
Enable VNET integration for the PostgreSQL server.
This automatically creates a private DNS zone, e.g., defect-dojo-db-test.private.postgres.database.azure.com
Peer VNETs:
In the Azure portal, search for the VNET of Azure Virtual Machine and select "Peerings".
Create a peering connection to VNET of the Database.
Update Private DNS Zone:
In the private DNS zone, select
Virtual Network Links
.Add both VNETs with auto-registration enabled.
Step 3: Configure the Azure VM
Install Required Software:
sudo apt-get update sudo apt-get install -y postgresql-client certbot
Install docker based on instructions here: https://docs.docker.com/engine/install/ubuntu/
Check PostgreSQL Connection:
Find the Database connection details under
Connect
section:psql -h defect-dojo-db-test.postgres.database.azure.com -p 5432 -U test_admin postgres
Step 4: Set Up SSL Certificates
Generate SSL Certificates:
certbot certonly # Select option 1 and follow the prompts to generate .pem files.
Certificate is saved at: /etc/letsencrypt/live/defect-dojo-nebula.eastus.cloudapp.azure.co.. Key is saved at: /etc/letsencrypt/live/defect-dojo-nebula.eastus.cloudapp.azure.co..
Step 5: Deploy DefectDojo
Clone the DefectDojo Repository:
git clone https://github.com/DefectDojo/django-DefectDojo.git cd django-DefectDojo
Move SSL Certificates:
cp /etc/letsencrypt/live/defect-dojo-nebula.eastus.cloudapp.azure.com/fullchain.pem nginx/ cp /etc/letsencrypt/live/defect-dojo-nebula.eastus.cloudapp.azure.com/privkey.pem nginx/ chmod 400 nginx/privkey.pem
Configure Docker:
rm -f docker-compose.override.yml ln -s docker-compose.override.https.yml docker-compose.override.yml
Edit Configuration Files:
docker-compose.override.https.yml:
--- services: nginx: environment: USE_TLS: 'true' GENERATE_TLS_CERTIFICATE: 'false' ports: - target: 8443 published: 443 protocol: tcp mode: host uwsgi: environment: DD_SESSION_COOKIE_SECURE: 'True' DD_CSRF_COOKIE_SECURE: 'True'
Dockerfile.nginx-alpine and Dockerfile.nginx-debian:
COPY wsgi_params nginx/nginx.conf nginx/nginx_TLS.conf /etc/nginx/ COPY nginx/fullchain.pem nginx/privkey.pem /etc/nginx/ssl/ RUN \ chmod 400 /etc/nginx/ssl/privkey.pem
docker/environments/postgres-redis.env:
## Change the below variables based on your Azure Postgres DB Values. DD_DATABASE_URL=postgresql://test_admin:NotMyPassword404@defect-dojo-db-test.postgres.database.azure.com:5432/postgres DD_DATABASE_ENGINE=django.db.backends.postgresql DD_DATABASE_HOST=postgres DD_DATABASE_PORT=5432 DD_DATABASE_NAME=postgres DD_DATABASE_USER=test_admin DD_DATABASE_PASSWORD=NotMyPassword404 DD_TEST_DATABASE_NAME=test_defectdojo DD_TEST_DATABASE_URL=postgresql://defectdojo:defectdojo@postgres:5432/test_defectdojo DD_CELERY_BROKER_URL=redis://redis:6379/0 DD_DOCKERCOMPOSE_DATABASE=postgres DD_DOCKERCOMPOSE_BROKER=redis
nginx/nginx_TLS.conf:
#change from here server { listen 8080; location / { return 301 https://your-azure-vm-dns-name.cloudapp.azure.com/; # changed } } # Disable metrics auth for localhost (for nginx prometheus exporter) geo $metrics_auth_bypass { 127.0.0.1/32 "off"; default "Metrics"; } server { server_tokens off; listen 8443 ssl; server_name your-azure-vm-dns-name.cloudapp.azure.com; # changed ssl_certificate /etc/nginx/ssl/fullchain.pem; # changed ssl_certificate_key /etc/nginx/ssl/privkey.pem; # changed
Step 6: Build and Run DefectDojo
Build Docker Images:
# Start Docker systemctl start docker # Build Images ./dc-build.sh
Run Docker Containers:
./dc-up.sh postgres-redis
Recommendation is to use postgres-redis profile since support for MySQL and RabbitMQ will be deprecated by Defect Dojo team.
Retrieve Admin Password:
docker-compose logs initializer | grep "Admin password:"
Visit the Site:
Open your browser and go to
https://{your-azure-VM-DNS-name/
.Log in with the admin credentials.
Step 7: Run Docker Containers in Detached Mode
Stop Running Containers:
./dc-stop.sh
Remove Docker Containers:
./dc-down.sh
Rebuild Docker Images:
./dc-build.sh
Run Containers in Detached Mode:
./dc-up-d.sh postgres-redis
Conclusion
Deploying DefectDojo on Azure provides a robust, scalable solution for DevSecOps teams looking to manage vulnerabilities effectively while leveraging cloud services. This guide outlined the essential steps from setting up virtual networks to configuring Docker containers with SSL encryption, ensuring your application is both secure and accessible within an Azure environment.
Check out DefectDojo documentation here:
https://documentation.defectdojo.com/
https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/DOCKER.md