Deploying DefectDojo on Azure Cloud with Secure PostgreSQL Integration - Complete Walkthrough

·

4 min read

DefectDojo is an open-source platform designed for DevSecOps, ASPM (Application Security Process Management), vulnerability management, and more.

This guide provides step-by-step instructions to set up and configure DefectDojo on an Azure Virtual Machine (VM) with a secure PostgreSQL database. We'll create necessary network configurations and ensure secure access with SSL/TLS.

Step 1: Create an Azure Virtual Machine

  1. Create the VM:

    • Open the Azure portal and go to "Virtual machines".

    • Click "Create" and choose "Azure virtual machine".

    • Configure the following settings:

  2. Networking Configuration:

    • Allow inbound ports 80 (HTTP) and 443 (HTTPS).

    • Allow your IP address for SSH (port 22).

  3. Provision the VM and connect via SSH.

    To connect to the VM using the private SSH key:

    In your local machine:

     cp defect-dojo_key.pem ~/.ssh/
     cd ~/.ssh/
     chmod 400 defect-dojo_key.pem
     ssh -i defect-dojo_key.pem azureuser@defect-dojo-nebula.eastus.cloudapp.azure.com
    

    Step 2: Create Azure PostgreSQL Database with VNET Integration and peer VNETs

    1. Create the PostgreSQL Database:

      • Navigate to "Azure Database for PostgreSQL" and click "Create".

      • Select "Single Server" and configure the basic settings.

      • Disable public access.

    2. Configure VNET Integration:

    3. Peer VNETs:

      • In the Azure portal, search for the VNET of Azure Virtual Machine and select "Peerings".

      • Create a peering connection to VNET of the Database.

    4. Update Private DNS Zone:

      • In the private DNS zone, select Virtual Network Links.

      • Add both VNETs with auto-registration enabled.

Step 3: Configure the Azure VM

  1. Install Required Software:

     sudo apt-get update
     sudo apt-get install -y postgresql-client certbot
    

    Install docker based on instructions here: https://docs.docker.com/engine/install/ubuntu/

  2. Check PostgreSQL Connection:

    Find the Database connection details under Connect section:

     psql -h defect-dojo-db-test.postgres.database.azure.com -p 5432 -U test_admin postgres
    

Step 4: Set Up SSL Certificates

  1. Generate SSL Certificates:

     certbot certonly
     # Select option 1 and follow the prompts to generate .pem files.
    

    Certificate is saved at: /etc/letsencrypt/live/defect-dojo-nebula.eastus.cloudapp.azure.co.. Key is saved at: /etc/letsencrypt/live/defect-dojo-nebula.eastus.cloudapp.azure.co..

Step 5: Deploy DefectDojo

  1. Clone the DefectDojo Repository:

     git clone https://github.com/DefectDojo/django-DefectDojo.git
     cd django-DefectDojo
    
  2. Move SSL Certificates:

     cp /etc/letsencrypt/live/defect-dojo-nebula.eastus.cloudapp.azure.com/fullchain.pem nginx/
     cp /etc/letsencrypt/live/defect-dojo-nebula.eastus.cloudapp.azure.com/privkey.pem nginx/
     chmod 400 nginx/privkey.pem
    
  3. Configure Docker:

     rm -f docker-compose.override.yml
     ln -s docker-compose.override.https.yml docker-compose.override.yml
    
  4. Edit Configuration Files:

    • docker-compose.override.https.yml:

        ---
        services:
          nginx:
            environment:
              USE_TLS: 'true'
              GENERATE_TLS_CERTIFICATE: 'false'
            ports:
              - target: 8443
                published: 443
                protocol: tcp
                mode: host
          uwsgi:
            environment:
              DD_SESSION_COOKIE_SECURE: 'True'
              DD_CSRF_COOKIE_SECURE: 'True'
      
    • Dockerfile.nginx-alpine and Dockerfile.nginx-debian:

        COPY wsgi_params nginx/nginx.conf nginx/nginx_TLS.conf /etc/nginx/
        COPY nginx/fullchain.pem nginx/privkey.pem /etc/nginx/ssl/
        RUN \
          chmod 400 /etc/nginx/ssl/privkey.pem
      
    • docker/environments/postgres-redis.env:

        ## Change the below variables based on your Azure Postgres DB Values.
        DD_DATABASE_URL=postgresql://test_admin:NotMyPassword404@defect-dojo-db-test.postgres.database.azure.com:5432/postgres
        DD_DATABASE_ENGINE=django.db.backends.postgresql
        DD_DATABASE_HOST=postgres
        DD_DATABASE_PORT=5432
      
        DD_DATABASE_NAME=postgres
        DD_DATABASE_USER=test_admin
        DD_DATABASE_PASSWORD=NotMyPassword404
      
        DD_TEST_DATABASE_NAME=test_defectdojo
        DD_TEST_DATABASE_URL=postgresql://defectdojo:defectdojo@postgres:5432/test_defectdojo
      
        DD_CELERY_BROKER_URL=redis://redis:6379/0
      
        DD_DOCKERCOMPOSE_DATABASE=postgres
        DD_DOCKERCOMPOSE_BROKER=redis
      
    • nginx/nginx_TLS.conf:

        #change from here
        server {
            listen 8080;
            location / {
                return 301 https://your-azure-vm-dns-name.cloudapp.azure.com/; # changed
            }
        }
        # Disable metrics auth for localhost (for nginx prometheus exporter)
        geo $metrics_auth_bypass {
          127.0.0.1/32 "off";
          default "Metrics";
        }
        server {
          server_tokens off;
          listen 8443 ssl;
          server_name your-azure-vm-dns-name.cloudapp.azure.com; # changed
          ssl_certificate /etc/nginx/ssl/fullchain.pem; # changed
          ssl_certificate_key /etc/nginx/ssl/privkey.pem; # changed
      

Step 6: Build and Run DefectDojo

  1. Build Docker Images:

     # Start Docker
     systemctl start docker
     # Build Images
     ./dc-build.sh
    
  2. Run Docker Containers:

     ./dc-up.sh postgres-redis
    

    Recommendation is to use postgres-redis profile since support for MySQL and RabbitMQ will be deprecated by Defect Dojo team.

  3. Retrieve Admin Password:

     docker-compose logs initializer | grep "Admin password:"
    
  4. Visit the Site:

Step 7: Run Docker Containers in Detached Mode

  1. Stop Running Containers:

     ./dc-stop.sh
    
  2. Remove Docker Containers:

     ./dc-down.sh
    
  3. Rebuild Docker Images:

     ./dc-build.sh
    
  4. Run Containers in Detached Mode:

     ./dc-up-d.sh postgres-redis
    

Conclusion

Deploying DefectDojo on Azure provides a robust, scalable solution for DevSecOps teams looking to manage vulnerabilities effectively while leveraging cloud services. This guide outlined the essential steps from setting up virtual networks to configuring Docker containers with SSL encryption, ensuring your application is both secure and accessible within an Azure environment.

Check out DefectDojo documentation here:

https://documentation.defectdojo.com/

https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/DOCKER.md