Data Center Edition

The features introduced on this page are only available in the RIPS Data Center Edition.

The RIPS Data Center Edition allows you to split up your RIPS installation into multiple servers to increase the number of scans that can be handled in parallel.

For the RIPS Data Center Edition you need one master server that runs the API, UI, database, storage, and the scaler that assigns scans to servers. It is highly recommended to place a reverse proxy in front of the API, UI, and storage.

There can be a variable number of worker servers that run nothing but the analysis engines. They communicate with the RIPS master server through the reverse proxy and the API.

Preparation (All Servers)

Switch to a root shell, for example with sudo -i or su, and install Docker CE as described in https://docs.docker.com/engine/installation/. Do not use the Docker version that comes with your distribution; it might not be compatible with the installer.

The following example shows the installation of Docker on Ubuntu 18.04. A more detailed guide to install Docker on Ubuntu can be found in the official documentation.

Docker CE on Ubuntu
apt-get remove docker docker-engine docker.io containerd runc
apt-get update
apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io

The following example shows the installation of Docker on CentOS 7. A more detailed guide to install Docker on CentOS can be found in the official documentation.

Docker CE on CentOS
yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce docker-ce-cli containerd.io

Download (All Servers)

Create an installation directory with secure permissions.

mkdir -p /opt/rips
chown root:root /opt/rips
chmod 750 /opt/rips

Download the installer rips3.py from https://files.ripstech.com/installer/rips3.py and make it executable.

wget https://files.ripstech.com/installer/rips3.py -O /opt/rips/rips3.py
chown root:root /opt/rips/rips3.py
chmod 755 /opt/rips/rips3.py

Installation (Master Server)

To install RIPS on your master server, run rips3.py rips:install. Direct access to the UI, Admin UI, and API should be prevented by binding their addresses to localhost with the parameters --ui-address 127.0.0.1, --ui-admin-address 127.0.0.1, and --api-address 127.0.0.1. The UI port should be changed from the default value 80 to a different value. In this example we will assume that --ui-port 9090 is used. Make sure to set the address of the reverse proxy as the API URL, for example --api-url https://api.rips.intranet.example.org. This address is used by the user interface to connect from the clients' browsers to the API. An incorrect API URL will result in connection problems when using the user interface. It is also recommended to specify the URL of the user interface with the parameter --ui-url. This value is used in e-mails that are sent by RIPS to link to the user interface.

/opt/rips/rips3.py rips:install --ui-url https://ui.rips.intranet.example.org --api-url https://api.rips.intranet.example.org --ui-address 127.0.0.1 --ui-admin-address 127.0.0.1 --api-address 127.0.0.1 --ui-port 9090 --master=1 --worker=0

The installer will ask for your download credentials. Please refer to your purchase email for your user name and password. At the end of the process, the installer creates a new user account and you can set your private account credentials.

For security reasons LDAP support is disabled by default. If you would like to enable LDAP please use the parameter --ldap=1. You can find more information about the configuration of LDAP in the user guide.

Proxy

It is highly recommended to place an HTTP reverse proxy in front of RIPS for TLS encryption, access logging, and similar tasks. This section explains how RIPS and the reverse proxy have to be configured to do this.

If you are running SELinux make sure that httpd_can_network_connect is set to true. You can enable it by running:

setsebool -P httpd_can_network_connect true

NGINX

server {
    listen 443 ssl;
    include /etc/nginx/ssl.conf;
    server_name ui.rips.intranet.example.org;

    location / {
        proxy_pass http://127.0.0.1:9090;
    }
}
server {
    listen 443 ssl;
    include /etc/nginx/ssl.conf;
    server_name admin.rips.intranet.example.org;

    location / {
        proxy_pass http://127.0.0.1:8070;
    }
}
server {
    listen 443 ssl;
    include /etc/nginx/ssl.conf;
    server_name api.rips.intranet.example.org;

    location / {
        proxy_connect_timeout 60;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        proxy_pass http://127.0.0.1:8080;
        client_max_body_size 900M;
    }
}
server {
    listen 443 ssl;
    include /etc/nginx/ssl.conf;
    server_name storage.rips.intranet.example.org;

    # To allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # To disable buffering
    proxy_buffering off;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;

        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_connect_timeout 300;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        proxy_pass http://127.0.0.1:9000;
    }
}

Source: https://docs.min.io/docs/setup-nginx-proxy-with-minio.html

For additional resources please refer to:

Apache

The modules mod_proxy and mod_proxy_http have to be enabled.

<VirtualHost *:443>
  ServerName ui.rips.intranet.example.org
  Include /etc/apache2/ssl.conf

  ProxyPass / http://127.0.0.1:9090/
  ProxyPassReverse / http://127.0.0.1:9090/
</VirtualHost>
<VirtualHost *:443>
  ServerName admin.rips.intranet.example.org
  Include /etc/apache2/ssl.conf

  ProxyPass / http://127.0.0.1:8070/
  ProxyPassReverse / http://127.0.0.1:8070/
</VirtualHost>
<VirtualHost *:443>
  ServerName api.rips.intranet.example.org
  Include /etc/apache2/ssl.conf

  ProxyPass / http://127.0.0.1:8080/ timeout=600
  ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
<VirtualHost *:443>
  ServerName storage.rips.intranet.example.org
  Include /etc/apache2/ssl.conf

  ProxyRequests Off
  ProxyVia Block
  ProxyPreserveHost On

  <Proxy *>
    Require all granted
  </Proxy>

  ProxyPass / http://127.0.0.1:9000/ timeout=600
  ProxyPassReverse / http://127.0.0.1:9000/
</VirtualHost>

Source: https://docs.min.io/docs/setup-apache-http-proxy-with-minio-server.html
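
Whichever proxy is used, the backends behind it should answer only on loopback, otherwise clients can bypass TLS and access logging. The following check is an added example, not part of the RIPS documentation or installer: it reads ss -ltn output and reports listeners on the backend ports that are bound to a non-loopback address. The function name, the RIPS_LOCAL_PORTS variable and the sample lines are assumptions made for this example; the ports are the ones used in the install command and proxy configurations above.

```shell
#!/bin/sh
# Added example: flag RIPS backend ports that listen on a non-loopback address.
# 9090 is the --ui-port from the install command; 8070 and 8080 are the admin UI
# and API backends used in the proxy configurations on this page. Add 9000 if
# storage should also be reachable only through the proxy.
RIPS_LOCAL_PORTS="${RIPS_LOCAL_PORTS:-9090 8070 8080}"

# Reads `ss -ltn` lines on stdin and prints the local address of every
# listener on one of the given ports (first argument, space separated)
# that is not bound to a loopback address.
exposed_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                                   # Local Address:Port column
            port = la; sub(/^.*:/, "", port)          # text after the last colon
            addr = la; sub(/:[^:]*$/, "", addr)       # text before the last colon
            sub(/%.*$/, "", addr)                     # drop interface suffix such as %lo
            gsub(/\[|\]/, "", addr)                   # drop IPv6 brackets
            if (!(port in want)) next
            # Loopback bindings are the intended state, so they are not reported.
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print la
        }'
}

# Constructed sample input (not captured from a real server): the API on 8080
# was installed without --api-address 127.0.0.1, the UI and admin UI are correct.
SAMPLE='LISTEN 0 128 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8070 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 *:9000 *:*'

# On the master server, run it against live data instead:
#   ss -ltn | exposed_listeners "$RIPS_LOCAL_PORTS"
printf '%s\n' "$SAMPLE" | exposed_listeners "$RIPS_LOCAL_PORTS"
```

Empty output means every checked backend port is bound to loopback; the proxy's own listener on 443 is ignored because it is not in the port list.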

For additional resources please refer to:

Installation (Worker Server)

To create a worker, use the parameters --master=0 --worker=1. Additionally, you have to specify the addresses of the API and the storage server with --api-url and --storage-url. Those are required for the worker to contact the master server.

/opt/rips/rips3.py rips:install --api-url https://api.rips.intranet.example.org --storage-url https://storage.rips.intranet.example.org --master=0 --worker=1

The installer will ask for your download credentials. Please refer to your purchase email for your user name and password.

Before the installation starts, the installer asks you to copy the credentials directory from the master server to the worker server. This directory contains credentials that are required to access the API and the storage server. It can be synchronized using scp; for example, the following command can be executed on the master server. Make sure to replace the host name with your own.

scp -p /var/rips3/credentials/* root@worker:/var/rips3/credentials

Once the RIPS worker is installed and started it will automatically register at the API. The scaler will then automatically assign scans to it based on the system resources of the worker and the size of the scans.

Administration

Use the admin interface to manage your organizations, departments, and servers. To access the admin interface you have to create an admin user through the command line interface of the RIPS installer on your master server.

/opt/rips/rips3.py rips:exec api ./bin/console rips:user:create -- --admin --organization System