diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 93c5e4ebc..614264fda 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -9,6 +9,7 @@ {% from 'docker/docker.map.jinja' import DOCKER %} include: + - nginx.ssl - nginx.config - nginx.sostatus diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index 8b362a538..31eb6ce45 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml @@ -3,7 +3,7 @@ nginx: description: You can enable or disable Nginx. advanced: True helpLink: nginx.html - config: + ssl: replace_cert: description: Enable this if you would like to replace the Security Onion Certificate with your own. global: True @@ -11,19 +11,20 @@ nginx: title: Replace Default Cert helpLink: nginx.html ssl__key: - description: If you enabled the replace_cert option, paste your .key file here. + description: If you enabled the replace_cert option, paste the contents of your .key file here. file: True - title: SSL Key File + title: SSL/TLS Key File advanced: True global: True helpLink: nginx.html ssl__crt: - description: If you enabled the replace_cert option, paste your .crt file here. + description: If you enabled the replace_cert option, paste the contents of your .crt file here. file: True - title: SSL Cert File + title: SSL/TLS Cert File advanced: True global: True helpLink: nginx.html + config: throttle_login_burst: description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow. global: True diff --git a/salt/nginx/ssl.sls b/salt/nginx/ssl.sls new file mode 100644 index 000000000..b6d09b899 --- /dev/null +++ b/salt/nginx/ssl.sls 
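Review bot: The added `- nginx.ssl` include makes this run manage /etc/pki/managerssl.key and managerssl.crt, but nothing in the hunk connects the nginx service or container state to the `managerssl_key`/`managerssl_crt` ids that nginx.ssl defines; if the consumer in nginx.config (outside this diff) does not `watch` those states, a certificate renewed by the x509 `days_remaining` logic, or a freshly pasted replacement, stays unused until the next restart. Salt's default auto-ordering should run the included nginx.ssl states before those of nginx.config, so first-deploy ordering is probably fine — the gap is change propagation, which only a requisite provides. Worth confirming in nginx.config, bearing in mind that the two ids resolve to a `file` state in the replace_cert branch and an `x509` state otherwise, so a requisite written against one module will not match the other.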
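Review bot: Pillar data already stored under `nginx:config:replace_cert` (and the pasted `ssl__key`/`ssl__crt` handled in the next hunk) stops being read once this hunk moves the setting under a new `ssl:` parent, because the new nginx/ssl.sls tests `NGINXMERGED.ssl.replace_cert`; an upgraded deployment that had installed its own certificate would silently revert to the auto-generated one. Unless a pillar migration for this rename exists elsewhere in the change, one should accompany it, or the ssl.sls condition should also accept the old location for a release.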
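Review bot: The reworded `ssl__crt` description still leaves out what format the paste must be in: ssl.sls installs the file verbatim as /etc/pki/managerssl.crt, so it must be PEM, and a certificate issued via an intermediate CA needs the intermediate certificate(s) appended after the server certificate or clients will see an incomplete chain. Suggested wording: `description: If you enabled the replace_cert option, paste the contents of your PEM-encoded .crt file here. If the certificate was issued by an intermediate CA, append the intermediate certificate(s) after your server certificate.` The `ssl__key` description should likewise say the key must be an unencrypted PEM private key, since the key file is copied as-is and no passphrase handling is visible in ssl.sls.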
@@ -0,0 +1,79 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'nginx/map.jinja' import NGINXMERGED %}
+
+{# if the user has selected to replace the crt and key in the ui #}
+{% if NGINXMERGED.ssl.replace_cert %}
+
+managerssl_key:
+ file.managed:
+ - name: /etc/pki/managerssl.key
+ - source: salt://nginx/ssl/ssl.key
+ - mode: 640
+ - group: 939
+
+managerssl_crt:
+ file.managed:
+ - name: /etc/pki/managerssl.crt
+ - source: salt://nginx/ssl/ssl.crt
+ - mode: 644
+
+{% else %}
+
+managerssl_key:
+ x509.private_key_managed:
+ - name: /etc/pki/managerssl.key
+ - keysize: 4096
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
+ - prereq:
+ - x509: /etc/pki/managerssl.crt
+ {%- endif %}
+ - retry:
+ attempts: 5
+ interval: 30
+
+# Create a cert for the reverse proxy
+managerssl_crt:
+ x509.certificate_managed:
+ - name: /etc/pki/managerssl.crt
+ - ca_server: {{ ca_server }}
+ - signing_policy: managerssl
+ - private_key: /etc/pki/managerssl.key
+ - CN: {{ GLOBALS.hostname }}
+ - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+ - days_remaining: 0
+ - days_valid: 820
+ - backup: True
+ - unless:
+ # https://github.com/saltstack/salt/issues/52167
+ # Will trigger 5 days (432000 sec) from cert expiration
+ - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 30
+ - retry:
+ attempts: 5
+ interval: 30
+
+{% endif %}
+
+msslkeyperms:
+ 
file.managed: + - replace: False + - name: /etc/pki/managerssl.key + - mode: 640 + - group: 939 + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/nginx/config/ssl.crt b/salt/nginx/ssl/ssl.crt similarity index 100% rename from salt/nginx/config/ssl.crt rename to salt/nginx/ssl/ssl.crt diff --git a/salt/nginx/config/ssl.key b/salt/nginx/ssl/ssl.key similarity index 100% rename from salt/nginx/config/ssl.key rename to salt/nginx/ssl/ssl.key diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 358357459..48f643e29 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -507,47 +507,7 @@ elasticp12perms: - mode: 640 - group: 930 -managerssl_key: - x509.private_key_managed: - - name: /etc/pki/managerssl.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%} - - prereq: - - x509: /etc/pki/managerssl.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 -# Create a cert for the reverse proxy -managerssl_crt: - x509.certificate_managed: - - name: /etc/pki/managerssl.crt - - ca_server: {{ ca_server }} - - signing_policy: managerssl - - private_key: /etc/pki/managerssl.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -msslkeyperms: - file.managed: - - replace: False - - name: /etc/pki/managerssl.key - - mode: 640 - - group: 939 {% endif %}
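Review bot: `{{ ca_server }}` in the `managerssl_crt` state of the `{% else %}` branch is never defined in this new file — the template only imports `allowed_states`, `GLOBALS` and `NGINXMERGED`, and whatever assigned `ca_server` in salt/ssl/init.sls lies outside the hunk removed there — so unless this deployment allows undefined Jinja variables, rendering nginx.ssl will fail on every node that has not enabled replace_cert. Add the same assignment after the GLOBALS import, `{% set ca_server = <copy the expression used for ca_server in salt/ssl/init.sls> %}`. Separately, the replace_cert branch installs salt://nginx/ssl/ssl.key and ssl.crt without validating them; adding `- check_cmd: openssl pkey -noout -in` to `managerssl_key` and `- check_cmd: openssl x509 -noout -in` to `managerssl_crt` makes Salt refuse an empty or malformed paste instead of leaving nginx unable to start. Note also that the Salt fileserver applies no per-minion access control, so the pasted private key at salt://nginx/ssl/ssl.key is retrievable by any accepted minion; delivering it through pillar targeted at the manager (`contents_pillar`) would narrow that, though the file location predates this change.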