From 47f02389fc4c1f69691bde0707053e6ed60efc9d Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 27 Jan 2020 15:23:35 -0500
Subject: [PATCH] Add so-auth to master and master/search
---
 salt/common/nginx/nginx.conf.so-master | 38 ++++++++++++++------
 salt/common/nginx/nginx.conf.so-mastersearch | 38 ++++++++++++++------
 2 files changed, 54 insertions(+), 22 deletions(-)
diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master
index 0a0c31d6a..3cac44155 100644
--- a/salt/common/nginx/nginx.conf.so-master
+++ b/salt/common/nginx/nginx.conf.so-master
@@ -88,7 +88,7 @@ http {
 # }
 location /grafana/ {
- rewrite /grafana/(.*) /$1 break;
+ rewrite /grafana/(.*) /$1 break;
 proxy_pass http://{{ masterip }}:3000/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -100,9 +100,8 @@ http {
 }
 location /kibana/ {
- auth_basic "Security Onion";
- auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
- rewrite /kibana/(.*) /$1 break;
+ auth_request /so-auth/api/auth/;
+ rewrite /kibana/(.*) /$1 break;
 proxy_pass http://{{ masterip }}:5601/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -125,8 +124,7 @@ http {
 }
 location /navigator/ {
- auth_basic "Security Onion";
- auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
+ auth_request /so-auth/api/auth/;
 proxy_pass http://{{ masterip }}:4200/navigator/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -151,9 +149,8 @@ http {
 }
 location /fleet/ {
- rewrite /fleet/(.*) /$1 break;
- auth_basic "Security Onion";
- auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
+ rewrite /fleet/(.*) /$1 break;
+ auth_request /so-auth/api/auth/;
 proxy_pass https://{{ masterip }}:8080/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -200,8 +197,7 @@ http {
 }
 location /sensoroni/ {
- auth_basic "Security Onion";
- auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
+ auth_request /so-auth/api/auth/;
 proxy_pass http://{{ masterip }}:9822/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
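Review bot: With `auth_basic` removed from `/kibana/`, `/navigator/`, `/fleet/` and `/sensoroni/` (and from the same four locations in nginx.conf.so-mastersearch), each of them is protected only by its own `auth_request /so-auth/api/auth/;` line, and nothing in the file records which locations are meant to be gated. The visible lines of `location /grafana/` in the first hunk carry no auth directive; its body continues outside the hunk, so it may be gated further down or rely on Grafana's own login, but that is worth confirming. I would add a comment above the first gated location, for example `# Every proxied UI below must carry auth_request /so-auth/api/auth/; /grafana/ relies on Grafana's own login`, adjusted to what is actually intended. Putting `auth_request` first in `/fleet/`, as it is in `/kibana/`, would also make the gate easier to spot when auditing; the behaviour is the same either way.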
@@ -238,6 +234,26 @@ http {
 }
+
+ location /so-auth/loginpage/ {
+ proxy_pass http://{{ masterip }}:4242/;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location /so-auth/api/ {
+ proxy_pass http://{{ masterip }}:5656/;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ error_page 401 = @error401;
+
+ location @error401 {
+ add_header Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
+ return 302 http://{{ masterip }}/so-auth/loginpage/;
+ }
+
 error_page 404 /404.html;
 location = /40x.html {
 }
diff --git a/salt/common/nginx/nginx.conf.so-mastersearch b/salt/common/nginx/nginx.conf.so-mastersearch
index 265413fa2..6fa080f5b 100644
--- a/salt/common/nginx/nginx.conf.so-mastersearch
+++ b/salt/common/nginx/nginx.conf.so-mastersearch
@@ -88,7 +88,7 @@ http {
 # }
 location /grafana/ {
- rewrite /grafana/(.*) /$1 break;
+ rewrite /grafana/(.*) /$1 break;
 proxy_pass http://{{ masterip }}:3000/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -100,9 +100,8 @@ http {
 }
 location /kibana/ {
- auth_basic "Security Onion";
- auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
- rewrite /kibana/(.*) /$1 break;
+ auth_request /so-auth/api/auth/;
+ rewrite /kibana/(.*) /$1 break;
 proxy_pass http://{{ masterip }}:5601/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -125,8 +124,7 @@ http {
 }
 location /navigator/ {
- auth_basic "Security Onion";
- auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
+ auth_request /so-auth/api/auth/;
 proxy_pass http://{{ masterip }}:4200/navigator/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
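Review bot: In the so-auth hunk for nginx.conf.so-master (and the identical hunk for nginx.conf.so-mastersearch), the `auth_request` subrequest to `/so-auth/api/auth/` is served by the general `location /so-auth/api/` proxy block, so it is forwarded with the original request's `Content-Length` even though nginx discards the body for authorization subrequests. On a POST or PUT to a gated location this can leave the auth backend waiting for a body that never arrives; the nginx documentation for `auth_request` handles it with `proxy_pass_request_body off` and an empty `Content-Length`. A dedicated exact-match location for the auth check leaves the rest of `/so-auth/api/` (which presumably needs request bodies for login) unchanged and can also hand the original URI to the backend. The upstream path `/auth/` follows from the existing prefix mapping; `X-Original-URI` is only a common convention, since the page does not show what so-auth reads.

```nginx
location = /so-auth/api/auth/ {
    # Auth subrequests carry no body; do not advertise one to the backend.
    proxy_pass http://{{ masterip }}:5656/auth/;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
}

# … unchanged: location /so-auth/api/ { … } …
```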
@@ -151,9 +149,8 @@ http {
 }
 location /fleet/ {
- rewrite /fleet/(.*) /$1 break;
- auth_basic "Security Onion";
- auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
+ rewrite /fleet/(.*) /$1 break;
+ auth_request /so-auth/api/auth/;
 proxy_pass https://{{ masterip }}:8080/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -212,8 +209,7 @@ http {
 }
 location /sensoroni/ {
- auth_basic "Security Onion";
- auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
+ auth_request /so-auth/api/auth/;
 proxy_pass http://{{ masterip }}:9822/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -250,6 +246,26 @@ http {
 }
+
+ location /so-auth/loginpage/ {
+ proxy_pass http://{{ masterip }}:4242/;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location /so-auth/api/ {
+ proxy_pass http://{{ masterip }}:5656/;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ error_page 401 = @error401;
+
+ location @error401 {
+ add_header Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
+ return 302 http://{{ masterip }}/so-auth/loginpage/;
+ }
+
 error_page 404 /404.html;
 location = /40x.html {
 }
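Review bot: The `@error401` handler in the so-auth hunk (and in the matching nginx.conf.so-master hunk) hard-codes `http://` in both the `NSREDIRECT` cookie and the `302` target, so a user who reached a gated location over HTTPS would be sent to a plain-HTTP login page; whether a server block redirects port 80 to TLS is outside the hunk. The cookie also embeds `$request_uri` unescaped, so a `;` in the requested URI ends the value early and the remainder is parsed as cookie attributes; the login page should treat `NSREDIRECT` as untrusted and accept only same-origin paths. `Domain={{ masterip }}` adds nothing when the value is an IP literal, and a host-only cookie is the narrower default. I would write `add_header Set-Cookie "NSREDIRECT=$scheme://{{ masterip }}$request_uri;Path=/;SameSite=Lax";` and `return 302 $scheme://{{ masterip }}/so-auth/loginpage/;`.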