Merge pull request #891 from Security-Onion-Solutions/feature/navigator-to-nginx
Feature/navigator to nginx
@@ -44,7 +44,6 @@ eval:
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
{% if PLAYBOOK != '0' %}
|
{% if PLAYBOOK != '0' %}
|
||||||
- so-playbook
|
- so-playbook
|
||||||
- so-navigator
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if FREQSERVER != '0' %}
|
{% if FREQSERVER != '0' %}
|
||||||
- so-freqserver
|
- so-freqserver
|
||||||
@@ -116,7 +115,6 @@ master_search:
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
{% if PLAYBOOK != '0' %}
|
{% if PLAYBOOK != '0' %}
|
||||||
- so-playbook
|
- so-playbook
|
||||||
- so-navigator
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if FREQSERVER != '0' %}
|
{% if FREQSERVER != '0' %}
|
||||||
- so-freqserver
|
- so-freqserver
|
||||||
@@ -159,7 +157,6 @@ master:
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
{% if PLAYBOOK != '0' %}
|
{% if PLAYBOOK != '0' %}
|
||||||
- so-playbook
|
- so-playbook
|
||||||
- so-navigator
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if FREQSERVER != '0' %}
|
{% if FREQSERVER != '0' %}
|
||||||
- so-freqserver
|
- so-freqserver
|
||||||
|
|||||||
@@ -1,6 +1,5 @@
|
|||||||
{% set docker = {
|
{% set docker = {
|
||||||
'containers': [
|
'containers': [
|
||||||
'so-playbook',
|
'so-playbook'
|
||||||
'so-navigator'
|
|
||||||
]
|
]
|
||||||
} %}
|
} %}
|
||||||
@@ -81,7 +81,6 @@ if [ $MASTERCHECK != 'so-helix' ]; then
|
|||||||
"so-kratos:$VERSION" \
|
"so-kratos:$VERSION" \
|
||||||
"so-logstash:$VERSION" \
|
"so-logstash:$VERSION" \
|
||||||
"so-mysql:$VERSION" \
|
"so-mysql:$VERSION" \
|
||||||
"so-navigator:$VERSION" \
|
|
||||||
"so-nginx:$VERSION" \
|
"so-nginx:$VERSION" \
|
||||||
"so-playbook:$VERSION" \
|
"so-playbook:$VERSION" \
|
||||||
"so-redis:$VERSION" \
|
"so-redis:$VERSION" \
|
||||||
|
|||||||
@@ -18,7 +18,6 @@ TRUSTED_CONTAINERS=( \
|
|||||||
"so-kibana:$VERSION" \
|
"so-kibana:$VERSION" \
|
||||||
"so-logstash:$VERSION" \
|
"so-logstash:$VERSION" \
|
||||||
"so-mysql:$VERSION" \
|
"so-mysql:$VERSION" \
|
||||||
"so-navigator:$VERSION" \
|
|
||||||
"so-playbook:$VERSION" \
|
"so-playbook:$VERSION" \
|
||||||
"so-redis:$VERSION" \
|
"so-redis:$VERSION" \
|
||||||
"so-sensoroni:$VERSION" \
|
"so-sensoroni:$VERSION" \
|
||||||
|
|||||||
@@ -1,4 +1,6 @@
|
|||||||
|
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
|
{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
|
||||||
{%- set ELASTICSEARCH_HOST = salt['pillar.get']('node:mainip', '') -%}
|
{%- set ELASTICSEARCH_HOST = salt['pillar.get']('node:mainip', '') -%}
|
||||||
{%- set ELASTICSEARCH_PORT = salt['pillar.get']('node:es_port', '') -%}
|
{%- set ELASTICSEARCH_PORT = salt['pillar.get']('node:es_port', '') -%}
|
||||||
@@ -9,8 +11,6 @@
|
|||||||
{%- set LOG_SIZE_LIMIT = salt['pillar.get']('master:log_size_limit', '') -%}
|
{%- set LOG_SIZE_LIMIT = salt['pillar.get']('master:log_size_limit', '') -%}
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
|
|
||||||
#!/bin/bash
|
|
||||||
#
|
|
||||||
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
|
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
|
||||||
#
|
#
|
||||||
# This program is free software: you can redistribute it and/or modify
|
# This program is free software: you can redistribute it and/or modify
|
||||||
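Review bot: The relocated `#!/bin/bash` in the first hunk (`@@ -1,4 +1,6 @@`) still does not appear to land on line 1 of the rendered script: the header says one old line became three new lines, so of the two blank rows around the shebang one is kept from the old file and the other is added, and a blank line precedes `#!/bin/bash` either way. With Salt's default Jinja whitespace handling the `{%- if` tag trims the whitespace before it and the `-%}` on `{%- endif -%}` trims the whitespace after it, so the rendered output would start with an empty line and `#!/bin/bash` would run straight into `# Copyright ...`, while a shebang only takes effect on the first line. Put `#!/bin/bash` as line 1 with no blank line above it and close the block with `{%- endif %}` (no trailing `-`) so the newline before the copyright header survives. The second hunk (`@@ -9,8 +11,6 @@`), which removes the old shebang and its `#` separator, is the other half of the same move and is covered by this point.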
|
|||||||
@@ -13,7 +13,6 @@ role:
|
|||||||
- {{ portgroups.wazuh_authd }}
|
- {{ portgroups.wazuh_authd }}
|
||||||
- {{ portgroups.playbook }}
|
- {{ portgroups.playbook }}
|
||||||
- {{ portgroups.mysql }}
|
- {{ portgroups.mysql }}
|
||||||
- {{ portgroups.navigator }}
|
|
||||||
- {{ portgroups.kibana }}
|
- {{ portgroups.kibana }}
|
||||||
- {{ portgroups.redis }}
|
- {{ portgroups.redis }}
|
||||||
- {{ portgroups.influxdb }}
|
- {{ portgroups.influxdb }}
|
||||||
@@ -95,7 +94,6 @@ role:
|
|||||||
- {{ portgroups.wazuh_authd }}
|
- {{ portgroups.wazuh_authd }}
|
||||||
- {{ portgroups.playbook }}
|
- {{ portgroups.playbook }}
|
||||||
- {{ portgroups.mysql }}
|
- {{ portgroups.mysql }}
|
||||||
- {{ portgroups.navigator }}
|
|
||||||
- {{ portgroups.kibana }}
|
- {{ portgroups.kibana }}
|
||||||
- {{ portgroups.redis }}
|
- {{ portgroups.redis }}
|
||||||
- {{ portgroups.influxdb }}
|
- {{ portgroups.influxdb }}
|
||||||
@@ -174,7 +172,6 @@ role:
|
|||||||
- {{ portgroups.wazuh_authd }}
|
- {{ portgroups.wazuh_authd }}
|
||||||
- {{ portgroups.playbook }}
|
- {{ portgroups.playbook }}
|
||||||
- {{ portgroups.mysql }}
|
- {{ portgroups.mysql }}
|
||||||
- {{ portgroups.navigator }}
|
|
||||||
- {{ portgroups.kibana }}
|
- {{ portgroups.kibana }}
|
||||||
- {{ portgroups.redis }}
|
- {{ portgroups.redis }}
|
||||||
- {{ portgroups.influxdb }}
|
- {{ portgroups.influxdb }}
|
||||||
@@ -253,7 +250,6 @@ role:
|
|||||||
- {{ portgroups.wazuh_authd }}
|
- {{ portgroups.wazuh_authd }}
|
||||||
- {{ portgroups.playbook }}
|
- {{ portgroups.playbook }}
|
||||||
- {{ portgroups.mysql }}
|
- {{ portgroups.mysql }}
|
||||||
- {{ portgroups.navigator }}
|
|
||||||
- {{ portgroups.kibana }}
|
- {{ portgroups.kibana }}
|
||||||
- {{ portgroups.redis }}
|
- {{ portgroups.redis }}
|
||||||
- {{ portgroups.influxdb }}
|
- {{ portgroups.influxdb }}
|
||||||
@@ -330,7 +326,6 @@ role:
|
|||||||
- {{ portgroups.wazuh_agent }}
|
- {{ portgroups.wazuh_agent }}
|
||||||
- {{ portgroups.playbook }}
|
- {{ portgroups.playbook }}
|
||||||
- {{ portgroups.mysql }}
|
- {{ portgroups.mysql }}
|
||||||
- {{ portgroups.navigator }}
|
|
||||||
- {{ portgroups.kibana }}
|
- {{ portgroups.kibana }}
|
||||||
- {{ portgroups.redis }}
|
- {{ portgroups.redis }}
|
||||||
- {{ portgroups.influxdb }}
|
- {{ portgroups.influxdb }}
|
||||||
|
|||||||
@@ -48,9 +48,6 @@ firewall:
|
|||||||
mysql:
|
mysql:
|
||||||
tcp:
|
tcp:
|
||||||
- 3306
|
- 3306
|
||||||
navigator:
|
|
||||||
tcp:
|
|
||||||
- 4200
|
|
||||||
nginx:
|
nginx:
|
||||||
tcp:
|
tcp:
|
||||||
- 80
|
- 80
|
||||||
|
|||||||
@@ -18,7 +18,6 @@ TRUSTED_CONTAINERS=( \
|
|||||||
"so-wazuh:$VERSION" \
|
"so-wazuh:$VERSION" \
|
||||||
"so-kibana:$VERSION" \
|
"so-kibana:$VERSION" \
|
||||||
"so-elastalert:$VERSION" \
|
"so-elastalert:$VERSION" \
|
||||||
"so-navigator:$VERSION" \
|
|
||||||
"so-filebeat:$VERSION" \
|
"so-filebeat:$VERSION" \
|
||||||
"so-suricata:$VERSION" \
|
"so-suricata:$VERSION" \
|
||||||
"so-logstash:$VERSION" \
|
"so-logstash:$VERSION" \
|
||||||
|
|||||||
@@ -14,318 +14,312 @@ pid /run/nginx.pid;
|
|||||||
include /usr/share/nginx/modules/*.conf;
|
include /usr/share/nginx/modules/*.conf;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
access_log /var/log/nginx/access.log main;
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
types_hash_max_size 2048;
|
types_hash_max_size 2048;
|
||||||
client_max_body_size 1024M;
|
client_max_body_size 1024M;
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
||||||
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
||||||
# for more information.
|
# for more information.
|
||||||
include /etc/nginx/conf.d/*.conf;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
|
||||||
#server {
|
#server {
|
||||||
# listen 80 default_server;
|
# listen 80 default_server;
|
||||||
# listen [::]:80 default_server;
|
# listen [::]:80 default_server;
|
||||||
# server_name _;
|
# server_name _;
|
||||||
# root /opt/socore/html;
|
# root /opt/socore/html;
|
||||||
# index index.html;
|
# index index.html;
|
||||||
|
|
||||||
# Load configuration files for the default server block.
|
# Load configuration files for the default server block.
|
||||||
#include /etc/nginx/default.d/*.conf;
|
#include /etc/nginx/default.d/*.conf;
|
||||||
|
|
||||||
# location / {
|
# location / {
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# error_page 404 /404.html;
|
# error_page 404 /404.html;
|
||||||
# location = /40x.html {
|
# location = /40x.html {
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# error_page 500 502 503 504 /50x.html;
|
# error_page 500 502 503 504 /50x.html;
|
||||||
# location = /50x.html {
|
# location = /50x.html {
|
||||||
# }
|
# }
|
||||||
#}
|
#}
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
return 301 https://$host$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
{% if FLEET_MASTER %}
|
{% if FLEET_MASTER %}
|
||||||
server {
|
server {
|
||||||
listen 8090 ssl http2 default_server;
|
listen 8090 ssl http2 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /opt/socore/html;
|
root /opt/socore/html;
|
||||||
index blank.html;
|
index blank.html;
|
||||||
|
|
||||||
ssl_certificate "/etc/pki/nginx/server.crt";
|
ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
ssl_certificate_key "/etc/pki/nginx/server.key";
|
ssl_certificate_key "/etc/pki/nginx/server.key";
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
|
location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
|
||||||
grpc_pass grpcs://{{ masterip }}:8080;
|
grpc_pass grpcs://{{ masterip }}:8080;
|
||||||
grpc_set_header Host $host;
|
grpc_set_header Host $host;
|
||||||
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# Settings for a TLS enabled server.
|
# Settings for a TLS enabled server.
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2 default_server;
|
listen 443 ssl http2 default_server;
|
||||||
#listen [::]:443 ssl http2 default_server;
|
#listen [::]:443 ssl http2 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /opt/socore/html;
|
root /opt/socore/html;
|
||||||
index index.html;
|
index index.html;
|
||||||
|
|
||||||
ssl_certificate "/etc/pki/nginx/server.crt";
|
ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
ssl_certificate_key "/etc/pki/nginx/server.key";
|
ssl_certificate_key "/etc/pki/nginx/server.key";
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
# Load configuration files for the default server block.
|
# Load configuration files for the default server block.
|
||||||
#include /etc/nginx/default.d/*.conf;
|
#include /etc/nginx/default.d/*.conf;
|
||||||
|
|
||||||
location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
|
location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
|
||||||
proxy_pass http://{{ masterip }}:9822;
|
proxy_pass http://{{ masterip }}:9822;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_pass http://{{ masterip }}:9822/;
|
proxy_pass http://{{ masterip }}:9822/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^/auth/.*?(whoami|login|logout|settings) {
|
location ~ ^/auth/.*?(whoami|login|logout|settings) {
|
||||||
rewrite /auth/(.*) /$1 break;
|
rewrite /auth/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:4433;
|
proxy_pass http://{{ masterip }}:4433;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /cyberchef/ {
|
location /cyberchef/ {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /cyberchef {
|
location /navigator/ {
|
||||||
rewrite ^ /cyberchef/ permanent;
|
auth_request /auth/sessions/whoami;
|
||||||
}
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
location /packages/ {
|
location /packages/ {
|
||||||
try_files $uri =206;
|
try_files $uri =206;
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /grafana/ {
|
location /grafana/ {
|
||||||
rewrite /grafana/(.*) /$1 break;
|
rewrite /grafana/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:3000/;
|
proxy_pass http://{{ masterip }}:3000/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /kibana/ {
|
location /kibana/ {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
rewrite /kibana/(.*) /$1 break;
|
rewrite /kibana/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:5601/;
|
proxy_pass http://{{ masterip }}:5601/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /nodered/ {
|
location /nodered/ {
|
||||||
proxy_pass http://{{ masterip }}:1880/;
|
proxy_pass http://{{ masterip }}:1880/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /playbook/ {
|
location /playbook/ {
|
||||||
proxy_pass http://{{ masterip }}:3200/playbook/;
|
proxy_pass http://{{ masterip }}:3200/playbook/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{%- if FLEET_NODE %}
|
||||||
|
location /fleet/ {
|
||||||
|
return 301 https://{{ FLEET_IP }}/fleet;
|
||||||
|
}
|
||||||
|
{%- else %}
|
||||||
|
location /fleet/ {
|
||||||
|
proxy_pass https://{{ masterip }}:8080;
|
||||||
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
{%- endif %}
|
||||||
|
|
||||||
location /navigator/ {
|
location /thehive/ {
|
||||||
auth_request /auth/sessions/whoami;
|
proxy_pass http://{{ masterip }}:9000/thehive/;
|
||||||
proxy_pass http://{{ masterip }}:4200/navigator/;
|
proxy_read_timeout 90;
|
||||||
proxy_read_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_http_version 1.1; # this is essential for chunked responses to work
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
{%- if FLEET_NODE %}
|
location /cortex/ {
|
||||||
location /fleet/ {
|
proxy_pass http://{{ masterip }}:9001/cortex/;
|
||||||
return 301 https://{{ FLEET_IP }}/fleet;
|
proxy_read_timeout 90;
|
||||||
}
|
proxy_connect_timeout 90;
|
||||||
{%- else %}
|
proxy_http_version 1.1; # this is essential for chunked responses to work
|
||||||
location /fleet/ {
|
proxy_set_header Host $host;
|
||||||
proxy_pass https://{{ masterip }}:8080;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_read_timeout 90;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_connect_timeout 90;
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Host $host;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
}
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
{%- endif %}
|
|
||||||
|
|
||||||
location /thehive/ {
|
location /soctopus/ {
|
||||||
proxy_pass http://{{ masterip }}:9000/thehive/;
|
proxy_pass http://{{ masterip }}:7000/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_http_version 1.1; # this is essential for chunked responses to work
|
proxy_set_header Host $host;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
location /cortex/ {
|
location /kibana/app/soc/ {
|
||||||
proxy_pass http://{{ masterip }}:9001/cortex/;
|
rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
|
||||||
proxy_read_timeout 90;
|
}
|
||||||
proxy_connect_timeout 90;
|
|
||||||
proxy_http_version 1.1; # this is essential for chunked responses to work
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /soctopus/ {
|
location /kibana/app/fleet/ {
|
||||||
proxy_pass http://{{ masterip }}:7000/;
|
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
|
||||||
proxy_read_timeout 90;
|
}
|
||||||
proxy_connect_timeout 90;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /kibana/app/soc/ {
|
location /kibana/app/soctopus/ {
|
||||||
rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
|
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /kibana/app/fleet/ {
|
location /sensoroniagents/ {
|
||||||
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
|
proxy_pass http://{{ masterip }}:9822/;
|
||||||
}
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
location /kibana/app/soctopus/ {
|
error_page 401 = @error401;
|
||||||
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /sensoroniagents/ {
|
location @error401 {
|
||||||
proxy_pass http://{{ masterip }}:9822/;
|
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
|
||||||
proxy_read_timeout 90;
|
return 302 /auth/self-service/browser/flows/login;
|
||||||
proxy_connect_timeout 90;
|
}
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
error_page 401 = @error401;
|
#error_page 404 /404.html;
|
||||||
|
# location = /usr/share/nginx/html/40x.html {
|
||||||
|
#}
|
||||||
|
|
||||||
location @error401 {
|
error_page 500 502 503 504 /50x.html;
|
||||||
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
|
location = /usr/share/nginx/html/50x.html {
|
||||||
return 302 /auth/self-service/browser/flows/login;
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#error_page 404 /404.html;
|
|
||||||
# location = /usr/share/nginx/html/40x.html {
|
|
||||||
#}
|
|
||||||
|
|
||||||
error_page 500 502 503 504 /50x.html;
|
|
||||||
location = /usr/share/nginx/html/50x.html {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
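Review bot: The new `location /navigator/` block that replaces the old proxied one sets `proxy_read_timeout`, `proxy_connect_timeout` and six `proxy_set_header` directives but has no `proxy_pass`, so none of them take effect; the requests are presumably served from the server-level `root /opt/socore/html`. Reducing it to `location /navigator/ { auth_request /auth/sessions/whoami; }` with a comment such as `# static files, gated by the session check` drops the dead proxy settings and makes the static-serving intent explicit, while keeping the authorization gate the old block had. Separately, the old `location /cyberchef { rewrite ^ /cyberchef/ permanent; }` redirect has no counterpart on the new side as far as the row pairing shows; if that removal is not intended, restore it next to `location /cyberchef/`.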
|
|||||||
@@ -14,87 +14,87 @@ pid /run/nginx.pid;
|
|||||||
include /usr/share/nginx/modules/*.conf;
|
include /usr/share/nginx/modules/*.conf;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
access_log /var/log/nginx/access.log main;
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
types_hash_max_size 2048;
|
types_hash_max_size 2048;
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
return 301 https://$host$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 8090 ssl http2 default_server;
|
listen 8090 ssl http2 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /opt/socore/html;
|
root /opt/socore/html;
|
||||||
index blank.html;
|
index blank.html;
|
||||||
|
|
||||||
ssl_certificate "/etc/pki/nginx/server.crt";
|
ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
ssl_certificate_key "/etc/pki/nginx/server.key";
|
ssl_certificate_key "/etc/pki/nginx/server.key";
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
|
location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
|
||||||
grpc_pass grpcs://{{ MAINIP }}:8080;
|
grpc_pass grpcs://{{ MAINIP }}:8080;
|
||||||
grpc_set_header Host $host;
|
grpc_set_header Host $host;
|
||||||
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2 default_server;
|
listen 443 ssl http2 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /opt/socore/html/packages;
|
root /opt/socore/html/packages;
|
||||||
index index.html;
|
index index.html;
|
||||||
|
|
||||||
ssl_certificate "/etc/pki/nginx/server.crt";
|
ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
ssl_certificate_key "/etc/pki/nginx/server.key";
|
ssl_certificate_key "/etc/pki/nginx/server.key";
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
location /fleet/ {
|
location /fleet/ {
|
||||||
proxy_pass https://{{ MAINIP }}:8080;
|
proxy_pass https://{{ MAINIP }}:8080;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
#error_page 404 /404.html;
|
#error_page 404 /404.html;
|
||||||
# location = /40x.html {
|
# location = /40x.html {
|
||||||
#}
|
#}
|
||||||
|
|
||||||
error_page 500 502 503 504 /50x.html;
|
error_page 500 502 503 504 /50x.html;
|
||||||
location = /usr/share/nginx/html/50x.html {
|
location = /usr/share/nginx/html/50x.html {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -11,50 +11,50 @@ pid /run/nginx.pid;
|
|||||||
include /usr/share/nginx/modules/*.conf;
|
include /usr/share/nginx/modules/*.conf;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
access_log /var/log/nginx/access.log main;
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
types_hash_max_size 2048;
|
types_hash_max_size 2048;
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
||||||
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
||||||
# for more information.
|
# for more information.
|
||||||
include /etc/nginx/conf.d/*.conf;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /usr/share/nginx/html;
|
root /usr/share/nginx/html;
|
||||||
|
|
||||||
# Load configuration files for the default server block.
|
# Load configuration files for the default server block.
|
||||||
include /etc/nginx/default.d/*.conf;
|
include /etc/nginx/default.d/*.conf;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
}
|
}
|
||||||
|
|
||||||
error_page 404 /404.html;
|
error_page 404 /404.html;
|
||||||
location = /40x.html {
|
location = /40x.html {
|
||||||
}
|
}
|
||||||
|
|
||||||
error_page 500 502 503 504 /50x.html;
|
error_page 500 502 503 504 /50x.html;
|
||||||
location = /50x.html {
|
location = /50x.html {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Settings for a TLS enabled server.
|
# Settings for a TLS enabled server.
|
||||||
#
|
#
|
||||||
|
|||||||
@@ -14,318 +14,312 @@ pid /run/nginx.pid;
|
|||||||
include /usr/share/nginx/modules/*.conf;
|
include /usr/share/nginx/modules/*.conf;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
access_log /var/log/nginx/access.log main;
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
types_hash_max_size 2048;
|
types_hash_max_size 2048;
|
||||||
client_max_body_size 1024M;
|
client_max_body_size 1024M;
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
||||||
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
||||||
# for more information.
|
# for more information.
|
||||||
include /etc/nginx/conf.d/*.conf;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
|
||||||
#server {
|
#server {
|
||||||
# listen 80 default_server;
|
# listen 80 default_server;
|
||||||
# listen [::]:80 default_server;
|
# listen [::]:80 default_server;
|
||||||
# server_name _;
|
# server_name _;
|
||||||
# root /opt/socore/html;
|
# root /opt/socore/html;
|
||||||
# index index.html;
|
# index index.html;
|
||||||
|
|
||||||
# Load configuration files for the default server block.
|
# Load configuration files for the default server block.
|
||||||
#include /etc/nginx/default.d/*.conf;
|
#include /etc/nginx/default.d/*.conf;
|
||||||
|
|
||||||
# location / {
|
# location / {
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# error_page 404 /404.html;
|
# error_page 404 /404.html;
|
||||||
# location = /40x.html {
|
# location = /40x.html {
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# error_page 500 502 503 504 /50x.html;
|
# error_page 500 502 503 504 /50x.html;
|
||||||
# location = /50x.html {
|
# location = /50x.html {
|
||||||
# }
|
# }
|
||||||
#}
|
#}
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
return 301 https://$host$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
{% if FLEET_MASTER %}
|
{% if FLEET_MASTER %}
|
||||||
server {
|
server {
|
||||||
listen 8090 ssl http2 default_server;
|
listen 8090 ssl http2 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /opt/socore/html;
|
root /opt/socore/html;
|
||||||
index blank.html;
|
index blank.html;
|
||||||
|
|
||||||
ssl_certificate "/etc/pki/nginx/server.crt";
|
ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
ssl_certificate_key "/etc/pki/nginx/server.key";
|
ssl_certificate_key "/etc/pki/nginx/server.key";
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
|
location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
|
||||||
grpc_pass grpcs://{{ masterip }}:8080;
|
grpc_pass grpcs://{{ masterip }}:8080;
|
||||||
grpc_set_header Host $host;
|
grpc_set_header Host $host;
|
||||||
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# Settings for a TLS enabled server.
|
# Settings for a TLS enabled server.
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2 default_server;
|
listen 443 ssl http2 default_server;
|
||||||
#listen [::]:443 ssl http2 default_server;
|
#listen [::]:443 ssl http2 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /opt/socore/html;
|
root /opt/socore/html;
|
||||||
index index.html;
|
index index.html;
|
||||||
|
|
||||||
ssl_certificate "/etc/pki/nginx/server.crt";
|
ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
ssl_certificate_key "/etc/pki/nginx/server.key";
|
ssl_certificate_key "/etc/pki/nginx/server.key";
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
# Load configuration files for the default server block.
|
# Load configuration files for the default server block.
|
||||||
#include /etc/nginx/default.d/*.conf;
|
#include /etc/nginx/default.d/*.conf;
|
||||||
|
|
||||||
location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
|
location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
|
||||||
proxy_pass http://{{ masterip }}:9822;
|
proxy_pass http://{{ masterip }}:9822;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_pass http://{{ masterip }}:9822/;
|
proxy_pass http://{{ masterip }}:9822/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^/auth/.*?(whoami|login|logout|settings) {
|
location ~ ^/auth/.*?(whoami|login|logout|settings) {
|
||||||
rewrite /auth/(.*) /$1 break;
|
rewrite /auth/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:4433;
|
proxy_pass http://{{ masterip }}:4433;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /cyberchef/ {
|
location /cyberchef/ {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /cyberchef {
|
location /navigator/ {
|
||||||
rewrite ^ /cyberchef/ permanent;
|
auth_request /auth/sessions/whoami;
|
||||||
}
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
location /packages/ {
|
location /packages/ {
|
||||||
try_files $uri =206;
|
try_files $uri =206;
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /grafana/ {
|
location /grafana/ {
|
||||||
rewrite /grafana/(.*) /$1 break;
|
rewrite /grafana/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:3000/;
|
proxy_pass http://{{ masterip }}:3000/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /kibana/ {
|
location /kibana/ {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
rewrite /kibana/(.*) /$1 break;
|
rewrite /kibana/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:5601/;
|
proxy_pass http://{{ masterip }}:5601/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /nodered/ {
|
location /nodered/ {
|
||||||
proxy_pass http://{{ masterip }}:1880/;
|
proxy_pass http://{{ masterip }}:1880/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /playbook/ {
|
location /playbook/ {
|
||||||
proxy_pass http://{{ masterip }}:3200/playbook/;
|
proxy_pass http://{{ masterip }}:3200/playbook/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{%- if FLEET_NODE %}
|
||||||
|
location /fleet/ {
|
||||||
|
return 301 https://{{ FLEET_IP }}/fleet;
|
||||||
|
}
|
||||||
|
{%- else %}
|
||||||
|
location /fleet/ {
|
||||||
|
proxy_pass https://{{ masterip }}:8080;
|
||||||
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
{%- endif %}
|
||||||
|
|
||||||
location /navigator/ {
|
location /thehive/ {
|
||||||
auth_request /auth/sessions/whoami;
|
proxy_pass http://{{ masterip }}:9000/thehive/;
|
||||||
proxy_pass http://{{ masterip }}:4200/navigator/;
|
proxy_read_timeout 90;
|
||||||
proxy_read_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_http_version 1.1; # this is essential for chunked responses to work
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
{%- if FLEET_NODE %}
|
location /cortex/ {
|
||||||
location /fleet/ {
|
proxy_pass http://{{ masterip }}:9001/cortex/;
|
||||||
return 301 https://{{ FLEET_IP }}/fleet;
|
proxy_read_timeout 90;
|
||||||
}
|
proxy_connect_timeout 90;
|
||||||
{%- else %}
|
proxy_http_version 1.1; # this is essential for chunked responses to work
|
||||||
location /fleet/ {
|
proxy_set_header Host $host;
|
||||||
proxy_pass https://{{ masterip }}:8080;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_read_timeout 90;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_connect_timeout 90;
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Host $host;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
}
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
{%- endif %}
|
|
||||||
|
|
||||||
location /thehive/ {
|
location /soctopus/ {
|
||||||
proxy_pass http://{{ masterip }}:9000/thehive/;
|
proxy_pass http://{{ masterip }}:7000/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_http_version 1.1; # this is essential for chunked responses to work
|
proxy_set_header Host $host;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
location /cortex/ {
|
location /kibana/app/soc/ {
|
||||||
proxy_pass http://{{ masterip }}:9001/cortex/;
|
rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
|
||||||
proxy_read_timeout 90;
|
}
|
||||||
proxy_connect_timeout 90;
|
|
||||||
proxy_http_version 1.1; # this is essential for chunked responses to work
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /soctopus/ {
|
location /kibana/app/fleet/ {
|
||||||
proxy_pass http://{{ masterip }}:7000/;
|
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
|
||||||
proxy_read_timeout 90;
|
}
|
||||||
proxy_connect_timeout 90;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /kibana/app/soc/ {
|
location /kibana/app/soctopus/ {
|
||||||
rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
|
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /kibana/app/fleet/ {
|
location /sensoroniagents/ {
|
||||||
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
|
proxy_pass http://{{ masterip }}:9822/;
|
||||||
}
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
location /kibana/app/soctopus/ {
|
error_page 401 = @error401;
|
||||||
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /sensoroniagents/ {
|
location @error401 {
|
||||||
proxy_pass http://{{ masterip }}:9822/;
|
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
|
||||||
proxy_read_timeout 90;
|
return 302 /auth/self-service/browser/flows/login;
|
||||||
proxy_connect_timeout 90;
|
}
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
error_page 401 = @error401;
|
#error_page 404 /404.html;
|
||||||
|
# location = /40x.html {
|
||||||
|
#}
|
||||||
|
|
||||||
location @error401 {
|
error_page 500 502 503 504 /50x.html;
|
||||||
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
|
location = /usr/share/nginx/html/50x.html {
|
||||||
return 302 /auth/self-service/browser/flows/login;
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#error_page 404 /404.html;
|
|
||||||
# location = /40x.html {
|
|
||||||
#}
|
|
||||||
|
|
||||||
error_page 500 502 503 504 /50x.html;
|
|
||||||
location = /usr/share/nginx/html/50x.html {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
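Review bot: The new `location /navigator/` block (the one that replaces the old `/cyberchef` redirect rows, after the `/cyberchef/` location) carries `proxy_read_timeout`, `proxy_connect_timeout` and five `proxy_set_header` directives but no `proxy_pass`, so those directives are inert and the path is in fact served as static files from the server-level `root /opt/socore/html` behind `auth_request`. Keeping the auth gate and dropping the dead proxy settings makes that intent explicit: `location /navigator/ {` / `    auth_request /auth/sessions/whoami;` / `}`; the existing `/cyberchef/` block just above has the same inert directives and could be trimmed the same way. Separately, the old `location /cyberchef { rewrite ^ /cyberchef/ permanent; }` redirect no longer appears anywhere on the new side of this hunk; if that removal was not intended, a request for `/cyberchef` without the trailing slash now falls through to `location /` and the SOC proxy instead of being redirected. The second nginx config hunk below appears to make the same navigator change but runs past the end of my view, so I have not checked it for the same points.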
|||||||
@@ -14,318 +14,311 @@ pid /run/nginx.pid;
|
|||||||
include /usr/share/nginx/modules/*.conf;
|
include /usr/share/nginx/modules/*.conf;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
access_log /var/log/nginx/access.log main;
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
types_hash_max_size 2048;
|
types_hash_max_size 2048;
|
||||||
client_max_body_size 1024M;
|
client_max_body_size 1024M;
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
||||||
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
||||||
# for more information.
|
# for more information.
|
||||||
include /etc/nginx/conf.d/*.conf;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
|
||||||
#server {
|
#server {
|
||||||
# listen 80 default_server;
|
# listen 80 default_server;
|
||||||
# listen [::]:80 default_server;
|
# listen [::]:80 default_server;
|
||||||
# server_name _;
|
# server_name _;
|
||||||
# root /opt/socore/html;
|
# root /opt/socore/html;
|
||||||
# index index.html;
|
# index index.html;
|
||||||
|
|
||||||
# Load configuration files for the default server block.
|
# Load configuration files for the default server block.
|
||||||
#include /etc/nginx/default.d/*.conf;
|
#include /etc/nginx/default.d/*.conf;
|
||||||
|
|
||||||
# location / {
|
# location / {
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# error_page 404 /404.html;
|
# error_page 404 /404.html;
|
||||||
# location = /40x.html {
|
# location = /40x.html {
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# error_page 500 502 503 504 /50x.html;
|
# error_page 500 502 503 504 /50x.html;
|
||||||
# location = /50x.html {
|
# location = /50x.html {
|
||||||
# }
|
# }
|
||||||
#}
|
#}
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
return 301 https://$host$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
{% if FLEET_MASTER %}
|
{% if FLEET_MASTER %}
|
||||||
server {
|
server {
|
||||||
listen 8090 ssl http2 default_server;
|
listen 8090 ssl http2 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /opt/socore/html;
|
root /opt/socore/html;
|
||||||
index blank.html;
|
index blank.html;
|
||||||
|
|
||||||
ssl_certificate "/etc/pki/nginx/server.crt";
|
ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
ssl_certificate_key "/etc/pki/nginx/server.key";
|
ssl_certificate_key "/etc/pki/nginx/server.key";
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
|
location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
|
||||||
grpc_pass grpcs://{{ masterip }}:8080;
|
grpc_pass grpcs://{{ masterip }}:8080;
|
||||||
grpc_set_header Host $host;
|
grpc_set_header Host $host;
|
||||||
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# Settings for a TLS enabled server.
|
# Settings for a TLS enabled server.
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2 default_server;
|
listen 443 ssl http2 default_server;
|
||||||
#listen [::]:443 ssl http2 default_server;
|
#listen [::]:443 ssl http2 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /opt/socore/html;
|
root /opt/socore/html;
|
||||||
index index.html;
|
index index.html;
|
||||||
|
|
||||||
ssl_certificate "/etc/pki/nginx/server.crt";
|
ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
ssl_certificate_key "/etc/pki/nginx/server.key";
|
ssl_certificate_key "/etc/pki/nginx/server.key";
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
# Load configuration files for the default server block.
|
# Load configuration files for the default server block.
|
||||||
#include /etc/nginx/default.d/*.conf;
|
#include /etc/nginx/default.d/*.conf;
|
||||||
|
|
||||||
location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
|
location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
|
||||||
proxy_pass http://{{ masterip }}:9822;
|
proxy_pass http://{{ masterip }}:9822;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_pass http://{{ masterip }}:9822/;
|
proxy_pass http://{{ masterip }}:9822/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^/auth/.*?(whoami|login|logout|settings) {
|
location ~ ^/auth/.*?(whoami|login|logout|settings) {
|
||||||
rewrite /auth/(.*) /$1 break;
|
rewrite /auth/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:4433;
|
proxy_pass http://{{ masterip }}:4433;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /cyberchef/ {
|
location /cyberchef/ {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /cyberchef {
|
location /navigator/ {
|
||||||
rewrite ^ /cyberchef/ permanent;
|
auth_request /auth/sessions/whoami;
|
||||||
}
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
location /packages/ {
|
location /packages/ {
|
||||||
try_files $uri =206;
|
try_files $uri =206;
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /grafana/ {
|
location /grafana/ {
|
||||||
rewrite /grafana/(.*) /$1 break;
|
rewrite /grafana/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:3000/;
|
proxy_pass http://{{ masterip }}:3000/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /kibana/ {
|
location /kibana/ {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
rewrite /kibana/(.*) /$1 break;
|
rewrite /kibana/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:5601/;
|
proxy_pass http://{{ masterip }}:5601/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /nodered/ {
|
location /nodered/ {
|
||||||
proxy_pass http://{{ masterip }}:1880/;
|
proxy_pass http://{{ masterip }}:1880/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /playbook/ {
|
location /playbook/ {
|
||||||
proxy_pass http://{{ masterip }}:3200/playbook/;
|
proxy_pass http://{{ masterip }}:3200/playbook/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{%- if FLEET_NODE %}
|
||||||
|
location /fleet/ {
|
||||||
|
return 301 https://{{ FLEET_IP }}/fleet;
|
||||||
|
}
|
||||||
|
{%- else %}
|
||||||
|
location /fleet/ {
|
||||||
|
proxy_pass https://{{ masterip }}:8080;
|
||||||
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
{%- endif %}
|
||||||
|
|
||||||
location /navigator/ {
|
location /thehive/ {
|
||||||
auth_request /auth/sessions/whoami;
|
proxy_pass http://{{ masterip }}:9000/thehive/;
|
||||||
proxy_pass http://{{ masterip }}:4200/navigator/;
|
proxy_read_timeout 90;
|
||||||
proxy_read_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_http_version 1.1; # this is essential for chunked responses to work
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
{%- if FLEET_NODE %}
|
location /cortex/ {
|
||||||
location /fleet/ {
|
proxy_pass http://{{ masterip }}:9001/cortex/;
|
||||||
return 301 https://{{ FLEET_IP }}/fleet;
|
proxy_read_timeout 90;
|
||||||
}
|
proxy_connect_timeout 90;
|
||||||
{%- else %}
|
proxy_http_version 1.1; # this is essential for chunked responses to work
|
||||||
location /fleet/ {
|
proxy_set_header Host $host;
|
||||||
proxy_pass https://{{ masterip }}:8080;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_read_timeout 90;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_connect_timeout 90;
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Host $host;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
}
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
{%- endif %}
|
|
||||||
|
|
||||||
location /thehive/ {
|
location /soctopus/ {
|
||||||
proxy_pass http://{{ masterip }}:9000/thehive/;
|
proxy_pass http://{{ masterip }}:7000/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_http_version 1.1; # this is essential for chunked responses to work
|
proxy_set_header Host $host;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
location /cortex/ {
|
location /kibana/app/soc/ {
|
||||||
proxy_pass http://{{ masterip }}:9001/cortex/;
|
rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
|
||||||
proxy_read_timeout 90;
|
}
|
||||||
proxy_connect_timeout 90;
|
|
||||||
proxy_http_version 1.1; # this is essential for chunked responses to work
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /soctopus/ {
|
location /kibana/app/fleet/ {
|
||||||
proxy_pass http://{{ masterip }}:7000/;
|
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
|
||||||
proxy_read_timeout 90;
|
}
|
||||||
proxy_connect_timeout 90;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /kibana/app/soc/ {
|
location /kibana/app/soctopus/ {
|
||||||
rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
|
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /kibana/app/fleet/ {
|
location /sensoroniagents/ {
|
||||||
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
|
proxy_pass http://{{ masterip }}:9822/;
|
||||||
}
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
location /kibana/app/soctopus/ {
|
error_page 401 = @error401;
|
||||||
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /sensoroniagents/ {
|
location @error401 {
|
||||||
proxy_pass http://{{ masterip }}:9822/;
|
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
|
||||||
proxy_read_timeout 90;
|
return 302 /auth/self-service/browser/flows/login;
|
||||||
proxy_connect_timeout 90;
|
}
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
error_page 401 = @error401;
|
#error_page 404 /404.html;
|
||||||
|
# location = /40x.html {
|
||||||
|
#}
|
||||||
|
|
||||||
location @error401 {
|
error_page 500 502 503 504 /50x.html;
|
||||||
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
|
location = /usr/share/nginx/html/50x.html {
|
||||||
return 302 /auth/self-service/browser/flows/login;
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#error_page 404 /404.html;
|
|
||||||
# location = /40x.html {
|
|
||||||
#}
|
|
||||||
|
|
||||||
error_page 500 502 503 504 /50x.html;
|
|
||||||
location = /usr/share/nginx/html/50x.html {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -14,318 +14,312 @@ pid /run/nginx.pid;
|
|||||||
include /usr/share/nginx/modules/*.conf;
|
include /usr/share/nginx/modules/*.conf;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
access_log /var/log/nginx/access.log main;
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
types_hash_max_size 2048;
|
types_hash_max_size 2048;
|
||||||
client_max_body_size 1024M;
|
client_max_body_size 1024M;
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
||||||
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
||||||
# for more information.
|
# for more information.
|
||||||
include /etc/nginx/conf.d/*.conf;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
|
||||||
#server {
|
#server {
|
||||||
# listen 80 default_server;
|
# listen 80 default_server;
|
||||||
# listen [::]:80 default_server;
|
# listen [::]:80 default_server;
|
||||||
# server_name _;
|
# server_name _;
|
||||||
# root /opt/socore/html;
|
# root /opt/socore/html;
|
||||||
# index index.html;
|
# index index.html;
|
||||||
|
|
||||||
# Load configuration files for the default server block.
|
# Load configuration files for the default server block.
|
||||||
#include /etc/nginx/default.d/*.conf;
|
#include /etc/nginx/default.d/*.conf;
|
||||||
|
|
||||||
# location / {
|
# location / {
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# error_page 404 /404.html;
|
# error_page 404 /404.html;
|
||||||
# location = /40x.html {
|
# location = /40x.html {
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# error_page 500 502 503 504 /50x.html;
|
# error_page 500 502 503 504 /50x.html;
|
||||||
# location = /50x.html {
|
# location = /50x.html {
|
||||||
# }
|
# }
|
||||||
#}
|
#}
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
return 301 https://$host$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
{% if FLEET_MASTER %}
|
{% if FLEET_MASTER %}
|
||||||
server {
|
server {
|
||||||
listen 8090 ssl http2 default_server;
|
listen 8090 ssl http2 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /opt/socore/html;
|
root /opt/socore/html;
|
||||||
index blank.html;
|
index blank.html;
|
||||||
|
|
||||||
ssl_certificate "/etc/pki/nginx/server.crt";
|
ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
ssl_certificate_key "/etc/pki/nginx/server.key";
|
ssl_certificate_key "/etc/pki/nginx/server.key";
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
|
location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
|
||||||
grpc_pass grpcs://{{ masterip }}:8080;
|
grpc_pass grpcs://{{ masterip }}:8080;
|
||||||
grpc_set_header Host $host;
|
grpc_set_header Host $host;
|
||||||
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# Settings for a TLS enabled server.
|
# Settings for a TLS enabled server.
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2 default_server;
|
listen 443 ssl http2 default_server;
|
||||||
#listen [::]:443 ssl http2 default_server;
|
#listen [::]:443 ssl http2 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /opt/socore/html;
|
root /opt/socore/html;
|
||||||
index index.html;
|
index index.html;
|
||||||
|
|
||||||
ssl_certificate "/etc/pki/nginx/server.crt";
|
ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
ssl_certificate_key "/etc/pki/nginx/server.key";
|
ssl_certificate_key "/etc/pki/nginx/server.key";
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
# Load configuration files for the default server block.
|
# Load configuration files for the default server block.
|
||||||
#include /etc/nginx/default.d/*.conf;
|
#include /etc/nginx/default.d/*.conf;
|
||||||
|
|
||||||
location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
|
location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
|
||||||
proxy_pass http://{{ masterip }}:9822;
|
proxy_pass http://{{ masterip }}:9822;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_pass http://{{ masterip }}:9822/;
|
proxy_pass http://{{ masterip }}:9822/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ ^/auth/.*?(whoami|login|logout|settings) {
|
location ~ ^/auth/.*?(whoami|login|logout|settings) {
|
||||||
rewrite /auth/(.*) /$1 break;
|
rewrite /auth/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:4433;
|
proxy_pass http://{{ masterip }}:4433;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /cyberchef/ {
|
location /cyberchef/ {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /cyberchef {
|
location /navigator/ {
|
||||||
rewrite ^ /cyberchef/ permanent;
|
auth_request /auth/sessions/whoami;
|
||||||
}
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
location /packages/ {
|
location /packages/ {
|
||||||
try_files $uri =206;
|
try_files $uri =206;
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /grafana/ {
|
location /grafana/ {
|
||||||
rewrite /grafana/(.*) /$1 break;
|
rewrite /grafana/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:3000/;
|
proxy_pass http://{{ masterip }}:3000/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /kibana/ {
|
location /kibana/ {
|
||||||
auth_request /auth/sessions/whoami;
|
auth_request /auth/sessions/whoami;
|
||||||
rewrite /kibana/(.*) /$1 break;
|
rewrite /kibana/(.*) /$1 break;
|
||||||
proxy_pass http://{{ masterip }}:5601/;
|
proxy_pass http://{{ masterip }}:5601/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /nodered/ {
|
location /nodered/ {
|
||||||
proxy_pass http://{{ masterip }}:1880/;
|
proxy_pass http://{{ masterip }}:1880/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /playbook/ {
|
location /playbook/ {
|
||||||
proxy_pass http://{{ masterip }}:3200/playbook/;
|
proxy_pass http://{{ masterip }}:3200/playbook/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{%- if FLEET_NODE %}
|
||||||
|
location /fleet/ {
|
||||||
|
return 301 https://{{ FLEET_IP }}/fleet;
|
||||||
|
}
|
||||||
|
{%- else %}
|
||||||
|
location /fleet/ {
|
||||||
|
proxy_pass https://{{ masterip }}:8080;
|
||||||
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
{%- endif %}
|
||||||
|
|
||||||
location /navigator/ {
|
location /thehive/ {
|
||||||
auth_request /auth/sessions/whoami;
|
proxy_pass http://{{ masterip }}:9000/thehive/;
|
||||||
proxy_pass http://{{ masterip }}:4200/navigator/;
|
proxy_read_timeout 90;
|
||||||
proxy_read_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_http_version 1.1; # this is essential for chunked responses to work
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
{%- if FLEET_NODE %}
|
location /cortex/ {
|
||||||
location /fleet/ {
|
proxy_pass http://{{ masterip }}:9001/cortex/;
|
||||||
return 301 https://{{ FLEET_IP }}/fleet;
|
proxy_read_timeout 90;
|
||||||
}
|
proxy_connect_timeout 90;
|
||||||
{%- else %}
|
proxy_http_version 1.1; # this is essential for chunked responses to work
|
||||||
location /fleet/ {
|
proxy_set_header Host $host;
|
||||||
proxy_pass https://{{ masterip }}:8080;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_read_timeout 90;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_connect_timeout 90;
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Host $host;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
}
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
{%- endif %}
|
|
||||||
|
|
||||||
location /thehive/ {
|
location /soctopus/ {
|
||||||
proxy_pass http://{{ masterip }}:9000/thehive/;
|
proxy_pass http://{{ masterip }}:7000/;
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
proxy_connect_timeout 90;
|
proxy_connect_timeout 90;
|
||||||
proxy_http_version 1.1; # this is essential for chunked responses to work
|
proxy_set_header Host $host;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header Proxy "";
|
||||||
proxy_set_header Proxy "";
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
location /cortex/ {
|
location /kibana/app/soc/ {
|
||||||
proxy_pass http://{{ masterip }}:9001/cortex/;
|
rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
|
||||||
proxy_read_timeout 90;
|
}
|
||||||
proxy_connect_timeout 90;
|
|
||||||
proxy_http_version 1.1; # this is essential for chunked responses to work
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /soctopus/ {
|
location /kibana/app/fleet/ {
|
||||||
proxy_pass http://{{ masterip }}:7000/;
|
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
|
||||||
proxy_read_timeout 90;
|
}
|
||||||
proxy_connect_timeout 90;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /kibana/app/soc/ {
|
location /kibana/app/soctopus/ {
|
||||||
rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
|
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /kibana/app/fleet/ {
|
location /sensoroniagents/ {
|
||||||
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
|
proxy_pass http://{{ masterip }}:9822/;
|
||||||
}
|
proxy_read_timeout 90;
|
||||||
|
proxy_connect_timeout 90;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
location /kibana/app/soctopus/ {
|
error_page 401 = @error401;
|
||||||
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /sensoroniagents/ {
|
location @error401 {
|
||||||
proxy_pass http://{{ masterip }}:9822/;
|
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
|
||||||
proxy_read_timeout 90;
|
return 302 /auth/self-service/browser/flows/login;
|
||||||
proxy_connect_timeout 90;
|
}
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Proxy "";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
error_page 401 = @error401;
|
#error_page 404 /404.html;
|
||||||
|
# location = /40x.html {
|
||||||
|
#}
|
||||||
|
|
||||||
location @error401 {
|
error_page 500 502 503 504 /50x.html;
|
||||||
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
|
location = /usr/share/nginx/html/50x.html {
|
||||||
return 302 /auth/self-service/browser/flows/login;
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#error_page 404 /404.html;
|
|
||||||
# location = /40x.html {
|
|
||||||
#}
|
|
||||||
|
|
||||||
error_page 500 502 503 504 /50x.html;
|
|
||||||
location = /usr/share/nginx/html/50x.html {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -40,6 +40,15 @@ nginxtmp:
|
|||||||
- group: 939
|
- group: 939
|
||||||
- makedirs: True
|
- makedirs: True
|
||||||
|
|
||||||
|
navigatorconfig:
|
||||||
|
file.managed:
|
||||||
|
- name: /opt/so/conf/navigator/navigator_config.json
|
||||||
|
- source: salt://nginx/files/navigator_config.json
|
||||||
|
- user: 939
|
||||||
|
- group: 939
|
||||||
|
- makedirs: True
|
||||||
|
- template: jinja
|
||||||
|
|
||||||
so-nginx:
|
so-nginx:
|
||||||
docker_container.running:
|
docker_container.running:
|
||||||
- image: {{ MASTER }}:5000/soshybridhunter/so-nginx:{{ VERSION }}
|
- image: {{ MASTER }}:5000/soshybridhunter/so-nginx:{{ VERSION }}
|
||||||
@@ -52,6 +61,9 @@ so-nginx:
|
|||||||
- /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
|
- /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
|
||||||
- /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
|
- /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
|
||||||
- /opt/so/conf/fleet/packages:/opt/socore/html/packages
|
- /opt/so/conf/fleet/packages:/opt/socore/html/packages
|
||||||
|
# ATT&CK Navigator binds
|
||||||
|
- /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro
|
||||||
|
- /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro
|
||||||
- cap_add: NET_BIND_SERVICE
|
- cap_add: NET_BIND_SERVICE
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
- 80:80
|
- 80:80
|
||||||
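Review bot: The last added bind mounts `/opt/so/conf/navigator/nav_layer_playbook.json` read-only into the container, but the `navigatorconfig` state added in the hunk above (`@@ -40,6 +40,15 @@`) only manages `navigator_config.json`; nothing visible here creates the layer file on the host. If that path does not exist when `docker_container.running` starts so-nginx, Docker typically creates an empty directory at the bind source, so the navigator would be handed a directory instead of the playbook layer — unless the file is written by another state (perhaps the playbook one) that is outside this view. A `file.managed` state mirroring `navigatorconfig` (same `user: 939`/`group: 939`, `makedirs: True`) for `nav_layer_playbook.json`, or a `- require:` on `so-nginx` naming whatever produces it, would make the dependency explicit. The `so-nginx` state continues past the end of this hunk.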
|
|||||||
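--- a/salt/top.sls
+++ b/salt/top.sls
@@ -2,7 +2,6 @@
 {%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%}
 {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
 {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
-{%- set NAVIGATOR = salt['pillar.get']('master:navigator', '0') -%}
 {%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%}
 {%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
 {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
@@ -109,9 +108,6 @@ base:
 {%- if PLAYBOOK != 0 %}
 - playbook
 {%- endif %}
-{%- if NAVIGATOR != 0 %}
-- navigator
-{%- endif %}
 {%- if FREQSERVER != 0 %}
 - freqserver
 {%- endif %}
@@ -159,9 +155,6 @@ base:
 {%- if PLAYBOOK != 0 %}
 - playbook
 {%- endif %}
-{%- if NAVIGATOR != 0 %}
-- navigator
-{%- endif %}
 {%- if FREQSERVER != 0 %}
 - freqserver
 {%- endif %}
@@ -219,9 +212,6 @@ base:
 {%- if PLAYBOOK != 0 %}
 - playbook
 {%- endif %}
-{%- if NAVIGATOR != 0 %}
-- navigator
-{%- endif %}
 {%- if FREQSERVER != 0 %}
 - freqserver
 {%- endif %}
@@ -336,9 +326,6 @@ base:
 {%- if PLAYBOOK != 0 %}
 - playbook
 {%- endif %}
-{%- if NAVIGATOR != 0 %}
-- navigator
-{%- endif %}
 {%- if FREQSERVER != 0 %}
 - freqserver
 {%- endif %}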
@@ -50,7 +50,6 @@ MNIC=eth0
|
|||||||
# MSEARCH=
|
# MSEARCH=
|
||||||
# MSRV=
|
# MSRV=
|
||||||
# MTU=
|
# MTU=
|
||||||
NAVIGATOR=1
|
|
||||||
NIDS=Suricata
|
NIDS=Suricata
|
||||||
# NODE_ES_HEAP_SIZE=
|
# NODE_ES_HEAP_SIZE=
|
||||||
# NODE_LS_HEAP_SIZE=
|
# NODE_LS_HEAP_SIZE=
|
||||||
|
|||||||
@@ -718,7 +718,6 @@ docker_seed_registry() {
|
|||||||
"so-influxdb:$VERSION" \
|
"so-influxdb:$VERSION" \
|
||||||
"so-kibana:$VERSION" \
|
"so-kibana:$VERSION" \
|
||||||
"so-mysql:$VERSION" \
|
"so-mysql:$VERSION" \
|
||||||
"so-navigator:$VERSION" \
|
|
||||||
"so-playbook:$VERSION" \
|
"so-playbook:$VERSION" \
|
||||||
"so-soc:$VERSION" \
|
"so-soc:$VERSION" \
|
||||||
"so-kratos:$VERSION" \
|
"so-kratos:$VERSION" \
|
||||||
@@ -910,7 +909,6 @@ master_pillar() {
|
|||||||
" osquery: $OSQUERY"\
|
" osquery: $OSQUERY"\
|
||||||
" thehive: $THEHIVE"\
|
" thehive: $THEHIVE"\
|
||||||
" playbook: $PLAYBOOK"\
|
" playbook: $PLAYBOOK"\
|
||||||
" navigator: $NAVIGATOR"\
|
|
||||||
" url_base: $REDIRECTIT"\
|
" url_base: $REDIRECTIT"\
|
||||||
""\
|
""\
|
||||||
"kratos:" >> "$pillar_file"
|
"kratos:" >> "$pillar_file"
|
||||||
|
|||||||
@@ -561,11 +561,6 @@ fi
|
|||||||
salt-call state.apply -l info playbook >> $setup_log 2>&1
|
salt-call state.apply -l info playbook >> $setup_log 2>&1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$NAVIGATOR" = 1 ]]; then
|
|
||||||
set_progress_str 78 "$(print_salt_state_apply 'navigator')"
|
|
||||||
salt-call state.apply -l info navigator >> $setup_log 2>&1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ $is_master || $is_helix ]]; then
|
if [[ $is_master || $is_helix ]]; then
|
||||||
set_progress_str 81 "$(print_salt_state_apply 'utility')"
|
set_progress_str 81 "$(print_salt_state_apply 'utility')"
|
||||||
salt-call state.apply -l info utility >> $setup_log 2>&1
|
salt-call state.apply -l info utility >> $setup_log 2>&1
|
||||||
|
|||||||
@@ -343,7 +343,6 @@ whiptail_enable_components() {
|
|||||||
WAZUH "Enable Wazuh" ON \
|
WAZUH "Enable Wazuh" ON \
|
||||||
THEHIVE "Enable TheHive" ON \
|
THEHIVE "Enable TheHive" ON \
|
||||||
PLAYBOOK "Enable Playbook" ON \
|
PLAYBOOK "Enable Playbook" ON \
|
||||||
NAVIGATOR "Enable ATT&CK Navigator" ON \
|
|
||||||
STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
|
STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
|
||||||
local exitstatus=$?
|
local exitstatus=$?
|
||||||
whiptail_check_exitstatus $exitstatus
|
whiptail_check_exitstatus $exitstatus
|
||||||
|
|||||||
@@ -51,7 +51,6 @@ if [ $MASTERCHECK != 'so-helix' ]; then
|
|||||||
"so-kratos:$BUILD$UPDATEVERSION" \
|
"so-kratos:$BUILD$UPDATEVERSION" \
|
||||||
"so-logstash:$BUILD$UPDATEVERSION" \
|
"so-logstash:$BUILD$UPDATEVERSION" \
|
||||||
"so-mysql:$BUILD$UPDATEVERSION" \
|
"so-mysql:$BUILD$UPDATEVERSION" \
|
||||||
"so-navigator:$BUILD$UPDATEVERSION" \
|
|
||||||
"so-nginx:$BUILD$UPDATEVERSION" \
|
"so-nginx:$BUILD$UPDATEVERSION" \
|
||||||
"so-playbook:$BUILD$UPDATEVERSION" \
|
"so-playbook:$BUILD$UPDATEVERSION" \
|
||||||
"so-redis:$BUILD$UPDATEVERSION" \
|
"so-redis:$BUILD$UPDATEVERSION" \
|
||||||