diff --git a/salt/auth/init.sls b/salt/auth/init.sls new file mode 100644 index 000000000..bed7d18d5 --- /dev/null +++ b/salt/auth/init.sls @@ -0,0 +1,38 @@ +so-auth-api-dir: + file.directory: + - name: /opt/so/conf/auth/api + - user: 939 + - group: 939 + - makedirs: True + +so-auth-api-image: + cmd.run: + - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.4 + +so-auth-ui-image: + cmd.run: + - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.4 + +so-auth-api: + docker_container.running: + - require: + - so-auth-api-image + - image: docker.io/soshybridhunter/so-auth-api:HH1.1.4 + - hostname: so-auth-api + - name: so-auth-api + - environment: + - BASE_PATH: "/so-auth/api" + - binds: + - /opt/so/conf/auth/api:/data + - port_bindings: + - 0.0.0.0:5656:5656 + +so-auth-ui: + docker_container.running: + - require: + - so-auth-ui-image + - image: docker.io/soshybridhunter/so-auth-ui:HH1.1.4 + - hostname: so-auth-ui + - name: so-auth-ui + - port_bindings: + - 0.0.0.0:4242:80 diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval index 23257b807..d3e377881 100644 --- a/salt/common/nginx/nginx.conf.so-eval +++ b/salt/common/nginx/nginx.conf.so-eval @@ -58,9 +58,9 @@ http { # } #} server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; } @@ -88,8 +88,8 @@ http { # } location /grafana/ { - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; + rewrite /grafana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -100,10 +100,9 @@ http { } location /kibana/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; + auth_request /so-auth/api/auth/; + rewrite /kibana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:5601/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -114,7 +113,7 @@ http { } location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; + proxy_pass http://{{ masterip }}:3200/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -126,9 +125,8 @@ http { location /navigator/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; - proxy_pass http://{{ masterip }}:4200/navigator/; + auth_request /so-auth/api/auth/; + proxy_pass http://{{ masterip }}:4200/navigator/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -139,7 +137,7 @@ http { } location /api/ { - proxy_pass https://{{ masterip }}:8080/api/; + proxy_pass https://{{ masterip }}:8080/api/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Upgrade $http_upgrade; @@ -152,7 +150,7 @@ http { } location /fleet/ { - proxy_pass https://{{ masterip }}:8080/fleet/; + proxy_pass https://{{ masterip }}:8080/fleet/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -163,10 +161,10 @@ http { } location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; + proxy_pass http://{{ masterip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_http_version 1.1; # this is essential for chunked responses to work proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -175,10 +173,10 @@ http { } location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; + proxy_pass http://{{ masterip }}:9001/cortex/; proxy_read_timeout 90; proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_http_version 1.1; # this is essential for chunked responses to work proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -187,7 +185,7 @@ http { } location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; + proxy_pass http://{{ masterip }}:7000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -198,17 +196,16 @@ http { } location /sensoroni/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; - proxy_pass http://{{ masterip }}:9822/; + auth_request /so-auth/api/auth/; + proxy_pass http://{{ masterip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; } @@ -225,15 +222,34 @@ http { } location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; + proxy_pass http://{{ masterip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; - } + + location /so-auth/loginpage/ { + proxy_pass http://{{ masterip }}:4242/; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location /so-auth/api/ { + proxy_pass http://{{ masterip }}:5656/; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + } + + error_page 401 = @error401; + + location @error401 { + add_header Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/"; + return 302 http://{{ masterip }}/so-auth/loginpage/; + } + error_page 404 /404.html; location = /40x.html { } diff --git a/salt/top.sls b/salt/top.sls index b6bd14bd7..efa770e29 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -51,6 +51,7 @@ base: - firewall - master - idstools + - auth {%- if OSQUERY != 0 %} - mysql {%- endif %} diff --git a/setup/so-setup.sh b/setup/so-setup.sh index 6c26783ae..5fa4fa7b7 100644 --- a/setup/so-setup.sh +++ b/setup/so-setup.sh @@ -655,6 +655,7 @@ if (whiptail_you_sure) ; then echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX" checkin_at_boot >> $SETUPLOG 2>&1 echo -e "XX\n97\nFinishing touches... \nXXX" + salt-call state.apply auth >> $SETUPLOG 2>&1 filter_unused_nics >> $SETUPLOG 2>&1 network_setup >> $SETUPLOG 2>&1 echo -e "XXX\n98\nVerifying Setup... \nXXX"