From 40b5b96e17fb446f8e01a909009537d05024b705 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 13 Aug 2020 15:00:44 -0400
Subject: [PATCH] Respond with 403 status code to unauthorized sensor requests
---
 salt/nginx/etc/nginx.conf.so-eval | 3 +++
 salt/nginx/etc/nginx.conf.so-manager | 3 +++
 salt/nginx/etc/nginx.conf.so-managersearch | 3 +++
 salt/nginx/etc/nginx.conf.so-standalone | 3 +++
 4 files changed, 12 insertions(+)
diff --git a/salt/nginx/etc/nginx.conf.so-eval b/salt/nginx/etc/nginx.conf.so-eval
index 9c919c764..8032ed0ce 100644
--- a/salt/nginx/etc/nginx.conf.so-eval
+++ b/salt/nginx/etc/nginx.conf.so-eval
@@ -297,6 +297,9 @@ http {
 }
 location /sensoroniagents/ {
+ if ($http_authorization = "") {
+ return 403;
+ }
 proxy_pass http://{{ managerip }}:9822/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
diff --git a/salt/nginx/etc/nginx.conf.so-manager b/salt/nginx/etc/nginx.conf.so-manager
index cf7545942..42caa7841 100644
--- a/salt/nginx/etc/nginx.conf.so-manager
+++ b/salt/nginx/etc/nginx.conf.so-manager
@@ -297,6 +297,9 @@ http {
 }
 location /sensoroniagents/ {
+ if ($http_authorization = "") {
+ return 403;
+ }
 proxy_pass http://{{ managerip }}:9822/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
diff --git a/salt/nginx/etc/nginx.conf.so-managersearch b/salt/nginx/etc/nginx.conf.so-managersearch
index 4b9daba4e..0f0e052c8 100644
--- a/salt/nginx/etc/nginx.conf.so-managersearch
+++ b/salt/nginx/etc/nginx.conf.so-managersearch
@@ -296,6 +296,9 @@ http {
 }
 location /sensoroniagents/ {
+ if ($http_authorization = "") {
+ return 403;
+ }
 proxy_pass http://{{ managerip }}:9822/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone
index cf7545942..42caa7841 100644
--- a/salt/nginx/etc/nginx.conf.so-standalone
+++ b/salt/nginx/etc/nginx.conf.so-standalone
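Review bot: The added `if ($http_authorization = "")` guard in `location /sensoroniagents/` of nginx.conf.so-eval tests only that an Authorization header is present, so any non-empty value still reaches `proxy_pass` to port 9822 and the guard is not an authentication check by itself. Whether the upstream service validates the header value is not visible in this patch and should be confirmed; a comment above the guard would keep later readers from treating it as the access control, for example `# Presence check only; the credential itself must be validated by the upstream service.` The same three lines are added in the so-manager, so-managersearch and so-standalone hunks, so the point applies to all four files. The location block continues past the end of each hunk.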
@@ -297,6 +297,9 @@ http {
 }
 location /sensoroniagents/ {
+ if ($http_authorization = "") {
+ return 403;
+ }
 proxy_pass http://{{ managerip }}:9822/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;