From cfd1b82e004d682b0de5ba81be3fd741655a7cbc Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 8 Jul 2020 13:49:33 -0400 Subject: [PATCH 01/17] [refactor] Redirect to correct url_base + combine configs --- ...{nginx.conf.so-mastersearch => nginx.conf} | 87 ++--- salt/nginx/etc/nginx.conf.so-eval | 326 ------------------ salt/nginx/etc/nginx.conf.so-fleet | 100 ------ salt/nginx/etc/nginx.conf.so-heavynode | 89 ----- salt/nginx/etc/nginx.conf.so-helix | 89 ----- salt/nginx/etc/nginx.conf.so-master | 326 ------------------ salt/nginx/etc/nginx.conf.so-node | 89 ----- salt/nginx/etc/nginx.conf.so-sensor | 89 ----- salt/nginx/etc/nginx.conf.so-standalone | 326 ------------------ salt/nginx/init.sls | 2 +- 10 files changed, 32 insertions(+), 1491 deletions(-) rename salt/nginx/etc/{nginx.conf.so-mastersearch => nginx.conf} (85%) delete mode 100644 salt/nginx/etc/nginx.conf.so-eval delete mode 100644 salt/nginx/etc/nginx.conf.so-fleet delete mode 100644 salt/nginx/etc/nginx.conf.so-heavynode delete mode 100644 salt/nginx/etc/nginx.conf.so-helix delete mode 100644 salt/nginx/etc/nginx.conf.so-master delete mode 100644 salt/nginx/etc/nginx.conf.so-node delete mode 100644 salt/nginx/etc/nginx.conf.so-sensor delete mode 100644 salt/nginx/etc/nginx.conf.so-standalone diff --git a/salt/nginx/etc/nginx.conf.so-mastersearch b/salt/nginx/etc/nginx.conf similarity index 85% rename from salt/nginx/etc/nginx.conf.so-mastersearch rename to salt/nginx/etc/nginx.conf index 952f18cd9..4086970e6 100644 --- a/salt/nginx/etc/nginx.conf.so-mastersearch +++ b/salt/nginx/etc/nginx.conf 
@@ -1,20 +1,19 @@ {%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} -{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} -{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ +{%- set role = grains.id.split('_') | last %} +{%- set url_base = salt['pillar.get']('master:url_base') %} + +{%- set fleet_master = salt['pillar.get']('static:fleet_master') %} +{%- set fleet_node = salt['pillar.get']('static:fleet_node') %} +{%- set fleet_ip = salt['pillar.get']('static:fleet_ip', None) %} worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; -# Load dynamic modules. See /usr/share/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { - worker_connections 1024; + worker_connections 1024; } http { 
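Review bot: `url_base` is read with `salt['pillar.get']('master:url_base')` and no default, so on a minion whose pillar lacks that key it renders as an empty string and every `server_name {{ url_base }};` and `return 301 https://{{ url_base }}$request_uri;` in this file becomes `server_name ;` / `https://$request_uri`, which nginx rejects at config test. The other new settings in this hunk (`fleet_ip`) do carry an explicit default, so this one looks like an oversight rather than a choice. A minimal guard is `{%- set url_base = salt['pillar.get']('master:url_base', masterip) %}` so an unset pillar still yields a usable host, or alternatively fail the render with an explicit error when it is empty; which one fits the deployment flow is not visible from the hunk.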
@@ -34,42 +33,12 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. include /etc/nginx/conf.d/*.conf; - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; - - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; - - # location / { - # } - - # error_page 404 /404.html; - # location = /40x.html { - # } - - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } - -{% if FLEET_MASTER %} + {%- if fleet_master %} server { listen 8090 ssl http2 default_server; - server_name _; + server_name {{ url_base }}; root /opt/socore/html; index blank.html; @@ -86,15 +55,26 @@ http { grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_buffering off; } - } -{% endif %} -# Settings for a TLS enabled server. + } + {%- endif %} + + {&- if role in ['eval', 'mastersearch', 'master', 'standalone'] &} + server { + listen 80 default_server; + server_name _; + return 301 https://{{ url_base }}$request_uri; + } + + server { + listen 443 ssl http2 default_server; + server_name _; + return 301 https://{{ url_base }}$request_uri; + } server { listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; + server_name {{ url_base }}; root /opt/socore/html; index index.html; @@ -105,8 +85,6 @@ http { ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { proxy_pass http://{{ masterip }}:9822; 
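Review bot: The role guard added in the second hunk is spelled `{&- if role in ['eval', 'mastersearch', 'master', 'standalone'] &}`, which Jinja does not parse as a tag, so the text is emitted literally into nginx.conf and the `{%- endif %}` that closes the 443 server in the final hunk of this file has no matching `if`, which makes the template fail to render for every role; it should read `{%- if role in ['eval', 'mastersearch', 'master', 'standalone'] %}`. In the same hunk the new catch-all `server { listen 443 ssl http2 default_server; server_name _; ... }` and the existing main 443 server both declare `default_server` on the same port, and nginx permits only one default server per address:port, so even with the tag fixed the config test fails with a duplicate default server error. The intent is clearly for unmatched hosts to be redirected and `{{ url_base }}` to be served, so keep `default_server` on the redirect block and change the main block to `listen 443 ssl http2;`. The redirect block also carries no `ssl_certificate` / `ssl_certificate_key` lines while the other 443 and 8090 servers define them per block; an `ssl` listener without a certificate is rejected by current nginx and cannot complete a handshake on older builds, so copy the two `ssl_certificate*` lines from the main server into the redirect block.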
@@ -231,11 +209,12 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } - {%- if FLEET_NODE %} + {%- if fleet_node %} location /fleet/ { - return 301 https://{{ FLEET_IP }}/fleet; + return 301 https://{{ fleet_ip }}/fleet; } - {%- else %} + {%- else %} + location /fleet/ { proxy_pass https://{{ masterip }}:8080; proxy_read_timeout 90; @@ -246,7 +225,7 @@ http { proxy_set_header Proxy ""; proxy_set_header X-Forwarded-Proto $scheme; } - {%- endif %} + {%- endif %} location /thehive/ { proxy_pass http://{{ masterip }}:9000/thehive/; @@ -313,13 +292,9 @@ http { return 302 /auth/self-service/browser/flows/login; } - #error_page 404 /404.html; - # location = /40x.html { - #} - error_page 500 502 503 504 /50x.html; location = /usr/share/nginx/html/50x.html { } } - + {%- endif %} } diff --git a/salt/nginx/etc/nginx.conf.so-eval b/salt/nginx/etc/nginx.conf.so-eval deleted file mode 100644 index 7e3a9a401..000000000 --- a/salt/nginx/etc/nginx.conf.so-eval +++ /dev/null 
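Review bot: With the `{%- endif %}` added in the last hunk, the entire 443 server including every proxied location is rendered only for the eval, mastersearch, master and standalone roles, so a minion whose id ends in `_fleet` gets no 443 listener at all, whereas the deleted nginx.conf.so-fleet served `/fleet/` from `/opt/socore/html/packages` on 443; confirm this is intended or add `'fleet'` to the role list with a matching fleet-only branch. The 8090 gRPC server stays gated on `fleet_master` alone, so a fleet node would presumably still accept agent enrollment but lose its browser-facing endpoint. The node, sensor, heavynode and helix configs that are removed here only exposed a plain port-80 server with a static root, so dropping them entirely is likely fine, but a one-line comment above the role list stating which roles are expected to have no HTTP service at all would make the intent explicit.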
@@ -1,326 +0,0 @@ -{%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} -{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} -{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -# Load dynamic modules. See /usr/share/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - client_max_body_size 1024M; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; - - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; - - # Load configuration files for the default server block. 
- #include /etc/nginx/default.d/*.conf; - - # location / { - # } - - # error_page 404 /404.html; - # location = /40x.html { - # } - - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } - -{% if FLEET_MASTER %} - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } - - } -{% endif %} - -# Settings for a TLS enabled server. - - server { - listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index index.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - # Load configuration files for the default server block. 
- #include /etc/nginx/default.d/*.conf; - - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location / { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location ~ ^/auth/.*?(whoami|login|logout|settings) { - rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cyberchef/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /navigator/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto 
$scheme; - } - - location /packages/ { - try_files $uri =206; - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /grafana/ { - auth_request /auth/sessions/whoami; - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /kibana/ { - auth_request /auth/sessions/whoami; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - {%- if FLEET_NODE %} - location /fleet/ { - 
return 301 https://{{ FLEET_IP }}/fleet; - } - {%- else %} - location /fleet/ { - proxy_pass https://{{ masterip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - {%- endif %} - - location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /kibana/app/soc/ { - rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; - } - - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } - - location /kibana/app/soctopus/ { - rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; - } - - location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - 
proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - error_page 401 = @error401; - - location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; - return 302 /auth/self-service/browser/flows/login; - } - - #error_page 404 /404.html; - # location = /usr/share/nginx/html/40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } - -} diff --git a/salt/nginx/etc/nginx.conf.so-fleet b/salt/nginx/etc/nginx.conf.so-fleet deleted file mode 100644 index 937f09a5b..000000000 --- a/salt/nginx/etc/nginx.conf.so-fleet +++ /dev/null 
@@ -1,100 +0,0 @@ -{% set MAININT = salt['pillar.get']('host:mainint') %} -{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} - -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -user nginx; -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -# Load dynamic modules. See /usr/share/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - include /etc/nginx/conf.d/*.conf; - - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } - - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ MAINIP }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } - - } - - - server { - listen 443 ssl http2 default_server; - server_name _; - root /opt/socore/html/packages; - index index.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache 
shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - location /fleet/ { - proxy_pass https://{{ MAINIP }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } - -} diff --git a/salt/nginx/etc/nginx.conf.so-heavynode b/salt/nginx/etc/nginx.conf.so-heavynode deleted file mode 100644 index 7ec3fef7d..000000000 --- a/salt/nginx/etc/nginx.conf.so-heavynode +++ /dev/null 
@@ -1,89 +0,0 @@ -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -user nginx; -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -# Load dynamic modules. See /usr/share/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; - - server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - root /usr/share/nginx/html; - - # Load configuration files for the default server block. - include /etc/nginx/default.d/*.conf; - - location / { - } - - error_page 404 /404.html; - location = /40x.html { - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - } - } - -# Settings for a TLS enabled server. -# -# server { -# listen 443 ssl http2 default_server; -# listen [::]:443 ssl http2 default_server; -# server_name _; -# root /usr/share/nginx/html; -# -# ssl_certificate "/etc/pki/nginx/server.crt"; -# ssl_certificate_key "/etc/pki/nginx/private/server.key"; -# ssl_session_cache shared:SSL:1m; -# ssl_session_timeout 10m; -# ssl_ciphers HIGH:!aNULL:!MD5; -# ssl_prefer_server_ciphers on; -# -# # Load configuration files for the default server block. 
-# include /etc/nginx/default.d/*.conf; -# -# location / { -# } -# -# #error_page 404 /404.html; -# # location = /40x.html { -# #} -# -# error_page 500 502 503 504 /50x.html; -# location = /usr/share/nginx/html/50x.html { -# } -# } - -} diff --git a/salt/nginx/etc/nginx.conf.so-helix b/salt/nginx/etc/nginx.conf.so-helix deleted file mode 100644 index e5a68c09d..000000000 --- a/salt/nginx/etc/nginx.conf.so-helix +++ /dev/null 
@@ -1,89 +0,0 @@ -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -user nginx; -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -# Load dynamic modules. See /usr/share/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; - - server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - root /usr/share/nginx/html; - - # Load configuration files for the default server block. - include /etc/nginx/default.d/*.conf; - - location / { - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } - -# Settings for a TLS enabled server. -# -# server { -# listen 443 ssl http2 default_server; -# listen [::]:443 ssl http2 default_server; -# server_name _; -# root /usr/share/nginx/html; -# -# ssl_certificate "/etc/pki/nginx/server.crt"; -# ssl_certificate_key "/etc/pki/nginx/private/server.key"; -# ssl_session_cache shared:SSL:1m; -# ssl_session_timeout 10m; -# ssl_ciphers HIGH:!aNULL:!MD5; -# ssl_prefer_server_ciphers on; -# -# # Load configuration files for the default server block. 
-# include /etc/nginx/default.d/*.conf; -# -# location / { -# } -# -# error_page 404 /404.html; -# location = /40x.html { -# } -# -# error_page 500 502 503 504 /50x.html; -# location = /50x.html { -# } -# } - -} diff --git a/salt/nginx/etc/nginx.conf.so-master b/salt/nginx/etc/nginx.conf.so-master deleted file mode 100644 index de3a3a6c1..000000000 --- a/salt/nginx/etc/nginx.conf.so-master +++ /dev/null 
@@ -1,326 +0,0 @@ -{%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} -{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} -{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -# Load dynamic modules. See /usr/share/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - client_max_body_size 1024M; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; - - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; - - # Load configuration files for the default server block. 
- #include /etc/nginx/default.d/*.conf; - - # location / { - # } - - # error_page 404 /404.html; - # location = /40x.html { - # } - - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } - -{% if FLEET_MASTER %} - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } - - } -{% endif %} - -# Settings for a TLS enabled server. - - server { - listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index index.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - # Load configuration files for the default server block. 
- #include /etc/nginx/default.d/*.conf; - - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location / { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location ~ ^/auth/.*?(whoami|login|logout|settings) { - rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cyberchef/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /navigator/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto 
$scheme; - } - - location /packages/ { - try_files $uri =206; - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /grafana/ { - auth_request /auth/sessions/whoami; - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /kibana/ { - auth_request /auth/sessions/whoami; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - {%- if FLEET_NODE %} - location /fleet/ { - 
return 301 https://{{ FLEET_IP }}/fleet; - } - {%- else %} - location /fleet/ { - proxy_pass https://{{ masterip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - {%- endif %} - - location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /kibana/app/soc/ { - rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; - } - - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } - - location /kibana/app/soctopus/ { - rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; - } - - location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - 
proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - error_page 401 = @error401; - - location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; - return 302 /auth/self-service/browser/flows/login; - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } - -} diff --git a/salt/nginx/etc/nginx.conf.so-node b/salt/nginx/etc/nginx.conf.so-node deleted file mode 100644 index e5a68c09d..000000000 --- a/salt/nginx/etc/nginx.conf.so-node +++ /dev/null 
@@ -1,89 +0,0 @@ -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -user nginx; -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -# Load dynamic modules. See /usr/share/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; - - server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - root /usr/share/nginx/html; - - # Load configuration files for the default server block. - include /etc/nginx/default.d/*.conf; - - location / { - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } - -# Settings for a TLS enabled server. -# -# server { -# listen 443 ssl http2 default_server; -# listen [::]:443 ssl http2 default_server; -# server_name _; -# root /usr/share/nginx/html; -# -# ssl_certificate "/etc/pki/nginx/server.crt"; -# ssl_certificate_key "/etc/pki/nginx/private/server.key"; -# ssl_session_cache shared:SSL:1m; -# ssl_session_timeout 10m; -# ssl_ciphers HIGH:!aNULL:!MD5; -# ssl_prefer_server_ciphers on; -# -# # Load configuration files for the default server block. 
-# include /etc/nginx/default.d/*.conf; -# -# location / { -# } -# -# error_page 404 /404.html; -# location = /40x.html { -# } -# -# error_page 500 502 503 504 /50x.html; -# location = /50x.html { -# } -# } - -} diff --git a/salt/nginx/etc/nginx.conf.so-sensor b/salt/nginx/etc/nginx.conf.so-sensor deleted file mode 100644 index e5a68c09d..000000000 --- a/salt/nginx/etc/nginx.conf.so-sensor +++ /dev/null 
@@ -1,89 +0,0 @@ -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -user nginx; -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -# Load dynamic modules. See /usr/share/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; - - server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - root /usr/share/nginx/html; - - # Load configuration files for the default server block. - include /etc/nginx/default.d/*.conf; - - location / { - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } - -# Settings for a TLS enabled server. -# -# server { -# listen 443 ssl http2 default_server; -# listen [::]:443 ssl http2 default_server; -# server_name _; -# root /usr/share/nginx/html; -# -# ssl_certificate "/etc/pki/nginx/server.crt"; -# ssl_certificate_key "/etc/pki/nginx/private/server.key"; -# ssl_session_cache shared:SSL:1m; -# ssl_session_timeout 10m; -# ssl_ciphers HIGH:!aNULL:!MD5; -# ssl_prefer_server_ciphers on; -# -# # Load configuration files for the default server block. 
-# include /etc/nginx/default.d/*.conf; -# -# location / { -# } -# -# error_page 404 /404.html; -# location = /40x.html { -# } -# -# error_page 500 502 503 504 /50x.html; -# location = /50x.html { -# } -# } - -} diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone deleted file mode 100644 index de3a3a6c1..000000000 --- a/salt/nginx/etc/nginx.conf.so-standalone +++ /dev/null 
@@ -1,326 +0,0 @@ -{%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} -{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} -{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -# Load dynamic modules. See /usr/share/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - client_max_body_size 1024M; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; - - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; - - # Load configuration files for the default server block. 
- #include /etc/nginx/default.d/*.conf; - - # location / { - # } - - # error_page 404 /404.html; - # location = /40x.html { - # } - - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } - -{% if FLEET_MASTER %} - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } - - } -{% endif %} - -# Settings for a TLS enabled server. - - server { - listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index index.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - # Load configuration files for the default server block. 
- #include /etc/nginx/default.d/*.conf; - - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location / { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location ~ ^/auth/.*?(whoami|login|logout|settings) { - rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cyberchef/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /navigator/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto 
$scheme; - } - - location /packages/ { - try_files $uri =206; - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /grafana/ { - auth_request /auth/sessions/whoami; - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /kibana/ { - auth_request /auth/sessions/whoami; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - {%- if FLEET_NODE %} - location /fleet/ { - 
return 301 https://{{ FLEET_IP }}/fleet; - } - {%- else %} - location /fleet/ { - proxy_pass https://{{ masterip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - {%- endif %} - - location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /kibana/app/soc/ { - rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; - } - - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } - - location /kibana/app/soctopus/ { - rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; - } - - location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - 
proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - error_page 401 = @error401; - - location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; - return 302 /auth/self-service/browser/flows/login; - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } - -} diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 73f14a7ed..83b2803fe 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -24,7 +24,7 @@ nginxconf: - user: 939 - group: 939 - template: jinja - - source: salt://nginx/etc/nginx.conf.{{ grains.role }} + - source: salt://nginx/etc/nginx.conf nginxlogdir: file.directory: From 0c3e35c55eca1ab80cd73911e6b27271e7487498 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 8 Jul 2020 14:30:27 -0400 Subject: [PATCH 02/17] [fix] correct jinja template syntax --- salt/nginx/etc/nginx.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 4086970e6..0944ecbf8 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -59,7 +59,7 @@ http { } {%- endif %} - {&- if role in ['eval', 'mastersearch', 'master', 'standalone'] &} + {%- if role in ['eval', 'mastersearch', 'master', 'standalone'] %} server { listen 80 default_server; server_name _; @@ -214,7 +214,6 @@ http { return 301 https://{{ fleet_ip }}/fleet; } {%- else %} - location /fleet/ { proxy_pass https://{{ masterip }}:8080; proxy_read_timeout 90; From a0ffe26334e9af39a520c81649baca7bd8820c82 Mon Sep 17 00:00:00 2001 
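Review bot: With a single `nginx.conf` source, the role that gates the `server` blocks is now whatever the combined template derives from the minion id (`grains.id.split('_') | last` in the later hunks of this series) rather than the `grains.role` that used to pick a per-role file, so a minion whose id does not end in a recognised role renders a config in which every role-gated block is skipped, and `state.apply` reports success while nginx listens on nothing. The template or this state should reject unknown roles explicitly (a `{%- if role not in [...] %}` branch that fails the render with a message naming the role), or the SLS should pass `grains.role` in as template context so the two sources cannot diverge. Whether every minion id in this deployment carries the role suffix is not visible here — confirm against the setup scripts.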
From: William Wernert Date: Wed, 8 Jul 2020 15:56:36 -0400 Subject: [PATCH 03/17] [fix] Only one default_server is allowed per port --- salt/nginx/etc/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 0944ecbf8..6b17290de 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -73,7 +73,7 @@ http { } server { - listen 443 ssl http2 default_server; + listen 443 ssl http2; server_name {{ url_base }}; root /opt/socore/html; index index.html; From 533ed395e7aac7e4eaa9581c8b5a0c000d170d1f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 8 Jul 2020 15:59:31 -0400 Subject: [PATCH 04/17] [fix][WIP] Remove ssl and http2 from redirect server block --- salt/nginx/etc/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 6b17290de..0d58eeeb7 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -67,7 +67,7 @@ http { } server { - listen 443 ssl http2 default_server; + listen 443 default_server; server_name _; return 301 https://{{ url_base }}$request_uri; } From 49e5cb311e28654e987f36f3759bc25a7997a90c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 8 Jul 2020 16:05:48 -0400 Subject: [PATCH 05/17] [fix][WIP] set ssl cert for redirect 443 server block --- salt/nginx/etc/nginx.conf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 0d58eeeb7..f4502d950 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf 
@@ -67,9 +67,16 @@ http { } server { - listen 443 default_server; + listen 443 ssl http2 default_server; server_name _; return 301 https://{{ url_base }}$request_uri; + + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; } server { From 81006ebbd0c907f53d01c7db8e2cb53f914b9766 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 17:46:15 -0400 Subject: [PATCH 06/17] [fix] Reflect new manager syntax --- salt/nginx/etc/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index f4502d950..db0207805 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -59,7 +59,7 @@ http { } {%- endif %} - {%- if role in ['eval', 'mastersearch', 'master', 'standalone'] %} + {%- if role in ['eval', 'managersearch', 'manager', 'standalone'] %} server { listen 80 default_server; server_name _; From a5c790c31e0d91749259f4534b3115ddd7dbb50d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 17:50:53 -0400 Subject: [PATCH 07/17] [fix] managerr -> manager --- salt/nginx/etc/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 1b3a1e386..4c50fb6e3 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -2,7 +2,7 @@ {%- set role = grains.id.split('_') | last %} {%- set url_base = salt['pillar.get']('manager:url_base') %} -{%- set fleet_managerr = salt['pillar.get']('static:fleet_manager') %} +{%- set fleet_manager = salt['pillar.get']('static:fleet_manager') %} {%- set fleet_node = salt['pillar.get']('static:fleet_node') %} {%- set fleet_ip = salt['pillar.get']('static:fleet_ip', None) %} From d63358c8f0fccd58522ee22960c8c4192c22008b Mon Sep 17 00:00:00 2001 
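Review bot: The TLS settings added to the catch-all 443 block (`ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on;`) still set no `ssl_protocols`, so the accepted protocol versions fall back to the nginx build's default, which on older packages may include TLSv1.0/1.1. Add `ssl_protocols TLSv1.2 TLSv1.3;` next to the cipher line (drop TLSv1.3 if the OpenSSL on the target predates it). This is also the second verbatim copy of the `ssl_*` block in the same file; these directives are inherited from the `http` context, so hoisting one copy there would give every server block one policy to audit instead of one per copy.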
From: William Wernert Date: Tue, 20 Oct 2020 14:30:06 -0400 Subject: [PATCH 08/17] [fix] Correct pillar reference + nginx errors --- salt/nginx/etc/nginx.conf | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 84689c8fa..66b3ed3f2 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -1,6 +1,6 @@ {%- set managerip = salt['pillar.get']('manager:mainip', '') %} {%- set role = grains.id.split('_') | last %} -{%- set url_base = salt['pillar.get']('manager:url_base') %} +{%- set url_base = salt['pillar.get']('global:url_base') %} {%- set fleet_manager = salt['pillar.get']('global:fleet_manager') %} {%- set fleet_node = salt['pillar.get']('global:fleet_node') %} @@ -41,13 +41,13 @@ http { server { listen 80 default_server; server_name _; - return 301 https://$host$request_uri; + return 301 https://{{ url_base }}$request_uri; } {%- if airgap is sameas true %} server { listen 7788; - server_name _; + server_name {{ url_base }}; root /opt/socore/html/repo; location /rules/ { allow all; @@ -87,12 +87,6 @@ http { {%- endif %} {%- if role in ['eval', 'managersearch', 'manager', 'standalone'] %} - server { - listen 80 default_server; - server_name _; - return 301 https://{{ url_base }}$request_uri; - } - server { listen 443 ssl http2 default_server; server_name _; From 79c4f07ff7154c9fbbe8796df56590687ba31c0b Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 22 Oct 2020 10:43:24 -0400 Subject: [PATCH 09/17] [fix] Don't listen on port 80 on all installs --- salt/nginx/etc/nginx.conf | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 66b3ed3f2..f47fbfdf9 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf 
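Review bot: Changing `server_name _;` to `server_name {{ url_base }};` on the `listen 7788` block does not restrict who can fetch `/rules/`: it is the only server on that port, so nginx uses it as the implicit default and answers any Host header, and the surrounding `allow all;` and `autoindex on;` lines keep the listing open to anyone who can reach the port. If the intent was to bind the repo to the manager's name, add a second `listen 7788 default_server;` block with `return 444;` so non-matching Hosts are dropped; if the change was only cosmetic, say so in a comment, because the line reads like an access control. The switch from `https://$host$request_uri` to `https://{{ url_base }}$request_uri` in the port-80 redirect is the right direction, since it stops a client-supplied Host from steering the 301.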
@@ -37,13 +37,6 @@ http { include /etc/nginx/conf.d/*.conf; - - server { - listen 80 default_server; - server_name _; - return 301 https://{{ url_base }}$request_uri; - } - {%- if airgap is sameas true %} server { listen 7788; @@ -87,6 +80,12 @@ http { {%- endif %} {%- if role in ['eval', 'managersearch', 'manager', 'standalone'] %} + server { + listen 80 default_server; + server_name _; + return 301 https://{{ url_base }}$request_uri; + } + server { listen 443 ssl http2 default_server; server_name _; From 6a3e9219246b4d1e539ee3afa9557cd29a7bea46 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 22 Oct 2020 13:09:26 -0400 Subject: [PATCH 10/17] [fix] Fixes for fleet install --- salt/nginx/etc/nginx.conf | 89 +++++++++++++++++++++++++++++---------- 1 file changed, 66 insertions(+), 23 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index f47fbfdf9..6cb2d0691 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -1,5 +1,10 @@ -{%- set managerip = salt['pillar.get']('manager:mainip', '') %} {%- set role = grains.id.split('_') | last %} +{%- if role == 'fleet' %} + {% set MAININT = salt['pillar.get']('host:mainint') %} + {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} +{%- endif %} + +{%- set managerip = salt['pillar.get']('manager:mainip', '') %} {%- set url_base = salt['pillar.get']('global:url_base') %} {%- set fleet_manager = salt['pillar.get']('global:fleet_manager') %} @@ -37,25 +42,7 @@ http { include /etc/nginx/conf.d/*.conf; - {%- if airgap is sameas true %} - server { - listen 7788; - server_name {{ url_base }}; - root /opt/socore/html/repo; - location /rules/ { - allow all; - sendfile on; - sendfile_max_chunk 1m; - autoindex on; - autoindex_exact_size off; - autoindex_format html; - autoindex_localtime on; - } - } - {%- endif %} - - - {%- if fleet_manager %} + {%- if fleet_manager or role == 'fleet' %} server { listen 8090 ssl http2 default_server; server_name {{ url_base }}; 
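Review bot: `salt['grains.get']('ip_interfaces').get(MAININT)[0]` takes element 0 of the `ip_interfaces` grain, which lists IPv4 and IPv6 addresses of the interface in one list, so there is no guarantee that element is the IPv4 address; an IPv6 literal ends up unbracketed in `grpc_pass grpcs://{{ MAINIP }}:8080` and `nginx -t` fails, and an interface with no address raises IndexError inside the renderer with no hint which pillar value was wrong. Use the IPv4-only grain, `{% set MAINIP = salt['grains.get']('ip4_interfaces').get(MAININT)[0] %}`, and check the list is non-empty before indexing. A one-line comment on the `{%- if role == 'fleet' %}` guard stating that MAININT/MAINIP are only defined for the fleet role would save the next reader from using them elsewhere.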
@@ -70,16 +57,21 @@ http { ssl_prefer_server_ciphers on; location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { + {%- if role == 'fleet' %} + grpc_pass grpcs://{{ MAINIP }}:8080; + {%- else %} grpc_pass grpcs://{{ managerip }}:8080; + {%- endif %} grpc_set_header Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_buffering off; } - } {%- endif %} - {%- if role in ['eval', 'managersearch', 'manager', 'standalone'] %} + + {%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'fleet', 'import'] %} + server { listen 80 default_server; server_name _; @@ -99,6 +91,55 @@ http { ssl_prefer_server_ciphers on; } + {%- endif %} + + {%- if role == 'fleet' %} + server { + listen 443 ssl http2; + server_name {{ url_base }}; + root /opt/socore/html; + index index.html; + + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + + location /fleet/ { + proxy_pass https://{{ MAINIP }}:8080; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + error_page 500 502 503 504 /50x.html; + location = /usr/share/nginx/html/50x.html { + } + } + {%- elif role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %} + + {%- if airgap is sameas true %} + server { + listen 7788; + server_name {{ url_base }}; + root /opt/socore/html/repo; + location /rules/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } + } + {%- endif %} + server { listen 443 ssl http2; server_name {{ url_base }}; 
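Review bot: In the new fleet-role 443 block, `location = /usr/share/nginx/html/50x.html { }` can never serve the page that `error_page 500 502 503 504 /50x.html;` points at: the location matches the request URI `/usr/share/nginx/html/50x.html`, while the error page is looked up as `/50x.html` under `root /opt/socore/html`, so an upstream failure on `/fleet/` yields a 404 instead of the error page. The working form is `location = /50x.html { root /usr/share/nginx/html; }`; the same copy-pasted pair appears in the other server blocks as context here, so it is worth fixing file-wide. The `/fleet/` proxy also goes to `https://{{ MAINIP }}:8080` with nginx's default `proxy_ssl_verify off`, which matches the existing non-fleet `/fleet/` location but means the hop to Fleet is encrypted without being authenticated; a comment stating that this is accepted because the target is host-local would help the next reader.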
@@ -249,10 +290,11 @@ http { } {%- if fleet_node %} + location /fleet/ { return 301 https://{{ fleet_ip }}/fleet; } - + {%- else %} location /fleet/ { @@ -265,6 +307,7 @@ http { proxy_set_header Proxy ""; proxy_set_header X-Forwarded-Proto $scheme; } + {%- endif %} location /thehive/ { From 6a08086dfa051388c3090ee54a4d0af2df92ceca Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 22 Oct 2020 14:10:06 -0400 Subject: [PATCH 11/17] [refactor] Make variable names consistent --- salt/nginx/etc/nginx.conf | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 6cb2d0691..dcc89f13d 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -1,10 +1,10 @@ {%- set role = grains.id.split('_') | last %} {%- if role == 'fleet' %} - {% set MAININT = salt['pillar.get']('host:mainint') %} - {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} + {% set main_int = salt['pillar.get']('host:main_int') %} + {% set main_ip = salt['grains.get']('ip_interfaces').get(main_int)[0] %} {%- endif %} -{%- set managerip = salt['pillar.get']('manager:mainip', '') %} +{%- set manager_ip = salt['pillar.get']('manager:main_ip', '') %} {%- set url_base = salt['pillar.get']('global:url_base') %} {%- set fleet_manager = salt['pillar.get']('global:fleet_manager') %} @@ -58,9 +58,9 @@ http { location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { {%- if role == 'fleet' %} - grpc_pass grpcs://{{ MAINIP }}:8080; + grpc_pass grpcs://{{ main_ip }}:8080; {%- else %} - grpc_pass grpcs://{{ managerip }}:8080; + grpc_pass grpcs://{{ manager_ip }}:8080; {%- endif %} grpc_set_header Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
@@ -108,7 +108,7 @@ http { ssl_prefer_server_ciphers on; location /fleet/ { - proxy_pass https://{{ MAINIP }}:8080; + proxy_pass https://{{ main_ip }}:8080; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -155,7 +155,7 @@ http { location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ managerip }}:9822; + proxy_pass http://{{ manager_ip }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -169,7 +169,7 @@ http { location / { auth_request /auth/sessions/whoami; - proxy_pass http://{{ managerip }}:9822/; + proxy_pass http://{{ manager_ip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -183,7 +183,7 @@ http { location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ managerip }}:4433; + proxy_pass http://{{ manager_ip }}:4433; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -242,7 +242,7 @@ http { location /grafana/ { auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ managerip }}:3000/; + proxy_pass http://{{ manager_ip }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -255,7 +255,7 @@ http { location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ managerip }}:5601/; + proxy_pass http://{{ manager_ip }}:5601/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -266,7 +266,7 @@ http { } location /nodered/ { - proxy_pass http://{{ managerip }}:1880/; + proxy_pass http://{{ manager_ip }}:1880/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
@@ -279,7 +279,7 @@ http { } location /playbook/ { - proxy_pass http://{{ managerip }}:3200/playbook/; + proxy_pass http://{{ manager_ip }}:3200/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -298,7 +298,7 @@ http { {%- else %} location /fleet/ { - proxy_pass https://{{ managerip }}:8080; + proxy_pass https://{{ manager_ip }}:8080; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -311,7 +311,7 @@ http { {%- endif %} location /thehive/ { - proxy_pass http://{{ managerip }}:9000/thehive/; + proxy_pass http://{{ manager_ip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -323,7 +323,7 @@ http { } location /cortex/ { - proxy_pass http://{{ managerip }}:9001/cortex/; + proxy_pass http://{{ manager_ip }}:9001/cortex/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -335,7 +335,7 @@ http { } location /soctopus/ { - proxy_pass http://{{ managerip }}:7000/; + proxy_pass http://{{ manager_ip }}:7000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -361,7 +361,7 @@ http { if ($http_authorization = "") { return 403; } - proxy_pass http://{{ managerip }}:9822/; + proxy_pass http://{{ manager_ip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; From 73b83584e6142056930dd53eba9764434b272b55 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 23 Oct 2020 14:32:43 -0400 Subject: [PATCH 12/17] [fix] Remove bad '_' character --- salt/nginx/etc/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index dcc89f13d..dd599abf9 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf 
@@ -1,6 +1,6 @@ {%- set role = grains.id.split('_') | last %} {%- if role == 'fleet' %} - {% set main_int = salt['pillar.get']('host:main_int') %} + {% set main_int = salt['pillar.get']('host:mainint') %} {% set main_ip = salt['grains.get']('ip_interfaces').get(main_int)[0] %} {%- endif %} From fdb7cb90e3222f6cffa453759e67fa577a218851 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 23 Oct 2020 15:36:01 -0400 Subject: [PATCH 13/17] [wip] Test alt variable usage --- salt/nginx/etc/nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index dd599abf9..05e935caa 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -1,7 +1,7 @@ {%- set role = grains.id.split('_') | last %} {%- if role == 'fleet' %} - {% set main_int = salt['pillar.get']('host:mainint') %} - {% set main_ip = salt['grains.get']('ip_interfaces').get(main_int)[0] %} + {% set mainint = salt['pillar.get']('host:mainint') %} + {% set main_ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} {%- endif %} {%- set manager_ip = salt['pillar.get']('manager:main_ip', '') %} From 46628370752da12650d87b5098eec6c3b44348a9 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 26 Oct 2020 10:25:16 -0400 Subject: [PATCH 14/17] [fix] Revert changes from merging dev --- salt/nginx/etc/nginx.conf | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 05e935caa..7774f9f8d 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -4,7 +4,6 @@ {% set main_ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} {%- endif %} -{%- set manager_ip = salt['pillar.get']('manager:main_ip', '') %} {%- set url_base = salt['pillar.get']('global:url_base') %} {%- set fleet_manager = salt['pillar.get']('global:fleet_manager') %} 
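Review bot: `salt['grains.get']('ip_interfaces:' ~ mainint)[0]` returns the string `''` when the interface key is absent (the default of `grains.get`), so a wrong or empty `host:mainint` pillar fails with `IndexError: string index out of range` from inside the Jinja renderer rather than a message naming the interface. Look the list up first and check it, e.g. `{% set main_ips = salt['grains.get']('ip4_interfaces:' ~ mainint, []) %}` followed by an `{%- if not main_ips %}` branch that stops the render, then `{% set main_ip = main_ips[0] %}`; `ip4_interfaces` also avoids picking an IPv6 address out of the mixed `ip_interfaces` list. Whether this Salt version exposes a Jinja `raise` helper for that branch is not visible here.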
@@ -60,7 +59,7 @@ http { {%- if role == 'fleet' %} grpc_pass grpcs://{{ main_ip }}:8080; {%- else %} - grpc_pass grpcs://{{ manager_ip }}:8080; + grpc_pass grpcs://{{ url_base }}:8080; {%- endif %} grpc_set_header Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -155,7 +154,7 @@ http { location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ manager_ip }}:9822; + proxy_pass http://{{ url_base }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -169,7 +168,7 @@ http { location / { auth_request /auth/sessions/whoami; - proxy_pass http://{{ manager_ip }}:9822/; + proxy_pass http://{{ url_base }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -183,7 +182,7 @@ http { location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ manager_ip }}:4433; + proxy_pass http://{{ url_base }}:4433; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -242,7 +241,7 @@ http { location /grafana/ { auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ manager_ip }}:3000/; + proxy_pass http://{{ url_base }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -255,7 +254,7 @@ http { location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ manager_ip }}:5601/; + proxy_pass http://{{ url_base }}:5601/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -266,7 +265,7 @@ http { } location /nodered/ { - proxy_pass http://{{ manager_ip }}:1880/; + proxy_pass http://{{ url_base }}:1880/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
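Review bot: Switching the `grpc_pass`/`proxy_pass` upstreams to `{{ url_base }}` makes every backend hop depend on the manager resolving its own externally-facing name: for a static `proxy_pass` nginx resolves the name once at startup, so if `global:url_base` only exists in external DNS (no local hosts entry) nginx fails to start rather than degrade. It also moves the session check `auth_request /auth/sessions/whoami` and the `/auth/` hop to port 4433 onto plain HTTP towards whatever that name resolves to, which may be a VIP or load balancer instead of this host, whereas the manager IP kept the auth traffic on-box. The redirect target and the upstream address are different concerns; I would keep the upstreams on the manager IP or loopback, e.g. `proxy_pass http://127.0.0.1:4433;`, and use `url_base` only in the redirect, assuming the backends listen there (confirm). If the name must be used, add `grpc_ssl_verify on;` / `proxy_ssl_verify on;` with `proxy_ssl_name {{ url_base }};` on the TLS hops so a spoofed DNS answer cannot divert them. The enclosing `server` block starts before this hunk.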
@@ -279,7 +278,7 @@ http { } location /playbook/ { - proxy_pass http://{{ manager_ip }}:3200/playbook/; + proxy_pass http://{{ url_base }}:3200/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -298,7 +297,7 @@ http { {%- else %} location /fleet/ { - proxy_pass https://{{ manager_ip }}:8080; + proxy_pass https://{{ url_base }}:8080; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -311,7 +310,7 @@ http { {%- endif %} location /thehive/ { - proxy_pass http://{{ manager_ip }}:9000/thehive/; + proxy_pass http://{{ url_base }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -323,7 +322,7 @@ http { } location /cortex/ { - proxy_pass http://{{ manager_ip }}:9001/cortex/; + proxy_pass http://{{ url_base }}:9001/cortex/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -335,7 +334,7 @@ http { } location /soctopus/ { - proxy_pass http://{{ manager_ip }}:7000/; + proxy_pass http://{{ url_base }}:7000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -361,7 +360,7 @@ http { if ($http_authorization = "") { return 403; } - proxy_pass http://{{ manager_ip }}:9822/; + proxy_pass http://{{ url_base }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; From 3648e293a18e71d0390df87a98cc4a8e8d0f900f Mon Sep 17 00:00:00 2001 
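Review bot: `proxy_pass https://{{ url_base }}:8080;` in the `/fleet/` location now speaks TLS to an upstream addressed by its public name, but nothing in the block enables certificate checking and nginx's `proxy_ssl_verify` defaults to off, so a wrong DNS answer for `url_base` silently sends Fleet traffic, with the forwarded cookies and headers, elsewhere. Since that name is presumably what the Fleet certificate is issued for, verification becomes practical here: `proxy_ssl_verify on; proxy_ssl_name {{ url_base }}; proxy_ssl_trusted_certificate /path/to/ca.crt;` — confirm the CA path the other states use. The last hunk's `if ($http_authorization = "") { return 403; }` only tests that a header is present; it is worth a comment stating that the 9822 backend is the one validating the token, since the proxy does not.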
From: William Wernert Date: Mon, 26 Oct 2020 14:08:52 -0400 Subject: [PATCH 15/17] [fix] Add -L option to curl to respect redirects --- salt/common/tools/sbin/so-cortex-user-add | 2 +- salt/common/tools/sbin/so-cortex-user-enable | 2 +- salt/common/tools/sbin/so-elastic-clear | 12 ++++++------ salt/common/tools/sbin/so-elasticsearch-indices-rw | 2 +- .../tools/sbin/so-elasticsearch-pipeline-stats | 8 ++++---- .../tools/sbin/so-elasticsearch-pipelines-list | 8 ++++---- .../tools/sbin/so-elasticsearch-templates-list | 8 ++++---- .../tools/sbin/so-elasticsearch-templates-load | 8 ++++---- salt/common/tools/sbin/so-fleet-user-add | 2 +- salt/common/tools/sbin/so-index-list | 4 ++-- salt/common/tools/sbin/so-kibana-config-export | 2 +- salt/common/tools/sbin/so-thehive-user-add | 2 +- salt/common/tools/sbin/so-thehive-user-enable | 2 +- salt/common/tools/sbin/so-user | 14 +++++++------- .../files/bin/so-curator-closed-delete-delete | 12 ++++++------ .../elasticsearch/files/so-elasticsearch-pipelines | 8 ++++---- salt/kibana/bin/keepkibanahappy.sh | 8 ++++---- salt/nodered/files/nodered_load_flows | 4 ++-- salt/thehive/scripts/cortex_init | 14 +++++++------- salt/thehive/scripts/hive_init | 6 +++--- salt/utility/bin/crossthestreams | 6 +++--- salt/utility/bin/eval | 4 ++-- salt/wazuh/files/agent/wazuh-register-agent | 8 ++++---- 23 files changed, 73 insertions(+), 73 deletions(-) diff --git a/salt/common/tools/sbin/so-cortex-user-add b/salt/common/tools/sbin/so-cortex-user-add index 728ad25f1..5785a7f22 100755 --- a/salt/common/tools/sbin/so-cortex-user-add +++ b/salt/common/tools/sbin/so-cortex-user-add 
@@ -43,7 +43,7 @@ fi read -rs CORTEX_PASS # Create new user in Cortex -resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/user" -d "{\"name\": \"$CORTEX_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_USER\",\"password\" : \"$CORTEX_PASS\" }") +resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/user" -d "{\"name\": \"$CORTEX_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_USER\",\"password\" : \"$CORTEX_PASS\" }") if [[ "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully added user to Cortex." else diff --git a/salt/common/tools/sbin/so-cortex-user-enable b/salt/common/tools/sbin/so-cortex-user-enable index cbfdceb25..5fded5c33 100755 --- a/salt/common/tools/sbin/so-cortex-user-enable +++ b/salt/common/tools/sbin/so-cortex-user-enable @@ -46,7 +46,7 @@ case "${2^^}" in ;; esac -resp=$(curl -sk -XPATCH -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/user/${CORTEX_USER}" -d "{\"status\":\"${CORTEX_STATUS}\" }") +resp=$(curl -sk -XPATCH -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/user/${CORTEX_USER}" -d "{\"status\":\"${CORTEX_STATUS}\" }") if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully updated user in Cortex." else diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index 432e61c2b..941cc4538 100755 --- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear 
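Review bot: Adding `-L` to a request that carries `-H "Authorization: Bearer $CORTEX_KEY"`, the new user's password in the `-d` body and `-k` means whichever host a 30x answer names receives the bearer key with no certificate check, because curl re-sends headers given with `-H` to redirect targets, including other hosts. On a 301/302/303 curl by default also turns the POST into a body-less GET (the forced `-XPOST` keeps the verb, but whether the body is re-sent is worth checking with `-v`), so the user is not created and the only symptom is the `\"status\":\"Ok\"` match failing. Since the redirect being chased here is presumably the new `url_base` redirect from nginx, the safer fix is to address the API by `url_base` in the first place and leave `-L` off; if following must stay, add `--post301 --post302 --post303 --max-redirs 1`. The same applies to the `-XPATCH` call in so-cortex-user-enable below.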
@@ -51,9 +51,9 @@ if [ $SKIP -ne 1 ]; then # List indices echo {% if grains['role'] in ['so-node','so-heavynode'] %} - curl -k https://{{ NODEIP }}:9200/_cat/indices?v + curl -k -L https://{{ NODEIP }}:9200/_cat/indices?v {% else %} - curl {{ NODEIP }}:9200/_cat/indices?v + curl -L {{ NODEIP }}:9200/_cat/indices?v {% endif %} echo # Inform user we are about to delete all data @@ -94,16 +94,16 @@ fi echo "Deleting data..." {% if grains['role'] in ['so-node','so-heavynode'] %} -INDXS=$(curl -s -XGET -k https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') +INDXS=$(curl -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') {% else %} -INDXS=$(curl -s -XGET {{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') +INDXS=$(curl -s -XGET -L {{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') {% endif %} for INDX in ${INDXS} do {% if grains['role'] in ['so-node','so-heavynode'] %} - curl -XDELETE -k https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 + curl -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 {% else %} - curl -XDELETE "{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 + curl -XDELETE -L "{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 {% endif %} done diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-rw b/salt/common/tools/sbin/so-elasticsearch-indices-rw index 6e9eebe47..dc9aee9d8 100755 --- a/salt/common/tools/sbin/so-elasticsearch-indices-rw +++ b/salt/common/tools/sbin/so-elasticsearch-indices-rw 
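Review bot: The `-L` on `curl -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}"` is the one I would leave out: Elasticsearch on 9200 does not issue redirects, so the flag gains nothing, while it makes an automated, certificate-unchecked DELETE follow any 30x to whatever host is named, which is the opposite of what a destructive loop should do. The index listing above it has the same property. If a redirect is genuinely expected for some node types, name the intended target directly rather than following. Unrelated but visible: `echo` calls around the listing are unchanged and the `egrep` index filter still matches any index containing `so-`.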
@@ -22,5 +22,5 @@ THEHIVEESPORT=9400 echo "Removing read only attributes for indices..." echo for p in $ESPORT $THEHIVEESPORT; do - curl -XPUT -H "Content-Type: application/json" http://$IP:$p/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; + curl -XPUT -H "Content-Type: application/json" -L http://$IP:$p/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; done diff --git a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats index e1a0bfd3d..a4bc2e220 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats +++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats @@ -20,14 +20,14 @@ if [ "$1" == "" ]; then {% if grains['role'] in ['so-node','so-heavynode'] %} - curl -s -k https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines" + curl -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines" {% else %} - curl -s {{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines" + curl -s -L {{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines" {% endif %} else {% if grains['role'] in ['so-node','so-heavynode'] %} - curl -s -k https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\"" + curl -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\"" {% else %} - curl -s {{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\"" + curl -s -L {{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\"" {% endif %} fi 
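Review bot: The failure message in the new line reads `There was any issue updating the read-only attribute` and should be `There was an issue updating the read-only attribute`. Also `2>&1 | grep -q ack` folds curl's own connection errors into the grep input, so an unreachable Elasticsearch is reported with the same generic text; `curl -sS ... 2>&1` keeps the curl error readable, or check curl's exit status before grepping. `$IP` and `$p` are unquoted in the URL; quoting them is cheap.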
diff --git a/salt/common/tools/sbin/so-elasticsearch-pipelines-list b/salt/common/tools/sbin/so-elasticsearch-pipelines-list index 58dbf9c9b..d1dda8dee 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipelines-list +++ b/salt/common/tools/sbin/so-elasticsearch-pipelines-list @@ -18,14 +18,14 @@ . /usr/sbin/so-common if [ "$1" == "" ]; then {% if grains['role'] in ['so-node','so-heavynode'] %} - curl -s -k https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' + curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' {% else %} - curl -s {{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' + curl -s -L {{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' {% endif %} else {% if grains['role'] in ['so-node','so-heavynode'] %} - curl -s -k https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq + curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq {% else %} - curl -s {{ NODEIP }}:9200/_ingest/pipeline/$1 | jq + curl -s -L {{ NODEIP }}:9200/_ingest/pipeline/$1 | jq {% endif %} fi diff --git a/salt/common/tools/sbin/so-elasticsearch-templates-list b/salt/common/tools/sbin/so-elasticsearch-templates-list index 85ef27760..a5850534e 100755 --- a/salt/common/tools/sbin/so-elasticsearch-templates-list +++ b/salt/common/tools/sbin/so-elasticsearch-templates-list @@ -18,14 +18,14 @@ . /usr/sbin/so-common if [ "$1" == "" ]; then {% if grains['role'] in ['so-node','so-heavynode'] %} - curl -s -k https://{{ NODEIP }}:9200/_template/* | jq 'keys' + curl -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys' {% else %} - curl -s {{ NODEIP }}:9200/_template/* | jq 'keys' + curl -s -L {{ NODEIP }}:9200/_template/* | jq 'keys' {% endif %} else {% if grains['role'] in ['so-node','so-heavynode'] %} - curl -s -k https://{{ NODEIP }}:9200/_template/$1 | jq + curl -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq {% else %} - curl -s {{ NODEIP }}:9200/_template/$1 | jq + curl -s -L {{ NODEIP }}:9200/_template/$1 | jq {% endif %} fi 
diff --git a/salt/common/tools/sbin/so-elasticsearch-templates-load b/salt/common/tools/sbin/so-elasticsearch-templates-load index 48558af34..76558e17a 100755 --- a/salt/common/tools/sbin/so-elasticsearch-templates-load +++ b/salt/common/tools/sbin/so-elasticsearch-templates-load @@ -31,9 +31,9 @@ COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 240 ]]; do {% if grains['role'] in ['so-node','so-heavynode'] %} - curl -k --output /dev/null --silent --head --fail https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" {% else %} - curl --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + curl --output /dev/null --silent --head --fail -L http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" {% endif %} if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" 
@@ -56,9 +56,9 @@ cd ${ELASTICSEARCH_TEMPLATES} echo "Loading templates..." {% if grains['role'] in ['so-node','so-heavynode'] %} -for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl -k ${ELASTICSEARCH_AUTH} -s -XPUT https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done +for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done {% else %} -for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl ${ELASTICSEARCH_AUTH} -s -XPUT http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done +for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl ${ELASTICSEARCH_AUTH} -s -XPUT -L http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done {% endif %} echo diff --git a/salt/common/tools/sbin/so-fleet-user-add b/salt/common/tools/sbin/so-fleet-user-add index 5e2e91fe6..4230a1884 100755 --- a/salt/common/tools/sbin/so-fleet-user-add +++ b/salt/common/tools/sbin/so-fleet-user-add @@ -59,6 +59,6 @@ if [[ $? -eq 0 ]]; then echo "Successfully added user to Fleet" else echo "Unable to add user to Fleet; user might already exist" - echo $resp + echo "$MYSQL_OUTPUT" exit 2 fi \ No newline at end of file diff --git a/salt/common/tools/sbin/so-index-list b/salt/common/tools/sbin/so-index-list index f349cb0d4..0352e7e3e 100755 --- a/salt/common/tools/sbin/so-index-list +++ b/salt/common/tools/sbin/so-index-list 
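Review bot: `echo "$MYSQL_OUTPUT"` on the failure path in so-fleet-user-add prints whatever the out-of-view MySQL invocation captured; if that output echoes the failed statement, it may include the password or hash being inserted, so confirm what it contains before printing it verbatim and prefer printing only the error line. Replacing the undefined `$resp` is right; the variable's definition and the user-creation call are above the hunk. The file also has no trailing newline.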
@@ -16,7 +16,7 @@ # along with this program. If not, see . {% if grains['role'] in ['so-node','so-heavynode'] %} -curl -X GET -k https://localhost:9200/_cat/indices?v +curl -X GET -k -L https://localhost:9200/_cat/indices?v {% else %} -curl -X GET localhost:9200/_cat/indices?v +curl -X GET -L localhost:9200/_cat/indices?v {% endif %} diff --git a/salt/common/tools/sbin/so-kibana-config-export b/salt/common/tools/sbin/so-kibana-config-export index 7f578a3ba..6dd82a10a 100755 --- a/salt/common/tools/sbin/so-kibana-config-export +++ b/salt/common/tools/sbin/so-kibana-config-export @@ -23,7 +23,7 @@ KIBANA_HOST={{ MANAGER }} KSO_PORT=5601 OUTFILE="saved_objects.ndjson" -curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE +curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE # Clean up using PLACEHOLDER sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE diff --git a/salt/common/tools/sbin/so-thehive-user-add b/salt/common/tools/sbin/so-thehive-user-add index 6ddca526c..2fb9e6d4b 100755 --- a/salt/common/tools/sbin/so-thehive-user-add +++ b/salt/common/tools/sbin/so-thehive-user-add 
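Review bot: In so-kibana-config-export, `curl -s ... -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{...}' > $OUTFILE` writes whatever comes back straight into `saved_objects.ndjson`; if the request is redirected, the body is the redirect target's response (and on 301/302/303 curl turns the POST into a GET without the JSON), so the file would silently hold an error page instead of the export and the `sed` would still run over it. Add `--fail` and check the exit status before continuing, e.g. `curl -sSf ... > "$OUTFILE" || { echo "export failed"; exit 1; }`. `$KIBANA_HOST` and `$OUTFILE` are unquoted.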
@@ -47,7 +47,7 @@ if ! check_password "$THEHIVE_PASS"; then fi # Create new user in TheHive -resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" "https://$THEHIVE_IP/thehive/api/user" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASS\"}") +resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -L "https://$THEHIVE_IP/thehive/api/user" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASS\"}") if [[ "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully added user to TheHive" else diff --git a/salt/common/tools/sbin/so-thehive-user-enable b/salt/common/tools/sbin/so-thehive-user-enable index 94430b889..714643a83 100755 --- a/salt/common/tools/sbin/so-thehive-user-enable +++ b/salt/common/tools/sbin/so-thehive-user-enable @@ -46,7 +46,7 @@ case "${2^^}" in ;; esac -resp=$(curl -sk -XPATCH -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" "https://$THEHIVE_IP/thehive/api/user/${THEHIVE_USER}" -d "{\"status\":\"${THEHIVE_STATUS}\" }") +resp=$(curl -sk -XPATCH -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -L "https://$THEHIVE_IP/thehive/api/user/${THEHIVE_USER}" -d "{\"status\":\"${THEHIVE_STATUS}\" }") if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully updated user in TheHive" else diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 02046a3e5..42bcf65f5 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user 
@@ -56,14 +56,14 @@ function verifyEnvironment() { require "openssl" require "sqlite3" [[ ! -f $databasePath ]] && fail "Unable to find database file; specify path via KRATOS_DB_PATH environment variable" - response=$(curl -Ss ${kratosUrl}/) + response=$(curl -Ss -L ${kratosUrl}/) [[ "$response" != "404 page not found" ]] && fail "Unable to communicate with Kratos; specify URL via KRATOS_URL environment variable" } function findIdByEmail() { email=$1 - response=$(curl -Ss ${kratosUrl}/identities) + response=$(curl -Ss -L ${kratosUrl}/identities) identityId=$(echo "${response}" | jq ".[] | select(.verifiable_addresses[0].value == \"$email\") | .id") echo $identityId } @@ -113,7 +113,7 @@ function updatePassword() { } function listUsers() { - response=$(curl -Ss ${kratosUrl}/identities) + response=$(curl -Ss -L ${kratosUrl}/identities) [[ $? != 0 ]] && fail "Unable to communicate with Kratos" echo "${response}" | jq -r ".[] | .verifiable_addresses[0].value" | sort @@ -131,7 +131,7 @@ function createUser() { EOF ) - response=$(curl -Ss ${kratosUrl}/identities -d "$addUserJson") + response=$(curl -Ss -L ${kratosUrl}/identities -d "$addUserJson") [[ $? != 0 ]] && fail "Unable to communicate with Kratos" identityId=$(echo "${response}" | jq ".id") @@ -153,7 +153,7 @@ function updateStatus() { identityId=$(findIdByEmail "$email") [[ ${identityId} == "" ]] && fail "User not found" - response=$(curl -Ss "${kratosUrl}/identities/$identityId") + response=$(curl -Ss -L "${kratosUrl}/identities/$identityId") [[ $? != 0 ]] && fail "Unable to communicate with Kratos" oldConfig=$(echo "select config from identity_credentials where identity_id=${identityId};" | sqlite3 "$databasePath") 
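Review bot: In `createUser`, `response=$(curl -Ss -L ${kratosUrl}/identities -d "$addUserJson")` is a POST; if the admin API ever answers with a 301/302/303, curl follows with a body-less GET, the response is the identity list rather than the created identity, and `jq ".id"` yields nothing while the `[[ $? != 0 ]]` check stays green because curl exited 0. Either drop `-L` for the Kratos admin calls, since an admin API on a fixed port should not redirect, or add `--fail --post301 --post302 --post303`. The `verifyEnvironment` test comparing the body to `404 page not found` will likewise pass on any redirect target that returns 200. `${kratosUrl}` is unquoted throughout; quote it.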
@@ -171,7 +171,7 @@ function updateStatus() { fi updatedJson=$(echo "$response" | jq ".traits.status = \"$status\" | del(.verifiable_addresses) | del(.id) | del(.schema_url)") - response=$(curl -Ss -XPUT ${kratosUrl}/identities/$identityId -d "$updatedJson") + response=$(curl -Ss -XPUT -L ${kratosUrl}/identities/$identityId -d "$updatedJson") [[ $? != 0 ]] && fail "Unable to mark user as locked" } @@ -191,7 +191,7 @@ function deleteUser() { identityId=$(findIdByEmail "$email") [[ ${identityId} == "" ]] && fail "User not found" - response=$(curl -Ss -XDELETE "${kratosUrl}/identities/$identityId") + response=$(curl -Ss -XDELETE -L "${kratosUrl}/identities/$identityId") [[ $? != 0 ]] && fail "Unable to communicate with Kratos" } diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index 8909512db..b7ddac731 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete @@ -37,9 +37,9 @@ LOG="/opt/so/log/curator/so-curator-closed-delete.log" # If both conditions are true, keep on looping until one of the conditions is false. while [[ $(du -hs --block-size=1GB /nsm/elasticsearch/nodes | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]] && {% if grains['role'] in ['so-node','so-heavynode'] %} -curl -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E " close (logstash-|so-)" > /dev/null; do +curl -s -k -L https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E " close (logstash-|so-)" > /dev/null; do {% else %} -curl -s {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E " close (logstash-|so-)" > /dev/null; do +curl -s -L {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E " close (logstash-|so-)" > /dev/null; do {% endif %} # We need to determine OLDEST_INDEX. 
@@ -48,16 +48,16 @@ curl -s {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E " c # Then, sort by date by telling sort to use hyphen as delimiter and then sort on the third field. # Finally, select the first entry in that sorted list. {% if grains['role'] in ['so-node','so-heavynode'] %} - OLDEST_INDEX=$(curl -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E " close (logstash-|so-)" | awk '{print $2}' | sort -t- -k3 | head -1) + OLDEST_INDEX=$(curl -s -k -L https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E " close (logstash-|so-)" | awk '{print $2}' | sort -t- -k3 | head -1) {% else %} - OLDEST_INDEX=$(curl -s {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E " close (logstash-|so-)" | awk '{print $2}' | sort -t- -k3 | head -1) + OLDEST_INDEX=$(curl -s -L {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E " close (logstash-|so-)" | awk '{print $2}' | sort -t- -k3 | head -1) {% endif %} # Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it. {% if grains['role'] in ['so-node','so-heavynode'] %} - curl -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} + curl -XDELETE -k -L https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} {% else %} - curl -XDELETE {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} + curl -XDELETE -L {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} {% endif %} # Finally, write a log entry that says we deleted it. diff --git a/salt/elasticsearch/files/so-elasticsearch-pipelines b/salt/elasticsearch/files/so-elasticsearch-pipelines index eed62da24..dce6a081b 100755 --- a/salt/elasticsearch/files/so-elasticsearch-pipelines +++ b/salt/elasticsearch/files/so-elasticsearch-pipelines 
@@ -28,9 +28,9 @@ COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 240 ]]; do {% if grains['role'] in ['so-node','so-heavynode'] %} - curl ${ELASTICSEARCH_AUTH} -k --output /dev/null --silent --head --fail https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + curl ${ELASTICSEARCH_AUTH} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" {% else %} - curl ${ELASTICSEARCH_AUTH} --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + curl ${ELASTICSEARCH_AUTH} --output /dev/null --silent --head --fail -L http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" {% endif %} if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" 
@@ -52,9 +52,9 @@ cd ${ELASTICSEARCH_INGEST_PIPELINES} echo "Loading pipelines..." {% if grains['role'] in ['so-node','so-heavynode'] %} -for i in *; do echo $i; RESPONSE=$(curl ${ELASTICSEARCH_AUTH} -k -XPUT https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done +for i in *; do echo $i; RESPONSE=$(curl ${ELASTICSEARCH_AUTH} -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done {% else %} -for i in *; do echo $i; RESPONSE=$(curl ${ELASTICSEARCH_AUTH} -XPUT http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done +for i in *; do echo $i; RESPONSE=$(curl ${ELASTICSEARCH_AUTH} -XPUT -L http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done {% endif %} echo diff --git a/salt/kibana/bin/keepkibanahappy.sh b/salt/kibana/bin/keepkibanahappy.sh index e8534ec12..541a666bd 100644 --- a/salt/kibana/bin/keepkibanahappy.sh +++ b/salt/kibana/bin/keepkibanahappy.sh @@ -4,7 +4,7 @@ echo -n "Waiting for ElasticSearch..." COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 30 ]]; do - curl --output /dev/null --silent --head --fail http://{{ ES }}:9200 + curl --output /dev/null --silent --head --fail -L http://{{ ES }}:9200 if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" echo "connected!" 
@@ -28,7 +28,7 @@ MAX_WAIT=240 # Check to see if Kibana is available wait_step=0 - until curl -s -XGET http://{{ ES }}:5601 > /dev/null ; do + until curl -s -XGET -L http://{{ ES }}:5601 > /dev/null ; do wait_step=$(( ${wait_step} + 1 )) echo "Waiting on Kibana...Attempt #$wait_step" if [ ${wait_step} -gt ${MAX_WAIT} ]; then @@ -42,12 +42,12 @@ wait_step=0 # Apply Kibana template echo echo "Applying Kibana template..." - curl -s -XPUT http://{{ ES }}:9200/_template/kibana \ + curl -s -XPUT -L http://{{ ES }}:9200/_template/kibana \ -H 'Content-Type: application/json' \ -d'{"index_patterns" : ".kibana", "settings": { "number_of_shards" : 1, "number_of_replicas" : 0 }, "mappings" : { "search": {"properties": {"hits": {"type": "integer"}, "version": {"type": "integer"}}}}}' echo - curl -s -XPUT "{{ ES }}:9200/.kibana/_settings" \ + curl -s -XPUT -L "{{ ES }}:9200/.kibana/_settings" \ -H 'Content-Type: application/json' \ -d'{"index" : {"number_of_replicas" : 0}}' echo diff --git a/salt/nodered/files/nodered_load_flows b/salt/nodered/files/nodered_load_flows index 78bab818a..3d6ed2a8c 100644 --- a/salt/nodered/files/nodered_load_flows +++ b/salt/nodered/files/nodered_load_flows @@ -3,10 +3,10 @@ default_salt_dir=/opt/so/saltstack/default echo "Waiting for connection" -until $(curl --output /dev/null --silent --head http://{{ ip }}:1880); do +until $(curl --output /dev/null --silent --head -L http://{{ ip }}:1880); do echo '.' sleep 1 done echo "Loading flows..." -curl -XPOST -v -H "Content-Type: application/json" -d @$default_salt_dir/salt/nodered/so_flows.json {{ ip }}:1880/flows +curl -XPOST -v -H "Content-Type: application/json" -d @$default_salt_dir/salt/nodered/so_flows.json -L {{ ip }}:1880/flows echo "Done loading..." diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init index 6f5d890ae..d358b8dd4 100644 --- a/salt/thehive/scripts/cortex_init +++ b/salt/thehive/scripts/cortex_init 
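Review bot: In nodered_load_flows, `until $(curl --output /dev/null --silent --head -L http://{{ ip }}:1880); do` only works because bash uses the exit status of the command substitution when the expansion is empty; write it as `until curl --output /dev/null --silent --head -L http://{{ ip }}:1880; do`. Without `--fail` a 4xx/5xx also ends the wait, so add it if the intent is "Node-RED is serving". The flows POST uses `-v`, which writes request headers to stderr; nothing sensitive is sent here, but `-sS` gives the same failure visibility with less noise.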
@@ -29,25 +29,25 @@ cortex_init(){ # Migrate DB - curl -v -k -XPOST "https://$CORTEX_IP:/cortex/api/maintenance/migrate" + curl -v -k -XPOST -L "https://$CORTEX_IP:/cortex/api/maintenance/migrate" # Create intial Cortex superadmin - curl -v -k "https://$CORTEX_IP/cortex/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$CORTEX_USER\",\"name\" : \"$CORTEX_USER\",\"roles\" : [\"superadmin\"],\"preferences\" : \"{}\",\"password\" : \"$CORTEX_PASSWORD\", \"key\": \"$CORTEX_KEY\"}" + curl -v -k -L "https://$CORTEX_IP/cortex/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$CORTEX_USER\",\"name\" : \"$CORTEX_USER\",\"roles\" : [\"superadmin\"],\"preferences\" : \"{}\",\"password\" : \"$CORTEX_PASSWORD\", \"key\": \"$CORTEX_KEY\"}" # Create user-supplied org - curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization" -d "{ \"name\": \"$CORTEX_ORG_NAME\",\"description\": \"$CORTEX_ORG_DESC\",\"status\": \"Active\"}" + curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/organization" -d "{ \"name\": \"$CORTEX_ORG_NAME\",\"description\": \"$CORTEX_ORG_DESC\",\"status\": \"Active\"}" # Create user-supplied org user - curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/user" -d "{\"name\": \"$CORTEX_ORG_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_ORG_USER\",\"key\": \"$CORTEX_ORG_USER_KEY\" }" + curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/user" -d "{\"name\": \"$CORTEX_ORG_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_ORG_USER\",\"key\": \"$CORTEX_ORG_USER_KEY\" }" # Enable URLScan.io Analyzer - curl -v -k -XPOST -H 
"Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}' + curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}' # Enable Cert PassiveDNS Analyzer - curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization/analyzer/CERTatPassiveDNS_2_0" -d '{"name":"CERTatPassiveDNS_2_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2, "limit": 100}}' + curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "https://$CORTEX_IP/cortex/api/organization/analyzer/CERTatPassiveDNS_2_0" -d '{"name":"CERTatPassiveDNS_2_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2, "limit": 100}}' # Revoke $CORTEX_USER key - curl -k -XDELETE -H "Authorization: Bearer $CORTEX_KEY" "https:///$CORTEX_IP/api/user/$CORTEX_USER/key" + curl -k -XDELETE -H "Authorization: Bearer $CORTEX_KEY" -L "https:///$CORTEX_IP/api/user/$CORTEX_USER/key" # Update SOCtopus config with apikey value #sed -i "s/cortex_key = .*/cortex_key = $CORTEX_KEY/" $SOCTOPUS_CONFIG diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init index c44af6339..f47f60b0a 100755 --- a/salt/thehive/scripts/hive_init +++ b/salt/thehive/scripts/hive_init 
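Review bot: The key-revocation line `curl -k -XDELETE -H "Authorization: Bearer $CORTEX_KEY" -L "https:///$CORTEX_IP/api/user/$CORTEX_USER/key"` has an empty authority (`https:///`) and lacks the `/cortex` prefix every other call in this function uses, so it is doubtful it reaches the API at all, and nothing checks the result, which would leave the bootstrap superadmin key valid after install. Fix the URL to `"https://$CORTEX_IP/cortex/api/user/$CORTEX_USER/key"` and check the response. Separately, `-v` on the analyzer-enable calls prints the `Authorization: Bearer $CORTEX_ORG_USER_KEY` request header to stderr, which ends up in whatever captures the install output; drop `-v` or use `-sS`. The `-L -k` combination carries the same cross-host replay concern as the other scripts in this series. `cortex_init` starts before this hunk and continues past it.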
@@ -36,15 +36,15 @@ thehive_init(){
 if [ "$THEHIVE_CONNECTED" == "yes" ]; then
 # Migrate DB
- curl -v -k -XPOST "https://$THEHIVE_IP:/thehive/api/maintenance/migrate"
+ curl -v -k -XPOST -L "https://$THEHIVE_IP:/thehive/api/maintenance/migrate"
 # Create intial TheHive user
- curl -v -k "https://$THEHIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASSWORD\", \"key\": \"$THEHIVE_KEY\"}"
+ curl -v -k -L "https://$THEHIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASSWORD\", \"key\": \"$THEHIVE_KEY\"}"
 # Pre-load custom fields
 #
 # reputation
- curl -v -k "https://$THEHIVE_IP/thehive/api/list/custom_fields" -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -d "{\"value\":{\"name\": \"reputation\", \"reference\": \"reputation\", \"description\": \"This field provides an overall reputation status for an address/domain.\", \"type\": \"string\", \"options\": []}}"
+ curl -v -k -L "https://$THEHIVE_IP/thehive/api/list/custom_fields" -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -d "{\"value\":{\"name\": \"reputation\", \"reference\": \"reputation\", \"description\": \"This field provides an overall reputation status for an address/domain.\", \"type\": \"string\", \"options\": []}}"
 touch /opt/so/state/thehive.txt
diff --git a/salt/utility/bin/crossthestreams b/salt/utility/bin/crossthestreams
index e67ce9f57..6998c7669 100644
--- a/salt/utility/bin/crossthestreams
+++ b/salt/utility/bin/crossthestreams
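Review bot: On the `-d "{\"login\" ...}"` line the password and API key are spliced into a JSON body by shell interpolation, so a `$THEHIVE_PASSWORD` containing `"` or `\` produces invalid JSON (or a different document) and the user is created with something other than what was chosen; the same body also sits on the curl command line, where it is readable by any local user through the process list. Feeding the body through stdin with `-d @-` and a heredoc keeps it off the command line, and building it with a JSON-aware tool (e.g. `jq -n --arg ...`, if jq is present on this host) removes the quoting problem. The cortex_init hunk above has the same construction for `$CORTEX_PASSWORD`. The `if [ "$THEHIVE_CONNECTED" == "yes" ]` block continues past the end of the hunk.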
@@ -9,7 +9,7 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 30 ]]; do
- curl --output /dev/null --silent --head --fail http://{{ ES }}:9200
+ curl --output /dev/null --silent --head --fail -L http://{{ ES }}:9200
 if [ $? -eq 0 ]; then
 ELASTICSEARCH_CONNECTED="yes"
 echo "connected!"
@@ -29,7 +29,7 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
 fi
 echo "Applying cross cluster search config..."
- curl -s -XPUT http://{{ ES }}:9200/_cluster/settings \
+ curl -s -XPUT -L http://{{ ES }}:9200/_cluster/settings \
 -H 'Content-Type: application/json' \
 -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}"
@@ -37,6 +37,6 @@ echo "Applying cross cluster search config..."
 {%- if salt['pillar.get']('nodestab', {}) %}
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-curl -XPUT http://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}'
+curl -XPUT -L http://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}'
 {%- endfor %}
 {%- endif %}
diff --git a/salt/utility/bin/eval b/salt/utility/bin/eval
index 87692e40f..f63a61942 100644
--- a/salt/utility/bin/eval
+++ b/salt/utility/bin/eval
@@ -6,7 +6,7 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 30 ]]; do
- curl --output /dev/null --silent --head --fail http://{{ ES }}:9200
+ curl --output /dev/null --silent --head --fail -L http://{{ ES }}:9200
 if [ $? -eq 0 ]; then
 ELASTICSEARCH_CONNECTED="yes"
 echo "connected!"
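Review bot: The `curl -s -XPUT -L http://{{ ES }}:9200/_cluster/settings` line in the `@@ -29` hunk (and its twin in eval, plus the per-node `curl -XPUT -L` in the `@@ -37` loop) still discards both the response and the exit status, so a rejected or misrouted cross-cluster settings update is silent while the connection wait just above it reports failure loudly; adding `-f` and testing `$?`, or capturing the body and checking for `"acknowledged":true`, would surface it. `-L` on a plain `http://` endpoint also means an unexpected redirect can carry this PUT, seed list included, to another host; `--max-redirs 3` bounds that, and on a locally managed ES endpoint it is mostly hygiene. The loop variant is the only one without `-s`, so its output format differs from the others for no visible reason.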
@@ -26,6 +26,6 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
 fi
 echo "Applying cross cluster search config..."
- curl -s -XPUT http://{{ ES }}:9200/_cluster/settings \
+ curl -s -XPUT -L http://{{ ES }}:9200/_cluster/settings \
 -H 'Content-Type: application/json' \
 -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}"
diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent
index c6411b492..6e7f40137 100755
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -52,7 +52,7 @@ register_agent() {
 echo ""
 echo "Adding agent:"
 echo "curl -s -u $USER:**** -k -X POST -d 'name=$AGENT_NAME&ip=$AGENT_IP' $PROTOCOL://$API_IP:$API_PORT/agents"
- API_RESULT=$(curl -s -u $USER:"$PASSWORD" -k -X POST -d 'name='$AGENT_NAME'&ip='$AGENT_IP $PROTOCOL://$API_IP:$API_PORT/agents)
+ API_RESULT=$(curl -s -u $USER:"$PASSWORD" -k -X POST -d 'name='$AGENT_NAME'&ip='$AGENT_IP -L $PROTOCOL://$API_IP:$API_PORT/agents)
 echo -e $API_RESULT | grep -q "\"error\":0" 2>&1
 if [ "$?" != "0" ]; then
@@ -84,14 +84,14 @@ remove_agent() {
 echo "Found: $AGENT_ID"
 echo "Removing previous registration for '$AGENT_NAME' using ID: $AGENT_ID ..."
 # curl -u foo:bar -k -X DELETE "https://127.0.0.1:55000/agents/001
- REMOVE_AGENT=$(curl -s -u $USER:"$PASSWORD" -k -X DELETE $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID)
+ REMOVE_AGENT=$(curl -s -u $USER:"$PASSWORD" -k -X DELETE -L $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID)
 echo -e $REMOVE_AGENT
 }
 get_agent_id() {
 echo ""
 echo "Checking for Agent ID..."
- AGENT_ID=$(curl -s -u $USER:"$PASSWORD" -k -X GET $PROTOCOL://$API_IP:$API_PORT/agents/name/$AGENT_NAME | rev | cut -d: -f1 | rev | grep -o '".*"' | tr -d '"')
+ AGENT_ID=$(curl -s -u $USER:"$PASSWORD" -k -X GET -L $PROTOCOL://$API_IP:$API_PORT/agents/name/$AGENT_NAME | rev | cut -d: -f1 | rev | grep -o '".*"' | tr -d '"')
 }
 # MAIN
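Review bot: In the `@@ -84` hunk the changed `AGENT_ID=` line still derives the id from whatever quoted text follows the last `:` of the response, and with `-s`, no `-f` and now `-L`, an error body or a redirect target's page is parsed just the same and then interpolated into `$PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID` by remove_agent; since the main block of this script already relies on `jq`, parsing the id with `jq -r` on the response field that carries it (verify the key against the Wazuh API version in use) and adding `-f` would fail closed. For the `-u $USER:"$PASSWORD"` calls in both hunks, curl does not send those credentials to a different host after a redirect unless `--location-trusted` is set, so a redirect away from `$API_IP` surfaces only as an unauthenticated response that `grep -q "\"error\":0"` then reports as a generic failure. Both register_agent and remove_agent begin before their hunks.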
@@ -136,7 +136,7 @@ shift $(($OPTIND - 1))
 # Default action -> try to register the agent
 sleep 30s
-STATUS=$(curl -s -k -u $USER:$PASSWORD $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
+STATUS=$(curl -s -k -u $USER:$PASSWORD -L $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
 if [[ $STATUS == "Active" ]]; then
 echo "Agent $AGENT_ID already registered!"
 else
From 37ede9b993442d2b73272d0f22d8165b25649da7 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 26 Oct 2020 15:03:27 -0400
Subject: [PATCH 16/17] [wip] Redirect so-user-add to separate log so ERROR isn't in main log
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 06f103cfc..3c056d23f 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -173,7 +173,7 @@ add_web_user() {
 echo "Attempting to add administrator user for web interface...";
 echo "$WEBPASSWD1" | /usr/sbin/so-user add "$WEBUSER";
 echo "Add user result: $?";
- } >> "$setup_log" 2>&1
+ } >> "/root/so-user-add.log" 2>&1
 }
 # Create an secrets pillar so that passwords survive re-install
From 0aaf8d6d9a785a79221a054f79eca57391c54ffb Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 26 Oct 2020 16:37:16 -0400
Subject: [PATCH 17/17] [fix] Change 301 to 307 so curl requests work as intended
---
 salt/nginx/etc/nginx.conf | 6 +-
 salt/nginx/etc/nginx.conf.so-import | 326 ----------------------------
 2 files changed, 3 insertions(+), 329 deletions(-)
 delete mode 100644 salt/nginx/etc/nginx.conf.so-import
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index 7774f9f8d..facfb4c22 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
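Review bot: The changed `STATUS=` line passes `-u $USER:$PASSWORD` unquoted, unlike the `$USER:"$PASSWORD"` form used in register_agent, remove_agent and get_agent_id, so a password containing whitespace or glob characters is word-split before curl sees it and the check quietly falls through to the else branch; `-u "$USER:$PASSWORD"` keeps the four calls consistent. As with the other calls, `-L` does not forward basic credentials to a different host, so a redirect off `$API_IP` yields an unauthenticated body that `jq .data.status` turns into `null` rather than an error, and `-f` would make that visible. This hunk is top-level script, not inside a function.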
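Review bot: Redirecting the whole `{ … }` group to `"/root/so-user-add.log"` also moves the `echo "Add user result: $?"` line out of `$setup_log`, so the exit status of `so-user add` no longer appears in the main setup log at all, and the path is hard-coded rather than derived from `$setup_log` (e.g. `"${setup_log%/*}/so-user-add.log"`). Unless hiding failures is the intent, keep the result line in `$setup_log` and send only the so-user output to the side file, or `tee -a` the status into both. The group's opening brace and the `add_web_user()` signature lie before the hunk start; the commit is marked [wip], so this may already be known.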
@@ -74,13 +74,13 @@ http {
 server {
 listen 80 default_server;
 server_name _;
- return 301 https://{{ url_base }}$request_uri;
+ return 307 https://{{ url_base }}$request_uri;
 }
 server {
 listen 443 ssl http2 default_server;
 server_name _;
- return 301 https://{{ url_base }}$request_uri;
+ return 307 https://{{ url_base }}$request_uri;
 ssl_certificate "/etc/pki/nginx/server.crt";
 ssl_certificate_key "/etc/pki/nginx/server.key";
@@ -291,7 +291,7 @@ http {
 {%- if fleet_node %}
 location /fleet/ {
- return 301 https://{{ fleet_ip }}/fleet;
+ return 307 https://{{ fleet_ip }}/fleet;
 }
 {%- else %}
diff --git a/salt/nginx/etc/nginx.conf.so-import b/salt/nginx/etc/nginx.conf.so-import
deleted file mode 100644
index 1f180ad09..000000000
--- a/salt/nginx/etc/nginx.conf.so-import
+++ /dev/null
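Review bot: The `return 307 https://{{ url_base }}$request_uri;` in the `listen 443 ssl http2 default_server` block sends every TLS request whose Host did not match a named server back to url_base; if url_base is empty or is not itself matched by a more specific `server_name` block (none is visible in this hunk), that is a redirect loop, so a Jinja guard on url_base or the presence of a `server_name {{ url_base }}` block should be confirmed. 307 preserves POST bodies across the redirect, which is the stated intent, but unlike 301 it is neither cached by browsers nor permanent; 308 is the method-preserving permanent code, and an `add_header Strict-Transport-Security` on the 443 block would remove the plaintext hop entirely for returning browsers. The same 301→307 change in the `@@ -291` fleet hunk still drops `$request_uri`, so a deep link under /fleet/ lands on /fleet; pre-existing, but worth a look while the line is touched.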
@@ -1,326 +0,0 @@
-{%- set managerip = salt['pillar.get']('manager:mainip', '') %}
-{%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %}
-{%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %}
-{%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %}
-# For more information on configuration, see:
-# * Official English Documentation: http://nginx.org/en/docs/
-# * Official Russian Documentation: http://nginx.org/ru/docs/
-
-worker_processes auto;
-error_log /var/log/nginx/error.log;
-pid /run/nginx.pid;
-
-# Load dynamic modules. See /usr/share/nginx/README.dynamic.
-include /usr/share/nginx/modules/*.conf;
-
-events {
- worker_connections 1024;
-}
-
-http {
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- client_max_body_size 2500M;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- # Load modular configuration files from the /etc/nginx/conf.d directory.
- # See http://nginx.org/en/docs/ngx_core_module.html#include
- # for more information.
- include /etc/nginx/conf.d/*.conf;
-
- #server {
- # listen 80 default_server;
- # listen [::]:80 default_server;
- # server_name _;
- # root /opt/socore/html;
- # index index.html;
-
- # Load configuration files for the default server block.
- #include /etc/nginx/default.d/*.conf;
-
- # location / {
- # }
-
- # error_page 404 /404.html;
- # location = /40x.html {
- # }
-
- # error_page 500 502 503 504 /50x.html;
- # location = /50x.html {
- # }
- #}
- server {
- listen 80 default_server;
- server_name _;
- return 301 https://$host$request_uri;
- }
-
-{% if FLEET_MANAGER %}
- server {
- listen 8090 ssl http2 default_server;
- server_name _;
- root /opt/socore/html;
- index blank.html;
-
- ssl_certificate "/etc/pki/nginx/server.crt";
- ssl_certificate_key "/etc/pki/nginx/server.key";
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 10m;
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
-
- location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
- grpc_pass grpcs://{{ managerip }}:8080;
- grpc_set_header Host $host;
- grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_buffering off;
- }
-
- }
-{% endif %}
-
-# Settings for a TLS enabled server.
-
- server {
- listen 443 ssl http2 default_server;
- #listen [::]:443 ssl http2 default_server;
- server_name _;
- root /opt/socore/html;
- index index.html;
-
- ssl_certificate "/etc/pki/nginx/server.crt";
- ssl_certificate_key "/etc/pki/nginx/server.key";
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 10m;
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
-
- # Load configuration files for the default server block.
- #include /etc/nginx/default.d/*.conf;
-
- location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) {
- proxy_pass http://{{ managerip }}:9822;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location / {
- auth_request /auth/sessions/whoami;
- proxy_pass http://{{ managerip }}:9822/;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location ~ ^/auth/.*?(whoami|login|logout|settings) {
- rewrite /auth/(.*) /$1 break;
- proxy_pass http://{{ managerip }}:4433;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /cyberchef/ {
- auth_request /auth/sessions/whoami;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /navigator/ {
- auth_request /auth/sessions/whoami;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /packages/ {
- try_files $uri =206;
- auth_request /auth/sessions/whoami;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /grafana/ {
- auth_request /auth/sessions/whoami;
- rewrite /grafana/(.*) /$1 break;
- proxy_pass http://{{ managerip }}:3000/;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /kibana/ {
- auth_request /auth/sessions/whoami;
- rewrite /kibana/(.*) /$1 break;
- proxy_pass http://{{ managerip }}:5601/;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /nodered/ {
- proxy_pass http://{{ managerip }}:1880/;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /playbook/ {
- proxy_pass http://{{ managerip }}:3200/playbook/;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- {%- if FLEET_NODE %}
- location /fleet/ {
- return 301 https://{{ FLEET_IP }}/fleet;
- }
- {%- else %}
- location /fleet/ {
- proxy_pass https://{{ managerip }}:8080;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
- {%- endif %}
-
- location /thehive/ {
- proxy_pass http://{{ managerip }}:9000/thehive/;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_http_version 1.1; # this is essential for chunked responses to work
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /cortex/ {
- proxy_pass http://{{ managerip }}:9001/cortex/;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_http_version 1.1; # this is essential for chunked responses to work
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /soctopus/ {
- proxy_pass http://{{ managerip }}:7000/;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /kibana/app/soc/ {
- rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
- }
-
- location /kibana/app/fleet/ {
- rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
- }
-
- location /kibana/app/soctopus/ {
- rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
- }
-
- location /sensoroniagents/ {
- proxy_pass http://{{ managerip }}:9822/;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- error_page 401 = @error401;
-
- location @error401 {
- add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
- return 302 /auth/self-service/browser/flows/login;
- }
-
- #error_page 404 /404.html;
- # location = /usr/share/nginx/html/40x.html {
- #}
-
- error_page 500 502 503 504 /50x.html;
- location = /usr/share/nginx/html/50x.html {
- }
- }
-
-}