Merge pull request #15555 from Security-Onion-Solutions/altwebcert

Support additional alt names in web cert

salt/nginx/defaults.yaml

@@ -3,6 +3,7 @@ nginx:
   external_suricata: False
   ssl:
     replace_cert: False
+    alt_names: []
   config:
     throttle_login_burst: 12
     throttle_login_rate: 20

salt/nginx/etc/nginx.conf

@@ -60,6 +60,8 @@ http {
     {%- endif %}
 
 	{%- if GLOBALS.is_manager %}
+	{%- set all_names = [GLOBALS.hostname, GLOBALS.url_base] + NGINXMERGED.ssl.alt_names %}
+	{%- set full_server_name = all_names | unique | join(' ') %}
 
 	server {
 		listen 80 default_server;
@@ -69,7 +71,7 @@ http {
 
 	server {
 		listen 8443;
-		server_name {{ GLOBALS.url_base }};
+		server_name {{ full_server_name }};
 		root /opt/socore/html;
 		location /artifacts/ {
 			try_files $uri =206;
@@ -112,7 +114,7 @@ http {
 
 	server {
 		listen 7788;
-		server_name {{ GLOBALS.url_base }};
+		server_name {{ full_server_name }};
 		root /nsm/rules;
 		location / {
 			allow all;
@@ -128,7 +130,7 @@ http {
     server {
         listen 7789 ssl;
 		http2 on;
-        server_name {{ GLOBALS.url_base }};
+        server_name {{ full_server_name }};
         root /surirules;
 
 		add_header 	Content-Security-Policy     "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'";
@@ -161,7 +163,7 @@ http {
 	server {
 		listen       443 ssl;
 		http2 on;
-		server_name  {{ GLOBALS.url_base }};
+		server_name  {{ full_server_name }};
 		root         /opt/socore/html;
 		index        index.html;
 

salt/nginx/soc_nginx.yaml

@@ -30,6 +30,12 @@ nginx:
       advanced: True
       global: True
       helpLink: nginx.html
+    alt_names:
+      description: Provide a list of alternate names to allow remote systems the ability to refer to the SOC API as another hostname.
+      global: True
+      forcedType: '[]string'
+      multiline: True
+      helpLink: nginx.html
   config:
     throttle_login_burst:
       description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.

salt/nginx/ssl.sls

@@ -49,6 +49,17 @@ managerssl_key:
       - docker_container: so-nginx
 
 # Create a cert for the reverse proxy
+{% set san_list = [GLOBALS.hostname, GLOBALS.node_ip, GLOBALS.url_base] + NGINXMERGED.ssl.alt_names %}
+{% set unique_san_list = san_list | unique %}
+{% set managerssl_san_list = [] %}
+{% for item in unique_san_list %}
+{%   if item | ipaddr %}
+{%     do managerssl_san_list.append("IP:" + item) %}
+{%   else %}
+{%     do managerssl_san_list.append("DNS:" + item) %}
+{%   endif %}
+{% endfor %}
+{% set managerssl_san = managerssl_san_list | join(', ') %}
 managerssl_crt:
   x509.certificate_managed:
     - name: /etc/pki/managerssl.crt
@@ -56,7 +67,7 @@ managerssl_crt:
     - signing_policy: managerssl
     - private_key: /etc/pki/managerssl.key
     - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" 
+    - subjectAltName: {{ managerssl_san }}
     - days_remaining: 7
     - days_valid: 820
     - backup: True