From b03b75315db902ac33b642da15f3623d002449fa Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Wed, 4 Mar 2026 15:45:03 -0500
Subject: [PATCH] Support additional alt names in web cert

---
 salt/nginx/defaults.yaml | 1 +
 salt/nginx/etc/nginx.conf | 10 ++++++----
 salt/nginx/soc_nginx.yaml | 6 ++++++
 salt/nginx/ssl.sls | 13 ++++++++++++-
 4 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/salt/nginx/defaults.yaml b/salt/nginx/defaults.yaml
index 3e36233e7..bae5413a8 100644
--- a/salt/nginx/defaults.yaml
+++ b/salt/nginx/defaults.yaml
@@ -3,6 +3,7 @@ nginx:
 external_suricata: False
 ssl:
 replace_cert: False
+ alt_names: []
 config:
 throttle_login_burst: 12
 throttle_login_rate: 20
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index 6b322c397..0c0e4b463 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -60,6 +60,8 @@ http {
 {%- endif %}
 {%- if GLOBALS.is_manager %}
+ {%- set all_names = [GLOBALS.hostname, GLOBALS.url_base] + NGINXMERGED.ssl.alt_names %}
+ {%- set full_server_name = all_names | unique | join(' ') %}
 server {
 listen 80 default_server;
@@ -69,7 +71,7 @@ http {
 server {
 listen 8443;
- server_name {{ GLOBALS.url_base }};
+ server_name {{ full_server_name }};
 root /opt/socore/html;
 location /artifacts/ {
 try_files $uri =206;
@@ -112,7 +114,7 @@ http {
 server {
 listen 7788;
- server_name {{ GLOBALS.url_base }};
+ server_name {{ full_server_name }};
 root /nsm/rules;
 location / {
 allow all;
@@ -128,7 +130,7 @@ http {
 server {
 listen 7789 ssl;
 http2 on;
- server_name {{ GLOBALS.url_base }};
+ server_name {{ full_server_name }};
 root /surirules;
 add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'";
@@ -161,7 +163,7 @@ http {
 server {
 listen 443 ssl;
 http2 on;
- server_name {{ GLOBALS.url_base }};
+ server_name {{ full_server_name }};
 root /opt/socore/html;
 index index.html;
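Review bot: The first added line in the `@@ -60,6 +60,8 @@` hunk concatenates operator-supplied `alt_names` into `all_names` with no validation, so an entry containing whitespace, `;`, `{`, `}` or a newline is rendered verbatim into `server_name {{ full_server_name }};` and either fails the nginx config test on reload or terminates the directive early; this is admin-controlled input, but one bad entry takes the whole reverse proxy down. I would normalise and check the entries before merging, e.g. `{%- set extra_names = (NGINXMERGED.ssl.alt_names or []) | map('trim') | select('match', '^[A-Za-z0-9.*-]+$') | list %}` followed by `{%- set all_names = [GLOBALS.hostname, GLOBALS.url_base] + extra_names %}`, or raise at render time if you prefer a loud failure over silently dropping a bad name. The `or []` also guards against the render crashing with a TypeError if `alt_names` is ever set to null rather than an empty list, which the `forcedType` in soc_nginx.yaml may or may not prevent at the pillar level. Note too that the certificate SAN in ssl.sls includes `GLOBALS.node_ip` while this server_name list does not; if the intent is for the cert and the vhost to cover the same names, add `GLOBALS.node_ip` here as well.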
diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml
index 07abd32ce..de1a083c2 100644
--- a/salt/nginx/soc_nginx.yaml
+++ b/salt/nginx/soc_nginx.yaml
@@ -30,6 +30,12 @@ nginx:
 advanced: True
 global: True
 helpLink: nginx.html
+ alt_names:
+ description: Provide a list of alternate names to allow remote systems the ability to refer to the SOC API as another hostname.
+ global: True
+ forcedType: '[]string'
+ multiline: True
+ helpLink: nginx.html
 config:
 throttle_login_burst:
 description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
diff --git a/salt/nginx/ssl.sls b/salt/nginx/ssl.sls
index c699e1be3..b90f4af0a 100644
--- a/salt/nginx/ssl.sls
+++ b/salt/nginx/ssl.sls
@@ -49,6 +49,17 @@ managerssl_key:
 - docker_container: so-nginx
 # Create a cert for the reverse proxy
+{% set san_list = [GLOBALS.hostname, GLOBALS.node_ip, GLOBALS.url_base] + NGINXMERGED.ssl.alt_names %}
+{% set unique_san_list = san_list | unique %}
+{% set managerssl_san_list = [] %}
+{% for item in unique_san_list %}
+{% if item | ipaddr %}
+{% do managerssl_san_list.append("IP:" + item) %}
+{% else %}
+{% do managerssl_san_list.append("DNS:" + item) %}
+{% endif %}
+{% endfor %}
+{% set managerssl_san = managerssl_san_list | join(', ') %}
 managerssl_crt:
 x509.certificate_managed:
 - name: /etc/pki/managerssl.crt
@@ -56,7 +67,7 @@ managerssl_crt:
 - signing_policy: managerssl
 - private_key: /etc/pki/managerssl.key
 - CN: {{ GLOBALS.hostname }}
- - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}"
+ - subjectAltName: {{ managerssl_san }}
 - days_remaining: 7
 - days_valid: 820
 - backup: True
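Review bot: The `description` added for `alt_names` does not say what form a value must take or what it affects, so an operator can plausibly enter `https://soc.example.com:8443` or a name with a trailing space and only discover the problem from a failed nginx reload or a certificate with a bogus SAN. I would reword it along the lines of `Additional hostnames or IP addresses (one per line; no scheme, port or path) that the SOC web interface and API should answer to. Each entry is added to the nginx server_name list and to the Subject Alternative Name of the generated web certificate.` If a user-supplied certificate (the `replace_cert` option in defaults.yaml) bypasses the generated one, the description should also state that such a certificate must already contain these names; that path is not visible in this patch, so confirm against ssl.sls before adding the sentence.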
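Review bot: In the `@@ -49,6 +49,17 @@` hunk the `alt_names` entries are put into the SAN untrimmed and unchecked, so a trailing space from the multiline editor or an empty line produces `DNS:foo ` or a bare `DNS:` in the request; the `ipaddr` test on the fifth added line only separates addresses from everything else, it does not reject malformed names. I would normalise before classifying: `{% set unique_san_list = san_list | map('trim') | reject('equalto', '') | unique %}`. This also relies on Salt's `ipaddr` filter returning a falsy value for a non-address string so that hostnames fall into the `DNS:` branch, which is worth confirming for the Salt version in use. Separately, please confirm that changing `subjectAltName` on an already-issued cert actually triggers re-issuance by `x509.certificate_managed` (`days_remaining` alone will not) and that so-nginx is restarted afterwards; the watch/require lines for `managerssl_crt` are outside this hunk.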
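Review bot: The replacement `subjectAltName` line in the `@@ -56,7 +67,7 @@` hunk drops the double quotes the removed line had, so the rendered value is now a plain YAML scalar; it still parses for well-formed names because every element starts with `DNS:` or `IP:`, but an unvalidated `alt_names` entry containing `: ` or ` #` would split the mapping or truncate the list at YAML load time rather than failing with a clear error. Keep the quoting as before: `- subjectAltName: "{{ managerssl_san }}"`.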