[fix] Fixes for fleet install

This commit is contained in:
William Wernert
2020-10-22 13:09:26 -04:00
parent 79c4f07ff7
commit 6a3e921924


@@ -1,5 +1,10 @@
{%- set managerip = salt['pillar.get']('manager:mainip', '') %}
{%- set role = grains.id.split('_') | last %}
{%- if role == 'fleet' %}
{% set MAININT = salt['pillar.get']('host:mainint') %}
{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
{%- endif %}
{%- set managerip = salt['pillar.get']('manager:mainip', '') %}
{%- set url_base = salt['pillar.get']('global:url_base') %}
{%- set fleet_manager = salt['pillar.get']('global:fleet_manager') %}
@@ -37,25 +42,7 @@ http {
include /etc/nginx/conf.d/*.conf;
{%- if airgap is sameas true %}
server {
listen 7788;
server_name {{ url_base }};
root /opt/socore/html/repo;
location /rules/ {
allow all;
sendfile on;
sendfile_max_chunk 1m;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
}
{%- endif %}
{%- if fleet_manager %}
{%- if fleet_manager or role == 'fleet' %}
server {
listen 8090 ssl http2 default_server;
server_name {{ url_base }};
@@ -70,16 +57,21 @@ http {
ssl_prefer_server_ciphers on;
location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
{%- if role == 'fleet' %}
grpc_pass grpcs://{{ MAINIP }}:8080;
{%- else %}
grpc_pass grpcs://{{ managerip }}:8080;
{%- endif %}
grpc_set_header Host $host;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_buffering off;
}
}
{%- endif %}
{%- if role in ['eval', 'managersearch', 'manager', 'standalone'] %}
{%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'fleet', 'import'] %}
server {
listen 80 default_server;
server_name _;
@@ -99,6 +91,55 @@ http {
ssl_prefer_server_ciphers on;
}
{%- endif %}
{%- if role == 'fleet' %}
server {
listen 443 ssl http2;
server_name {{ url_base }};
root /opt/socore/html;
index index.html;
ssl_certificate "/etc/pki/nginx/server.crt";
ssl_certificate_key "/etc/pki/nginx/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location /fleet/ {
proxy_pass https://{{ MAINIP }}:8080;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme;
}
error_page 500 502 503 504 /50x.html;
location = /usr/share/nginx/html/50x.html {
}
}
{%- elif role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %}
{%- if airgap is sameas true %}
server {
listen 7788;
server_name {{ url_base }};
root /opt/socore/html/repo;
location /rules/ {
allow all;
sendfile on;
sendfile_max_chunk 1m;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
}
{%- endif %}
server {
listen 443 ssl http2;
server_name {{ url_base }};
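Review bot: The error handling in the new `role == 'fleet'` server block does not line up: `error_page 500 502 503 504 /50x.html;` redirects to the URI `/50x.html`, which under `root /opt/socore/html;` resolves to /opt/socore/html/50x.html, while the following `location = /usr/share/nginx/html/50x.html { }` matches a URI nothing ever requests, so the stock error page is never served. The usual nginx form is `location = /50x.html { root /usr/share/nginx/html; }`, or else point `error_page` at a file that exists under the block's own root. Separately, `proxy_pass https://{{ MAINIP }}:8080;` speaks TLS to the Fleet backend with nginx's default of no upstream certificate verification; since MAINIP is derived in the first hunk from this node's own `ip_interfaces` entry the hop stays on-host and the exposure is limited, but `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate <path-to-fleet-ca>;` is the check to add if the backend is ever moved off-host. The block also repeats `ssl_ciphers HIGH:!aNULL:!MD5;` from the existing 8090 and 443 blocks, which still admits non-forward-secret RSA key exchange; tightening that is a file-wide change rather than one for this commit.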
@@ -249,10 +290,11 @@ http {
}
{%- if fleet_node %}
location /fleet/ {
return 301 https://{{ fleet_ip }}/fleet;
}
{%- else %}
location /fleet/ {
@@ -265,6 +307,7 @@ http {
proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme;
}
{%- endif %}
location /thehive/ {