enabled/disable nginx via ui

salt/manager/tools/sbin/so-minion

@@ -288,6 +288,13 @@ function add_influxdb_to_minion() {
 	"  " >> $PILLARFILE
 }
 
+function add_nginx_to_minion() {
+    printf '%s\n'\
+    "nginx:"\
+    "  enabled: True"\
+	"  " >> $PILLARFILE
+}
+
 function create_fleet_policy() {
 
 	JSON_STRING=$( jq -n \
@@ -340,6 +347,7 @@ function createEVAL() {
 	add_curator_to_minion
 	add_telegraf_to_minion
 	add_influxdb_to_minion
+	add_nginx_to_minion
 }
 
 function createSTANDALONE() {
@@ -354,6 +362,7 @@ function createSTANDALONE() {
 	add_curator_to_minion
 	add_telegraf_to_minion
 	add_influxdb_to_minion
+	add_nginx_to_minion
 }
 
 function createMANAGER() {
@@ -366,6 +375,7 @@ function createMANAGER() {
 	add_curator_to_minion
 	add_telegraf_to_minion
 	add_influxdb_to_minion
+	add_nginx_to_minion
 }
 
 function createMANAGERSEARCH() {
@@ -378,6 +388,7 @@ function createMANAGERSEARCH() {
 	add_curator_to_minion
 	add_telegraf_to_minion
 	add_influxdb_to_minion
+	add_nginx_to_minion
 }
 
 function createIMPORT() {
@@ -386,6 +397,7 @@ function createIMPORT() {
 	add_kibana_to_minion
 	add_telegraf_to_minion
 	add_influxdb_to_minion
+	add_nginx_to_minion
 }
 
 function createFLEET() {
@@ -410,18 +422,21 @@ function createHEAVYNODE() {
 	add_redis_to_minion
 	add_curator_to_minion
 	add_telegraf_to_minion
+	add_nginx_to_minion
 }
 
 function createSENSOR() {
 	add_sensor_to_minion
 	add_strelka_strelka_to_minion
 	add_telegraf_to_minion
+	add_nginx_to_minion
 }
 
 function createSEARCHNODE() {
 	add_elasticsearch_to_minion
 	add_logstash_to_minion
 	add_telegraf_to_minion
+	add_nginx_to_minion
 	updateMine
 	apply_ES_state
 }

salt/nginx/config.sls

@@ -0,0 +1,110 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - ssl
+
+# Drop the correct nginx config based on role
+nginxconfdir:
+  file.directory:
+    - name: /opt/so/conf/nginx/html
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+nginxhtml:
+  file.recurse:
+    - name: /opt/so/conf/nginx/html
+    - source: salt://nginx/html/
+    - user: 939
+    - group: 939
+
+nginxconf:
+  file.managed:
+    - name: /opt/so/conf/nginx/nginx.conf
+    - user: 939
+    - group: 939
+    - template: jinja
+    - source: salt://nginx/etc/nginx.conf
+    - show_changes: False
+
+nginxlogdir:
+  file.directory:
+    - name: /opt/so/log/nginx/
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+nginxtmp:
+  file.directory:
+    - name: /opt/so/tmp/nginx/tmp
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+navigatorconfig:
+  file.managed:
+    - name: /opt/so/conf/navigator/navigator_config.json
+    - source: salt://nginx/files/navigator_config.json
+    - user: 939
+    - group: 939
+    - makedirs: True
+    - template: jinja
+
+navigatordefaultlayer:
+  file.managed:
+    - name: /opt/so/conf/navigator/nav_layer_playbook.json
+    - source: salt://nginx/files/nav_layer_playbook.json
+    - user: 939
+    - group: 939
+    - makedirs: True
+    - replace: False
+    - template: jinja
+
+navigatorpreattack:
+  file.managed:
+    - name: /opt/so/conf/navigator/pre-attack.json
+    - source: salt://nginx/files/pre-attack.json
+    - user: 939
+    - group: 939
+    - makedirs: True
+    - replace: False
+
+navigatorenterpriseattack:
+  file.managed:
+    - name: /opt/so/conf/navigator/enterprise-attack.json
+    - source: salt://nginx/files/enterprise-attack.json
+    - user: 939
+    - group: 939
+    - makedirs: True
+    - replace: False
+
+nginx_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://nginx/tools/sbin
+    - user: 939
+    - group: 939
+    - file_mode: 755
+
+#nginx_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://nginx/tools/sbin_jinja
+#    - user: 939
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/nginx/defaults.yaml

@@ -1,3 +1,4 @@
 nginx:
+  enabled: False
   config:
     replace_cert: False

salt/nginx/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - nginx.sostatus
+  
+so-nginx:
+  docker_container.absent:
+    - force: True
+
+so-nginx_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-nginx$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/nginx/enabled.sls

@@ -0,0 +1,69 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+
+include:
+  - nginx.config
+  - nginx.sostatus
+
+so-nginx:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }}
+    - hostname: so-nginx
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }}
+    - extra_hosts:
+      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
+    - binds:
+      - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - /opt/so/log/nginx/:/var/log/nginx:rw
+      - /opt/so/tmp/nginx/:/var/lib/nginx:rw
+      - /opt/so/tmp/nginx/:/run:rw
+      - /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages
+      - /nsm/elastic-fleet/artifacts/:/opt/socore/html/artifacts 
+      {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
+      - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro
+      - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro
+      # ATT&CK Navigator binds
+      - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro
+      - /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro
+      - /opt/so/conf/navigator/enterprise-attack.json:/opt/socore/html/navigator/assets/enterprise-attack.json:ro
+      - /opt/so/conf/navigator/pre-attack.json:/opt/socore/html/navigator/assets/pre-attack.json:ro
+      - /nsm/repo:/opt/socore/html/repo:ro
+      {% endif %}
+    - cap_add: NET_BIND_SERVICE
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-nginx'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
+    - watch:
+      - file: nginxconf
+      - file: nginxconfdir
+    - require:
+      - file: nginxconf
+      {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
+      - x509: managerssl_key
+      - x509: managerssl_crt
+      - file: navigatorconfig
+      - file: navigatordefaultlayer
+      {% endif %}
+
+delete_so-nginx_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-nginx$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/nginx/init.sls

@@ -1,156 +1,13 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-{% from 'allowed_states.map.jinja' import allowed_states %}
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-{% if sls in allowed_states %}
+# https://securityonion.net/license; you may not use this file except in compliance with the
-{% from 'docker/docker.map.jinja' import DOCKER %}
+# Elastic License 2.0.
+
+{% from 'nginx/map.jinja' import NGINXMERGED %}
 
 include:
-  - ssl
+{% if NGINXMERGED.enabled %}
-
+  - nginx.enabled
-# Drop the correct nginx config based on role
-nginxconfdir:
-  file.directory:
-    - name: /opt/so/conf/nginx/html
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-nginxhtml:
-  file.recurse:
-    - name: /opt/so/conf/nginx/html
-    - source: salt://nginx/html/
-    - user: 939
-    - group: 939
-
-nginxconf:
-  file.managed:
-    - name: /opt/so/conf/nginx/nginx.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://nginx/etc/nginx.conf
-    - show_changes: False
-
-nginxlogdir:
-  file.directory:
-    - name: /opt/so/log/nginx/
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-nginxtmp:
-  file.directory:
-    - name: /opt/so/tmp/nginx/tmp
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-navigatorconfig:
-  file.managed:
-    - name: /opt/so/conf/navigator/navigator_config.json
-    - source: salt://nginx/files/navigator_config.json
-    - user: 939
-    - group: 939
-    - makedirs: True
-    - template: jinja
-
-navigatordefaultlayer:
-  file.managed:
-    - name: /opt/so/conf/navigator/nav_layer_playbook.json
-    - source: salt://nginx/files/nav_layer_playbook.json
-    - user: 939
-    - group: 939
-    - makedirs: True
-    - replace: False
-    - template: jinja
-
-navigatorpreattack:
-  file.managed:
-    - name: /opt/so/conf/navigator/pre-attack.json
-    - source: salt://nginx/files/pre-attack.json
-    - user: 939
-    - group: 939
-    - makedirs: True
-    - replace: False
-
-navigatorenterpriseattack:
-  file.managed:
-    - name: /opt/so/conf/navigator/enterprise-attack.json
-    - source: salt://nginx/files/enterprise-attack.json
-    - user: 939
-    - group: 939
-    - makedirs: True
-    - replace: False
-
-nginx_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://nginx/tools/sbin
-    - user: 939
-    - group: 939
-    - file_mode: 755
-
-#nginx_sbin_jinja:
-#  file.recurse:
-#    - name: /usr/sbin
-#    - source: salt://nginx/tools/sbin_jinja
-#    - user: 939
-#    - group: 939 
-#    - file_mode: 755
-#    - template: jinja
-
-so-nginx:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }}
-    - hostname: so-nginx
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }}
-    - extra_hosts:
-      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    - binds:
-      - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-      - /opt/so/log/nginx/:/var/log/nginx:rw
-      - /opt/so/tmp/nginx/:/var/lib/nginx:rw
-      - /opt/so/tmp/nginx/:/run:rw
-      - /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages
-      - /nsm/elastic-fleet/artifacts/:/opt/socore/html/artifacts 
-  {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
-      - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro
-      - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro
-      # ATT&CK Navigator binds
-      - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro
-      - /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro
-      - /opt/so/conf/navigator/enterprise-attack.json:/opt/socore/html/navigator/assets/enterprise-attack.json:ro
-      - /opt/so/conf/navigator/pre-attack.json:/opt/socore/html/navigator/assets/pre-attack.json:ro
-      - /nsm/repo:/opt/socore/html/repo:ro
-  
-  {% endif %}
-    - cap_add: NET_BIND_SERVICE
-    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-nginx'].port_bindings %}
-      - {{ BINDING }}
-      {% endfor %}
-    - watch:
-      - file: nginxconf
-      - file: nginxconfdir
-    - require:
-      - file: nginxconf
-  {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
-      - x509: managerssl_key
-      - x509: managerssl_crt
-      - file: navigatorconfig
-      - file: navigatordefaultlayer
-  {% endif %}
-
-append_so-nginx_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-nginx
-
 {% else %}
-
+  - nginx.disabled
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
 {% endif %}

salt/nginx/map.jinja

@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% import_yaml 'nginx/defaults.yaml' as NGINXDEFAULTS %}
+{% set NGINXMERGED = salt['pillar.get']('nginx', NGINXDEFAULTS.nginx, merge=True) %}

salt/nginx/soc_nginx.yaml

@@ -1,4 +1,7 @@
 nginx:
+  enabled: 
+    description: You can enable or disable Nginx.
+    helpLink: nginx.html
   config:
     replace_cert:
       description: Enable this if you would like to replace the Security Onion Certificate with your own.

salt/nginx/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-nginx_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-nginx
+    - unless: grep -q so-nginx /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}