Merge pull request #10310 from Security-Onion-Solutions/kilo

nginx changes: add rate limiting, remove old HH html

salt/nginx/config.map.jinja

@@ -0,0 +1,3 @@
+{% import_yaml 'nginx/defaults.yaml' as NGDEFAULTS %}
+
+{% set NGMERGED = salt['pillar.get']('nginx', NGDEFAULTS.nginx, merge=True) %}

salt/nginx/defaults.yaml

@@ -1,3 +1,5 @@
 nginx:
     config:
-        replace_cert: False
+        replace_cert: False
+        throttle_login_burst: 6
+        throttle_login_rate: 10

salt/nginx/etc/nginx.conf

@@ -1,5 +1,6 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
 {%- from 'docker/docker.map.jinja' import DOCKER %}
+{%- from 'nginx/config.map.jinja' import NGMERGED %}
 {%- set role = grains.id.split('_') | last %}
 {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
 {%- set influxauth = ('so:' + influxpass) | base64_encode %}
@@ -33,6 +34,8 @@ http {
 	include             /etc/nginx/mime.types;
 	default_type        application/octet-stream;
 
+	limit_req_zone $binary_remote_addr zone=auth_throttle:10m rate={{ NGMERGED.config.throttle_login_rate }}r/m;
+
 	include /etc/nginx/conf.d/*.conf;
 
 	{%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %}
@@ -143,7 +146,21 @@ http {
 			proxy_set_header      X-Forwarded-Proto $scheme;
 		}
 
-		location ~ ^/auth/.*?(whoami|login|logout|settings) {
+		location ~ ^/auth/.*?(login) {
+			rewrite               /auth/(.*) /$1 break;
+			limit_req             zone=auth_throttle burst={{ NGMERGED.config.throttle_login_burst }} nodelay;
+			limit_req_status      429;
+			proxy_pass            http://{{ GLOBALS.manager }}:4433;
+			proxy_read_timeout    90;
+			proxy_connect_timeout 90;
+			proxy_set_header      Host $host;
+			proxy_set_header      X-Real-IP $remote_addr;
+			proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header      Proxy "";
+			proxy_set_header      X-Forwarded-Proto $scheme;
+		}
+
+		location ~ ^/auth/.*?(whoami|logout|settings) {
 			rewrite               /auth/(.*) /$1 break;
 			proxy_pass            http://{{ GLOBALS.manager }}:4433;
 			proxy_read_timeout    90;
@@ -276,6 +293,7 @@ http {
 
 		error_page 401 = @error401;
 		error_page 403 = @error403;
+		error_page 429 = @error429;
 
 		location @error401 {
 			add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
@@ -287,6 +305,10 @@ http {
 			return        302 /auth/self-service/login/browser;
 		}
 
+		location @error429 {
+			return        302 /login/?thr={{ (120 / NGMERGED.config.throttle_login_rate) | round | int }};
+		}
+
 		error_page 500 502 503 504 /50x.html;
 				location = /usr/share/nginx/html/50x.html {
 		}

salt/nginx/html/index.html

@@ -1,13 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<title>Security Onion - Hybrid Hunter</title>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
-<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
-</head>
-<body>
-Security Onion
-</body>
-</html>

salt/nginx/init.sls

@@ -2,6 +2,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'nginx/config.map.jinja' import NGMERGED %}
 
 include:
   - ssl
@@ -9,18 +10,11 @@ include:
 # Drop the correct nginx config based on role
 nginxconfdir:
   file.directory:
-    - name: /opt/so/conf/nginx/html
+    - name: /opt/so/conf/nginx
     - user: 939
     - group: 939
     - makedirs: True
 
-nginxhtml:
-  file.recurse:
-    - name: /opt/so/conf/nginx/html
-    - source: salt://nginx/html/
-    - user: 939
-    - group: 939
-
 nginxconf:
   file.managed:
     - name: /opt/so/conf/nginx/nginx.conf

salt/nginx/soc_nginx.yaml

@@ -20,3 +20,11 @@ nginx:
       advanced: True
       global: True
       helpLink: nginx.html
+    throttle_login_burst:
+      description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
+      global: True
+      helpLink: nginx.html
+    throttle_login_rate:
+      description: Number of login API requests per minute that can be processed without triggering a rate limit. Higher values allow more repeated login attempts. Requests are counted by unique client IP and averaged over time. Note that a single login flow will perform multiple requests to the login API, so this value will need to be adjusted accordingly.
+      global: True
+      helpLink: nginx.html