Reverse Proxy - The Big Commit

salt/ca/files/signing_policies.conf

@@ -25,3 +25,16 @@ x509_signing_policies:
     - authorityKeyIdentifier: keyid,issuer:always
     - days_valid: 3000
     - copypath: /etc/pki/issued_certs/
+    master:
+      - minions: '*'
+      - signing_private_key: /etc/pki/ca.key
+      - signing_cert: /etc/pki/ca.crt
+      - C: US
+      - ST: Utah
+      - L: Salt Lake City
+      - basicConstraints: "critical CA:false"
+      - keyUsage: "critical keyEncipherment"
+      - subjectKeyIdentifier: hash
+      - authorityKeyIdentifier: keyid,issuer:always
+      - days_valid: 3000
+      - copypath: /etc/pki/issued_certs/

salt/common/init.sls

@@ -112,7 +112,7 @@ nginxtmp:
 # Start the core docker
 so-core:
   docker_container.running:
-    - image: toosmooth/so-core:test2
+    - image: toosmooth/so-core:techpreview
     - hostname: so-core
     - user: socore
     - binds:
@@ -121,6 +121,9 @@ so-core:
       - /opt/so/log/nginx/:/var/log/nginx:rw
       - /opt/so/tmp/nginx/:/var/lib/nginx:rw
       - /opt/so/tmp/nginx/:/run:rw
+      - /etc/pki/master.crt:/etc/pki/nginx/server.crt:ro
+      - /etc/pki/master.key:/etc/pki/nginx/server.key:ro
+
     - cap_add: NET_BIND_SERVICE
     - port_bindings:
       - 80:80

salt/common/nginx/nginx.conf.so-master

@@ -1,3 +1,4 @@
+{%- set masterip = salt['pillar.get']('master:mainip', '') %}
 # For more information on configuration, see:
 #   * Official English Documentation: http://nginx.org/en/docs/
 #   * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -35,16 +36,64 @@ http {
     # for more information.
     include /etc/nginx/conf.d/*.conf;
 
-    server {
-        listen       80 default_server;
-        listen       [::]:80 default_server;
-        server_name  _;
-        root         /usr/share/nginx/html;
+    #server {
+    #    listen       80 default_server;
+    #    listen       [::]:80 default_server;
+    #    server_name  _;
+    #    root         /opt/socore/html;
+    #    index        index.html;
 
         # Load configuration files for the default server block.
-        include /etc/nginx/default.d/*.conf;
+        #include /etc/nginx/default.d/*.conf;
+
+    #    location / {
+    #    }
+
+    #    error_page 404 /404.html;
+    #        location = /40x.html {
+    #    }
+
+    #    error_page 500 502 503 504 /50x.html;
+    #        location = /50x.html {
+    #    }
+    #}
+    server {
+	      listen 80 default_server;
+	      server_name _;
+	      return 301 https://$host$request_uri;
+    }
+
+
+# Settings for a TLS enabled server.
+
+    server {
+        listen       443 ssl http2 default_server;
+        #listen       [::]:443 ssl http2 default_server;
+        server_name  _;
+        root         /opt/socore/html;
+        index        index.html;
+
+        ssl_certificate "/etc/pki/nginx/server.crt";
+        ssl_certificate_key "/etc/pki/nginx/private/server.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        # Load configuration files for the default server block.
+        #include /etc/nginx/default.d/*.conf;
 
         location / {
+            try_files $uri $uri.html index.html;
+        }
+
+        location /app/kibana {
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection 'upgrade';
+          proxy_set_header Host $host;
+          proxy_cache_bypass $http_upgrade;
+          proxy_pass http://{{ masterip }}:5601/;
         }
 
         error_page 404 /404.html;
@@ -56,34 +105,4 @@ http {
         }
     }
 
-# Settings for a TLS enabled server.
-#
-#    server {
-#        listen       443 ssl http2 default_server;
-#        listen       [::]:443 ssl http2 default_server;
-#        server_name  _;
-#        root         /usr/share/nginx/html;
-#
-#        ssl_certificate "/etc/pki/nginx/server.crt";
-#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
-#        ssl_session_cache shared:SSL:1m;
-#        ssl_session_timeout  10m;
-#        ssl_ciphers HIGH:!aNULL:!MD5;
-#        ssl_prefer_server_ciphers on;
-#
-#        # Load configuration files for the default server block.
-#        include /etc/nginx/default.d/*.conf;
-#
-#        location / {
-#        }
-#
-#        error_page 404 /404.html;
-#            location = /40x.html {
-#        }
-#
-#        error_page 500 502 503 504 /50x.html;
-#            location = /50x.html {
-#        }
-#    }
-
 }

salt/firewall/init.sls

@@ -88,6 +88,15 @@ enable_docker_user_established:
 
 # Rules if you are a Master
 {% if grains['role'] == 'so-master' %}
+#This should be more granular
+iptables_allow_master_docker:
+  iptables.insert:
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - source: 172.17.0.0/24
+    - position: 1
+    - save: True
 
 {% for ip in pillar.get('masterfw')  %}
 # Allow Redis
@@ -216,6 +225,17 @@ enable_storagenode_redis_6379_{{ip}}:
     - position: 1
     - save: True
 
+enable_storagenode_ES_9300_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 9300
+    - position: 1
+    - save: True
+
 {% endfor %}
 
 # Allow Beats Endpoints to send their beats traffic

salt/kibana/init.sls

@@ -64,7 +64,7 @@ so-kibana:
     - user: kibana
     - environment:
       - KIBANA_DEFAULTAPPID=dashboard/94b52620-342a-11e7-9d52-4f090484f59e
-      - ELASTICSEARCH_HOST=172.17.0.7
+      - ELASTICSEARCH_HOST={{ master }}
       - ELASTICSEARCH_PORT=9200
       - MASTER={{ master }}
     - binds:

salt/ssl/init.sls

@@ -63,6 +63,20 @@ fbcrtlink:
         bits: 4096
         backup: True
 
+# Create a cert for the reverse proxy
+/etc/pki/master.crt:
+  x509.certificate_managed:
+    - ca_server: {{ master }}
+    - signing_policy: master
+    - public_key: /etc/pki/master.key
+    - CN: {{ master }}
+    - days_remaining: 3000
+    - backup: True
+    - managed_private_key:
+        name: /etc/pki/master.key
+        bits: 4096
+        backup: True
+
 {% endif %}
 {% if grains['role'] == 'so-SENSOR' %}