CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-09 18:52:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Reverse Proxy - The Big Commit

Browse Source
This commit is contained in:
Mike Reeves
2018-10-10 21:24:24 -04:00
parent 2760012741
commit 8a25da1ee9
6 changed files with 107 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
salt/ca/files/signing_policies.conf
View File

@@ -25,3 +25,16 @@ x509_signing_policies:
- authorityKeyIdentifier: keyid,issuer:always - authorityKeyIdentifier: keyid,issuer:always
- days_valid: 3000 - days_valid: 3000
- copypath: /etc/pki/issued_certs/ - copypath: /etc/pki/issued_certs/
master:
- minions: '*'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical CA:false"
- keyUsage: "critical keyEncipherment"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: 3000
- copypath: /etc/pki/issued_certs/

5
salt/common/init.sls
View File

@@ -112,7 +112,7 @@ nginxtmp:
# Start the core docker # Start the core docker
so-core: so-core:
docker_container.running: docker_container.running:
- image: toosmooth/so-core:test2 - image: toosmooth/so-core:techpreview
- hostname: so-core - hostname: so-core
- user: socore - user: socore
- binds: - binds:
@@ -121,6 +121,9 @@ so-core:
- /opt/so/log/nginx/:/var/log/nginx:rw - /opt/so/log/nginx/:/var/log/nginx:rw
- /opt/so/tmp/nginx/:/var/lib/nginx:rw - /opt/so/tmp/nginx/:/var/lib/nginx:rw
- /opt/so/tmp/nginx/:/run:rw - /opt/so/tmp/nginx/:/run:rw
- /etc/pki/master.crt:/etc/pki/nginx/server.crt:ro
- /etc/pki/master.key:/etc/pki/nginx/server.key:ro
- cap_add: NET_BIND_SERVICE - cap_add: NET_BIND_SERVICE
- port_bindings: - port_bindings:
- 80:80 - 80:80

91
salt/common/nginx/nginx.conf.so-master
View File

@@ -1,3 +1,4 @@
{%- set masterip = salt['pillar.get']('master:mainip', '') %}
# For more information on configuration, see: # For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/ # * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/
@@ -35,16 +36,64 @@ http {
# for more information. # for more information.
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;
server { #server {
listen 80 default_server; # listen 80 default_server;
listen [::]:80 default_server; # listen [::]:80 default_server;
server_name _; # server_name _;
root /usr/share/nginx/html; # root /opt/socore/html;
# index index.html;
# Load configuration files for the default server block. # Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf; #include /etc/nginx/default.d/*.conf;
# location / {
# }
# error_page 404 /404.html;
# location = /40x.html {
# }
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
#}
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
# Settings for a TLS enabled server.
server {
listen 443 ssl http2 default_server;
#listen [::]:443 ssl http2 default_server;
server_name _;
root /opt/socore/html;
index index.html;
ssl_certificate "/etc/pki/nginx/server.crt";
ssl_certificate_key "/etc/pki/nginx/private/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
#include /etc/nginx/default.d/*.conf;
location / { location / {
try_files $uri $uri.html index.html;
}
location /app/kibana {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_pass http://{{ masterip }}:5601/;
} }
error_page 404 /404.html; error_page 404 /404.html;
@@ -56,34 +105,4 @@ http {
} }
} }
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
} }

20
salt/firewall/init.sls
View File

@@ -88,6 +88,15 @@ enable_docker_user_established:
# Rules if you are a Master # Rules if you are a Master
{% if grains['role'] == 'so-master' %} {% if grains['role'] == 'so-master' %}
#This should be more granular
iptables_allow_master_docker:
iptables.insert:
- table: filter
- chain: INPUT
- jump: ACCEPT
- source: 172.17.0.0/24
- position: 1
- save: True
{% for ip in pillar.get('masterfw') %} {% for ip in pillar.get('masterfw') %}
# Allow Redis # Allow Redis
@@ -216,6 +225,17 @@ enable_storagenode_redis_6379_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
enable_storagenode_ES_9300_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 9300
- position: 1
- save: True
{% endfor %} {% endfor %}
# Allow Beats Endpoints to send their beats traffic # Allow Beats Endpoints to send their beats traffic

2
salt/kibana/init.sls
View File

@@ -64,7 +64,7 @@ so-kibana:
- user: kibana - user: kibana
- environment: - environment:
- KIBANA_DEFAULTAPPID=dashboard/94b52620-342a-11e7-9d52-4f090484f59e - KIBANA_DEFAULTAPPID=dashboard/94b52620-342a-11e7-9d52-4f090484f59e
- ELASTICSEARCH_HOST=172.17.0.7 - ELASTICSEARCH_HOST={{ master }}
- ELASTICSEARCH_PORT=9200 - ELASTICSEARCH_PORT=9200
- MASTER={{ master }} - MASTER={{ master }}
- binds: - binds:

14
salt/ssl/init.sls
View File

@@ -63,6 +63,20 @@ fbcrtlink:
bits: 4096 bits: 4096
backup: True backup: True
# Create a cert for the reverse proxy
/etc/pki/master.crt:
x509.certificate_managed:
- ca_server: {{ master }}
- signing_policy: master
- public_key: /etc/pki/master.key
- CN: {{ master }}
- days_remaining: 3000
- backup: True
- managed_private_key:
name: /etc/pki/master.key
bits: 4096
backup: True
{% endif %} {% endif %}
{% if grains['role'] == 'so-SENSOR' %} {% if grains['role'] == 'so-SENSOR' %}