NGINX fun

This commit is contained in:
Mike Reeves
2022-09-19 16:11:49 -04:00
parent 22e8c7ef3e
commit cb2e46f275
6 changed files with 37 additions and 29 deletions


@@ -0,0 +1 @@
# Replace this text with the text from the .crt


@@ -0,0 +1 @@
# Replace this text with the text from the .crt

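--- a/salt/nginx/defaults.yaml
+++ b/salt/nginx/defaults.yaml
@@ -0,0 +1,3 @@
+nginx:
+config:
+replace_cert: False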
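Review bot: `replace_cert: False` uses a capitalized boolean; YAML 1.1 loaders accept it, but the canonical, parser-independent form is lowercase, `replace_cert: false`, and the same applies to the `True` values under `global`, `advanced` and `file` in the new `salt/nginx/soc_nginx.yaml` section later in this commit. Both new files also lack a `---` document start. The rendered page drops indentation, so the nesting (`config` under `nginx`, `replace_cert` under `config`) is inferred here rather than visible.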


@@ -1,11 +1,5 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- set role = grains.id.split('_') | last %} {%- set role = grains.id.split('_') | last %}
{%- set manager_ip = salt['pillar.get']('global:managerip', '') %}
{%- set url_base = salt['pillar.get']('global:url_base') %}
{%- set airgap = salt['pillar.get']('global:airgap', 'False') %}
worker_processes auto; worker_processes auto;
error_log /var/log/nginx/error.log; error_log /var/log/nginx/error.log;
pid /run/nginx.pid; pid /run/nginx.pid;
@@ -42,13 +36,13 @@ http {
server { server {
listen 80 default_server; listen 80 default_server;
server_name _; server_name _;
return 307 https://{{ url_base }}$request_uri; return 307 https://{{ GLOBALS.url_base }}$request_uri;
} }
server { server {
listen 443 ssl http2 default_server; listen 443 ssl http2 default_server;
server_name _; server_name _;
return 307 https://{{ url_base }}$request_uri; return 307 https://{{ GLOBALS.url_base }}$request_uri;
ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate "/etc/pki/nginx/server.crt";
ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_certificate_key "/etc/pki/nginx/server.key";
@@ -66,7 +60,7 @@ http {
server { server {
listen 7788; listen 7788;
server_name {{ url_base }}; server_name {{ GLOBALS.url_base }};
root /opt/socore/html/repo; root /opt/socore/html/repo;
location /rules/ { location /rules/ {
allow all; allow all;
@@ -81,7 +75,7 @@ http {
server { server {
listen 443 ssl http2; listen 443 ssl http2;
server_name {{ url_base }}; server_name {{ GLOBALS.url_base }};
root /opt/socore/html; root /opt/socore/html;
index index.html; index index.html;
@@ -100,7 +94,7 @@ http {
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) { location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) {
proxy_pass http://{{ manager_ip }}:9822; proxy_pass http://{{ GLOBALS.manager_ip }}:9822;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header x-user-id ""; proxy_set_header x-user-id "";
@@ -117,7 +111,7 @@ http {
auth_request /auth/sessions/whoami; auth_request /auth/sessions/whoami;
auth_request_set $userid $upstream_http_x_kratos_authenticated_identity_id; auth_request_set $userid $upstream_http_x_kratos_authenticated_identity_id;
proxy_set_header x-user-id $userid; proxy_set_header x-user-id $userid;
proxy_pass http://{{ manager_ip }}:9822/; proxy_pass http://{{ GLOBALS.manager_ip }}:9822/;
proxy_read_timeout 300; proxy_read_timeout 300;
proxy_connect_timeout 300; proxy_connect_timeout 300;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -131,7 +125,7 @@ http {
location ~ ^/auth/.*?(whoami|login|logout|settings) { location ~ ^/auth/.*?(whoami|login|logout|settings) {
rewrite /auth/(.*) /$1 break; rewrite /auth/(.*) /$1 break;
proxy_pass http://{{ manager_ip }}:4433; proxy_pass http://{{ GLOBALS.manager_ip }}:4433;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -188,7 +182,7 @@ http {
location /grafana/ { location /grafana/ {
auth_request /auth/sessions/whoami; auth_request /auth/sessions/whoami;
rewrite /grafana/(.*) /$1 break; rewrite /grafana/(.*) /$1 break;
proxy_pass http://{{ manager_ip }}:3000/; proxy_pass http://{{ GLOBALS.manager_ip }}:3000/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -201,7 +195,7 @@ http {
location /kibana/ { location /kibana/ {
auth_request /auth/sessions/whoami; auth_request /auth/sessions/whoami;
rewrite /kibana/(.*) /$1 break; rewrite /kibana/(.*) /$1 break;
proxy_pass http://{{ manager_ip }}:5601/; proxy_pass http://{{ GLOBALS.manager_ip }}:5601/;
proxy_read_timeout 300; proxy_read_timeout 300;
proxy_connect_timeout 300; proxy_connect_timeout 300;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -213,7 +207,7 @@ http {
location /nodered/ { location /nodered/ {
auth_request /auth/sessions/whoami; auth_request /auth/sessions/whoami;
proxy_pass http://{{ manager_ip }}:1880/; proxy_pass http://{{ GLOBALS.manager_ip }}:1880/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -227,7 +221,7 @@ http {
location /playbook/ { location /playbook/ {
auth_request /auth/sessions/whoami; auth_request /auth/sessions/whoami;
proxy_pass http://{{ manager_ip }}:3200/playbook/; proxy_pass http://{{ GLOBALS.manager_ip }}:3200/playbook/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -240,7 +234,7 @@ http {
location /soctopus/ { location /soctopus/ {
auth_request /auth/sessions/whoami; auth_request /auth/sessions/whoami;
proxy_pass http://{{ manager_ip }}:7000/; proxy_pass http://{{ GLOBALS.manager_ip }}:7000/;
proxy_read_timeout 300; proxy_read_timeout 300;
proxy_connect_timeout 300; proxy_connect_timeout 300;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -262,7 +256,7 @@ http {
if ($http_authorization = "") { if ($http_authorization = "") {
return 403; return 403;
} }
proxy_pass http://{{ manager_ip }}:9822/; proxy_pass http://{{ GLOBALS.manager_ip }}:9822/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header x-user-id ""; proxy_set_header x-user-id "";
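Review bot: The `airgap` pillar lookup removed at the top of this template has no visible replacement in these hunks, unlike `url_base` and `manager_ip`, which become `GLOBALS.url_base` and `GLOBALS.manager_ip`; if the 7788 repository server (the hunk around `listen 7788;`) or anything else in the template is still gated on `airgap` outside the shown lines, the template now renders against an undefined variable. The same pattern appears in the nginx state file further down, where the `ISAIRGAP` setting and its conditional `7788:7788` port binding are deleted outright, so the container no longer publishes the port that this server block listens on. Verify that both references were deliberately moved to the corresponding `GLOBALS` field, or that the 7788 server and its port binding are meant to go away together; the pre-existing `allow all;` under `location /rules/` is only reachable if that binding still exists. The enclosing `http {}` block and the 7788 server both begin and end outside the hunks.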


@@ -1,11 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% set MANAGER = salt['grains.get']('master') %}
{% set VERSION = salt['pillar.get']('global:soversion') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set ISAIRGAP = salt['pillar.get']('global:airgap') %}
include: include:
- ssl - ssl
@@ -85,7 +81,7 @@ navigatorenterpriseattack:
so-nginx: so-nginx:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-nginx:{{ VERSION }} - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }}
- hostname: so-nginx - hostname: so-nginx
- binds: - binds:
- /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
@@ -108,9 +104,6 @@ so-nginx:
- port_bindings: - port_bindings:
- 80:80 - 80:80
- 443:443 - 443:443
{% if ISAIRGAP is sameas true %}
- 7788:7788
{% endif %}
- watch: - watch:
- file: nginxconf - file: nginxconf
- file: nginxconfdir - file: nginxconfdir

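--- a/salt/nginx/soc_nginx.yaml
+++ b/salt/nginx/soc_nginx.yaml
@@ -0,0 +1,16 @@
+nginx:
+config:
+replace_cert:
+description: Replace the Security Onion Certigicate with your own?
+global: True
+advanced: True
+ssl__key:
+description: Paste your .key file here
+file: True
+title: SSL Key File
+advanced: True
+ssl__crt:
+description: Paste your .crt file here
+file: True
+title: SSL Cert File
+advanced: True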
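Review bot: `description: Replace the Security Onion Certigicate with your own?` misspells "Certificate"; change it to `description: Replace the Security Onion Certificate with your own?`. Separately, `ssl__key` takes a pasted private key as an ordinary `file: True` setting with nothing marking it as sensitive; if the annotation schema consumed by the SOC configuration UI supports flagging a value as a secret (masked when displayed, kept out of logs and diffs), that flag belongs here, and a short comment above `ssl__key` stating that the value is a private key would help the next maintainer either way. The state that writes these values to `/etc/pki/nginx/server.key` and `server.crt` (the paths in nginx.conf) is not part of this commit, so also confirm that it validates the pasted PEM before overwriting the working certificate, otherwise a bad paste takes the web UI down on the next nginx reload.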