Formatting and add setting

2026-01-31 04:13:29 +01:00 · 2024-09-09 18:39:19 -04:00
parent e7a7a8609a
commit eab7828bfe
4 changed files with 45 additions and 13 deletions
--- a/salt/nginx/defaults.yaml
+++ b/salt/nginx/defaults.yaml
@@ -1,5 +1,6 @@
 nginx:
  enabled: False
+  external_suricata: False
  ssl:
    replace_cert: False
  config:
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -130,6 +130,9 @@ so-nginx:
      - /opt/so/conf/navigator/config.json:/opt/socore/html/navigator/assets/config.json:ro
      - /nsm/repo:/opt/socore/html/repo:ro
      - /nsm/rules:/nsm/rules:ro
+      {%   if NGINXMERGED.external_suricata %}
+      - /opt/so/rules/nids/suri:/surirules:ro
+      {%   endif %}
      {% endif %}
      {% if DOCKER.containers[container_config].custom_bind_mounts %}
        {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -116,6 +116,29 @@ http {
 			autoindex_localtime on;
 		}
 	}
+	{%-   if NGINXMERGED.external_suricata %}
+    server {
+        listen 7789 ssl http2;
+        server_name {{ GLOBALS.url_base }};
+        root /surirules;
+        location / {
+        allow all;
+        sendfile on;
+        sendfile_max_chunk 1m;
+        autoindex on;
+        autoindex_exact_size off;
+        autoindex_format html;
+        autoindex_localtime on;
+		ssl_certificate "/etc/pki/nginx/server.crt";
+		ssl_certificate_key "/etc/pki/nginx/server.key";
+		ssl_session_cache shared:SSL:1m;
+		ssl_session_timeout  10m;
+		ssl_ciphers HIGH:!aNULL:!MD5;
+		ssl_prefer_server_ciphers on;
+		ssl_protocols TLSv1.2;
+        }
+    }
+    {%-   endif %}

 	server {
 		listen       443 ssl http2;
@@ -251,20 +274,20 @@ http {
 			proxy_cookie_path     /api/ /influxdb/api/;
 		}

-                location /app/dashboards/ {
-                         auth_request          /auth/sessions/whoami;
-                         rewrite               /app/dashboards/(.*) /app/dashboards/$1 break;
-                         proxy_pass            http://{{ GLOBALS.manager }}:5601/app/;
-                         proxy_read_timeout    300;
-                         proxy_connect_timeout 300;
-                         proxy_set_header      Host $host;
-                         proxy_set_header      X-Real-IP $remote_addr;
-                         proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-                         proxy_set_header      Proxy "";
-                         proxy_set_header      X-Forwarded-Proto $scheme;
-                } 
+        location /app/dashboards/ {
+            auth_request          /auth/sessions/whoami;
+            rewrite               /app/dashboards/(.*) /app/dashboards/$1 break;
+            proxy_pass            http://{{ GLOBALS.manager }}:5601/app/;
+            proxy_read_timeout    300;
+            proxy_connect_timeout 300;
+            proxy_set_header      Host $host;
+            proxy_set_header      X-Real-IP $remote_addr;
+            proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header      Proxy "";
+            proxy_set_header      X-Forwarded-Proto $scheme;
+        } 
               
-                location /kibana/ {
+        location /kibana/ {
 			auth_request          /auth/sessions/whoami;
 			rewrite               /kibana/(.*) /$1 break;
 			proxy_pass            http://{{ GLOBALS.manager }}:5601/;
--- a/salt/nginx/soc_nginx.yaml
+++ b/salt/nginx/soc_nginx.yaml
@@ -3,6 +3,11 @@ nginx:
    description: You can enable or disable Nginx.
    advanced: True
    helpLink: nginx.html
+  external_suricata:
+    description: Enable this to allow external access to Suricata Rulesets managed by Detections.
+    advanced: True
+    helplink: nginx.html
+    forcedType: bool
  ssl:
    replace_cert:
      description: Enable this if you would like to replace the Security Onion Certificate with your own.