diff --git a/salt/nginx/defaults.yaml b/salt/nginx/defaults.yaml
index 088ba9257..3e36233e7 100644
--- a/salt/nginx/defaults.yaml
+++ b/salt/nginx/defaults.yaml
@@ -1,5 +1,6 @@
 nginx:
 enabled: False
+ external_suricata: False
 ssl:
 replace_cert: False
 config:
diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls
index 273fb65be..91ea0fd24 100644
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -130,6 +130,9 @@ so-nginx:
 - /opt/so/conf/navigator/config.json:/opt/socore/html/navigator/assets/config.json:ro
 - /nsm/repo:/opt/socore/html/repo:ro
 - /nsm/rules:/nsm/rules:ro
+ {% if NGINXMERGED.external_suricata %}
+ - /opt/so/rules/nids/suri:/surirules:ro
+ {% endif %}
 {% endif %}
 {% if DOCKER.containers[container_config].custom_bind_mounts %}
 {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index 52ea68daa..72ba07b89 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -116,6 +116,29 @@ http {
 autoindex_localtime on;
 }
 }
+ {%- if NGINXMERGED.external_suricata %}
+ server {
+ listen 7789 ssl http2;
+ server_name {{ GLOBALS.url_base }};
+ root /surirules;
+ location / {
+ allow all;
+ sendfile on;
+ sendfile_max_chunk 1m;
+ autoindex on;
+ autoindex_exact_size off;
+ autoindex_format html;
+ autoindex_localtime on;
+ ssl_certificate "/etc/pki/nginx/server.crt";
+ ssl_certificate_key "/etc/pki/nginx/server.key";
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 10m;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ }
+ }
+ {%- endif %}
 server {
 listen 443 ssl http2;
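Review bot: The new bind mount in enabled.sls hands the whole of `/opt/so/rules/nids/suri` to the container, and the port 7789 server block added in nginx.conf serves that path with `autoindex on;` and no authentication, so every file that lands in the directory becomes downloadable, not only the rulesets. A Jinja comment above the mount would make that contract visible to whoever writes into the directory, for example `{# served without auth on 7789 when external_suricata is set; keep only publishable rule files here #}`. Nothing in the visible hunks publishes port 7789 on the so-nginx container; if the port binding is not added elsewhere, the listener will not be reachable. The mount sits inside an outer `{% if %}` whose condition is outside the hunk.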
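Review bot: The seven `ssl_*` directives in the new port 7789 server block of nginx.conf sit inside `location / { … }`, after `autoindex_localtime on;`. nginx documents `ssl_certificate`, `ssl_certificate_key`, `ssl_session_cache`, `ssl_ciphers` and `ssl_protocols` as valid only in `http` and `server` context, so the config test would be expected to fail once `external_suricata` is enabled; move them up to the `server` level, directly after `root /surirules;`. Separately, the location uses `allow all;` with no `auth_request`, unlike the `/app/dashboards/` and `/kibana/` locations in the same file, so the listing is readable by anyone who can reach the port. Which hosts may reach 7789 is decided outside this diff and is worth recording above the block, for example `# unauthenticated by design; confirm which firewall rule scopes access to 7789`.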
@@ -251,20 +274,20 @@ http {
 proxy_cookie_path /api/ /influxdb/api/;
 }
- location /app/dashboards/ {
- auth_request /auth/sessions/whoami;
- rewrite /app/dashboards/(.*) /app/dashboards/$1 break;
- proxy_pass http://{{ GLOBALS.manager }}:5601/app/;
- proxy_read_timeout 300;
- proxy_connect_timeout 300;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- }
+ location /app/dashboards/ {
+ auth_request /auth/sessions/whoami;
+ rewrite /app/dashboards/(.*) /app/dashboards/$1 break;
+ proxy_pass http://{{ GLOBALS.manager }}:5601/app/;
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Proxy "";
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
- location /kibana/ {
+ location /kibana/ {
 auth_request /auth/sessions/whoami;
 rewrite /kibana/(.*) /$1 break;
 proxy_pass http://{{ GLOBALS.manager }}:5601/;
diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml
index 924a45ae9..56bbd888f 100644
--- a/salt/nginx/soc_nginx.yaml
+++ b/salt/nginx/soc_nginx.yaml
@@ -3,6 +3,11 @@ nginx:
 description: You can enable or disable Nginx.
 advanced: True
 helpLink: nginx.html
+ external_suricata:
+ description: Enable this to allow external access to Suricata Rulesets managed by Detections.
+ advanced: True
+ helplink: nginx.html
+ forcedType: bool
 ssl:
 replace_cert:
 description: Enable this if you would like to replace the Security Onion Certificate with your own.
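Review bot: The added key in soc_nginx.yaml is spelled `helplink`, while the existing entry just above it uses `helpLink`; if the consumer matches keys case-sensitively, the help link for this setting will be missing, so the line should read `helpLink: nginx.html`. The description could also say that the rulesets are served without authentication on port 7789, since an operator toggling this setting sees only this text, for example `description: Enable this to allow unauthenticated external access on port 7789 to Suricata Rulesets managed by Detections.`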