diff --git a/salt/nginx/defaults.yaml b/salt/nginx/defaults.yaml index 3c520888a..088ba9257 100644 --- a/salt/nginx/defaults.yaml +++ b/salt/nginx/defaults.yaml @@ -1,6 +1,7 @@ nginx: enabled: False - config: + ssl: replace_cert: False + config: throttle_login_burst: 12 throttle_login_rate: 20 diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 93c5e4ebc..fb56674b2 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -7,11 +7,79 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'nginx/map.jinja' import NGINXMERGED %} +{% set ca_server = GLOBALS.minion_id %} include: - nginx.config - nginx.sostatus +{# if the user has selected to replace the crt and key in the ui #} +{% if NGINXMERGED.ssl.replace_cert %} + +managerssl_key: + file.managed: + - name: /etc/pki/managerssl.key + - source: salt://nginx/ssl/ssl.key + - mode: 640 + - group: 939 + - watch_in: + - docker_container: so-nginx + +managerssl_crt: + file.managed: + - name: /etc/pki/managerssl.crt + - source: salt://nginx/ssl/ssl.crt + - mode: 644 + - watch_in: + - docker_container: so-nginx + +{% else %} + +managerssl_key: + x509.private_key_managed: + - name: /etc/pki/managerssl.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%} + - prereq: + - x509: /etc/pki/managerssl.crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + - watch_in: + - docker_container: so-nginx + +# Create a cert for the reverse proxy +managerssl_crt: + x509.certificate_managed: + - name: /etc/pki/managerssl.crt + - ca_server: {{ ca_server }} + - signing_policy: managerssl + - private_key: /etc/pki/managerssl.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - days_remaining: 0 + - days_valid: 820 + - backup: True + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + - watch_in: + - docker_container: so-nginx + +{% endif %} + +msslkeyperms: + file.managed: + - replace: False + - name: /etc/pki/managerssl.key + - mode: 640 + - group: 939 + make-rule-dir-nginx: file.directory: - name: /nsm/rules @@ -74,12 +142,17 @@ so-nginx: - file: nginxconfdir - require: - file: nginxconf - {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} +{% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} +{% if NGINXMERGED.ssl.replace_cert %} + - file: managerssl_key + - file: managerssl_crt +{% else %} - x509: managerssl_key - x509: managerssl_crt +{% endif%} - file: navigatorconfig - file: navigatordefaultlayer - {% endif %} +{% endif %} delete_so-nginx_so-status.disabled: file.uncomment: diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index 8b362a538..924a45ae9 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml @@ -3,27 +3,29 @@ nginx: description: You can enable or disable Nginx. advanced: True helpLink: nginx.html - config: + ssl: replace_cert: description: Enable this if you would like to replace the Security Onion Certificate with your own. global: True advanced: True + forcedType: bool title: Replace Default Cert helpLink: nginx.html ssl__key: - description: If you enabled the replace_cert option, paste your .key file here. + description: If you enabled the replace_cert option, paste the contents of your .key file here. file: True - title: SSL Key File + title: SSL/TLS Key File advanced: True global: True helpLink: nginx.html ssl__crt: - description: If you enabled the replace_cert option, paste your .crt file here. + description: If you enabled the replace_cert option, paste the contents of your .crt file here. file: True - title: SSL Cert File + title: SSL/TLS Cert File advanced: True global: True helpLink: nginx.html + config: throttle_login_burst: description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow. global: True diff --git a/salt/nginx/config/ssl.crt b/salt/nginx/ssl/ssl.crt similarity index 100% rename from salt/nginx/config/ssl.crt rename to salt/nginx/ssl/ssl.crt diff --git a/salt/nginx/config/ssl.key b/salt/nginx/ssl/ssl.key similarity index 100% rename from salt/nginx/config/ssl.key rename to salt/nginx/ssl/ssl.key diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 358357459..376900f33 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -76,12 +76,6 @@ influxdb_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -121,12 +115,6 @@ redis_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -169,12 +157,6 @@ etc_elasticfleet_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -250,12 +232,6 @@ etc_elasticfleetlogstash_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -359,12 +335,6 @@ etc_filebeat_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -436,10 +406,6 @@ registry_crt: - days_remaining: 0 - days_valid: 820 - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - timeout: 30 - retry: attempts: 5 @@ -478,12 +444,6 @@ regkeyperms: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -507,48 +467,6 @@ elasticp12perms: - mode: 640 - group: 930 -managerssl_key: - x509.private_key_managed: - - name: /etc/pki/managerssl.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%} - - prereq: - - x509: /etc/pki/managerssl.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -# Create a cert for the reverse proxy -managerssl_crt: - x509.certificate_managed: - - name: /etc/pki/managerssl.crt - - ca_server: {{ ca_server }} - - signing_policy: managerssl - - private_key: /etc/pki/managerssl.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -msslkeyperms: - file.managed: - - replace: False - - name: /etc/pki/managerssl.key - - mode: 640 - - group: 939 - {% endif %} @@ -587,12 +505,6 @@ conf_filebeat_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -647,10 +559,6 @@ chownfilebeatp8: - days_remaining: 0 - days_valid: 820 - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - timeout: 30 - retry: attempts: 5