Setup Reverse Proxy for TheHive

By Adrian | April 24, 2019

This is part 2 of the TheHive/Cortex/MISP build. In this part I’ll add a reverse proxy to TheHive. Links to the other articles in the series are here:

Part I - Building TheHive
Part II - Setup reverse proxy for TheHive
Part III - Building MISP
Part IV - Building Cortex
Part V - Adding analyzers to Cortex
Part VI - Setup reverse proxy for Cortex
Part VII - Integrate TheHive and Cortex
Part VIII - Integrate MISP to TheHive
Part IX - Upgrading TheHive
Part X - Updating MISP
Part XI - Upgrading Cortex
Part XII - Wrapup of TheHive, MISP, Cortex

“Not Secure” is not something I want to see in the browser for anything I set up, especially when there are free tools out there that can enable HTTPS, so this post follows on from the previous one, where I set up an instance of TheHive. TheHive has documented issues when running HTTPS against the application itself, the preferred way is to set up a reverse proxy, and there is config for completing this using nginx, so I figured I may as well document the steps that I took. This setup will be completed on the same box where TheHive was installed.

Install Pre-Reqs

So that we can generate our certificate using Let's Encrypt, we need to install a few items.

# Install certbot components
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx

# So we can add in the route53 extension to certbot we need to install python3-pip
sudo apt install python3-pip
sudo pip3 install certbot-dns-route53

Now we need to get the awscli package and configure it. Ensure that you have configured programmatic access for the account you plan to use.

# Get the awscli package
sudo apt-get install awscli

# You can configure the aws credentials with this command.  You will need to create an account in AWS with the correct permissions
sudo aws configure

Generate the certificate

sudo certbot certonly --dns-route53 -d 'thehive.example.com' --server https://acme-v02.api.letsencrypt.org/directory

All going well, you should have the .pem files saved out to /etc/letsencrypt/live/thehive.example.com/ (for example /etc/letsencrypt/live/thehive.example.com/fullchain.pem).

Configure nginx

First start the service and enable on reboot using these commands:

sudo systemctl start nginx
sudo systemctl enable nginx

Set up the folder where the pem files will reside and copy in the required pem files.
NOTE: This will need to be scripted to auto-renew and recopy the files. I’m sure there is a better way, such as pointing nginx at the pem files in the letsencrypt folder instead of copying them over. I’ll test that out when it’s time to renew the certificate.

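sudo mkdir -p /etc/nginx/ssl
# Use fullchain.pem (leaf plus intermediates); cert.pem alone leaves the chain incomplete for clients
sudo cp /etc/letsencrypt/live/thehive.example.com/fullchain.pem /etc/nginx/ssl/thehive_cert.pem
sudo cp /etc/letsencrypt/live/thehive.example.com/privkey.pem /etc/nginx/ssl/thehive_key.pem
# Keep the private key readable by root only
sudo chmod 600 /etc/nginx/ssl/thehive_key.pem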

Confirm that the nginx config is OK

sudo nginx -t

Create /etc/nginx/sites-enabled/thehive.conf with the following config

server {
  listen 443 ssl;
  server_name thehive.example.com;

  # "ssl on;" dropped: the directive is deprecated and "listen 443 ssl" above already enables TLS
  ssl_certificate       ssl/thehive_cert.pem;
  ssl_certificate_key   ssl/thehive_key.pem;

  proxy_connect_timeout   600;
  proxy_send_timeout      600;
  proxy_read_timeout      600;
  send_timeout            600;
  client_max_body_size    2G;
  proxy_buffering off;
  client_header_buffer_size 8k;

  location / {
    add_header              Strict-Transport-Security "max-age=31536000; includeSubDomains";
    proxy_pass              http://127.0.0.1:9000/;
    proxy_http_version      1.1;
  }
}

Reload the nginx config with this command

sudo nginx -s reload

Test that you can access your instance of TheHive via https now. It should be working!
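
The NOTE in the nginx section says the copy into /etc/nginx/ssl has to be repeated at every renewal. One way to script it is a certbot deploy hook, shown here as an added example that is not part of the original post. The file name and hook location are assumptions; certbot sets RENEWED_LINEAGE, and the hook installs fullchain.pem so nginx serves the intermediate chain.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook.
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/thehive-nginx.sh
# certbot runs deploy hooks only after a successful renewal and exports
# RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/thehive.example.com

# Copy one PEM file into place atomically with the given mode.
install_pem() {
    src=$1; dst=$2; mode=$3
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    tmp="$dst.new.$$"
    # install sets the mode at creation, so the key is never world-readable
    install -m "$mode" "$src" "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dst"
}

# deploy_thehive_cert LINEAGE_DIR DEST_DIR
deploy_thehive_cert() {
    lineage=$1; dest=$2
    mkdir -p "$dest" || return 1
    # Validate both inputs before touching the files nginx is using
    [ -s "$lineage/fullchain.pem" ] && [ -s "$lineage/privkey.pem" ] || {
        echo "incomplete lineage: $lineage" >&2; return 1; }
    install_pem "$lineage/fullchain.pem" "$dest/thehive_cert.pem" 644 &&
    install_pem "$lineage/privkey.pem"   "$dest/thehive_key.pem"  600
}

# Act only when certbot calls us for the TheHive certificate; reload nginx
# only if the copy succeeded and the resulting config still validates.
case "${RENEWED_LINEAGE:-}" in
    */thehive.example.com)
        deploy_thehive_cert "$RENEWED_LINEAGE" /etc/nginx/ssl &&
        nginx -t && nginx -s reload ;;
esac
```

Make the script executable and owned by root; `sudo certbot renew --dry-run` exercises the renewal path without issuing a new certificate.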