By Adrian | April 24, 2019
This is part 2 of TheHive/Cortex/MISP build. In this part I’ll add a reverse proxy to TheHive. Links to the previous articles are here:
Part I - Building TheHive
Part II - Setup reverse proxy for TheHive
Part III - Building MISP
Part IV - Building Cortex
Part V - Adding analyzers to Cortex
Part VI - Setup reverse proxy for Cortex
Part VII - Integrate TheHive and Cortex
Part VIII - Integrate MISP to TheHive
Part IX - Upgrading TheHive
Part X - Updating MISP
Part XI - Upgrading Cortex
Part XII - Wrapup of TheHive, MISP, Cortex
“Not Secure” is not something I want to see in the browser for anything I set up, especially when there are free tools out there that can enable https, so this post is a follow-on to the previous post where I set up an instance of TheHive. TheHive has documented issues when running https directly against the application; the preferred way is to set up a reverse proxy, and there is config for doing this with nginx, so I figured I may as well document the steps that I took. This setup will be completed on the same box where TheHive was installed.
Install Pre-Reqs
So that we can generate our certificate using LetsEncrypt, we need to install a few items
# Install certbot components
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx
# The route53 DNS plugin for certbot is installed with pip, so install python3-pip first
sudo apt install python3-pip
sudo pip3 install certbot-dns-route53
Now we need to get the awscli package and configure it. Ensure that you have configured programmatic access for the AWS account you plan to use.
# Get the awscli package
sudo apt-get install awscli
# You can configure the aws credentials with this command. You will need to create an account in AWS with the correct permissions
sudo aws configure
Generate the certificate
sudo certbot certonly --dns-route53 -d 'thehive.example.com' --server https://acme-v02.api.letsencrypt.org/directory
All going well, you should have the .pem files saved out under /etc/letsencrypt/live/thehive.example.com/, e.g. fullchain.pem
Configure nginx
First start the service and enable on reboot using these commands:
sudo systemctl start nginx
sudo systemctl enable nginx
Set up the directory where the pem files will reside and copy in the required pem files.
NOTE: This will need to be scripted to auto-renew and recopy the files. I’m sure there is another way that’s better, such as specifying the path to the pem files in the letsencrypt folder instead of copying them over. I’ll test that out when it’s time to renew the certificate.
sudo mkdir /etc/nginx/ssl
sudo cp /etc/letsencrypt/live/thehive.example.com/cert.pem /etc/nginx/ssl/thehive_cert.pem
sudo cp /etc/letsencrypt/live/thehive.example.com/privkey.pem /etc/nginx/ssl/thehive_key.pem
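The renewal problem flagged in the note above, as an added example that is not part of the original post: a script that certbot can run via its --deploy-hook option after every successful renewal. It copies the renewed files into /etc/nginx/ssl under the names the post uses and reloads nginx, so the manual cp step is not repeated by hand. Assumptions: certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) to deploy hooks, which it does; the destination directory, file names and reload command are the ones from the post. Note that it copies fullchain.pem rather than cert.pem, so that nginx serves the intermediate certificate along with the leaf and clients do not have to fetch it themselves.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that installs a
# renewed certificate for the nginx reverse proxy in front of TheHive.
# Assumed: certbot sets RENEWED_LINEAGE for --deploy-hook scripts; destination
# directory /etc/nginx/ssl and file names thehive_cert.pem / thehive_key.pem
# come from the post.
set -eu

# install_cert LINEAGE_DIR DEST_DIR RELOAD_CMD
# Copies fullchain.pem and privkey.pem from LINEAGE_DIR into DEST_DIR under the
# names the nginx config expects, then runs RELOAD_CMD. Returns non-zero (and
# does not reload) if the lineage is incomplete.
install_cert() {
    lineage="$1"
    dest="$2"
    reload_cmd="$3"

    # Refuse to touch the live files if certbot did not leave a complete lineage.
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "install_cert: missing or empty $lineage/$f" >&2
            return 1
        fi
    done

    mkdir -p "$dest"
    # fullchain.pem (leaf + intermediates) is what ssl_certificate should point at;
    # cert.pem alone leaves clients to locate the intermediate on their own.
    cp "$lineage/fullchain.pem" "$dest/thehive_cert.pem.tmp"
    cp "$lineage/privkey.pem"   "$dest/thehive_key.pem.tmp"
    chmod 0644 "$dest/thehive_cert.pem.tmp"
    chmod 0600 "$dest/thehive_key.pem.tmp"
    # Rename into place so nginx never reads a half-written file.
    mv "$dest/thehive_cert.pem.tmp" "$dest/thehive_cert.pem"
    mv "$dest/thehive_key.pem.tmp"  "$dest/thehive_key.pem"

    # Reload only after the config re-parses, so a bad config cannot take TheHive offline.
    sh -c "$reload_cmd"
}

# When invoked by certbot (RENEWED_LINEAGE is set), do the real installation.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" /etc/nginx/ssl "nginx -t && nginx -s reload"
fi
```

Save it as, for example, /usr/local/sbin/thehive-cert-hook.sh, make it executable, and pass it to certbot with --deploy-hook on the certonly command (or add it to the renewal config), so that the timer certbot installs handles both renewal and the copy.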
Confirm that the nginx config is OK
sudo nginx -t
Create /etc/nginx/sites-enabled/thehive.conf with the following config
server {
    # The ssl parameter on listen is all that is needed; a separate "ssl on;"
    # is redundant and is rejected by newer nginx releases.
    listen 443 ssl;
    server_name thehive.example.com;

    # Relative paths resolve against the nginx prefix (/etc/nginx on Ubuntu),
    # i.e. the files copied into /etc/nginx/ssl above.
    ssl_certificate ssl/thehive_cert.pem;
    ssl_certificate_key ssl/thehive_key.pem;

    # TheHive can be slow to answer some requests and accepts large uploads,
    # so relax the proxy timeouts and the request body limit.
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    client_max_body_size 2G;
    proxy_buffering off;
    client_header_buffer_size 8k;

    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        # nginx terminates TLS and forwards to TheHive's own HTTP listener on localhost port 9000
        proxy_pass http://127.0.0.1:9000/;
        proxy_http_version 1.1;
    }
}
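A hardened variant of the same server block, added here as an example and not taken from the post. It keeps the post's certificate paths, timeouts and upstream address (127.0.0.1:9000) and adds a plain-HTTP redirect to HTTPS, a TLS 1.2/1.3-only policy, the always flag on the HSTS header so it is also sent on error responses, and the X-Forwarded-* headers so the upstream sees the original client address and scheme. The directive names and values are standard nginx; the header set is an assumption about what suits TheHive and should be checked against the application before use.

```nginx
# Added hardened variant of the post's server block (example, not from the post).
# Certificate paths and the upstream address are the ones used in the post.

# Redirect plain HTTP to HTTPS so credentials are never sent over http://.
server {
    listen 80;
    server_name thehive.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name thehive.example.com;

    ssl_certificate ssl/thehive_cert.pem;
    ssl_certificate_key ssl/thehive_key.pem;

    # Modern TLS only; let clients choose among the server's default cipher suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Don't advertise the nginx version in headers and error pages.
    server_tokens off;

    # Same generous limits as the post: TheHive requests can be slow and uploads large.
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    client_max_body_size 2G;
    proxy_buffering off;
    client_header_buffer_size 8k;

    # "always" makes nginx add these on 4xx/5xx responses too, not only on 2xx/3xx.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;

    location / {
        proxy_pass http://127.0.0.1:9000/;
        proxy_http_version 1.1;
        # Pass the original host, client address and scheme through to TheHive.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because add_header is set at server level and the location block declares no add_header of its own, the three headers are inherited by the proxied responses; adding any add_header inside location would stop that inheritance, so keep them in one place.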
Reload the nginx config with this command
sudo nginx -s reload
Test that you can access your instance of TheHive via https now. It should be working!