From 45a3a5294836815e4c803c118b041d7241b17505 Mon Sep 17 00:00:00 2001
From: root <root@srv3.soctools.grena.ge>
Date: Mon, 18 Jul 2022 14:01:41 +0400
Subject: [PATCH] Merge ports branch and configure restrictions by HAProxy ACLs
---
 access.ips | 62 +++++++++++++++++
 configure.sh | 68 +++++++++++++++++--
 generate_haproxy_whitelis_files.sh | 11 +++
 roles/build/templates/cassandra/Dockerfile.j2 | 1 -
 roles/build/templates/cortex/Dockerfile.j2 | 1 -
 .../templates/elasticsearch/Dockerfile.j2 | 1 -
 roles/build/templates/keycloak/Dockerfile.j2 | 3 -
 roles/build/templates/kibana/Dockerfile.j2 | 1 -
 roles/build/templates/misp/Dockerfile.j2 | 3 -
 roles/build/templates/mysql/Dockerfile.j2 | 1 -
 roles/build/templates/nifi/Dockerfile.j2 | 3 -
 .../templates/odfekibana/Dockerfile-kibana.j2 | 1 -
 roles/build/templates/thehive/Dockerfile.j2 | 1 -
 roles/build/templates/zookeeper/Dockerfile.j2 | 3 -
 roles/docker/tasks/haproxy.yml | 11 +--
 roles/docker/tasks/keycloak.yml | 2 -
 roles/docker/tasks/misp.yml | 2 -
 roles/docker/tasks/odfekibana.yml | 2 -
 roles/haproxy/tasks/init.yml | 17 +++++
 roles/haproxy/tasks/main.yml | 2 +
 roles/haproxy/tasks/update-config.yml | 16 +++++
 roles/haproxy/templates/haproxy.cfg.j2 | 55 ++++++++-------
 22 files changed, 208 insertions(+), 59 deletions(-)
 create mode 100644 access.ips
 create mode 100755 generate_haproxy_whitelis_files.sh
diff --git a/access.ips b/access.ips
new file mode 100644
index 0000000..0e75ef9
--- /dev/null
+++ b/access.ips
@@ -0,0 +1,62 @@
+### HAProxy Stats - Start ###
+172.22.0.0/16
+### HAProxy Stats - End ###
+
+
+### Nifi Management - Start ###
+172.22.0.0/16
+0.0.0.0/0
+::/0
+### Nifi Management - End ###
+
+
+### Nifi ports - Start ###
+172.22.0.0/16
+0.0.0.0/0
+::/0
+### Nifi ports - End ###
+
+
+### ODFE - Start ###
+172.22.0.0/16
+### ODFE - End ###
+
+
+### KeyCloak - Start ###
+172.22.0.0/16
+0.0.0.0/0
+::/0
+### KeyCloak - End ###
+
+
+### TheHive - Start ###
+172.22.0.0/16
+0.0.0.0/0
+::/0
+### TheHive - End ###
+
+
+### Cortex - Start ###
+172.22.0.0/16
+0.0.0.0/0
+::/0
+### Cortex - End ###
+
+
+### MISP - Start ###
+172.22.0.0/16
+0.0.0.0/0
+::/0
+### MISP - End ###
+
+
+### User Management UI - Start ###
+0.0.0.0/0
+::/0
+### User Management UI - End ###
+
+
+### Kibana - Start ###
+0.0.0.0/0
+::/0
+#### Kibana - End ###
diff --git a/configure.sh b/configure.sh
index 4746181..1533ed6 100755
--- a/configure.sh
+++ b/configure.sh
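Review bot: The closing marker `#### Kibana - End ###` carries four `#` while every other marker has three, so the extractor in generate_haproxy_whitelis_files.sh only finds it because it matches the substring `Kibana - End`; make it `### Kibana - End ###` so the file follows the "lines starting with `###`" rule that configure.sh prints to the operator. This file has no header even though it is the one artifact an operator is asked to edit; a comment block before the first marker stating one IPv4/IPv6 address or CIDR prefix per line, that marker lines must not be changed, that `0.0.0.0/0` and `::/0` mean reachable from anywhere, and that an emptied section (as far as I can tell) ends up rejecting every client of that service, would be skipped by the extractor, which only copies lines between markers, and would put the security defaults where they are edited.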
@@ -1,5 +1,65 @@
 #!/bin/bash
 set -e
+
+wait () {
+ secs=${1}
+ while [ $secs -gt 0 ]; do
+ echo -ne "$secs\033[0K\r"
+ sleep 1
+ : $((secs--))
+ done
+}
+
+echo "By default, all services except HAProxy stats and ODFE are public! Do you want to modify accesses to the services?"
+read -p "(yes|no) [no] : " MODIFY
+MODIFY=${MODIFY:-no}
+case $MODIFY in
+ yes|Yes|YES )
+ echo modify
+ echo "please enter(command) which editor want to use for modification(it should be installed already and you should be able to use it)"
+ read -p "[vi] : " EDITOR
+ EDITOR=${EDITOR:-vi}
+ if [[ ( $EDITOR = "vi" ) || $EDITOR = "vim" ]]; then
+ if `which $EDITOR > /dev/null 2>&1`; then
+ echo "Instruction: "
+ echo -e "\t 1. press i to edit file"
+ echo -e "\t 2. modify file based on your needs"
+ echo -e "\t 3. to save changes use followng sequence: 'Esc : wq' and press enter"
+ echo "to discurd changes, use: 'Esc : q!' and press enter"
+ wait 15
+ $EDITOR access.ips
+ else
+ echo "$EDITOR not found. install it and start over"
+ exit 1
+ fi
+ else
+ if `which $EDITOR > /dev/null 2>&1`; then
+ $EDITOR access.ips
+ else
+ echo "$EDITOR not found. install it and start over"
+ exit 1
+ fi
+ fi
+ ;;
+ no|No|NO )
+ echo no
+ ;;
+ * )
+ echo "Unknown answer, not modifing access rules!"
+ wait 5
+ ;;
+esac
+
+./generate_haproxy_whitelis_files.sh
+if [ $? -gt 0 ]; then
+ echo "error occured, please check access.ips file structure. lines starting with '###' should not be modified"
+ exit 1
+else
+ echo "access restrictions configured successfully"
+ wait 5
+fi
+
+
 if [ -f group_vars/all/variables.yml ]; then
 echo "Variables file (group_vars/all/variables.yml) is configure manually. please take a look if everything is correct and move to next step"
 cat group_vars/all/variables.yml
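Review bot: The `if [ $? -gt 0 ]` check after `./generate_haproxy_whitelis_files.sh` never runs when the generator fails, because the file's `set -e` (line 2) aborts the script at the failing command, so the hint about the `###` marker lines is never shown; write it as `if ! ./generate_haproxy_whitelis_files.sh; then … else … fi`. The new `wait ()` function shadows the bash builtin `wait` for the whole script, including the four `sleep`→`wait` replacements in the later hunks of this file; a name like `countdown` keeps the builtin usable if a background job is ever added, and `secs` should be declared `local`. The editor test ``if `which $EDITOR > /dev/null 2>&1`; then`` only works because an empty command substitution leaves the substituted command's status behind; the intended form is `if command -v "$EDITOR" >/dev/null 2>&1; then`, and the two `$EDITOR access.ips` invocations should quote the variable. `read -p "[vi] : " EDITOR` also overwrites any exported EDITOR before `${EDITOR:-vi}` is evaluated, so the caller's editor preference is always discarded; reading into a separate variable and defaulting it to `${EDITOR:-vi}` preserves it.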
@@ -27,7 +87,7 @@ else
 echo "DN - Distinguished Name of the user, for user certificate"
 echo "CN - Common Name of the user, for user certificate"
 echo "Email will be generated automatically in Username@Domain format becouse of format restrictions in some services"
- sleep 10
+ wait 10
 for i in firstname lastname username; do
 read -p "${i}: " $i
 if [ -z $i ]; then
@@ -41,7 +101,7 @@ else
 echo
 echo
 echo
- sleep 2
+ wait 2
 echo "Please check the gethered variables and type 'yes' if everything is correct: "
 echo "soctoolsproxy: $soctoolsproxy"
 echo "domain: $domain"
@@ -52,7 +112,7 @@ else
 echo "CN: $CN"
 echo
 echo
- sleep 10
+ wait 10
 read -p "Correct? type 'yes' or 'no': " ANSWER
 if [ $ANSWER = "yes" ]; then
 if ! [ -f group_vars/all/variables.template ]; then
@@ -72,7 +132,7 @@ else
 echo
 echo
 echo "variables file generated (group_vars/all/variables.yml)"
- sleep 2
+ wait 2
 echo "move to next command to deploy the soctools cluster."
 echo 'Thank You!'
 fi
diff --git a/generate_haproxy_whitelis_files.sh b/generate_haproxy_whitelis_files.sh
new file mode 100755
index 0000000..1ddb6da
--- /dev/null
+++ b/generate_haproxy_whitelis_files.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+awk '/HAProxy Stats - Start/{flag=1; next} /HAProxy Stats - End/{flag=0} flag' access.ips > roles/haproxy/files/stats_whitelist.lst
+awk '/Nifi Management - Start/{flag=1; next} /Nifi Management - End/{flag=0} flag' access.ips > roles/haproxy/files/nifi_whitelist.lst
+awk '/Nifi ports - Start/{flag=1; next} /Nifi ports - End/{flag=0} flag' access.ips > roles/haproxy/files/nifiports_whitelist.lst
+awk '/ODFE - Start/{flag=1; next} /ODFE - End/{flag=0} flag' access.ips > roles/haproxy/files/odfe_whitelist.lst
+awk '/KeyCloak - Start/{flag=1; next} /KeyCloak - End/{flag=0} flag' access.ips > roles/haproxy/files/keycloak_whitelist.lst
+awk '/TheHive - Start/{flag=1; next} /TheHive - End/{flag=0} flag' access.ips > roles/haproxy/files/thehive_whitelist.lst
+awk '/Cortex - Start/{flag=1; next} /Cortex - End/{flag=0} flag' access.ips > roles/haproxy/files/cortex_whitelist.lst
+awk '/MISP - Start/{flag=1; next} /MISP - End/{flag=0} flag' access.ips > roles/haproxy/files/misp_whitelist.lst
+awk '/User Management UI - Start/{flag=1; next} /User Management UI - End/{flag=0} flag' access.ips > roles/haproxy/files/user-mgmt-ui_whitelist.lst
+awk '/Kibana - Start/{flag=1; next} /Kibana - End/{flag=0} flag' access.ips > roles/haproxy/files/kibana_whitelist.lst
diff --git a/roles/build/templates/cassandra/Dockerfile.j2 b/roles/build/templates/cassandra/Dockerfile.j2
index f5d2a60..1be98c2 100644
--- a/roles/build/templates/cassandra/Dockerfile.j2
+++ b/roles/build/templates/cassandra/Dockerfile.j2
@@ -16,5 +16,4 @@ RUN echo "[cassandra]" > /etc/yum.repos.d/cassandra.repo && \
 sed -i -e 's,/etc/cassandra,/usr/share/cassandra,g' /usr/share/cassandra/cassandra.in.sh && \
 yum -y clean all
 COPY cassandrasupervisord.conf /etc/supervisord.conf
-EXPOSE 7000 9042
 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
diff --git a/roles/build/templates/cortex/Dockerfile.j2 b/roles/build/templates/cortex/Dockerfile.j2
index a6488ad..7d6de8f 100644
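Review bot: The script's exit status is only that of the last `awk` and there is no `set -e`, so a failure in any earlier line (unreadable access.ips, unwritable roles/haproxy/files) is invisible to the `$?` check in configure.sh; add `set -euo pipefail` and fail early when the input is missing. Nothing validates what is copied into the lists either: a stray word between two markers lands in a `*_whitelist.lst` that HAProxy loads with `src -f`, which I expect to break config parsing at container start rather than during `configure.sh`, and an emptied section yields an empty list that, as far as I can tell, rejects every client of that service without any warning. The rewrite below folds the ten near-identical lines into one helper that extracts a section and checks that every non-empty line looks like an address or CIDR prefix. The file name also reads `whitelis` (missing the `t`) and is referenced that way from configure.sh; worth fixing while the file is new.
```shell
#!/bin/bash
set -euo pipefail
src=access.ips
dst=roles/haproxy/files
[ -r "$src" ] || { echo "$src not found or not readable" >&2; exit 1; }

# $1 = label used in the '### <label> - Start/End ###' markers, $2 = list name
extract() {
  local out="$dst/$2_whitelist.lst"
  awk -v s="$1" '$0 ~ s " - Start" {flag=1; next} $0 ~ s " - End" {flag=0} flag' "$src" > "$out"
  # coarse sanity check: only IPv4/IPv6 literals or CIDR prefixes may reach HAProxy's src -f
  if grep -Ev '^$|^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$' "$out"; then
    echo "invalid entry in section '$1' of $src (printed above)" >&2
    exit 1
  fi
  [ -s "$out" ] || echo "warning: section '$1' of $src is empty" >&2
}

extract 'HAProxy Stats' stats
extract 'Nifi Management' nifi
extract 'Nifi ports' nifiports
# … unchanged in spirit: one extract call each for odfe, keycloak, thehive, cortex, misp, user-mgmt-ui, kibana …
```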
--- a/roles/build/templates/cortex/Dockerfile.j2 +++ b/roles/build/templates/cortex/Dockerfile.j2 @@ -23,6 +23,5 @@ RUN echo "[thehive-project]" > /etc/yum.repos.d/thehive.repo && \ for I in analyzers/*/requirements.txt; do LC_ALL=en_US.UTF-8 pip3 install --no-cache-dir -U -r $I || true; done && \ for I in responders/*/requirements.txt; do LC_ALL=en_US.UTF-8 pip3 install --no-cache-dir -U -r $I || true; done && \ yum -y clean all -EXPOSE 9001 COPY cortexsupervisord.conf /etc/supervisord.conf ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] diff --git a/roles/build/templates/elasticsearch/Dockerfile.j2 b/roles/build/templates/elasticsearch/Dockerfile.j2 index 6f273d6..7947f24 100644 --- a/roles/build/templates/elasticsearch/Dockerfile.j2 +++ b/roles/build/templates/elasticsearch/Dockerfile.j2 @@ -17,6 +17,5 @@ RUN rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \ RUN echo 'elasticsearch ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers -EXPOSE 9200 9300 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] diff --git a/roles/build/templates/keycloak/Dockerfile.j2 b/roles/build/templates/keycloak/Dockerfile.j2 index 561a646..1b1d181 100644 --- a/roles/build/templates/keycloak/Dockerfile.j2 +++ b/roles/build/templates/keycloak/Dockerfile.j2 @@ -34,9 +34,6 @@ ENV PATH="/opt/jboss/keycloak/bin:${PATH}" WORKDIR /opt/jboss/keycloak -EXPOSE 8080 -EXPOSE 8443 - RUN echo 'jboss ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers COPY keycloaksupervisord.conf /etc/supervisord.conf diff --git a/roles/build/templates/kibana/Dockerfile.j2 b/roles/build/templates/kibana/Dockerfile.j2 index ef2a476..db7d064 100644 --- a/roles/build/templates/kibana/Dockerfile.j2 +++ b/roles/build/templates/kibana/Dockerfile.j2 
@@ -17,7 +17,6 @@ RUN rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \ RUN echo 'kibana ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers -EXPOSE 5601 COPY kibanasupervisord.conf /etc/supervisord.conf ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] diff --git a/roles/build/templates/misp/Dockerfile.j2 b/roles/build/templates/misp/Dockerfile.j2 index 4f7518b..f5e6557 100644 --- a/roles/build/templates/misp/Dockerfile.j2 +++ b/roles/build/templates/misp/Dockerfile.j2 @@ -80,9 +80,6 @@ RUN chown -R apache:apache /var/www/MISP ; \ COPY misp_rh-php72-php-fpm /etc/logrotate.d/rh-php72-php-fpm -# 80/443 - MISP web server, 3306 - mysql, 6379 - redis, 6666 - MISP modules, 50000 - MISP ZeroMQ -EXPOSE 80 443 6443 6379 6666 50000 - ENV PATH "$PATH:/opt/rh/rh-php72/root/bin/" COPY mispsupervisord.conf /etc/supervisord.conf diff --git a/roles/build/templates/mysql/Dockerfile.j2 b/roles/build/templates/mysql/Dockerfile.j2 index 393eb3f..6ce391e 100644 --- a/roles/build/templates/mysql/Dockerfile.j2 +++ b/roles/build/templates/mysql/Dockerfile.j2 @@ -6,7 +6,6 @@ RUN yum -y update && yum install -y epel-release centos-release-scl scl-utils && /usr/bin/scl enable rh-mariadb103 -- /opt/rh/rh-mariadb103/root/usr/libexec/mysql-prepare-db-dir /var/opt/rh/rh-mariadb103/lib/mysql RUN yum clean all -EXPOSE 3306 COPY mysqlsupervisord.conf /etc/supervisord.conf ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] diff --git a/roles/build/templates/nifi/Dockerfile.j2 b/roles/build/templates/nifi/Dockerfile.j2 index f85cf47..1216169 100644 --- a/roles/build/templates/nifi/Dockerfile.j2 +++ b/roles/build/templates/nifi/Dockerfile.j2 
@@ -82,9 +82,6 @@ RUN curl -fSL ${MIRROR_BASE_URL}/${NIFI_BINARY_PATH} -o ${NIFI_BASE_DIR}/nifi-${ # Clear nifi-env.sh in favour of configuring all environment variables in the Dockerfile RUN echo "#!/bin/sh\n" > $NIFI_HOME/bin/nifi-env.sh -# Web HTTP(s) & Socket Site-to-Site Ports -EXPOSE 8080 8443 10000 8000 - WORKDIR ${NIFI_HOME} # Apply configuration and start NiFi diff --git a/roles/build/templates/odfekibana/Dockerfile-kibana.j2 b/roles/build/templates/odfekibana/Dockerfile-kibana.j2 index 05a1c40..e61707f 100644 --- a/roles/build/templates/odfekibana/Dockerfile-kibana.j2 +++ b/roles/build/templates/odfekibana/Dockerfile-kibana.j2 @@ -17,7 +17,6 @@ RUN rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \ RUN echo 'kibana ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers -EXPOSE 5601 COPY kibanasupervisord.conf /etc/supervisord.conf ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] diff --git a/roles/build/templates/thehive/Dockerfile.j2 b/roles/build/templates/thehive/Dockerfile.j2 index c1df6fa..fa330f3 100644 --- a/roles/build/templates/thehive/Dockerfile.j2 +++ b/roles/build/templates/thehive/Dockerfile.j2 @@ -15,6 +15,5 @@ RUN echo "[thehive-project]" > /etc/yum.repos.d/thehive.repo && \ mkdir -p /home/thehive && \ chown -R thehive:thehive /home/thehive /etc/thehive && \ yum -y clean all -EXPOSE 9000 COPY thehivesupervisord.conf /etc/supervisord.conf ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] diff --git a/roles/build/templates/zookeeper/Dockerfile.j2 b/roles/build/templates/zookeeper/Dockerfile.j2 index 19ae977..7215fb6 100644 --- a/roles/build/templates/zookeeper/Dockerfile.j2 +++ b/roles/build/templates/zookeeper/Dockerfile.j2 
@@ -24,9 +24,6 @@ RUN curl -fSL ${MIRROR_BASE_URL}/${ZOOKEEPER_BINARY_PATH} -o ${ZOOKEEPER_BASE_DI && rm ${ZOOKEEPER_BASE_DIR}/apache-zookeeper-${ZOOKEEPER_VERSION}-bin.tar.gz \ && cp ${ZOOKEEPER_BASE_DIR}/zookeeper/conf/zoo_sample.cfg ${ZOOKEEPER_BASE_DIR}/zookeeper/conf/zoo.cfg -# Web HTTP(s) & Socket Site-to-Site Ports -EXPOSE 2181 2888 3888 - WORKDIR ${ZOOKEEPER_BASE_DIR}/zookeeper #ENTRYPOINT ["/opt/zookeeper/bin/zkServer.sh"] diff --git a/roles/docker/tasks/haproxy.yml b/roles/docker/tasks/haproxy.yml index 4eca955..6353030 100644 --- a/roles/docker/tasks/haproxy.yml +++ b/roles/docker/tasks/haproxy.yml @@ -9,17 +9,18 @@ - name: "{{ soctools_netname}}" networks_cli_compatible: yes published_ports: - - "443:443" - - "5443:5443" - "8888:8888" - - "8443:8443" - "9443:9443" - "9200:9200" - "7750:7750" - - "5000-5099:5000-5099" - - "6000-6099:6000-6099" - "9000:9000" - "9001:9001" + - "12443:12443" + - "5601:5601" + - "5443:5443" + - "6443:6443" + - "5000-5099:5000-5099" + - "6000-6099:6000-6099" interactive: "yes" tags: - start-docker-containers diff --git a/roles/docker/tasks/keycloak.yml b/roles/docker/tasks/keycloak.yml index dfc073c..7193449 100644 --- a/roles/docker/tasks/keycloak.yml +++ b/roles/docker/tasks/keycloak.yml @@ -8,8 +8,6 @@ networks: - name: "{{ soctools_netname }}" networks_cli_compatible: yes - published_ports: - - "12443:8443" interactive: "yes" with_items: "{{ groups['keycloakcontainers'] }}" tags: diff --git a/roles/docker/tasks/misp.yml b/roles/docker/tasks/misp.yml index 953f386..acba5ea 100644 --- a/roles/docker/tasks/misp.yml +++ b/roles/docker/tasks/misp.yml @@ -9,8 +9,6 @@ - name: "{{ soctools_netname}}" interactive: "yes" networks_cli_compatible: yes - published_ports: - - "6443:6443" tags: - start-docker-containers diff --git a/roles/docker/tasks/odfekibana.yml b/roles/docker/tasks/odfekibana.yml index af56622..8426ce6 100644 --- a/roles/docker/tasks/odfekibana.yml +++ b/roles/docker/tasks/odfekibana.yml 
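Review bot: `"7750:7750"` stays in `published_ports` although this commit removes the only `listen nifiservtcp77{{port}}` and `listen nifiservtcp7771` sections from roles/haproxy/templates/haproxy.cfg.j2, so the host now forwards 7750 to a port HAProxy no longer binds unless a listener outside the shown hunks covers it; drop the line or restore the listener. The list publishes every service on all host interfaces, which makes the per-service whitelist files the single access-control layer even for the listeners whose lists default to `172.22.0.0/16` (stats, if `8888` is its bind, and ODFE on `9200`); binding those two entries to a specific host address, e.g. `- "<management-ip>:8888:8888"`, keeps them off the public interface even if a list is regenerated wrongly. A short comment above `published_ports:`, such as `# all service ports terminate on HAProxy; client filtering is done by the *_whitelist.lst files in the haproxy role`, would also explain to the next reader why the per-container `published_ports` were removed from keycloak.yml, misp.yml and odfekibana.yml.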
@@ -8,8 +8,6 @@ networks: - name: "{{ soctools_netname }}" networks_cli_compatible: yes - published_ports: - - "5601:5601" interactive: "yes" with_items: "{{ groups['odfekibanacontainers'] }}" tags: diff --git a/roles/haproxy/tasks/init.yml b/roles/haproxy/tasks/init.yml index a64cc79..aaf8aa3 100644 --- a/roles/haproxy/tasks/init.yml +++ b/roles/haproxy/tasks/init.yml @@ -6,6 +6,23 @@ src: haproxy.cfg.j2 dest: /usr/local/etc/haproxy/haproxy.cfg +- name: Copy acl files + ansible.builtin.copy: + src: "{{ item }}_whitelist.lst" + dest: /usr/local/etc/haproxy/ + mode: '0644' + with_items: + - stats + - nifi + - nifiports + - odfe + - keycloak + - thehive + - cortex + - misp + - user-mgmt-ui + - kibana + - name: Create required directories file: path: "{{ item }}" diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index d0fb7ab..22c71d3 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -20,3 +20,5 @@ tags: - restart - restart-haproxy + - update-config + - update-haproxy-config diff --git a/roles/haproxy/tasks/update-config.yml b/roles/haproxy/tasks/update-config.yml index dc5cb8b..58506a4 100644 --- a/roles/haproxy/tasks/update-config.yml +++ b/roles/haproxy/tasks/update-config.yml @@ -6,3 +6,19 @@ src: haproxy.cfg.j2 dest: /usr/local/etc/haproxy/haproxy.cfg +- name: Copy acl files + ansible.builtin.copy: + src: "{{ item }}_whitelist.lst" + dest: /usr/local/etc/haproxy/ + mode: '0644' + with_items: + - stats + - nifi + - nifiports + - odfe + - keycloak + - thehive + - cortex + - misp + - user-mgmt-ui + - kibana diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2 index 3166247..8a92792 100644 --- a/roles/haproxy/templates/haproxy.cfg.j2 +++ b/roles/haproxy/templates/haproxy.cfg.j2 
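Review bot: The `Copy acl files` task is duplicated verbatim in roles/haproxy/tasks/update-config.yml (the later hunk on this line); move it to a shared task file included from both so that a list added later cannot drift between first deployment and config update. The item names also mirror the outputs of generate_haproxy_whitelis_files.sh; if one is missing the `copy` fails and HAProxy is left untouched, which is the right failure mode, but a comment such as `# one client-address list per listener, generated from access.ips by generate_haproxy_whitelis_files.sh; HAProxy will not start without them` would make the coupling explicit. Since the task already uses the `ansible.builtin.copy` FQCN, `loop:` rather than `with_items:` would match current Ansible style.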
@@ -23,6 +23,7 @@ listen stats stats uri / stats realm HAProxy Statistics stats auth haproxy:{{lookup('password', '{{playbook_dir}}/secrets/passwords/haproxy_stats')}} + tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/stats_whitelist.lst } listen nifiserv bind *:9443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1 @@ -35,6 +36,7 @@ listen nifiserv {% for nifihost in groups['nificontainers'] %} server {{nifihost}} {{nifihost}}:9443 ssl check verify none {% endfor %} + tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/nifi_whitelist.lst } listen odfeserv bind *:9200 ssl crt /etc/ssl/haproxy alpn h2,http/1.1 @@ -47,9 +49,10 @@ listen odfeserv {% for odfehost in groups['odfeescontainers'] %} server {{odfehost}} {{odfehost}}:9200 ssl check verify none {% endfor %} + tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/odfe_whitelist.lst } listen keycloakserv - bind *:10443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1 + bind *:12443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1 mode http maxconn 5000 fullconn 5000 @@ -59,6 +62,7 @@ listen keycloakserv {% for keycloakhost in groups['keycloakcontainers'] %} server {{keycloakhost}} {{keycloakhost}}:8443 ssl check verify none {% endfor %} + tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/keycloak_whitelist.lst } listen thehiveserv bind *:9000 ssl crt /etc/ssl/haproxy alpn h2,http/1.1 @@ -72,6 +76,7 @@ listen thehiveserv {% for thehivehost in groups['thehive'] %} server {{thehivehost}} {{thehivehost}}:9000 check verify none {% endfor %} + tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/thehive_whitelist.lst } listen cortexserv bind *:9001 ssl crt /etc/ssl/haproxy alpn h2,http/1.1 
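Review bot: The added `tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/stats_whitelist.lst }` (and the identical rules in the nifiserv, odfeserv, keycloakserv, thehiveserv, cortexserv, kibanaserv, mispserv, user-mgmt-ui and nifiports hunks) filter on the L4 peer address, which is the right choice because it cannot be set by a client header, but it only reflects the real client when Docker delivers the published port by DNAT; a connection relayed by the userland docker-proxy (for instance an IPv6 client reaching an IPv4-only bridge) arrives with the bridge gateway as its source, which sits inside the `172.22.0.0/16` range the stats and ODFE lists treat as trusted — this is inferred from the Docker setup rather than visible here, so it should be verified with a connection from an IPv6 host. Mitigations that do not depend on the proxy's behaviour are binding the internal-only listeners to a specific host address in roles/docker/tasks/haproxy.yml, disabling the userland proxy, and keeping trusted ranges narrower than the whole bridge subnet. A comment above the first rule, `# client filter: the L4 source must be listed in <service>_whitelist.lst; HAProxy refuses to start if the file is missing and, as far as I can tell, a list with no entries admits nobody`, would document the fail-closed behaviour the operator relies on.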
@@ -85,9 +90,10 @@ listen cortexserv {% for cortexhost in groups['cortex'] %} server {{cortexhost}} {{cortexhost}}:9001 check verify none {% endfor %} + tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/cortex_whitelist.lst } -listen user-mgmt-ui - bind *:5443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1 +listen kibanaserv + bind *:5601 ssl crt /etc/ssl/haproxy alpn h2,http/1.1 mode http maxconn 5000 fullconn 5000 
@@ -95,39 +101,36 @@ listen user-mgmt-ui option tcpka option forwardfor option httplog - server soctools_server {{ soctools_network_gw }}:8050 +{% for kibanahost in groups['odfekibanacontainers'] %} + server {{kibanahost}} {{kibanahost}}:5601 ssl check verify none +{% endfor %} + tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/kibana_whitelist.lst } -{% for port in range(50, 60) %} -listen nifiservtcp77{{port}} - bind *:77{{port}} - mode tcp +listen mispserv + bind *:6443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1 + mode http maxconn 5000 fullconn 5000 balance source option tcpka - option tcp-check - option tcplog - tcp-check connect port 77{{port}} -{% for nifihost in groups['nificontainers'] %} - server {{nifihost}} {{nifihost}}:77{{port}} check - -{% endfor %} + option forwardfor + option httplog +{% for misphost in groups['mispcontainers'] %} + server {{misphost}} {{misphost}}:6443 ssl check verify none {% endfor %} + tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/misp_whitelist.lst } - -listen nifiservtcp7771 - bind *:7771 - mode tcp +listen user-mgmt-ui + bind *:5443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1 + mode http maxconn 5000 fullconn 5000 balance source option tcpka - option tcp-check - option tcplog - tcp-check connect port 7771 -{% for nifihost in groups['nificontainers'] %} - server {{nifihost}} {{nifihost}}:7771 check -{% endfor %} + option forwardfor + option httplog + server soctools_server {{ soctools_network_gw }}:8050 + tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/user-mgmt-ui_whitelist.lst } {% for port in range(5000, 5020) %} @@ -142,6 +145,7 @@ listen nifiservhttp{{port}} {% for nifihost in groups['nificontainers'] %} server {{nifihost}} {{nifihost}}:{{port}} check {% endfor %} + tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/nifiports_whitelist.lst } {% endfor %} 
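Review bot: Every new `server` line in kibanaserv and mispserv uses `ssl check verify none`, like the pre-existing backends, so HAProxy never authenticates the backend certificate; now that the listeners are the only access-control point it is worth a comment stating why verification is off, or pointing the servers at the deployment's CA with `ca-file` and `verify required` instead of `verify none`. The same block (`mode http` through `option httplog` plus the reject rule) is now repeated for nine listeners, and the reject rule is the easiest line to forget when the next service is added; a Jinja macro taking the listener name, port, host group and list name, or moving the `maxconn`/`fullconn`/`balance`/`option` lines into `defaults`, would keep the ACL rule in one place. The `listen user-mgmt-ui` section ends inside this hunk but the `{% for port in range(5000, 5020) %}` block it is followed by continues outside it.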
@@ -160,5 +164,6 @@ listen nifiservtcp{{port}} {% for nifihost in groups['nificontainers'] %} server {{nifihost}} {{nifihost}}:{{port}} check {% endfor %} + tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/nifiports_whitelist.lst } {% endfor %} -- GitLab