OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Setup a Reverse Proxy with NGINX to support SSL #1893

Open AntoninHL opened 2 years ago

AntoninHL commented 2 years ago

Hello

As many of us, I want to set up SSL connectivity for my OpenCTI platform.

I use NGINX to do it, but it's not working. It seems the redirection to /dashboard is working... but I get a blank, empty page (nothing in the source code).

Here is the reverse-proxy.conf file that I have created.

Do you have any idea about "why"?

#Redirect all HTTP to HTTPS
server{
    listen 80;
    server_name my-server.domain.com;
    return 301 https://my-server.domain.com$request_uri;
}

#HTTPS and REDIRECT configuration
server {

    listen 443;
    server_name my-server.domain.com;

    #SSL Configuration
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    # Set the access log location
    access_log            /var/log/nginx/my-server.access.log;

    location / {

    # Set the proxy headers
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Configure which address the request is proxied to
      proxy_pass          http://localhost:8080;
      proxy_read_timeout  90;
    #  proxy_redirect      http://localhost:8080 https://my-server.domain.com;

      # Set the security headers
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; #HSTS
      add_header X-Frame-Options DENY; #Prevents clickjacking
      add_header X-Content-Type-Options nosniff; #Prevents mime sniffing
      add_header X-XSS-Protection "1; mode=block"; #Prevents cross-site scripting attacks
      add_header Referrer-Policy "origin"; #Idk what this actually does
    }
}

Environment

  1. OS Ubuntu 20.04
  2. OpenCTI 5.1.4
  3. OpenCTI client: python
  4. Other environment details: docker

Many thanks for your help
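Before looking at the application itself, a few settings in the posted vhost are worth checking: `listen 443;` without `ssl` means NGINX serves plaintext HTTP on port 443 (the `ssl on;` directive that was meant to cover this is deprecated since NGINX 1.15 and rejected by later releases), TLSv1 and TLSv1.1 are still enabled, and no WebSocket upgrade headers are passed to the backend. The script below is an added example, not code from the issue or from the OpenCTI project: it lints a vhost file for exactly those patterns and renders a hardened replacement. The `map`/`Upgrade` headers and `proxy_buffering off` assume the application behind the proxy uses WebSocket or long-lived event-stream connections; the hostname, certificate paths and upstream address are placeholders.

```shell
#!/bin/sh
# Added example (not OpenCTI project code): lint an NGINX vhost for the TLS
# mistakes visible in the posted config and render a hardened replacement.
# Hostnames, certificate paths and the upstream address are placeholders.

# Print one finding per line and return 1 if anything was found.
# Simple line matches, not a full NGINX parser.
lint_nginx_vhost() {
  f=$1
  found=0
  report() { echo "$1"; found=1; }
  # `listen 443;` without `ssl` serves plaintext HTTP on 443; a browser
  # starting a TLS handshake gets a garbled answer or an empty page.
  grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]*;' "$f" \
    && report "listen 443 without 'ssl': port 443 is served as plaintext"
  # `ssl on;` was deprecated in NGINX 1.15.0 and later removed.
  grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f" \
    && report "'ssl on;' is obsolete: use 'listen 443 ssl' instead"
  grep -Eq '^[[:space:]]*ssl_protocols[[:space:]].*TLSv1(\.1)?([[:space:]]|;)' "$f" \
    && report "TLSv1/TLSv1.1 enabled: allow only TLSv1.2 TLSv1.3"
  grep -q 'X-XSS-Protection' "$f" \
    && report "X-XSS-Protection is deprecated in browsers: prefer a Content-Security-Policy"
  return "$found"
}

# Write a hardened vhost for $1 (server name) to $5 and print its path.
# $2/$3 are the certificate and key paths, $4 the upstream URL.
render_hardened_vhost() {
  name=$1
  cert=$2
  key=$3
  upstream=$4
  out=$5
  cat > "$out" <<EOF
# Included at http level (e.g. /etc/nginx/conf.d/), so a map is allowed here.
map \$http_upgrade \$connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name $name;
    return 301 https://$name\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name $name;

    ssl_certificate     $cert;
    ssl_certificate_key $key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # "always" keeps the headers on error responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;

    location / {
        proxy_pass $upstream;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        # WebSocket upgrades and long-lived event streams (assumed to be
        # used by the application behind the proxy).
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \$connection_upgrade;
        proxy_buffering off;
        proxy_read_timeout 3600s;
    }
}
EOF
  echo "$out"
}

# Usage: sh nginx-vhost-check.sh /etc/nginx/conf.d/reverse-proxy.conf
if [ "$#" -eq 1 ]; then
  lint_nginx_vhost "$1" && echo "no findings in $1"
fi
```

Run the lint against the existing `reverse-proxy.conf` first; then render the hardened file into `conf.d/`, run `nginx -t`, and reload. HSTS with `preload` is left out on purpose: once a domain is submitted to the preload list it is hard to back out of, so add it only after the TLS setup has been stable for a while.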

nor3th commented 2 years ago

Hey @AntoninHL

I am using the jwilder nginx docker container for this purpose which works flawlessly. Here's the config the setup generates automatically.

# opencti.local
upstream opencti.local-upstream {
        # opencti4_opencti_1
        server 172.X.X.X:80;
}
server {
        server_name opencti.local;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        # Do not HTTPS redirect Let'sEncrypt ACME challenge
        location ^~ /.well-known/acme-challenge/ {
                auth_basic off;
                auth_request off;
                allow all;
                root /usr/share/nginx/html;
                try_files $uri =404;
                break;
        }
        location / {
                return 301 https://$host$request_uri;
        }
}
server {
        server_name opencti.local;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/local.crt;
        ssl_certificate_key /etc/nginx/certs/local.key;
        add_header Strict-Transport-Security "max-age=31536000" always;
        location / {
                proxy_pass http://opencti.local-upstream;
        }
}

Regards

AntoninHL commented 2 years ago

Hi @nor3th

Many thanks for the time you took to help me. I'm not sure what to do with what you provided me with. I'm not a developer or a Docker specialist. I'm a CTI expert... But I will try to do something.

Thanks.

dank07 commented 2 years ago

Do you have a specific requirement to use NGINX for the reverse proxy? If not, you could try to use Caddy to solve your requirement.

This has already been documented on their site if you want to take a look. https://www.notion.so/Using-Docker-03d5c0592b9d4547800cc9f4ff7be2b8#9f4f3285f51d4c4cb212764a3d9304ba

To take things a little further, you can integrate the docker-compose.yml of Caddy into the OpenCTI file to generate the reverse proxy at the moment OpenCTI starts. If you need more help, let me know.

AntoninHL commented 2 years ago

Hi @dank07

Many thanks for your help.

So I installed Caddy and created the Caddyfile config file:

opencti.mydomain.com {
        root * /usr/share/caddy
        file_server
        reverse_proxy http://xx.xx.xx.xx:8080
}

And I added some lines in my OpenCTI docker-compose.yml file:

version: '3.8'
services:

  caddy:
    image: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config

  redis:
    image: redis:6.2.6
    ...
    ...
networks:
  default:
    external: true
    name: opencti

volumes:
  ...
  caddy_data:
  caddy_config:

I restarted but I have this error:

root@opencti:/opt/opencti/docker# docker-compose up -d
[+] Running 6/6
 ⠿ caddy Pulled                                                                                                                                        6.5s
   ⠿ 97518928ae5f Already exists                                                                                                                       0.0s
   ⠿ 23ccae726125 Pull complete                                                                                                                        0.9s
   ⠿ 3de6a61c89ac Pull complete                                                                                                                        1.4s
   ⠿ 39ed957bdc00 Pull complete                                                                                                                        2.0s
   ⠿ 0ae44c2d42dd Pull complete                                                                                                                        2.3s
network opencti declared as external, but could not be found

In fact, I'm sure that the conf in network section is wrong, but I don't really understand the name: <your OpenCTI network name>

So I changed the conf in docker-compose.yml to adapt to the existing docker networks:

networks:
  default:
    external: true
    name: host

I restarted. And a new error: Error response from daemon: network-scoped alias is supported only for containers in user defined networks

I'm a little bit "lost"...

Many thanks again for your help

dank07 commented 2 years ago

Try removing all the declared values related to the network from the original Caddy docker-compose file in the modified version of the docker-compose file you're going to use.

As you are using the same .yml, the Caddy docker-compose network will be added to the opencti network by default. The result should be something like this:

services:

  caddy:
    image: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config

  redis:
    image: redis:6.2.6
    ...
    ...

volumes:
  ...
  caddy_data:
  caddy_config:

Best Regards

AntoninHL commented 2 years ago

Thanks @dank07

Now, I have this:

Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/opt/opencti/docker/Caddyfile" to rootfs at "/etc/caddy/Caddyfile" caused: mount through procfd: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
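The two compose errors in this exchange are both host-side problems that can be caught before `docker-compose up`. The "network opencti declared as external, but could not be found" message means no Docker network of that name exists (`host` is not a user-defined network either, which is what the later "network-scoped alias" error says). The "not a directory" mount error is Docker's behaviour for a short-syntax bind mount whose host path does not exist: it creates a directory at `./Caddyfile` and then cannot mount that directory over the file `/etc/caddy/Caddyfile` inside the image. The script below is an added example, not code from the thread or from the OpenCTI project; it reads the compose file, checks every relative bind-mount source on the host, and compares the networks declared `external: true` against the list Docker reports. The YAML handling is deliberately narrow (the indentation used in the thread's file) and the file paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not OpenCTI project code): pre-flight checks for a
# docker-compose file that adds a reverse proxy (Caddy here) to OpenCTI.
# It catches the two failures seen above before `docker-compose up` runs:
#   1. a relative bind-mount source that does not exist on the host: Docker
#      then creates a *directory* at that path and later fails to mount it
#      over a file inside the image ("not a directory");
#   2. a network declared `external: true` that Docker does not know about.

# Print "missing", "dir" or "file" for a bind-mount source; return 1 if missing.
bind_source_type() {
  if [ ! -e "$1" ]; then echo missing; return 1; fi
  if [ -d "$1" ]; then echo dir; else echo file; fi
}

# Print the names of networks declared `external: true` in the top-level
# `networks:` block, one per line. Deliberately narrow YAML handling: two-space
# indented network keys, four-space `external:` / `name:`. Without `name:`,
# compose uses the key itself as the network name.
external_network_names() {
  awk '
    function flush() { if (key != "" && ext) print (name != "" ? name : key); key = "" }
    /^networks:/                       { in_net = 1; next }
    in_net && /^[^ ]/                  { flush(); in_net = 0 }
    in_net && /^  [A-Za-z0-9_.-]+:/    { flush(); key = $1; sub(/:$/, "", key); ext = 0; name = "" }
    in_net && /^    external:[ ]*true/ { ext = 1 }
    in_net && /^    name:/             { name = $2 }
    END                                { flush() }
  ' "$1"
}

# Print each external network in $1 that is absent from $2, a newline-separated
# list of existing networks (e.g. `docker network ls --format '{{.Name}}'`).
missing_external_networks() {
  compose=$1
  existing=$2
  for n in $(external_network_names "$compose"); do
    printf '%s\n' "$existing" | grep -qx -- "$n" || echo "$n"
  done
}

# Usage: sh compose-preflight.sh /opt/opencti/docker/docker-compose.yml
if [ "$#" -eq 1 ]; then
  compose=$1
  dir=$(dirname "$compose")
  status=0
  # Every relative bind mount written as "- ./host/path:/container/path".
  for src in $(sed -n 's/^ *- \(\.\/[^:]*\):.*/\1/p' "$compose"); do
    kind=$(bind_source_type "$dir/$src") || status=1
    echo "$src: $kind"
  done
  missing=$(missing_external_networks "$compose" "$(docker network ls --format '{{.Name}}')")
  if [ -n "$missing" ]; then
    echo "external network(s) not found:" $missing >&2
    status=1
  fi
  exit "$status"
fi
```

A `missing` result for `./Caddyfile` is the mount error in the making: create the Caddyfile next to docker-compose.yml (as a regular file) before starting the stack. For the network check, `docker network ls` shows the name compose generated for the OpenCTI stack (typically `<project>_default`); that is the value to put in `name:` when the proxy lives in a separate compose file, and no `networks:` block is needed at all when it lives in the same file.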

gritty-Kitty commented 7 months ago

Do you have a specific requirement to use NGINX for the reverse proxy? If not, you could try to use Caddy to solve your requirement.

This has already been documented on their site if you want to take a look. https://www.notion.so/Using-Docker-03d5c0592b9d4547800cc9f4ff7be2b8#9f4f3285f51d4c4cb212764a3d9304ba

To take things a little further, you can integrate the docker-compose.yml of Caddy into the OpenCTI file to generate the reverse proxy at the moment OpenCTI starts. If you need more help, let me know.

Dead link.