Closed BiscyberA closed 6 months ago
Since you're using containers already, my recommendation is to set up an HTTPS haproxy or nginx reverse proxy w/ the cert and then have that talk HTTP to opencti. This has the added benefit of allowing you to run multiple opencti instances and have the reverse-proxy distribute clients among them as a load balancer.
Hi @ckane , thank you for the quick response and recommendation. Do you have any documentation on how I can go about this please?
Here's an example using HAProxy:
Remove the `ports:` section from `opencti`. Make sure OpenCTI is configured to listen on port 8080 (or whatever you want, just adjust configs below).

Then, add the following (and adjust as needed to your environment) to the `docker-compose.yml`:
```yaml
  haproxy:
    image: bitnami/haproxy:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./haproxy.cfg:/bitnami/haproxy/conf/haproxy.cfg
      - ./your.crt:/etc/ssl/your.crt
      - ./your.key:/etc/ssl/your.key
    restart: always
    depends_on:
      - opencti
```
Then add the following to `haproxy.cfg`:
```
global
    log 127.0.0.1 local0 debug
    user root
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option logasap
    timeout connect 10000
    timeout client 50000
    timeout server 100000
    maxconn 3000
    #errorfile 400 /etc/haproxy/errors/400.http
    #errorfile 403 /etc/haproxy/errors/403.http
    #errorfile 408 /etc/haproxy/errors/408.http
    #errorfile 500 /etc/haproxy/errors/500.http
    #errorfile 502 /etc/haproxy/errors/502.http
    #errorfile 503 /etc/haproxy/errors/503.http
    #errorfile 504 /etc/haproxy/errors/504.http

frontend http
    bind *:80
    redirect scheme https if !{ ssl_fc }

frontend https
    bind *:443 ssl crt /etc/ssl/your.crt
    http-request add-header X-Forwarded-Port 443
    http-request add-header X-Forwarded-Proto https
    http-request add-header X-Forwarded-Scheme https
    default_backend docker

resolvers dockerdns
    nameserver ns1 127.0.0.11:53
    parse-resolv-conf
    hold valid 60s
    hold nx 1s
    hold timeout 1s
    hold refused 1s
    hold obsolete 1s
    timeout retry 1s
    timeout resolve 1s

backend docker
    http-request add-header X-Forwarded-Host opencti.yourdomain.com
    server opencti opencti.:8080 check resolvers dockerdns
```
Then generate `your.key` and `your.crt` - make sure the base `your` part of the name is identical across the two. If you look at my example `haproxy.cfg` then you'll see I only reference the `crt` file - HAProxy will automatically resolve the `key` filename from the `crt` filename. You will need to remove any encryption from the `key` file.
The above allows you to use `replicas` under `deploy` (example under the `worker` service now) to scale more `opencti` instances. I recently learned that the NodeJS process can't use more than one CPU, so `replicas` on `opencti` is a way to better help balance many users across multiple CPUs.
Hi @ckane, thank you for the help. When I tried using HAProxy, I ran into issues and it wasn't working, so I switched to an nginx reverse proxy and that worked out. I now have opencti running on https. I really appreciate your help.
Thanks @BiscyberA, would you mind posting an example of your nginx config & docker-compose edits here in case someone comes across this issue via search results in the future?
Sure @ckane. Here are the steps I took:
Step 1: Install Nginx if Nginx is not already installed on your host machine.

Step 2: Configure SSL Certificates. Assuming you have SSL certificates (privkey.pem and fullchain.pem) located in /etc/ssl/path, you'll need to reference these certificates in your Nginx configuration.

Step 3: Create an Nginx Configuration. Create an Nginx configuration file for your OpenCTI service. For this purpose, create a new configuration file inside Nginx's sites-available directory:

```
sudo nano /etc/nginx/sites-available/opencti
```
Add the following configuration to the file:
```nginx
server {
    listen 443 ssl;
    server_name your-domain.com;

    ssl_certificate /etc/ssl/your.cert;
    ssl_certificate_key /etc/ssl/your.key;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$host$request_uri;
}
```
Step 4: Enable the Nginx Configuration. Create a symbolic link to enable the new configuration:

```
sudo ln -s /etc/nginx/sites-available/opencti /etc/nginx/sites-enabled/
```

Step 5: Test Nginx Configuration and Restart. Test the Nginx configuration for syntax errors:

```
sudo nginx -t
```

If the test is successful, restart Nginx to apply the changes:

```
sudo systemctl restart nginx
```
Step 6: Update OpenCTI Configuration Since your OpenCTI service is now accessed via HTTPS through Nginx, update the APP__BASE_URL environment variable in your OpenCTI service configuration to use https:
After completing these steps, Nginx will handle SSL termination for your OpenCTI service and proxy requests to http://localhost:8080 internally. Access your OpenCTI service securely via https://your-domain.com.
Hi guys, when I deployed opencti on portainer, I was able to log in to the platform on port 8080 with no issues. I have generated a letsencrypt ssl cert and linked it to portainer running on https. I have tried to add the letsencrypt ssl cert to opencti but I cannot access the platform anymore. I get the error message: secure connection failed. Here is how I have mounted the cert paths in the opencti docker-compose configuration and the opencti logs I am getting:
Opencti Logs:

```
ERR Engine unhandled rejection | category=APP errors=[{"attributes":{"genre":"TECHNICAL","http_status":500,"promise":{},"reason":{}},"message":"Engine unhandled rejection","name":"UNKNOWN_ERROR","stack":"UNKNOWN_ERROR: Engine unhandled rejection\n at error (/opt/opencti/build/src/config/errors.js:8:10)\n at UnknownError (/opt/opencti/build/src/config/errors.js:76:47)\n at process. (/opt/opencti/build/src/boot.js:66:16)\n at process.emit (node:events:518:28)\n at process.ZKa.process.emit (/opt/opencti/build/node_modules/source-map-support/source-map-support.js:516:21)\n at emit (node:internal/process/promises:150:20)\n at processPromiseRejections (node:internal/process/promises:284:27)\n at processTicksAndRejections (node:internal/process/task_queues:96:32)"}] timestamp=2024-04-23T01:40:05.907Z version=6.0.9
```
Here is the Opencti docker configuration with the mounted ssl cert:

```yaml
opencti:
  image: opencti/platform:6.0.9
  environment:
```