Closed Jeroen0494 closed 5 years ago
That is related to Scirius and Moloch set up combined together. In SELKS5 we have added config changes for both Scirius and Moloch (config), including adding a new user for the Moloch proxy during the execution of the first-time setup script.
Okay, then the NGINX configuration should be changed to redirect /app/moloch to /moloch. That should fix everything. Should I write a patch?
Or you alter the Moloch configuration to listen on /app/moloch instead of /moloch.
A patch for which part? SELKS or KTS6? I don't understand. This should be working out of the box on SELKS5 - or are you having troubles?
When I visit 'http://[ipadres]/app/moloch' I receive a bad request error. When I visit /moloch I am logged in directly without problems.
Yes - that is as expected on SELKS5 - it should work out of the box like this.
But the link in Kibana points to /app/moloch, not /moloch.
OK - what version of Scirius and Moloch do you have? (You are on SELKS5, right?)
Moloch version 1.6.1, Scirius version 3.0.1. I am on SELKS5, always the latest commits from SELKS5. I have some customizations for including Bro dashboards in Kibana, but they are on a separate index and do not conflict. The link in Kibana is simply pointing to the wrong location.
If I alter the NGINX configuration to rewrite /app/moloch to /moloch, it works. But that is an ugly hack.
You mean this here - https://github.com/StamusNetworks/SELKS/blob/SELKS5/staging/config/hooks/live/chroot-inside-Debian-Live.hook.chroot#L147 - is not correct, right?
Yes, that's it. There are two ways to fix this:
1) Alter the Moloch configuration to listen on /app/moloch instead of /moloch
2) Alter the Kibana dashboards and NGINX configuration to point to /moloch
In hindsight altering the Moloch configuration seems like the simplest solution and more in line with the other apps (evebox on /app/evebox, kibana on /app/kibana). Just change webBasePath to /app/moloch.
-edit- seems evebox is on /evebox, not /app/evebox, and /kibana is redirected to /app/kibana. There is little consistency here... ;)
I think it had to do with the scripted fields in the Kibana dashboards as well.
Have you made any changes to your kibana.yml? (What does your base path there look like?)
I made no changes to kibana.yml
I think we made the change due to Kibana changes (one of their versions, I think). We also changed the scripted fields in each of the dashboards as well (to point to /moloch for the FPC of the flow) - so I think if we make a change now we will also need a change in all the dashboards. Could you confirm?
You are correct, the scripted fields in Dashboards point to /moloch and not /app/moloch. The scripted fields in Discover point to /app/moloch. So you would need to change all the dashboards, but that's a simple find and replace, correct?
I think we did it with the purpose of all apps accessed via Scirius/SELKS to be done with https://selks.ip/application
Okay, this command should do it:
sed -i s/"app\/moloch"/"moloch"/g index-pattern\:logstash-*.json
Then update the NGINX configuration to point to /moloch
I think we purposefully did it by design to be like that and not to follow the traditional way.
Hi,
Moloch can only be reached via http://localhost/moloch and not via http://localhost/app/moloch, despite the NGINX configuration specifying /app/moloch. When visiting /app/moloch you need to provide your credentials again, after which you'll receive the message "Bad Request". When visiting /moloch, everything works well.
In Kibana Discover, the FPC link in a network packet points to /app/moloch instead of /moloch, resulting in this error. Either move Moloch to /app/moloch, or alter the link in Kibana to point to /moloch.
I'm not sure why Moloch even runs on /moloch instead of /app/moloch, maybe that is the real bug, which is why I haven't committed a pull request.
Jeroen