TheHive-Project / Cortex

Cortex: a Powerful Observable Analysis and Active Response Engine
https://thehive-project.org
GNU Affero General Public License v3.0

[BUG] Dockerized Cortex behind a Proxy with custom CA won't trust online analyzers #376

Open chberti opened 3 years ago

chberti commented 3 years ago

Using Dockerized Cortex behind a Proxy with custom CA

Request Type

Bug / Question

Work Environment

Question Answer
OS version (server) CentOS
OS version (client) -
Cortex version / git hash 31.1
Package Type Docker
Browser type & version -

Problem Description

I'm trying to set up a Cortex instance on a CentOS server. I chose the dockerized version of Cortex and Analyzers. As the instance is behind a proxy, I set up the right parameters to use it. With 'local' analyzers (MISP), analysis jobs work fine. When I used online analyzers, every one of them I tested so far ends up in a failure: self signed certificate in chain.

I used to have an .RPM installation and everything worked properly. I think it comes from my custom CA which isn't mounted on Cortex container.

Any advice on this?

Steps to Reproduce

  1. Setup Cortex via docker method
  2. Configure a Proxy Cortex should use (custom CA for HTTPS)
  3. Online analyzers won't trust the domains they try to reach.

Possible Solutions

I think I should mount my custom CA bundle on the Cortex container. But in my case (according to the documentation), Cortex itself runs other containers. Does that mean I should also find a way to mount my own CA bundle on those containers?

Complementary information

No screenshot for now, maybe later

mdtro commented 2 years ago

This will be difficult considering Python uses its own certificate store and not the system level one, so even if you were able to mount/overwrite it in the container -- I'm not sure it would work.

Analyzers and Responders will get the CA certificate as a configuration item if it is configured in the Cortex GUI, but I believe it's up to the author to make sure they obey and use it for any HTTP connections.

It looks like MISP has configuration/respects the CA certificate setting between the analyzer configuration and PyMISP? https://github.com/TheHive-Project/Cortex-Analyzers/blob/bb193a5732dfe0132a9b17b53dfdcb7f56bbfbc4/analyzers/MISP/misp.py#L17

chberti commented 2 years ago

So it means in my use case the main Cortex container should be able to run analyzer containers with the CA set up on the fly? (maybe rebuilding analyzer images would work, but I was looking for easy container image integrations on my platform...)

Seems like my problem is more like a Feature Request than a Bug then? Will change the tags and title :)

Thanks for your advice

mdtro commented 2 years ago

It actually just occurred to me that you might be able to use an environment variable here, assuming that most of the analyzers use requests for HTTP calls.

REQUESTS_CA_BUNDLE per https://docs.python-requests.org/en/stable/user/advanced/#ssl-cert-verification.

Do you think that might be possible to mount and pass in to the analyzer container?
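An added check, not from this thread or the Cortex project, that an operator can run inside an analyzer container to see which bundle `requests` will actually verify against and whether the proxy CA is in it. It mirrors the lookup order of `requests.Session.merge_environment_settings` (an explicit `verify=` from the analyzer wins, then REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi's public-CA bundle); the `DEMO_*` bytes and the `/etc/ssl/certs/proxy-ca.pem` path are constructed placeholders.

```python
import base64
import hashlib
import re
from typing import Mapping, Tuple, Union

# One PEM certificate block; the body between the markers is base64 DER.
_PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder, not a real certificate; only used for the self-test.
DEMO_DER = b"constructed placeholder bytes, not a real DER certificate"
DEMO_BUNDLE = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(DEMO_DER)
               + b"-----END CERTIFICATE-----\n")


def requests_bundle_for(env: Mapping[str, str],
                        verify: Union[bool, str, None] = True) -> Tuple[str, Union[bool, str]]:
    """Mirror requests' merge_environment_settings (trust_env=True): an explicit
    verify=<path>/False from the caller wins; otherwise REQUESTS_CA_BUNDLE, then
    CURL_CA_BUNDLE; if neither is set requests uses certifi (returned as True)."""
    if verify is not True and verify is not None:
        return ("call argument", verify)  # analyzer passed its own verify/cert_path
    for name in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(name):                 # empty string is skipped, as requests does
            return (name, env[name])
    return ("certifi default", True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256, as `openssl x509 -fingerprint -sha256` prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def bundle_fingerprints(pem: bytes) -> list:
    """SHA-256 fingerprint of every certificate block found in a PEM bundle."""
    return [sha256_fingerprint(base64.b64decode(b"".join(body.split())))
            for body in _PEM_BLOCK.findall(pem)]


def proxy_ca_trusted(env: Mapping[str, str], expected_fp: str,
                     load=lambda path: open(path, "rb").read()) -> bool:
    """True only if the bundle requests will really use contains the proxy CA."""
    _source, bundle = requests_bundle_for(env)
    if bundle is True:    # certifi ships public CAs only; a private proxy CA is never there
        return False
    if bundle is False:   # verification disabled: the error disappears, and so does the check
        return False
    return expected_fp in bundle_fingerprints(load(bundle))
```

Inside the container, `requests_bundle_for(os.environ)` shows what the environment resolves to, and `proxy_ca_trusted(os.environ, "<proxy CA fingerprint>")` confirms the mounted bundle is the one in use; an analyzer that passes its own `verify=` or `cert_path` ignores the environment entirely, which is the "up to the author" caveat above.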

chberti commented 2 years ago

I think many of them use requests, so this might be a solution.

I tried to do something similar, haven't succeeded yet. One problem I might encounter is that Cortex main container is the one who launches analyzers containers. So to work properly I think Cortex container should mount and pass the REQUESTS_CA_BUNDLE when launching them.

To be tested soon :)

louismaxx commented 1 year ago

> I think many of them use requests, so this might be a solution.
>
> I tried to do something similar, haven't succeeded yet. One problem I might encounter is that Cortex main container is the one who launches analyzers containers. So to work properly I think Cortex container should mount and pass the REQUESTS_CA_BUNDLE when launching them.
>
> To be tested soon :)

Hi @chberti, have you been able to resolve your issue? We are also struggling with this issue and we are running the same setup as you described (Cortex container launching the Cortex analyzer containers behind a company proxy). Regards