Splunk SOAR (f.k.a. Phantom)

Web Server location

stevenbo
Explorer

Where is the web server actually installed to and run from for SOAR in a RHEL environment? Unlike the Splunk Web UI, where I can modify the web.conf file, for SOAR I only see a massive amount of py files everywhere. I need to figure out where it actually starts and sets its paths, specifically where SSL is chosen. Assume I have installed SOAR to /data.


Thanks for any assistance!

0 Karma
1 Solution

marnall
Builder

In SOAR, the webserver is nginx. It has a configuration file at ($SOARDIR$ = your SOAR/Phantom install directory, e.g. /opt/phantom or /data):

$SOARDIR$/usr/nginx/conf/phantom-nginx-server.conf

... which includes the config in conf.d:

$SOARDIR$/usr/nginx/conf/conf.d/phantom-nginx-server.conf

which sets the SSL options:

  ssl_certificate     /opt/phantom/etc/ssl/certs/httpd_cert.crt;
  ssl_certificate_key /opt/phantom/etc/ssl/private/httpd_cert.key;
  ssl_protocols       TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers         
  ssl_session_cache   shared:TLS:2m;
  ssl_dhparam /opt/phantom/etc/ssl/dhparams.pem;


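An added check (not from this thread or from Splunk) that audits the TLS directives the accepted answer points to in the conf.d file. It assumes SOARDIR defaults to /data as in the question; the sample confs it writes, including the cipher string, are constructed, not SOAR's real file.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): audit the TLS directives
# in SOAR's nginx conf.d file. SOARDIR defaults to /data as in the question.
set -eu
SOARDIR="${SOARDIR:-/data}"
SOAR_NGINX_CONF="$SOARDIR/usr/nginx/conf/conf.d/phantom-nginx-server.conf"

# Print the value of one nginx directive (first match, trailing ';' stripped).
nginx_directive() {  # $1 = conf file, $2 = directive name
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Return 0 when the TLS settings look sane, 1 otherwise; findings go to stdout.
audit_soar_tls() {  # $1 = conf file
  conf="$1"; rc=0
  protos="$(nginx_directive "$conf" ssl_protocols)"
  [ -n "$protos" ] || { echo "ssl_protocols missing"; rc=1; }
  case " $protos " in
    *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) echo "legacy protocol enabled: $protos"; rc=1 ;;
  esac
  [ "$(nginx_directive "$conf" ssl_prefer_server_ciphers)" = "on" ] \
    || { echo "ssl_prefer_server_ciphers is not on"; rc=1; }
  [ -n "$(nginx_directive "$conf" ssl_ciphers)" ] || { echo "ssl_ciphers is empty"; rc=1; }
  for d in ssl_certificate ssl_certificate_key ssl_dhparam; do
    [ -n "$(nginx_directive "$conf" "$d")" ] || { echo "$d missing"; rc=1; }
  done
  return $rc
}

# Constructed sample confs (not SOAR's real file) so the audit runs offline.
write_sample_conf() {  # $1 = good | weak; prints the temp file path
  f="$(mktemp)"
  if [ "$1" = good ]; then protos="TLSv1.2 TLSv1.3"; else protos="TLSv1 TLSv1.1 TLSv1.2"; fi
  cat >"$f" <<EOF
  ssl_certificate     $SOARDIR/etc/ssl/certs/httpd_cert.crt;
  ssl_certificate_key $SOARDIR/etc/ssl/private/httpd_cert.key;
  ssl_protocols       $protos;
  ssl_prefer_server_ciphers on;
  ssl_ciphers         HIGH:!aNULL:!MD5;
  ssl_session_cache   shared:TLS:2m;
  ssl_dhparam         $SOARDIR/etc/ssl/dhparams.pem;
EOF
  echo "$f"
}

# Stand-alone run: audit the real file if readable, otherwise the good sample.
if [ -r "$SOAR_NGINX_CONF" ]; then target="$SOAR_NGINX_CONF"; else target="$(write_sample_conf good)"; fi
audit_soar_tls "$target" && echo "TLS settings OK: $target" || echo "review needed: $target"
```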

stevenbo
Explorer

Thank you for the response. After a lot of digging and looking through py files and scripts, I did manage to find those 2 conf files. I was able to successfully disable SSL and access via HTTP. The weird thing is that on some machines I am unable to log in; I receive a 403 error (SOAR outputs it as "Login Prevented. Please close your browser and try again"), while on others I can log in with no issue. I cannot find anything in the nginx confs that would cause this issue. It is assumably a local issue on those machines, but I would like to track it down so I can ensure it won't be a problem in the environment we intend to use. I know Django and uWSGI are also playing roles in this configuration, but I am not sure what those roles are.

0 Karma

phanTom
SplunkTrust

@stevenbo I am curious why you need to do this tbh.

You may also find that your current setup will be unsupported after your changes. Always best to get some top cover from Splunk Support, especially if it's going to be a production system.

0 Karma

stevenbo
Explorer

Going the route I am inquiring about is not my preference. I have kind of a convoluted internal network. I have requests in with my network team to get SSL passed through to where I need it, and in the meantime I am just trying to consider other options in case they can't make it work.

0 Karma