
Commit c3378d1

Merge branch 'main' of https://github.com/mmguero-dev/Malcolm into staging
2 parents 1aca96a + 888e524 commit c3378d1

9 files changed

+67
-23
lines changed

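--- a/Dockerfiles/arkime.Dockerfile
+++ b/Dockerfiles/arkime.Dockerfile
@@ -146,7 +146,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 curl -fsSL -o ./arkime.deb "$(echo "${ARKIME_DEB_URL}" | sed "s/XXX/${DEBARCH}/g")" && \
 dpkg -i /tmp/arkime.deb && \
 rm -f ${ARKIME_DIR}/wiseService/source.* ${ARKIME_DIR}/etc/*.systemd.service && \
-mkdir -p "${ARKIME_DIR}"/plugins && \
+mkdir -p "${ARKIME_DIR}"/plugins "${ARKIME_DIR}"/rules && \
 curl -fsSL -o "${ARKIME_DIR}/plugins/ja4plus.${DEBARCH}.so" "$(echo "${ARKIME_JA4_SO_URL}" | sed "s/XXX/${DEBARCH}/g")" && \
 chmod 755 "${ARKIME_DIR}/plugins/ja4plus.${DEBARCH}.so" && \
 python3 -m pip install --break-system-packages --no-compile --no-cache-dir beautifulsoup4 pyzmq watchdog==6.0.0 && \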
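--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -59,10 +59,6 @@ http {
 server upload:80;
 }
 
-upstream htadmin {
-server htadmin:80;
-}
-
 upstream dashboards {
 server dashboards:5601;
 }
@@ -71,10 +67,6 @@ http {
 server dashboards-helper:28991;
 }
 
-upstream opensearch {
-server opensearch:9200;
-}
-
 upstream logstash-stats {
 server logstash:9600;
 }
@@ -87,9 +79,9 @@ http {
 server file-monitor:8440;
 }
 
-upstream keycloak {
-server keycloak:8080;
-}
+include /etc/nginx/nginx_opensearch_upstream_rt.conf;
+include /etc/nginx/nginx_htadmin_upstream_rt.conf;
+include /etc/nginx/nginx_keycloak_upstream_rt.conf;
 
 map $http_x_forwarded_proto $proxy_x_forwarded_proto {
 default $http_x_forwarded_proto;
@@ -280,13 +272,7 @@ http {
 }
 
 # passthrough OpenSearch from the Malcolm API
-location /mapi/opensearch/ {
-include /etc/nginx/nginx_auth_rt.conf;
-proxy_pass http://opensearch/;
-proxy_redirect off;
-client_max_body_size 50m;
-include /etc/nginx/nginx_proxy_forward_headers.conf;
-}
+include /etc/nginx/nginx_opensearch_mapi_rt.conf;
 
 # passthrough NetBox from the Malcolm API
 location /mapi/netbox/ {
@@ -337,10 +323,7 @@ http {
 include /etc/nginx/nginx_image_aliases.conf;
 
 location / {
-proxy_pass http://opensearch;
-proxy_redirect off;
-client_max_body_size 50m;
-include /etc/nginx/nginx_proxy_forward_headers.conf;
+include /etc/nginx/nginx_opensearch_api_rt.conf;
 }
 }
 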
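Review bot: In the `@@ -280,13 +272,7 @@` hunk the `/mapi/opensearch/` location is now an include that the entrypoint points at the blank file when OpenSearch is not local, so that path no longer exists as a distinct location and a request to it will match whichever broader `/mapi/` location the server block defines (outside this hunk), while the API server's `location /` in the `@@ -337,10 +323,7 @@` hunk explicitly answers 501 in the same situation. The two endpoints should behave consistently: either both fall through or both return the 501 JSON body, which for the `/mapi/opensearch/` case means a companion include holding `location /mapi/opensearch/ { include /etc/nginx/nginx_auth_rt.conf; return 501 ...; }` (filename to be chosen to match the existing `nginx_opensearch_*` naming). Whether the fall-through path is itself behind `nginx_auth_rt.conf` cannot be confirmed from this hunk; it is worth checking, since the removed block carried that include explicitly. Both enclosing server blocks begin and end outside the hunks shown.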
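--- a/nginx/nginx_htadmin_upstream.conf
+++ b/nginx/nginx_htadmin_upstream.conf
@@ -0,0 +1,3 @@
+upstream htadmin {
+server htadmin:80;
+}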
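--- a/nginx/nginx_keycloak_upstream.conf
+++ b/nginx/nginx_keycloak_upstream.conf
@@ -0,0 +1,3 @@
+upstream keycloak {
+server keycloak:8080;
+}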
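--- a/nginx/nginx_opensearch_api.conf
+++ b/nginx/nginx_opensearch_api.conf
@@ -0,0 +1,4 @@
+proxy_pass http://opensearch;
+proxy_redirect off;
+client_max_body_size 50m;
+include /etc/nginx/nginx_proxy_forward_headers.conf;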
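--- a/nginx/nginx_opensearch_api_501.conf
+++ b/nginx/nginx_opensearch_api_501.conf
@@ -0,0 +1,2 @@
+add_header Content-Type application/json;
+return 501 '{"error":{"code":501,"message":"Not Implemented"}}';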
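--- a/nginx/nginx_opensearch_mapi.conf
+++ b/nginx/nginx_opensearch_mapi.conf
@@ -0,0 +1,8 @@
+# passthrough OpenSearch from the Malcolm API
+location /mapi/opensearch/ {
+include /etc/nginx/nginx_auth_rt.conf;
+proxy_pass http://opensearch/;
+proxy_redirect off;
+client_max_body_size 50m;
+include /etc/nginx/nginx_proxy_forward_headers.conf;
+}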
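--- a/nginx/nginx_opensearch_upstream.conf
+++ b/nginx/nginx_opensearch_upstream.conf
@@ -0,0 +1,3 @@
+upstream opensearch {
+server opensearch:9200;
+}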
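--- a/nginx/scripts/docker_entrypoint.sh
+++ b/nginx/scripts/docker_entrypoint.sh
@@ -29,10 +29,18 @@ NGINX_AUTH_LOCATION_LINK=${NGINX_CONF_DIR}/nginx_auth_location.conf
 NGINX_KEYCLOAK_LOCATION_LINK=${NGINX_CONF_DIR}/nginx_keycloak_location_rt.conf
 NGINX_KEYCLOAK_LOCATION_CONF=${NGINX_CONF_DIR}/nginx_keycloak_location.conf
 
+# "include" file for embedded keycloak upstream
+NGINX_KEYCLOAK_UPSTREAM_LINK=${NGINX_CONF_DIR}/nginx_keycloak_upstream_rt.conf
+NGINX_KEYCLOAK_UPSTREAM_CONF=${NGINX_CONF_DIR}/nginx_keycloak_upstream.conf
+
 # "include" file for auth_basic, prompt, and htpasswd location
 NGINX_BASIC_AUTH_CONF=${NGINX_CONF_DIR}/nginx_auth_basic.conf
 NGINX_AUTH_BASIC_LOCATION_CONF=${NGINX_CONF_DIR}/nginx_auth_basic_location.conf
 
+# "include" file for htadmin upstream
+NGINX_HTADMIN_UPSTREAM_LINK=${NGINX_CONF_DIR}/nginx_htadmin_upstream_rt.conf
+NGINX_HTADMIN_UPSTREAM_CONF=${NGINX_CONF_DIR}/nginx_htadmin_upstream.conf
+
 # "include" file for auth_ldap, prompt, and "auth_ldap_servers" name
 NGINX_LDAP_AUTH_CONF=${NGINX_CONF_DIR}/nginx_auth_ldap.conf
 
@@ -50,6 +58,15 @@ NGINX_LDAP_USER_CONF=${NGINX_CONF_DIR}/nginx_ldap.conf
 # runtime "include" file for auth method (link to NGINX_BASIC_AUTH_CONF, NGINX_LDAP_AUTH_CONF, NGINX_KEYCLOAK_AUTH_CONF, or NGINX_NO_AUTH_CONF)
 NGINX_RUNTIME_AUTH_LINK=${NGINX_CONF_DIR}/nginx_auth_rt.conf
 
+# "include" files and links for embedded opensearch, if used
+NGINX_OPENSEARCH_UPSTREAM_LINK=${NGINX_CONF_DIR}/nginx_opensearch_upstream_rt.conf
+NGINX_OPENSEARCH_UPSTREAM_CONF=${NGINX_CONF_DIR}/nginx_opensearch_upstream.conf
+NGINX_OPENSEARCH_MAPI_LINK=${NGINX_CONF_DIR}/nginx_opensearch_mapi_rt.conf
+NGINX_OPENSEARCH_MAPI_CONF=${NGINX_CONF_DIR}/nginx_opensearch_mapi.conf
+NGINX_OPENSEARCH_API_LINK=${NGINX_CONF_DIR}/nginx_opensearch_api_rt.conf
+NGINX_OPENSEARCH_API_CONF=${NGINX_CONF_DIR}/nginx_opensearch_api.conf
+NGINX_OPENSEARCH_API_501_CONF=${NGINX_CONF_DIR}/nginx_opensearch_api_501.conf
+
 # runtime "include" file for opensearch endpoint auth method (link to NGINX_BASIC_AUTH_CONF, NGINX_LDAP_AUTH_CONF, or NGINX_NO_AUTH_CONF)
 NGINX_RUNTIME_AUTH_OPENSEARCH_LINK=${NGINX_CONF_DIR}/nginx_auth_opensearch_rt.conf
 
@@ -134,6 +151,17 @@ fi
 # set logging level for error.log
 echo "error_log /var/log/nginx/error.log ${NGINX_ERROR_LOG_LEVEL:-error};" > "${NGINX_LOGGING_CONF}"
 
+# set up config links for whether there's an embedded opensearch instance or not
+if [[ "${OPENSEARCH_PRIMARY:-opensearch-local}" == "opensearch-local" ]]; then
+ln -sf "$NGINX_OPENSEARCH_UPSTREAM_CONF" "$NGINX_OPENSEARCH_UPSTREAM_LINK"
+ln -sf "$NGINX_OPENSEARCH_MAPI_CONF" "$NGINX_OPENSEARCH_MAPI_LINK"
+ln -sf "$NGINX_OPENSEARCH_API_CONF" "$NGINX_OPENSEARCH_API_LINK"
+else
+ln -sf "$NGINX_BLANK_CONF" "$NGINX_OPENSEARCH_UPSTREAM_LINK"
+ln -sf "$NGINX_BLANK_CONF" "$NGINX_OPENSEARCH_MAPI_LINK"
+ln -sf "$NGINX_OPENSEARCH_API_501_CONF" "$NGINX_OPENSEARCH_API_LINK"
+fi
+
 # NGINX_AUTH_MODE basic|ldap|keycloak|keycloak_remote|no_authentication
 if [[ -z $NGINX_AUTH_MODE ]] || [[ "$NGINX_AUTH_MODE" == "basic" ]] || [[ "$NGINX_AUTH_MODE" == "true" ]]; then
 # doing HTTP basic auth
@@ -147,9 +175,11 @@ if [[ -z $NGINX_AUTH_MODE ]] || [[ "$NGINX_AUTH_MODE" == "basic" ]] || [[ "$NGIN
 
 # /auth location handling for htpasswd
 ln -sf "$NGINX_AUTH_BASIC_LOCATION_CONF" "$NGINX_AUTH_LOCATION_LINK"
+ln -sf "$NGINX_HTADMIN_UPSTREAM_CONF" "$NGINX_HTADMIN_UPSTREAM_LINK"
 
 # /keycloak location isn't used
 ln -sf "$NGINX_BLANK_CONF" "$NGINX_KEYCLOAK_LOCATION_LINK"
+ln -sf "$NGINX_BLANK_CONF" "$NGINX_KEYCLOAK_UPSTREAM_LINK"
 
 elif [[ "$NGINX_AUTH_MODE" == "no_authentication" ]] || [[ "$NGINX_AUTH_MODE" == "none" ]] || [[ "$NGINX_AUTH_MODE" == "no" ]]; then
 # completely disabling authentication (not recommended)
@@ -163,7 +193,9 @@ elif [[ "$NGINX_AUTH_MODE" == "no_authentication" ]] || [[ "$NGINX_AUTH_MODE" ==
 
 # /auth and /keycloak locations are empty
 ln -sf "$NGINX_BLANK_CONF" "$NGINX_AUTH_LOCATION_LINK"
+ln -sf "$NGINX_BLANK_CONF" "$NGINX_HTADMIN_UPSTREAM_LINK"
 ln -sf "$NGINX_BLANK_CONF" "$NGINX_KEYCLOAK_LOCATION_LINK"
+ln -sf "$NGINX_BLANK_CONF" "$NGINX_KEYCLOAK_UPSTREAM_LINK"
 
 elif [[ "$NGINX_AUTH_MODE" == "keycloak_remote" ]]; then
 # Keycloak (remote) authentication
@@ -185,9 +217,11 @@ elif [[ "$NGINX_AUTH_MODE" == "keycloak_remote" ]]; then
 
 # /auth location handling for htpasswd
 ln -sf "$NGINX_AUTH_BASIC_LOCATION_CONF" "$NGINX_AUTH_LOCATION_LINK"
+ln -sf "$NGINX_HTADMIN_UPSTREAM_CONF" "$NGINX_HTADMIN_UPSTREAM_LINK"
 
 # /keycloak location isn't used
 ln -sf "$NGINX_BLANK_CONF" "$NGINX_KEYCLOAK_LOCATION_LINK"
+ln -sf "$NGINX_BLANK_CONF" "$NGINX_KEYCLOAK_UPSTREAM_LINK"
 
 elif [[ "$NGINX_AUTH_MODE" == "keycloak" ]]; then
 # Keycloak (embedded) authentication
@@ -209,9 +243,11 @@ elif [[ "$NGINX_AUTH_MODE" == "keycloak" ]]; then
 
 # /auth location handling for htpasswd
 ln -sf "$NGINX_AUTH_BASIC_LOCATION_CONF" "$NGINX_AUTH_LOCATION_LINK"
+ln -sf "$NGINX_HTADMIN_UPSTREAM_CONF" "$NGINX_HTADMIN_UPSTREAM_LINK"
 
 # /keycloak location points to embedded keycloak container
 ln -sf "$NGINX_KEYCLOAK_LOCATION_CONF" "$NGINX_KEYCLOAK_LOCATION_LINK"
+ln -sf "$NGINX_KEYCLOAK_UPSTREAM_CONF" "$NGINX_KEYCLOAK_UPSTREAM_LINK"
 
 elif [[ "$NGINX_AUTH_MODE" == "ldap" ]] || [[ "$NGINX_AUTH_MODE" == "false" ]]; then
 # ldap authentication
@@ -222,7 +258,9 @@ elif [[ "$NGINX_AUTH_MODE" == "ldap" ]] || [[ "$NGINX_AUTH_MODE" == "false" ]];
 
 # /auth and /keycloak locations are empty
 ln -sf "$NGINX_BLANK_CONF" "$NGINX_AUTH_LOCATION_LINK"
+ln -sf "$NGINX_BLANK_CONF" "$NGINX_HTADMIN_UPSTREAM_LINK"
 ln -sf "$NGINX_BLANK_CONF" "$NGINX_KEYCLOAK_LOCATION_LINK"
+ln -sf "$NGINX_BLANK_CONF" "$NGINX_KEYCLOAK_UPSTREAM_LINK"
 
 # parse URL information out of user ldap configuration
 # example: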
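Review bot: The comments `# /auth and /keycloak locations are empty` in the `@@ -163,7 +193,9 @@` and `@@ -222,7 +258,9 @@` hunks no longer describe their blocks, which now also blank the htadmin and keycloak upstream includes; change both to `# /auth and /keycloak locations and their upstream includes are empty`, and likewise extend `# /keycloak location isn't used` in the basic and keycloak_remote branches to mention the upstream. The same htadmin/keycloak upstream link pair is now repeated in five branches of the `NGINX_AUTH_MODE` chain, so a future auth mode that forgets one of them leaves a stale `*_rt.conf` symlink from a previous container start pointing at an upstream nginx then tries to resolve; deriving the two upstream links from `NGINX_AUTH_MODE` once, after the chain, would remove that risk (the chain's trailing `else`, if any, is outside these hunks). In the `@@ -134,6 +151,17 @@` hunk the new block silently treats any `OPENSEARCH_PRIMARY` value other than `opensearch-local` as remote, which matches the 501 include's intent but is worth stating in the comment, e.g. `# any other OPENSEARCH_PRIMARY value means no embedded instance: serve 501 from the API endpoint`.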