topic Re: Run MineMeld over HTTP in General Topics

Run MineMeld over HTTP

nopsled — Mon, 01 May 2017 17:43:11 GMT

I'm in the process of running multiple MineMeld behind a server load balancer. I want the backend MineMeld servers to run the application over HTTP. The reason for this is I want to offload SSL from the servers. Currently, nginx redirects HTTP to HTTPS.

What would I need to do within the nginx configuration file to stop the https daemon and have the server only serve requests over HTTP?

Re: Run MineMeld over HTTP

lmori — Tue, 02 May 2017 22:35:23 GMT

Hi @nopsled,

you should change the config /etc/nginx/sites-available/minemeld-web.conf to listen on port 80 instead of port 443:

# the original redirect should be commented out
# server {
#    listen 80;
#    server_name ~(.+)$;
#    return 301 https://$1$request_uri;
# }

server {
    # listen on port 80 with no SSL
    listen 80; 

[...]

Re: Run MineMeld over HTTP

nopsled — Wed, 03 May 2017 01:36:09 GMT

Thank you!

Re: Run MineMeld over HTTP

Woranon — Thu, 01 Feb 2018 14:25:05 GMT

Hi Community,

My Minemeld config file is different from above. It looks like below. I've tried follow above solution by comment (#) all redirect part, but it doesn't work. Any help and guide..

***********************************

upstream app_server {

server 127.0.0.1:5000 fail_timeout=0;

}

#server {

# listen 80;

# server_name ~(.+)$;

# return 301 https://$1$request_uri;

server {

listen 80;

}

server {

listen 443 ssl;

server_name _;

ssl_certificate /etc/nginx/minemeld.cer;

ssl_certificate_key /etc/nginx/minemeld.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_session_cache shared:SSL:10m;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH

E-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-

SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-

ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DH

E-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GC

M-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:

!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

keepalive_timeout 5;

# path for static files

root /opt/minemeld/www/current;

location = / {

index index.html;

expires off;

}

# first files then proxy to flask app

location / {

try_files $uri @proxy_to_app;

}

location ~* \.html$ {

try_files $uri @proxy_to_app;

expires -1;

}

# for SSE

location /status/events {

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Host $http_host;

proxy_set_header Connection '';

proxy_http_version 1.1;

proxy_redirect off;

proxy_buffering off;

chunked_transfer_encoding off;

proxy_cache off;

proxy_read_timeout 120s;

expires -1;

proxy_pass http://app_server;

}

# for content that should be handled by mw flask app

location @proxy_to_app {

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Host $http_host;

proxy_redirect http://$http_host/ https://$http_host/;

proxy_pass http://app_server;

}

Re: Run MineMeld over HTTP

Woranon — Fri, 02 Feb 2018 16:14:37 GMT

It works now. just comment like below;

upstream app_server {

server 127.0.0.1:5000 fail_timeout=0;

}

#server {

# listen 80;

# server_name ~(.+)$;

# return 301 https://$1$request_uri;

server {

# listen 443 ssl;

listen 80;

server_name _;

ssl off;

# ssl_certificate /etc/nginx/minemeld.cer;

# ssl_certificate_key /etc/nginx/minemeld.pem;

# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# ssl_prefer_server_ciphers on;

# ssl_session_cache shared:SSL:10m;

# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

# keepalive_timeout 5;

wrote:
Hi Community,

My Minemeld config file is different from above. It looks like below. I've tried follow above solution by comment (#) all redirect part, but it doesn't work. Any help and guide..

***********************************
upstream app_server {
server 127.0.0.1:5000 fail_timeout=0;
}

#server {
# listen 80;
# server_name ~(.+)$;
# return 301 https://$1$request_uri;
#}

server {
listen 80;

}
server {
listen 443 ssl;

server_name _;
ssl_certificate /etc/nginx/minemeld.cer;
ssl_certificate_key /etc/nginx/minemeld.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH
E-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-
SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-
ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DH
E-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GC
M-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:
!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

keepalive_timeout 5;

# path for static files
root /opt/minemeld/www/current;

location = / {
index index.html;
expires off;
}

# first files then proxy to flask app
location / {
@TreasuryNetwork_files $uri @proxy_to_app;
}

location ~* \.html$ {
@TreasuryNetwork_files $uri @proxy_to_app;
expires -1;
}

# for SSE
location /status/events {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Connection '';
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
chunked_transfer_encoding off;
proxy_cache off;
proxy_read_timeout 120s;

expires -1;

proxy_pass http://app_server;
}

# for content that should be handled by mw flask app
@location @proxy_to_app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect http://$http_host/ https://$http_host/;

proxy_pass http://app_server;
}
}

Re: Run MineMeld over HTTP

BKerstiens — Mon, 05 Feb 2018 23:41:09 GMT

This is my config and it is not working... any suggestions??

/etc/nginx/sites-enabled/minemeld-web

upstream app_server {
server 127.0.0.1:5000 fail_timeout=0;
}

#server {
# listen 80;
# server_name ~(.+)$;
# return 301 https://$1$request_uri;
#}

server {
listen 80;
# listen 443 ssl;
#
server_name _;
ssl off;
# ssl_certificate /etc/nginx/minemeld.cer;
# ssl_certificate_key /etc/nginx/minemeld.pem;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_prefer_server_ciphers on;
# ssl_session_cache shared:SSL:10m;
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GC
M-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:EC
DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-
AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AE
S256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNU
LL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

# keepalive_timeout 5;

# path for static files
root /opt/minemeld/www/current;

location = / {
index index.html;
}

location ~* \.html$ {
try_files $uri @proxy_to_app;
expires -1;
}

# first files then proxy to flask app
location / {
try_files $uri @proxy_to_app;
expires off;
}

# for SSE
location /status/events {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Connection '';
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
chunked_transfer_encoding off;
proxy_cache off;
proxy_read_timeout 120s;

expires -1;

proxy_pass http://app_server;
}

# for content that should be handled by mw flask app
location @proxy_to_app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;

proxy_pass http://app_server;
}
}

Re: Run MineMeld over HTTP

BKerstiens — Tue, 06 Feb 2018 14:11:28 GMT

Ok after i rebooted the azure vm it is now working on http with the above config. Just restarting the service for minemeld wasn't working for me.

Re: Run MineMeld over HTTP

Nocturnalknight — Mon, 05 Mar 2018 15:17:55 GMT

Dear Imori

It crashed my application after this change. Even i tried restored my old config backup file and restarted. Now the nodes tab is empty and the engine is keep on restarting. Any fix for this.

Thanks,
Ram

Re: Run MineMeld over HTTP

mart_e — Mon, 21 May 2018 12:14:10 GMT

I do not have situation that nopsled has, but there is valid use case for use Minemeld over HTTP. From security perspective HTTP is definately not an option, but when you want to ensure the availability of Minemeld list in your firewall in EDL then Minemeld has to be up and running all the time. If Minemeld machine and thus Minemeld list for EDL is not available over HTTPS then EDL list seems to get emptyed. To avoid this situation and to make sure that firewall uses last successfully retrieved list HTTP has to be used. Here is exact information on this: "If the web server is unreachable, the firewall will use the last successfully retrieved list for enforcing policy until the connection is restored with the web server, but only if the list is not secured with SSL."

Link for the resource is here: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list