Run MineMeld over HTTP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Run MineMeld over HTTP

L0 Member

I'm in the process of running multiple MineMeld behind a server load balancer. I want the backend MineMeld servers to run the application over HTTP. The reason for this is I want to offload SSL from the servers. Currently, nginx redirects HTTP to HTTPS.

 

What would I need to do within the nginx configuration file to stop the https daemon and have the server only serve requests over HTTP?

 

 

1 accepted solution

Accepted Solutions

L7 Applicator

Hi @nopsled,

you should change the config /etc/nginx/sites-available/minemeld-web.conf to listen on port 80 instead of port 443:

 

# the original redirect should be commented out
# server { # listen 80; # server_name ~(.+)$; # return 301 https://$1$request_uri; # } server {
# listen on port 80 with no SSL listen 80; [...]

View solution in original post

8 REPLIES 8

L7 Applicator

Hi @nopsled,

you should change the config /etc/nginx/sites-available/minemeld-web.conf to listen on port 80 instead of port 443:

 

# the original redirect should be commented out
# server { # listen 80; # server_name ~(.+)$; # return 301 https://$1$request_uri; # } server {
# listen on port 80 with no SSL listen 80; [...]

Thank you!

Hi Community,

 

My Minemeld config file is different from above. It looks like below. I've tried follow above solution by comment (#) all redirect part, but it doesn't work. Any help and guide..

 

 

***********************************

upstream app_server {

    server 127.0.0.1:5000 fail_timeout=0;

}

 

#server {

 # listen 80;

 #  server_name ~(.+)$;

#   return 301 https://$1$request_uri;

#}

 

server {

 listen 80;

 

}

server {

    listen 443 ssl;

 

    server_name _;

    ssl_certificate /etc/nginx/minemeld.cer;

    ssl_certificate_key /etc/nginx/minemeld.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH

E-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-

SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-

ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DH

E-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GC

M-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:

!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

 

    keepalive_timeout 5;

 

    # path for static files

    root /opt/minemeld/www/current;

 

    location = / {

        index index.html;

        expires off;

    }

 

    # first files then proxy to flask app

    location / {

        try_files $uri @proxy_to_app;

    }

 

    location ~* \.html$ {

        try_files $uri @proxy_to_app;

        expires -1;

    }

 

    # for SSE

    location /status/events {

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header Host $http_host;

        proxy_set_header Connection '';

        proxy_http_version 1.1;

        proxy_redirect off;

        proxy_buffering off;

        chunked_transfer_encoding off;

        proxy_cache off;

        proxy_read_timeout 120s;

 

        expires -1;

 

        proxy_pass   http://app_server;        

    }

 

    # for content that should be handled by mw flask app

    location @proxy_to_app {

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header Host $http_host;

        proxy_redirect http://$http_host/ https://$http_host/;

 

        proxy_pass   http://app_server;

    }

}

It works now. just comment like below;

 

upstream app_server {

    server 127.0.0.1:5000 fail_timeout=0;

}

 

#server {

#    listen 80;

#    server_name ~(.+)$;

#    return 301 https://$1$request_uri;

#}

 

server {

#    listen 443 ssl;

listen 80;

 

    server_name _;

ssl off;

#    ssl_certificate /etc/nginx/minemeld.cer;

#    ssl_certificate_key /etc/nginx/minemeld.pem;

#    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

#    ssl_prefer_server_ciphers on;

#    ssl_session_cache shared:SSL:10m;

#    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

 

#    keepalive_timeout 5;


wrote:

Hi Community,

 

My Minemeld config file is different from above. It looks like below. I've tried follow above solution by comment (#) all redirect part, but it doesn't work. Any help and guide..

 

 

***********************************

upstream app_server {

    server 127.0.0.1:5000 fail_timeout=0;

}

 

#server {

 # listen 80;

 #  server_name ~(.+)$;

#   return 301 https://$1$request_uri;

#}

 

server {

 listen 80;

 

}

server {

    listen 443 ssl;

 

    server_name _;

    ssl_certificate /etc/nginx/minemeld.cer;

    ssl_certificate_key /etc/nginx/minemeld.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH

E-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-

SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-

ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DH

E-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GC

M-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:

!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

 

    keepalive_timeout 5;

 

    # path for static files

    root /opt/minemeld/www/current;

 

    location = / {

        index index.html;

        expires off;

    }

 

    # first files then proxy to flask app

    location / {

        @TRY_files $uri @proxy_to_app;

    }

 

    location ~* \.html$ {

        @TRY_files $uri @proxy_to_app;

        expires -1;

    }

 

    # for SSE

    location /status/events {

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header Host $http_host;

        proxy_set_header Connection '';

        proxy_http_version 1.1;

        proxy_redirect off;

        proxy_buffering off;

        chunked_transfer_encoding off;

        proxy_cache off;

        proxy_read_timeout 120s;

 

        expires -1;

 

        proxy_pass   http://app_server;        

    }

 

    # for content that should be handled by mw flask app

    @location @proxy_to_app {

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header Host $http_host;

        proxy_redirect http://$http_host/ https://$http_host/;

 

        proxy_pass   http://app_server;

    }

}


 

This is my config and it is not working... any suggestions??

 

/etc/nginx/sites-enabled/minemeld-web

 

 

upstream app_server {
server 127.0.0.1:5000 fail_timeout=0;
}

#server {
# listen 80;
# server_name ~(.+)$;
# return 301 https://$1$request_uri;
#}

server {
listen 80;
# listen 443 ssl;
#
server_name _;
ssl off;
# ssl_certificate /etc/nginx/minemeld.cer;
# ssl_certificate_key /etc/nginx/minemeld.pem;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_prefer_server_ciphers on;
# ssl_session_cache shared:SSL:10m;
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GC
M-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:EC
DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-
AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AE
S256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNU
LL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

# keepalive_timeout 5;

# path for static files
root /opt/minemeld/www/current;

location = / {
index index.html;
}

location ~* \.html$ {
try_files $uri @proxy_to_app;
expires -1;
}

# first files then proxy to flask app
location / {
try_files $uri @proxy_to_app;
expires off;
}

# for SSE
location /status/events {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Connection '';
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
chunked_transfer_encoding off;
proxy_cache off;
proxy_read_timeout 120s;

expires -1;

proxy_pass http://app_server;
}

# for content that should be handled by mw flask app
location @proxy_to_app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;

proxy_pass http://app_server;
}
}

Ok after i rebooted the azure vm it is now working on http with the above config.  Just restarting the service for minemeld wasn't working for me.

 

Dear Imori

 

 

It crashed my application after this change. Even i tried restored my old config backup file and restarted. Now the nodes tab is empty  and the engine is keep on restarting. Any fix for this.

 

Thanks,
Ram

 

 

L2 Linker

I do not have situation that nopsled has, but there is valid use case for use Minemeld over HTTP. From security perspective HTTP is definately not an option, but when you want to ensure the availability of Minemeld list in your firewall in EDL then Minemeld has to be up and running all the time. If Minemeld machine and thus Minemeld list for EDL is not available over HTTPS then EDL list seems to get emptyed. To avoid this situation and to make sure that firewall uses last successfully retrieved list HTTP has to be used. Here is exact information on this: "If the web server is unreachable, the firewall will use the last successfully retrieved list for enforcing policy until the connection is restored with the web server, but only if the list is not secured with SSL."

Link for the resource is here: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-...

  • 1 accepted solution
  • 10135 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!