05-01-2017 10:43 AM
I'm in the process of running multiple MineMeld servers behind a server load balancer. I want the backend MineMeld servers to run the application over HTTP. The reason for this is I want to offload SSL from the servers. Currently, nginx redirects HTTP to HTTPS.
What would I need to do within the nginx configuration file to stop the https daemon and have the server only serve requests over HTTP?
05-02-2017 03:35 PM
Hi @nopsled,
you should change the config /etc/nginx/sites-available/minemeld-web.conf to listen on port 80 instead of port 443:
# the original redirect should be commented out
# server {
#     listen 80;
#     server_name ~(.+)$;
#     return 301 https://$1$request_uri;
# }
server {
    # listen on port 80 with no SSL
    listen 80;
    [...]
02-01-2018 06:25 AM
Hi Community,
My MineMeld config file is different from the one above. It looks like the one below. I've tried to follow the solution above by commenting out (#) the whole redirect part, but it doesn't work. Any help and guidance...
***********************************
upstream app_server {
server 127.0.0.1:5000 fail_timeout=0;
}
#server {
# listen 80;
# server_name ~(.+)$;
# return 301 https://$1$request_uri;
#}
server {
listen 80;
}
server {
listen 443 ssl;
server_name _;
ssl_certificate /etc/nginx/minemeld.cer;
ssl_certificate_key /etc/nginx/minemeld.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
keepalive_timeout 5;
# path for static files
root /opt/minemeld/www/current;
location = / {
index index.html;
expires off;
}
# first files then proxy to flask app
location / {
try_files $uri @proxy_to_app;
}
location ~* \.html$ {
try_files $uri @proxy_to_app;
expires -1;
}
# for SSE
location /status/events {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Connection '';
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
chunked_transfer_encoding off;
proxy_cache off;
proxy_read_timeout 120s;
expires -1;
proxy_pass http://app_server;
}
# for content that should be handled by mw flask app
location @proxy_to_app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect http://$http_host/ https://$http_host/;
proxy_pass http://app_server;
}
}
02-02-2018 08:14 AM
It works now. Just comment it out like below:
upstream app_server {
server 127.0.0.1:5000 fail_timeout=0;
}
#server {
# listen 80;
# server_name ~(.+)$;
# return 301 https://$1$request_uri;
#}
server {
# listen 443 ssl;
listen 80;
server_name _;
ssl off;
# ssl_certificate /etc/nginx/minemeld.cer;
# ssl_certificate_key /etc/nginx/minemeld.pem;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_prefer_server_ciphers on;
# ssl_session_cache shared:SSL:10m;
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# keepalive_timeout 5;
02-05-2018 03:41 PM
This is my config and it is not working... any suggestions??
/etc/nginx/sites-enabled/minemeld-web
upstream app_server {
server 127.0.0.1:5000 fail_timeout=0;
}
#server {
# listen 80;
# server_name ~(.+)$;
# return 301 https://$1$request_uri;
#}
server {
listen 80;
# listen 443 ssl;
#
server_name _;
ssl off;
# ssl_certificate /etc/nginx/minemeld.cer;
# ssl_certificate_key /etc/nginx/minemeld.pem;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_prefer_server_ciphers on;
# ssl_session_cache shared:SSL:10m;
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# keepalive_timeout 5;
# path for static files
root /opt/minemeld/www/current;
location = / {
index index.html;
}
location ~* \.html$ {
try_files $uri @proxy_to_app;
expires -1;
}
# first files then proxy to flask app
location / {
try_files $uri @proxy_to_app;
expires off;
}
# for SSE
location /status/events {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Connection '';
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
chunked_transfer_encoding off;
proxy_cache off;
proxy_read_timeout 120s;
expires -1;
proxy_pass http://app_server;
}
# for content that should be handled by mw flask app
location @proxy_to_app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app_server;
}
}
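As an added example (not code from MineMeld, Palo Alto Networks, or anyone in this thread), here is a small Python checker that parses a simplified nginx config and flags the settings a plain-HTTP front end trips over: a surviving "return 301 https://..." redirect block, a surviving "listen 443 ssl", and a "proxy_redirect" that rewrites the Flask app's Location headers to https, which sends clients to a port nothing is listening on any more. The two sample configs are constructed to mirror the stock file and the edited one posted above.

```python
import re
# Added example, not MineMeld's own code: parse just enough nginx syntax
# ("#" comments, "directive args;", "name args { ... }") to audit the
# HTTP-only edit the thread arrives at, using constructed sample configs.

def parse_nginx(text):
    text = re.sub(r"#[^\n]*", "", text)  # commented-out lines vanish, as in the posts
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};]+", text)

    def block(i):  # returns ([(name, args, body-or-None), ...], index of closing "}")
        items = []
        while i < len(tokens) and tokens[i] != "}":
            j = i
            while tokens[j] not in ("{", ";"):
                j += 1
            name, args = tokens[i], tokens[i + 1:j]
            if tokens[j] == ";":
                items.append((name, args, None))
                i = j + 1
            else:
                body, i = block(j + 1)
                items.append((name, args, body))
                i += 1  # step past the closing "}"
        return items, i
    return block(0)[0]

def audit_http_only(text):
    """Flag settings a plain-HTTP MineMeld front end would trip over."""
    findings = []
    for n, (_, _, body) in enumerate(x for x in parse_nginx(text) if x[0] == "server"):
        for name, args, sub in body:
            if name == "listen" and "ssl" in args:
                findings.append(f"server #{n}: still terminates TLS ({' '.join(args)})")
            if name == "return" and args[:1] == ["301"] and args[1:] and args[1].startswith("https://"):
                findings.append(f"server #{n}: still redirects HTTP to HTTPS")
            for d, a, _ in (sub or []):  # Location rewritten to https points at a closed port
                if d == "proxy_redirect" and len(a) == 2 and a[1].startswith("https://"):
                    findings.append(f"server #{n}: {name} {' '.join(args)} rewrites Location to https")
    return findings

# Constructed inputs mirroring the thread: the stock config and the HTTP-only edit.
ORIGINAL = """server { listen 80; server_name ~(.+)$; return 301 https://$1$request_uri; }
server { listen 443 ssl; server_name _; ssl_certificate /etc/nginx/minemeld.cer;
  location @proxy_to_app { proxy_redirect http://$http_host/ https://$http_host/; proxy_pass http://app_server; } }
"""
HTTP_ONLY = """# server { listen 80; server_name ~(.+)$; return 301 https://$1$request_uri; }
server { # listen 443 ssl;
  listen 80; server_name _; location @proxy_to_app { proxy_redirect off; proxy_pass http://app_server; } }
"""
```

Whatever the checker reports, run nginx -t before reloading, and with TLS offloaded to the balancer keep port 80 on the backends reachable only from the balancer.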
02-06-2018 06:11 AM
OK, after I rebooted the Azure VM it is now working on HTTP with the above config. Just restarting the MineMeld service wasn't working for me.
03-05-2018 07:17 AM
Dear Imori,
It crashed my application after this change. I even tried restoring my old config backup file and restarting. Now the nodes tab is empty and the engine keeps restarting. Is there any fix for this?
Thanks,
Ram
05-21-2018 05:14 AM
I do not have the situation that nopsled has, but there is a valid use case for using MineMeld over HTTP. From a security perspective HTTP is definitely not an option, but when you want to ensure the availability of a MineMeld list in your firewall as an EDL, then MineMeld has to be up and running all the time. If the MineMeld machine, and thus the MineMeld list for the EDL, is not available over HTTPS, then the EDL list seems to get emptied. To avoid this situation and to make sure that the firewall uses the last successfully retrieved list, HTTP has to be used. Here is the exact information on this: "If the web server is unreachable, the firewall will use the last successfully retrieved list for enforcing policy until the connection is restored with the web server, but only if the list is not secured with SSL."
Link for the resource is here: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-...