GSAD Nginx reverse proxy

gsa: Greenbone Security Assistant 8.0.0
gvm: Greenbone Vulnerability Manager 8.0.0 - Manager DB revision 205
openvas-scanner: OpenVAS Scanner 6.0.0

Operating system: Ubuntu 18.04
Kernel: Linux ubuntu64 4.15.0-51-generic #55-Ubuntu SMP Wed May 15 14:27:21 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Installation method / source: Ubuntu ppa:mrazavi/gvm

Install went fine but can’t manage to get the webui through an Nginx location, say /gvm.
Could anyone please point me to a valid example/guide?

Also, why do I get

main: Unknown option --allow-header-host=my.server.com

if I uncomment ALLOW_HEADER_HOST in /etc/default/gsad?

Thanks

Because this is a bug in your packages. The allow-header-host option was never part of gsad 8. It’s only required for gsad 7.

Thanks, I’ll leave it alone.

How do I deal with the

MHD: Error: received handshake message out of context

messages then? Is the whole reverse proxy scenario workable at this point?

Thanks again

First of all, it’s just a warning despite being logged as an error. Usually it’s being issued when accessing the https port of gsad via http.

I tried with HTTP_ONLY=0 and ran into the same kind of problems Nginx-wise.

Any lead at all about reverse proxying gsad? Conf examples related to previous versions don’t seem to work.

Yes because the webpage (GSA) is re-written in JavaScript as a Single-Page-Application.

You didn’t mention your problems yet.

I’m wandering in the dark trying to find a working Nginx location conf for my server block.

Suppose my location is defined as

    location /gvm {
        proxy_pass https://127.0.0.1:4000/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

I get

2019/06/18 15:12:50 [error] 3596#3596: *14180 open() “/var/www/html/gvm” failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: “GET /gvm HTTP/2.0”, host: “my,server,com”

2019/06/18 15:12:50 [error] 3596#3596: *14180 open() “/var/www/html/favicon.ico” failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: “GET /favicon.ico HTTP/2.0”, host: “my,server,com”, referrer: “https://my,server,com/gvm”

and a most obvious

404 Not Found nginx/1.14.0 (Ubuntu)

browser-side.

(edited urls to bypass freaky spam filter)

Also, a bunch of 404

2019/06/18 15:42:45 [error] 21767#21767: *12 open() “/var/www/html/config.js” failed (2: No such file or directory), client: 1.2.3.4, server: ve, request: “GET /config.js HTTP/2.0”, ho$
2019/06/18 15:42:45 [error] 21767#21767: *12 open() “/var/www/html/static/css/2.954d3bba.chunk.css” failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: "GET /s$
2019/06/18 15:42:45 [error] 21767#21767: *12 open() “/var/www/html/static/js/2.57da7522.chunk.js” failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: "GET /sta$
2019/06/18 15:42:45 [error] 21767#21767: *12 open() “/var/www/html/static/js/main.49a4a29c.chunk.js” failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: "GET /$
2019/06/18 15:42:45 [error] 21767#21767: *12 open() “/var/www/html/img/favicon.gif” failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: "GET /img/favicon.gif H$

For me it seems nginx still tries to resolve the requests locally from files instead of forwarding the request. But the whole nginx setup is outside of my knowledge.
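The error-log entries above can be checked mechanically. The following is an added example, not part of any post in this thread: it extracts the request URI from each nginx `open() ... failed` entry and sorts it by whether it starts with the proxied prefix. The function name `classify`, the host `example.test` and the client address are assumptions; the sample lines are constructed in the shape of the ones posted.

```python
import re

# nginx writes this entry when its static-file handler cannot open a path.
# Capture the request URI that led to the failed open().
OPEN_FAILED = re.compile(
    r'open\(\) "[^"]+" failed .*?request: "(?:GET|HEAD|POST) (?P<uri>\S+)'
)

def classify(log_lines, prefix="/gvm"):
    """Group locally served URIs by whether they start with the proxied prefix.

    inside:  the URI starts with the prefix but nginx still looked on disk,
             so the location block was not in effect for that request
             (wrong server block, or configuration not reloaded).
    outside: root-relative URIs such as the SPA's assets, which a prefix
             location can never match.
    """
    result = {"inside": [], "outside": []}
    for line in log_lines:
        m = OPEN_FAILED.search(line)
        if m is None:
            continue  # not a static-file miss
        uri = m.group("uri").split("?", 1)[0]
        # nginx prefix locations are plain string-prefix matches
        result["inside" if uri.startswith(prefix) else "outside"].append(uri)
    return result

# Constructed sample input (hypothetical host and client address).
_HEAD = '2019/06/18 15:42:45 [error] 21767#21767: *12 open() "/var/www/html'
_TAIL = (' HTTP/2.0", host: "example.test"')
_MID = '" failed (2: No such file or directory), client: 192.0.2.10, ' \
       'server: example.test, request: "GET '
SAMPLE = [
    _HEAD + "/gvm" + _MID + "/gvm" + _TAIL,
    _HEAD + "/favicon.ico" + _MID + "/favicon.ico" + _TAIL,
    _HEAD + "/config.js" + _MID + "/config.js" + _TAIL,
    _HEAD + "/static/js/main.49a4a29c.chunk.js" + _MID
          + "/static/js/main.49a4a29c.chunk.js" + _TAIL,
    "2019/06/18 15:42:46 [notice] 21767#21767: signal process started",
]

if __name__ == "__main__":
    for group, uris in classify(SAMPLE).items():
        print(group, uris)
```

An entry in `inside` means the location block never handled the request; entries in `outside` are the application's root-relative asset requests, which only a location at `/` would catch.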

Why do you wanna run an NGINX in front of a GSA? Is a direct connection not better and simpler to set up?

Simpler, yes.

But I need to have a single publication point for all webservices running on that particular host: one FQDN, one open port (443), so I aim for a "https://my.server.com/servicename" for each service.

Smaller attack surface, same SSL certificate and the like.

OK, you need to install a TLS-aware proxy with header re-writing. A simple TCP proxy will not work.

E.g.:

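    # The backend group must be declared with the "upstream" directive
    upstream backend {
        server some-ip:443;
    }

    server {
        # Terminate TLS at the proxy; the server certificate paths are placeholders
        listen 443 ssl;
        ssl_certificate        certs/server.crt;
        ssl_certificate_key    certs/server.key;

        location / {
            # Client certificate nginx presents to the backend
            proxy_ssl_certificate        certs/client.crt;
            proxy_ssl_certificate_key    certs/client.key;

            proxy_pass https://backend;
        }
    }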

Thank you guys for your time and patience.

How would that change if I had to use a different location, say /gvm instead of /: does GSAD need to be aware (reconfigured) that its base path has changed from / to /gvm?

I’m trying Lukas’ example right away and will let you know.

We don’t support this use case and I really have doubts that it will work with GVM 10/GSA 8.


With a nginx rewrite rule, but this is the wrong forum for that. Please google how to do that.

I tried to have Nginx generally rewriting the base path but always ended up with 404s, that’s why I came here to ask which application specific paths need rewriting.

I take from bricks’ last reply that it would be wasted time.

Thank you for the clarification.

This is not static content, you need to rewrite any OBJECT REQUEST RESPONSE and PDU and request in the middle with your reverse proxy. I would suggest you look with Burp first how the communication runs, and then plan your rewriting.

I will look into that, thanks again.

Hi,

Do you have any solution for nginx and gsad integration?

Thanks,
