GSAD Nginx reverse proxy

gsa: Greenbone Security Assistant 8.0.0
gvm: Greenbone Vulnerability Manager 8.0.0 - Manager DB revision 205
openvas-scanner: OpenVAS Scanner 6.0.0

Operating system: Ubuntu 18.04
Kernel: Linux ubuntu64 4.15.0-51-generic #55-Ubuntu SMP Wed May 15 14:27:21 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Installation method / source: Ubuntu ppa:mrazavi/gvm

Install went fine but can’t manage to get the webui through a Ngnix location, say /gvm .
Could anyone please point me to a valid example/guide?

Also, why do I get

main: Unknown option --allow-header-host=my.server.com

if I uncomment ALLOW_HEADER_HOST in /etc/default/gsad ?

Thanks

Because this is a bug in you packages. The allow-header-host option was never part of gsad 8. It’s only required for gsad 7

Thanks, I’ll leave it alone.

How do I deal with the

MHD: Error: received handshake message out of context

messages then? Is the whole reverse proxy scenario workable at this point?

Thanks again

First of all it’s just a warning despite logged as an error. Usually it’s being issued when accessing the https port of gsad via http.

I tried with HTTP_ONLY=0 and ran into the same kind of problems Nginix-wise.

Any lead at all about reverse proxying gsad? Conf examples related to previous versions don’t seem to work.

Yes because the webpage (GSA) is re-written in JavaScript as a Single-Page-Application.

You didn’t mention your problems yet.

I’m wandering in the dark trying to find a working Nginx location conf for my server block.

Suppose my location is defined as

    location /gvm {
    proxy_pass https://127.0.0.1:4000/;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

I get

2019/06/18 15:12:50 [error] 3596#3596: *14180 open() “/var/www/html/gvm” failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: “GET /gvm HTTP/2.0”, host: “my,server,com”

2019/06/18 15:12:50 [error] 3596#3596: *14180 open() “/var/www/html/favicon.ico” failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: “GET /favicon.ico HTTP/2.0”, host: “my,server,com”, referrer: “https://my,server,com/gvm”

and a most obvious

404 Not Found nginx/1.14.0 (Ubuntu)

browser-side.

(edited urls to bypass freaky spam filter)

Also, a bunch of 404

2019/06/18 15:42:45 [error] 21767#21767: *12 open() “/var/www/html/config.js” failed (2: No such file or directory), client: 1.2.3.4, server: ve, request: “GET /config.js HTTP/2.0”, ho$
2019/06/18 15:42:45 [error] 21767#21767: *12 open() “/var/www/html/static/css/2.954d3bba.chunk.css”
failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: "GET /s$
2019/06/18 15:42:45 [error] 21767#21767: *12 open() “/var/www/html/static/js/2.57da7522.chunk.js” failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: "GET /sta$
2019/06/18 15:42:45 [error] 21767#21767: *12 open() “/var/www/html/static/js/main.49a4a29c.chunk.js” failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: "GET /$
2019/06/18 15:42:45 [error] 21767#21767: *12 open() “/var/www/html/img/favicon.gif” failed (2: No such file or directory), client: 1.2.3.4, server: my,server,com, request: "GET /img/favicon.gif H$

For me it seems ngnix still tries to resolve the requests locally from files instead forwarding the request. But the whole nginx setup is outside of my knowledge.

Why do you wanna run a NGINX in front of a GSA ? Is a direct connection not better and simpler to setup ?

Simpler, yes.

But I need to have a single publication point for all webservices running on that particular host: one FQDN, one open port (443), so I aim for a " https://my.server.com/servicename " for each service.

Smaller attack surface, same SSL certificate and the like.

OK you need to install a TLS aware proxy with header re-writing. A simple TCP proxy will not work.

E.g.:

backend {
    server some-ip:443;
}

server {
    listen 443;


    location / {
        proxy_ssl_certificate        certs/client.crt;
        proxy_ssl_certificate_key    certs/client.key;


        proxy_pass https://backend;
    }
}

Thank you guys for your time and patience.

How would that change if I had to use a different location, say /gvm instead of / : does GSAD need to be aware (reconfigured) that its base path has changed from / to /gvm ?

I’m trying Lukas’ example right away and let you know.

We don’t support this use case and I really have doubts that it will work with GVM 10/GSA 8.

1 Like

With a nginx rewrite rule, but this is the wrong forum for that. Please google how to do that.

I tried to have Nginx generally rewriting the base path but always ended up with 404s, that’s why I came here to ask which application specific paths need rewriting.

I take from bricks’ last reply that it would be wasted time.

Thank you for the clarification.

This is not static content, you need to rewrite any OBJECT REQUEST RESPONSE and PDU and request in the middle with your reverse proxy. I would suggest you look with burp fist how the communication runs, and then plan you rewriting.

I will look into that, thanks again.

Hi,

Do you have any solution for nginx and gsad integration?

Thanks,