topic Re: Web Server location in Splunk SOAR

Web Server location

stevenbo — Tue, 09 Apr 2024 14:36:22 GMT

Where is the web server actually installed to and ran from for SOAR in a RHEL environment? Unlike Splunk Web UI where I can modify the web.conf file, for SOAR I only see a massive amount of py files everywhere. I need to figure out where it actually starts and sets it's paths. Specifically where SSL is chosen. Assume I have installed SOAR to /data

Thanks for any assistance!

Re: Web Server location

marnall — Tue, 09 Apr 2024 20:12:50 GMT

In SOAR, the webserver is nginx. It has a configuration file at: ($SOARDIR$= your soar/phantom install directory. E.g. /opt/phantom or /data)

$SOARDIR$/usr/nginx/conf/phantom-nginx-server.conf

... which includes the config in conf.d:

$SOARDIR$/usr/nginx/conf/conf.d/phantom-nginx-server.conf

which sets the SSL options:

ssl_certificate /opt/phantom/etc/ssl/certs/httpd_cert.crt; ssl_certificate_key /opt/phantom/etc/ssl/private/httpd_cert.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ssl_session_cache shared:TLS:2m; ssl_dhparam /opt/phantom/etc/ssl/dhparams.pem;

Re: Web Server location

stevenbo — Wed, 10 Apr 2024 17:10:49 GMT

Thank you for the response. After a lot of digging and looking through py files and scripts, I did manage to find those 2 conf files. I was able to successfully disable SSL and access via http, the weird thing is on some machines, I am unable to login, I receive a 403 error (SOAR outputs as "Login Prevented. Please close your browser and try again"), on others, I can log in with no issue. I cannot find anything in the nginx confs that would cause this issue. It is assumably a local issue to those machines, but I would like to track it down so I can ensure it won't be a problem in the environment we intend to use. I know Django and UWSGI are also playing roles in this configuration, but I am not sure what those roles are.

Re: Web Server location

phanTom — Thu, 11 Apr 2024 08:36:04 GMT

@stevenbo I am curious why you need to do this tbh.

You may also find that your current setup will be unsupported after your changes. Always best to get some top cover from Splunk Support, especially if it's going to be a production system.

Re: Web Server location

stevenbo — Thu, 11 Apr 2024 17:38:59 GMT

Going the route I am inquiring about is not my preference. I have kind of a convoluted internal network. I have requests in with my network team to get ssl passed through to where I need it and in the meantime am just trying to consider other options in case they can't make it work.