Splunk SOAR

Web Server location

stevenbo
Explorer

Where is the web server actually installed to and ran from for SOAR in a RHEL environment? Unlike Splunk Web UI where I can modify the web.conf file, for SOAR I only see a massive amount of py files everywhere. I need to figure out where it actually starts and sets it's paths. Specifically where SSL is chosen. Assume I have installed SOAR to /data

 

Thanks for any assistance!

0 Karma
1 Solution

marnall
Motivator

In SOAR, the webserver is nginx. It has a configuration file at: ($SOARDIR$= your soar/phantom install directory. E.g. /opt/phantom or /data) 

$SOARDIR$/usr/nginx/conf/phantom-nginx-server.conf

... which includes the config in conf.d:

$SOARDIR$/usr/nginx/conf/conf.d/phantom-nginx-server.conf

which sets the SSL options:

  ssl_certificate     /opt/phantom/etc/ssl/certs/httpd_cert.crt;
  ssl_certificate_key /opt/phantom/etc/ssl/private/httpd_cert.key;
  ssl_protocols       TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers         
  ssl_session_cache   shared:TLS:2m;
  ssl_dhparam /opt/phantom/etc/ssl/dhparams.pem;

 

View solution in original post

marnall
Motivator

In SOAR, the webserver is nginx. It has a configuration file at: ($SOARDIR$= your soar/phantom install directory. E.g. /opt/phantom or /data) 

$SOARDIR$/usr/nginx/conf/phantom-nginx-server.conf

... which includes the config in conf.d:

$SOARDIR$/usr/nginx/conf/conf.d/phantom-nginx-server.conf

which sets the SSL options:

  ssl_certificate     /opt/phantom/etc/ssl/certs/httpd_cert.crt;
  ssl_certificate_key /opt/phantom/etc/ssl/private/httpd_cert.key;
  ssl_protocols       TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers         
  ssl_session_cache   shared:TLS:2m;
  ssl_dhparam /opt/phantom/etc/ssl/dhparams.pem;

 

stevenbo
Explorer

Thank you for the response. After a lot of digging and looking through py files and scripts, I did manage to find those 2 conf files. I was able to successfully disable SSL and access via http, the weird thing is on some machines, I am unable to login, I receive a 403 error (SOAR outputs as "Login Prevented. Please close your browser and try again"), on others, I can log in with no issue. I cannot find anything in the nginx confs that would cause this issue. It is assumably a local issue to those machines, but I would like to track it down so I can ensure it won't be a problem in the environment we intend to use. I know Django and UWSGI are also playing roles in this configuration, but I am not sure what those roles are. 

0 Karma

phanTom
SplunkTrust
SplunkTrust

@stevenbo I am curious why you need to do this tbh. 


You may also find that your current setup will be unsupported after your changes. Always best to get some top cover from Splunk Support, especially if it's going to be a production system. 

0 Karma

stevenbo
Explorer

Going the route I am inquiring about is not my preference. I have kind of a convoluted internal network. I have requests in with my network team to get ssl passed through to where I need it and in the meantime am just trying to consider other options in case they can't make it work. 

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...