Splunk SOAR

Web Server location

stevenbo
Explorer

Where is the web server actually installed to and run from for SOAR in a RHEL environment? Unlike Splunk Web UI where I can modify the web.conf file, for SOAR I only see a massive amount of py files everywhere. I need to figure out where it actually starts and sets its paths. Specifically where SSL is chosen. Assume I have installed SOAR to /data

 

Thanks for any assistance!

0 Karma
1 Solution

marnall
Motivator

In SOAR, the webserver is nginx. It has a configuration file at ($SOARDIR$ = your SOAR/Phantom install directory, e.g. /opt/phantom or /data):

$SOARDIR$/usr/nginx/conf/phantom-nginx-server.conf

... which includes the config in conf.d:

$SOARDIR$/usr/nginx/conf/conf.d/phantom-nginx-server.conf

which sets the SSL options:

  ssl_certificate     /opt/phantom/etc/ssl/certs/httpd_cert.crt;
  ssl_certificate_key /opt/phantom/etc/ssl/private/httpd_cert.key;
  ssl_protocols       TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers         
  ssl_session_cache   shared:TLS:2m;
  ssl_dhparam /opt/phantom/etc/ssl/dhparams.pem;

 
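Those two files are the place to look. As an added example (not from this thread and not Splunk's own tooling), the POSIX sh script below builds a constructed SOAR-like tree with that layout, lists every ssl_* directive from the main nginx config plus its conf.d includes, resolves the files that ssl_certificate, ssl_certificate_key and ssl_dhparam point at, and flags any deprecated protocol in ssl_protocols. The function names, the sample tree and the assumption that the main file reaches conf.d through an include directive are mine; on a real host pass /opt/phantom or /data instead of the constructed directory.

```shell
#!/bin/sh
# Added example, not from the original thread or from Splunk. It assumes the
# layout marnall describes: $SOARDIR/usr/nginx/conf/phantom-nginx-server.conf
# includes $SOARDIR/usr/nginx/conf/conf.d/*.conf, where the ssl_* directives live.
# make_sample_soar builds a constructed tree so the script runs offline.

# Build a constructed SOAR-like tree under $1: main nginx config, a conf.d
# fragment carrying the TLS settings, and empty cert/key/dhparam files.
make_sample_soar() {
    dir=$1
    mkdir -p "$dir/usr/nginx/conf/conf.d" "$dir/etc/ssl/certs" "$dir/etc/ssl/private"
    cat > "$dir/usr/nginx/conf/phantom-nginx-server.conf" <<EOF
# constructed main config; the real file carries many more directives
worker_processes 1;
http {
    include $dir/usr/nginx/conf/conf.d/*.conf;
}
EOF
    cat > "$dir/usr/nginx/conf/conf.d/phantom-nginx-server.conf" <<EOF
# constructed fragment mirroring the directives quoted in the answer
server {
    listen 443 ssl;
    ssl_certificate     $dir/etc/ssl/certs/httpd_cert.crt;
    ssl_certificate_key $dir/etc/ssl/private/httpd_cert.key;
    ssl_protocols       TLSv1.2 TLSv1.3;   # trailing comment must be ignored
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:TLS:2m;
    ssl_dhparam         $dir/etc/ssl/dhparams.pem;
}
EOF
    : > "$dir/etc/ssl/certs/httpd_cert.crt"
    : > "$dir/etc/ssl/private/httpd_cert.key"
    : > "$dir/etc/ssl/dhparams.pem"
}

# Print every ssl_* directive from the main config and its conf.d includes,
# one per line, with comments, trailing semicolons and extra whitespace removed.
soar_ssl_directives() {
    conf=$1/usr/nginx/conf
    [ -f "$conf/phantom-nginx-server.conf" ] || {
        echo "no phantom-nginx-server.conf under $conf" >&2
        return 1
    }
    cat "$conf/phantom-nginx-server.conf" "$conf"/conf.d/*.conf 2>/dev/null |
        sed -e 's/#.*$//' -e 's/;[[:space:]]*$//' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]][[:space:]]*/ /g' |
        grep '^ssl_'
}

# Value of one ssl_* directive (first match wins), e.g. soar_ssl_value /data ssl_protocols
soar_ssl_value() {
    soar_ssl_directives "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Return 0 only if the certificate, key and dhparam files the config names all exist.
soar_ssl_files_ok() {
    for k in ssl_certificate ssl_certificate_key ssl_dhparam; do
        f=$(soar_ssl_value "$1" "$k")
        [ -n "$f" ] && [ -f "$f" ] || { echo "$k -> '$f' missing" >&2; return 1; }
    done
    return 0
}

# Return 0 unless ssl_protocols enables a deprecated protocol (SSLv2/3, TLSv1, TLSv1.1).
soar_ssl_protocols_ok() {
    for p in $(soar_ssl_value "$1" ssl_protocols); do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "deprecated protocol enabled: $p" >&2; return 1 ;;
        esac
    done
    return 0
}

# Stand-alone demo against the constructed tree.
demo=$(mktemp -d)
make_sample_soar "$demo"
soar_ssl_directives "$demo"
soar_ssl_files_ok "$demo" && soar_ssl_protocols_ok "$demo" && echo "TLS config under $demo looks sane"
rm -rf "$demo"
```

Running the same functions against a real install (for example `soar_ssl_directives /data`) shows exactly which certificate and key nginx is loading, which is the quickest way to confirm that a replaced cert actually took effect after a restart.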


stevenbo
Explorer

Thank you for the response. After a lot of digging and looking through py files and scripts, I did manage to find those 2 conf files. I was able to successfully disable SSL and access via http, the weird thing is on some machines, I am unable to login, I receive a 403 error (SOAR outputs as "Login Prevented. Please close your browser and try again"), on others, I can log in with no issue. I cannot find anything in the nginx confs that would cause this issue. It is assumably a local issue to those machines, but I would like to track it down so I can ensure it won't be a problem in the environment we intend to use. I know Django and UWSGI are also playing roles in this configuration, but I am not sure what those roles are. 

0 Karma

phanTom
SplunkTrust

@stevenbo I am curious why you need to do this tbh. 


You may also find that your current setup will be unsupported after your changes. Always best to get some top cover from Splunk Support, especially if it's going to be a production system. 

0 Karma

stevenbo
Explorer

Going the route I am inquiring about is not my preference. I have kind of a convoluted internal network. I have requests in with my network team to get ssl passed through to where I need it and in the meantime am just trying to consider other options in case they can't make it work. 

0 Karma