Advanced Deployment Topics

We assume that the THREATGET server was successfully deployed and is started.

Proxy Server

THREATGET needs to establish outgoing connections to license.threatget.com for license verification and for updates of elements and rules. If outgoing connections require a proxy server, it can be configured as follows in docker-compose.yml:

services:
  threatget:
    environment:
        - HTTPS_PROXY_HOST=10.0.2.2
        - HTTPS_PROXY_PORT=8888
        - HTTPS_PIN_CERT=MIIDsjCCApqgAwI...pxpX/Ic=
        - HTTPS_IGNORE_CERTS=false

THREATGET respects the environment variables HTTPS_PROXY_HOST and HTTPS_PROXY_PORT to specify the proxy server and port.

Furthermore, some proxy servers terminate TLS connections and re-encrypt them using their own root certificate. The variable HTTPS_PIN_CERT can be used to supply that root certificate; THREATGET will then accept only this certificate as a root certificate. The value of the variable is a base64-encoded DER certificate without newlines. It can be obtained using cat rootCA.cer | base64 -w 0, where rootCA.cer is a DER-encoded certificate. A PEM-encoded certificate can be converted to DER using openssl x509 -in rootCA.pem -outform DER -out rootCA.cer.

If a root certificate cannot be specified, it is possible to disable certificate checking completely by setting HTTPS_IGNORE_CERTS=true. Note that HTTPS_IGNORE_CERTS is ignored when HTTPS_PIN_CERT is set. HTTPS_IGNORE_CERTS is dangerous because it allows the connection to be manipulated by a man-in-the-middle attack; setting it is not recommended.

The container then needs to be restarted:

sudo docker-compose down
sudo docker-compose up -d
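
As an added helper that is not part of THREATGET or of this guide, the following POSIX shell functions produce the HTTPS_PIN_CERT value from a root certificate file in either DER or PEM form using only coreutils (no openssl needed, since PEM is just base64 DER between armor lines), and check that a value is single-line base64 that decodes to a DER certificate. The function names are my own.

```shell
#!/bin/sh
# Added helper (not THREATGET's own code): prepare and sanity-check the
# HTTPS_PIN_CERT value for docker-compose.yml. The input file must contain
# only the proxy's root certificate, as DER (e.g. rootCA.cer) or PEM
# (e.g. rootCA.pem).
#
# Usage: pin_cert_value rootCA.pem
#        validate_pin_value "MIIDsjCCApqg..."

# Print the base64-encoded DER certificate on a single line, without a
# trailing newline, exactly as HTTPS_PIN_CERT expects it.
pin_cert_value() {
    if head -n 1 "$1" | grep -q 'BEGIN CERTIFICATE'; then
        # PEM: drop the armor lines, decode the body (this also validates
        # the base64) and re-encode it as one line.
        sed '/^-----/d' "$1" | tr -d '\r\n' | base64 -d | base64 | tr -d '\n'
    else
        # DER: equivalent to "cat rootCA.cer | base64 -w 0" from the guide.
        base64 < "$1" | tr -d '\n'
    fi
}

# Return 0 when $1 looks like a usable HTTPS_PIN_CERT value: non-empty, only
# base64 characters (so no newline or whitespace slipped in), and decoding
# to an ASN.1 SEQUENCE (tag 0x30), which every DER certificate starts with.
validate_pin_value() {
    case "$1" in
        "" | *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    first_byte=$(printf '%s' "$1" | base64 -d 2>/dev/null \
                 | head -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$first_byte" = "30" ]
}
```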

HTTPS connectivity

Our Deployment Guide ensures that THREATGET is reachable on port 80 via HTTP. To support secure HTTPS connectivity, an HTTPS terminator needs to be introduced. Please note that the customer's IT department is responsible for configuring this; we provide the instructions below for convenience.

To allow access to the website via HTTPS, you will need a certificate for the desired domain. HTTPS certificates are sold by certification authorities. If the website is reachable from the Internet (as opposed to being firewalled), Let's Encrypt can be used to obtain a free certificate.

The recommended setup is to make the THREATGET administration interface available only from the company network and to use a commercial certificate.

To this end, the following lines in the docker-compose.yml file above need to be changed from

    ports:
      - "80:8080"

to

    ports:
      - "8080:8080"

In addition, PROTOCOL=http needs to be changed to PROTOCOL=https in the .env file. Since the reverse proxy configured below connects to http://localhost:8080/, port 8080 only needs to be reachable from the host itself; this traffic is unencrypted, so make sure the port is not exposed beyond the host.

After that, the containers need to be restarted:

cd ~/threatget
sudo docker-compose down
sudo docker-compose up -d

Reverse proxy

Any reverse proxy that can terminate HTTPS is suitable. We demonstrate the configuration using Apache2, which can be installed with:

sudo apt-get install apache2
sudo a2enmod proxy_http ssl rewrite

We then create the file /etc/apache2/sites-available/threatget.conf with the following content. Note that /etc/ssl/certificate.pem and /etc/ssl/privkey.pem are provided by your SSL certificate vendor and must be installed beforehand. The hostname threatget.mycompany.com also needs to be replaced by your own domain name.

<VirtualHost *:80>
ServerName threatget.mycompany.com

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
ServerName threatget.mycompany.com

ProxyPass "/"  "http://localhost:8080/"
ProxyPassReverse "/"  "http://localhost:8080/"

SSLCertificateFile /etc/ssl/certificate.pem
SSLCertificateKeyFile /etc/ssl/privkey.pem

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire
</VirtualHost>

Finally, enable the site and reload the Apache configuration:

sudo a2ensite threatget
sudo systemctl reload apache2

Your THREATGET instance will subsequently be available via HTTPS, and HTTP requests are automatically redirected to HTTPS.