Advanced Deployment Topics
We assume that the THREATGET server has been successfully deployed and started.
Proxy Server
THREATGET needs to establish outgoing connections to license.threatget.com for license verification and for updates of elements and rules. If outgoing connections require a proxy server, it can be configured as follows in the docker-compose.yml:
services:
  threatget:
    environment:
      - HTTPS_PROXY_HOST=10.0.2.2
      - HTTPS_PROXY_PORT=8888
      - HTTPS_PIN_CERT=MIIDsjCCApqgAwI...pxpX/Ic=
      - HTTPS_IGNORE_CERTS=false
THREATGET respects the environment variables HTTPS_PROXY_HOST and HTTPS_PROXY_PORT to specify the proxy server and port.
Furthermore, some proxy servers intercept TLS connections and re-encrypt the connection using their own root certificate.
The variable HTTPS_PIN_CERT can be used to supply that root certificate. THREATGET will then accept only this certificate as a root certificate. The value of the variable is a base64-encoded DER certificate without newlines. It can be obtained using cat rootCA.cer | base64 -w 0, where rootCA.cer is a DER-encoded certificate. A PEM-encoded certificate can be converted to DER using openssl x509 -in rootCA.pem -outform DER -out rootCA.cer.
If a root certificate cannot be specified, it is possible to disable certificate checking completely by specifying HTTPS_IGNORE_CERTS=true. Note that HTTPS_IGNORE_CERTS is ignored when HTTPS_PIN_CERT is set. HTTPS_IGNORE_CERTS is dangerous, as it allows the connection to be manipulated by a man-in-the-middle attack. Setting HTTPS_IGNORE_CERTS is not recommended.
The container then needs to be restarted:
sudo docker-compose down
sudo docker-compose up -d
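As an added check (example code, not part of THREATGET or its documentation), the following Python derives the HTTPS_PIN_CERT value from a PEM file without openssl and sanity-checks the environment entries before the restart. SAMPLE_PEM is a constructed placeholder, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder for testing: a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"


def pin_value_from_pem(pem_text):
    """Derive HTTPS_PIN_CERT from a PEM certificate: the PEM body is already base64
    DER, so stripping headers/whitespace equals `openssl x509 -outform DER | base64 -w 0`."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return re.sub(r"\s+", "", m.group(1))

def der_length_ok(der):
    """True if the blob is exactly one DER SEQUENCE (the outer X.509 structure)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_proxy_env(env):
    """Return findings for the `environment:` list of the threatget service."""
    vals = dict(e.split("=", 1) for e in env if "=" in e)
    findings = []
    pin = vals.get("HTTPS_PIN_CERT")
    if pin is not None:
        if re.search(r"\s", pin):
            findings.append("HTTPS_PIN_CERT contains whitespace; encode with base64 -w 0")
        try:
            der = base64.b64decode(pin, validate=True)
        except ValueError:                # binascii.Error is a ValueError
            findings.append("HTTPS_PIN_CERT is not valid base64")
        else:
            if not der_length_ok(der):
                findings.append("HTTPS_PIN_CERT does not decode to one DER certificate")
    if vals.get("HTTPS_IGNORE_CERTS", "false").lower() == "true":
        if pin is not None:
            findings.append("HTTPS_IGNORE_CERTS=true is ignored because HTTPS_PIN_CERT is set")
        else:
            findings.append("HTTPS_IGNORE_CERTS=true disables certificate checking (MITM exposure)")
    return findings
```

Run check_proxy_env on the environment list from your docker-compose.yml; an empty result means the pinning value is well-formed and certificate checking is not being disabled.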
HTTPS connectivity
Our Deployment Guide ensures that THREATGET is reachable on port 80 via HTTP. To support secure HTTPS connectivity, an HTTPS terminator needs to be introduced. Please note that the customer's IT department is responsible for configuring this; we provide the instructions below for convenience.
To allow access to the website via HTTPS you will need a certificate for the desired domain. HTTPS certificates are sold by certificate authorities. If the website is reachable from the Internet (as opposed to being firewalled), Let's Encrypt can be used to obtain a free certificate.
The recommended setup is to have the THREATGET administration interface only available from the company network and use a commercial certificate.
To this end, the following lines in the docker-compose.yml file above need to be adjusted from
ports:
  - "80:8080"
to
ports:
  - "8080:8080"
In addition, PROTOCOL=http needs to be changed to PROTOCOL=https in the .env file.
After that the containers need to be restarted:
cd ~/threatget
sudo docker-compose down
sudo docker-compose up -d
Reverse proxy
Any reverse proxy that can terminate HTTPS is suitable. We will demonstrate the configuration using apache2, which can be installed using:
sudo apt-get install apache2
sudo a2enmod proxy_http ssl rewrite
We will then create the file /etc/apache2/sites-available/threatget.conf with the following content. Note that /etc/ssl/certificate.pem and /etc/ssl/privkey.pem are provided by your SSL certificate vendor and must be installed beforehand. The hostname threatget.mycompany.com also needs to be adjusted to your domain name.
<VirtualHost *:80>
ServerName threatget.mycompany.com
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerName threatget.mycompany.com
ProxyPass "/" "http://localhost:8080/"
ProxyPassReverse "/" "http://localhost:8080/"
SSLCertificateFile /etc/ssl/certificate.pem
SSLCertificateKeyFile /etc/ssl/privkey.pem
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
</VirtualHost>
Finally, you can enable the site and reload the Apache configuration:
sudo a2ensite threatget
sudo systemctl reload apache2
Your THREATGET instance will subsequently be available via HTTPS, and HTTP requests are automatically redirected to HTTPS.