Proxy
MISP is fully capable of working behind a proxy. To configure a proxy in your MISP instance, go to Administration -> Server Settings & Maintenance -> Proxy Settings (https://misp_host/servers/serverSettings/Proxy).
You can check whether your proxy configuration is working on the MISP diagnostics page: go to Administration -> Server Settings & Maintenance -> Diagnostics (https://MISP_HOST/servers/serverSettings/diagnostics).
The proxy is not working, I cannot fetch feeds or sync with external MISP instances.
When the diagnostics page shows "Getting URL via proxy failed", the best approach is to check the MISP error logs (/var/www/MISP/app/tmp/logs/error.log) for more details.
Full error log:
2022-03-16 08:39:53 Warning: Warning (2): stream_socket_enable_crypto() [<a href='http://php.net/function.stream-socket-enable-crypto'>function.stream-socket-enable-crypto</a>]: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in [/var/www/MISP/app/Lib/cakephp/lib/Cake/Network/CakeSocket.php, line 504]
Trace:
ErrorHandler::handleError() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 230
stream_socket_enable_crypto - [internal], line ??
CakeSocket::enableCrypto() - APP/Lib/cakephp/lib/Cake/Network/CakeSocket.php, line 504
CakeSocket::connect() - APP/Lib/cakephp/lib/Cake/Network/CakeSocket.php, line 261
HttpSocketExtended::connect() - APP/Lib/Tools/HttpSocketExtended.php, line 147
CakeSocket::write() - APP/Lib/cakephp/lib/Cake/Network/CakeSocket.php, line 400
HttpSocket::request() - APP/Lib/cakephp/lib/Cake/Network/Http/HttpSocket.php, line 377
HttpSocketExtended::request() - APP/Lib/Tools/HttpSocketExtended.php, line 186
HttpSocket::get() - APP/Lib/cakephp/lib/Cake/Network/Http/HttpSocket.php, line 464
Server::proxyDiagnostics() - APP/Model/Server.php, line 3432
ServersController::serverSettings() - APP/Controller/ServersController.php, line 1160
ReflectionMethod::invokeArgs() - [internal], line ??
Controller::invokeAction() - APP/Lib/cakephp/lib/Cake/Controller/Controller.php, line 499
Dispatcher::_invoke() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 193
Dispatcher::dispatch() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 167
[main] - APP/webroot/index.php, line 99
This error means your proxy presents a certificate that could not be verified against the MISP internal CA bundle. To add your proxy's CA certificate to the MISP CA bundle, do the following:
- Export your proxy CA certificate in PEM format. If you only manage to export it in DER format, you can convert it to PEM with the following command:

      openssl x509 -inform der -in proxy-cacert.der -out proxy-cacert.pem
- Copy the proxy CA certificate to your MISP instance.
- Verify the proxy CA is valid. From the MISP server terminal, run:

      $ curl -I --proxy http://[PROXY_HOST]:[PROXY_PORT] \
          --cacert proxy-cacert.pem \
          --location https://github.com
      HTTP/1.0 200 Connection established
      HTTP/2 200
      [...]

  If your proxy requires authentication, add the following option:

      --proxy-user username:password

  If the request goes through, continue with the next step. If you get an error such as the following, the certificate is not valid; revise the previous steps.

      HTTP/1.0 200 Connection established
      curl: (60) SSL certificate problem: self signed certificate in certificate chain
      More details here: https://curl.haxx.se/docs/sslcerts.html
      curl failed to verify the legitimacy of the server and therefore could not
      establish a secure connection to it. To learn more about this situation and
      how to fix it, please visit the web page mentioned above.
- If the curl request worked, add the proxy CA cert to the MISP internal CA bundle. From the MISP instance terminal, run:

      sudo cp /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem /etc/ssl/certs/misp-ca-bundle.pem
      # Append through "sudo tee -a": with "sudo echo ... >> file" the redirection
      # is performed by the unprivileged shell and fails on the root-owned file.
      echo "" | sudo tee -a /etc/ssl/certs/misp-ca-bundle.pem > /dev/null
      echo "Company Proxy CA" | sudo tee -a /etc/ssl/certs/misp-ca-bundle.pem > /dev/null
      echo "======================" | sudo tee -a /etc/ssl/certs/misp-ca-bundle.pem > /dev/null
      sudo tee -a /etc/ssl/certs/misp-ca-bundle.pem < proxy-cacert.pem > /dev/null

  The contents of the /etc/ssl/certs/misp-ca-bundle.pem file should look similar to this:

      [...]
      bxJF0WddCajJFdr60qZfE2Efv4WstK2tBZQIgx51F9NxO5NQI1mg7TyRVJ12AMXDuDjb
      -----END CERTIFICATE-----

      Company Proxy CA
      ======================
      -----BEGIN CERTIFICATE-----
      MIIDpzCCAo+gAwIBAgIEcZkjuzANBgkqhkiG9w0BAQsFADCBijEUMBIGA1UEBhML
      UG9ydFN3aWdnZXIxFDASBgNVBAgTC1BvcnRTd2lnZ2VyMRQwEgYDVQQHEwtQb3J0
      U3dpZ2dlcjEUMBIGA1UEChMLUG9ydFN3aWdnZXIxFzAVBgNVBAsTDlBvcnRTd2ln
      Z2VyIENBMRcwFQYDVQQDEw5Qb3J0U3dpZ2dlciBDQTAeFw0xNDAxMDMxOTA4NDZa
      Fw0zMjAxMDMxOTA4NDZaMIGKMRQwEgYDVQQGEwtQb3J0U3dpZ2dlcjEUMBIGA1UE
      CBMLUG9ydFN3aWdnZXIxFDASBgNVBAcTC1BvcnRTd2lnZ2VyMRQwEgYDVQQKEwtQ
      b3J0U3dpZ2dlcjEXMBUGA1UECxMOUG9ydFN3aWdnZXIgQ0ExFzAVBgNVBAMTDlBv
      cnRTd2lnZ2VyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy/O9
      [...]
- Update the MISP.ca_path setting with the value /etc/ssl/certs/misp-ca-bundle.pem. Run:

      sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting MISP.ca_path /etc/ssl/certs/misp-ca-bundle.pem
      Setting "MISP.ca_path" changed to "/etc/ssl/certs/misp-ca-bundle.pem"
- Check the MISP diagnostics page: go to Administration -> Server Settings & Maintenance -> Diagnostics (https://MISP_HOST/servers/serverSettings/diagnostics).
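The bundle-building step above can be made repeatable and safer to re-run. The following is an added example, not code from the MISP project: the function names and exit codes are assumptions of this example, and all file paths are passed as arguments. It refuses a DER export or a non-CA (leaf) certificate and skips the append when the same certificate is already in the bundle.

```shell
#!/bin/sh
# Added example, not MISP project code. Function names and exit codes are
# assumptions of this example; file paths are passed in as arguments.

# SHA-256 fingerprint of the first certificate in a file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of every certificate in a PEM bundle, one per line.
bundle_fps() {
    awk -v cmd='openssl x509 -noout -fingerprint -sha256' '
        /-----BEGIN CERTIFICATE-----/ { pem = ""; keep = 1 }
        keep                          { pem = pem $0 "\n" }
        /-----END CERTIFICATE-----/   { printf "%s", pem | cmd; close(cmd); keep = 0 }
    ' "$1" | cut -d= -f2
}

# add_proxy_ca BASE_BUNDLE PROXY_CA_PEM OUT_BUNDLE [LABEL]
# Returns 0 on success (or if already present), 2 if not PEM, 3 if not a CA.
add_proxy_ca() {
    base=$1; ca=$2; out=$3; label=${4:-Company Proxy CA}

    # A DER export has no PEM armour; convert it first (see the openssl step).
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" ||
       ! openssl x509 -in "$ca" -noout 2>/dev/null; then
        echo "not a PEM certificate: $ca" >&2; return 2
    fi

    # Exporting the proxy's leaf certificate instead of its CA is a common slip.
    if ! openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE'; then
        echo "not a CA certificate (no basicConstraints CA:TRUE): $ca" >&2; return 3
    fi

    # Seed the output from the shipped bundle on the first run only.
    [ -f "$out" ] || cp "$base" "$out"

    # Idempotent: do nothing if this exact certificate is already trusted.
    if bundle_fps "$out" | grep -Fxq "$(cert_fp "$ca")"; then return 0; fi

    # Append label, separator and the first certificate in the file, re-encoded.
    { printf '\n%s\n======================\n' "$label"; openssl x509 -in "$ca"; } >> "$out"
}
```

Run it as a user that can write the output bundle, then point MISP.ca_path at the result as in the setSetting step. Only the first certificate in the input file is appended, so a multi-certificate chain has to be added one file at a time.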
NOTE: If you want to restore the original MISP CA bundle file, replace the following file /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem
with this one this and replace