Apache is going to proxy from /elsa-query/ to port 3154

debian/changelog

@@ -1,3 +1,9 @@
+securityonion-web-page (20141015-0ubuntu0securityonion39) trusty; urgency=medium
+
+  * Apache is going to proxy from /elsa-query/ to port 3154 
+
+ -- Doug Burks <doug.burks@gmail.com>  Mon, 26 Oct 2015 12:57:14 -0400
+
 securityonion-web-page (20141015-0ubuntu0securityonion38) trusty; urgency=medium
 
   * add more htmlspecialchars 

debian/install

@@ -1,3 +1,4 @@
 index.php var/www/so
 securityonion_logo.jpg var/www/so
 elsa var/www/so
+sites-available etc/apache2

debian/patches/Apache-is-going-to-proxy-from-elsa-query-to-port-3154

@@ -0,0 +1,213 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-web-page (20141015-0ubuntu0securityonion39) trusty; urgency=medium
+ .
+   * Apache is going to proxy from /elsa-query/ to port 3154
+Author: Doug Burks <doug.burks@gmail.com>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- securityonion-web-page-20141015.orig/elsa/index.php
++++ securityonion-web-page-20141015/elsa/index.php
+@@ -3,7 +3,7 @@
+ <title>ELSA</title>
+ <FRAMESET cols="15%,85%">
+    <FRAME name="fixed" src="menu.php">
+-   <FRAME name="dynamic" src="https://<?php echo htmlspecialchars("{$_SERVER['HTTP_HOST']}"); ?>:3154">
++   <FRAME name="dynamic" src="/elsa-query/">
+ </FRAMESET>
+ </head>
+ </body>
+--- securityonion-web-page-20141015.orig/elsa/local.php.empty
++++ securityonion-web-page-20141015/elsa/local.php.empty
+@@ -5,4 +5,4 @@ The query links above can be used as a s
+ <i>/var/www/elsa/menu.php</i><br>
+ <br>
+ Here's a sample query link to get you started:<br>
+-<a href="https://<?php echo htmlspecialchars("{$_SERVER['HTTP_HOST']}"); ?>:3154/?query_string=class=BRO_CONN &quot;-&quot; groupby:resp_country_code" target="dynamic" onclick="turnBackBold (this);">Conn Groupby Country</a><br>
++<a href="/elsa-query/?query_string=class=BRO_CONN &quot;-&quot; groupby:resp_country_code" target="dynamic" onclick="turnBackBold (this);">Conn Groupby Country</a><br>
+--- securityonion-web-page-20141015.orig/elsa/menu.php
++++ securityonion-web-page-20141015/elsa/menu.php
+@@ -65,7 +65,7 @@ function showhide(tspan, tri) {
+ 
+ <?php
+ 	/* Define href variables */
+-	$h1 = "https://" . htmlspecialchars("{$_SERVER['HTTP_HOST']}") . ":3154/?query_string=";
++	$h1 = "/elsa-query/?query_string=";
+ 	$h2 = " class=\"tab\" target=\"dynamic\" onclick=\"turnBackBold (this);\"";
+ ?>
+ 
+--- securityonion-web-page-20141015.orig/index.php
++++ securityonion-web-page-20141015/index.php
+@@ -19,10 +19,9 @@ Security Onion is a Linux distro for int
+ Please follow the <a href="https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation">Installation guides</a> on our <a href="https://github.com/Security-Onion-Solutions/security-onion/wiki">Wiki</a>.<br>
+ <br>
+ <b>Local Server</b><br>
+-Links to quickly access your local Squert, ELSA, and Xplico instances:<br>
++Links to quickly access your local Squert and ELSA instances:<br>
+ * <a href="/squert/">Squert</a>: View NIDS/HIDS alerts and HTTP logs<br>
+ * <a href="/elsa/">ELSA</a>: Search logs (IDS, Bro, and syslog)<br>
+-* <a href="https://<?php echo htmlspecialchars("{$_SERVER['HTTP_HOST']}"); ?>:9876">Xplico</a>: Carve PCAP files (please note that <a href="https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall">port 9876 is not open to the outside world by default</a>)<br>
+ <br>
+ <b>Useful Links</b><br>
+ Links to useful Security Onion information:<br>
+--- /dev/null
++++ securityonion-web-page-20141015/sites-available/securityonion.conf
+@@ -0,0 +1,141 @@
++<IfModule mod_ssl.c>
++	<VirtualHost _default_:443>
++		ServerAdmin webmaster@localhost
++
++		DocumentRoot /var/www/html
++
++		ProxyPass /elsa-query http://127.0.0.1:3154/
++		ProxyPassReverse /elsa-query http://127.0.0.1:3154/
++		ProxyPass /inc http://127.0.0.1:3154/
++		ProxyPassReverse /inc http://127.0.0.1:3154/
++
++		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
++		# error, crit, alert, emerg.
++		# It is also possible to configure the loglevel for particular
++		# modules, e.g.
++		#LogLevel info ssl:warn
++
++		ErrorLog ${APACHE_LOG_DIR}/error.log
++		CustomLog ${APACHE_LOG_DIR}/access.log combined
++
++		# For most configuration files from conf-available/, which are
++		# enabled or disabled at a global level, it is possible to
++		# include a line for only one particular virtual host. For example the
++		# following line enables the CGI configuration for this host only
++		# after it has been globally disabled with "a2disconf".
++		#Include conf-available/serve-cgi-bin.conf
++
++		#   SSL Engine Switch:
++		#   Enable/Disable SSL for this virtual host.
++		SSLEngine on
++
++		#   A self-signed (snakeoil) certificate can be created by installing
++		#   the ssl-cert package. See
++		#   /usr/share/doc/apache2/README.Debian.gz for more info.
++		#   If both key and certificate are stored in the same file, only the
++		#   SSLCertificateFile directive is needed.
++		SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
++		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++
++		#   Server Certificate Chain:
++		#   Point SSLCertificateChainFile at a file containing the
++		#   concatenation of PEM encoded CA certificates which form the
++		#   certificate chain for the server certificate. Alternatively
++		#   the referenced file can be the same as SSLCertificateFile
++		#   when the CA certificates are directly appended to the server
++		#   certificate for convinience.
++		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
++
++		#   Certificate Authority (CA):
++		#   Set the CA certificate verification path where to find CA
++		#   certificates for client authentication or alternatively one
++		#   huge file containing all of them (file must be PEM encoded)
++		#   Note: Inside SSLCACertificatePath you need hash symlinks
++		#		 to point to the certificate files. Use the provided
++		#		 Makefile to update the hash symlinks after changes.
++		#SSLCACertificatePath /etc/ssl/certs/
++		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
++
++		#   Certificate Revocation Lists (CRL):
++		#   Set the CA revocation path where to find CA CRLs for client
++		#   authentication or alternatively one huge file containing all
++		#   of them (file must be PEM encoded)
++		#   Note: Inside SSLCARevocationPath you need hash symlinks
++		#		 to point to the certificate files. Use the provided
++		#		 Makefile to update the hash symlinks after changes.
++		#SSLCARevocationPath /etc/apache2/ssl.crl/
++		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
++
++		#   Client Authentication (Type):
++		#   Client certificate verification type and depth.  Types are
++		#   none, optional, require and optional_no_ca.  Depth is a
++		#   number which specifies how deeply to verify the certificate
++		#   issuer chain before deciding the certificate is not valid.
++		#SSLVerifyClient require
++		#SSLVerifyDepth  10
++
++		#   SSL Engine Options:
++		#   Set various options for the SSL engine.
++		#   o FakeBasicAuth:
++		#	 Translate the client X.509 into a Basic Authorisation.  This means that
++		#	 the standard Auth/DBMAuth methods can be used for access control.  The
++		#	 user name is the `one line' version of the client's X.509 certificate.
++		#	 Note that no password is obtained from the user. Every entry in the user
++		#	 file needs this password: `xxj31ZMTZzkVA'.
++		#   o ExportCertData:
++		#	 This exports two additional environment variables: SSL_CLIENT_CERT and
++		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
++		#	 server (always existing) and the client (only existing when client
++		#	 authentication is used). This can be used to import the certificates
++		#	 into CGI scripts.
++		#   o StdEnvVars:
++		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.
++		#	 Per default this exportation is switched off for performance reasons,
++		#	 because the extraction step is an expensive operation and is usually
++		#	 useless for serving static content. So one usually enables the
++		#	 exportation for CGI and SSI requests only.
++		#   o OptRenegotiate:
++		#	 This enables optimized SSL connection renegotiation handling when SSL
++		#	 directives are used in per-directory context.
++		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
++		<FilesMatch "\.(cgi|shtml|phtml|php)$">
++				SSLOptions +StdEnvVars
++		</FilesMatch>
++		<Directory /usr/lib/cgi-bin>
++				SSLOptions +StdEnvVars
++		</Directory>
++
++		#   SSL Protocol Adjustments:
++		#   The safe and default but still SSL/TLS standard compliant shutdown
++		#   approach is that mod_ssl sends the close notify alert but doesn't wait for
++		#   the close notify alert from client. When you need a different shutdown
++		#   approach you can use one of the following variables:
++		#   o ssl-unclean-shutdown:
++		#	 This forces an unclean shutdown when the connection is closed, i.e. no
++		#	 SSL close notify alert is send or allowed to received.  This violates
++		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
++		#	 this when you receive I/O errors because of the standard approach where
++		#	 mod_ssl sends the close notify alert.
++		#   o ssl-accurate-shutdown:
++		#	 This forces an accurate shutdown when the connection is closed, i.e. a
++		#	 SSL close notify alert is send and mod_ssl waits for the close notify
++		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in
++		#	 practice often causes hanging connections with brain-dead browsers. Use
++		#	 this only for browsers where you know that their SSL implementation
++		#	 works correctly.
++		#   Notice: Most problems of broken clients are also related to the HTTP
++		#   keep-alive facility, so you usually additionally want to disable
++		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
++		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
++		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
++		#   "force-response-1.0" for this.
++		BrowserMatch "MSIE [2-6]" \
++				nokeepalive ssl-unclean-shutdown \
++				downgrade-1.0 force-response-1.0
++		# MSIE 7 and newer should be able to use keepalive
++		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
++
++	</VirtualHost>
++</IfModule>
++
++# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

debian/patches/series

@@ -25,3 +25,4 @@ remove-12.04
 Issue-824:-securityonion-web-page:-htmlspecialchars
 securityonion-web-page:-move-SSH-Logins-query-to-Host-Logs-category-#810
 add-more-htmlspecialchars
+Apache-is-going-to-proxy-from-elsa-query-to-port-3154

debian/postinst

@@ -30,22 +30,6 @@ case "$1" in
 		cp $FILE.empty $FILE || echo "Error copying $FILE.empty to $FILE."
 	fi
 
-	# Copy default Apache site to new site called securityonion
-	FILE="/etc/apache2/sites-available/securityonion.conf"
-	cp /etc/apache2/sites-available/default-ssl.conf $FILE || echo "Unable to create $FILE."
-
-	# Update DocumentRoot to /var/www/so
-	sed -i 's|DocumentRoot /var/www/html|DocumentRoot /var/www/so|g' $FILE || echo "Error updating DocumentRoot in $FILE."
-
-	# Enable new securityonion site
-	a2ensite securityonion || echo "Error enabling Apache2 site $FILE."
-
-	# Disable old default-ssl site
-	a2dissite default-ssl || echo "Error disabling Apache2 site default-ssl."
-
-	# Restart Apache2
-	service apache2 restart || echo "Error restarting Apache2."
-
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

elsa/index.php

@@ -3,7 +3,7 @@
 <title>ELSA</title>
 <FRAMESET cols="15%,85%">
    <FRAME name="fixed" src="menu.php">
-   <FRAME name="dynamic" src="https://<?php echo htmlspecialchars("{$_SERVER['HTTP_HOST']}"); ?>:3154">
+   <FRAME name="dynamic" src="/elsa-query/">
 </FRAMESET>
 </head>
 </body>

elsa/local.php.empty

@@ -5,4 +5,4 @@ The query links above can be used as a starting point and are stored in:<br>
 <i>/var/www/elsa/menu.php</i><br>
 <br>
 Here's a sample query link to get you started:<br>
-<a href="https://<?php echo htmlspecialchars("{$_SERVER['HTTP_HOST']}"); ?>:3154/?query_string=class=BRO_CONN &quot;-&quot; groupby:resp_country_code" target="dynamic" onclick="turnBackBold (this);">Conn Groupby Country</a><br>
+<a href="/elsa-query/?query_string=class=BRO_CONN &quot;-&quot; groupby:resp_country_code" target="dynamic" onclick="turnBackBold (this);">Conn Groupby Country</a><br>

elsa/menu.php

@@ -65,7 +65,7 @@ function showhide(tspan, tri) {
 
 <?php
 	/* Define href variables */
-	$h1 = "https://" . htmlspecialchars("{$_SERVER['HTTP_HOST']}") . ":3154/?query_string=";
+	$h1 = "/elsa-query/?query_string=";
 	$h2 = " class=\"tab\" target=\"dynamic\" onclick=\"turnBackBold (this);\"";
 ?>
 

index.php

@@ -19,10 +19,9 @@
 Please follow the <a href="https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation">Installation guides</a> on our <a href="https://github.com/Security-Onion-Solutions/security-onion/wiki">Wiki</a>.<br>
 <br>
 <b>Local Server</b><br>
-Links to quickly access your local Squert, ELSA, and Xplico instances:<br>
+Links to quickly access your local Squert and ELSA instances:<br>
 * <a href="/squert/">Squert</a>: View NIDS/HIDS alerts and HTTP logs<br>
 * <a href="/elsa/">ELSA</a>: Search logs (IDS, Bro, and syslog)<br>
-* <a href="https://<?php echo htmlspecialchars("{$_SERVER['HTTP_HOST']}"); ?>:9876">Xplico</a>: Carve PCAP files (please note that <a href="https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall">port 9876 is not open to the outside world by default</a>)<br>
 <br>
 <b>Useful Links</b><br>
 Links to useful Security Onion information:<br>