Redirect on landing page

Pete

Sep 25, 2020, 3:56:09 PM
to security-onion

I have a VPN client installed on Security Onion 2.2 RC3 so that I am able to access it from an alternative location.  However, when I browse to the landing page using the VPN's endpoint IP address, it immediately redirects to the login URL using the native administrative interface's IP address.

How can I avoid that?
--
Pete

Wes Lambert

Sep 28, 2020, 4:17:02 PM
to securit...@googlegroups.com
Pete,

Have you tried using hostname/FQDN instead?


Pete

Oct 6, 2020, 7:10:27 PM
to security-onion
No.  The IP address of the sensor does not have a DNS-resolvable FQDN.

Is there another solution you can suggest?
--
Pete

Doug Burks

Oct 6, 2020, 7:41:03 PM
to securit...@googlegroups.com
Hi Pete,

Have you considered using a local hosts entry to resolve the hostname/FQDN?

Alternatively, have you considered using the OTHER option and specifying the alternative IP address?

--
Doug Burks
Founder and CEO
Security Onion Solutions, LLC

Pete

Oct 8, 2020, 8:53:53 AM
to security-onion
Thanks, Doug.

Adding an entry to the local hosts file is not feasible, as that's managed by IT for my users.  It's also now discouraged by Microsoft, FWIW, at least for their telemetry servers: https://betanews.com/2020/08/04/windows-10-telemetry-hosts-file-hijack-warning/

Selecting "other" during install would work IF I didn't want the service to be available at both native and VPN IPs, but I do.  Incidentally, is there a way to change that after install without requiring a full OS reinstall?

I could run squid to proxy the original IP via the VPN IP and add the original IP to my browser's PAC file, but that seems like a bigger hack than adding the entry to hosts.

Security Onion v2.x seriously uses only absolute URLs?  Is there an argument I'm not aware of that doing so makes it more secure?  Absolute URLs are historically reserved for cases where you're linking to a different server or port.  When moving around between pages on a single server, as the R2 is, the natural and more portable solution is a relative URL.
--
Pete

Doug Burks

Oct 8, 2020, 10:07:54 AM
to securit...@googlegroups.com
Hi Pete,

Security Onion 2 uses strict cookie enforcement with the Kratos Identity Management system.  You can read more about that here:

Hope that helps!

Pete

Oct 9, 2020, 5:44:53 PM
to security-onion
Doug,

What do you mean by "strict cookie enforcement?"  I've googled that phrase and don't get any obvious hits other than SameSite=strict, which is a browser setting, not something configured server-side.  If I understand it right, visiting the same site at two different IPs with SameSite set to strict would just result in two different sets of the same cookies, one for each site.  IOW, you would have to log in to each IP separately, and logging out of one would not log out the other.

That said, it appears Kratos requires full (absolute) URLs including the protocol://host/ portion in the selfservice: flows: settings described at https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion.  That's unfortunate.

BTW, I've managed to change the base URL without needing to reinstall the OS by editing all files under /opt/so/saltstack containing the old IP, changing the MySQL root user's host manually, and rebuilding all the configs via salt.  If the base URL is set during install, I'd highly recommend a supported way of changing that post-install.

Thanks
--
Pete

Doug Burks

Oct 10, 2020, 6:29:33 AM
to securit...@googlegroups.com
Hi Pete,

Replies inline.

On Fri, Oct 9, 2020 at 5:44 PM Pete <peti...@gmail.com> wrote:
> Doug,
>
> What do you mean by "strict cookie enforcement?"  I've googled that phrase and don't get any obvious hits other than SameSite=strict, which is a browser setting, not something configured server-side.  If I understand it right, visiting the same site at two different IPs with SameSite set to strict would just result in two different sets of the same cookies, one for each site.  IOW, you would have to log in to each IP separately, and logging out of one would not log out the other.

I was simply copying the verbiage from the screenshot:
image.png

I believe our engineers used that verbiage in reference to the following snippet from https://www.ory.sh/kratos/docs/quickstart/:

"ORY Kratos is not just an API: it uses cookies, HTTP redirects, anti-CSRF tokens and more so you don't have to.
Because our SecureApp and ORY Kratos need to share cookies, in order for anti-CSRF tokens and login sessions to work, we will set up a path which forwards requests to ORY Kratos' Public API so that both SecureApp and ORY Kratos have the same hostname."
 

> That said, it appears Kratos requires full (absolute) URLs including the protocol://host/ portion in the selfservice: flows: settings described at https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion.  That's unfortunate.
>
> BTW, I've managed to change the base URL without needing to reinstall the OS by editing all files under /opt/so/saltstack containing the old IP, changing the MySQL root user's host manually, and rebuilding all the configs via salt.  If the base URL is set during install, I'd highly recommend a supported way of changing that post-install.
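
An added illustration, not part of the thread and not Security Onion or Kratos code: a simplified model of browser cookie scoping (RFC 6265 domain matching) showing why a flow that sets its anti-CSRF cookie on one address cannot complete on another, while a single hostname works whichever IP it resolves to. The addresses, the hostname and the cookie name are constructed.

```javascript
// Simplified model of browser cookie scoping (RFC 6265, sections 5.1.3 and 5.3).
// Path, Secure, expiry and SameSite are ignored. All addresses, the hostname
// and the cookie name below are constructed for illustration.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');

// A request host matches a cookie domain if identical, or if it is a
// subdomain of it. IP addresses only ever match themselves.
function domainMatch(host, domain) {
  return host === domain || (!isIp(host) && host.endsWith('.' + domain));
}

// Store a cookie from a response. Returns false if the browser would reject it.
function storeCookie(jar, responseUrl, name, domainAttr) {
  const host = new URL(responseUrl).hostname.toLowerCase();
  if (!domainAttr) {
    jar.push({ name, domain: host, hostOnly: true });
    return true;
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  if (!domainMatch(host, domain)) return false; // cannot set for a foreign host
  jar.push({ name, domain, hostOnly: false });
  return true;
}

// Names of the cookies a browser would attach to a request.
function cookiesFor(jar, requestUrl) {
  const host = new URL(requestUrl).hostname.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)))
    .map((c) => c.name);
}

// Does a flow whose anti-CSRF cookie is set at one URL still carry that
// cookie when the form is submitted to another URL?
function flowKeepsCookie(setAtUrl, submitUrl) {
  const jar = [];
  storeCookie(jar, setAtUrl, 'csrf');
  return cookiesFor(jar, submitUrl).includes('csrf');
}

const NATIVE = 'https://192.0.2.10/';    // constructed "native" interface address
const VPN = 'https://198.51.100.7/';     // constructed VPN endpoint address
const NAME = 'https://so.example.test/'; // constructed hostname for the same box

console.log(flowKeepsCookie(NATIVE, NATIVE)); // flow stays on one address
console.log(flowKeepsCookie(VPN, NATIVE));    // started on VPN IP, finished on native IP
console.log(flowKeepsCookie(NAME, NAME));     // hostname, whichever IP it resolves to
console.log(storeCookie([], VPN, 'csrf', '192.0.2.10')); // Domain= naming the other IP
```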
