Skip to content

Single Sign-On on TheHive with X.509 Certificates#

Abstract#

SSL managed by TheHive is known to have some stability problem. It is advise to not enable it in production and configure SSL on a reverse proxy, in front of TheHive. This make X509 certificate authentication non applicable.

In order to do x509 authentication it is recommended to do it in the reverse proxy and then forward user identity to TheHive in a HTTP header. This feature has been added in version 3.2.

WARNING This setup is valid only if nobody except the reverse proxy can connect to TheHive. Users must have to use the reverse proxy. Otherwise, an user would be able to choose his identity on TheHive.

Setup a reverse proxy#

If you use nginx, the site configuration file should look like:

  server {
      listen 443 ssl;
      server_name thehive.example.com;

      ssl on;
      ssl_certificate         ssl/thehive_cert.pem;
      ssl_certificate_key     ssl/thehive_key.pem;

      # Force client to have a certificate
      ssl_verify_client       on;

      proxy_connect_timeout   600;
      proxy_send_timeout      600;
      proxy_read_timeout      600;
      send_timeout            600;
      client_max_body_size    2G;
      proxy_buffering off;
      client_header_buffer_size 8k;

      # Map certificate DN to user login stored in TheHive
      map $ssl_client_s_dn $thehive_user
      {
        default "";
        /C=FR/O=TheHive-Project/CN=Thomas toom;
        /C=FR/O=TheHive-Project/CN=Georges bofh;
      };

      # Redirect all request to local TheHive
      location / {
          add_header              Strict-Transport-Security "max-age=31536000; includeSubDomains";
          # Send the mapped user login to TheHive, in THEHIVE_USER HTTP header
          proxy_set_header        THEHIVE_USER $thehive_user;
          proxy_pass              http://127.0.0.1:9000/;
          proxy_http_version      1.1;
      }
  }

Enable authentication delegation in TheHive#

Setup TheHive to identify user by the configured HTTP header (THEHIVE_USER):

auth {
  method.header = true
  header.name = THEHIVE_USER
}

# Listen only on localhost to prevent direct access to TheHive
http.address=127.0.0.1


Last update: March 2, 2021 12:39:03