Faraday Advanced Installation with Websockets Notifications
Faraday sends notifications through websockets, a feature that Faraday Agents also use. To enable and configure websockets in an on-premises installation, follow the guide below.
Install NGINX:
sudo apt install nginx
Configuring NGINX
Use the following configuration file:
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 443 ssl;
    server_name faraday.local;
    client_max_body_size 500M;
    ssl_session_cache shared:SSL:50m;
    ssl_certificate /etc/ssl/faraday.crt;
    ssl_certificate_key /etc/ssl/faraday.key;

    location / {
        # alias replaces the matched "/" prefix, so the path must end in "/"
        alias /opt/faraday/lib/python3.10/site-packages/faraday/server/www/;
        try_files $uri $uri/ /index.html;
    }

    location /_api/ {
        proxy_pass http://127.0.0.1:5985/_api/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /socket.io {
        include proxy_params;
        proxy_http_version 1.1;
        proxy_buffering off;
        # Pass the WebSocket upgrade handshake through to the backend
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://127.0.0.1:5985;
    }
}

# Expires map
map $sent_http_content_type $expires {
    default off;
    text/html max;
    text/css max;
    application/javascript max;
    ~image/ max;
}

server {
    server_name replacewithyourip;
    # TLS is enabled by the ssl parameter of listen
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    client_max_body_size 5G;
    ssl_session_cache shared:SSL:50m;
    ssl_certificate /etc/ssl/faraday.crt;
    ssl_certificate_key /etc/ssl/faraday.key;
    gzip on;
    gzip_types application/javascript text/css;
    expires $expires;

    location / {
        alias /opt/faraday/lib/python3.10/site-packages/faraday/server/www/;
        try_files $uri $uri/ /index.html;
    }

    location /_api/ {
        proxy_pass http://{faraday-ip}:5985/_api/;
        proxy_redirect http:// $scheme://;
        proxy_read_timeout 6000;
        proxy_connect_timeout 6000;
        proxy_send_timeout 6000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_cookie_path / "/; secure";
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /websockets {
        proxy_http_version 1.1;
        proxy_pass http://{faraday-ip}:9000/websockets;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /_api/wsocket/v1/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://{faraday-ip}:5000/_api/wsocket/v1/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    server_name {faraday-ip};
    listen 80;
    listen [::]:80;

    # https redirect
    if ($host = {faraday-ip}) {
        return 301 https://$host$request_uri;
    }
    return 404;
}
Place it in /etc/nginx/sites-available.
Generating Certificates
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/faraday.key -out /etc/ssl/faraday.crt
The Common Name should be the same as the FQDN, in our case faraday.
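The command above sets only the Common Name, while many current TLS clients match the hostname against the subjectAltName extension instead. The following added example (not part of the Faraday documentation) generates the same certificate with a SAN for faraday.local and checks it before NGINX is pointed at it; the function names and the throwaway directory are assumptions, and it expects OpenSSL 1.1.1 or later and a Linux stat.

```bash
# Added example: make_cert, check_cert and the throwaway directory are
# illustrative names, not part of Faraday.

# make_cert DIR FQDN: the page's self-signed certificate plus a subjectAltName.
make_cert() (
    umask 077   # -nodes leaves the key unencrypted, so create it owner-only
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/faraday.key" -out "$1/faraday.crt" 2>/dev/null
)

# check_cert CRT KEY FQDN: prints every failed check, non-zero status on any.
check_cert() (
    crt=$1 key=$2 fqdn=$3 rc=0
    # 1. The FQDN must be listed as a DNS subjectAltName, not only as the CN.
    openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$fqdn" ||
        { echo "FAIL: no subjectAltName DNS:$fqdn in $crt"; rc=1; }
    # 2. ssl_certificate and ssl_certificate_key must be the same key pair.
    pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || pub=
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: $key does not match $crt"; rc=1; }
    # 3. -days 365 means yearly renewal; flag anything within 30 days of expiry.
    openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: $crt expires within 30 days"; rc=1; }
    # 4. The unencrypted key must not be accessible to group or others.
    [ $(( 0$(stat -c '%a' "$key") & 077 )) -eq 0 ] ||
        { echo "FAIL: $key is group/world accessible"; rc=1; }
    [ "$rc" -eq 0 ]
)

# Demo on a throwaway directory (constructed input, nothing under /etc is touched).
demo=$(mktemp -d)
make_cert "$demo" faraday.local &&
    check_cert "$demo/faraday.crt" "$demo/faraday.key" faraday.local &&
    echo "faraday.local: all checks passed"
rm -rf "$demo"
```

On the server itself, run check_cert against /etc/ssl/faraday.crt and /etc/ssl/faraday.key before restarting NGINX.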
Inside the file, the location / block needs an alias pointing to the path where the frontend's static files are.
The location section inside the NGINX file (no need to change it):
location / {
    alias /home/faraday/faraday/faraday/frontend/www/;
}
Create a symlink in sites-enabled pointing to the file in sites-available:
sudo ln -s /etc/nginx/sites-available/faraday /etc/nginx/sites-enabled/faraday
Restart NGINX:
sudo systemctl restart nginx
Start up the websockets server:
faraday-websocket-server
After this local configuration, you should see http://faraday.local with websockets up and running.
In case faraday.local is not resolved, check /etc/hosts for the line:
127.0.0.1 faraday.local
We highly recommend that you check our First Steps guide.