Gunicorn¶
Starting from v0.0.6, Burp-UI supports Gunicorn in order to handle multiple users simultaneously because some operations (like the online restoration) may take some time and thus may block any further requests. With Gunicorn, you have several workers that can proceed the requests so you can handle more users.
You need to install gunicorn
:
pip install "burp-ui[gunicorn]"
Gunicorn is an application server that will work similarly to php-fpm and the like. That is, it will fork several processes to handle the load. Due to this, you may need to enable advanced Burp-UI features so those processes can talk to each other (and share resources). Here is what settings can be changed in the configuration as an illustration:
[Production]
# storage backend for session and cache
# may be either 'default' or 'redis'
storage = redis
# redis server to connect to
redis = localhost:6379
# session database to use
# may also be a backend url like: redis://localhost:6379/0
# if set to 'redis', the backend url defaults to:
# redis://<redis_host>:<redis_port>/0
# where <redis_host> is the host part, and <redis_port> is the port part of
# the below "redis" setting
session = redis
# cache database to use
# may also be a backend url like: redis://localhost:6379/0
# if set to 'redis', the backend url defaults to:
# redis://<redis_host>:<redis_port>/1
# where <redis_host> is the host part, and <redis_port> is the port part of
# the below "redis" setting
cache = redis
You will then be able to launch Burp-UI this way:
gunicorn -w 4 'burpui:create_app(conf="/path/to/burpui.cfg")'
Note
If you decide to use gunicorn AND the embedded websocket server,
you’ll need to use the geventwebsocket.gunicorn.workers.GeventWebSocketWorker
worker name (ie. -k geventwebsocket.gunicorn.workers.GeventWebSocketWorker
).
For this worker to be available, you need to install the gevent-websocket
pip package.
This will listen to 127.0.0.1:8000 by default. See the gunicorn
documentation for
details.
You will need to add the -b 0.0.0.0:5000
option in order to listen on all
interfaces on port 5000 for instance.
When using gunicorn
, the command line options are not available. Instead,
you run the Burp-UI create_app
method directly. Here are the parameters
you can play with:
conf: Path to the Burp-UI configuration file
verbose: Verbosity level between 0 and 4
logfile: Path to a logfile in order to log Burp-UI internal messages
reverse_proxy: Whether we are behind a reverse-proxy or not (defaults to True)
Warning
You MUST set the appsecret option in your configuration file when using gunicorn. The default magic value ‘random’ cannot be used. If you don’t change the settings the default value will be ‘none’ and your cookies won’t be secured.
Advanced usage¶
Gunicorn supports further settings (see its documentation for details).
For instance, you would probably like to use the -c
flag with the sample
configuration file bundled with Burp-UI in contrib/gunicorn/burpui_gunicorn.py.
Usage example:
gunicorn -c burpui_gunicorn.py 'burpui:create_app(conf="/etc/burp/burpui.cfg",logfile="/var/log/gunicorn/burp-ui_info.log")'
Daemon¶
If you wish to run Burp-UI as a daemon process, the recommended way is to use Gunicorn.
Requirements¶
First of all, you’ll need a dedicated user.
# create the burpui user
useradd -m -r -d /var/lib/burpui -c 'Burp-UI daemon user' burpui
mkdir /etc/burp
# copy the burp-ui sample configuration file
cp /usr/local/share/burpui/etc/burpui.sample.cfg /etc/burp/burpui.cfg
mkdir -p /var/log/gunicorn
chown -R burpui: /var/log/gunicorn
You will also need a custom client configuration and you will have to create the certificates accordingly:
# create the configuration file used by burp-ui
cat >/var/lib/burpui/burp.conf<<EOF
mode = client
port = 4971
status_port = 4972
server = 127.0.0.1
password = abcdefgh
cname = bui-agent1
pidfile = /var/lib/burpui/bui-agent1.client.pid
syslog = 0
stdout = 1
progress_counter = 1
ca_burp_ca = /usr/sbin/burp_ca
ca_csr_dir = /var/lib/burpui/CA-client
ssl_cert_ca = /var/lib/burpui/ssl_cert_ca-client.pem
ssl_cert = /var/lib/burpui/ssl_cert-client.pem
ssl_key = /var/lib/burpui/ssl_cert-client.key
ssl_peer_cn = burpserver
EOF
# generate the certificates
burp_ca --name bui-agent1 --ca burpCA --key --request --sign --batch
cp /etc/burp/ssl_cert_ca.pem /var/lib/burpui/ssl_cert_ca-client.pem
cp -a /etc/burp/CA/bui-agent1.crt /var/lib/burpui/ssl_cert-client.pem
cp -a /etc/burp/CA/bui-agent1.key /var/lib/burpui/ssl_cert-client.key
chown -R burpui: /var/lib/burpui/
Now you need to add the bui-agent1 client to the authorized clients:
echo "password = abcdefgh" >/etc/burp/clientconfdir/bui-agent1
echo "restore_client = bui-agent1" >>/etc/burp/burp-server.conf
You will also need to increase the number of status clients by setting
max_status_children
to 15:
echo "max_status_children = 15" >>/etc/burp/burp-server.conf
Finally, make sure you set bconfcli: /var/lib/burpui/burp.conf
in your
Burp-UI configuration file (/etc/burp/burpui.cfg).
If you want to take advantage of advanced features such as client add/removal and configuration files edition, you should set the permissions accordingly Burp-side.
First of all, add the following lines in your /etc/burp/burp-server.conf:
user = burpui
group = burpui
Then you need to fix some permissions:
chown -R burpui: /etc/burp/{burp-server.conf,burpui.cfg,CA,CA.cnf,clientconfdir,dhfile.pem,ssl_cert_ca.pem,ssl_cert-server.key,ssl_cert-server.pem} /var/spool/burp
chgrp burpui /etc/burp
chmod g+rwx /etc/burp
Finally you can restart your burp-server
.
Note
The above commands are meant for default setup. You may need to adapt the paths.
Systemd¶
You will have to create your own service. We can do this for systemd for example:
# copy the gunicorn configuration file
cp /usr/local/share/contrib/gunicorn/burpui_gunicorn.py /etc/burp/
# create the service file
cat >/etc/systemd/service/bui-gunicorn.service<<EOF
[Unit]
Description=Burp-UI gunicorn service
After=network.target
[Service]
User=burpui
Group=burpui
ExecStart=/usr/local/bin/gunicorn -c /etc/burp/burpui_gunicorn.py 'burpui:create_app(conf="/etc/burp/burpui.cfg",logfile="/var/log/gunicorn/burp-ui_info.log")'
[Install]
WantedBy=multi-user.target
EOF
# enable the new service
systemctl enable bui-gunicorn.service
# start the service
systemctl start bui-gunicorn.service
Reverse-Proxy¶
You may want to add a reverse-proxy so Burp-UI can be accessed on port 80 (or 443) along with other applications.
Here is a sample configuration for Nginx:
server {
listen 80;
server_name burpui.example.com;
access_log /var/log/nginx/burpui.access.log;
error_log /var/log/nginx/burpui.error.log;
location / {
# you need to change this to "https", if you set "ssl" directive to "on"
proxy_set_header X-FORWARDED_PROTO http;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_pass http://localhost:5000;
}
}
Sub-root path¶
You can host Burp-UI behind a sub-root path. For instance /burpui
.
To accomplish this, you can either setup your reverse-proxy to announce the
desired prefix, or you can use the prefix
option in your Burp-UI
configuration file (see usage for details).
If you want to configure this reverse-proxy side, you need to announce the HTTP
Header X-Script-Name
. Alternatively, you can use the X_Forwarded_Prefix
.
Here is a sample configuration for Nginx:
server {
listen 80;
server_name example.com;
access_log /var/log/nginx/burpui.access.log;
error_log /var/log/nginx/burpui.error.log;
location /burpui {
# you need to change this to "https", if you set "ssl" directive to "on"
proxy_set_header X-FORWARDED_PROTO http;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr;
# Our service is hosted behind the "/burpui" prefix
# Alternatively you can use the "X_FORWARDED_PREFIX" instead
proxy_set_header X-Script-Name /burpui;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_pass http://localhost:5000;
}
}
Apache sample:
ProxyPass /burp/ http://localhost:5000/burp/
ProxyPassReverse /burp/ http://localhost:5000/burp/
<Location /burp/>
SetOutputFilter proxy-html
ProxyPassReverse /burp/
ProxyHTMLURLMap http://localhost:5000/ /
Require all granted
</Location>
Warning
If your prefix does not start with a ‘/’, it will be ignored.
Production¶
We can consider the demo as a production example of what you can setup/expect in your environment. It is using Gunicorn along with Nginx as described above.
In order to improve performances, Redis can be used to cache sessions and various API calls. You can also enable the celery worker for asynchronous jobs. Additionally, you can enable the SQL storage.
The FAQ answers these questions:
See the production section of the usage page.