Replies: 1 comment
https://docs.securityonion.net/en/2.4/proxy.html#proxy Did you set your proxy according to this?
Version
2.4.170
Installation Method
Security Onion ISO image
Description
other (please provide detail below)
Installation Type
Standalone
Location
on-prem with Internet access
Hardware Specs
Meets minimum requirements
CPU
8
RAM
24
Storage for /
200 GB
Storage for /nsm
125G
Network Traffic Collection
span port
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail
Hello Security Onion Community,
I’ve run into an issue where I cannot open the SOC web interface. Instead of a certificate warning, I always get:
DNS address could not be found. Diagnosing the problem
I already have a host override configured in pfSense, so DNS resolution itself should not be the problem.
Logs & Symptoms
Nginx error log shows repeated upstream failures:
connect() failed (111: Connection refused) while connecting to upstream,
client: 10.0.50.55, server: ,
upstream: "http://10.0.50.55:9822/api/node"
SOC container is listening on 9822:
0.0.0.0:9822->9822/tcp so-soc
Curl directly to port 9822 fails with TLS if using https://:
curl -vk https://127.0.0.1:9822
error: SSL routines::packet length too long
But using plain HTTP works:
curl -v http://127.0.0.1:9822
< HTTP/1.1 200 OK
This makes me think nginx is not proxying HTTPS correctly to SOC.
nginx default.conf (inside so-nginx container) only serves localhost on port 80 — no mention of 9822 or SOC proxy config.
What I’ve Tried
Verified so-status (all services green).
Verified host override in pfSense.
Confirmed SOC container is running and exposing port 9822.
Confirmed curl works against http://127.0.0.1:9822.
Tried adding manual nginx configs, but container doesn’t persist changes.
Possible Issues
nginx container missing proxy rules to forward traffic from 443 → so-soc:9822.
SSL/TLS mismatch between nginx and soc service (nginx expecting HTTPS, SOC only serving HTTP).
Configuration may have been lost/not applied during setup.
Question
What is the correct way to make SOC accessible over HTTPS?
Should nginx be proxying plain HTTP from SOC (9822) and wrapping it in SSL, or should SOC itself be handling HTTPS?
Any guidance would be helpful.
Thanks in advance!
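An added example, not part of the original post and not Security Onion tooling: a small Python check that tests the three layers named in the post separately (name resolution, a refused connection, and a listener that answers in cleartext HTTP where the client expects TLS, which is consistent with curl's "packet length too long"). The hostname `so-manager.example` and the function names are assumptions; ports 443 and 9822 are the ones from the post.

```python
import socket
import ssl

def resolves(name):
    """True if the local resolver returns any address for name."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except socket.gaierror:
        return False

def probe(host, port, timeout=2.0):
    """Classify host:port as 'tls', 'plain-http', 'refused' or 'unknown'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # like curl -k: only ask "is this TLS?"
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ConnectionRefusedError:
        return "refused"             # what nginx logs as "111: Connection refused"
    except OSError:
        pass                         # handshake failed or timed out: try plain HTTP
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            # A cleartext status line is what makes an https:// client fail.
            return "plain-http" if s.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"

def diagnose(name, backend="127.0.0.1", https_port=443, soc_port=9822):
    """Test each layer on its own so one failure is not mistaken for another."""
    dns_ok = resolves(name)
    return {
        "dns": dns_ok,
        "front_end": probe(name, https_port) if dns_ok else "no-dns",
        "backend": probe(backend, soc_port),
    }

if __name__ == "__main__":
    # Placeholder hostname (assumption); substitute the name typed in the browser.
    print(diagnose("so-manager.example"))
```

Passing the upstream address from the nginx error log as `backend` shows whether the refusal is specific to that address rather than to the loopback listener.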