hello everyone, I installed fleet via docker compose and would like to ask an info: at the moment fleet is configured with port 8443 and i have an apache virtualhost(not dockerized) that receives requests ulla port 443 and redirects to internal port 8443. I tried to restrict access to the GUI by putting a rewrite rule on the virtual host that blocks access to the login page from the external network, so that from the outside the server remains reachable from the endpoints but the management GUI remains reachable on 443 only from the internal network, but it didn't work. can you tell me how to use fleet with 2 different ports (one for gui and one for endpoints) or how to fix the rewrite rule on the virtual host? below are the files: apache vhost:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName <http://it-asset.acme.it|it-asset.acme.it>
    ServerAdmin <mailto:postmaster@acme.it|postmaster@acme.it>

    #SSLProxyEngine on
    ProxyPass / <http://localhost:8443/>
    ProxyPassReverse / <http://localhost:8443/>


#    <Files ^.\login>
#        Order Deny,Allow
#        deny from all
#        allow from 10.0.63.0
#        allow from 10.0.59.0
#    </Files>


# only allow acces to these urls from white listed IPs
Options +FollowSymlinks
RewriteEngine on
#the urls that should be checked
RewriteCond %{REQUEST_URI} ^(/login|/dashboard).*$
RewriteCond %{REMOTE_ADDR} !=10\.0\.63\.
# or this ip
RewriteCond %{REMOTE_ADDR} !=10\.0\.59\.
# if not fail
RewriteRule ^.*$ / [F]
#  RewriteRule ^.*$ [G,NC]


    ErrorLog ${APACHE_LOG_DIR}/fleet-dc-error.log
    CustomLog ${APACHE_LOG_DIR}/fleet-dc-access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/it-asset.acme.it/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/it-asset.acme.it/privkey.pem
</VirtualHost>
</IfModule>

Docker compose:

version: '2'
services:
  mysql:
    restart: always
    image: mysql:5.7
    volumes:
      - /fleet/data:/data
    command: mysqld --datadir=/data/mysqldata --slow_query_log=0 --log_output=TABLE --log-queries-not-using-indexes --event-scheduler=ON
    environment:
      MYSQL_ROOT_PASSWORD: *****************
      MYSQL_DATABASE: fleet_db
      MYSQL_USER: fleet_user
      MYSQL_PASSWORD: ************************
    ports:
      - "3306:3306"

  mailhog:
    restart: always
    image: mailhog/mailhog:latest
    ports:
      - "8025:8025"
      - "1025:1025"

  redis:
    restart: always
    image: redis:5
    ports:
      - "6379:6379"

  fleet:
    restart: always
    image: fleetdm/fleet:v4.17.0
    volumes:
      - /fleet/fleet:/fleet
    command: sh -c "echo '\n' | /usr/bin/fleet prepare db && /usr/bin/fleet serve"
    environment:
      FLEET_MYSQL_ADDRESS: mysql:3306
      FLEET_MYSQL_DATABASE: fleet_db
      FLEET_MYSQL_USERNAME: fleet_user
      FLEET_MYSQL_PASSWORD: *****************
      FLEET_REDIS_ADDRESS: redis:6379
      FLEET_SERVER_CERT: /etc/letsencrypt/live/it-asset.acme.it/fullchain.pem
      FLEET_SERVER_KEY: /etc/letsencrypt/live/it-asset.acme.it/privkey.pem
      FLEET_LOGGING_JSON: "true"
      FLEET_AUTH_JWT_KEY:
      FLEET_SERVER_TLS: 'false'
      FLEET_OSQUERY_LABEL_UPDATE_INTERVAL: 5m
      FLEET_VULNERABILITIES_PERIODICITY: 60m
    ports:
      - "8443:8080"

Here's a blog post by @defensivedepth that sounds like what you want https://defensivedepth.com/2020/04/02/kolide-fleet-breaking-out-the-osquery-api-web-ui/

@Keith Swagler thanks in the post however it uses nginx and kolide, could you translate the rules you used instead? i think it is the same thing i want to do i.e. if after acme.it there is /login deny access if the ip is different from the one specified in the rule.

In what way isn't it working? Are you not able to access the GUI internally, or not able to make API requests externally?

Hi @Kathy Satterlee currently endpoints running on osquery connect to the server with fqdn it-asset.domain.com on port 443, the same port used by the gui. for security reasons I would like to make the gui reachable only internally, but since it uses the same port as the API calls, this is not possible at the firewall (watchguard) level. so i would like to understand if there is a way to use 2 different ports or if it is possible to make a change to the apache virtualhost or docker compose to make the gui it-asset.domain.com/login or /dashboard reachable only internally. if you look at my virtual host, i already tried but it doesn't work.

Thanks for the clarification there! It sounds like what you're trying to do should work, but it's hard to say what needs to change without knowing what is/isn't happening. What happens with the current setup?

currently like it doesn't recognize the redirect, i.e. doing it-asset.domain.com automatically redirects me to the login page and I see it both internally and externally. instead directly typing it-asset.domain.com/login into the browser uri gives me error

Forbidden 
You don't have permission to access this resource.

Apache/2.4.52 (Ubuntu) Server at <http://it-asset.domain.com|it-asset.domain.com> Port 443

as if it doesn't recognize the forward from it-asset.domain.com to it-asset.domain.com/login

What happens if you change

!=

to

!^

in the IP conditions?

same result

Worth a try! This seems like the right approach and there's likely an issue somewhere with the settings. If you haven't already, this is definitely something I'd recommend posting somewhere where you're likely to get to the Apache experts just in case no one here is able to get you pointed in the right direction.

thx! @Kathy Satterlee