Hi guys looking for some assistance We went ahead and stood osquery #fleet

Hi guys, looking for some assistance. We went ahea...

Mark Noonan

04/29/2021, 5:19 PM

Hi guys, looking for some assistance. We went ahead and stood up an nginx proxy in front of our fleetdm. Since standing it up we can hit the ui, but we can't enroll. Was wondering if anyone here has used a proxy and sees what we're missing.

Copy code

echo "-----------------------------------"
echo "NGINX Config"
echo "-----------------------------------"
cat >/etc/nginx/nginx.conf <<EOF
# the following is for v1.12, prior version, keeping here just in case we need it again
#load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log info;
events {
    worker_connections  4096;
}
http {
    log_format  main  '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                      '\$status \$body_bytes_sent "\$http_referer" '
                      '"\$http_user_agent" "\$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    server {
           listen       8443 ssl http2 default_server;
           server_name  _;
           #root         /opt/socore/html/packages;
           #index        index.html;

           ssl_certificate "xxxx";
           ssl_certificate_key "xxxxxx";
           ssl_session_cache shared:SSL:1m;
           ssl_session_timeout  10m;
           ssl_ciphers HIGH:!aNULL:!MD5;
           ssl_prefer_server_ciphers on;

           location / {
             proxy_pass <https://127.0.0.1:8090>;
             proxy_read_timeout    90;
             proxy_connect_timeout 90;
             proxy_set_header      Host \$host;
             proxy_set_header      X-Real-IP \$remote_addr;
             proxy_set_header      X-Forwarded-For \$proxy_add_x_forwarded_for;
             proxy_set_header      Proxy "";
           }
           location /api/vi/fleet {
             proxy_pass <https://127.0.0.1:8090>;
             proxy_read_timeout    90;
             proxy_connect_timeout 90;
             proxy_set_header      Host \$host;
             proxy_set_header      X-Real-IP \$remote_addr;
             proxy_set_header      X-Forwarded-For \$proxy_add_x_forwarded_for;
             proxy_set_header      Proxy "";
           }
           location /api/vi/kolide {
             proxy_pass <https://127.0.0.1:8090>;
             proxy_read_timeout    90;
             proxy_connect_timeout 90;
             proxy_set_header      Host \$host;
             proxy_set_header      X-Real-IP \$remote_addr;
             proxy_set_header      X-Forwarded-For \$proxy_add_x_forwarded_for;
             proxy_set_header      Proxy "";
           }
        }
    server {
        listen       8080 ssl http2 default_server;
        server_name  _;
        #root         /opt/socore/html;
        #index        blank.html;

        ssl_certificate "xxxxx";
        ssl_certificate_key "xxxxx";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location /api/v1/osquery {
            grpc_pass  <grpcs://127.0.0.1:8090>;
            grpc_set_header Host \$host;
            grpc_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_buffering off;
        }
    }
}
EOF

[1:16 PM] When trying to enroll we get an

curl: (52) Empty reply from server

error

zwass

04/29/2021, 5:32 PM

Are you able to

curl -X POST https://<fleet_url>/api/v1/enroll -d '{}'

? Might help to just verify independently from osquery that the nginx proxy is working as expected. That should return an error about invalid node key.

Mark Noonan

04/29/2021, 5:34 PM

Copy code

[root@visibility99 osquery]# curl -X POST <https://xxxxxxxxxxxx:8080/api/v1/enroll> -d '{}'
curl: (52) Empty reply from server

zwass

04/29/2021, 6:30 PM

Does it work if you

curl

the Fleet server directly? If so, you'll need to debug your nginx config.

Dan Achin

04/29/2021, 6:44 PM

I haven't broken out the apis like this yet via nginx, but shouldn't the locations you have as /vi/ be /v1/? Also, unless you need to route different api endpoint to different places, it's a lot simpler to just a single location

Mark Noonan

04/29/2021, 6:45 PM

you're correct that was a problem from an old paste

Mark Noonan

04/29/2021, 6:45 PM

but good catch

Dan Achin

04/29/2021, 6:49 PM

I'm able to curl mine directly as Zach mentioned...but we only have a very simple config - single location, for now

Copy code

location / {
    proxy_pass            <http://127.0.0.1:8080>;
    proxy_read_timeout    900;
    proxy_connect_timeout 90;
    proxy_redirect        <http://127.0.0.1:8080> <https://redacted>;
    proxy_http_version    1.1;
    proxy_set_header      Upgrade $http_upgrade;
    proxy_set_header      Connection "upgrade";
    proxy_set_header      Host $host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header      X-Forwarded-Proto $scheme;
    proxy_set_header      Proxy "";

Jocelyn Bothe

04/29/2021, 6:55 PM

NEVERMIND, we were missing an entry in our security group

🎉 1

Jocelyn Bothe

04/29/2021, 6:55 PM

thanks for the help, everyone

Mark Noonan

04/29/2021, 6:56 PM

Thanks guys

🍻 1

Dan Achin

04/29/2021, 6:59 PM

🙂

35 Views

Open in Slack

Previous Next