#fleet

Mark Noonan

04/29/2021, 5:19 PM
Hi guys, looking for some assistance. We went ahead and stood up an nginx proxy in front of our fleetdm. Since standing it up we can hit the ui, but we can't enroll. Was wondering if anyone here has used a proxy and sees what we're missing.
echo "-----------------------------------"
echo "NGINX Config"
echo "-----------------------------------"
cat >/etc/nginx/nginx.conf <<EOF
# the following is for v1.12, prior version, keeping here just in case we need it again
#load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log info;
events {
    worker_connections  4096;
}
http {
    log_format  main  '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                      '\$status \$body_bytes_sent "\$http_referer" '
                      '"\$http_user_agent" "\$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    server {
           listen       8443 ssl http2 default_server;
           server_name  _;
           #root         /opt/socore/html/packages;
           #index        index.html;

           ssl_certificate "xxxx";
           ssl_certificate_key "xxxxxx";
           ssl_session_cache shared:SSL:1m;
           ssl_session_timeout  10m;
           ssl_ciphers HIGH:!aNULL:!MD5;
           ssl_prefer_server_ciphers on;

           location / {
             proxy_pass https://127.0.0.1:8090;
             proxy_read_timeout    90;
             proxy_connect_timeout 90;
             proxy_set_header      Host \$host;
             proxy_set_header      X-Real-IP \$remote_addr;
             proxy_set_header      X-Forwarded-For \$proxy_add_x_forwarded_for;
             proxy_set_header      Proxy "";
           }
           location /api/vi/fleet {
             proxy_pass https://127.0.0.1:8090;
             proxy_read_timeout    90;
             proxy_connect_timeout 90;
             proxy_set_header      Host \$host;
             proxy_set_header      X-Real-IP \$remote_addr;
             proxy_set_header      X-Forwarded-For \$proxy_add_x_forwarded_for;
             proxy_set_header      Proxy "";
           }
           location /api/vi/kolide {
             proxy_pass https://127.0.0.1:8090;
             proxy_read_timeout    90;
             proxy_connect_timeout 90;
             proxy_set_header      Host \$host;
             proxy_set_header      X-Real-IP \$remote_addr;
             proxy_set_header      X-Forwarded-For \$proxy_add_x_forwarded_for;
             proxy_set_header      Proxy "";
           }
        }
    server {
        listen       8080 ssl http2 default_server;
        server_name  _;
        #root         /opt/socore/html;
        #index        blank.html;

        ssl_certificate "xxxxx";
        ssl_certificate_key "xxxxx";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location /api/v1/osquery {
            grpc_pass  grpcs://127.0.0.1:8090;
            grpc_set_header Host \$host;
            grpc_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_buffering off;
        }
    }
}
EOF
[1:16 PM] When trying to enroll we get a `curl: (52) Empty reply from server` error

zwass

04/29/2021, 5:32 PM
Are you able to `curl -X POST https://<fleet_url>/api/v1/enroll -d '{}'`? Might help to just verify independently from osquery that the nginx proxy is working as expected. That should return an error about invalid node key.

Mark Noonan

04/29/2021, 5:34 PM
[root@visibility99 osquery]# curl -X POST https://xxxxxxxxxxxx:8080/api/v1/enroll -d '{}'
curl: (52) Empty reply from server

zwass

04/29/2021, 6:30 PM
Does it work if you `curl` the Fleet server directly? If so, you'll need to debug your nginx config.

Dan Achin

04/29/2021, 6:44 PM
I haven't broken out the APIs like this yet via nginx, but shouldn't the locations you have as /vi/ be /v1/? Also, unless you need to route different API endpoints to different places, it's a lot simpler to just use a single location.

Mark Noonan

04/29/2021, 6:45 PM
You're correct, that was a problem from an old paste
6:45 PM
but good catch

Dan Achin

04/29/2021, 6:49 PM
I'm able to curl mine directly as Zach mentioned...but we only have a very simple config - single location, for now
location / {
    proxy_pass            http://127.0.0.1:8080;
    proxy_read_timeout    900;
    proxy_connect_timeout 90;
    proxy_redirect        http://127.0.0.1:8080 https://redacted;
    proxy_http_version    1.1;
    proxy_set_header      Upgrade $http_upgrade;
    proxy_set_header      Connection "upgrade";
    proxy_set_header      Host $host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header      X-Forwarded-Proto $scheme;
    proxy_set_header      Proxy "";
}

Jocelyn Bothe

04/29/2021, 6:55 PM
NEVERMIND, we were missing an entry in our security group
6:55 PM
thanks for the help, everyone

Mark Noonan

04/29/2021, 6:56 PM
Thanks guys

Dan Achin

04/29/2021, 6:59 PM
🙂