Mark Noonan
04/29/2021, 5:19 PM
echo "-----------------------------------"
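echo "NGINX Config"
echo "-----------------------------------"
# The heredoc delimiter is quoted ('EOF') so the shell expands nothing inside it:
# every $remote_addr / $host below is written to the file literally and no
# backslash-escaping is needed.  (With an unquoted EOF a single missed backslash
# would silently expand an nginx variable to an empty string.)
# Slack's <...> link markup around the upstream URLs has been removed: nginx
# rejects "proxy_pass <https://...>" as an invalid URL prefix.
# Consider running `nginx -t` after this write and before any reload so a bad
# config is caught here rather than taking the listeners down.
cat >/etc/nginx/nginx.conf <<'EOF'
# the following is for v1.12, prior version, keeping here just in case we need it again
#load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log info;
events {
    worker_connections 4096;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # Without this directive nginx falls back to its built-in default, which on
    # older builds still includes TLS 1.0/1.1.  Set once here so both listeners
    # below inherit it.  Drop the TLSv1.3 token if the nginx/OpenSSL build in
    # use rejects it.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Fleet web UI / REST API listener.
    server {
        listen 8443 ssl http2 default_server;
        server_name _;
        #root /opt/socore/html/packages;
        #index index.html;
        ssl_certificate "xxxx";
        ssl_certificate_key "xxxxxx";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        # HIGH:!aNULL:!MD5 still admits non-forward-secret RSA key exchange and
        # CBC suites; a tighter explicit list is worth considering.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # The upstream is TLS, but nginx does not verify upstream certificates
        # unless proxy_ssl_verify is on.  Acceptable while 8090 is loopback;
        # revisit if Fleet ever moves off this host.
        # "Proxy" is blanked so a client-supplied Proxy header never reaches the
        # backend (httpoxy mitigation).
        location / {
            proxy_pass https://127.0.0.1:8090;
            proxy_read_timeout 90;
            proxy_connect_timeout 90;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Proxy "";
        }
        # The next two locations are configured exactly like "location /" and
        # could be removed.  They were spelled "/api/vi/..." originally, a typo
        # for "/api/v1/..." (compare the osquery location on the 8080 listener).
        location /api/v1/fleet {
            proxy_pass https://127.0.0.1:8090;
            proxy_read_timeout 90;
            proxy_connect_timeout 90;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Proxy "";
        }
        location /api/v1/kolide {
            proxy_pass https://127.0.0.1:8090;
            proxy_read_timeout 90;
            proxy_connect_timeout 90;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Proxy "";
        }
    }

    # osquery agent listener.  Only /api/v1/osquery/* is routed on this port,
    # and only as gRPC: a request for any other path (for example the
    # /api/v1/enroll curl in the thread) matches no location here and is never
    # proxied to Fleet.  grpc_pass also only fits osquery's gRPC plugins; if the
    # agents use the HTTPS "tls" plugins this needs a proxy_pass location like
    # the 8443 server above -- confirm against the osquery flags in use.
    server {
        listen 8080 ssl http2 default_server;
        server_name _;
        #root /opt/socore/html;
        #index blank.html;
        ssl_certificate "xxxxx";
        ssl_certificate_key "xxxxx";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location /api/v1/osquery {
            grpc_pass grpcs://127.0.0.1:8090;
            grpc_set_header Host $host;
            grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # proxy_buffering belongs to the proxy module, not the grpc module,
            # so it is most likely a no-op for grpc_pass; left as found.
            proxy_buffering off;
        }
    }
}
EOF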
[1:16 PM] When trying to enroll we get a `curl: (52) Empty reply from server` error
zwass
04/29/2021, 5:32 PM
curl -X POST https://<fleet_url>/api/v1/enroll -d '{}' ?
Might help to just verify, independently of osquery, that the nginx proxy is working as expected. That should return an error about an invalid node key.
Mark Noonan
04/29/2021, 5:34 PM
[root@visibility99 osquery]# curl -X POST https://xxxxxxxxxxxx:8080/api/v1/enroll -d '{}'
curl: (52) Empty reply from server
zwass
04/29/2021, 6:30 PM
curl the Fleet server directly? If so, you'll need to debug your nginx config.
Dan Achin
04/29/2021, 6:44 PM
Mark Noonan
04/29/2021, 6:45 PM
Dan Achin
04/29/2021, 6:49 PM
location / {
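# Plain-HTTP upstream: in this setup Fleet listens on 8080 without TLS (unlike
# the https/grpcs 8090 upstream in the earlier config), so TLS terminates at
# nginx only.  Slack's <...> link markup around the URLs has been removed;
# nginx rejects "proxy_pass <http://...>" as an invalid URL prefix.
proxy_pass http://127.0.0.1:8080;
# Long read timeout (15 min) for slow or long-polling requests; connect stays short.
proxy_read_timeout 900;
proxy_connect_timeout 90;
# Rewrite Location/Refresh headers the backend emits for its own http:// origin
# to the public https:// name, so redirects do not expose the loopback address.
proxy_redirect http://127.0.0.1:8080 https://redacted;
# HTTP/1.1 plus Upgrade/Connection is what WebSocket pass-through needs.
# NOTE(review): Connection "upgrade" is sent on every request, not only when the
# client asked for an upgrade; the usual pattern is a map from $http_upgrade to
# $connection_upgrade (default "upgrade", empty -> "close") -- consider switching.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Preserve the client's Host, address and original scheme for the backend.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Blank any client-supplied Proxy header so it cannot reach the backend (httpoxy).
proxy_set_header Proxy "";
# The closing "}" of this location block was lost in the paste.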
Jocelyn Bothe
04/29/2021, 6:55 PM
Mark Noonan
04/29/2021, 6:56 PM
Dan Achin
04/29/2021, 6:59 PM