#fleet
Mo Zhu

05/10/2022, 12:41 AM
Does the `FLEET_SERVER_CERT` config only accept paths to the cert? Does it also accept the full cert itself set in the ENV var? Heroku does not allow persisting files in their directory, I think, so it is not possible to put it into a path.
zwass

05/10/2022, 12:43 AM
It expects the path to the cert. For deploying on Heroku, I'd think you might want to have Heroku terminate TLS and run Fleet with `FLEET_SERVER_TLS=FALSE`.
12:44 AM
Alternatively, maybe you could do something like `echo "$CERT_VALUE" > cert.pem && fleet serve`?
Mo Zhu

05/10/2022, 12:46 AM
If I do `FLEET_SERVER_TLS=FALSE`, then I'll lose the security between the osqueryd and the Fleet back-end?
12:46 AM
If I do the echo approach, that would go in the Procfile?
zwass

05/10/2022, 12:46 AM
Echo approach would go in the Procfile, yeah.
12:47 AM
Turning off TLS on the Fleet server would only work if Heroku can terminate TLS (which is very common to do with a load balancer).
12:48 AM
It's a bit hard to tell from the Heroku docs, but I think you'd just be able to turn on SSL on Heroku and leave it off on the Fleet server. This would effectively have Heroku terminating TLS like a load balancer.
Mo Zhu

05/10/2022, 12:51 AM
Yeah, I think all requests to a Heroku server get put through their load balancer.
12:51 AM
Cool, I will try that…
zwass

05/10/2022, 12:51 AM
I suspect their load balancer would then send plain HTTP requests to the Fleet server. If that's the case, you can turn off the TLS termination in Fleet.
Mo Zhu

05/10/2022, 12:52 AM
Yup, that's exactly it.
zwass

05/10/2022, 12:52 AM
That's how most of our reference implementations work.