Title
#fleet
Rafael

Rafael

07/07/2022, 1:53 PM
Hello everyone! I have a few questions, I hope you can clarify some of them. Right now we are running Fleet in our private network and Fleet hostname is something like https://osquery.private.tech/, and we are using certificate from our private CA. We want to expose Fleet to the internet via load-balancer with different name in order to hide our company’s private naming, let’s say https://osquery.public.com. Load balancer proxies traffiс with public cert from Global Sign. Is is possible? And if yes what certificate and tls hostname should we pass to --tls_server_certs and --tls-hostname flags? Or we expose Fleet only with original hostname and we can’t change it on proxy side? Thanks!
Mystery Incorporated

Mystery Incorporated

07/07/2022, 2:58 PM
Put fleet behind reverse proxy like nginx and you can give it as many domain names as you want
Keith Swagler

Keith Swagler

07/07/2022, 3:03 PM
IMO trying to keep a naming convention private is what I would classify as security by obscurity, and is rarely worth the effort. Now with that said, it would probably just be easier to have the same hostname and certificate for both internal and external. The Fleet server behind the proxy can have whatever certificate the proxy trusts (or configured to not do secure checking from proxy to Fleet server)
Rafael

Rafael

07/07/2022, 6:50 PM
@Mystery Incorporatedthe problem is that I can specify only one name in --tls-hostname flag for my agents. So if I’m using different names and the proxy scheme is like https://osquery.public.com
https://osquery.private.tech/ and if --tls-hostname is https://osquery.public.com agent would’t be able to contact private internal server.
zwass

zwass

07/07/2022, 7:11 PM
You only need to give osquery one hostname. As long as that hostname routes to the server (which could be via a load balancer that only routes the
/api/osquery
routes, then things should work.
Rafael

Rafael

07/07/2022, 7:55 PM
@zwass the probles is when i’m passing in config Fleet’s public name and public cert I got an error “Request error: certificate verify failed”. However if I’m using Fleet’s publiс name and private сука from our CA I got the same error. So mmain question is whether we can publish Fleet with different names, because in the tls name and tls certificate parameters we can write only one value.
zwass

zwass

07/07/2022, 7:58 PM
Let's say you want to expose the web UI at private.example.com (only accessible behind the VPN) and the osquery API at public.example.com. You should have the load balancer(s) terminating TLS for each of those hostnames with a different certificate, and that certificate needs to match the hostname. Then you'd configure the LB target for public.example.com to only allow requests for routes that start with
/api/osquery
.
d

Daniel Cross

07/08/2022, 12:53 AM
In terms of ‘hiding’ private naming I agree, feels not very worthwhile, but for the technical, I expose fleet from an AWS private subnet with AWS ALB and a cert from ACM. AFAIK (works for me) you do not need to have any cert specified on clients if you’re using a valid cert from a CA.
--tls_hostname=<http://fleet.example.com|fleet.example.com>
should be all you need in the client configs.
12:56 AM
You’d also change “Fleet web address” in settings to the public LB name
<http://fleet.example.com|fleet.example.com>
This assumes you’re going to use both API (clients) and web UI via the load balancer.