# fleet
r
Hello everyone! I have a few questions, I hope you can clarify some of them. Right now we are running Fleet in our private network and the Fleet hostname is something like https://osquery.private.tech/, and we are using a certificate from our private CA. We want to expose Fleet to the internet via a load balancer with a different name in order to hide our company’s private naming, let’s say https://osquery.public.com. The load balancer proxies traffic with a public cert from GlobalSign. Is it possible? And if yes, what certificate and TLS hostname should we pass to the --tls_server_certs and --tls-hostname flags? Or do we expose Fleet only with the original hostname and we can’t change it on the proxy side? Thanks!
m
Put fleet behind reverse proxy like nginx and you can give it as many domain names as you want
k
IMO trying to keep a naming convention private is what I would classify as security by obscurity, and is rarely worth the effort. Now with that said, it would probably just be easier to have the same hostname and certificate for both internal and external. The Fleet server behind the proxy can have whatever certificate the proxy trusts (or configured to not do secure checking from proxy to Fleet server)
r
@Mystery Incorporated the problem is that I can specify only one name in the --tls-hostname flag for my agents. So if I’m using different names and the proxy scheme is like https://osquery.public.com -> https://osquery.private.tech/ and --tls-hostname is https://osquery.public.com, the agent wouldn’t be able to contact the private internal server.
z
You only need to give osquery one hostname. As long as that hostname routes to the server (which could be via a load balancer that only routes the `/api/osquery` routes), then things should work.
r
@zwass the problem is when I’m passing in config Fleet’s public name and public cert I get an error “Request error: certificate verify failed”. However if I’m using Fleet’s public name and private cert from our CA I get the same error. So the main question is whether we can publish Fleet with different names, because in the TLS name and TLS certificate parameters we can write only one value.
z
Let's say you want to expose the web UI at private.example.com (only accessible behind the VPN) and the osquery API at public.example.com. You should have the load balancer(s) terminating TLS for each of those hostnames with a different certificate, and that certificate needs to match the hostname. Then you'd configure the LB target for public.example.com to only allow requests for routes that start with `/api/osquery`.
d
In terms of ‘hiding’ private naming I agree, it feels not very worthwhile, but for the technical side: I expose fleet from an AWS private subnet with an AWS ALB and a cert from ACM. AFAIK (works for me) you do not need to have any cert specified on clients if you’re using a valid cert from a CA.
`--tls_hostname=fleet.example.com`
should be all you need in the client configs.
You’d also change “Fleet web address” in settings to the public LB name, fleet.example.com.
This assumes you’re going to use both the API (clients) and the web UI via the load balancer.