👋 Just wondering if anyone opens their fleet ...
# kolide
l
👋 Just wondering if anyone opens their fleet install up to the internet to collect data from laptops on the road, etc? Or do y'all keep it confined to the local network / VPN'd in clients?
s
A frequent topic of conversation is how to do that while having the admin interface protected.
l
Ah right - so I'm not the only one wondering that then 😉
z
IME most folks open it to the internet. Those who are more paranoid use an LB to separate the traffic to the admin interface and allow that only from VPN. Lots of discussion about that in here if you search.
d
@Lee Brotherston I recently wrote a blog about how I did it with nginx, Fleet & Launcher: https://defensivedepth.com/2020/04/02/kolide-fleet-breaking-out-the-osquery-api-web-ui/
👍 3
j
We've been in the same situation. So far there's no easy solution, since we run it on AWS using Fargate, behind an ALB and Cloudflare. Neither the ALB nor Cloudflare supports HTTP/2 or gRPC, so the only way to "protect" it is using L3 systems (an AWS NLB instead of a normal ALB, Cloudflare Spectrum instead of the WAF).
We could turn off gRPC, go back to plain HTTP and split it out, easy enough, but the gRPC benefit has won so far.
z
@john what is the perceived benefit of grpc?
j
For us it was mostly speed and bandwidth (as far as our metrics can tell); we run many small queries, to the point where header sizes start to stick out.
l
Thanks @defensivedepth, that's really useful! Apologies for the delay in responding!
j
I front mine with nginx (which supports gRPC) and allow the gRPC endpoints from anywhere, and all other endpoints only from my identity reverse proxy.