#kolide

Lee Brotherston

04/14/2020, 6:58 PM
👋 Just wondering if anyone opens their fleet install up to the internet to collect data from laptops on the road, etc? Or do y'all keep it confined to the local network / VPN'd in clients?

seph

04/14/2020, 7:00 PM
A frequent topic of conversation is how to do that while having the admin interface protected.

Lee Brotherston

04/14/2020, 7:00 PM
Ah right - so I'm not the only one wondering that then 😉
zwass

04/14/2020, 7:27 PM
IME most folks open it to the internet. Those who are more paranoid use an LB to separate the traffic to the admin interface and allow that only from VPN. Lots of discussion about that in here if you search.
defensivedepth

04/14/2020, 8:07 PM
@Lee Brotherston I recently wrote a blog about how I did it with nginx, Fleet & Launcher: https://defensivedepth.com/2020/04/02/kolide-fleet-breaking-out-the-osquery-api-web-ui/

john

04/15/2020, 1:42 AM
we’ve been in the same situation, so far no easy solution since we run it on AWS using Fargate, behind an ALB and Cloudflare. Neither the ALB nor cloudflare support HTTP/2 or GRPC so the only way to ‘protect’ it is using L3 systems (AWS NLB instead of normal ALB, Cloudflare spectrum instead of WAF)
1:43 AM
we could turn off grpc and go back to plain http and split it out, easy enough, but the grpc benefit has won so far
zwass

04/15/2020, 2:22 AM
@john what is the perceived benefit of grpc?

john

04/15/2020, 10:21 AM
For us it was mostly speed and bandwidth (as far as our metrics can tell), we run many small queries to the point where header sizes start to stick out

Lee Brotherston

04/15/2020, 12:25 PM
Thanks @defensivedepth, that's really useful! Apologies for the delay in responding!

Jason W

04/15/2020, 8:23 PM
I front mine with nginx (which supports grpc) and allow the grpc endpoints from anywhere and all other endpoints only from my identity reverse proxy