# kolide
e
Hi Folks. When deploying Fleet behind a load balancer, does each Fleet server need to use its own CRT and KEY files? I'm thinking the TLS Termination will be done at the load balancer, then just forward unencrypted traffic to the Fleet server
s
Depends how you configure the LB. It can either pass through or terminate and then connect.
Of course, if you have the LB terminate the TLS you need to set Fleet’s server_tls=false (see https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md#server_tls)
s
If you do not terminate on the LB you will need the same cert files on all the servers.
z
You actually might not need the same cert on each server, as long as each cert can be validated by osquery. That said, I would typically use the same cert on each server. Or do as @sundsta says and terminate at the LB.
e
Thanks all!
@zwass Another question on this topic -- how do you have osquery validate multiple certs? I now have a situation where my fleet server uses self-signed certs, and my LB uses its own certs
s
@Erich Stoekl osquery would only talk to the LB, so it only needs the LB’s certs
e
@sun-77 thanks for your reply. I have fleet set up with its own certs, and the LB with its own certs. I can access the web portal for fleet, and my osquery nodes connect, but I am unable to schedule queries against the osquery nodes. That's why I'm wondering if it's possible to tell osquery that there are multiple certs involved
s
If the LB is terminating TLS as you described, that is the only cert osquery needs to know about. If the LB initiates another TLS connection to the Fleet nodes, that is between the LB and the nodes and the osquery agent isn't involved in that at all. With all of that said, if the agents are connecting and enrolling there isn't a certificate issue.
e
@sundsta thanks. They're enrolling (at least I think they are, the agents show up as green in the web UI for fleet), but I cannot run queries against them. Is there a way to debug this situation?
The osquery nodes enroll when they have the public key that the LB is using. So it kind of makes sense to me that Fleet can't run queries against the osquery nodes... the Fleet server can't tell that they are using the correct certs, because the fleet server doesn't know about the LB cert
s
This is a pull, not push, scenario.
osqueryd reaches out to Fleet periodically for the latest configuration, which all routes through the same LB that the enroll API call does
If I remember correctly, you are filtering out some API routes in order to ensure the admin panel is not accessible from the internet. You will want to double-check that this is not blocking requests to the config API
Also, your load balancer logs should indicate what is happening when it receives the connections from osqueryd
e
Thanks, I'll check that