# kolide
g
Hi all, I can't get past an issue I'm having trying to connect osqueryd to my fleet server. The osqueryd instance is on my laptop and the fleet server is in aws.
I0510 11:58:58.693961 3031053184 tls.cpp:240] TLS/HTTPS POST request to URI: https://foobar.com/api/v1/osquery/config
{"node_key":""}
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
z
Do you have some sort of reverse proxy running? This doesn't look like a page that Fleet would serve.
g
Yes I do, although I believe it's configured correctly. What would I need to do to verify that communication can occur between fleet and my node?
Perhaps another useful question is, what ports does fleet serve on?
z
It serves on whichever port you configure
What happens when you curl this endpoint?
g
for all services?
lemme try
g
So when I curl the enroll endpoint with a complete request I get a 200 and a node key back
and the UI will launch an "incoming host" spinner
curl -vL -X POST https://fleet-dev.hioscar.com/api/v1/osquery/enroll -d '{"enroll_secret":"xxxxx","host_identifier":"BD7CBD0A-E602-5045-9D7F-A2D44B13A06A","platform_type":"21","host_details":{"os_version":{"build":"18E226","major":"10","minor":"14","name":"Mac OS X","patch":"4","platform":"darwin","platform_like":"darwin","version":"10.14.4"},"osquery_info":{"build_distro":"10.13","build_platform":"darwin","config_hash":"","config_valid":"0","extensions":"inactive","instance_id":"39ce15cc-94e2-4727-811c-64bf4cfce584","pid":"62819","start_time":"1556902317","uuid":"BD7CBD0A-E602-5045-9D7F-A2D44B13A06A","version":"3.3.2","watcher":"1"},"platform_info":{"address":"0xff98b000","date":"03/10/2019 ","extra":"MBP152.88Z.F000.B00.1903101952; MBP152; 220.250.366.0.0; root@sesame; Sun Mar 10 19:52:08 2019; 220.250.366 (B&I); F000_B00; Official Build, RELEASE; Apple LLVM version 10.0.1 (clang-1001.2.37.14)","revision":"220.250.366 (B&I)","size":"8388608","vendor":"Apple Inc. ","version":"220.250.366.0.0 (iBridge: 16.16.4507.0.0,0) ","volume_size":"2170880"},"system_info":{"computer_name":"foobar","cpu_brand":"Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","cpu_logical_cores":"8","cpu_physical_cores":"4","cpu_subtype":"Intel x86-64h Haswell","cpu_type":"x86_64h","hardware_model":"MacBookPro15,2 ","hardware_serial":"C02XR0DYJHD4","hardware_vendor":"Apple Inc. ","hardware_version":"1.0 ","hostname":"fooobar","local_hostname":"foo","physical_memory":"17179869184","uuid":"BD7CBD0A-E602-5045-9D7F-A2D44B13A06A"}}}'
z
What happens when you curl the config endpoint?
https://foobar.com/api/v1/osquery/config
g
I don't have a request body handy but I'm getting a response back
"authentication error: missing node key"
401
So I'm taking this to mean fleet can take incoming and outgoing requests, despite the proxy
Is fleet always going to be serving their grpc services over https?
z
It's possible (but highly undesirable) to disable HTTPS
Are you doing these tests from the same machine that is receiving the HTML response?
g
Yes
z
I'm a bit baffled here. You're making (nearly) the same request from the same machine and getting entirely different results.
Are you definitely hitting the same exact URL?
Maybe you can pcap the osquery request vs. the curl request and see what is different?
Certainly at least the user agent would be different.
g
Same URL as the one in osqueryd flags, yes
I'll give pcaping a shot 🙂
pcaps don't reveal anything useful