#kolide
grant seltzer

05/10/2019, 4:04 PM
Hi all, I can't get past an issue I'm having trying to connect osqueryd to my fleet server. The osqueryd instance is on my laptop and the fleet server is in AWS.
I0510 11:58:58.693961 3031053184 tls.cpp:240] TLS/HTTPS POST request to URI: <https://foobar.com/api/v1/osquery/config>
{"node_key":""}
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
zwass

05/10/2019, 4:46 PM
Do you have some sort of reverse proxy running? This doesn't look like a page that Fleet would serve.
grant seltzer

05/10/2019, 4:51 PM
Yes I do, although I believe it's configured correctly. What would I need to do to verify that communication can occur between fleet and my node?
4:51 PM
Perhaps another useful question is, what ports does fleet serve on?
zwass

05/10/2019, 4:59 PM
It serves on whichever port you configure
4:59 PM
What happens when you curl this endpoint?
grant seltzer

05/10/2019, 4:59 PM
for all services?
5:00 PM
lemme try
grant seltzer

05/10/2019, 5:05 PM
So when I curl the enroll endpoint with a complete request I get a 200 and a node key back
5:06 PM
and the UI will launch an "incoming host" spinner
5:06 PM
curl -vL -X POST 'https://fleet-dev.hioscar.com/api/v1/osquery/enroll' -d '{"enroll_secret":"xxxxx","host_identifier":"BD7CBD0A-E602-5045-9D7F-A2D44B13A06A","platform_type":"21","host_details":{"os_version":{"build":"18E226","major":"10","minor":"14","name":"Mac OS X","patch":"4","platform":"darwin","platform_like":"darwin","version":"10.14.4"},"osquery_info":{"build_distro":"10.13","build_platform":"darwin","config_hash":"","config_valid":"0","extensions":"inactive","instance_id":"39ce15cc-94e2-4727-811c-64bf4cfce584","pid":"62819","start_time":"1556902317","uuid":"BD7CBD0A-E602-5045-9D7F-A2D44B13A06A","version":"3.3.2","watcher":"1"},"platform_info":{"address":"0xff98b000","date":"03/10/2019 ","extra":"MBP152.88Z.F000.B00.1903101952; MBP152; 220.250.366.0.0; root@sesame; Sun Mar 10 19:52:08 2019; 220.250.366 (B&I); F000_B00; Official Build, RELEASE; Apple LLVM version 10.0.1 (clang-1001.2.37.14)","revision":"220.250.366 (B&I)","size":"8388608","vendor":"Apple Inc. ","version":"220.250.366.0.0 (iBridge: 16.16.4507.0.0,0) ","volume_size":"2170880"},"system_info":{"computer_name":"foobar","cpu_brand":"Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","cpu_logical_cores":"8","cpu_physical_cores":"4","cpu_subtype":"Intel x86-64h Haswell","cpu_type":"x86_64h","hardware_model":"MacBookPro15,2 ","hardware_serial":"C02XR0DYJHD4","hardware_vendor":"Apple Inc. ","hardware_version":"1.0 ","hostname":"fooobar","local_hostname":"foo","physical_memory":"17179869184","uuid":"BD7CBD0A-E602-5045-9D7F-A2D44B13A06A"}}}'
zwass

05/10/2019, 5:08 PM
What happens when you curl the config endpoint?
<https://foobar.com/api/v1/osquery/config>
grant seltzer

05/10/2019, 5:10 PM
I don't have a request body handy but I'm getting a response back
5:10 PM
"authentication error: missing node key"
5:10 PM
401
5:11 PM
So I'm taking this to mean fleet can take incoming and outgoing requests, despite the proxy
5:18 PM
Is fleet always going to be serving their grpc services over https?
zwass

05/10/2019, 5:33 PM
It's possible (but highly undesirable) to disable HTTPS
5:33 PM
Are you doing these tests from the same machine that is receiving the HTML response?
grant seltzer

05/10/2019, 5:38 PM
Yes
zwass

05/10/2019, 5:42 PM
I'm a bit baffled here. You're making (nearly) the same request from the same machine and getting entirely different results.
5:42 PM
Are you definitely hitting the same exact URL?
5:43 PM
Maybe you can pcap the osquery request vs. the curl request and see what is different?
5:43 PM
Certainly at least the user agent would be different.
grant seltzer

05/10/2019, 5:49 PM
Same URL as the one in osqueryd flags yes
5:50 PM
I'll give pcaping a shot 🙂
6:41 PM
pcaps don't reveal anything useful