
grant seltzer

05/10/2019, 4:04 PM
Hi all, I can't get past an issue I'm having trying to connect osqueryd to my Fleet server. The osqueryd instance is on my laptop and the Fleet server is in AWS.
I0510 11:58:58.693961 3031053184 tls.cpp:240] TLS/HTTPS POST request to URI: <https://foobar.com/api/v1/osquery/config>
{"node_key":""}
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

zwass

05/10/2019, 4:46 PM
Do you have some sort of reverse proxy running? This doesn't look like a page that Fleet would serve.

grant seltzer

05/10/2019, 4:51 PM
Yes I do, although I believe it's configured correctly. What would I need to do to verify that communication can occur between Fleet and my node?
Perhaps another useful question is: what ports does Fleet serve on?

zwass

05/10/2019, 4:59 PM
It serves on whichever port you configure.
What happens when you curl this endpoint?

grant seltzer

05/10/2019, 4:59 PM
for all services?
lemme try

grant seltzer

05/10/2019, 5:05 PM
So when I curl the enroll endpoint with a complete request I get a 200 and a node key back
and the UI will launch an "incoming host" spinner
curl -vL -X POST https://fleet-dev.hioscar.com/api/v1/osquery/enroll -d '{"enroll_secret":"xxxxx","host_identifier":"BD7CBD0A-E602-5045-9D7F-A2D44B13A06A","platform_type":"21","host_details":{"os_version":{"build":"18E226","major":"10","minor":"14","name":"Mac OS X","patch":"4","platform":"darwin","platform_like":"darwin","version":"10.14.4"},"osquery_info":{"build_distro":"10.13","build_platform":"darwin","config_hash":"","config_valid":"0","extensions":"inactive","instance_id":"39ce15cc-94e2-4727-811c-64bf4cfce584","pid":"62819","start_time":"1556902317","uuid":"BD7CBD0A-E602-5045-9D7F-A2D44B13A06A","version":"3.3.2","watcher":"1"},"platform_info":{"address":"0xff98b000","date":"03/10/2019 ","extra":"MBP152.88Z.F000.B00.1903101952; MBP152; 220.250.366.0.0; root@sesame; Sun Mar 10 19:52:08 2019; 220.250.366 (B&I); F000_B00; Official Build, RELEASE; Apple LLVM version 10.0.1 (clang-1001.2.37.14)","revision":"220.250.366 (B&I)","size":"8388608","vendor":"Apple Inc. ","version":"220.250.366.0.0 (iBridge: 16.16.4507.0.0,0) ","volume_size":"2170880"},"system_info":{"computer_name":"foobar","cpu_brand":"Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","cpu_logical_cores":"8","cpu_physical_cores":"4","cpu_subtype":"Intel x86-64h Haswell","cpu_type":"x86_64h","hardware_model":"MacBookPro15,2 ","hardware_serial":"C02XR0DYJHD4","hardware_vendor":"Apple Inc. ","hardware_version":"1.0 ","hostname":"fooobar","local_hostname":"foo","physical_memory":"17179869184","uuid":"BD7CBD0A-E602-5045-9D7F-A2D44B13A06A"}}}'

zwass

05/10/2019, 5:08 PM
What happens when you curl the config endpoint?
<https://foobar.com/api/v1/osquery/config>

grant seltzer

05/10/2019, 5:10 PM
I don't have a request body handy but I'm getting a response back
"authentication error: misisng node key"
401
So I'm taking this to mean Fleet can take incoming and outgoing requests, despite the proxy.
Is Fleet always going to be serving its gRPC services over HTTPS?

zwass

05/10/2019, 5:33 PM
It's possible (but highly undesirable) to disable HTTPS
Are you doing these tests from the same machine that is receiving the HTML response?

grant seltzer

05/10/2019, 5:38 PM
Yes

zwass

05/10/2019, 5:42 PM
I'm a bit baffled here. You're making (nearly) the same request from the same machine and getting entirely different results.
Are you definitely hitting the same exact URL?
Maybe you can pcap the osquery request vs. the curl request and see what is different?
Certainly at least the user agent would be different.

grant seltzer

05/10/2019, 5:49 PM
Same URL as the one in the osqueryd flags, yes.
I'll give pcapping a shot 🙂
pcaps don't reveal anything useful