asla
04/18/2019, 12:28 PMKOLIDE_SERVER_TLS=false
)
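# First attempt in the thread, paired with KOLIDE_SERVER_TLS=false: nginx talks
# to Fleet on loopback without TLS. The chat export had wrapped each upstream
# URL in <...> with the semicolon inside; that is removed here so the
# directives parse.
#
# grpc:// is cleartext HTTP/2 to the upstream, so the upstream has to accept
# HTTP/2 without TLS. The thread goes on to report "upstream sent too large
# http2 frame" with this setup and switches to grpcs://.
location /api/v1/osquery/ {
    grpc_pass grpc://127.0.0.1:8080;
    grpc_set_header Host $host;
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever
    # X-Forwarded-For the client already sent. Only the last entry is written
    # by this proxy; the backend must not trust the earlier ones for logging
    # or access decisions.
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api/v1/kolide/ {
    grpc_pass grpc://127.0.0.1:8080;
    grpc_set_header Host $host;
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Everything else is proxied as ordinary HTTP/1.x.
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Pass upstream responses through as they arrive instead of buffering.
    proxy_buffering off;
}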
Jean M
04/18/2019, 12:33 PMasla
04/18/2019, 12:42 PMKolide Fleet implements both the gRPC server and the legacy TLS server API, so it offers an easy migration path for existing TLS API users.
Jean M
04/18/2019, 12:47 PMasla
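04/18/2019, 1:15 PM[error] 15739#15739: *17 upstream sent too large http2 frame: 4740180 while reading response header from upstream, request: "POST /kolide.agent.Api/RequestConfig HTTP/2.0", upstream: "grpc://127.0.0.1:8080"
KOLIDE_SERVER_TLS=true
This now works. (The frame size 4740180 is 0x485454, the ASCII bytes "HTT": with TLS off, the upstream most likely answered nginx's cleartext HTTP/2 request with an HTTP/1.x response, and nginx read the start of that text as a frame header. With TLS enabled on Fleet, nginx and Fleet can negotiate HTTP/2 over the TLS connection.)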
launcher -> nginx (let's encrypt cert) -> fleet (self-signed cert)
Jean M
04/18/2019, 2:19 PMasla
04/18/2019, 2:24 PMJean M
04/18/2019, 2:26 PMasla
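04/18/2019, 2:27 PM
# Second attempt, with Fleet serving TLS (KOLIDE_SERVER_TLS=true): grpcs://
# makes nginx speak HTTP/2 over TLS to the upstream. The chat export had
# wrapped each URL in <...> with the semicolon inside; that is removed here.
#
# By default nginx does NOT verify the upstream certificate on grpcs://
# (grpc_ssl_verify is off), so a self-signed Fleet certificate is accepted
# without checking. On loopback that is a small exposure. If Fleet is ever
# moved to another host, pin its certificate, for example:
#   grpc_ssl_verify on;
#   grpc_ssl_trusted_certificate /path/to/fleet-cert.pem;   # placeholder path
#   grpc_ssl_name <name-in-fleet-cert>;                     # placeholder name
location /api/v1/osquery/ {
    grpc_pass grpcs://127.0.0.1:8080;
    grpc_set_header Host $host;
    # $proxy_add_x_forwarded_for appends $remote_addr to the client-supplied
    # X-Forwarded-For. Only the last entry comes from this proxy, so the
    # backend must not trust the earlier ones.
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api/v1/kolide/ {
    grpc_pass grpcs://127.0.0.1:8080;
    grpc_set_header Host $host;
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
    grpc_pass grpcs://127.0.0.1:8080;
    grpc_set_header Host $host;
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # NOTE(review): proxy_buffering belongs to the proxy module and only
    # affects proxy_pass; with grpc_pass it has no effect. Kept as posted.
    proxy_buffering off;
}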
Jean M
04/18/2019, 2:35 PMasla
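04/18/2019, 2:36 PM
# Derives the Connection header to send upstream from the client's Upgrade
# header: "upgrade" when the client sent any Upgrade value, "close" when the
# header is absent or empty. map is only valid at http level, outside any
# server block.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}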
and then in server block
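# Proxies the results endpoint with protocol-upgrade support: HTTP/1.1 to the
# upstream, with the client's Upgrade header and the mapped Connection value
# forwarded. The chat export had wrapped the URL in <...> with the semicolon
# inside; that is removed here.
location /api/v1/kolide/results/ {
    # https:// encrypts the hop to Fleet, but nginx does not verify the
    # upstream certificate unless proxy_ssl_verify is on and
    # proxy_ssl_trusted_certificate is set. Acceptable on loopback; pin the
    # certificate if the upstream ever moves off-host.
    proxy_pass https://127.0.0.1:8080;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    # $connection_upgrade comes from the http-level map on $http_upgrade.
    proxy_set_header Connection $connection_upgrade;
}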
Jean M
04/22/2019, 2:43 PMasla
09/06/2019, 8:55 AMgrpcs://
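# public kolide launcher api
# Allowlist of launcher gRPC methods; any other path under this service is not
# matched by this block. The dots are escaped so each matches a literal "."
# rather than any character, which keeps the allowlist exact. The chat export
# had wrapped the upstream URLs in <...> with the semicolon inside; that is
# removed here.
location ~ ^/kolide\.agent\.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
    # grpcs:// does not verify the upstream certificate by default
    # (grpc_ssl_verify off). Set grpc_ssl_verify and
    # grpc_ssl_trusted_certificate if the upstream is not on loopback.
    grpc_pass grpcs://127.0.0.1:8080;
    grpc_set_header Host $host;
    # Appends $remote_addr to the client-supplied X-Forwarded-For. The backend
    # should trust only the last entry.
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# public kolide launcher api
# Exact match (=) instead of a prefix match, so only this one method path is
# forwarded and not every URI that merely starts with it.
location = /kolide.launcher.QueryTarget/GetTargets {
    grpc_pass grpcs://127.0.0.1:8080;
    grpc_set_header Host $host;
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}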
Nick Chappell
02/14/2021, 5:56 PM