# kolide
a
Hello. In my local setup I have nginx proxy (which terminates TLS) before Kolide Fleet and use Kolide launchers. After reading the docs and messages here on slack, I am still not sure where grpc is used. Could someone please clarify which endpoints use grpc? What about the https:// front-end dashboard? Thanks. My current nginx config (where 127.0.0.1:8080 is the fleet server with KOLIDE_SERVER_TLS=false):
    location /api/v1/osquery/ {
        grpc_pass  grpc://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /api/v1/kolide/ {
        grpc_pass  grpc://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass  http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
    }
j
I also have this doubt, if you find an answer, could you please share
a
Yes, it's a little confusing because
Kolide Fleet implements both the gRPC server as well as the legacy TLS server API, so it presents an easy migration path for existing TLS API users.
j
for example, I’m seeing the launcher using /kolide.agent.Api/ endpoint while osquery seems to use /api/v1/…
a
I see nginx errors like these, which are related to grpc I assume.
[error] 15739#15739: *17 upstream sent too large http2 frame: 4740180 while reading response header from upstream, request: "POST /kolide.agent.Api/RequestConfig HTTP/2.0", upstream: "grpc://127.0.0.1:8080"
@Jean M I resolved my problem. It seems that grpcs:// is required in the setup if you want to proxy with nginx. I restarted fleet with a self-signed certificate and set KOLIDE_SERVER_TLS=true. This now works:
launcher -> nginx (let's encrypt cert) -> fleet (self-signed cert)
j
indeed I saw the exact same errors. Thanks for the reply, I’ll test on my side
so using fleet without tls is not possible I suppose
a
Now I am still unclear on which endpoints do what. 🙂 I wanted to expose the fleet server to the Internet but restrict requests to only the endpoints that are needed for communication with launchers.
j
I’m doing the same. btw you used a grpcs_pass in a specific /kolide.agent.Api/ location in nginx?
or set it for / ?
a
This is what I have right now. Launchers work, and front-end UI requests work too.
    location /api/v1/osquery/ {
        grpc_pass  grpcs://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /api/v1/kolide/ {
        grpc_pass  grpcs://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        grpc_pass  grpcs://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
    }
j
Thanks!
a
You might also have to proxy websocket requests to the results endpoint (used in the web UI). See https://www.nginx.com/blog/websocket-nginx/
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

and then in server block

    location /api/v1/kolide/results/ {
        proxy_pass https://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
j
I’ve reached this stage and tried to filter based on, for example, “/kolide.agent.Api/”, but if I do a GET on it I get the index page, so I’m not sure this is the best method...
a
Additional locations. Note that the backend fleet server must have a cert (even self-signed) and be proxied via grpcs://
    # public kolide launcher api
    location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
        grpc_pass  grpcs://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # public kolide launcher api
    location /kolide.launcher.QueryTarget/GetTargets {
        grpc_pass  grpcs://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
n
came across this via some Googling. 🙂 what's the complete Nginx config you have for this setup? (I haven't mixed HTTP and gRPC in an Nginx config before)