#kolide

asla

04/18/2019, 12:28 PM
Hello. In my local setup I have an nginx proxy (which terminates TLS) before Kolide Fleet and use Kolide launchers. After reading the docs and messages here on Slack, I am still not sure where gRPC is used. Could someone please clarify which endpoints use gRPC? What about the https:// front-end dashboard? Thanks. My current nginx config (where 127.0.0.1:8080 is the fleet server with KOLIDE_SERVER_TLS=false):
    location /api/v1/osquery/ {
        grpc_pass grpc://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /api/v1/kolide/ {
        grpc_pass grpc://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
    }

Jean M

04/18/2019, 12:33 PM
I also have this doubt. If you find an answer, could you please share?

asla

04/18/2019, 12:42 PM
Yes, it's a little confusing because "Kolide Fleet implements both the gRPC server as well as the legacy TLS server API, so it presents an easy migration path for existing TLS API users."

Jean M

04/18/2019, 12:47 PM
For example, I’m seeing the launcher using the /kolide.agent.Api/ endpoint while osquery seems to use /api/v1/…

asla

04/18/2019, 1:15 PM
I see nginx errors like these, which are related to gRPC I assume:
[error] 15739#15739: *17 upstream sent too large http2 frame: 4740180 while reading response header from upstream, request: "POST /kolide.agent.Api/RequestConfig HTTP/2.0", upstream: "grpc://127.0.0.1:8080"
2:16 PM
@Jean M I resolved my problem. It seems that grpcs:// is required in the setup if you want to proxy with nginx. I restarted fleet with a self-signed certificate and set KOLIDE_SERVER_TLS=true. This now works:
launcher -> nginx (let's encrypt cert) -> fleet (self-signed cert)

Jean M

04/18/2019, 2:19 PM
Indeed, I saw the exact same errors. Thanks for the reply, I’ll test on my side.
2:20 PM
So using fleet without TLS is not possible, I suppose.

asla

04/18/2019, 2:24 PM
Now I am still unclear on which endpoints do what. 🙂 I wanted to expose the fleet server to the Internet but restrict requests to only the endpoints that are needed for communication with launchers.

Jean M

04/18/2019, 2:26 PM
I’m doing the same. BTW, did you use a grpcs_pass in a specific /kolide.agent.Api/ location in nginx?
2:26 PM
Or set it for / ?

asla

04/18/2019, 2:27 PM
This is what I have right now. Launchers work, and front-end UI requests work too.
    location /api/v1/osquery/ {
        grpc_pass grpcs://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /api/v1/kolide/ {
        grpc_pass grpcs://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        grpc_pass grpcs://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
    }

Jean M

04/18/2019, 2:35 PM
Thanks!

asla

04/18/2019, 2:36 PM
You might also have to proxy WebSocket requests to the results endpoint (used in the web UI). See https://www.nginx.com/blog/websocket-nginx/
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

and then in the server block:

    location /api/v1/kolide/results/ {
        proxy_pass https://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

Jean M

04/22/2019, 2:43 PM
I’ve reached this stage and tried to filter based on, for example, “/kolide.agent.Api/”, but if I do a GET on it I get the index page, so I’m not sure this is the best method.

asla

09/06/2019, 8:55 AM
Additional locations. Note that the backend fleet server must have a cert (even self-signed) and you must proxy via grpcs://
    # public kolide launcher api
    location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
        grpc_pass grpcs://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # public kolide launcher api
    location /kolide.launcher.QueryTarget/GetTargets {
        grpc_pass grpcs://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

Nick Chappell

02/14/2021, 5:56 PM
Came across this via some Googling. 🙂 What's the complete nginx config you have for this setup? (I haven't mixed HTTP and gRPC in an nginx config before.)