[Feature request] support configurable ports for administrative access to Fleet application and endpoints TLS connection
Currently, the Fleet application only uses one port, both for admins/users to log in to the Fleet web UI and for endpoint connections to the Fleet server via TLS. Due to this limitation, we cannot separate access control between administrative access and endpoint TLS connections.
We would like to harden our administrative access so that user/admin login to the Fleet server is only allowed from the corporate network.
This request may be similar to #1687
You can do this yourself by using a proxy in front of fleet.
I'm working on setting up a proof of concept for my team and also want to lock down GUI access. I wanted to share my proxy config for anyone else who is doing the same.
In what little testing I've done, it seems to work correctly, but I am very open to suggestions or improvements.
Notes:
- I'm using `docker-compose` to manage both fleet and nginx, so the "fleet_gui" address in the upstream is resolved by Docker. But it can be any IP or valid DNS name.
- nginx must be able to resolve the DNS name in the upstream field. So if using `docker-compose`, use `depends_on` to make sure that the nginx container starts after the fleet container.
- The referenced `server.cert` and `server.key` are the same that I generated and am using for the Fleet web GUI.
nginx.conf snippet:
```nginx
upstream web_gui {
    # the Fleet container; "server" is required for each upstream entry
    server fleet_gui:8080;
}

server {
    # osqueryd check-ins
    listen 8080 ssl;
    ssl_certificate /etc/nginx/server.cert;
    ssl_certificate_key /etc/nginx/server.key;

    # everything that is not the osquery API (including the web GUI) is refused
    location / {
        deny all;
    }

    # only the osquery endpoints are forwarded to Fleet
    location /api/v1/osquery/ {
        proxy_pass https://web_gui;
    }
}

server {
    # Admin GUI Access
    listen 8081 ssl;
    ssl_certificate /etc/nginx/server.cert;
    ssl_certificate_key /etc/nginx/server.key;

    # allow-list the corporate address range, refuse everyone else
    location / {
        allow x.x.x.x;
        deny all;
        proxy_pass https://web_gui;
    }
}
```
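A docker-compose layout that matches the notes above, added here as an example and not part of the original comment: the service name `fleet_gui` matches the upstream, `depends_on` orders the containers, and the Fleet container publishes no port of its own so every client has to pass through nginx. The image tags, the `./certs` directory, the Fleet environment variables and the omission of Fleet's MySQL/Redis services are assumptions.

```yaml
# Added example (not from the original comment): compose wiring for the
# two-port nginx proxy in front of Fleet. Image tags, paths and Fleet
# environment are assumptions; Fleet's mysql/redis services are omitted.
version: "3.7"
services:
  fleet_gui:
    image: fleetdm/fleet:latest          # assumed image; pin your own version
    command: fleet serve
    environment:
      FLEET_SERVER_ADDRESS: 0.0.0.0:8080   # Fleet listens on 8080 inside the compose network
      FLEET_SERVER_CERT: /fleet/server.cert
      FLEET_SERVER_KEY: /fleet/server.key
    volumes:
      - ./certs:/fleet:ro
    # Deliberately no "ports:" entry: Fleet is reachable only from other
    # containers, so nothing can bypass the nginx allow/deny rules.

  nginx:
    image: nginx:stable
    depends_on:
      - fleet_gui                        # start after fleet so the upstream name resolves
    ports:
      - "8080:8080"                      # osqueryd check-ins (osquery API path only)
      - "8081:8081"                      # admin GUI, allow-listed source addresses only
    volumes:
      # the snippet above contains upstream/server blocks, so it belongs in
      # conf.d (included inside the http block of the stock nginx.conf)
      - ./nginx-fleet.conf:/etc/nginx/conf.d/fleet.conf:ro
      - ./certs/server.cert:/etc/nginx/server.cert:ro
      - ./certs/server.key:/etc/nginx/server.key:ro
```

With this layout, `docker-compose port fleet_gui 8080` should print nothing, which is a quick check that Fleet itself is not exposed on the host.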