Hello all,
I have been experimenting with a multi-frontend deployment placed behind an internet-facing load balancer (with clients configured to report to the single LB URL in Client.server_urls). From what I can tell, minion frontends aren't able to handle client enrollments and you must also expose the "master" frontend via the load balancer to ensure a clean enrollment. Is my understanding correct? The minions don't appear to be running the interrogation/enrollment service by default (https://github.com/Velocidex/velociraptor/blob/master/services/frontend/frontend.go#L341-L355). Is there a flag I'm missing possibly (other than --minion)?
Have also encountered spurious HTTP 409 errors after a client reconnects (example at end of email) when all minions and the master frontend are behind the LB. They tend to resolve after some amount of time.
Also, it appears that the master/minion relationship at the network layer (internally behind the LB) is pretty much one way - the minions connect to the API port via TLS on the master to participate in the replication service, but the master does not connect to the minions over the network. Please correct me if I'm wrong. I've verified the network path both ways between the minions and the master frontend, but have only observed TCP connection from the minions to the master frontend.
Lastly, it appears all the minions write to the same logs as the master. This complicates troubleshooting a bit. Maybe I misconfigured something?
Running 0.6.3 fwiw.
[INFO] 2022-02-15T01:26:45+02:00 Receiver: Connected to https://<redacted>.net:443/reader
[DEBUG] 2022-02-15T01:26:45+02:00 Connection Info {"IdleTime":0,"LocalAddr":{"IP":"10.0.2.15","Port":49931,"Zone":""},"Reused":true,"WasIdle":true}
[INFO] 2022-02-15T01:26:45+02:00 Compiled all artifacts.
[INFO] 2022-02-15T01:26:45+02:00 Receiver: sent 690 bytes, response with status: 409 Conflict
[INFO] 2022-02-15T01:26:45+02:00 Post to https://<redacted>.net:443/reader returned 409 - advancing
[INFO] 2022-02-15T01:26:45+02:00 Waiting for a reachable server: 1m25s
--
Thanks for your time & guidance!
Mario R. De Tore
TechOps Engineer - Global Services Practice
Mobile | +65.8141.5385
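Added example (not part of the original post or of the Velociraptor project): a small parser for the client-log excerpt quoted above, so the 409 symptom can be quantified from a log file rather than eyeballed. It pulls the HTTP status out of each "Post to ... returned NNN" line, converts the Go-style "Waiting for a reachable server" duration into seconds, and counts reconnects. The sample input is constructed from the lines in the post, keeping the poster's "<redacted>" hostname placeholder; the message prefixes it matches on ("Receiver: Connected to", "Post to", "Waiting for a reachable server") are taken verbatim from that excerpt and are assumed to be stable.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the client-log excerpt quoted in the post above.
SAMPLE_LOG = """\
[INFO] 2022-02-15T01:26:45+02:00 Receiver: Connected to https://<redacted>.net:443/reader
[DEBUG] 2022-02-15T01:26:45+02:00 Connection Info {"IdleTime":0,"LocalAddr":{"IP":"10.0.2.15","Port":49931,"Zone":""},"Reused":true,"WasIdle":true}
[INFO] 2022-02-15T01:26:45+02:00 Compiled all artifacts.
[INFO] 2022-02-15T01:26:45+02:00 Receiver: sent 690 bytes, response with status: 409 Conflict
[INFO] 2022-02-15T01:26:45+02:00 Post to https://<redacted>.net:443/reader returned 409 - advancing
[INFO] 2022-02-15T01:26:45+02:00 Waiting for a reachable server: 1m25s
"""

# "[LEVEL] <RFC3339 timestamp> <message>" -- the layout of the lines above.
LINE_RE = re.compile(r"^\[(?P<level>[A-Z]+)\] (?P<ts>\S+) (?P<msg>.*)$")
POST_RE = re.compile(r"Post to (?P<url>\S+) returned (?P<status>\d{3})")
WAIT_RE = re.compile(r"Waiting for a reachable server: (?P<dur>\S+)")
# Go duration components, e.g. "1m25s", "500ms"; "ms" must precede "m".
DUR_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")
UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}


@dataclass
class Entry:
    level: str
    ts: str
    msg: str


@dataclass
class Summary:
    connects: int = 0                 # "Receiver: Connected to ..." lines
    posts: int = 0                    # "Post to ... returned NNN" lines
    statuses: List[int] = field(default_factory=list)
    failed_posts: Dict[str, int] = field(default_factory=dict)  # url -> non-2xx count
    backoff_seconds: float = 0.0      # sum of "Waiting for a reachable server" waits


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into level, timestamp and message; None if it does not fit."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    return Entry(m["level"], m["ts"], m["msg"])


def parse_go_duration(text: str) -> float:
    """Convert a Go-style duration such as '1m25s' or '500ms' to seconds.

    Rejects anything that is not a contiguous run of <number><unit> components.
    """
    total, pos = 0.0, 0
    for m in DUR_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"bad duration: {text!r}")
        total += float(m.group(1)) * UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return total


def summarize(log_text: str) -> Summary:
    """Tally reconnects, POST statuses and accumulated backoff from a client log."""
    s = Summary()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.msg.startswith("Receiver: Connected to "):
            s.connects += 1
            continue
        m = POST_RE.search(e.msg)
        if m:
            s.posts += 1
            status = int(m["status"])
            s.statuses.append(status)
            if not 200 <= status < 300:
                s.failed_posts[m["url"]] = s.failed_posts.get(m["url"], 0) + 1
            continue
        m = WAIT_RE.search(e.msg)
        if m:
            s.backoff_seconds += parse_go_duration(m["dur"])
    return s


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"connects={summary.connects} posts={summary.posts} statuses={summary.statuses}")
    for url, n in summary.failed_posts.items():
        print(f"non-2xx posts to {url}: {n}")
    print(f"total backoff: {summary.backoff_seconds:.0f}s")
```

Run it against a client's log file with `summarize(open(path).read())`; a high `failed_posts` count for the LB URL together with a large `backoff_seconds` is the signature of the reconnect-then-409 loop described above, and the per-URL breakdown is what separates the LB path from any direct frontend URL listed in Client.server_urls.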