Securing gRPC communication
Defguard Core has two main communication endpoints:
gRPC port for communicating with Defguard Gateways,
gRPC port for communicating with Defguard Core.
It is critical that:
Defguard Core's gRPC port is open on a firewall only for IP addresses of Defguard Gateway nodes.
Defguard Proxy's gRPC port is open on a firewall only for the IP address of Defguard Core.
If you want an additional layer of security, then you should create a custom SSL Certificate Authority (CA), and provide Core, Proxy and Gateway Certificates from that CA so any other connections to the gRPC services will not be accepted.
Even if you have secured the network ports/firewall and do not want to create a custom SSL CA, please secure gRPC traffic with SSL and a reverse proxy.
Custom SSL CA and certificates
To secure not only with firewall communication between all Defguard gRPC components, a custom SSL chain of certificates should be used. This way the trust will be ensured on the Transport Layer Security (TLS) level.
It is important to embed a correct domain name into the certificate as X509v3 Subject Alternative Name. The domain name must match the one under which a service is being hosted.
Quick setup
To quickly generate a set of SSL certificates using OpenSSL or LibreSSL, use the following:
Generate Certificate Authority (CA) cerfiticate and key for domain example.local
Generate private key and Certificate Signing Request (CSR)
Generate certificate by signing the CSR, valid for 365 days
Repeat the last two steps for other services (e.g. change core.csr, core.crt, and core.key to gateway.csr, gateway.crt, gateway.key), just change the domain name accordingly.
To display certificate file contents:
Defguard configuration
Defguard Core
Using command line arguments
Using environment variables
Defguard Proxy
Using command line arguments
Using environment variables
Defguard Gateway
Using command line arguments
Using environment variables
Using configuration file
Trusted CA (eg. Let'sEncrypt or others)
Often (like in the standalone package based installation tutorial) gRPC communication can be secured by a reverse proxy (NGINX, Caddy, Traefik, etc.) that handles SSL termination. It's common to use typical trusted CA (that is used for typical HTTPS traffic) like Let'sEncrypt or others.
While this secures the transport layer and encrypts communication between defguard components - it does not provide authorization between gRPC components like Custom CA does.
Thus, this type of SSL termination should only be done if you trust your network and have secured gRPC ports on firewall.
If Defguard Core or Defguard Proxy are using reverse proxy with SSL termination, then only you need to configure CA certificate paths for:
Defguard Gateway – in gateway.toml add path to CA certificate file (in PEM format); for example when using standard Let'sEncrypt installation (Certbot), you configure the CA path like this:
grpc_ca = "/etc/letsencrypt/live/domain.name/chain.pem"
Defguard Core – similarily, you need to configure Proxy CA certificate file using DEFGUARD_PROXY_GRPC_CA environment variable:
DEFGUARD_PROXY_GRPC_CA: /etc/letsencrypt/live/domain.name/chain.pem
Last updated