Securing gRPC communication
Defguard Core has two main communication endpoints:
gRPC port for communicating with Defguard Gateways,
gRPC port for communicating with Defguard Core.
It is critical that:
Defguard Core's gRPC port is open on a firewall only for IP addresses of Defguard Gateway nodes.
Defguard Proxy's gRPC port is open on a firewall only for the IP address of Defguard Core.
If you want an additional layer of security, then you should create a custom SSL Certificate Authority (CA), and provide Core, Proxy and Gateway Certificates from that CA so any other connections to the gRPC services will not be accepted.
Even if you have secured the network ports/firewall and do not want to create a custom SSL CA, please secure gRPC traffic with SSL and a reverse proxy.
Custom SSL CA and certificates
To secure not only with firewall communication between all Defguard gRPC components, a custom SSL chain of certificates should be used. This way the trust will be ensured on the Transport Layer Security (TLS) level.
It is important to embed a correct domain name into the certificate as X509v3 Subject Alternative Name. The domain name must match the one under which a service is being hosted.
Quick setup
To quickly generate a set of SSL certificates using OpenSSL or LibreSSL, use the following:
Generate Certificate Authority (CA) cerfiticate and key for domain example.local
openssl req -x509 -noenc -subj '/CN=example.local' -newkey rsa:4096 -keyout ca.key -out ca.crtGenerate private key and Certificate Signing Request (CSR)
openssl req -noenc -newkey rsa:4096 -keyout core.key -out core.csr -subj '/CN=example.local' -addext subjectAltName=DNS:example.localGenerate certificate by signing the CSR, valid for 365 days
openssl x509 -req -in core.csr -CA ca.crt -CAkey ca.key -days 365 -out core.crt -copy_extensions copyTo display certificate file contents:
openssl x509 -noout -text -in core.crtDefguard configuration
Defguard Core
Using command line arguments
defguard --grpc-cert path/to/core.crt \
--grpc-key path/to/core.key \
--proxy-grpc-ca path/to/ca.crtUsing environment variables
env DEFGUARD_GRPC_CERT=path/to/core.crt \
DEFGUARD_GRPC_KEY=path/to/core.key \
DEFGUARD_PROXY_GRPC_CA=path/to/ca.crt \
defguardDefguard Proxy
Using command line arguments
defguard-proxy --grpc-cert path/to/proxy.crt \
--grpc-key path/to/proxy.keyUsing environment variables
env DEFGUARD_PROXY_GRPC_CERT=path/to/proxy.crt \
DEFGUARD_PROXY_GRPC_KEY=path/to/proxy.key
defguard-proxyDefguard Gateway
Using command line arguments
defguard-gateway --grpc-ca path/to/ca.crtUsing environment variables
env DEFGUARD_GRPC_CA=path/to/ca.crt \
defguard-gatewayUsing configuration file
grpc_ca = "path/to/ca.crt"Trusted CA (eg. Let'sEncrypt or others)
Often (like in the standalone package based installation tutorial) gRPC communication can be secured by a reverse proxy (NGINX, Caddy, Traefik, etc.) that handles SSL termination. It's common to use typical trusted CA (that is used for typical HTTPS traffic) like Let'sEncrypt or others.
While this secures the transport layer and encrypts communication between defguard components - it does not provide authorization between gRPC components like Custom CA does.
Thus, this type of SSL termination should only be done if you trust your network and have secured gRPC ports on firewall.
If Defguard Core or Defguard Proxy are using reverse proxy with SSL termination, then only you need to configure CA certificate paths for:
Defguard Gateway – in gateway.toml add path to CA certificate file (in PEM format); for example when using standard Let'sEncrypt installation (Certbot), you configure the CA path like this:
grpc_ca = "/etc/letsencrypt/live/domain.name/chain.pem"
Defguard Core – similarily, you need to configure Proxy CA certificate file using DEFGUARD_PROXY_GRPC_CA environment variable:
DEFGUARD_PROXY_GRPC_CA: /etc/letsencrypt/live/domain.name/chain.pem
Last updated
Was this helpful?