GITBOOK-137: Updated reverse proxy and gRPC security

Author: defguard-community

SUMMARY.md

@@ -86,7 +86,7 @@
 * [Configuration](deployment-strategies/configuration.md)
 * [Running Gateway on OPNsense firewall](deployment-strategies/running-gateway-on-opnsense-firewall.md)
 * [Running Gateway on MikroTik routers](deployment-strategies/running-gateway-on-mikrotik-routers.md)
-* [Reverse Proxy configuration using NGINX](deployment-strategies/reverse-proxy-configuration-using-nginx.md)
+* [Reverse Proxy configuration using Nginx](deployment-strategies/reverse-proxy-configuration-using-nginx.md)
 * [High Availability and Failover](deployment-strategies/high-availability-and-failover.md)
 * [Updating and version compatibility](deployment-strategies/updating-and-version-compatibility.md)
 * [Migration guides](deployment-strategies/upgrading.md)

deployment-strategies/grpc-ssl-communication.md

@@ -1,26 +1,83 @@
 # Securing gRPC communication
 
-Defguard Core has two main communication endpoints:
+Defguard components exchange data over gRPC, which must be properly secured to protect sensitive information and prevent unauthorized access.
 
-1. gRPC port for communicating with Defguard Gateways,
-2. gRPC port for communicating with Defguard Core.
+## Firewall rules
 
-{% hint style="danger" %}
-It is **critical** that:
+Defguard components expose two ports that require firewall-level protection:
 
-1. Defguard Core's gRPC port is open on a firewall only for IP addresses of Defguard Gateway nodes.
-2. Defguard Proxy's gRPC port is open on a firewall only for the IP address of Defguard Core.
-3. If you want an additional layer of security, then you should create a **custom SSL Certificate Authority (CA)**, and provide Core, Proxy and Gateway Certificates from that CA so **any other connections to the gRPC services will not be accepted.**
-4. Even if you have secured the network ports/firewall and do not want to create a custom SSL CA, please secure gRPC traffic with SSL and a reverse proxy.
-{% endhint %}
+* Defguard Core exposes a gRPC port for communication with Defguard Gateways.
+* Defguard Proxy exposes a gRPC port for communication with Defguard Core.
+
+Limit access to gRPC ports:
+
+* Allow Core’s gRPC port only from Gateway IPs.
+* Allow Proxy’s gRPC port only from Core’s IP.
+
+## SSL encryption
+
+Even if you already use [SSL on a reverse proxy](reverse-proxy-configuration-using-nginx.md#obtaining-ssl-certificates), this only protects external traffic. Internal gRPC connections between Proxy, Core, and Gateways occur behind the proxy and must also be encrypted and authenticated. These connections carry sensitive operational data and should never be left unprotected.
+
+You can **choose one** of two approaches:
+
+* [Trusted CA certificates](grpc-ssl-communication.md#trusted-ca-certificates) (simple) – use certificates issued by a recognized Certificate Authority (e.g., Let’s Encrypt). This ensures encrypted traffic and verifies the identity of each component. This approach assumes you're already using [reverse proxy with SSL termination](reverse-proxy-configuration-using-nginx.md#obtaining-ssl-certificates) for Defguard Core or Defguard Proxy.
+* [Custom internal CA](grpc-ssl-communication.md#custom-internal-ca) (recommended) – create your own Certificate Authority and issue certificates for Core, Proxy, and Gateway. This enables mutual TLS (mTLS), so only trusted Defguard components can communicate.
+
+Choose one of these options based on your environment: trusted CA for simplicity, or a custom CA for full Zero Trust mutual authentication.
+
+### Trusted CA certificates
+
+If you followed our [guide on configuring SSL for reverse proxy](reverse-proxy-configuration-using-nginx.md#obtaining-ssl-certificates) your certificates should be located in the following path `/etc/letsencrypt/live/domain.name/`. Use the PEM-formatted CA certificate for configuring Defguard components.           
+
+#### Configure Defguard Core
+
+Add path to CA certificate file using command line arguments:
+
+```bash
+defguard --proxy-grpc-ca /etc/letsencrypt/live/domain.name/chain.pem
+```
 
-## Custom SSL CA and certificates
+or using the service's configuration file:
 
-To secure not only with firewall communication between all Defguard gRPC components, a custom SSL chain of certificates should be used. This way the trust will be ensured on the Transport Layer Security (TLS) level.
+```toml
+proxy_grpc_ca = "/etc/letsencrypt/live/domain.name/chain.pem"
+```
+
+or using environment variable:
+
+```bash
+env DEFGUARD_PROXY_GRPC_CA=/etc/letsencrypt/live/domain.name/chain.pem \
+    defguard
+```
+
+#### Configure Defguard Gateway
 
-It is important to embed a correct domain name into the certificate as _X509v3 Subject Alternative Name_. The domain name must match the one under which a service is being hosted.
+Add path to CA certificate file using command line arguments:
 
-### Quick setup
+```bash
+defguard-gateway --grpc-ca /etc/letsencrypt/live/domain.name/chain.pem
+```
+
+or using the service's configuration file:
+
+```toml
+grpc_ca = "/etc/letsencrypt/live/domain.name/chain.pem"
+```
+
+or using environment variable:
+
+```bash
+env DEFGUARD_GRPC_CA=/etc/letsencrypt/live/domain.name/chain.pem \
+    defguard-gateway
+```
+
+### Custom internal CA
+
+{% hint style="warning" %}
+It is important to embed a correct domain name into the certificate as _X509v3 Subject Alternative Name_. The domain name must match the one **under which a service is being hosted**.
+{% endhint %}
+
+#### Generate certificates
 
 To quickly generate a set of SSL certificates using [OpenSSL](https://openssl-library.org) or [LibreSSL](https://www.libressl.org), use the following:
 
@@ -52,19 +109,25 @@ To display certificate file contents:
 openssl x509 -noout -text -in core.crt
 ```
 
-### Defguard configuration
-
-#### Defguard Core
+#### Configure Defguard Core
 
-Using command line arguments
+Add paths to certificate files using command line arguments:
 
 ```sh
 defguard --grpc-cert path/to/core.crt \
          --grpc-key path/to/core.key \
          --proxy-grpc-ca path/to/ca.crt
 ```
 
-Using environment variables
+or using the service's configuration file:
+
+```toml
+grpc_cert = "path/to/core.crt"
+grpc_key = "path/to/core.key"
+proxy_grpc_ca = "path/to/ca.crt"
+```
+
+or using environment variables:
 
 ```sh
 env DEFGUARD_GRPC_CERT=path/to/core.crt \
@@ -73,57 +136,50 @@ env DEFGUARD_GRPC_CERT=path/to/core.crt \
     defguard
 ```
 
-#### Defguard Proxy
+#### Configure Defguard Proxy
 
-Using command line arguments
+Add paths to certificate files using command line arguments:
 
 ```sh
 defguard-proxy --grpc-cert path/to/proxy.crt \
                --grpc-key path/to/proxy.key
 ```
 
-Using environment variables
+or using the service's configuration file:
+
+```toml
+grpc_cert = "path/to/core.crt"
+grpc_key = "path/to/core.key"
+```
+
+or using environment variables:
 
 ```sh
 env DEFGUARD_PROXY_GRPC_CERT=path/to/proxy.crt \
     DEFGUARD_PROXY_GRPC_KEY=path/to/proxy.key
     defguard-proxy
 ```
 
-### Defguard Gateway
+#### Configure Defguard Gateway
 
-Using command line arguments
+Add paths to certificate files using command line arguments:
 
 ```sh
 defguard-gateway --grpc-ca path/to/ca.crt
 ```
 
-Using environment variables
-
-```sh
-env DEFGUARD_GRPC_CA=path/to/ca.crt \
-    defguard-gateway
-```
-
-Using configuration file
+or using the service's configuration file:
 
 ```toml
 grpc_ca = "path/to/ca.crt"
 ```
 
-## Trusted CA (eg. Let'sEncrypt or others)
+or using environment variables:
 
-Often (like in the standalone package based installation tutorial) gRPC communication can be secured by a reverse proxy (NGINX, Caddy, Traefik, etc.) that handles SSL termination. It's common to use typical trusted CA (that is used for typical HTTPS traffic) like Let'sEncrypt or others.
-
-{% hint style="danger" %}
-While this secures the transport layer and encrypts communication between Defguard components - it does not provide authorization between gRPC components like Custom CA does.
+```sh
+env DEFGUARD_GRPC_CA=path/to/ca.crt \
+    defguard-gateway
+```
 
-Thus, this type of SSL termination should only be done if you trust your network and have secured gRPC ports on firewall.
-{% endhint %}
 
-If Defguard Core or Defguard Proxy are using reverse proxy with SSL termination, then only you need to configure CA certificate paths for:
 
-* Defguard Gateway – in _gateway.toml_ add path to CA certificate file (in PEM format); for example, when using standard Let'sEncrypt installation ([Certbot](https://certbot.eff.org)), you configure the CA path like this:
-  * `grpc_ca = "/etc/letsencrypt/live/domain.name/chain.pem"`
-* Defguard Core – similarily, you need to configure Proxy CA certificate file using **DEFGUARD\_PROXY\_GRPC\_CA** environment variable:
-  * `DEFGUARD_PROXY_GRPC_CA: /etc/letsencrypt/live/domain.name/chain.pem`

deployment-strategies/reverse-proxy-configuration-using-nginx.md

@@ -1,55 +1,84 @@
-# Reverse Proxy configuration using NGINX
+# Reverse Proxy configuration using Nginx
 
 ## Introduction
 
 This guide explains how to configure [NGINX](https://nginx.org/) as a reverse proxy for Defguard's components (Core and Proxy). The reverse proxy acts as an intermediary between users and Defguard services, handling HTTPS requests, routing internal gRPC communication, and ensuring encrypted connections between all components.
 
 To provide HTTPS encryption, this guide also uses [Certbot](https://certbot.eff.org/), a free, open-source tool from the [Let’s Encrypt](https://letsencrypt.org/) project. Certbot automatically issues and renews SSL/TLS certificates, allowing you to secure your Defguard domains without manual certificate management.
 
-### Installing NGINX and Certbot
+{% hint style="info" %}
+We assume in this guide that you run your Core and Proxy services on separate servers, and you run Certbot and Nginx on each one of them.
+{% endhint %}
 
-To install and prepare NGINX with Let’s Encrypt certificates:
+## Installing Nginx and Certbot
+
+Run the followign command to install Nginx and Certbot.
 
 ```bash
 apt install nginx certbot
-systemctl enable nginx.service
-systemctl start nginx.service
 ```
 
-Disable the default configuration to avoid conflicts:
+Disable the default Nginx configuration to avoid conflicts:
 
 ```bash
 unlink /etc/nginx/sites-enabled/default
 ```
 
-### Obtaining SSL Certificates
+## Obtaining SSL certificates
+
+Use Certbot to generate SSL certificates. 
+
+For each service (Core, Proxy), run the following command on the server that your domain’s DNS records resolve to. Ensure that inbound traffic on port 80 is allowed by the firewall and that no other process is using this port.
+
+{% hint style="info" %}
+Certbot verifies domain ownership using the HTTP-01 challenge, where it temporarily serves a validation file over port 80 for the exact domain you are requesting a certificate for. 
+
+If the request fails with a timeout or connection error, Let’s Encrypt could not reach this temporary server. This usually means the DNS record for that domain does not point to the correct public IP of the machine running Certbot, port 80 is blocked (firewall or Security Group), an IPv6 (AAAA) record is published but not supported on the server, or another service is already using port 80. 
 
-Before configuring NGINX, issue valid SSL certificates for your domains.\
-In this example we use:
+Ensure the domain’s DNS resolves to this server’s public IP, inbound port 80 is open, and no other service is binding the port before trying again.
+{% endhint %}
 
-* Core: **my-server.defguard.net**
-* Enrollment (Proxy): **enroll.defguard.net**
+### Obtaining SSL certificate for Core service
 
-Generate certificates with Certbot:
+Use the following command to generate certificate with Certbot. Replace the example domain for the Core service (my-server.defguard.net) with your own.
 
 ```bash
 certbot certonly \
     --non-interactive \
     --agree-tos \
     --standalone \
     --email [email protected] \
-    -d my-server.defguard.net \
-    -d enroll.defguard.net
+    -d my-server.defguard.net
 ```
 
-Certbot will generate certificate in fullchain.pem and privkey.pem in the following paths:
+Certbot will generate certificate in fullchain.pem and privkey.pem in the following path:
 
 ```
 /etc/letsencrypt/live/my-server.defguard.net
+```
+
+### Obtaining SSL certificate for Proxy service
+
+Use the following command to generate certificate with Certbot. Replace the example domain for the Proxy service (enroll.defguard.net) with your own.
+
+```bash
+certbot certonly \
+    --non-interactive \
+    --agree-tos \
+    --standalone \
+    --email [email protected] \
+    -d enroll.defguard.net
+```
+
+Certbot will generate certificate in fullchain.pem and privkey.pem in the following path:
+
+```
 /etc/letsencrypt/live/enroll.defguard.net
 ```
 
-### Defguard Core NGINX configuration
+## Configuring and starting Nginx
+
+### Configuring and starting Nginx for Core service
 
 Create a new configuration file for the Core service:
 
@@ -104,13 +133,12 @@ server {
 }
 ```
 
-Enable the configuration and reload NGINX:
+Enable the configuration and start Nginx:
 
-```bash
-ln -s /etc/nginx/sites-available/my-server.defguard.net.conf /etc/nginx/sites-enabled/my-server.defguard.net.conf
-
-systemctl reload nginx.service
-```
+<pre class="language-bash"><code class="lang-bash"><strong>ln -s /etc/nginx/sites-available/my-server.defguard.net.conf /etc/nginx/sites-enabled/my-server.defguard.net.conf
+</strong>
+systemctl start nginx.service
+</code></pre>
 
 To verify, run:
 
@@ -124,7 +152,7 @@ alive
 If you use this simple setup and run all services on one server, you can use [NGINX access restrictions](https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-tcp/) for securing core and allowing to access the _my-server.defguard.net_ only to selected networks - blocking the direct access from the Internet.
 {% endhint %}
 
-### Defguard Proxy (Enrollment Service) NGINX configuration
+### Configuring and starting Nginx for Proxy service
 
 The Proxy service exposes APIs for enrollment, remote onboarding, and desktop client configuration.\
 Create its NGINX configuration file:
@@ -206,12 +234,12 @@ ln -s /etc/nginx/sites-available/enroll.defguard.net.conf /etc/nginx/sites-enabl
 systemctl restart nginx.service
 ```
 
-### Security Recommendations
+## Security Recommendations
 
 * Only expose **HTTPS ports (443)** for web access.
 * Do **not** expose internal **gRPC ports** (444, 50051, 50055) directly to the Internet.
 
-### Summary
+## Summary
 
 After completing the configuration: