Duo Network Gateway & Kubernetes?


#1

I’m currently using DAG for securing applications in my environment, and am interested in the Duo Network Gateway but the documentation is a little hard to parse and I have a special case in which I’m using it.

I have re-written the docker-compose files as Kubernetes services and deployments but have run into a few issues. Even if this wasn’t a Kubernetes deployment, I still believe I would have similar questions to the below.

DNG is 3 containers: admin, portal, and a Redis container. The admin was the easy one; that’s the site where the config is done. I ended up pointing Redis at an AWS ElastiCache because the .rdb file was being overwritten every time I re-launched a new pod. That leads me to my final problem.

What is the “portal” pod for? It’s given me some errors that the Nginx service isn’t able to start, and it doesn’t seem to be listening on any port (HTTP? HTTPS?). It seems the admin port is the only one listening.


#2

Hi seth.

The “portal” container is how end users access the Duo Network Gateway (it handles the redirect to the SAML IdP for primary auth, etc.). It should be listening on 80 and 443, while “Admin” listens on 8443.


#3

@DuoKristina Hi, is it possible to have the portal container not listen on port 80 and just 443? We are trying to avoid opening port 80 if it can be avoided.

We have been able to configure the admin site, set the password, upload certificates, etc., but we are unable to get NGINX working as a reverse proxy.

We mount the /opt/duo/chroot/nginx/certs directory from the admin container onto the host and then point to those certs in the NGINX conf file.

Is this the correct way to get NGINX working?


#4

Hey there @anshuman_bh,

You do not have to open port 80 for the Duo Network Gateway to work, but port 80 is a requirement to use Let’s Encrypt because of the way it does verification. Having port 80 open also has the added benefit of automatically redirecting users that don’t type “https://” to https.

You shouldn’t need to mount any directories or do any additional Docker work regarding the certificates. They should be uploaded via the Admin UI.

What is the issue that you’re trying to solve with mounting the directories?


#5

We are trying to mount the directories so that we can reuse the redis.rdb file and the NGINX certs that we upload via the UI for future redeployments, so that we don’t have to go through the manual steps again. I think it’s working now.


#6

Hey @anshuman_bh,

Within the last few weeks we actually just released an update to the Duo Network Gateway which allows you to do scripted backup and restore. This way you can use the CLI to back up and restore your Duo Network Gateway without needing to go to the Admin UI.