Enable HTTP Proxy for Agents
You can configure the agent to communicate with the Sysdig collector through an HTTP proxy. An HTTP proxy is usually configured to offer greater visibility and better management of the network.
The agent can connect to the collector through an HTTP proxy by sending an HTTP CONNECT message and receiving a response. The proxy then initiates a TCP connection to the collector. These two connections form a tunnel that acts like one logical connection.
By default, the agent will encrypt all messages sent through this tunnel. This means that after the initial CONNECT message and response, all the communication on that tunnel is encrypted by SSL end-to-end. This encryption is controlled by the top-level ssl parameter in the
Optionally, the agent can add a second layer of encryption, securing the CONNECT message and response. This second layer of encryption may be desired in the case of HTTP authentication if there is a concern that network packet sniffing could be used to determine the user’s credentials. This second layer of encryption is enabled by setting the ssl parameter to true in the http_proxy section of the agent
You specify the following parameters at the same level as
dragent.yaml file. These existing configuration options affect
the communication between the agent and collector (both with and without
ssl: If set to true, the metrics sent from the agent to the collector are encrypted.
ssl_verify_certificate: Determines whether the agent verifies the SSL certificate sent from the collector.
The following configuration options affect the behavior of the HTTP Proxy setting. You specify them under the http_proxy heading in the
proxy_host: Indicates the hostname of the proxy server. The default is an empty string, which implies communication through an HTTP proxy is disabled.
proxy_port: Specifies the port on the proxy server the agent should connect to. The default is 0, which indicates that the HTTP proxy is disabled.
proxy_user: Required if HTTP authentication is configured. This option specifies the username for the HTTP authentication. The default is an empty string, which indicates that authentication is not configured.
proxy_password: Required if HTTP authentication is configured. This option specifies the password for the HTTP authentication. The default is an empty string. Specifying
ssl: If set to true, the connection between the agent and the proxy server is encrypted.
Note that this parameter requires the top-level ssl parameter to be enabled, as the agent does not support SSL to the proxy but unencrypted traffic to the collector. This additional security prevents you from misconfiguring the agent on the assumption that the metrics are encrypted end-to-end when they are not.
ssl_verify_certificate: Determines whether the agent will verify the certificate presented by the proxy.
This option is configured independently of the top-level ssl_verify_certificate parameter. This option is enabled by default. If the provided certificate is not correct, this option can cause the connection to the proxy server to fail.
ca_certificate: The path to the CA certificate for the proxy server. If ssl_verify_certificate is enabled, the CA certificate must be signed appropriately.
The following example shows no SSL connection between the agent and the proxy server as well as between the proxy server and the collector.
collector_port: 6667
ssl: false
http_proxy:
  proxy_host: squid.yourdomain.com
  proxy_port: 3128
  ssl: false
SSL Between Proxy and Collector
In this example, SSL is enabled only between the proxy server and the collector.
collector_port: 6443
ssl: true
ssl_verify_certificate: true
http_proxy:
  proxy_host: squid.yourdomain.com
  proxy_port: 3128
In the following example, SSL is enabled between the agent and the proxy server as well as between the proxy server and the collector.
collector_port: 6443
ssl: true
http_proxy:
  proxy_host: squid.yourdomain.com
  proxy_port: 3129
  ssl: true
  ssl_verify_certificate: true
  ca_certificate: /usr/proxy/proxy.crt
SSL with Username and Password
The following configuration instructs the agent to connect to a proxy server located at squid.yourdomain.com on port 3128. The agent will request the proxy server to establish an HTTP tunnel to the Sysdig collector-your.sysdigcloud.com on port 6443. The agent will authenticate with the proxy server using the given user and
collector: collector-your.sysdigcloud.com
collector_port: 6443
http_proxy:
  proxy_host: squid.yourdomain.com
  proxy_port: 3128
  proxy_user: sysdig_customer
  proxy_password: 12345
  ssl: true
  ssl_verify_certificate: true
  ca_certificate: /usr/proxy/proxy_cert.crt
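The parameter rules above can be checked mechanically before an agent configuration is rolled out. The following Python linter is an added example, not Sysdig code: it assumes dragent.yaml has already been parsed into a dict, and the function name, finding strings and sample configurations are constructed for illustration. Treating an omitted top-level ssl as enabled is an assumption based on the page's statement that the agent encrypts the tunnel by default.

```python
# Added example (not Sysdig code): lint the ssl/http_proxy settings of a
# dragent.yaml that has already been parsed into a dict.
def lint_proxy_config(cfg):
    """Return a list of findings based on the rules stated on this page."""
    findings = []
    proxy = cfg.get("http_proxy") or {}
    top_ssl = cfg.get("ssl", True)       # assumption: tunnel is encrypted by default
    host = proxy.get("proxy_host", "")   # default "" means the proxy is disabled
    port = proxy.get("proxy_port", 0)    # default 0 means the proxy is disabled
    user = proxy.get("proxy_user", "")
    password = proxy.get("proxy_password", "")
    proxy_ssl = proxy.get("ssl", False)  # second layer must be switched on explicitly

    if not top_ssl:
        findings.append("top-level ssl is false: agent-to-collector traffic is unencrypted")
    if cfg.get("ssl_verify_certificate") is False:
        findings.append("collector certificate is not verified")
    if bool(host) != bool(port):
        findings.append("proxy_host and proxy_port must both be set")
    if not (host and port):
        return findings                  # proxy disabled, remaining checks do not apply
    if proxy_ssl and not top_ssl:
        findings.append("http_proxy.ssl requires top-level ssl")
    if bool(user) != bool(password):
        findings.append("proxy_user and proxy_password must be set together")
    if (user or password) and not proxy_ssl:
        findings.append("proxy credentials cross the network in an unencrypted CONNECT")
    if proxy_ssl and proxy.get("ssl_verify_certificate", True) is False:
        findings.append("proxy certificate is not verified")
    return findings

# Constructed sample inputs; the first and last mirror examples on this page.
PROXY = {"proxy_host": "squid.yourdomain.com", "proxy_port": 3128}
NO_SSL = {"collector_port": 6667, "ssl": False, "http_proxy": {**PROXY, "ssl": False}}
AUTH_PLAIN_CONNECT = {"ssl": True, "http_proxy": {
    **PROXY, "proxy_user": "sysdig_customer", "proxy_password": 12345}}
PROXY_SSL_ONLY = {"ssl": False, "http_proxy": {**PROXY, "ssl": True}}
AUTH_OVER_SSL = {"collector_port": 6443, "http_proxy": {
    **PROXY, "proxy_user": "sysdig_customer", "proxy_password": 12345,
    "ssl": True, "ssl_verify_certificate": True,
    "ca_certificate": "/usr/proxy/proxy_cert.crt"}}

if __name__ == "__main__":
    for name in ("NO_SSL", "AUTH_PLAIN_CONNECT", "PROXY_SSL_ONLY", "AUTH_OVER_SSL"):
        print(name, lint_proxy_config(globals()[name]))
```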