Hi there. I am currently working on deploying Elastic Agent in our environment, where Elastic Agent hosts and Elastic Stack servers can be assumed to be directly accessible from each other, but internet access requires a proxy. Therefore, my proxy settings need to be as follows:
- Agent-to-Artifacts repo: Internet gateway proxy
- Agent-to-Elasticsearch: No proxy
- Agent-to-Fleet server: No proxy
- Kibana to Elastic Package Registry: Internet gateway proxy
- Fleet server-to-Elasticsearch: No proxy
I am currently trying to figure out how to configure this setup, if it is at all possible. Simply specifying the xpack.fleet.registryProxyUrl setting does not account for the agents, who still try to download packages directly from the internet.
My current understanding is that per-policy proxy setting is not yet available, and the settings for different proxy types are set up as follows:
- Agent-to-Artifacts repo: Global proxy settings only (HTTP_PROXY environment variable or proxy_url/proxy_disable in standalone agent policy)
- Agent-to-Elasticsearch: Agent policy -> proxy_url / proxy_disable
- Agent-to-Fleet server: Agent enroll/install options -> --proxy-url / --proxy-disabled
- Kibana to Elastic Package Registry: kibana.yml -> xpack.fleet.registryProxyUrl
- Fleet server-to-Elasticsearch: presumably same as agent-to-elasticsearch
I am a bit confused about which proxy settings, if any, supersede which. I was thinking that maybe I could set up the proxy for artifacts access in HTTP_PROXY, EPR proxy in xpack.fleet.registryProxyUrl, and explicitly disable it in all other places, but the wording for --proxy-disabled and proxy_disable suggests that it disables HTTP_PROXY as well - in this case my intended setup does not seem to be possible.
What do you think? Am I perhaps better off setting up an internal artifacts registry? I would like to avoid that if possible, as that would give us an extra endpoint to manage, compared to using a proxy server that we already have.