Configuring Elastic Agent to access artifacts repository via proxy

Hi there. I am currently working on deploying Elastic Agent in our environment, where Elastic Agent hosts and Elastic Stack servers can be assumed to be directly accessible from each other, but internet access requires a proxy. Therefore, my proxy settings need to be as follows:

  • Agent-to-Artifacts repo: Internet gateway proxy
  • Agent-to-Elasticsearch: No proxy
  • Agent-to-Fleet server: No proxy
  • Kibana to Elastic Package Registry: Internet gateway proxy
  • Fleet server-to-Elasticsearch: No proxy

I am currently trying to figure out how to configure this setup, if it is at all possible. Simply specifying the xpack.fleet.registryProxyUrl setting does not account for the agents, who still try to download packages directly from the internet.

My current understanding is that per-policy proxy setting is not yet available, and the settings for different proxy types are set up as follows:

I am a bit confused about which proxy settings, if any, supersede which. I was thinking that maybe I could set up the proxy for artifacts access in HTTP_PROXY, EPR proxy in xpack.fleet.registryProxyUrl, and explicitly disable it in all other places, but the wording for --proxy-disabled and proxy_disable suggests that it disables HTTP_PROXY as well - in this case my intended setup does not seem to be possible.

What do you think? Am I perhaps better off setting up an internal artifacts registry? I would like to avoid that if possible, as that would give us an extra endpoint to manage, compared to using a proxy server that we already have.

Hi,

It may be easiest to set up an internal artifacts registry.
We have an open issue in our documentation to clear this up: [Request] Fix and enhance several issues with the Fleet/Agent proxy doc · Issue #2160 · elastic/observability-docs · GitHub

We are working to develop a way to set up proxies on a per-policy basis. That would give you control over your data plane (agent->elasticsearch) & control plane (agent->fleet server) traffic to go over a proxy. This, however, is not what you want.

We recently introduced a way for the user to define an alternate HTTP server to host the artifacts. That is what Michel is referring to. The easiest solution would be to set up an artifacts repo locally, or set the proxy to be a forward proxy and use this facility to point to that proxy. Requests from the agent should then be forwarded to the artifactory via the proxy you configure.
