Agents without Internet access

Even if an agent does not have Internet access, ThreatLockDown provides different approaches to securely connect your private network to your environment:

Using a forwarding proxy

It is possible to access your environment using an NGINX forwarding proxy.

Using an NGINX forwarding proxy

To achieve this configuration, follow these steps:

  1. Deploy a new instance in a public subnet with internet access.

  2. Install NGINX on your instance following the NGINX documentation.

  3. Configure NGINX.

    1. Add the following lines to the HTTP section in your NGINX configuration, located in the /etc/nginx/nginx.conf file. This configuration enables Nginx to extract and use the real client IP address from the X-Forwarded-For header and sets restrictions on which real IP addresses are accepted as valid.

      http{
      ...
      real_ip_header X-Forwarded-For;
      set_real_ip_from nginx_ip;
         }
      
    2. Add the following block to the end of the NGINX configuration file /etc/nginx/nginx.conf and replace <CLOUD_ID> with the Cloud ID of your environment. This configuration enables stream proxying, where incoming traffic on specific ports is forwarded to the corresponding upstream servers (master or mycluster). This is based on the port numbers, 1515 and 1514 specified in the listen directive.

      stream {
        upstream master {
          server <CLOUD_ID>.cloud.wazuh.com:1515;
        }
        upstream mycluster {
          server <CLOUD_ID>.cloud.wazuh.com:1514;
          }
        server {
          listen nginx_ip:1515;
          proxy_pass master;
        }
        server {
          listen nginx_ip:1514;
          proxy_pass mycluster;
        }
      }
      
    3. Run the command to restart NGINX: systemctl restart nginx.

    4. Enroll your agent with the IP address of the NGINX instance. To learn more about registering agents, see the Enroll agents section.

      Example:

      WAZUH_MANAGER_IP=<NGINX_IP> WAZUH_PROTOCOL="tcp" \
      WAZUH_PASSWORD="<PASSWORD>" \
      yum install wazuh-agent
      

      Replace <PASSWORD> with your ThreatLockDown server enrollment password.