
Add an NGINX reverse proxy to have a unique ip for registration and reporting. #966

Closed
wants to merge 2 commits into from

Conversation


@zakkg3 zakkg3 commented Jan 24, 2025

Fixes #308, #547 and #961.

The problem is:

The deployments expose the master service on port 1515 for registration and the workers on port 1514 for agent events:

Workers svc (let's say IP 1.1.1.1):

    - name: agents-events
      port: 1514
      targetPort: 1514

Master svc (let's say IP 2.2.2.2):

    - name: registration
      port: 1515
      targetPort: 1515

So far so good. The problem is that an agent with this configuration:

    <client>
      <server>
        <address>1.1.1.1</address>
        <port>1514</port>
        <protocol>tcp</protocol>
      </server>
    ...
      <enrollment>
        <enabled>yes</enabled>
        <manager_address>2.2.2.2</manager_address>
    ...
      </enrollment>
    </client>

ends up trying to connect to 1.1.1.1:1515, so it tries the agent IP with the master port:

    wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[1.1.1.1]:1515'

Even with a failover config, i.e. multiple server blocks with the respective port configured (1414 for the worker IP svc and 1515 for the master)...

    <server>
      <address>1.1.1.1</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <server>
      <address>2.2.2.2</address>
      <port>1515</port>
      <protocol>tcp</protocol>
    </server>

The client tries to enroll with the first client defined (1.1.1.1) on port 1515, even when this client block has only port 1414 configured. It ends up failing over to the workers to register and vice versa for reporting. So this is not ideal.

I've also modified the worker svc to expose 1515 and configured the agent to use just the worker IP (no enrollment configuration). They can register and report, all good. But it leads to other problems...

I've also found a comment where it modifies the master to also expose 1414 and uses that IP for all agent communications, but I believe this is not the idea of master/worker.

The problem is that this leads to other issues: the source IPs are the Kubernetes nodes. I believe the worker is forwarding to the master, and after k8s SNAT the outgoing IP is the node IP, which messes things up.
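As an added example, not one of the PR's own manifests: an NGINX stream configuration that does the port-based routing the description asks for, so the agent configures a single address for both `<server>` and `<manager_address>`. It assumes the in-cluster DNS names `wazuh-master-svc` and `wazuh-workers-svc` in a `wazuh` namespace (the namespace and the kube-dns address are assumptions) and that the backing Services can then stay `ClusterIP`, as the comment below suggests.

```nginx
# Added example (not from the wazuh-kubernetes repo): one front IP for agents,
# routed by destination port to the right Wazuh component.
worker_processes auto;
events { worker_connections 4096; }

stream {
    # Re-resolve service names at runtime so a ClusterIP change does not
    # require a reload. Address of the cluster resolver is an assumption.
    resolver kube-dns.kube-system.svc.cluster.local valid=10s;

    # Destination port on the proxy decides the backend:
    #   1515 -> enrollment (authd), which only the master runs
    #   1514 -> agent events, handled by the workers
    map $server_port $wazuh_backend {
        1515 wazuh-master-svc.wazuh.svc.cluster.local:1515;
        1514 wazuh-workers-svc.wazuh.svc.cluster.local:1514;
    }

    # Log which agent hit which port and where it was sent, so a misrouted
    # enrollment like the (1208) error in the description is visible here.
    log_format agents '$remote_addr -> :$server_port upstream=$upstream_addr '
                      'in=$bytes_received out=$bytes_sent status=$status';
    access_log /dev/stdout agents;

    server {
        listen 1514;
        listen 1515;
        proxy_pass $wazuh_backend;
        proxy_connect_timeout 5s;
        # Agent connections are long-lived; keep idle sessions open.
        proxy_timeout 10m;
    }
}
```

The manager will see the proxy pod's address as the agent source IP, the same class of issue the description raises about node SNAT, so the proxy's own access log becomes the place where agent source addresses are recorded.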

@zakkg3 zakkg3 changed the title Adds an NGINX reverse proxy to have a unique ip for registration and reporting. Add an NGINX reverse proxy to have a unique ip for registration and reporting. Jan 24, 2025
@lgromanowski

+1 for adding this. Also, with nginx service router, wazuh-master-svc (wazuh) & wazuh-workers-svc (wazuh-manager) don't need to be exposed and they can be changed from LoadBalancer to ClusterIP.

@c-bordon c-bordon deleted the branch wazuh:master February 11, 2025 15:55
@c-bordon c-bordon closed this Feb 11, 2025