Proxy support in On-Premises installations

This article has been moved. 

Please see:
https://sysdigdocs.atlassian.net/wiki/spaces/Platform/pages/227573777/Pre-Install+Consider+Architecture+Sizing+Requirements

 

Deprecated

Summary

In release #760 and newer of the Sysdig platform back-end, outgoing HTTP/HTTPS connections can be configured to go through a proxy. This has been tested for the outgoing web connections required by the following features:

  • Notification Channels
    • PagerDuty
    • Slack
    • Amazon SNS
    • VictorOps
    • OpsGenie
    • WebHook
  • Gathering of AWS CloudWatch data
  • Capture storage to an AWS S3 bucket

Proxied web connectivity to support authentication mechanisms (SAML, OpenID Connect, OAuth) is not supported at this time.

Configuration

The proxy settings are configured via the JVM options passed to the Sysdig software components. If you already have JVM options configured, append these to your existing settings.

In a Replicated on-premises install, the JVM settings are in the admin console under the Settings tab. At the bottom of the screen, check the Show Advanced Settings box to reveal the configuration option.

In a K8S-based on-premises install, set the sysdigcloud.jvm.options in the config.yaml used to set the ConfigMap:

# Optional: Sysdig Cloud application JVM options. For heavy load environments you'll need to tweak 
# the memory or garbage collection settings
sysdigcloud.jvm.options: ""

 

The following example JVM options string forwards all HTTP and HTTPS traffic via outgoing port 8888 on a proxy at hostname proxy.example.com. An IP address may be specified instead of a hostname.

-Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=8888 -Dhttps.proxyPort=8888 -Dhttps.proxyHost=proxy.example.com

 

Exclusions

By default, HTTP/HTTPS requests to localhost or 127.0.0.1 will not be directed by the back-end toward any configured proxy, which is necessary for the functioning of some web components internal to the Sysdig platform containers.

Additionally, if you deploy your Sysdig platform in Amazon Web Services (AWS), the back-end will occasionally make HTTP requests to a special instance metadata address 169.254.169.254. If you configure a proxyHost as described in this article, these requests would also be directed via the proxy, which would be undesirable. In a future release of the Sysdig platform back-end, this IP address will be excluded from proxying by default. In the interim, you can work around the issue by appending another JVM option:

-Dhttp.nonProxyHosts=169.254.169.254

If you have additional proxy exclusions you wish to specify that are unique to your environment, these can also be added using the pipe separator. For example, assume your deployment was in AWS and you also had a webhook target 192.168.1.2 that was not reachable via your proxy. To exclude both, in a Replicated configuration, your complete string to enter into the console for Sysdig Cloud application JVM options would be:

-Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=8888 -Dhttps.proxyPort=8888 -Dhttps.proxyHost=proxy.example.com -Dhttp.nonProxyHosts=169.254.169.254|192.168.1.2

In a K8S-based install, when setting the sysdigcloud.jvm.options in the config.yaml for the ConfigMap, the pipe separator must be double-escaped, such as:

# Optional: Sysdig Cloud application JVM options. For heavy load environments you'll need to tweak 
# the memory or garbage collection settings
  sysdigcloud.jvm.options: "-Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=8888 -Dhttps.proxyPort=8888 -Dhttps.proxyHost=proxy.example.com -Dhttp.nonProxyHosts=169.254.169.254\\|192.168.1.2"
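
A pre-deployment check for the options string described above, as an added example that is not Sysdig's own code: it parses the -D properties, reports a proxy configured without the 169.254.169.254 exclusion, and renders the double-escaped value for config.yaml. The function names are hypothetical, and the check assumes proxyHost and proxyPort are always given as a pair, as in this article's examples.

```python
METADATA_ADDR = "169.254.169.254"  # AWS instance metadata address named in the article

def parse_jvm_options(options):
    """Return the -Dkey=value system properties of a JVM options string as a dict."""
    props = {}
    for token in options.split():
        if token.startswith("-D") and "=" in token:
            key, value = token[2:].split("=", 1)
            props[key] = value
    return props

def lint_proxy_options(options, on_aws=True):
    """Return a list of findings for the proxy settings; empty means none found."""
    props = parse_jvm_options(options)
    findings = []
    for scheme in ("http", "https"):
        host = props.get(scheme + ".proxyHost")
        port = props.get(scheme + ".proxyPort")
        if bool(host) != bool(port):  # assumption: host and port come as a pair
            findings.append(scheme + ": proxyHost and proxyPort are not both set")
        elif port and not (port.isdigit() and 0 < int(port) < 65536):
            findings.append(scheme + ": proxyPort " + port + " is not a valid port")
    proxied = any(props.get(s + ".proxyHost") for s in ("http", "https"))
    excluded = [h for h in props.get("http.nonProxyHosts", "").split("|") if h]
    if proxied and on_aws and METADATA_ADDR not in excluded:
        findings.append(METADATA_ADDR + " is not in http.nonProxyHosts, so instance "
                        "metadata requests would be sent to the proxy")
    return findings

def to_configmap_value(options):
    """Render the string for config.yaml, double-escaping the pipe separator."""
    return options.replace("|", "\\\\|")

if __name__ == "__main__":
    # Constructed sample: the article's proxy string without any exclusions.
    sample = ("-Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=8888 "
              "-Dhttps.proxyPort=8888 -Dhttps.proxyHost=proxy.example.com")
    for finding in lint_proxy_options(sample):
        print("WARNING:", finding)
    fixed = sample + " -Dhttp.nonProxyHosts=" + METADATA_ADDR + "|192.168.1.2"
    assert lint_proxy_options(fixed) == []
    print('sysdigcloud.jvm.options: "' + to_configmap_value(fixed) + '"')
```

Pass on_aws=False for deployments outside AWS, where the metadata exclusion does not apply.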

 
