Wazuh-manager outbound HTTP proxy, how to?

[GliderSnipping]

Is it possible to configure an outbound proxy for the Wazuh-manager?

The wazuh-manager seemingly only connects to the internet for the vulnerability manager, but I'm unsure where to put the environment variables, or could they be configured through the web-app somehow?

[Manuel Pedro Gomez Castro]

Hello! Thank you for reaching out to us!

There are several workarounds that can be used to force the Wazuh Manager to use a proxy, although none make use of the web-app

You could use the Offline Update feature, by downloading vulnerability feeds yourself the manager will be able to be updated using those files, you can read more about it in our documentation https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/offline-update.html

Another alternative would be to modify the environment directly from the manager service file. By editting the file in /etc/systemd/system/wazuh-manager.service you may set a proxy url
As an example

[Service]

Type=forking

EnvironmentFile=/etc/ossec-init.conf

Environment="https_proxy=http://<IP:port>"

Environment="http_proxy="http://<IP:port>"

LimitNOFILE=65536

Lastly, since the requests are made based on the curl package, you could set up environment variables to force a proxy connection as described in this article https://medium.com/@johan.ekenlycka/setting-up-wazuh-behind-a-proxy-64b31ef3ac2d
But this last method hasn't been tested by the Wazuh team directly

I hope this helps!

[GliderSnipping]

That seems to have worked. I didn't find the `wazuh-manager.service` file in `/etc/systemd/system/`, rather in `/usr/lib/systemd/system`.

I expect the default systemd unit to change, so I made a folder, `wazuh-manager.service.d`, and placed my overrides there.

All in all, thank you Manuel!