Hii
Since a week now we struggle to setup the docker version of Wazuh, especialy all its ports behind Traefik.
The dashboard was simple enough but exposing the remaining ports for the indexer and manager...not so.
Since our eyes are burning from reading forums and figuring out the documentations i kindly must ask the community here if ANYONE managed to setup Wazuh, with traefik?
I would greatly appreciate if i could have a copy of your working:
- wazuh docker-compose.yml
- Traefik: Dynamic & Static configuration files
- and any information that could help us solve this.
So far our wazuh docker-compose.yml looks like this:
version: '3.7'
services:
wazuh.manager:
image: wazuh/wazuh-manager:4.7.1
hostname: wazuh.manager
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 655360
hard: 655360
networks:
- proxy
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=uxxxDb%!
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
labels:
- traefik.enable=true
- traefik.http.routers.wz514.rule=Host(`wazuh.xxx.webredirect.org`)
- traefik.http.routers.wz514.entrypoints=ep1
- traefik.http.routers.wz514.service=svc_wz514
- traefik.http.services.wz514.loadbalancer.server.port=514
- traefik.http.routers.wz1514.rule=Host(`wazuh.xxx.webredirect.org`)
- traefik.http.routers.wz1514.entrypoints=ep2
- traefik.http.routers.wz1514.service=svc_wz1514
- traefik.http.services.wz1514.loadbalancer.server.port=1514
- traefik.http.routers.wz1515.rule=Host(`wazuh.xxx.webredirect.org`)
- traefik.http.routers.wz1515.entrypoints=ep3
- traefik.http.routers.wz1515.service=svc_wz1515
- traefik.http.services.wz1515.loadbalancer.server.port=1515
- traefik.http.routers.wz55000.rule=Host(`wazuh.xxx.webredirect.org`)
- traefik.http.routers.wz55000.entrypoints=ep4
- traefik.http.routers.wz55000.service=svc_wz55000
- traefik.http.services.wz55000.loadbalancer.server.port=55000
wazuh.indexer:
image: wazuh/wazuh-indexer:4.7.1
hostname: wazuh.indexer
restart: always
networks:
- proxy
ports:
- "9200:9200"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- wazuh-indexer-data:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
- ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
- ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
- ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
labels:
- traefik.enable=true
- traefik.http.routers.wazuhindexer.rule=Host(`wazuh.xxx.webredirect.org`)
- traefik.http.services.wazuhindexer.loadbalancer.server.port=9200
- traefik.http.routers.wazuhindexer.tls.certresolver=letsencrypt
- traefik.http.routers.wazuhindexer.tls.domains[0].main=wazuh.xxx.webredirect.org
- traefik.http.routers.wazuhindexer.tls.domains[0].sans=*.wazuh.xxx.webredirect.org
wazuh.dashboard:
image: wazuh/wazuh-dashboard:4.7.1
hostname: wazuh.dashboard
restart: always
networks:
- proxy
ports:
- 5601:5601
environment:
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=uM0cxxxj7Db%!
- WAZUH_API_URL=https://wazuh.manager
- DASHBOARD_USERNAME=kibanaserver
- DASHBOARD_PASSWORD=kibanaserver
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
- ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
- wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
- wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
depends_on:
- wazuh.indexer
links:
- wazuh.indexer:wazuh.indexer
- wazuh.manager:wazuh.manager
labels:
- traefik.enable=true
- traefik.http.routers.wazuhdash.rule=Host(`wazuh.xxx.webredirect.org`)
- traefik.http.services.wazuhdash.loadbalancer.server.port=5601
- traefik.http.routers.wazuhdash.tls.certresolver=letsencrypt
- traefik.http.routers.wazuhdash.tls.domains[0].main=wazuh.xxx.webredirect.org
- traefik.http.routers.wazuhdash.tls.domains[0].sans=*.wazuh.xxx.webredirect.org
volumes:
wazuh_api_configuration:
wazuh_etc:
wazuh_logs:
wazuh_queue:
wazuh_var_multigroups:
wazuh_integrations:
wazuh_active_response:
wazuh_agentless:
wazuh_wodles:
filebeat_etc:
filebeat_var:
wazuh-indexer-data:
wazuh-dashboard-config:
wazuh-dashboard-custom:
networks:
proxy:
external: true
The static configuration for traefik is:
api:
insecure: true
providers:
docker:
exposedbydefault: false
network: proxy
file:
filename: /etc/traefik/config.yml
watch: true
entryPoints:
web:
address: ":80"
http:
redirections:
entrypoint:
to: websecure
scheme: https
middlewares:
- crowdsec-bouncer@file
websecure:
address: ":443"
http:
middlewares:
- crowdsec-bouncer@file
tls:
certResolver: letsencrypt
domains:
- main: xxx.webredirect.org
sans:
- '*.xxx.webredirect.org'
ping: true
certificatesResolvers:
letsencrypt:
acme:
email: xxx@protonmail.com
storage: /letsencrypt/acme.json
dnsChallenge:
provider: dynu
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
log:
level: "INFO"
filePath: "/var/log/traefik/traefik.log"
accessLog:
filePath: "/var/log/traefik/access.log"
The dynamic configuration - config.yml
http:
middlewares:
crowdsec-bouncer:
forwardauth:
address: http://bouncer-traefik:8080/api/v1/forwardAuth
trustForwardHeader: true
routers:
wazuh-manager:
rule: "Host(`wazuh.otthon.webredirect.org`)"
service: wazuhmanager
services:
wazuhmanager:
loadbalancer:
serversTransport: wazuhtransport
servers:
- url: "https://192.168.0.219:5601"
serversTransports:
wazuhtransport:
insecureSkipVerify: true
Please help us to figure out how to route incoming traffic to the ports and services, on 514,1514,1515,9200 and 55000 for the domain. TY