
External Proxy

About

If your network configuration restricts outbound traffic from the hosts where you have installed the collectors, you can route all collector traffic through a proxy. For instance, you may set up haproxy on another host and route all collector traffic through that instance of haproxy.

Note that this proxy method only works for collectors running in the default sp_collector mode.

Instructions for setting up haproxy follow below.

Instructions

Assume you have haproxy installed on another host, which we will call my.haproxy.internal for the purpose of these instructions. Configure your /etc/haproxy/haproxy.cfg as follows, making sure to provide the ${AOC_HOST} value as instructed:

# Basic configuration
global
    log 127.0.0.1 local0
    maxconn 4096
    stats socket /tmp/haproxy

# Some sane defaults
defaults
    log     global
    option  dontlognull
    retries 3
    option  redispatch
    timeout client 5s
    timeout server 5s
    timeout connect 5s

# This declares a view into HAProxy statistics, on port 3835.
# No credentials are required to view this page and it listens
# on all interfaces; you can turn it off once you are done with setup.
listen stats
    bind *:3835
    mode http
    stats enable
    stats uri /

# Collectors will connect at the below endpoints.
frontend forwarder
    bind *:443 # DTDG
    mode tcp
    default_backend aoc-stats

# Any TCP request coming to the forwarder or watcher frontend defined above
# will be proxied to the AOC backends below.
# Replace ${AOC_HOST} with your AOC endpoint.

backend aoc-stats
    balance roundrobin
    mode tcp
    option tcplog
    server mothership ${AOC_HOST}:443 check port 443

Now, restart haproxy with sudo service haproxy restart.

Next, when installing your collectors, pass in my.haproxy.internal for your EPOCH_AOC_HOST variable. For example:

docker run -td \
       --name=epoch_collectors \
       --net=host \
       -v /var/run/docker.sock:/var/run/docker.sock:ro \
       -v /proc/:/host/proc/:ro \
       -v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
       --cap-add=NET_RAW \
       --cap-add=NET_ADMIN \
       -e EPOCH_AOC_HOST=my.haproxy.internal \
       -e DEPLOY_ENV="docker" \
       -e SD_BACKEND="docker" \
       gcr.io/nutanix-epoch/collectors:latest

That's it! The collectors should now be talking to the AOC through haproxy.
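
A pre-restart check for the haproxy.cfg above, as an added example that is not part of the original page or the product's own tooling: it flags a stats page reachable without credentials on a non-loopback address and a server line where ${AOC_HOST} was never replaced. The function names, finding strings and SAMPLE_CFG are constructed for illustration.

```python
import re

# Constructed sample modeled on the page's stats listener and backend,
# with ${AOC_HOST} still unreplaced.
SAMPLE_CFG = """\
listen stats
    bind *:3835
    mode http
    stats enable
    stats uri /

backend aoc-stats
    mode tcp
    server mothership ${AOC_HOST}:443 check port 443
"""

SECTION = re.compile(r"^(global|defaults|listen|frontend|backend)\b")
LOOPBACK = ("127.", "localhost", "[::1]", "::1")

def parse_sections(text):
    """Split haproxy.cfg text into (header, [directives]) pairs, dropping comments."""
    sections = []
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # strip comment, squeeze spaces
        if not line:
            continue
        if SECTION.match(line):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections

def audit(text):
    """Return sorted findings: open stats pages and unreplaced ${...} server hosts."""
    findings = set()
    for header, body in parse_sections(text):
        words = header.split()
        name = words[1] if len(words) > 1 else words[0]
        # Listening addresses: bind lines plus the inline form `listen stats :3835`.
        addrs = [l.split()[1] for l in body if l.startswith("bind ")]
        if words[0] == "listen" and len(words) > 2:
            addrs.append(words[2])
        exposed = [a for a in addrs if not a.startswith(LOOPBACK)]
        has_auth = any(l.startswith("stats auth ") for l in body)
        if "stats enable" in body and exposed and not has_auth:
            findings.add(f"{name}: unauthenticated stats page on {','.join(exposed)}")
        for l in body:
            if l.startswith("server ") and "${" in l:
                findings.add(f"{name}: unsubstituted placeholder in '{l}'")
    return sorted(findings)
```

Call audit() on the contents of /etc/haproxy/haproxy.cfg; an empty list means neither issue was found.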