In some environments, access to the Internet must go through a proxy. Twistlock can be configured to route requests through your proxy. Proxy settings are applied to both Console and Defender containers.
Proxy settings are configured in the UI after Console is installed. Console immediately starts using your settings after saving them. Any Defenders deployed after saving your settings will use your proxy settings. Any Defenders deployed before saving your settings must be redeployed.
Console has a number of connections that might traverse a proxy.
Retrieving Intelligence Stream updates.
Connecting to services, such as Slack and JIRA, to push alerts.
Defender has a number of connections that might traverse a proxy.
Connecting to Console. If you deploy Defenders in a remote region, they might need to connect to Console through a proxy.
Connecting to external systems, such as Docker Hub or Google Container Registry, for scanning.
Connecting to your secrets store to retrieve secrets for injection into your containers.
A number of settings let you specify how Twistlock interfaces with your proxy.
You can provide a list of addresses that Twistlock can contact directly without connecting through the proxy. Specify DNS names, IP addresses, or a combination of both. Specifying a block of IP addresses in CIDR notation is currently not supported.
Console verifies server certificates for all TLS connections. With TLS intercept proxies, the connection from Console to the Internet passes through a proxy, which may be transparent. To facilitate traffic inspection, the proxy terminates the TLS connection and establishes a new one between to the final destination.
If you have a TLS intercept proxy, it will break the Console’s ability to connect to external services, because Console won’t be able to verify the proxy’s certificate. To get Console to trust the proxy, provide the CA certificates for Console to trust.
If egress connections through your proxy require authentication, you can provide the credentials in Twistlock’s proxy settings. Twistlock supports Basic authentication for the Proxy-Authenticate challenge-response framework defined in RFC 7235. When you provide a username and password, Twistlock submits the credentials in the request’s Proxy-Authorization header.
Open Console, and go to Manage > System > Proxy.
In HTTP Proxy, enter the address of the web proxy. Specify the address in the following format: <PROTOCOL>://<IP_ADDR|DNS_NAME>:<PORT>, such as http://proxyserver.company.com:8080.
(Optional) In No Proxy, enter addresses that Twistlock can access directly without connecting to the proxy. Enter a list of individual IP addresses and fully-qualified domain names. IP blocks in CIDR notation are not supported.
(Optional) For TLS intercept proxies, enter the root trusted authority certificate, in PEM format, that Console should trust.
(Optional) If your proxy requires authentication, enter a username and password.
Click Save.
Redeploy your Defenders to propagate updated proxy settings to them.
Console does not need to be restarted. After proxy settings are saved, Console automatically uses the settings the next time it establishes a connection.
Any newly deployed Defenders will use your proxy settings.
Any already deployed Defenders must be redeployed. For single Container Defenders, uninstall then reinstall. For Defender DaemonSets, regenerate the DaemonSet YAML, then redeploy.
$ kubectl apply -f defender.yaml