Deployment Overview of Wazuh on Server¶

Prerequisites and Basic Requirements¶

The server must meet the following criteria to successfully host the Wazuh application:

Operating System: Ubuntu (supported for APT package management).
Privileges: Root access is required to install Docker, execute installation scripts, and configure system services.
Domain: The deployment is configured for the hostkey.in domain.
Ports:
Internal application port: 8080.
External HTTPS port: 443.
Network: Docker service must be installed and running.

The application is accessible via the following Fully Qualified Domain Name (FQDN): wazuh<Server ID>.hostkey.in

The service listens on port 443 for external connections, routed through the Nginx proxy.

The following directories and files constitute the core structure of the installation:

Main Data Directory: /opt/wazuh
Contains the installation script wazuh-install.sh.
Contains the configuration file config.yml.
Contains the generated configuration archive wazuh-install-files.tar.
Contains the credentials file password (stores the admin username and password).
Nginx Configuration:
Proxy container configuration: /root/nginx/compose.yml.
SSL certificates and secrets: /etc/letsencrypt (mounted volume).
User-specific Nginx configuration: /data/nginx/user_conf.d/wazuh<Server ID>.hostkey.in.conf.
System Package Lists:
Wazuh repository list: /etc/apt/sources.list.d/wazuh.list.

The application is deployed using the official Wazuh installation script provided by the developer. The process follows these sequential steps:

Environment Preparation:
APT packages are updated and upgraded.
The directory /opt/wazuh is created.
Script and Configuration Setup:
The installation script wazuh-install.sh is downloaded from https://packages.wazuh.com/4.11/wazuh-install.sh to /opt/wazuh.
A config.yml file is placed in /opt/wazuh to define the deployment parameters.
Configuration files are generated by executing:
```
./wazuh-install.sh --generate-config-files
```
Component Installation:

Wazuh Indexer: Installed using the command:

./wazuh-install.sh --wazuh-indexer node-1

Indexer Cluster: Started using the command:
```
./wazuh-install.sh --start-cluster
```

Wazuh Server: Installed using the command:

./wazuh-install.sh --wazuh-server wazuh-1

Wazuh Dashboard: Installed and configured to listen on port 8080 using the command:
```
./wazuh-install.sh --wazuh-dashboard dashboard -p 8080
```
Post-Installation:
The Wazuh updating repository is disabled in /etc/apt/sources.list.d/wazuh.list to prevent automatic updates from the official source.
The admin password is extracted from the generated archive and stored in /opt/wazuh/password.

User Permissions: The installation and management of Wazuh components require root privileges.
File Permissions:
The config.yml and password files are set to mode 0600 to restrict access to the root user only.
The main directory /opt/wazuh is set to mode 0755.
The Nginx directory /root/nginx is owned by root with mode 0755.
Firewall: The Nginx proxy handles external traffic on port 443. Internal services communicate over port 8080.

Wazuh utilizes a Wazuh Indexer for data storage and management.

Connection Method: Internal communication occurs within the host environment.
Health Check Endpoint: https://127.0.0.1:9200/_cluster/health.
Authentication:
Username: admin.
Password: Stored in the file /opt/wazuh/password.
Storage Location: Data is managed by the Wazuh Indexer service installed via the wazuh-install.sh script.

The proxy layer for SSL termination and domain routing is implemented using Docker.

Container Image: jonasal/nginx-certbot:latest.
Deployment Method: Docker Compose.
Compose File Location: /root/nginx/compose.yml.
Volumes:
nginx_secrets: Mounted to /etc/letsencrypt for SSL certificates.
/data/nginx/user_conf.d: Mounted to /etc/nginx/user_conf.d for custom configuration.
Network Mode: host.
Startup Command:
```
docker compose up -d
```
This command is executed from the directory /root/nginx.

Access to the Wazuh Dashboard is proxied through an Nginx container with automatic SSL certificate management via Certbot.

Proxy Server: Nginx.
SSL Management: Certbot (included in the jonasal/nginx-certbot image).
Configuration Details:
The proxy forwards requests to the internal Wazuh Dashboard service.
Target URL: https://wazuh<Server ID>.hostkey.in:8080.
The configuration is stored in /data/nginx/user_conf.d/wazuh<Server ID>.hostkey.in.conf.
Email for Certbot: [email protected].

Wazuh Configuration: /opt/wazuh/config.yml.
Wazuh Installation Script: /opt/wazuh/wazuh-install.sh.
Admin Credentials: /opt/wazuh/password (format: admin:<password>).
Docker Compose (Proxy): /root/nginx/compose.yml.
Nginx Custom Config: /data/nginx/user_conf.d/wazuh<Server ID>.hostkey.in.conf.
Wazuh Repository List: /etc/apt/sources.list.d/wazuh.list.

Port	Protocol	Service	Description
443	HTTPS	Nginx Proxy	External access to Wazuh Dashboard
8080	HTTPS	Wazuh Dashboard	Internal access to the dashboard
9200	HTTPS	Wazuh Indexer	Internal API for indexer health and data

Starting the Proxy: To start the Nginx proxy container with SSL:
```
docker compose up -d
```
This command must be run from the directory /root/nginx.
Managing Wazuh Services: The Wazuh components (Indexer, Server, Dashboard) are managed via the wazuh-install.sh script located in /opt/wazuh.
Start Cluster: ./wazuh-install.sh --start-cluster
Note: The Wazuh repository for automatic updates has been disabled in /etc/apt/sources.list.d/wazuh.list. Manual updates require re-enabling the repository or using the installation script with specific flags, though the current configuration restricts automatic updates.