From 40151c88125fcdb60649fb2c309e573b4ee9516b Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Mon, 23 Feb 2026 15:02:30 -0800 Subject: [PATCH 1/4] Add instructions for deploying fleet-server behind load balancer --- reference/fleet/add-fleet-server-on-prem.md | 22 +++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/reference/fleet/add-fleet-server-on-prem.md b/reference/fleet/add-fleet-server-on-prem.md index b03cb87093..9040e6eba0 100644 --- a/reference/fleet/add-fleet-server-on-prem.md +++ b/reference/fleet/add-fleet-server-on-prem.md 
@@ -153,6 +153,28 @@ You can update your {{fleet-server}} configuration in {{kib}} at any time by goi * Specify proxy URLs to use for {{fleet-server}} or {{agent}} outputs. +## {{fleet-server}} setup using a load balancer [fleet-server-setup-using-a-load-balancer] + +When deploying {{fleet-server}} behind a load balancer/reverse proxy the following steps need to be taken: + +1. Create a certificate that contains DNS entries for the agent-facing load balancer (i.e., `fleet.example.com`), and the hostnames it will route to (i.e., `fleet1.example.com`, `fleet2.example.com`). + +2. Configure the load balancer/reverse proxy. + * The load balancer directs traffic to all {{fleet-server}} instances (i.e., `fleet1.example.com`, `fleet2.example.com`). + * Ensure that timeouts for the load balancer have been raised to support the long-polling connections {{agents}} create when checking in to {{fleet-server}}. + The default timeout for long-poll in {{fleet-server}} is 5 minutes, the {{fleet-server}}'s write timeout, and the {{agent}}'s request timeout are set to 10 minutes. The load balancer timeout should be set to 10 minutes. + * It's recommended to configure the load balancer with TLS pass through. + ::::{note} + Starting with {{stack}} v9.4 or later, the {{fleet-server}} status API `GET /api/status` may be used to determine instance health from the load balancer. + :::: + +3. Add the load balancer (i.e., `https://fleet.example.com:8220`) as a {{fleet-server}} host under the **Settings** tab in {{fleet}}. + +4. Install {{fleet-server}} on each host (i.e., `fleet1.example.com`, `fleet2.example.com`) using the in-product instructions which should specify the load balancer as the URL, i.e., `--url=https://fleet.example.com:8220`. + +5. Enroll other {{agent}} instances using the load balancer URL (i.e., `https://fleet.example.com:8220`). 
+ + ## Troubleshooting [add-fleet-server-on-prem-troubleshoot] If you’re unable to add a {{fleet}}-managed agent, click the **Agents** tab and confirm that the agent running {{fleet-server}} is healthy. From 78766e67c4ce8fe3e70b85e3d236f68e375fe1b1 Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Mon, 23 Feb 2026 15:42:16 -0800 Subject: [PATCH 2/4] Get rid of instances of i.e. --- reference/fleet/add-fleet-server-on-prem.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/reference/fleet/add-fleet-server-on-prem.md b/reference/fleet/add-fleet-server-on-prem.md index 9040e6eba0..8b0993fc16 100644 --- a/reference/fleet/add-fleet-server-on-prem.md +++ b/reference/fleet/add-fleet-server-on-prem.md 
@@ -157,10 +157,10 @@ You can update your {{fleet-server}} configuration in {{kib}} at any time by goi When deploying {{fleet-server}} behind a load balancer/reverse proxy the following steps need to be taken: -1. Create a certificate that contains DNS entries for the agent-facing load balancer (i.e., `fleet.example.com`), and the hostnames it will route to (i.e., `fleet1.example.com`, `fleet2.example.com`). +1. Create a certificate that contains DNS entries for the agent-facing load balancer, and the hostnames it routes to. For example, the load balancer may be `fleet.example.com` and the hostnames `fleet1.example.com`, and `fleet2.example.com`. 2. Configure the load balancer/reverse proxy. - * The load balancer directs traffic to all {{fleet-server}} instances (i.e., `fleet1.example.com`, `fleet2.example.com`). + * The load balancer directs traffic to all {{fleet-server}} instances. * Ensure that timeouts for the load balancer have been raised to support the long-polling connections {{agents}} create when checking in to {{fleet-server}}. The default timeout for long-poll in {{fleet-server}} is 5 minutes, the {{fleet-server}}'s write timeout, and the {{agent}}'s request timeout are set to 10 minutes. The load balancer timeout should be set to 10 minutes. * It's recommended to configure the load balancer with TLS pass through. 
@@ -168,11 +168,11 @@ When deploying {{fleet-server}} behind a load balancer/reverse proxy the followi Starting with {{stack}} v9.4 or later, the {{fleet-server}} status API `GET /api/status` may be used to determine instance health from the load balancer. :::: -3. Add the load balancer (i.e., `https://fleet.example.com:8220`) as a {{fleet-server}} host under the **Settings** tab in {{fleet}}. +3. Add the load balancer (example: `https://fleet.example.com:8220`) as a {{fleet-server}} host under the **Settings** tab in {{fleet}}. -4. Install {{fleet-server}} on each host (i.e., `fleet1.example.com`, `fleet2.example.com`) using the in-product instructions which should specify the load balancer as the URL, i.e., `--url=https://fleet.example.com:8220`. +4. Install {{fleet-server}} on each backing host using the in-product instructions which should specify the load balancer as the URL. -5. Enroll other {{agent}} instances using the load balancer URL (i.e., `https://fleet.example.com:8220`). +5. Enroll other {{agent}} instances using the load balancer URL. ## Troubleshooting [add-fleet-server-on-prem-troubleshoot] From 1beafdc9201c4737085fe642c459d0acb9e20519 Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Mon, 23 Feb 2026 16:06:28 -0800 Subject: [PATCH 3/4] change example wording --- reference/fleet/add-fleet-server-on-prem.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/fleet/add-fleet-server-on-prem.md b/reference/fleet/add-fleet-server-on-prem.md index 8b0993fc16..001697645b 100644 --- a/reference/fleet/add-fleet-server-on-prem.md +++ b/reference/fleet/add-fleet-server-on-prem.md 
@@ -157,7 +157,7 @@ You can update your {{fleet-server}} configuration in {{kib}} at any time by goi When deploying {{fleet-server}} behind a load balancer/reverse proxy the following steps need to be taken: -1. Create a certificate that contains DNS entries for the agent-facing load balancer, and the hostnames it routes to. For example, the load balancer may be `fleet.example.com` and the hostnames `fleet1.example.com`, and `fleet2.example.com`. +1. Create a certificate that contains DNS entries for the agent-facing load balancer, and the hostnames it routes to. For example, the load balancer `fleet.example.com` will route to hostnames `fleet1.example.com`, and `fleet2.example.com`. 2. Configure the load balancer/reverse proxy. * The load balancer directs traffic to all {{fleet-server}} instances. From 5cd3f3ba64b62675a8b258cdcd8c2c7e4b36fdc0 Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Tue, 24 Feb 2026 09:39:53 -0800 Subject: [PATCH 4/4] Fix note formatting --- reference/fleet/add-fleet-server-on-prem.md | 1 + 1 file changed, 1 insertion(+) diff --git a/reference/fleet/add-fleet-server-on-prem.md b/reference/fleet/add-fleet-server-on-prem.md index 001697645b..cc44a23394 100644 --- a/reference/fleet/add-fleet-server-on-prem.md +++ b/reference/fleet/add-fleet-server-on-prem.md 
@@ -164,6 +164,7 @@ When deploying {{fleet-server}} behind a load balancer/reverse proxy the followi * Ensure that timeouts for the load balancer have been raised to support the long-polling connections {{agents}} create when checking in to {{fleet-server}}. The default timeout for long-poll in {{fleet-server}} is 5 minutes, the {{fleet-server}}'s write timeout, and the {{agent}}'s request timeout are set to 10 minutes. The load balancer timeout should be set to 10 minutes. * It's recommended to configure the load balancer with TLS pass through. + ::::{note} Starting with {{stack}} v9.4 or later, the {{fleet-server}} status API `GET /api/status` may be used to determine instance health from the load balancer. ::::
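Review bot: In [PATCH 1/4], the timeout text under step 2 is a comma splice and does not say which load balancer timeout it means. "The default timeout for long-poll in {{fleet-server}} is 5 minutes, the {{fleet-server}}'s write timeout, and the {{agent}}'s request timeout are set to 10 minutes" reads as a single list. Split it into two sentences, name the setting (idle or read timeout), and state whether 10 minutes is a minimum, since a load balancer timeout shorter than the 5-minute long poll would cut off agent check-ins.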
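Review bot: In [PATCH 2/4], first hunk, the reworded step 1 still does not say where the certificate is installed or why the load balancer name has to be in it. With the TLS pass-through recommended in step 2, the load balancer does not terminate TLS, so each {{fleet-server}} instance presents this certificate to agents that connected to `fleet.example.com`. Saying that in step 1 would make the requirement clear. One certificate listing every backing hostname also implies the same private key on every host. Consider noting whether each host can instead use its own certificate carrying the load balancer name plus its own hostname.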
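Review bot: In [PATCH 2/4], second hunk, step 4 loses the only concrete instruction when `--url=https://fleet.example.com:8220` is dropped along with the "i.e.". "using the in-product instructions which should specify the load balancer as the URL" leaves it unclear whether the generated command already contains the load balancer URL after step 3 or whether the reader must edit it. Keep the flag as an example, as step 3 does with "(example: ...)", and say what to do if the generated command shows a different URL. Step 5 would benefit from the same example URL.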
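Review bot: In [PATCH 3/4], the reworded example in step 1 keeps a comma before "and" in a two-item list (`fleet1.example.com`, and `fleet2.example.com`), and the first sentence has the same stray comma after "load balancer". Suggest "for the agent-facing load balancer and the hostnames it routes to" and "routes to the hostnames `fleet1.example.com` and `fleet2.example.com`", which also keeps the present tense used in the sentence before it.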
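Review bot: In [PATCH 4/4], the note being reformatted says "Starting with {{stack}} v9.4 or later", which is redundant; use either "Starting with {{stack}} v9.4" or "In {{stack}} v9.4 or later". The note also follows the TLS pass-through bullet although it is about health checks, and it says neither which response from `GET /api/status` counts as healthy nor whether the request needs credentials. A reader configuring the load balancer health check needs both, so consider moving the note into its own bullet and adding them.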