Install a collector
The collector is the on-prem half of kilasec. It runs on a LAN host (a small Linux box, VM, NUC, or Pi) and does three things:
- mitmproxy on
:8080— TLS-decrypts AI traffic from clients that route through it. - Policy engine (PDP) on
127.0.0.1:8000— evaluates every request against your rules and emits a verdict. - PAC server on
:9443— serves the proxy auto-config so DHCP can hand it to clients automatically.
No raw payloads leave the customer's network. The cloud only sees the decision (with redaction already applied at the collector).
Requirements
| Minimum | |
|---|---|
| OS | Linux with systemd (amd64 or arm64). The installer is systemd-based — macOS is not supported as a collector host. |
| Docker | 24+ |
| Network | outbound HTTPS to kilasec.com; inbound 8080/9443 from the LAN |
| Memory | 512 MB free |
| Storage | 2 GB for image + ~50 MB/day for local audit logs |
One-liner
The simplest path — paste this into a fresh shell on the collector host:
bash
curl -fsSL https://kilasec.com/install | sh -s -- --enroll <enrollment-code>What that does, in order:
- Reads
--enroll <code>, POSTs it to/api/v1/collectors/enroll. - Receives a per-collector token + the registry creds for the docker image.
- Writes
/etc/kilasec/collector.env(mode 600). docker loginto GHCR, thendocker pull ghcr.io/blox-24/kilasec-collector.- Installs
kilasec-collector.serviceas a systemd unit, enables, starts. - Polls
/api/v1/collectors/{id}/statusuntil the cloud sees its first heartbeat (or 60s).
You'll see something like:
✓ enrolled with cloud (collector_id=col_4f81…)
✓ pulled image kilasec-collector:latest
✓ wrote /etc/systemd/system/kilasec-collector.service
✓ collector reachable at http://localhost:8080
✓ cloud sees the collector — you're online.Manual install (no curl-to-shell)
If you don't want to pipe a shell script:
bash
# 1. Enroll manually.
curl -X POST https://kilasec.com/api/v1/collectors/enroll \
-H "Content-Type: application/json" \
-d '{"code": "<enrollment-code>", "hostname": "'$(hostname)'", "platform": "linux"}'
# → {token, collector_id, registry: {user, password}, image}
# 2. Save the token (mode 600, root-only).
sudo install -d -m 700 /etc/kilasec
echo "AGENTFW_CLOUD_URL=https://kilasec.com/api" | sudo tee /etc/kilasec/collector.env >/dev/null
echo "AGENTFW_CLOUD_TOKEN=<token-from-response>" | sudo tee -a /etc/kilasec/collector.env >/dev/null
sudo chmod 600 /etc/kilasec/collector.env
# 3. Pull the image.
echo "<password>" | docker login ghcr.io -u <user> --password-stdin
docker pull ghcr.io/blox-24/kilasec-collector:latest
# 4. Run.
docker run -d --name kilasec-collector --restart always \
--env-file /etc/kilasec/collector.env \
-p 8080:8080 -p 9443:9443 \
-v /var/lib/kilasec:/var/lib/kilasec \
ghcr.io/blox-24/kilasec-collector:latestVerify
bash
# Reach the PDP locally (should be loopback-only):
curl http://127.0.0.1:8000/healthz
# {"ok": true, ...}
# Reach the proxy port from another LAN host:
curl --proxy http://<collector-ip>:8080 https://api.openai.com -o /dev/null -w "%{http_code}\n"
# 200 (or whatever; the point is the connection works)The collector should now appear on the cloud dashboard under Collectors with a fresh last_seen_at.
Screenshot: Collectors page with new collector onlinedocs/public/screenshots/collectors-online.png
Where the collector keeps state
/var/lib/kilasec/mitmproxy/— the auto-generated mitmproxy CA. Mount this volume so the CA survives container restarts; otherwise every restart breaks every client that trusted the old CA./var/lib/kilasec/audit.log.jsonl— local audit log. Cloud has the canonical copy via ingest; this is just a tail.
Common installer flags
--enroll <code>— one-time enrollment code from your kilasec admin.--token <api_token>— skip enrollment; use a pre-issued token directly (rare).--registry-user / --registry-pass— override GHCR creds.--image <ref>— pull a specific tag (e.g.:v0.7.2) instead of:latest.--no-systemd— skip the systemd unit; you'll start the container manually.
→ Once the collector is up, point traffic at it and watch Live Traffic.