Extender Configuration

Configuring Extender Log Location

By default, PrivX Extender logs info and errors to /var/log/privx/privx-extender.log.

If you want to enable logging to syslog, specify the rsyslog address and protocol in /opt/privx/etc/extender-config.toml, similar to the following:

syslog_protocol="tcp"
syslog_address="localhost:514"

Restart PrivX Extender to apply the changes. In addition, make sure rsyslog is enabled on the extender host:

# systemctl restart privx-extender
# systemctl restart rsyslog
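As an added example (not PrivX's own tooling), the following POSIX shell script reads the two syslog keys shown above from an Extender config file and reports whether they describe a usable rsyslog destination before you restart the service. The config file it writes is constructed for the demo, and accepting udp alongside tcp is an assumption; the page itself only shows tcp.

```shell
#!/bin/sh
# Added example, not part of PrivX: sanity-check the syslog settings of a
# PrivX Extender config before restarting the service. The keys checked are
# the two shown on the page (syslog_protocol, syslog_address); the sample
# config written by make_sample is constructed for this demo.

toml_get() {
    # Print the value of top-level key $2 in TOML file $1, with optional
    # quotes, trailing comments and trailing whitespace stripped. Handles only
    # simple `key = "value"` lines, which is all the two syslog keys need.
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

check_syslog_config() {
    # Return 0 if $1 configures a usable rsyslog destination, 1 otherwise,
    # printing one line that explains the result.
    proto=$(toml_get "$1" syslog_protocol)
    addr=$(toml_get "$1" syslog_address)
    if [ -z "$proto" ] && [ -z "$addr" ]; then
        echo "syslog not configured; logs stay in /var/log/privx/privx-extender.log"
        return 1
    fi
    # rsyslog listens on tcp or udp; accepting udp here is an assumption,
    # the page only shows tcp.
    case "$proto" in
        tcp|udp) ;;
        *) echo "syslog_protocol must be tcp or udp (got '$proto')"; return 1 ;;
    esac
    case "$addr" in
        ?*:?*) port=${addr##*:} ;;
        *) echo "syslog_address must be host:port (got '$addr')"; return 1 ;;
    esac
    case "$port" in
        *[!0-9]*) echo "port '$port' in syslog_address is not numeric"; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port $port in syslog_address is out of range"
        return 1
    fi
    echo "syslog: $proto to $addr"
    return 0
}

make_sample() {
    # Write a constructed extender-config.toml fragment to $1.
    cat > "$1" <<'EOF'
# extender-config.toml (constructed sample)
syslog_protocol="tcp"
syslog_address="localhost:514"
EOF
}

# Demo on the constructed sample; on a real host point check_syslog_config at
# /opt/privx/etc/extender-config.toml instead.
sample=$(mktemp)
make_sample "$sample"
check_syslog_config "$sample"
rm -f "$sample"
```

Run it with `sh check-syslog.sh`; a non-zero exit means the file needs attention before `systemctl restart privx-extender`.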
Proxying Native-Client Connections

To allow proxying native-client connections via PrivX Extenders:

- On all your PrivX servers, enable the forwarder_enabled setting in /opt/privx/etc/ssh-proxy.toml. Restart PrivX services to apply the changes:

  # systemctl restart privx

  Caution
  The forwarder relays all the data it receives (not just the native-client connections), and should not be enabled in high-security networks.

- Session recording must be disabled on hosts that are to be accessed using proxied native-client connections. For more detailed instructions about toggling session recording, see Session-Recording Setup.

- (Optional) To simplify native-client commands, specify the required connection parameters in the users' client configuration (typically at /etc/ssh/ssh_config or ~/.ssh/config). You can do this using Host blocks that at least specify:
  - The target HostName in extender-name/target-host-address format.
  - The ProxyCommand: privx-nc -x $PRIVX_AGENT_PROXY %h %p

  For example:

  Host bilberry
      HostName example-extender/bilberry.example.com
      ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p

After setup, you can connect to target hosts as follows:

- As the native-client user, start the PrivX agent (if not already started) and use it to log into PrivX.

- If you have specified the required parameters in your SSH-client configuration, you can connect simply using the appropriate Host block. For example:

  $ ssh [email protected]
  $ sftp [email protected]
  $ scp source/file/path [email protected]:/target/file/path

  Otherwise, you must additionally provide the ProxyCommand and the name of the PrivX Extender, similar to the following:

  $ ssh -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \
      [email protected]/bilberry.example.com
  $ sftp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \
      [email protected]/bilberry.example.com
  $ scp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY example-extender/%h %p" \
      source/file/path [email protected]:/target/file/path
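The following POSIX shell script is an added example, not PrivX tooling. It audits the two client-side settings this section describes: whether forwarder_enabled is on in an ssh-proxy.toml (worth reporting explicitly, given the caution that the forwarder relays all data it receives), and whether a given Host block in an ssh_config has a HostName in extender-name/target-host-address form and a ProxyCommand that runs privx-nc. Both sample files are constructed here; it assumes the TOML line reads `forwarder_enabled = true` and that Host lines name a single host pattern.

```shell
#!/bin/sh
# Added example, not part of PrivX: audit the settings the page lists for
# proxied native-client connections. Sample ssh-proxy.toml and ssh_config
# fragments are constructed below; real files live at
# /opt/privx/etc/ssh-proxy.toml and /etc/ssh/ssh_config or ~/.ssh/config.

forwarder_state() {
    # Print "enabled" or "disabled" according to forwarder_enabled in $1.
    # Assumes the TOML line has the form: forwarder_enabled = true
    if grep -Eq '^[[:space:]]*forwarder_enabled[[:space:]]*=[[:space:]]*true' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

host_block_ok() {
    # Return 0 when Host $2 in ssh_config $1 has a HostName of the form
    # extender-name/target-host-address and a ProxyCommand running privx-nc.
    # Assumes one pattern per Host line (the page's own example has one).
    block=$(awk -v h="$2" '
        $1 == "Host" { inblock = ($2 == h); next }
        inblock { print }' "$1")
    hostname=$(printf '%s\n' "$block" | awk '$1 == "HostName" { print $2; exit }')
    case "$hostname" in
        ?*/?*) ;;
        *) echo "Host $2: HostName '$hostname' is not extender-name/target-host-address"; return 1 ;;
    esac
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*ProxyCommand[[:space:]]+privx-nc ' || {
        echo "Host $2: ProxyCommand does not run privx-nc"; return 1; }
    echo "Host $2: HostName $hostname via privx-nc"
    return 0
}

write_samples() {
    # Constructed samples: ssh-proxy.toml fragment to $1, ssh_config to $2.
    cat > "$1" <<'EOF'
# ssh-proxy.toml (constructed sample)
forwarder_enabled = true
EOF
    cat > "$2" <<'EOF'
# ssh_config (constructed sample; "bilberry" mirrors the page's Host block,
# "direct" deliberately lacks the extender prefix and the ProxyCommand)
Host bilberry
    HostName example-extender/bilberry.example.com
    ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p

Host direct
    HostName bilberry.example.com
EOF
}

# Demo on the constructed samples.
toml=$(mktemp); sshcfg=$(mktemp)
write_samples "$toml" "$sshcfg"
echo "forwarder on PrivX server: $(forwarder_state "$toml")"
host_block_ok "$sshcfg" bilberry
host_block_ok "$sshcfg" direct || true
rm -f "$toml" "$sshcfg"
```

A reported "enabled" forwarder is the expected state for this feature; the point of printing it is that the setting is easy to forget once native-client proxying is no longer needed.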
Custom Load-Balancer Support

If you are using a custom load balancer, ensure that its session-affinity cookie (also known as a sticky-session cookie) is accepted by all your PrivX Extenders:

- Add the name of the session-affinity cookie to the known_lb_cookies setting. The setting is in the Extender at /opt/privx/etc/extender-config.toml.

- Restart the Extender with:

  # systemctl restart privx-extender

See PrivX high availability deployment for more information.

Note
If your PrivX HA deployment also includes PrivX Carriers and PrivX Web Proxies, configure those to accept your session-affinity cookie as well.