Extender Configuration

Configuring Extender Log Location

By default PrivX Extender logs info and errors to ​/var/log/privx/privx-extender.log​​

If you want to enable logging to syslog, specify the rsyslog address and protocol in ​/opt/privx/etc/extender-config.toml​​, similar to the following:

syslog_protocol="tcp"
syslog_address="localhost:514"

Restart PrivX Extender to apply the changes. In addition make sure rsyslog is enabled on the extender host:

# systemctl restart privx-extender
# systemctl restart rsyslog

Proxying Native-Client Connections

To allow proxying native-client connections via PrivX Extenders:

  1. On all your PrivX servers, enable the ​forwarder_enabled​ setting in ​/opt/privx/etc/ssh-proxy.toml​​.

    Restart PrivX services to apply the changes:

    # systemctl restart privx
    

    🚧

    Caution

    The forwarder relays all the data it receives (not just the native-client connections), and should not be enabled in high-security networks.

  2. Session recording must be disabled on hosts that are to be accessed using proxied native-client connections. For more detailed instructions about toggling session recording, see Session-Recording Setup.

  3. ​​(Optional)​ To simplify native-client commands, specify the required connection parameters in the users' client configuration (typically at ​/etc/ssh/ssh_config​ or ​~/.ssh/config​​). You can do this using ​Host​​ blocks that at least specify:

    • The target ​HostName​ in ​extender-name/target-host-address​​ format.

    • The ​ProxyCommand​​: ​privx-nc -x $PRIVX_AGENT_PROXY %h %p​​

    For example:

    Host ​bilberry​​
        HostName ​example-extender/bilberry.example.com​​
        ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p
    

After setup, you can connect to target hosts as follows:

  1. As the native-client user, start the PrivX agent (if not already started) and use it to log into PrivX.

  2. If you have specified the required parameters in your SSH-client configuration, you can connect simply using the appropriate ​Host​​ block. For example:

    $ ssh ​[email protected]​​
    
    $ sftp ​[email protected]​​
    
    $ scp ​source/file/path [email protected]:/target/file/path​​
    

Otherwise, you must additionally provide the ProxyCommand and the name of the PrivX Extender, similar to the following:

$ ssh -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \
​​[email protected]/bilberry.example.com​​
$ sftp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \
​​[email protected]/bilberry.example.com​​
$ scp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY example-extender/%h %p" \
​​source/file/path​​​[email protected]:/target/file/path​​

Custom Load-Balancer Support

If you are using a custom load balancer, ensure that its session-affinity cookie (also known as a sticky-session cookie) is accepted by all your PrivX Extenders:

  1. Add the name of the session-affinity cookie to the ​known_lb_cookies​​ setting. The setting is in the Extender at ​​/opt/privx/etc/extender-config.toml​​.

  2. Restart the Extender with:

    # systemctl restart privx-extender
    

See PrivX high availability deployment for more information.

📘 Note
If your PrivX HA deployment also includes PrivX Carriers and PrivX Web Proxies, configure those to accept your session-affinity cookie as well.


Did this page help you?