These docs are for v16. Click to read the latest docs for v33.

Extender Configuration

Configuring Extender Log Location

By default, PrivX Extender logs info and errors to /var/log/privx/privx-extender.log.

If you want to enable logging to syslog, specify the rsyslog address and protocol in /opt/privx/etc/extender-config.toml, similar to the following:

syslog_protocol="tcp"
syslog_address="localhost:514"

Restart PrivX Extender to apply the changes. In addition, make sure rsyslog is enabled on the extender host:

# systemctl restart privx-extender
# systemctl restart rsyslog

Proxying Native-Client Connections

To allow proxying native-client connections via PrivX Extenders:

  1. On all your PrivX servers, enable the forwarder_enabled setting in /opt/privx/etc/ssh-proxy.toml.

    Restart PrivX services to apply the changes:

    # systemctl restart privx
    

    Caution: The forwarder relays all the data it receives (not just the native-client connections), and should not be enabled in high-security networks.

  2. Session recording must be disabled on hosts that are to be accessed using proxied native-client connections. For more detailed instructions about toggling session recording, see Session-Recording Setup.

  3. (Optional) To simplify native-client commands, specify the required connection parameters in the users' client configuration (typically at /etc/ssh/ssh_config or ~/.ssh/config). You can do this using Host blocks that at least specify:

    • The target HostName in extender-name/target-host-address format.

    • The ProxyCommand: privx-nc -x $PRIVX_AGENT_PROXY %h %p

    For example:

    Host bilberry
        HostName example-extender/bilberry.example.com
        ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p
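
To check users' client configuration for Host blocks that call privx-nc without naming an Extender, the following lint can be run over an ssh_config file. It is an added example, not part of the PrivX documentation or tooling. The function names lint_privx_hosts and sample_config and the sample hosts are constructed for illustration, and the check assumes the Extender is named either in HostName or as extender-name/%h inside the ProxyCommand, the two forms shown on this page.

```shell
# lint_privx_hosts [FILE]: read an ssh_config (stdin when FILE is omitted) and report
# Host blocks that proxy through privx-nc without naming an Extender. Exit 1 on findings.
lint_privx_hosts() {
    awk '
    function report(   k, p) {
        k = split(hostname, p, "/")
        if (host != "" && proxied && !in_cmd && (k != 2 || p[1] == "" || p[2] == "")) {
            print host ": HostName \"" hostname "\" is not extender-name/target-host-address"
            bad = 1
        }
        host = ""; hostname = ""; proxied = 0; in_cmd = 0
    }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        n = match(line, /[ \t=]/)            # keyword ends at whitespace or "="
        if (line ~ /^#/ || n == 0) next      # skip comments, blank and bare lines
        key = tolower(substr(line, 1, n - 1)); val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "host" || key == "match") {
            report(); if (key == "host") host = val
        } else if (key == "hostname") {
            hostname = val
        } else if (key == "proxycommand" && (" " val " ") ~ "[ \t/]privx-nc[ \t]") {
            proxied = 1; in_cmd = (val ~ "[^ \t/]/%h")   # Extender given as name/%h
        }
    }
    END { report(); exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample input, not taken from a real deployment.
sample_config() {
    cat <<'EOF'
Host bilberry
    HostName example-extender/bilberry.example.com
    ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p
Host cloudberry
    HostName cloudberry.example.com
    ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p
Host lingonberry
    HostName=lingonberry.example.com
    proxycommand privx-nc -x $PRIVX_AGENT_PROXY example-extender/%h %p
EOF
}

# Demo run on the constructed sample: only the cloudberry block is reported.
sample_config | lint_privx_hosts || true
```
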
    

After setup, you can connect to target hosts as follows:

  1. As the native-client user, start the PrivX agent (if not already started) and use it to log into PrivX.

  2. If you have specified the required parameters in your SSH-client configuration, you can connect simply using the appropriate Host block. For example:

    $ ssh target-user@bilberry
    
    $ sftp target-user@bilberry
    
    $ scp source/file/path target-user@bilberry:/target/file/path
    

Otherwise, you must additionally provide the ProxyCommand and the name of the PrivX Extender, similar to the following:

$ ssh -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \
target-user@example-extender/bilberry.example.com
$ sftp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \
target-user@example-extender/bilberry.example.com
$ scp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY example-extender/%h %p" \
source/file/path [email protected]:/target/file/path

Custom Load-Balancer Support

If you are using a custom load balancer, ensure that its session-affinity cookie (also known as a sticky-session cookie) is accepted by all your PrivX Extenders:

  1. Add the name of the session-affinity cookie to the known_lb_cookies setting. The setting is in the Extender at /opt/privx/etc/extender-config.toml.

  2. Restart the Extender with:

    # systemctl restart privx-extender
    

See PrivX high availability deployment for more information.

Note: If your PrivX HA deployment also includes PrivX Carriers and PrivX Web Proxies, configure those to accept your session-affinity cookie as well.