Carrier and Web Proxy Configuration
Allowing HTTP/HTTPS Targets at Unusual Ports
This section describes modifying the allowed target ports for PrivX Web Proxies. These instructions assume you have some familiarity with Squid configuration.
By default PrivX only allows access to HTTP/HTTPS targets running on certain ports. The allowed ports are defined near the start of your Squid configuration file.
To allow access to targets at nonstandard ports:
- Verify and set the allowed target ports on your Web-Proxy machines in /opt/privx/etc/squid.conf:
  - For HTTP and HTTPS targets, ensure the target port is included in the Safe_ports list. You can add the target port by adding a similar line immediately after the other acl Safe_ports directives (replace <target_port> with the port of your HTTP/HTTPS service):
    acl Safe_ports port <target_port>
  - Additionally, for HTTPS targets, ensure the target port is included in the SSL_ports list. You can add the target port by adding a similar line immediately after the other acl SSL_ports directives (replace <target_port> with the port of your HTTPS service):
    acl SSL_ports port <target_port>
  For example, to allow access to an HTTPS target running on port 9443, you would need to add the port to SSL_ports:
    acl SSL_ports port 443
    acl SSL_ports port 9443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 1025-65535 # unregistered ports
    acl CONNECT method CONNECT
  Port 9443 is already included in Safe_ports by default (it falls within the 1025-65535 range).
- Restart the squid service to apply the changes:
  # systemctl restart squid
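As an added check (example script, not part of the PrivX documentation or product), the following POSIX shell functions report whether a port is already covered by the Safe_ports or SSL_ports ACLs in a squid.conf, including ranges such as 1025-65535, so you can see what still needs adding before restarting Squid. The sample squid.conf it writes is constructed here and mirrors the default ACLs shown above.

```shell
#!/bin/sh
# Added example, not part of the PrivX documentation or product: check whether
# a target port is covered by a Squid port ACL (Safe_ports or SSL_ports) in a
# squid.conf, honouring both single ports and ranges such as 1025-65535.
# Only lines of the form "acl <name> port <spec>..." are considered, and a
# trailing "# ..." comment is ignored.
port_allowed() {
    # $1 = path to squid.conf, $2 = ACL name, $3 = port; exit status 0 if covered
    awk -v acl="$2" -v want="$3" '
        BEGIN { p = want + 0 }
        $1 == "acl" && $2 == acl && $3 == "port" {
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^#/) break                 # rest of the line is a comment
                n = split($i, r, "-")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (p >= lo && p <= hi) { found = 1; exit }
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# An HTTPS target needs its port in both lists; an HTTP target only in Safe_ports.
# Prints what is missing and returns 1 if anything is.
https_target_ok() {
    rc=0
    port_allowed "$1" Safe_ports "$2" || { echo "port $2 missing from Safe_ports"; rc=1; }
    port_allowed "$1" SSL_ports  "$2" || { echo "port $2 missing from SSL_ports";  rc=1; }
    return $rc
}

# Constructed sample mirroring the default port ACLs in squid.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
EOF
}

# Stand-alone demo: shows that 9443 is already a Safe_port but not an SSL_port.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_sample_conf "$f"
    https_target_ok "$f" 9443; rm -f "$f"
fi
```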
Access Restrictions for Web Connections
You can control access to specific websites for specific PrivX roles. With this you can prevent users from accessing arbitrary websites, whether by entering URLs or by following links on web targets.
You can also configure host-specific domain restrictions (since PrivX 16). See Customizing the PrivX Carrier browser for more information.
Role-based access control is configured via Squid on PrivX Web Proxies. These instructions assume you have some familiarity with Squid configuration. This section provides some basic examples about access control. For more comprehensive descriptions about Squid's access-control settings, see their vendor documentation at https://wiki.squid-cache.org/SquidFaq/SquidAcl
To control access for a PrivX role, you will typically need to specify the following in the Squid configuration:
- Define an acl matching the members of the PrivX role. You can determine PrivX users' roles from their User-Agent header.
- Define acls for the restricted address(es).
- Define rules allowing/denying matching members to access the restricted address(es).
For example, to allow only privx-admin members to access www.example.com, while denying all other PrivX users, perform the following on all your PrivX Web Proxies:
- Add rules like the following to the Squid configuration at /opt/privx/etc/squid.conf:
    # Match all PrivX users belonging to the privx-admin role
    acl is_privx_admin req_header User-Agent Role\=privx-admin
    # Define restricted address(es)
    acl restricted_to_certain_privx_roles ssl::server_name www.example.com
    # Allow privx-admins to access restricted address(es)
    http_access allow is_privx_admin restricted_to_certain_privx_roles
    # Deny others access to restricted address(es)
    http_access deny restricted_to_certain_privx_roles
  Squid evaluates http_access rules in order and the first match wins, so the allow rule for privx-admin members must come before the deny rule.
- Restart the squid service to apply the changes:
  # systemctl restart squid
Trusting Sites with Self-Signed Certificates
Configure trust for any web targets that use self-signed certificates, for the following benefits:
- PrivX users connecting to web targets no longer receive security warnings about insecure server certificates.
- Websocket connections from the web target are supported.
Note
We recommend setting up web targets before configuring trust for them. For more information about setting up targets in PrivX, see Setting up Hosts.
To trust a web target:
- On your PrivX Web Proxy, add the CA-certificate chain of the web target to the system trust anchors: save the CA-certificate-chain file under /etc/pki/ca-trust/source/anchors/. Then run:
  # update-ca-trust extract
  Restart the Squid service to apply the changes:
  # systemctl restart squid
- (Optional) Perform this step if you need to enable websocket connections from the web target. On your PrivX Carrier, add the CA-certificate chain of the web target to your PrivX-Carrier configuration at /opt/privx/etc/carrier-config.toml. Then restart the Carrier and Docker services to apply the changes:
  # systemctl restart privx-carrier
  # systemctl restart docker
Changing Web Proxy Port Numbers
To change the Web Proxy ports, you need to edit the following:
Note
In the following examples, replace the port numbers 18080, 18443, and 18444 with the ports you want to use.
- On the Carrier host, change the ports in the /opt/privx/etc/carrier-container.toml file:
    [web_container]
    # Web proxy ports for HTTP and HTTPS. The port numbers and Carrier host IP
    # address should match the Squid configuration file in /opt/privx/etc/squid.conf
    # Proxy server IP address is configured via PrivX UI.
    http_proxy_port = 18080
    https_proxy_port = 18443
    websocket_proxy_port = 18444
  After editing the file, restart the Carrier service:
  # systemctl restart privx-carrier
- On the Web Proxy host, edit the Squid configuration file in /opt/privx/etc/squid.conf to match the port numbers you entered previously:
    http_port 18080
    http_port 18443 ssl-bump cert=/opt/privx/squid_cert/squid.crt \
        key=/opt/privx/squid_cert/squid.key generate-host-certificates=on \
        dynamic_cert_mem_cache_size=4MB
    http_port 18444 ssl-bump cert=/opt/privx/squid_cert/squid.crt \
        key=/opt/privx/squid_cert/squid.key generate-host-certificates=on \
        dynamic_cert_mem_cache_size=4MB
  After editing the file, restart the Web Proxy and Squid services:
  # systemctl restart privx-web-proxy squid
- The Web Proxy host's firewall should allow access to the ports you have specified. Run:
  # firewall-cmd --permanent --add-port=18080/tcp
  # firewall-cmd --permanent --add-port=18443/tcp
  # firewall-cmd --permanent --add-port=18444/tcp
  # firewall-cmd --reload
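The following shell script is an added example (not PrivX's own tooling) that cross-checks the port numbers in carrier-container.toml against the http_port lines in squid.conf and emits the matching firewall-cmd commands, which is useful when several Web Proxies must stay in sync. The two sample files it writes are constructed here to mirror the fragments above.

```shell
#!/bin/sh
# Added example, not PrivX's own tooling: verify that the Carrier's
# carrier-container.toml and the Web Proxy's squid.conf agree on the proxy
# ports, and print the firewalld commands for them. A mismatch between the two
# files leaves web connections failing with no obvious error. The files are
# assumed to use the layouts shown in the documentation above.

# Ports from http_proxy_port / https_proxy_port / websocket_proxy_port lines.
carrier_ports() {
    awk -F= '$1 ~ /^[ \t]*(http|https|websocket)_proxy_port[ \t]*$/ {
                 gsub(/[ \t]/, "", $2); print $2 }' "$1" | sort -n
}

# Ports from http_port lines (backslash continuation lines start with other tokens).
squid_ports() {
    awk '$1 == "http_port" { print $2 }' "$1" | sort -n
}

# Exit status 0 when both files list exactly the same set of ports.
ports_match() {
    [ "$(carrier_ports "$1")" = "$(squid_ports "$2")" ]
}

# Emit (do not run) the firewalld commands for every port in squid.conf.
firewall_cmds() {
    for p in $(squid_ports "$1"); do
        echo "firewall-cmd --permanent --add-port=$p/tcp"
    done
    echo "firewall-cmd --reload"
}

# Constructed samples: $1 = carrier-container.toml, $2 = squid.conf.
write_samples() {
    cat > "$1" <<'EOF'
[web_container]
# Web proxy ports for HTTP and HTTPS.
http_proxy_port = 18080
https_proxy_port = 18443
websocket_proxy_port = 18444
EOF
    cat > "$2" <<'EOF'
http_port 18080
http_port 18443 ssl-bump cert=/opt/privx/squid_cert/squid.crt \
    key=/opt/privx/squid_cert/squid.key generate-host-certificates=on
http_port 18444 ssl-bump cert=/opt/privx/squid_cert/squid.crt
EOF
}
```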
Change Browser for Web Connections
To change the browser for web connections:
- Pull the appropriate browser image(s) from ECR Public Gallery to the Carrier machine. You may find the browser images by searching for sshprivx/privx_browser.
- Specify the active browser in the Carrier configuration at /opt/privx/etc/carrier-config.toml, with the container_image setting. The possible alternatives are:
  - privx_browser_firefox - Firefox with Asian-font support.
  - privx_browser_firefox_lite - Firefox lite version.
  - privx_browser_chromium_lite - Chromium lite version.
  - privx_browser - Same as privx_browser_firefox, default.
  For example, to use Chromium Lite, first pull the image from the ECR repository and tag it:
  docker pull public.ecr.aws/sshprivx/privx_browser_chromium_lite:26.0
  docker tag public.ecr.aws/sshprivx/privx_browser_chromium_lite:26.0 privx_browser_chromium_lite
  and then add the setting to carrier-container.toml:
  container_image = "privx_browser_chromium_lite"
  Alternatively, you can use the full name of the container image without tagging it first:
  container_image = "public.ecr.aws/sshprivx/privx_browser_chromium_lite:26.0"
- Restart the Carrier to apply the changes:
  sudo systemctl restart privx-carrier
Subsequent web connections via this Carrier use the new browser.
Note
Chromium does not support the password manager.
Custom Load-Balancer Support
If you are using PrivX Components (Extender, Carrier or Web-Proxy) in an HA configuration, your load balancer must support sticky-session cookies (affinity cookies).
To properly resolve HA services behind the load balancer, the affinity cookie set by the load balancer needs to be added to the PrivX components' configuration files.
By default, the configuration includes support for the default cookie names of AWS, Azure, Google Cloud and Kubernetes Ingress. For Nginx load-balancer support, see Example Nginx load balancer configuration.
If your PrivX HA deployment uses a custom load balancer, ensure that its session-affinity cookie (also known as a sticky-session cookie) is accepted by all your PrivX Carriers and PrivX Web-Proxies:
- Add the name of the session-affinity cookie to the known_lb_cookies setting. The setting is located in the following configuration files, for Carriers and Web-Proxies respectively:
  - /opt/privx/etc/carrier-config.toml
  - /opt/privx/etc/web-proxy-config.toml
- Restart the Carrier and Web-Proxy services. On your Carriers, run:
  # systemctl restart privx-carrier
  And on your Web-Proxies, run:
  # systemctl restart privx-web-proxy
Note
If your PrivX HA deployment also includes Extenders, configure those to accept your session-affinity cookie as well, according to the instructions at High-Availability Deployment.
For more information, see Websockets and the PrivX Carrier browser and Customizing the PrivX Carrier browser.
Display Carrier and Web Proxy Host IP on Status Page
When a Carrier or Web Proxy is registered to PrivX via a load balancer, the IP of the load balancer is displayed in the PrivX status page for this component. To display the host IP instead, perform the following on all PrivX servers:
- Edit /opt/privx/etc/shared-config.toml and set strip_how_many_x_forwarded_for_client_ips = 1.
- Restart PrivX:
  systemctl restart privx
Allowing Popups
By default the web browser for HTTP/HTTPS targets disallows all popups.
To enable popups, perform the following on your Carrier machines:
- Enable the enable_popups option in the Carrier configuration file /opt/privx/etc/carrier-config.toml.
- Restart the Carrier service to apply your settings:
  systemctl restart privx-carrier