Extender Configuration

Configuring Extender Log Location

By default, PrivX Extender logs info and errors to /var/log/privx/privx-extender.log

If you want to enable logging to syslog, specify the rsyslog address and protocol in /opt/privx/etc/extender-config.toml, similar to the following:

syslog_protocol="tcp"
syslog_address="localhost:514"

Restart PrivX Extender to apply the changes. In addition, make sure rsyslog is enabled on the extender host:

# systemctl restart privx-extender
# systemctl restart rsyslog

Proxying Native-Client Connections

To allow proxying native-client connections via PrivX Extenders:

  1. On all your PrivX servers, enable the forwarder_enabled setting in /opt/privx/etc/ssh-proxy.toml.

    Restart PrivX services to apply the changes:

    # systemctl restart privx

🚧 Caution

The forwarder relays all the data it receives (not just the native-client connections), and should not be enabled in high-security networks.

  2. Session recording must be disabled on hosts that are to be accessed using proxied native-client connections. For more detailed instructions about toggling session recording, see Session-Recording Setup.

  3. (Optional) To simplify native-client commands, specify the required connection parameters in the users' client configuration (typically at /etc/ssh/ssh_config or ~/.ssh/config). You can do this using Host blocks that at least specify:

    • The target HostName in extender-name/target-host-address format.

    • The ProxyCommand: privx-nc -x $PRIVX_AGENT_PROXY %h %p

    For example:

    Host bilberry
        HostName example-extender/bilberry.example.com
        ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p
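As an added example (not part of the PrivX documentation), the script below does two things a practitioner wants at this point: it reports the forwarder_enabled state of an ssh-proxy.toml, since the Caution above is the reason to audit that setting on every server, and it emits a client Host block in the format shown in step 3. The sample ssh-proxy.toml is constructed, and the settings are read as simple key = value lines (an assumption that holds for the keys on this page; it is not a general TOML parser).

```shell
#!/bin/sh
# Added example, not part of the PrivX documentation. Audit the forwarder
# setting of a ssh-proxy.toml and emit an ssh_config Host block for a target
# reached through a PrivX Extender. TOML files are read as simple
# "key = value" lines (assumption; not a general TOML parser).

# toml_value FILE KEY: print KEY's value with quotes and trailing comment removed.
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
      | sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' -e 's/[[:space:]]*$//'
}

# forwarder_state FILE: print enabled, disabled, unset or invalid.
forwarder_state() {
    case "$(toml_value "$1" forwarder_enabled)" in
        true)  echo enabled ;;
        false) echo disabled ;;
        "")    echo unset ;;
        *)     echo invalid ;;
    esac
}

# gen_host_block ALIAS EXTENDER TARGET: print an ssh_config Host block that
# routes ALIAS to TARGET through EXTENDER with the privx-nc ProxyCommand.
gen_host_block() {
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || {
        echo "usage: gen_host_block ALIAS EXTENDER TARGET" >&2; return 1; }
    # A '/' in either name would break the extender-name/target-host split.
    case "$2$3" in
        */*|*[[:space:]]*)
            echo "extender and target names must not contain '/' or whitespace" >&2
            return 1 ;;
    esac
    printf 'Host %s\n    HostName %s/%s\n    ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %%h %%p\n' \
        "$1" "$2" "$3"
}

# Constructed sample (not a real PrivX file) with the forwarder switched on.
demo=$(mktemp -d)
cat > "$demo/ssh-proxy.toml" <<'EOF'
forwarder_enabled = true   # relays everything it receives, see Caution
EOF
echo "forwarder on this server: $(forwarder_state "$demo/ssh-proxy.toml")"
gen_host_block bilberry example-extender bilberry.example.com
rm -rf "$demo"
```

Run forwarder_state against /opt/privx/etc/ssh-proxy.toml on each PrivX server to confirm the forwarder is enabled only where proxied native-client access is actually wanted; append the output of gen_host_block to ~/.ssh/config or /etc/ssh/ssh_config.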

After setup, you can connect to target hosts as follows:

  1. As the native-client user, start the PrivX agent (if not already started) and use it to log into PrivX.

  2. If you have specified the required parameters in your SSH-client configuration, you can connect simply using the appropriate Host block. For example:

    $ ssh target-user@bilberry
    $ sftp target-user@bilberry
    $ scp source/file/path target-user@bilberry:/target/file/path

Otherwise, you must additionally provide the ProxyCommand and the name of the PrivX Extender, similar to the following:

$ ssh -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \
target-user@example-extender/bilberry.example.com
$ sftp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \
target-user@example-extender/bilberry.example.com
$ scp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY example-extender/%h %p" \
source/file/path target-user@bilberry.example.com:/target/file/path

Custom Load-Balancer Support

If you are using a custom load balancer, ensure that its session-affinity cookie (also known as a sticky-session cookie) is accepted by all your PrivX Extenders:

  1. Add the name of the session-affinity cookie to the known_lb_cookies setting. The setting is in the Extender at /opt/privx/etc/extender-config.toml.

  2. Restart the Extender with:

    # systemctl restart privx-extender

See PrivX high availability deployment for more information.

If your PrivX HA deployment also includes PrivX Carriers and PrivX Web Proxies, configure those to accept your session-affinity cookie as well.
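As an added example (not part of the PrivX documentation), the script below checks an extender-config.toml before the Extender is restarted, covering both settings this page places in that file: the syslog_protocol and syslog_address pair from "Configuring Extender Log Location" and the known_lb_cookies setting from this section. The sample file is constructed; settings are read as simple key = value lines (an assumption, not a general TOML parser), and known_lb_cookies is assumed to be a TOML array of quoted cookie names, which you should confirm against the file shipped with your installation.

```shell
#!/bin/sh
# Added example, not part of the PrivX documentation. Sanity-check the
# syslog and load-balancer settings of an extender-config.toml. Settings are
# read as simple "key = value" lines (assumption; not a general TOML parser),
# and known_lb_cookies is assumed to be a TOML array of quoted strings.

# toml_value FILE KEY: print KEY's value with quotes and trailing comment removed.
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
      | sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' -e 's/[[:space:]]*$//'
}

# check_syslog FILE: succeed when syslog_protocol is tcp or udp and
# syslog_address is host:port with a valid port; otherwise explain and fail.
check_syslog() {
    proto=$(toml_value "$1" syslog_protocol)
    addr=$(toml_value "$1" syslog_address)
    case "$proto" in
        tcp|udp) ;;
        "") echo "syslog not configured; logging stays in /var/log/privx/privx-extender.log" >&2
            return 1 ;;
        *)  echo "unsupported syslog_protocol: $proto" >&2; return 1 ;;
    esac
    host=${addr%:*}
    port=${addr##*:}
    case "$port" in
        ''|*[!0-9]*) echo "syslog_address must be host:port, got '$addr'" >&2; return 1 ;;
    esac
    [ -n "$host" ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "bad host or port in syslog_address '$addr'" >&2; return 1; }
    echo "syslog: $proto://$host:$port"
}

# lb_cookie_known FILE COOKIE: succeed when COOKIE is listed in known_lb_cookies.
lb_cookie_known() {
    toml_value "$1" known_lb_cookies \
      | sed -e 's/^\[//' -e 's/\]$//' | tr ',' '\n' \
      | sed -e 's/^[[:space:]]*"\{0,1\}//' -e 's/"\{0,1\}[[:space:]]*$//' \
      | grep -qx -- "$2"
}

# Constructed sample (not a real PrivX file); the cookie name is made up.
demo=$(mktemp -d)
cat > "$demo/extender-config.toml" <<'EOF'
syslog_protocol="tcp"
syslog_address="localhost:514"
known_lb_cookies = ["lb_affinity"]   # assumed array syntax
EOF
check_syslog "$demo/extender-config.toml"
lb_cookie_known "$demo/extender-config.toml" lb_affinity && echo "lb_affinity accepted"
rm -rf "$demo"
```

Point both functions at /opt/privx/etc/extender-config.toml on each Extender, passing the cookie name your load balancer actually sets, before running systemctl restart privx-extender; a non-zero exit from either means the restart would apply a setting that does not do what you intend.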
