Skip to main content
Version: v42

PrivX API Proxy Configuration

Enabling Proxy Protocol Support

Enabling proxy protocol causes API Proxy to parse proxy-procotol headers and use the client IP address communicated through the protocol as the TCP connection's true origin instead of the TCP connection's remote IP address. This can be useful in HA deployments with a non-transparent load balancer (such as when using a HAProxy load balancer).

Proxy protocol support for the PrivX API Proxy is enabled separately for each PrivX Server via the /opt/privx/etc/api-proxy.toml configuration file. Setting use_proxy_protocol = true enables API Proxy to parse the proxy protocol header sent over the incoming TCP connections. API proxy supports proxy protocol versions 1 and 2. The proxy-protocol version is automatically detected when parsing the protocol header. API Proxy continues to also accept incoming connections that don't use proxy protocol.

If your network environment isn't configured to prevent potentially malicious access to PrivX Servers, we recommended hardening the deployment by specifying the load balancer's internal IP address or subnet in the toml variable proxy_protocol_trusted_source_addresses. This way API Proxy will only accept incoming proxy-protocol connections from the specified addresses.

API Proxy Settings

General

  • HTTP Proxy Public Addresses: These addresses are displayed as the "HTTP proxy address" in PrivX GUI, in Connections→API Targets. If empty, PrivX will use the PrivX front end's FQDN as the HTTP proxy address. The addresses may need to be explicitly defined if the network load balancer address is different from the application load balancer address.
  • Reauthorization Interval (Seconds): Interval for re-checking user's access to the API target.
  • Metadata Update Interval (Seconds): Interval for updating API session data to connection-manager.
  • Maximum Session Lifetime (Seconds): Maximum lifetime of any API session.
  • Idle Session Timeout (Seconds): API sessions that remain idle for this period are closed.
  • Session Cool Down Margin (Seconds): Terminated API sessions start the cool-down margin. When in cool down all requests mapped to the API session are rejected.
  • Allow Role IP Restrictions: Controls if API proxy uses client's IP address when resolving the user's roles. This should be enabled unless API Proxy cannot determine the client's true remote IP address.
  • Maximum Client Credential Validity (Days): Maximum validity period for API proxy credentials.
  • Expired Client Credential Deletion Delay (Hours): API Proxy credentials are automatically deleted from PrivX after they have expired. This setting defines how long the expired credentials are kept before deletion.

API Proxy Certificates

API Proxy certificate settings control the generation and caching of dynamically generated TLS server certificates API Proxy presents to the client applications.

  • RSA Key Size: Key size of ephemeral API proxy RSA private key.
  • ECDSA Key Size: Key size of ephemeral API proxy ECDSA private key.
  • Cache Size: Least recently used cache size for dynamically generated TLS server certificates

API Certificate Trust Anchors

Global API Proxy trust-anchor certificates are specified here.

The trust-anchor certificates can also be specified at OS level and at API target level. When API Proxy validates the target TLS server certificate, it gathers trust-anchor certicates from all these sources.