PrivX API Proxy Configuration
Enabling Proxy Protocol Support
Enabling proxy protocol causes API Proxy to parse proxy-protocol headers and use the client IP address communicated through the protocol as the TCP connection's true origin instead of the TCP connection's remote IP address. This can be useful in HA deployments with a non-transparent load balancer such as HAProxy.
To enable proxy-protocol support:
- Configure your load balancer to relay API-Proxy connections in TCP mode. For a HAProxy configuration example, see the frontend privx_lb_api_proxy and backend privx_api_proxy sections in the Example HAProxy Configuration.
- Enable proxy-protocol support on your PrivX Servers. On each PrivX Server, in /opt/privx/etc/api-proxy.toml, set use_proxy_protocol = true. This enables API Proxy to parse the proxy-protocol header sent over incoming TCP connections. If your network environment is not configured to prevent potentially malicious access to PrivX Servers, you should also set your load balancer's internal address or subnet in proxy_protocol_trusted_source_addresses. This way API Proxy will only accept incoming proxy-protocol connections from the load balancer.
API Proxy supports proxy protocol versions 1 and 2. The proxy-protocol version is detected automatically when parsing the protocol header. API Proxy also continues to accept incoming connections that don't use proxy protocol.
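As an added illustration (not PrivX code), the following Python models how a proxy-protocol-aware listener resolves the client address under the two settings above: the v1/v2 header layouts follow the PROXY protocol specification, the sample connection data is constructed, and the function and parameter names are assumptions that only mirror the api-proxy.toml keys.

```python
import ipaddress
import socket
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"

# Constructed sample connection data (not from PrivX): a v1 header, a v2
# header, and a plain request that carries no proxy protocol at all.
REQUEST = b"GET /api HTTP/1.1\r\n"
V1_CONN = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n" + REQUEST
V2_CONN = (V2_SIG + bytes([0x21, 0x11]) + struct.pack(">H", 12)
           + socket.inet_aton("198.51.100.9") + socket.inet_aton("10.0.0.5")
           + struct.pack(">HH", 40000, 443) + REQUEST)

def parse_proxy_header(data):
    """Auto-detect a v1 or v2 header. Return (client_ip, payload);
    client_ip is None when the data carries no usable header."""
    if data.startswith(V2_SIG):                       # binary v2 header
        ver_cmd, fam, length = struct.unpack(">BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("unsupported proxy protocol version")
        body, rest = data[16:16 + length], data[16 + length:]
        if ver_cmd & 0x0F == 0:                       # LOCAL: no client addr
            return None, rest
        if fam >> 4 == 1:                             # AF_INET
            return socket.inet_ntoa(body[:4]), rest
        if fam >> 4 == 2:                             # AF_INET6
            return socket.inet_ntop(socket.AF_INET6, body[:16]), rest
        raise ValueError("unsupported address family")
    if data.startswith(b"PROXY "):                    # text v1 header
        line, _, rest = data.partition(b"\r\n")
        fields = line.decode("ascii").split(" ")
        return (None if fields[1] == "UNKNOWN" else fields[2]), rest
    return None, data                                 # no proxy protocol

def resolve_client_ip(data, remote_addr, use_proxy_protocol, trusted_sources):
    """Assumed semantics of the two settings: parse the header only when
    enabled, and honour it only if the TCP peer is a trusted source."""
    if not use_proxy_protocol:
        return remote_addr, data
    header_ip, payload = parse_proxy_header(data)
    if header_ip is None:                             # plain connection
        return remote_addr, payload
    peer = ipaddress.ip_address(remote_addr)
    if trusted_sources and not any(peer in ipaddress.ip_network(n)
                                   for n in trusted_sources):
        raise PermissionError(f"proxy protocol header from untrusted peer {remote_addr}")
    return header_ip, payload
```

With an empty trusted-source list any peer may supply a header, which is why the page recommends setting the load balancer's address when the network does not already restrict access to the PrivX Servers.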
API Proxy Settings
General
- HTTP Proxy Public Addresses: These addresses are displayed as the "HTTP proxy address" in PrivX GUI, in Connections→API Targets. If empty, PrivX will use the PrivX front end's FQDN as the HTTP proxy address. The addresses may need to be explicitly defined if the network load balancer address is different from the application load balancer address.
- Reauthorization Interval (Seconds): Interval for re-checking user's access to the API target.
- Metadata Update Interval (Seconds): Interval for updating API session data to connection-manager.
- Maximum Session Lifetime (Seconds): Maximum lifetime of any API session.
- Idle Session Timeout (Seconds): API sessions that remain idle for this period are closed.
- Session Cool Down Margin (Seconds): When an API session is terminated, it enters a cool-down period of this length. While the session is in cool-down, all requests mapped to it are rejected.
- Allow Role IP Restrictions: Controls whether API Proxy uses the client's IP address when resolving the user's roles. This should be enabled unless API Proxy cannot determine the client's true remote IP address.
- Maximum Client Credential Validity (Days): Maximum validity period for API proxy credentials.
- Expired Client Credential Deletion Delay (Hours): API Proxy credentials are automatically deleted from PrivX after they have expired. This setting defines how long the expired credentials are kept before deletion.
API Proxy Certificates
API Proxy certificate settings control the generation and caching of dynamically generated TLS server certificates API Proxy presents to the client applications.
- RSA Key Size: Key size of ephemeral API proxy RSA private key.
- ECDSA Key Size: Key size of ephemeral API proxy ECDSA private key.
- Cache Size: Least-recently-used cache size for dynamically generated TLS server certificates.
API Certificate Trust Anchors
Global API Proxy trust-anchor certificates are specified here.
The trust-anchor certificates can also be specified at OS level and at API target level. When API Proxy validates the target TLS server certificate, it gathers trust-anchor certificates from all of these sources.