Tetra Hub Proxy Settings
Tetra Hubs use two types of customizable proxy settings to allow Tetra Integrations to securely reach AWS services that they otherwise don't have direct access to (for example, Amazon S3):
- Parent proxy settings allow the Hub and any configured Connectors to securely access the internet.
- L7 proxy settings allow Tetra Agents to securely access the internet through the Hub, and any parent proxies if they're configured.
For instructions on how to configure proxy settings when installing a Tetra Hub, see Create and Install a Tetra Hub. To configure Hub parent proxy settings after the Hub is installed, or to troubleshoot Hub proxy connection issues, see Update Hub Parent Proxy Settings.
Hub L7 Proxy Settings
Hubs include the following built-in L7 proxies that can be customized to work with your network configuration requirements:
- L7 Proxy Forward Port is used by the forward proxy that Agents use to connect to AWS endpoints.
- L7 Proxy Reverse HTTP Port is used by the reverse proxy that Agents use to connect to the TetraScience API when using HTTP.
- L7 Proxy Reverse HTTPS Port is used by the reverse proxy that Agents use to connect to the TetraScience API when using HTTPS.
- L7 Proxy Socat Port isn't needed by Agents directly, but is used for intra-Hub proxy traffic. This setting is configurable so that you can avoid collisions with other ports.
- L7 Proxy Maximum Memory (MB) is the maximum memory available to the forward L7 proxy. The default maximum of 2048 MB is generally sufficient.
- L7 Proxy DNS Nameservers (Whitespace delimited) is used for listing private DNS nameservers, if they're required. If not listed, the L7 proxy uses the Hub's own DNS nameservers to resolve AWS endpoints.
- L7 Proxy Local Networks (One per line) is used for listing different local networks, if they're required. The default networks are generally sufficient.
- L7 Proxy Destination Whitelist (One per line) allows only outbound Agent traffic to reach the specified endpoints, and will block all other requests if configured.
NOTE
Changing any L7 proxy settings in the TDP user interface will cause the Hub's proxies to automatically restart with the new settings.
Hub Nginx Proxy Configuration
IMPORTANT
The following Nginx proxy configuration options are not required for normal Tetra Hub operation. Do not update these files on the Hub's host server unless you encounter network or security compatibility issues with the default settings. Before making any changes to these files, make sure that you contact your customer success manager (CSM). They will help you verify that any changes are applied correctly.
On the Hub host server, three files control the behavior of the reverse proxy:
/etc/hub/nginx: Contains basic options for proxy Server Name Identification (SNI) and certificate validation/etc/hub/nginx.conf.override: Contains the base configuration for the Hub's Agent reverse proxy/etc/hub/nginx-stream.conf.override: Contains the base configuration for the Hub's MQTT reverse proxy for IoT Agent device connections
Update Hub Parent Proxy Settings
The following procedure describes how to modify a Hub's parent proxy settings after installation. The parent proxy is your proxy, which the Hub uses to connect to the internet, as opposed to the proxies it provides to downstream Agents.
NOTE
You can also use the following procedure to help troubleshoot Tetra Hub proxy connection issues.
Step 1: Configure Environment Variables
Configure the TetraScience shell environment variables manually by doing the following:
- Open the root user’s profile on the dedicated Linux machine that you’re installing the Tetra Hub on.
- In the root user’s profile, open one of the following files, based on your operating system:
- For Ubuntu, open the
/root/.bashrcfile. - For RedHat, open the
/root/.bash_profilefile. - For CentOS, open the
/root/.bash_profilefile.
- For Ubuntu, open the
- Add the following lines of code to the file:
export http_proxy=http://hostname:port
export https_proxy=http://hostname:port
export no_proxy=169.254.169.254
- (Optional) Add basic authentication settings, if required. To configure basic authentication, add the username and password to the
http_proxyandhttps_proxylines in the example code in step 3. - Make sure that the settings are applied by doing the following:
- Restart the Tetra Hub host machine.
- Then, verify that the proxy settings environment variables are configured by invoking the shell command
env. - In the command response, look for code lines that match the ones you entered in step 3. If the same lines appear, the settings are applied.
NOTE
You can’t configure environment variables temporarily when you create a new session. You must configure the environment variables in the Tetra Hub host machine’s root user’s profile. This is because the AWS Systems Manager Agent (SSM Agent), Amazon Elastic Container Service (Amazon ECS) Agent, and Amazon CloudWatch Agent that the Tetra Hub uses must use the root account on a dedicated Linux machine.
Step 2: Configure Connector Proxy Settings
NOTE
Connectors installed on a Tetra Hub that’s configured to use a proxy are also automatically configured to use the hub’s proxy. The hub’s proxy acts as a parent proxy for the Connector’s connections to the TDP and AWS services.
Edit /etc/hub/proxy.env so that it matches the other proxy environment changes being made. Connector parent proxy settings are stored in /etc/hub/proxy.env, which is mounted in the Docker containers for the Connectors.
Make sure that you enter the following code lines for each corresponding setting in your proxy environment (omit lines that don’t have a corresponding setting):
http_proxy=http://${proxyAuthInfo}${httpProxy}http_proxy_redacted=http://${proxyAuthRedacted}${httpProxy}https_proxy=http://${proxyAuthInfo}${httpsProxy}https_proxy_redacted=http://${proxyAuthRedacted}${httpProxy}https_proxy_host=${hub.httpsProxyIp}https_proxy_port=${hub.httpsProxyPort}https_proxy_username=${hub.httpsProxyUsername}no_proxy=localhost,otherNoProxyHosts
IMPORTANT
If you change a Connector’s proxy settings, the settings' associated Docker containers must be restarted manually on the Tetra Hub machine before the new settings are applied. The Connector settings are stored in
/etc/hub/proxy.env.
Step 3: Configure SSM Agent Proxy Settings
To configure AWS Systems Manager Agent (SSM Agent) proxy settings, see Configuring SSM Agent to use a proxy (Linux) in the AWS documentation.
The SSM Agent’s proxy settings are stored in one of the following files, depending on whether the Linux system uses snap or not:
- On Ubuntu Server instances where the SSM Agent is installed by using a snap:
/etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service.d/override.conf
- On other instances:
/etc/systemd/system/amazon-ssm-agent.service.d/override.conf
At either path, TetraScience inserts the following lines to configure the Hub’s proxy:
Environment="http_proxy=http://$proxyAuthInfo$httpProxy"
Environment="https_proxy=http://$proxyAuthInfo$httpsProxy"
Environment="no_proxy=169.254.169.254$noProxy"
The hard-coded no_proxy IPs are used locally by AWS services to retrieve instance metadata and credentials. The hard-coded no_proxy IPs must not be removed.
IMPORTANT
If you change SSM Agent proxy settings, then the SSM Agent must be restarted before the settings are applied. For instructions, see Checking SSM Agent status and starting the agent in the AWS documentation.
Step 4: Configure Amazon ECS Agent Proxy Settings
To configure Amazon ECS Agent proxy settings, see HTTP proxy configuration in the AWS documentation.
The ECS Agent’s proxy settings are stored in the following three files:
/etc/systemd/system/ecs.service.d/http-proxy.confcontains the following proxy settings:
HTTP_PROXY=$proxyAuthInfo$httpProxy
NO_PROXY=169.254.169.254,169.254.170.2,/var/run/docker.sock$noProxy
/etc/systemd/system/ecs.service.d/http-proxy.confcontains the following proxy settings:
Environment="HTTP_PROXY=${proxyAuthInfo}${httpProxy}/"
Environment="NO_PROXY=169.254.169.254,169.254.170.2,/var/run/docker.sock$noProxy"
/etc/systemd/system/docker.service.d/http-proxy.confcontains the following proxy settings:
Environment="HTTP_PROXY=$proxyAuthInfo$httpProxy"
Environment="NO_PROXY=169.254.169.254,169.254.170.2,/var/run/docker.sock$noProxy"
The hard-coded no_proxy IPs are used locally by AWS services to retrieve instance metadata and credentials. The hard-coded no_proxy IPs must not be removed.
IMPORTANT
If you change Amazon ECS Agent proxy settings, then the agent must be restarted before the settings are applied. For instructions, see Installing the Amazon ECS container agent in the AWS documentation.
Step 5: Configure Amazon CloudWatch Agent Proxy Settings
To configure Amazon CloudWatch Agent proxy settings, see Installing and running the CloudWatch agent on your servers in the AWS documentation.
The CloudWatch Agent’s proxy settings are stored in the following file: /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml
The file contains the following proxy settings:
[proxy]
http_proxy="$proxyAuthInfo$httpProxy"
https_proxy="$proxyAuthInfo$httpsProxy"
The hard-coded no_proxy IPs are used locally by AWS services to retrieve instance metadata and credentials. The hard-coded no_proxy IPs must not be removed.
IMPORTANT
If you change Amazon CloudWatch Agent proxy settings, then the agent must be restarted before the settings are applied. For instructions, see Stopping and restarting the CloudWatch agent in the AWS documentation.
Updated 9 months ago