Tetra Hub v2 Proxy Settings

There are two ways to configure Tetra Hub v2 proxy settings: by using the TDP when you create the Hub, or manually on the Hub host machine.

Configure Proxy Settings by Using the TDP

🚧

IMPORTANT

Updating proxy settings through the TDP user interface after you install a Tetra Hub v2 doesn’t modify the settings on the installed Hub. To edit the proxy settings of an installed Hub, see Configure Proxy Settings Manually.

When you create a new Tetra Hub v2 in the TDP, do the following:

  1. On the Create Hub page, move the Show parent proxy settings toggle to the right. A list of fields for proxy settings appears.
  2. Enter the following information based on the proxy settings required for your use case:
    • For PARENT HTTP PROXY IP, enter the HTTP proxy IP address.
    • For PARENT HTTP PROXY PORT, enter the HTTP proxy port.
    • For PARENT HTTPS PROXY IP, enter the HTTPS proxy IP address.
    • For PARENT HTTPS PROXY PORT, enter the HTTPS proxy port.
    • For PARENT NO PROXY, enter hostnames for which Tetra Hubs and Connectors should bypass the proxy.
    • For HTTPS PROXY USERNAME, enter the HTTPS proxy username.
  3. Choose Create. Then, complete the rest of the steps required for installing the Hub. For instructions, see Create and Install a Tetra Hub v2.

📘

NOTE

If your proxy server uses basic authentication and you specify an HTTPS PROXY USERNAME, the installation script will prompt you for a password. The script uses the password that you provide in the local configuration.

Layer 7 (Application Layer) Proxy Settings

Tetra Hub v2 has built-in Layer 7 (Application Layer) proxies that can be used by Tetra Agents to access the TDP and AWS services. If a Hub is configured to use a proxy for its own connections, then these default L7 proxies are also configured to use that proxy as a parent proxy.

To view or edit the L7 proxy settings, go to the Create Hub page in the TDP. Then, move the Show L7 proxy settings toggle to the right. A list of the default L7 proxy settings appears.

📘

NOTE

If you edit the default L7 proxy settings in the TDP, the settings' associated Docker containers are restarted automatically.

Configure Proxy Settings Manually

📘

NOTE

To modify a Tetra Hub v2's proxy settings after it’s installed, you must configure the new proxy settings manually. You can also use the following manual procedure to help troubleshoot Hub v2 proxy connections.

To configure Tetra Hub v2 proxy settings manually, do the following.

Step 1: Configure Environment Variables

Configure the TetraScience shell environment variables manually by doing the following:

  1. Open the root user’s profile on the dedicated Linux machine that you’re installing the Hub on.
  2. In the root user’s profile, open one of the following files, based on your operating system:
    • For Ubuntu, open the /root/.bashrc file.
    • For RedHat, open the /root/.bash_profile file.
    • For CentOS, open the /root/.bash_profile file.
  3. Add the following lines of code to the file:
      export http_proxy=http://hostname:port
      export https_proxy=http://hostname:port
      export no_proxy=169.254.169.254
  4. (Optional) Add basic authentication settings, if required. To configure basic authentication, add the username and password to the http_proxy and https_proxy lines in the example code in step 3.
  5. Make sure that the settings are applied by doing the following:
    • Restart the Hub host machine.
    • Then, verify that the proxy settings environment variables are configured by invoking the shell command env.
    • In the command response, look for code lines that match the ones you entered in step 3. If the same lines appear, the settings are applied.

📘

NOTE

You can’t configure environment variables temporarily when you create a new session. You must configure the environment variables in the Tetra Hub host machine’s root user’s profile. This is because the AWS Systems Manager Agent (SSM Agent), Amazon Elastic Container Service (Amazon ECS) Agent, and Amazon CloudWatch Agent that the Hub uses must use the root account on a dedicated Linux machine.

Step 2: Configure Connector Proxy Settings

📘

NOTE

Connectors installed on a Tetra Hub v2 that’s configured to use a proxy are also automatically configured to use the hub’s proxy. The Hub’s proxy acts as a parent proxy for the Connector’s connections to the TDP and AWS services.

Edit /etc/hub/proxy.env so that it matches the other proxy environment changes being made. Connector parent proxy settings are stored in /etc/hub/proxy.env, which is mounted in the Docker containers for the Connectors.

Make sure that you enter the following code lines for each corresponding setting in your proxy environment (omit lines that don’t have a corresponding setting):

  • http_proxy=http://${proxyAuthInfo}${httpProxy}
  • http_proxy_redacted=http://${proxyAuthRedacted}${httpProxy}
  • https_proxy=http://${proxyAuthInfo}${httpsProxy}
  • https_proxy_redacted=http://${proxyAuthRedacted}${httpProxy}
  • https_proxy_host=${hub.httpsProxyIp}
  • https_proxy_port=${hub.httpsProxyPort}
  • https_proxy_username=${hub.httpsProxyUsername}
  • no_proxy=localhost,otherNoProxyHosts

🚧

IMPORTANT

If you manually change a Connector’s proxy settings, the settings' associated Docker containers must be restarted manually on the Hub machine before the new settings are applied. The Connector settings are stored in /etc/hub/proxy.env.

Step 3: Configure SSM Agent Proxy Settings

To configure AWS Systems Manager Agent (SSM Agent) proxy settings, see Configuring SSM Agent to use a proxy (Linux) in the AWS documentation.

The SSM Agent’s proxy settings are stored in one of the following files, depending on whether the Linux system uses snap or not:

  • On Ubuntu Server instances where SSM Agent is installed by using a snap:

/etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service.d/override.conf

  • On Amazon Linux 2 and Amazon Linux 2023 instances:

/etc/systemd/system/amazon-ssm-agent.service.d/override.conf

At either path, TetraScience inserts the following lines to configure the Hub’s proxy:

Environment="http_proxy=http://$proxyAuthInfo$httpProxy"
Environment="https_proxy=http://$proxyAuthInfo$httpsProxy"
Environment="no_proxy=169.254.169.254$noProxy"

The hard-coded no_proxy IPs are used locally by AWS services to retrieve instance metadata and credentials. The hard-coded no_proxy IPs must not be removed.

🚧

IMPORTANT

If you manually change SSM Agent proxy settings, then the SSM Agent must be restarted before the settings are applied. For instructions, see Checking SSM Agent status and starting the agent in the AWS documentation.

Step 4: Configure Amazon ECS Agent Proxy Settings

To configure Amazon ECS Agent proxy settings, see HTTP proxy configuration in the AWS documentation.

The ECS Agent’s proxy settings are stored in the following three files:

  1. /etc/systemd/system/ecs.service.d/http-proxy.conf contains the following proxy settings:
      HTTP_PROXY=$proxyAuthInfo$httpProxy
      NO_PROXY=169.254.169.254,169.254.170.2,/var/run/docker.sock$noProxy
  2. /etc/systemd/system/ecs.service.d/http-proxy.conf contains the following proxy settings:
      Environment="HTTP_PROXY=${proxyAuthInfo}${httpProxy}/"
      Environment="NO_PROXY=169.254.169.254,169.254.170.2,/var/run/docker.sock$noProxy"
  3. /etc/systemd/system/docker.service.d/http-proxy.conf contains the following proxy settings:
      Environment="HTTP_PROXY=$proxyAuthInfo$httpProxy"
      Environment="NO_PROXY=169.254.169.254,169.254.170.2,/var/run/docker.sock$noProxy"

The hard-coded no_proxy IPs are used locally by AWS services to retrieve instance metadata and credentials. The hard-coded no_proxy IPs must not be removed.

🚧

IMPORTANT

If you manually change Amazon ECS Agent proxy settings, then the agent must be restarted before the settings are applied. For instructions, see Installing the Amazon ECS container agent in the AWS documentation.

Step 5: Configure Amazon CloudWatch Agent Proxy Settings

To configure Amazon CloudWatch Agent proxy settings, see Installing and running the CloudWatch agent on your servers in the AWS documentation.

The CloudWatch Agent’s proxy settings are stored in the following file: /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml

The file contains the following proxy settings:

[proxy]
http_proxy="$proxyAuthInfo$httpProxy"
https_proxy="$proxyAuthInfo$httpsProxy"

The hard-coded no_proxy IPs are used locally by AWS services to retrieve instance metadata and credentials. The hard-coded no_proxy IPs must not be removed.

🚧

IMPORTANT

If you manually change Amazon CloudWatch Agent proxy settings, then the agent must be restarted before the settings are applied. For instructions, see Stopping and restarting the CloudWatch agent in the AWS documentation.
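
The files from Steps 1 through 5 can be checked in one pass after a manual change. The following shell script is an added example, not TetraScience tooling or code from the original page: it prints each file's proxy lines with any user:password@ portion masked, and fails when the no_proxy entries that must not be removed are missing. The function names, the --all argument, and the warning about world-readable files are assumptions of this example.

```shell
# Added example (not TetraScience tooling): audit the proxy files from Steps 1-5.

# Mask "user:password@" so proxy lines can be pasted into tickets or logs.
redact_proxy() {
  sed -E 's#[^/@[:space:]="]+(:[^/@[:space:]"]*)?@#***@#g'
}

# Succeed only if FILE's last active no_proxy/NO_PROXY line lists every entry given.
has_no_proxy_entries() {
  local file="$1" value entry; shift
  value=$(grep -v '^[[:space:]]*#' "$file" | grep -i 'no_proxy=' | tail -n 1 |
    sed -E 's/^.*[Nn][Oo]_[Pp][Rr][Oo][Xx][Yy]=//' | tr -d '"[:space:]')
  for entry in "$@"; do
    case ",$value," in *",$entry,"*) ;; *) return 1 ;; esac
  done
}

# Print FILE's proxy lines redacted, warn on exposed credentials, check no_proxy.
audit_file() {
  local file="$1" lines; shift
  lines=$(grep -v '^[[:space:]]*#' "$file" 2>/dev/null | grep -iE 'https?_proxy=')
  [ -n "$lines" ] || { echo "SKIP $file (no proxy settings found)"; return 0; }
  printf '%s\n' "$lines" | redact_proxy
  case "$lines" in *@*)
    [ -z "$(find "$file" -perm -004)" ] ||
      echo "WARN $file: proxy credentials in a world-readable file" ;;
  esac
  has_no_proxy_entries "$file" "$@" && { echo "OK   $file"; return 0; }
  echo "FAIL $file: no_proxy must include: $*"
  return 1
}

audit_all() {
  local rc=0 f sysd=/etc/systemd/system
  for f in /root/.bashrc /root/.bash_profile \
      "$sysd/snap.amazon-ssm-agent.amazon-ssm-agent.service.d/override.conf" \
      "$sysd/amazon-ssm-agent.service.d/override.conf"; do
    audit_file "$f" 169.254.169.254 || rc=1
  done
  for f in "$sysd/ecs.service.d/http-proxy.conf" "$sysd/docker.service.d/http-proxy.conf"; do
    audit_file "$f" 169.254.169.254 169.254.170.2 /var/run/docker.sock || rc=1
  done
  for f in /etc/hub/proxy.env /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml; do
    audit_file "$f" || rc=1   # the page states no required no_proxy entries here
  done
  return "$rc"
}

[ "${1:-}" != "--all" ] || audit_all   # run as root with --all to check every file
```

Because basic authentication credentials are written into these files in plain text, the redacted output is safer to share than raw `env` or `cat` output.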