API Object - access_tier_local_config
- Updated on Oct 31, 2023
Access Tier Local Config Metadata
// Unused
type Metadata struct {}
Access Tier Local Config Spec
type Spec struct {
// Unused by client
*BaseParameters `json:"base,omitempty"`
// Parameters related to Netagent logging
*LoggingParameters `json:"logging,omitempty"`
// Parameters related to event rate limiting
*EventParameters `json:"events,omitempty"`
// Parameters related to hosted web service handling
*HostedWebServiceParameters `json:"hosted_web_services,omitempty"`
// Parameters related to infrastructure service handling
*InfrastructureServiceParameters `json:"infrastructure_services,omitempty"`
// Parameters related to denial-of-service protection
*DoSProtectionParameters `json:"dos_protection,omitempty"`
// Parameters related to debugging and serviceability
*DebuggingParameters `json:"debugging,omitempty"`
// ... everything else
*MiscellaneousParameters `json:"miscellaneous,omitempty"`
// Parameters related to service discovery
*ServiceDiscoveryParameters `json:"service_discovery,omitempty"`
// Unused by client
// Initial spec for local config is saved
Spec *string `json:"spec,omitempty"`
}
BaseParameters
Type
type BaseParameters struct {
// Current access tier's associated shield address
ShieldAddress *string `json:"shield_address,omitempty"`
// Current access tier's site address
SiteAddress *string `json:"site_address,omitempty"`
}
LoggingParameters
Type
type LoggingParameters struct {
// Controls verbosity of logs to console
ConsoleLogLevel *string `json:"console_log_level,omitempty" valid:"in(ERR|WARN|INFO|DEBUG)"`
// Controls verbosity of logs to file
FileLogLevel *string `json:"file_log_level,omitempty" valid:"in(ERR|WARN|INFO|DEBUG)"`
// Whether to log to file or not
FileLog *bool `json:"file_log,omitempty"`
// For file logs: Number of files to use for log rotation
LogNum *int `json:"log_num,omitempty"`
// For file logs: Size of each file for log rotation
LogSize *int `json:"log_size,omitempty"`
// Enable or disable StatsD
StatsD *bool `json:"statsd,omitempty"`
// StatsD endpoint for use if StatsD is enabled
StatsDAddress *string `json:"statsd_address,omitempty"`
// EnableServiceTunnelLog enables sampling for service tunnel access events
EnableServiceTunnelLog *bool `json:"enable_service_tunnel_log,omitempty"`
// Packet sampling rate (Nth) controls how many packets are sampled by NGLOG
// The higher the number, the sparser the sampling and the less volume of
// packet data logged
PacketSamplingRate *int `json:"packet_sampling_rate,omitempty"`
// When packet sampling is enabled, only log L4 policy rejections
// Disabling this has the effect of also logging L4 policy accepted traffic
// This data is voluminous so care should be taken when enabling this option
OnlySampleRejections *bool `json:"only_sample_rejections,omitempty"`
}
Defaults
var DefaultLoggingParameters = LoggingParameters{
ConsoleLogLevel: "ERR",
FileLogLevel: "INFO",
FileLog: true,
LogNum: 10,
LogSize: 50,
StatsD: false,
StatsDAddress: "127.0.0.1:8125",
EnableServiceTunnelLog: false,
PacketSamplingRate: 10,
OnlySampleRejections: true,
}
EventParameters
Type
type EventParameters struct {
// Enable or disable Netagent access event rate limiting
CreditsLimiting *bool `json:"access_event_credits_limiting,omitempty"`
// Number of credits to assign after an interval
CreditsPerInterval *int `json:"access_event_credits_per_interval,omitempty"`
// After this interval, assign number of credits per the above
CreditsInterval *time.Duration `json:"access_event_credits_interval,omitempty"`
// Maximum number of credits to assign a Netagent
// One event consumes one credit
CreditsMax *int `json:"access_event_credits_max,omitempty"`
// Enable or disable Netagent access key event rate limiting
KeyLimiting *bool `json:"access_event_key_limiting,omitempty"`
// After this interval, another access key event may be generated
KeyExpiration *time.Duration `json:"access_event_key_expiration,omitempty"`
}
Defaults
var DefaultEventParameters = EventParameters{
CreditsLimiting: true,
CreditsPerInterval: 5,
CreditsInterval: 60 * time.Second,
CreditsMax: 5000, // Docs incorrect: 1k -> 5k
KeyLimiting: true,
KeyExpiration: 540 * time.Second,
}
HostedWebServiceParameters
Type
type HostedWebServiceParameters struct {
// Forward Banyan trust cookie to upstream servers
ForwardTrustCookie *bool `json:"forward_trust_cookie,omitempty"`
// Disable HTTP Strict Transport Security
DisableHSTS *bool `json:"disable_hsts,omitempty"`
// Enable experimental WebSocket duplex handling
EnableWebSocketDuplex *bool `json:"enable_websocket_duplex,omitempty"`
}
Defaults
var DefaultHostedWebServiceParameters = HostedWebServiceParameters{
ForwardTrustCookie: false,
DisableHSTS: false,
EnableWebSocketDuplex: false,
}
InfrastructureServiceParameters
Type
type InfrastructureServiceParameters struct {
// Maximum lifetime for TCP sockets handled by Netagent
MaximumSessionTimeout *time.Duration `json:"maximum_session_timeout,omitempty"`
}
Defaults
var DefaultInfrastructureServiceParameters = InfrastructureServiceParameters{
MaximumSessionTimeout: 43200 * time.Second,
}
DoSProtectionParameters
Type
type DoSProtectionParameters struct {
// Enable or disable DoS protection
BadActor *bool `json:"bad_actor,omitempty"`
// Number of unauthorized requests before an offending IP address is jailed
InfractionCount *int `json:"infraction_count,omitempty"`
// Jail interval after which bad actor is freed
SentenceTime *time.Duration `json:"sentence_time,omitempty"`
}
Defaults
var DefaultDoSProtectionParameters = DoSProtectionParameters{
BadActor: false,
InfractionCount: 10,
SentenceTime: 600 * time.Second,
}
DebuggingParameters
Type
type DebuggingParameters struct {
// Verbose logging for HTTP backend traffic
HTTPBackendLog *bool `json:"http_backend_log,omitempty"`
// Enable or disable visibility mode
// If on, Netagent will not do policy enforcement on inbound traffic
VisibilityOnly *bool `json:"visibility_only,omitempty"`
// If Shield is not available, policies will be treated as if they are permissive
// Zero means this is disabled
ShieldTimeout *time.Duration `json:"shield_timeout,omitempty"`
// Enable TCP keepalive messages for TCP sockets handled by Netagent
KeepAlive *bool `json:"keep_alive,omitempty"`
// Idle time before sending a TCP keepalive
KeepIdle *time.Duration `json:"keep_idle,omitempty"`
// Time between consecutive TCP keepalive messages
KeepInterval *time.Duration `json:"keep_interval,omitempty"`
// Number of missing TCP keepalive acknowledgements before closing connection
KeepCount *int `json:"keep_count,omitempty"`
// Output file for CPU profiling; may impact performance
// If empty, this is disabled
CPUProfile *string `json:"cpu_profile,omitempty"`
// Output file for memory profiling; may impact performance
// If empty, this is disabled
MemProfile *bool `json:"mem_profile,omitempty"`
// Host only mode
HostOnly *bool `json:"host_only,omitempty"`
// Disable Docker monitoring
DisableDocker *bool `json:"disable_docker,omitempty"`
// Send all-zero data points to Shield
SendZeros *bool `json:"send_zeros,omitempty"`
// Interval for reporting statistics
Period *int `json:"period,omitempty"`
// Generate access events at the request level
RequestLevelEvents *bool `json:"request_level_events,omitempty"`
// Provide client address transparency
AddressTransparency *bool `json:"address_transparency,omitempty"`
// Netagent will generate RSA instead of ECDSA keys
UseRSA *bool `json:"use_rsa,omitempty"`
// Include non-root (intermediate) CA certs during TLS handshakes
FullServerCertChain *bool `json:"full_server_cert_chain,omitempty"`
// Enable or disable OpenID Connect
CodeFlow *bool `json:"code_flow,omitempty"`
// HTTP inactivity timeout
InactivityTimeout *time.Duration `json:"inactivity_timeout,omitempty"`
// Client identification timeout
ClientTimeout *time.Duration `json:"client_timeout,omitempty"`
}
Defaults
var DefaultDebuggingParameters = DebuggingParameters{
HTTPBackendLog: false,
VisibilityOnly: false,
ShieldTimeout: 0 * time.Second,
KeepAlive: true,
KeepIdle: 59 * time.Second,
KeepInterval: 59,
KeepCount: 3,
CPUProfile: "",
MemProfile: false,
HostOnly: true,
DisableDocker: false,
SendZeros: false,
Period: 20,
RequestLevelEvents: true,
AddressTransparency: true,
UseRSA: false,
FullServerCertChain: true,
CodeFlow: false,
InactivityTimeout: 3600 * time.Second,
ClientTimeout: 20 * time.Second,
}
MiscellaneousParameters
Type
type MiscellaneousParameters struct {
// Enable or disable access tier mode
// If disabled, then uses host agent mode
AccessTier *bool `json:"access_tier,omitempty"`
// Arbitrary key-value pairs used for attribute matching on Netagent
HostTags map[string]string `json:"host_tags,omitempty"`
// TCP listen port on Netagent host for proxying incoming connections
ListenPort *int `json:"listen_port,omitempty" valid:"range(1024|65535)"`
// TCP listen port on Netagent host for health checks
ListenPortHealth *int `json:"listen_port_health,omitempty" valid:"range(1024|65535)"`
// Configures how Netagent will determine its public IP
PublicIPSource *string `json:"public_ip_source,omitempty" valid:"in(AWS|GCE|default|none)"`
// Max percentage of CPU core usage
CPULimit *int `json:"cpu_limit,omitempty" valid:"range(1|100)"`
// Whether WireGuard should use a userspace or kernel space module
UserModeTunnel *bool `json:"user_mode_tunnel,omitempty"`
// Whether to persist a cookie or not
// false = Session
// true = Use token expiration from upstream IDP
PersistCookie *bool `json:"persist_cookie,omitempty"`
}
Defaults
var DefaultMiscellaneousParameters = MiscellaneousParameters{
AccessTier: true,
HostTags: nil,
ListenPort: 9999,
ListenPortHealth: 9998,
PublicIPSource: "default",
CPULimit: 100,
UserModeTunnel: false,
PersistCookie: false,
}
ServiceDiscoveryParameters
Type
type ServiceDiscoveryParameters struct {
// Enable or disable DNS and conntrack logging
ServiceDiscoveryEnable *bool `json:"service_discovery_enable,omitempty"`
// Message threshold for batch processing
ServiceDiscoveryMsgLimit *int `json:"service_discovery_msg_limit,omitempty" valid:"in(100|1000|5000)"`
// Timeout value for batch
ServiceDiscoveryMsgTimeout *time.Duration `json:"service_discovery_msg_timeout,omitempty"`
}
Defaults
var DefaultServiceDiscoveryParameters = ServiceDiscoveryParameters{
ServiceDiscoveryEnable: false,
ServiceDiscoveryMsgLimit: 100,
ServiceDiscoveryMsgTimeout: 10 * time.Second,
}