API Object - access_tier_local_config

  • Updated on Oct 31, 2023

Access Tier Local Config Metadata

// Metadata is the metadata object of an access tier local config.
// It is currently unused: the struct declares no fields, so it carries
// nothing on the wire.
type Metadata struct {}

Access Tier Local Config Spec

// Spec is the access tier local config spec. Each parameter group is an
// embedded pointer with omitempty, so a group that is not set is omitted from
// the JSON entirely; because the groups are pointers, a reader must nil-check
// a group before accessing its promoted fields.
type Spec struct {
	// Unused by client
	*BaseParameters `json:"base,omitempty"`

	// Parameters related to Netagent logging
	*LoggingParameters `json:"logging,omitempty"`

	// Parameters related to access event rate limiting
	*EventParameters `json:"events,omitempty"`

	// Parameters related to hosted web service handling
	*HostedWebServiceParameters `json:"hosted_web_services,omitempty"`

	// Parameters related to infrastructure service handling
	*InfrastructureServiceParameters `json:"infrastructure_services,omitempty"`

	// Parameters related to denial-of-service protection
	*DoSProtectionParameters `json:"dos_protection,omitempty"`

	// Parameters related to debugging and serviceability; several of these
	// relax enforcement or increase log volume, see DebuggingParameters
	*DebuggingParameters `json:"debugging,omitempty"`

	// Parameters that do not fit any of the groups above
	*MiscellaneousParameters `json:"miscellaneous,omitempty"`

	// Parameters related to service discovery
	*ServiceDiscoveryParameters `json:"service_discovery,omitempty"`

	// Unused by client.
	// Holds the initial spec string that was saved for this local config.
	Spec *string `json:"spec,omitempty"`
}

BaseParameters

Type

// BaseParameters identifies the Shield and site the access tier belongs to.
// Marked "unused by client" where it is embedded in Spec.
type BaseParameters struct {
	// Current access tier's associated Shield address
	ShieldAddress *string `json:"shield_address,omitempty"`

	// Current access tier's site address
	SiteAddress *string `json:"site_address,omitempty"`
}

LoggingParameters

Type

// LoggingParameters controls Netagent console/file logging, StatsD metrics
// emission and packet sampling. Fields carrying a `valid:"in(...)"` tag are
// restricted to the listed values.
type LoggingParameters struct {
	// Controls verbosity of logs to console; one of ERR, WARN, INFO, DEBUG
	ConsoleLogLevel *string `json:"console_log_level,omitempty" valid:"in(ERR|WARN|INFO|DEBUG)"`

	// Controls verbosity of logs to file; one of ERR, WARN, INFO, DEBUG
	FileLogLevel *string `json:"file_log_level,omitempty" valid:"in(ERR|WARN|INFO|DEBUG)"`

	// Whether to log to file or not
	FileLog *bool `json:"file_log,omitempty"`

	// For file logs: number of files to keep in the log rotation
	LogNum *int `json:"log_num,omitempty"`

	// For file logs: size of each rotated file (unit is not given on this page)
	LogSize *int `json:"log_size,omitempty"`

	// Enable or disable StatsD metrics emission
	StatsD *bool `json:"statsd,omitempty"`

	// StatsD endpoint (host:port) used when StatsD is enabled.
	// No authentication is configured here, so the endpoint should stay on a
	// trusted network (the default is loopback).
	StatsDAddress *string `json:"statsd_address,omitempty"`

	// EnableServiceTunnelLog enables sampling for service tunnel access events
	EnableServiceTunnelLog *bool `json:"enable_service_tunnel_log,omitempty"`

	// Packet sampling rate: every Nth packet is sampled by NGLOG.
	// The higher the number, the sparser the sampling and the less volume of
	// packet data logged.
	PacketSamplingRate *int `json:"packet_sampling_rate,omitempty"`

	// When packet sampling is enabled, only log L4 policy rejections.
	// Disabling this also logs L4 policy-accepted traffic; that data is
	// voluminous, so weigh log volume and retention before turning it off.
	OnlySampleRejections *bool `json:"only_sample_rejections,omitempty"`
}

Defaults

// DefaultLoggingParameters holds the default LoggingParameters values.
// The struct fields are pointer types; the bare literals below are shorthand
// for the values they point to.
var DefaultLoggingParameters = LoggingParameters{
	ConsoleLogLevel:        "ERR",
	FileLogLevel:           "INFO",
	FileLog:                true,
	LogNum:                 10,
	LogSize:                50,
	StatsD:                 false,
	StatsDAddress:          "127.0.0.1:8125", // loopback; only used when StatsD is true
	EnableServiceTunnelLog: false,
	PacketSamplingRate:     10, // sample every 10th packet
	OnlySampleRejections:   true,
}

EventParameters

Type

// EventParameters configures rate limiting of Netagent access events and
// access key events using a credit scheme: each event consumes one credit,
// credits are replenished every CreditsInterval up to CreditsMax.
// NOTE(review): what happens to events once credits are exhausted (dropped
// vs. deferred) is not stated on this page — confirm before relying on event
// completeness for detection.
type EventParameters struct {
	// Enable or disable Netagent access event rate limiting
	CreditsLimiting *bool `json:"access_event_credits_limiting,omitempty"`

	// Number of credits to assign after each interval
	CreditsPerInterval *int `json:"access_event_credits_per_interval,omitempty"`

	// After this interval, assign CreditsPerInterval credits
	CreditsInterval *time.Duration `json:"access_event_credits_interval,omitempty"`

	// Maximum number of credits a Netagent may hold.
	// One event consumes one credit.
	CreditsMax *int `json:"access_event_credits_max,omitempty"`

	// Enable or disable Netagent access key event rate limiting
	KeyLimiting *bool `json:"access_event_key_limiting,omitempty"`

	// After this interval, another access key event may be generated
	KeyExpiration *time.Duration `json:"access_event_key_expiration,omitempty"`
}

Defaults

// DefaultEventParameters holds the default EventParameters values.
// The struct fields are pointer types; the bare literals below are shorthand
// for the values they point to.
var DefaultEventParameters = EventParameters{
	CreditsLimiting:     true,
	CreditsPerInterval:  5,
	CreditsInterval:     60 * time.Second,
	CreditsMax:          5000, // Docs incorrect: 1k -> 5k
	KeyLimiting:         true,
	KeyExpiration:       540 * time.Second, // 9 minutes
}

HostedWebServiceParameters

Type

// HostedWebServiceParameters tunes how Netagent proxies hosted web services.
type HostedWebServiceParameters struct {
	// Forward the Banyan trust cookie to upstream servers.
	// When enabled the upstream receives the cookie value, so only turn this
	// on for upstreams that need it.
	ForwardTrustCookie *bool `json:"forward_trust_cookie,omitempty"`

	// Disable HTTP Strict Transport Security.
	// Disabling HSTS weakens transport protection for browsers; keep false
	// unless a specific compatibility need is documented.
	DisableHSTS *bool `json:"disable_hsts,omitempty"`

	// Enable experimental WebSocket duplex handling
	EnableWebSocketDuplex *bool `json:"enable_websocket_duplex,omitempty"`
}

Defaults

// DefaultHostedWebServiceParameters holds the default
// HostedWebServiceParameters values: cookie forwarding off, HSTS on,
// WebSocket duplex off. The struct fields are pointer types; the bare
// literals are shorthand for the values they point to.
var DefaultHostedWebServiceParameters = HostedWebServiceParameters{
	ForwardTrustCookie: 	 false,
	DisableHSTS:        	 false,
	EnableWebSocketDuplex: false,
}

InfrastructureServiceParameters

Type

// InfrastructureServiceParameters tunes how Netagent handles infrastructure
// (TCP) services.
type InfrastructureServiceParameters struct {
	// Maximum lifetime for TCP sockets handled by Netagent; sessions are
	// bounded regardless of activity
	MaximumSessionTimeout *time.Duration `json:"maximum_session_timeout,omitempty"`
}

Defaults

// DefaultInfrastructureServiceParameters holds the default
// InfrastructureServiceParameters values. The field is a pointer type; the
// bare literal is shorthand for the value it points to.
var DefaultInfrastructureServiceParameters = InfrastructureServiceParameters{
	MaximumSessionTimeout: 43200 * time.Second, // 12 hours
}

DoSProtectionParameters

Type

// DoSProtectionParameters configures "bad actor" jailing: after
// InfractionCount unauthorized requests the offending IP address is jailed
// for SentenceTime.
type DoSProtectionParameters struct {
	// Enable or disable DoS protection (bad actor jailing)
	BadActor *bool `json:"bad_actor,omitempty"`

	// Number of unauthorized requests before an offending IP address is jailed
	InfractionCount *int `json:"infraction_count,omitempty"`

	// Jail interval after which the bad actor is freed
	SentenceTime *time.Duration `json:"sentence_time,omitempty"`
}

Defaults

// DefaultDoSProtectionParameters holds the default DoSProtectionParameters
// values. Note that protection is off by default (BadActor false); the
// count and sentence only take effect once it is enabled. The struct fields
// are pointer types; the bare literals are shorthand for the values they
// point to.
var DefaultDoSProtectionParameters = DoSProtectionParameters{
	BadActor:         false,
	InfractionCount:  10,
	SentenceTime:     600 * time.Second, // 10 minutes
}

DebuggingParameters

Type

// DebuggingParameters groups debugging and serviceability knobs. Several of
// them change the security posture rather than just verbosity (VisibilityOnly,
// ShieldTimeout, UseRSA, FullServerCertChain), so changes here should be
// reviewed like policy changes.
type DebuggingParameters struct {
	// Verbose logging for HTTP backend traffic; a debugging aid rather than a
	// steady-state setting
	HTTPBackendLog *bool `json:"http_backend_log,omitempty"`

	// Enable or disable visibility mode.
	// If on, Netagent will not do policy enforcement on inbound traffic:
	// traffic is observed but never blocked. Treat enabling this as a
	// deliberate, time-limited enforcement bypass.
	VisibilityOnly *bool `json:"visibility_only,omitempty"`

	// If Shield is not available for this long, policies will be treated as
	// if they are permissive. Zero means this is disabled.
	// This is a fail-open setting: a non-zero value trades enforcement for
	// availability while Shield is unreachable.
	ShieldTimeout *time.Duration `json:"shield_timeout,omitempty"`

	// Enable TCP keepalive messages for TCP sockets handled by Netagent
	KeepAlive *bool `json:"keep_alive,omitempty"`

	// Idle time before sending the first TCP keepalive
	KeepIdle *time.Duration `json:"keep_idle,omitempty"`

	// Time between consecutive TCP keepalive messages
	KeepInterval *time.Duration `json:"keep_interval,omitempty"`

	// Number of missing TCP keepalive acknowledgements before closing the connection
	KeepCount *int `json:"keep_count,omitempty"`

	// Output file for CPU profiling; may impact performance.
	// If empty, this is disabled. The path carries no valid tag here, so
	// restrict who may set it.
	CPUProfile *string `json:"cpu_profile,omitempty"`

	// Memory profiling switch; may impact performance.
	// NOTE(review): the type is *bool but the original comment describes an
	// "output file" like CPUProfile (*string) — confirm which is correct.
	MemProfile *bool `json:"mem_profile,omitempty"`

	// Host only mode
	HostOnly *bool `json:"host_only,omitempty"`

	// Disable Docker monitoring
	DisableDocker *bool `json:"disable_docker,omitempty"`

	// Send all-zero data points to Shield
	SendZeros *bool `json:"send_zeros,omitempty"`

	// Interval for reporting statistics.
	// NOTE(review): plain int, not time.Duration — the unit is not given on
	// this page; confirm before changing.
	Period *int `json:"period,omitempty"`

	// Generate access events at the request level
	RequestLevelEvents *bool `json:"request_level_events,omitempty"`

	// Provide client address transparency to upstreams
	AddressTransparency *bool `json:"address_transparency,omitempty"`

	// Netagent will generate RSA instead of ECDSA keys
	UseRSA *bool `json:"use_rsa,omitempty"`

	// Include non-root (intermediate) CA certs during TLS handshakes.
	// Clients that do not already hold the intermediates may fail to build a
	// chain if this is disabled.
	FullServerCertChain *bool `json:"full_server_cert_chain,omitempty"`

	// Enable or disable OpenID Connect (authorization code flow, going by the
	// field name — confirm)
	CodeFlow *bool `json:"code_flow,omitempty"`

	// HTTP inactivity timeout
	InactivityTimeout *time.Duration `json:"inactivity_timeout,omitempty"`

	// Client identification timeout
	ClientTimeout *time.Duration `json:"client_timeout,omitempty"`
}

Defaults

// DefaultDebuggingParameters holds the default DebuggingParameters values.
// Enforcement-relevant defaults: visibility mode off, Shield timeout disabled
// (fail-closed), full server cert chain sent. The struct fields are pointer
// types; the bare literals below are shorthand for the values they point to.
var DefaultDebuggingParameters = DebuggingParameters{
	HTTPBackendLog:        false,
	VisibilityOnly:        false,
	ShieldTimeout:         0 * time.Second, // disabled: no permissive fallback
	KeepAlive:             true,
	KeepIdle:              59 * time.Second,
	// NOTE(review): no unit, unlike KeepIdle. As a time.Duration an untyped 59
	// is 59ns; 59 * time.Second is probably intended — confirm against the agent.
	KeepInterval:          59,
	KeepCount:             3,
	CPUProfile:            "", // empty: CPU profiling disabled
	MemProfile:            false,
	HostOnly:              true,
	DisableDocker:         false,
	SendZeros:             false,
	Period:                20,
	RequestLevelEvents:    true,
	AddressTransparency:   true,
	UseRSA:                false,
	FullServerCertChain:   true,
	CodeFlow:              false,
	InactivityTimeout:     3600 * time.Second, // 1 hour
	ClientTimeout:         20 * time.Second,
}

MiscellaneousParameters

Type

// MiscellaneousParameters holds settings that do not belong to another group:
// operating mode, host tags, listen ports, public IP discovery, CPU limit,
// tunnel mode and cookie persistence. Fields with a valid tag are range- or
// set-checked as shown.
type MiscellaneousParameters struct {
	// Enable or disable access tier mode.
	// If disabled, Netagent runs in host agent mode.
	AccessTier *bool `json:"access_tier,omitempty"`

	// Arbitrary key-value pairs used for attribute matching on Netagent.
	// Values are not validated here.
	HostTags map[string]string `json:"host_tags,omitempty"`

	// TCP listen port on the Netagent host for proxying incoming connections;
	// restricted to non-privileged ports 1024-65535
	ListenPort *int `json:"listen_port,omitempty" valid:"range(1024|65535)"`

	// TCP listen port on the Netagent host for health checks;
	// restricted to non-privileged ports 1024-65535
	ListenPortHealth *int `json:"listen_port_health,omitempty" valid:"range(1024|65535)"`

	// Configures how Netagent determines its public IP: a cloud metadata
	// source (AWS, GCE), "default", or "none"
	PublicIPSource *string `json:"public_ip_source,omitempty" valid:"in(AWS|GCE|default|none)"`

	// Max percentage of CPU core usage, 1-100
	CPULimit *int `json:"cpu_limit,omitempty" valid:"range(1|100)"`

	// Whether WireGuard should use a userspace (true) or kernel (false) module
	UserModeTunnel *bool `json:"user_mode_tunnel,omitempty"`

	// Whether to persist the cookie or not:
	//   false = session cookie
	//   true  = use the token expiration from the upstream IDP
	PersistCookie *bool `json:"persist_cookie,omitempty"`
}

Defaults

// DefaultMiscellaneousParameters holds the default MiscellaneousParameters
// values. The pointer-typed fields are written as bare literals, shorthand
// for the values they point to; HostTags is a map and is nil by default.
var DefaultMiscellaneousParameters = MiscellaneousParameters{
	AccessTier:       true,
	HostTags:         nil, // no tags until configured
	ListenPort:       9999,
	ListenPortHealth: 9998,
	PublicIPSource:   "default",
	CPULimit:         100,
	UserModeTunnel:   false, // kernel WireGuard module
	PersistCookie:    false, // session cookie
}

ServiceDiscoveryParameters

Type

// ServiceDiscoveryParameters controls DNS and conntrack logging for service
// discovery, which is flushed in batches bounded by a message count and a
// timeout.
type ServiceDiscoveryParameters struct {
	// Enable or disable DNS and conntrack logging
	ServiceDiscoveryEnable *bool `json:"service_discovery_enable,omitempty"`

	// Message threshold that triggers batch processing; one of 100, 1000, 5000
	ServiceDiscoveryMsgLimit *int `json:"service_discovery_msg_limit,omitempty" valid:"in(100|1000|5000)"`

	// Timeout after which a partial batch is processed
	ServiceDiscoveryMsgTimeout *time.Duration `json:"service_discovery_msg_timeout,omitempty"`
}

Defaults

// DefaultServiceDiscoveryParameters holds the default
// ServiceDiscoveryParameters values; discovery logging is off by default.
// The struct fields are pointer types; the bare literals are shorthand for
// the values they point to.
var DefaultServiceDiscoveryParameters = ServiceDiscoveryParameters{
	ServiceDiscoveryEnable:     false,
	ServiceDiscoveryMsgLimit:   100,
	ServiceDiscoveryMsgTimeout: 10 * time.Second,
}