Service Configuration
Services are configured by editing various configuration files, as detailed below. Go through this chapter and configure your settings as appropriate.
Summary of relevant configuration files:
/etc/apache2/sites-available/netrounds-ssl.conf/etc/apache2/sites-available/netrounds.conf/etc/environment/etc/netrounds/consolidated.yaml/etc/netrounds/metrics.yaml/etc/netrounds/netrounds.conf/etc/netrounds/plugin.yaml/etc/netrounds/probe-connect.conf/etc/netrounds/restol.conf/etc/netrounds/test-agent-gateway.yaml/etc/netrounds/timescaledb.conf/etc/openvpn/netrounds.conf
Main Settings File
/etc/netrounds/netrounds.conf
This file has inline documentation and examples for all supported settings. The
SITE_URL setting is one that always needs to be modified to get
the correct URL to Control Center, for example in emails and reports.
Summary of settings in this file:
- Unique, secret string used for cryptographic operations
- Control Center web server URL
- User time zone; the default is UTC
- Sender name in outgoing emails
- Contact email address shown to users
- Settings for sending email (backend, host, and more)
- Logging configuration (for details see the section Logging)
- Maximum length of log tags
- Criteria for automatic updating of Test Agent software
- Storage location for time series data
- Storage location for OpenVPN certificates and keys used to authenticate Test Agents
- Number of tasks from the background task queue that can be processed in parallel
SSL Certificate Configuration
/etc/apache2/sites-available/netrounds-ssl.conf
This Apache configuration file contains the following SSL certificate settings, with default values as shown:
SSLCertificateFile "/etc/ssl/certs/ssl-cert-snakeoil.pem" SSLCertificateKeyFile "/etc/ssl/private/ssl-cert-snakeoil.key"
For exhaustive information on this topic, please consult Apache documentation.
/etc/netrounds/test-agent-gateway.yaml
This configuration file contains SSL certificate settings for the Test Agent Application Gateway, which is used by Test Agent Applications to connect to Control Center.
# Test Agent Application config file # Please run the command below to see available settings: # /usr/bin/test-agent-gateway-service --help # SSL certificates used by the web server. Defaults to snakeoil. ssl-cert: /etc/ssl/certs/ssl-cert-snakeoil.pem ssl-key: /etc/ssl/private/ssl-cert-snakeoil.key
By default snakeoil SSL certificates are used in all cases, as seen in the code snippets
above. These are created from the ssl-cert package which is preinstalled in
Ubuntu. However, to ensure an encrypted and secure connection in a production environment,
you are strongly advised to obtain proper, signed SSL certificates instead.
Apache
/etc/apache2/sites-available/netrounds-ssl.conf/etc/apache2/sites-available/netrounds.conf
These files hold Apache settings.
For exhaustive information on this topic, please consult Apache documentation.
It is strongly discouraged to change the Apache configuration files unless you are fully aware of the consequences. Inappropriate changes may break Paragon Active Assurance functionality.
TimescaleDB Configuration
How to configure TimescaleDB is described in the document Querying Metrics in TimescaleDB.
Plugin Service Database Configuration
The plugin service database is configured in
/etc/netrounds/plugin.yaml
Configuration of OpenVPN Keys
The location of the OpenVPN keys is configured in
/etc/openvpn/netrounds.conf
Restart OpenVPN for any changes to take effect.
HSTS Configuration
/etc/netrounds/netrounds.conf
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
A server implements an HSTS policy by supplying a header (Strict-Transport-Security) over an HTTPS connection. The header age is set to one hour.
By default HSTS is disabled in Paragon Active Assurance since the Speedtest page uses HTTP for performance reasons. Uncomment the line below to enable HSTS if you are not using Speedtest.
# STRICT_TRANSPORT_SECURITY_HEADER = "max-age=3600; includeSubDomains"
Another way to allow enabling of HSTS in Control Center is to host Speedtest on a separate web server, as explained in the document Creating a Custom Speedtest Web Page.
Configuring the Lifetime of REST API Tokens
The lifetime of REST API tokens is limited and is 10 years by default. This is governed by
the parameter REST_TOKEN_LIFETIME in the file
/etc/netrounds/netrounds.conf.
If you intend to use the REST API, you might need to change the value of this parameter to whatever is required in your case.
In connection with an upgrade, you need to set the desired lifetime value for existing
tokens prior to running the ncc migrate command.
Limiting the REST API Rate
You can apply REST API rate throttling in the file
-
/etc/netrounds/restol.conf- The settings
RATE_LIMIT_ENABLEDandRATE_LIMIT_DEFAULTare used for throttling REST API requests. To enable throttling, setRATE_LIMIT_ENABLED=True. - Then configure the
RATE_LIMIT_DEFAULTsetting to indicate the maximum frequency of API requests from the same IP address. For example,RATE_LIMIT_DEFAULT=30/secondwill allow up to 30 requests per second from each IP address. The rate limit can be set per second, minute, hour, or day. It is also possible to set multiple limits, as inRATE_LIMIT_DEFAULT=30/second,60/minute. - To disable throttling, set
RATE_LIMIT_ENABLED=False.
- The settings
Configuring Password Strength
The default password strength requirements for Control Center user passwords are as follows: Each password must contain
- at least 8 characters in total
- at least one digit
- at least one uppercase letter
- at least one lowercase letter.
It is possible to switch to a set of stricter requirements. According to these, each password must contain
- at least 12 characters in total
- at least one digit
- at least one uppercase letter
- at least one lowercase letter
- at least one special character
and must also not have any character occurring twice in a row.
To enforce the stricter requirements, make the following setting in the file
/etc/netrounds/netrounds.conf:
USER_PASSWORD_STRENGTH='strong'
(You need to add the variable USER_PASSWORD_STRENGTH itself as it is by
default not present in the configuration file.) This setting applies globally to all new users
created in Control Center.