Paragon Active Assurance Upgrade Guide

Service Configuration

Services are configured by editing various configuration files, as detailed below. Go through this chapter and configure your settings as appropriate.

Summary of relevant configuration files:

  • /etc/apache2/sites-available/netrounds-ssl.conf
  • /etc/apache2/sites-available/netrounds.conf
  • /etc/environment
  • /etc/netrounds/consolidated.yaml
  • /etc/netrounds/metrics.yaml
  • /etc/netrounds/netrounds.conf
  • /etc/netrounds/plugin.yaml
  • /etc/netrounds/probe-connect.conf
  • /etc/netrounds/restol.conf
  • /etc/netrounds/test-agent-gateway.yaml
  • /etc/netrounds/timescaledb.conf
  • /etc/openvpn/netrounds.conf

Main Settings File

  • /etc/netrounds/netrounds.conf

This file has inline documentation and examples for all supported settings. The SITE_URL setting always needs to be modified so that the correct URL to Control Center is used, for example in emails and reports.

Summary of settings in this file:

  • Unique, secret string used for cryptographic operations
  • Control Center web server URL
  • User time zone; the default is UTC
  • Sender name in outgoing emails
  • Contact email address shown to users
  • Settings for sending email (backend, host, and more)
  • Logging configuration (for details see the section Logging)
  • Maximum length of log tags
  • Criteria for automatic updating of Test Agent software
  • Storage location for time series data
  • Storage location for OpenVPN certificates and keys used to authenticate Test Agents
  • Number of tasks from the background task queue that can be processed in parallel

SSL Certificate Configuration

  • /etc/apache2/sites-available/netrounds-ssl.conf

This Apache configuration file contains the following SSL certificate settings, with default values as shown:

SSLCertificateFile      "/etc/ssl/certs/ssl-cert-snakeoil.pem"
SSLCertificateKeyFile   "/etc/ssl/private/ssl-cert-snakeoil.key"

For exhaustive information on this topic, please consult Apache documentation.

  • /etc/netrounds/test-agent-gateway.yaml

This configuration file contains SSL certificate settings for the Test Agent Application Gateway, which is used by Test Agent Applications to connect to Control Center.

# Test Agent Application config file
# Please run the command below to see available settings:
#   /usr/bin/test-agent-gateway-service --help
# SSL certificates used by the web server. Defaults to snakeoil.
ssl-cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl-key: /etc/ssl/private/ssl-cert-snakeoil.key

By default snakeoil SSL certificates are used in all cases, as seen in the code snippets above. These are created from the ssl-cert package which is preinstalled in Ubuntu. However, to ensure an encrypted and secure connection in a production environment, you are strongly advised to obtain proper, signed SSL certificates instead.
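
A deployment check for the point above, as an added example that is not part of Paragon Active Assurance: it scans the text of both configuration files and reports every active certificate setting that still points at the snakeoil pair. The function name find_snakeoil and the inline sample inputs (constructed from the default snippets above) are assumptions of this example.

```python
import re

# Constructed sample inputs, copied from the default snippets shown above.
APACHE_CONF = '''\
SSLCertificateFile      "/etc/ssl/certs/ssl-cert-snakeoil.pem"
SSLCertificateKeyFile   "/etc/ssl/private/ssl-cert-snakeoil.key"
'''
GATEWAY_YAML = '''\
# SSL certificates used by the web server. Defaults to snakeoil.
ssl-cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl-key: /etc/ssl/private/ssl-cert-snakeoil.key
'''

# Apache uses "Directive value"; the gateway file uses "key: value".
PATTERNS = [
    re.compile(r'^\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)'),
    re.compile(r'^\s*(ssl-cert|ssl-key)\s*:\s*(\S+)'),
]

def find_snakeoil(text):
    """Return (line_no, setting, path) for every active setting that still
    points at the self-signed pair from the Ubuntu ssl-cert package."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith('#'):
            continue  # commented-out settings are not in effect
        for pattern in PATTERNS:
            m = pattern.match(line)
            if m and 'ssl-cert-snakeoil' in m.group(2):
                findings.append((line_no, m.group(1), m.group(2).strip('"\'')))
    return findings

if __name__ == '__main__':
    for name, text in (('netrounds-ssl.conf', APACHE_CONF),
                       ('test-agent-gateway.yaml', GATEWAY_YAML)):
        for line_no, setting, path in find_snakeoil(text):
            print(f'{name}:{line_no}: {setting} still uses {path}')
```

To check a live system, pass the contents of the two files listed above instead of the sample strings.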

Apache

  • /etc/apache2/sites-available/netrounds-ssl.conf
  • /etc/apache2/sites-available/netrounds.conf

These files hold Apache settings.

For exhaustive information on this topic, please consult Apache documentation.

Note:

Changing the Apache configuration files is strongly discouraged unless you are fully aware of the consequences. Inappropriate changes may break Paragon Active Assurance functionality.

TimescaleDB Configuration

How to configure TimescaleDB is described in the document Querying Metrics in TimescaleDB.

Plugin Service Database Configuration

The plugin service database is configured in

  • /etc/netrounds/plugin.yaml

Configuration of OpenVPN Keys

The location of the OpenVPN keys is configured in

  • /etc/openvpn/netrounds.conf

Restart OpenVPN for any changes to take effect.

HSTS Configuration

  • /etc/netrounds/netrounds.conf

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.

A server implements an HSTS policy by sending the Strict-Transport-Security header over an HTTPS connection. The max-age of the header is set to one hour (3600 seconds).

Note:

By default HSTS is disabled in Paragon Active Assurance since the Speedtest page uses HTTP for performance reasons. Uncomment the line below to enable HSTS if you are not using Speedtest.

# STRICT_TRANSPORT_SECURITY_HEADER = "max-age=3600; includeSubDomains"

Another way to allow enabling of HSTS in Control Center is to host Speedtest on a separate web server, as explained in the document Creating a Custom Speedtest Web Page.

Configuring the Lifetime of REST API Tokens

The lifetime of REST API tokens is limited and is 10 years by default. This is governed by the parameter REST_TOKEN_LIFETIME in the file /etc/netrounds/netrounds.conf.

If you intend to use the REST API, you might need to change the value of this parameter to whatever is required in your case.

Note:

In connection with an upgrade, you need to set the desired lifetime value for existing tokens prior to running the ncc migrate command.

Limiting the REST API Rate

You can apply REST API rate throttling in the file

  • /etc/netrounds/restol.conf

    • The settings RATE_LIMIT_ENABLED and RATE_LIMIT_DEFAULT are used for throttling REST API requests. To enable throttling, set RATE_LIMIT_ENABLED=True.
    • Then configure the RATE_LIMIT_DEFAULT setting to indicate the maximum frequency of API requests from the same IP address. For example, RATE_LIMIT_DEFAULT=30/second will allow up to 30 requests per second from each IP address. The rate limit can be set per second, minute, hour, or day. It is also possible to set multiple limits, as in RATE_LIMIT_DEFAULT=30/second,60/minute.
    • To disable throttling, set RATE_LIMIT_ENABLED=False.
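
How a combined value such as 30/second,60/minute behaves for a single client, as an added example that is not the product's own code: it parses the setting format described above and replays constructed traffic against it. The names parse_rate_limits and simulate are hypothetical, and the example assumes that every limit is a sliding window and that a request must satisfy all of them; this page does not state which algorithm the service uses.

```python
from collections import deque

PERIODS = {'second': 1, 'minute': 60, 'hour': 3600, 'day': 86400}

def parse_rate_limits(value):
    """Parse 'N/period[,N/period...]' into a list of (count, window_ms)."""
    limits = []
    for part in value.split(','):
        count, _, period = part.strip().partition('/')
        if not count.isdigit() or int(count) == 0 or period not in PERIODS:
            raise ValueError(f'invalid rate limit: {part!r}')
        limits.append((int(count), PERIODS[period] * 1000))
    return limits

def simulate(value, timestamps_ms):
    """Return (accepted, rejected) for requests from one IP address.

    Assumption: sliding windows, and a request must fit inside every window.
    Timestamps are integer milliseconds to avoid floating-point edge cases.
    """
    limits = parse_rate_limits(value)
    longest = max(window for _, window in limits)
    accepted = deque()  # timestamps of requests that were let through
    ok = rejected = 0
    for now in timestamps_ms:
        while accepted and accepted[0] <= now - longest:
            accepted.popleft()  # older than every window
        if all(sum(1 for t in accepted if t > now - window) < count
               for count, window in limits):
            accepted.append(now)
            ok += 1
        else:
            rejected += 1
    return ok, rejected

# Constructed traffic: one client sending 30 requests per second for 3 seconds.
BURST_MS = [k * 1000 // 30 for k in range(90)]

if __name__ == '__main__':
    print(simulate('30/second', BURST_MS))            # per-second limit only
    print(simulate('30/second,60/minute', BURST_MS))  # minute budget also applies
```

Under these assumptions the per-minute limit is the binding one: the burst is accepted for two seconds, after which the remaining requests are rejected until the minute window moves on.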

Configuring Password Strength

The default password strength requirements for Control Center user passwords are as follows: Each password must contain

  • at least 8 characters in total
  • at least one digit
  • at least one uppercase letter
  • at least one lowercase letter.

It is possible to switch to a set of stricter requirements. According to these, each password must contain

  • at least 12 characters in total
  • at least one digit
  • at least one uppercase letter
  • at least one lowercase letter
  • at least one special character

and must also not have any character occurring twice in a row.

To enforce the stricter requirements, make the following setting in the file /etc/netrounds/netrounds.conf:

USER_PASSWORD_STRENGTH='strong'

(You need to add the variable USER_PASSWORD_STRENGTH itself as it is by default not present in the configuration file.) This setting applies globally to all new users created in Control Center.
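
The two rule sets above expressed as a checker, for example to pre-validate passwords before creating users in bulk. This is an added example, not Control Center code; the name password_violations is hypothetical, and "special character" is assumed to mean ASCII punctuation, which this page does not define.

```python
import string

# Rule sets as listed above for the default and the stricter ('strong') level.
POLICIES = {
    'default': {'min_length': 8, 'special': False, 'no_repeats': False},
    'strong': {'min_length': 12, 'special': True, 'no_repeats': True},
}

def password_violations(password, strength='default'):
    """Return the list of rules the password breaks (empty list = compliant)."""
    policy = POLICIES[strength]
    problems = []
    if len(password) < policy['min_length']:
        problems.append(f"fewer than {policy['min_length']} characters")
    if not any(c.isdigit() for c in password):
        problems.append('no digit')
    if not any(c.isupper() for c in password):
        problems.append('no uppercase letter')
    if not any(c.islower() for c in password):
        problems.append('no lowercase letter')
    # Assumption: "special character" means ASCII punctuation.
    if policy['special'] and not any(c in string.punctuation for c in password):
        problems.append('no special character')
    # Adjacent identical characters are only forbidden at the stricter level.
    if policy['no_repeats'] and any(a == b for a, b in zip(password, password[1:])):
        problems.append('same character twice in a row')
    return problems

# Constructed sample passwords, not taken from any real system.
SAMPLES = ['Summer2024', 'Tr1cky-Pa55word', 'Qx7#mLp2!vRt']

if __name__ == '__main__':
    for sample in SAMPLES:
        for level in POLICIES:
            print(sample, level, password_violations(sample, level) or 'OK')
```

The first sample passes the default rules but breaks three of the stricter ones, and the second fails only because of the repeated digit.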
