Manage the configuration of the PingAccess agent for NGINX through the $NGINX/paa/http.conf and agent.properties configuration files.
The $NGINX/paa/http.conf file contains the configuration options defined in the following table.
$NGINX/paa/http.conf configuration options

Parameter | Definition | Default Value |
---|---|---|
paa_property_files | Properties file that stores configuration data used to connect the agent to the PingAccess engine nodes. | |
paa_enabled | Determines whether the agent is enabled or disabled for a specific server configuration. Valid values are To control which blocks the agent protects, you can set the paa_enabled parameter on: For example, if you want to set up an unprotected passthrough resource that PingAccess should always allow access to, you can set paa_enabled to Note: You can apply this parameter globally to the If you set the paa_enabled parameter to | |
paa_upstream | Defines the upstream that the PingAccess agent uses to route policy decision requests to PingAccess policy servers. | |
paa_upstream_max_response_header_size | Defines the maximum size of the response header, in bytes, that the PingAccess agent can receive from a PingAccess policy server. | |
paa_thread_pool | Defines the thread pool to use for blocking operations performed by the agent. Note: This only includes policy cache lookup operations when using the ZeroMQ multiprocess policy cache. | |
- You do not have to make any changes to http.conf if you followed the PingAccess agent for NGINX Installation steps.
- Changes to the paa_upstream parameter will impact how the agent communicates with PingAccess. Incorrect changes might lead to a non-functional agent.
- The upstream pingaccess-policy-server contains the pingaccess_servers directive. This directive indicates that the servers for the containing upstream are defined by the agent.properties file. The agent only allows this directive to be specified for a single upstream.
The configured agent.properties files can contain the following parameters.
agent.properties file parameters

Parameter | Definition | Default Value |
---|---|---|
agent.engine.configuration.scheme | The URI scheme used to connect to the engine node. Valid values are | |
agent.engine.configuration.host | The PingAccess host name. | The value in the agent node's |
agent.engine.configuration.port | The port that the agent connects to on the PingAccess host. This value is defined in the PingAccess | Defined in the PingAccess Admin UI |
agent.engine.configuration.username | The unique agent name that identifies the agent in PingAccess. | Defined in the PingAccess Admin UI |
agent.engine.configuration.shared.secret | The password used to authenticate the agent to the engine. | Defined in the PingAccess Admin UI |
agent.engine.configuration.bootstrap.truststore | The base64-encoded public certificate used to establish HTTPS trust by the agent to the PingAccess engine. Note: If you're having difficulty connecting an agent to the PingAccess engine, verify that the Agent Trusted Certificate is configured correctly in Agent Management. | Generated by PingAccess |
agent.engine.configuration.maxConnections | The number of connections that a single web server worker process maintains to the PingAccess engine that's defined in the agent.engine.configuration.host parameter. | |
agent.engine.configuration.timeout | The maximum amount of time (in milliseconds) that a request to PingAccess can take from the agent. If this time is exceeded, the client receives a generic 500 Server Error response. | |
agent.engine.configuration.connectTimeout | The maximum amount of time (in milliseconds) that the agent can take to connect to the PingAccess engine. If this time is exceeded, the client receives a generic 500 Server Error response. | |
agent.cache.missInitialTimeout | The maximum amount of time (in milliseconds) that a web server worker process waits for a response to a policy cache request sent to other web server worker processes. | |
agent.cache.broker.publisherPort | The network port that web server processes use to publish policy cache requests to other web server worker processes. This port is bound to the localhost network only. | |
agent.cache.broker.subscriberPort | The network port that web server processes use to receive policy cache requests from other web server worker processes. This port is bound to the localhost network only. | |
agent.cache.maxTokens | The maximum number of tokens stored in the policy cache for a single web server worker process. A value of | |
agent.cache.disabled | Determines whether policy decision caching is enabled or disabled. A value of Warning: Disabling caching has a significant impact on the scalability of the PingAccess policy servers because the policy server must process every rule evaluation. Only use this option as a last resort because of the performance penalty. | |
agent.engine.configuration.failover.hosts | The host name and port of the PingAccess server where the agent should send requests in the event of a failover from the PingAccess host. Note: If this parameter is set, the upstream block name in For example, if your PingAccess certificate contains the name | Defined in the PingAccess Admin UI |
agent.engine.configuration.failover.failedRetryTimeout | The number of seconds to wait before the agent should retry connecting to a failed PingAccess server. | |
agent.engine.configuration.failover.MaxRetries | The number of times to retry a connection to a PingAccess server after an unsuccessful attempt. If all retries fail, the agent marks the PingAccess server as failed for the duration of the agent.engine.configuration.failover.failedRetryTimeout value and tries another PingAccess server if one is available. | |
agent.cache.type | Controls the type of policy cache used by the agent. There are three valid values for this property: | |
agent.send.inventory | Determines whether the This header contains the following fields: For more information, see Agent inventory logging. | |
agent.inventory | Specifies additional values to include in the This parameter uses the following syntax: Note: The specified header fields are case-sensitive. | Not present by default. |
Add comments to the agent.properties files if necessary. Lines beginning with the # or ! characters are ignored by the agent.
Changes to the agent.properties file require a restart of the web server.
For more information on how to improve agent performance, see Agent Tuning in the PingAccess Performance tuning reference guide.
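As an added example that is not part of the PingAccess documentation or the agent's own code, the following Python script parses an agent.properties file using the comment rule stated above and reviews the connection, timeout, failover and cache parameters listed in the table. The sample file is constructed, and the value formats it relies on (https as the scheme, true for agent.cache.disabled, host:port for failover hosts, '=' as the separator) are assumptions rather than documented values.

```python
import re

E = "agent.engine.configuration."  # prefix shared by the engine connection keys
# Constructed sample, not a real deployment; the secret is a placeholder.
SAMPLE = """\
# agent.properties (constructed sample)
! lines starting with ! are comments too
agent.engine.configuration.scheme=https
agent.engine.configuration.host=pingaccess.example.test
agent.engine.configuration.port=3030
agent.engine.configuration.username=nginx-agent-01
agent.engine.configuration.shared.secret=PLACEHOLDER_SECRET
agent.engine.configuration.timeout=30000
agent.engine.configuration.connectTimeout=five
agent.engine.configuration.failover.hosts=pa-2.example.test:3030
agent.cache.disabled=true
"""
REQUIRED = tuple(E + k for k in ("scheme", "host", "port", "username", "shared.secret"))
MILLIS = (E + "timeout", E + "connectTimeout", "agent.cache.missInitialTimeout")


def parse_properties(text):
    """Parse key=value lines; '#' and '!' comment lines are ignored (the page's rule).
    Assumption: '=' is the only key/value separator used in the file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Return findings a reviewer would raise; an empty list means nothing flagged."""
    findings = [f"missing or empty: {k}" for k in REQUIRED if not props.get(k)]
    # Assumption: https is the intended scheme, since trust is set up via a truststore.
    if props.get(E + "scheme", "").lower() not in ("", "https"):
        findings.append("scheme is not https: the shared secret would be sent in clear")
    for k in MILLIS:  # the table documents these as millisecond values
        v = props.get(k)
        if v is not None and not (v.isdigit() and int(v) > 0):
            findings.append(f"not a positive millisecond value: {k}={v!r}")
    for host in filter(None, props.get(E + "failover.hosts", "").split(",")):
        if not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", host.strip()):
            findings.append(f"failover host is not host:port: {host!r}")
    # Assumption: 'true' disables the cache; the table above warns about the cost.
    if props.get("agent.cache.disabled", "").lower() == "true":
        findings.append("agent.cache.disabled=true: every rule evaluation hits the policy server")
    return findings
```

Running `check_properties(parse_properties(SAMPLE))` on the constructed sample flags the non-numeric connectTimeout and the disabled policy cache, and nothing else.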