Manage the PingAccess agent for NGINX configuration through the $NGINX/paa/http.conf and agent.properties configuration files.
The $NGINX/paa/http.conf file contains the configuration options defined in the following table.
$NGINX/paa/http.conf configuration options
- You do not have to make any changes to http.conf if you followed the PingAccess agent for NGINX Installation steps.
- Changes to the paa_upstream parameter will impact how the agent communicates with PingAccess. Incorrect changes might lead to a non-functional agent.
- The upstream pingaccess-policy-server contains the directive pingaccess_servers. This directive indicates that the servers for the containing upstream are defined by the agent.properties file. The agent only allows this directive to be specified for a single upstream.
agent.properties
The configured agent.properties files can contain the following properties:
| Property | Definition | Default Value |
|---|---|---|
|  | The URI scheme used to connect to the engine node. Acceptable values are: |  |
|  | The PingAccess host name. | The value in the agent node's |
|  | The port that the agent connects to on the PingAccess host. Tip: This value is defined in the PingAccess run.properties file. | Defined in the PingAccess admin console |
|  | The unique agent name that identifies the agent in PingAccess. | Defined in the PingAccess admin console |
|  | The password which is used to authenticate the agent to the engine. | Defined in the PingAccess admin console |
|  | The base64-encoded public certificate which is used to establish HTTPS trust by the agent to the PingAccess engine. Note: If you are having difficulty connecting an agent to the PingAccess engine, complete the following steps to verify that the Agent Trusted Certificate is configured correctly: | Generated by PingAccess |
|  | The number of connections that a single web server worker process maintains to the PingAccess engine defined in the |  |
|  | The maximum amount of time, in milliseconds, that an agent request made to PingAccess can take. If this time is exceeded, the client receives a generic 500 Server Error response. |  |
|  | The maximum amount of time, in milliseconds, that the agent can take to connect to the PingAccess engine. If this time is exceeded, the client receives a generic 500 Server Error response. |  |
|  | The maximum amount of time (in milliseconds) that a web server worker process waits for a response to a policy cache request sent to other web server worker processes. |  |
|  | The network port that web server processes use to publish policy cache requests to other web server worker processes. This port is bound to the localhost network only. |  |
|  | The network port that web server processes use to receive policy cache requests from other web server worker processes. This port is bound to the localhost network only. |  |
| agent.cache.maxTokens | The maximum number of tokens that are stored in the policy cache for a single web server worker process. A value of |  |
|  | Determines whether policy decision caching is enabled or disabled. A value of You might want to use this option for custom rules created using the PingAccess SDK that involve data that changes with every request within a resource and session. Warning: Disabling caching has a significant impact on the scalability of the PingAccess policy servers, as every rule evaluation is processed by the policy server. Because of the performance penalty, only use this option if necessary. |  |
|  | The host name and port of the PingAccess server where the agent should send requests in the event of a failover from the PingAccess host. Note: If this parameter is set, the upstream block name in For example, if your PingAccess certificate contains the name | Defined in the PingAccess admin console |
|  | The number of seconds to wait before the agent should retry connecting to a failed PingAccess server. |  |
|  | The number of times to retry a connection to a PingAccess server after an unsuccessful attempt. If all retries fail, the agent marks the PingAccess server as failed for the duration of the |  |
|  | Controls the type of policy cache used by the agent. There are three acceptable values for this property: |  |
| agent.send.inventory | Determines whether the This header contains the following fields: Learn more in Agent inventory logging. |  |
| agent.inventory | Specifies additional values to include in the This property uses the following syntax: Note: The specified header fields are case-sensitive. | This property isn't present by default. |
You can add comments to the agent.properties files if necessary. The agent ignores lines beginning with the # or ! characters.
If you make changes to the agent.properties file, you must restart the web server.
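Because agent.properties holds the agent password and a bad edit only shows up after the restart, a pre-restart check is useful. The following is an added example, not code from PingAccess or this page: it parses the file while honoring the # and ! comment rule, then reports access by other local users, duplicate keys, and a malformed agent.cache.maxTokens. The key=value line syntax, the tolerance for leading whitespace, the integer check, and the function names are assumptions of this example.

```python
import stat

COMMENT_PREFIXES = ("#", "!")  # per the page, the agent ignores these lines

def parse_agent_properties(text):
    """Return (props, duplicate_keys). Assumes key=value lines (assumption)."""
    props, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()  # tolerating leading whitespace is an assumption
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # no '=' on the line, so not a property
        key = key.strip()
        if key in props:
            duplicates.append(key)  # in this parser the later value wins
        props[key] = value.strip()
    return props, duplicates

def audit(text, mode):
    """Return findings for the file text and its st_mode bits."""
    findings = []
    props, duplicates = parse_agent_properties(text)
    # The file holds the agent password, so other local users must not reach it.
    if mode & stat.S_IRWXO:
        findings.append("permissions: accessible to other users (mode %o)" % stat.S_IMODE(mode))
    for key in duplicates:
        findings.append("duplicate key: " + key)
    tokens = props.get("agent.cache.maxTokens")
    if tokens is not None and not (tokens.isascii() and tokens.isdigit()):
        findings.append("agent.cache.maxTokens is not a non-negative integer: " + tokens)
    return findings

# Constructed sample input, not a real configuration.
SAMPLE = """\
# managed by ops
! legacy comment style
agent.cache.maxTokens=0
agent.send.inventory=true
agent.cache.maxTokens=many
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, 0o100644):
        print(finding)
```

Against a real file, pass its contents and `os.stat(path).st_mode` to `audit` before restarting the web server.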
Learn more about improving agent performance in the Performance tuning guide.