cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Loadbalancing oneagent with an Apache RP

Hello,

Can I use an Apache Reverse Proxy to send the data from Oneagent hosted outside my DC to 2 Appmon datacollector hosted inside my DC?

Or is it best to use that RP to send directly the data to the dtserver?

If yes, what can a typical apache conf looks like?

Thanks

5 REPLIES 5

pahofmann
Champion

The scenario you describe is not supported, a reverse/forward proxy is only support between Server/Client and Server/Collector. You should use an local collector if possible in your case.

You can find more information in the documentation for proxies.

Hi Patrick,

I believe that that doc is only for the classic agent and not for the Oneagent.

The OneAgent have the following advantage listed:

"Easy traffic tunneling using https based protocol"

Source: https://www.dynatrace.com/support/doc/appmon/appli...

From my understanding that means it can be proxyed

You are right, sorry I overread the one.

For the oneagent this should be possible, I have not tired it yet though. maybe someone else can give more insights.

I would be also very interested in knowing what can of certificate need to be put on which components.

c_schwarzbauer
Dynatrace Champion
Dynatrace Champion

hi Jonathan,

you're right, using a reverse proxy should work with the new AppMon Agents. I'm not yet aware of any meaningful how-to on that yet, but here's a few things that come to my mind to take care of:

  • Collector Balancing: the Agents get a list of Collectors to connect to, which is coming from the Server. if those should not be the actual Collectors, but one or more reverse proxies, then this would have to be configured in the AppMon UI for the Collector Groups. However, if you're not using Collector Groups, you should be good AFAIR.
  • Certificates: if you're terminating (and reestablishing) the TLS connection, you'd have to deploy proper certificates on the reverse proxy. the Agents will accept trusted chains by most root CAs, however, there's a few preferred ones (which will lead to better performance), including e.g. Let's Encrypt. host verification will not be done, unless it's a well-known domain (live.dynatrace.com, ...) and self-signed certificates are not allowed per default AFAIR.

HTH,
Christian