20 Jul 2020 12:47 AM
The documentation provides information about adding a load balancer in front of a Cluster ActiveGate.
What are the guidelines for setting it up?
Also a question about the security of such a scheme: can an attacker get into the internal network with such a scheme?
20 Jul 2020 01:43 AM
Hello Mikhail A,
We are also in the process of setting up a Cluster AG.
The steps which we are following may help you as well.
As the certificate will be SSL, there is no major security impact.
Cheers!
R
20 Jul 2020 01:59 AM
What parameters are checked by the AG from the js agent? From which headers exactly does it understand the data from the agent?
20 Jul 2020 02:09 AM
What are the guidelines for setting it up?
The only requirement from Dynatrace side is to open required incoming/outgoing network ports and preserve incoming headers - as cluster node will verify them to make sure they come from a valid source. Load balancing might be implemented as round-robin or based on health checks that execute /rest/health on port :9999.
I'll try to add something to our documentation pages. Thanks!
Can an attacker get into the internal network with such a scheme?
Dynatrace recommends closing all ports that are not required for all components, including the customer-provided Load Balancer (LB). For example, the LB can accept only 443 and redirect that only to 9999. All others are closed.
20 Jul 2020 02:24 AM
Thanks Radoslaw,
what headers does AG check to verify that the request came from the correct source?
Is it only x-dynatrace-application?
20 Jul 2020 02:32 AM
The header that needs to be transmitted is "Server" : "ruxit security gateway"
20 Jul 2020 03:03 AM
A couple more questions.
Does AG not verify that the request came from our js?
Is it necessary for the balancer to forward/save the client's IP address, or is all the necessary information for monitoring RUM contained in the request body?
20 Jul 2020 08:24 AM
On the second additional question, I found the answer in the documentation:
"Be sure to configure the load balancer to set the x-forwarded-for parameter for all forwarded requests. This parameter contains the IP address of the original request. Dynatrace needs this parameter to determine where the request originated from."
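The load balancer requirements given in the replies above (accept only 443, forward only to 9999, health checks on /rest/health, headers preserved, x-forwarded-for set), sketched as an added HAProxy example that is not part of the thread and not Dynatrace-provided configuration. The choice of HAProxy, the addresses, file paths, names, timeouts and the expected 200 health status are assumptions.

```haproxy
# Added example: HAProxy in front of two Cluster ActiveGates.
# Constructed values: addresses (192.0.2.x), file paths, names, timeouts.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend rum_in
    # The only listener on the load balancer is 443; no other bind lines.
    bind :443 ssl crt /etc/haproxy/certs/lb.pem
    # Add X-Forwarded-For with the client address to every forwarded request.
    option forwardfor
    # No header rewrite rules are defined, so request and response headers
    # pass through unmodified in both directions.
    default_backend cluster_activegates

backend cluster_activegates
    balance roundrobin
    # Active health check against the endpoint named in the thread.
    option httpchk GET /rest/health
    # Assumption: a healthy ActiveGate answers this check with HTTP 200.
    http-check expect status 200
    # Forward only to port 9999, over TLS. Verifying the backend certificate
    # assumes each ActiveGate presents one issued by the CA in ag-ca.pem.
    server ag1 192.0.2.11:9999 ssl verify required ca-file /etc/haproxy/ca/ag-ca.pem check inter 5s fall 3 rise 2
    server ag2 192.0.2.12:9999 ssl verify required ca-file /etc/haproxy/ca/ag-ca.pem check inter 5s fall 3 rise 2
```

`option forwardfor` appends its own header and leaves any client-supplied X-Forwarded-For in place, so which value is trusted is decided by the receiving side.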
21 Jul 2020 07:13 AM
21 Jul 2020 07:00 AM
Hello @Radoslaw S.
Could you please tell me what kind of validation and verification Cluster ActiveGate does for data from the js agent (agentless)?
21 Jul 2020 07:26 AM
21 Jul 2020 07:42 AM
Does ActiveGate or the Dynatrace server do the checks?
Does ActiveGate verify that the request came from our js-agent (what parameters are checked)?
Or does ActiveGate simply redirect all traffic to the server?
Thanks!
21 Jul 2020 07:44 AM
AG aggregates and redirects the traffic to Cluster nodes. Then the cluster node (server) extracts the data and validates it.
21 Jul 2020 07:48 AM
AG only does some checks on the querystring/url and payload length restrictions.
21 Jul 2020 08:09 AM
Thanks a lot for the answers!
The last question - is the data of the js-agent in protobuf format?
21 Jul 2020 08:27 AM
Between agent and AG - it's just string key-value pairs. Between AG and Cluster node - protobuf.
22 Jul 2020 02:01 AM
Is it possible to fix the parameters of the AG SSL certificate in the js to prevent the transfer of metrics to a fake server?
22 Jul 2020 03:10 AM
I don't understand the question. Can you please give some examples?