Service Configuration

Services are configured by editing various configuration files, as detailed below. Go through this chapter and configure your settings as appropriate.

Summary of relevant configuration files:

  • /etc/apache2/sites-available/netrounds-ssl.conf
  • /etc/apache2/sites-available/netrounds.conf
  • /etc/netrounds/netrounds.conf
  • /etc/netrounds/probe-connect.conf
  • /etc/netrounds/test-agent-gateway.yaml
  • /etc/openvpn/netrounds.conf

Main Settings File

  • /etc/netrounds/netrounds.conf

This file has inline documentation and examples for all supported settings. The SITE_URL setting is one that always needs to be modified to get the correct URL to Control Center, for example in emails and reports. It should be set the same as SITE_URL for the REST API (defined in /etc/netrounds/netrounds.conf).

Summary of settings in this file:

  • Unique, secret string used for cryptographic operations
  • Control Center web server URL
  • Sender name in outgoing emails
  • Contact email address shown to users
  • Settings for sending email (backend, host, and more)
  • PostgreSQL configuration (see the section PostgreSQL Configuration)
  • Logging configuration (for details see the section Logging)
  • Maximum length of log tags
  • User session timeout (time of inactivity before the user is automatically logged out; governed by SESSION_COOKIE_AGE, set in seconds; one must also set SESSION_SAVE_EVERY_REQUEST=True in order for user actions to reset the timer)
  • Number of days a password reset link is valid
  • Criteria for automatic update of Test Agent software
  • Storage location for time series data
  • Storage location for OpenVPN certificates and keys used to authenticate Test Agents
  • Number of tasks from the background task queue that can be processed in parallel
  • Allow/Disallow sign-up for new accounts through the Control Center web GUI
  • Send/Do not send notifications about SLA status changes to ConfD
  • User time zone; the default is UTC

Apache

  • /etc/apache2/sites-available/netrounds-ssl.conf
  • /etc/apache2/sites-available/netrounds.conf

These files hold Apache settings.

For exhaustive information on this topic, please consult the Apache documentation.

Note:

It is strongly discouraged to change the Apache configuration files unless you are fully aware of the consequences. Inappropriate changes may break Paragon Active Assurance functionality.

Test Agent Appliance Registration

  • /etc/openvpn/netrounds.conf

To configure the TCP port towards which Test Agent Appliances register, use the keyword port followed by the port number: for example, port 6000. The default port is 6000. Restart openvpn@netrounds for the configuration to take effect:

SSL Certificate Configuration

  • /etc/apache2/sites-available/netrounds-ssl.conf

This Apache configuration file contains the following SSL certificate settings, with default values as shown:

For exhaustive information on this topic, please consult the Apache documentation.

  • /etc/netrounds/test-agent-application.yaml

This configuration file contains settings for the Test Agent Application gateway service (netrounds-test-agent-gateway), including SSL settings. It has the same snakeoil default certificates as above, which should also be changed.

  • /etc/netrounds/test-agent-gateway.yaml

This configuration file contains SSL certificate settings for the Test Agent Application Gateway, which is used by Test Agent Applications to connect to Control Center.

By default, snakeoil SSL certificates are used in all cases, as seen in the code snippets above. These are created by the ssl-cert package, which is preinstalled in Ubuntu. However, to ensure an encrypted and secure connection in a production environment, you are strongly advised to obtain proper, signed SSL certificates instead.
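One way to confirm that no active setting still points at the snakeoil pair is sketched below. This is an added example, not code from the product; the sample file contents are constructed, the YAML key names are hypothetical, and the function names are introduced here for illustration.

```python
import re
from pathlib import PurePosixPath

# Name prefix of the self-signed pair that Ubuntu's ssl-cert package generates.
SNAKEOIL_PREFIX = "ssl-cert-snakeoil"

# "Directive /path" (Apache) or "key: /path" (YAML); the path may be quoted.
SETTING_RE = re.compile(r"""^\s*([\w.-]+)\s*[:\s]\s*["']?(/[^\s"'#]+)""")

# Constructed sample contents, not copied from the shipped files.
# The YAML key names are hypothetical.
SAMPLE_CONFIGS = {
    "/etc/apache2/sites-available/netrounds-ssl.conf": """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
""",
    "/etc/netrounds/test-agent-gateway.yaml": """\
ssl_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ssl_key: /srv/pki/control-center.key
# ssl_key: /etc/ssl/private/ssl-cert-snakeoil.key
""",
}


def find_snakeoil_refs(name, text):
    """Return (file, line_no, setting, path) for each active snakeoil reference."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):   # commented-out settings are inactive
            continue
        match = SETTING_RE.match(line)
        if match and PurePosixPath(match.group(2)).name.startswith(SNAKEOIL_PREFIX):
            hits.append((name, line_no, match.group(1), match.group(2)))
    return hits


def audit(configs):
    """Scan every (file name -> contents) pair and collect all findings."""
    return [hit for name, text in configs.items()
            for hit in find_snakeoil_refs(name, text)]


if __name__ == "__main__":
    for name, line_no, setting, path in audit(SAMPLE_CONFIGS):
        print(f"{name}:{line_no}: {setting} -> {path}")
```

To audit a real installation, read the files listed in this section from disk and pass their contents to audit() in place of SAMPLE_CONFIGS.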

PostgreSQL Configuration

  • /etc/netrounds/netrounds.conf
  • /etc/netrounds/probe-connect.conf

To configure the PostgreSQL server, you must edit settings in both of these files. Below is an example of file contents specifying database "database", user name "user", and password "password".

When updating the password in either of the configuration files, you need to escape any characters that are identical to the character surrounding strings (above, this is the single quote, '). The escape character used is the backslash.

When updating the password in the file probe-connect.conf, it is best to escape any non-alphanumeric characters. You can verify that you have set the intended password as follows:

Note:

After making changes to these settings, you must also update the PostgreSQL database itself. How to do this is explained in the Lifecycle Management Guide.

How to Configure OpenVPN Keys

  • /etc/openvpn/netrounds.conf

Here you configure the location of the OpenVPN keys. Restart OpenVPN for the configuration to take effect.

HSTS Configuration

  • /etc/netrounds/netrounds.conf

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.

A server implements an HSTS policy by supplying a header (Strict-Transport-Security) over an HTTPS connection. The policy lifetime carried in the header (its max-age) is set to one hour.
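After enabling HSTS, the response header can be checked against the rules a browser applies (RFC 6797). The sketch below is an added example, not code from the product; the function names are introduced here, and the expected lifetime of 3600 seconds is the one-hour value stated above.

```python
ONE_HOUR = 3600  # policy lifetime stated on this page, in seconds


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns the directives as a dict, or None when the value is malformed
    and a conforming browser would ignore the header.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                        # empty directives are permitted
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()         # directive names are case-insensitive
        if name in directives:              # a repeated directive is invalid
            return None
        directives[name] = raw.strip().strip('"')   # value may be a quoted string
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):   # required, whole seconds
        return None
    directives["max-age"] = int(max_age)
    return directives


def hsts_findings(scheme, headers, expected_max_age=ONE_HOUR):
    """List problems with the HSTS policy carried by one response."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["header absent: HSTS is not enabled"]
    if scheme != "https":
        return ["header sent over HTTP: browsers ignore it"]
    policy = parse_hsts(value)
    if policy is None:
        return ["header malformed: browsers ignore it"]
    if policy["max-age"] == 0:
        return ["max-age=0 tells browsers to delete the stored policy"]
    if policy["max-age"] != expected_max_age:
        return [f"max-age is {policy['max-age']}s, expected {expected_max_age}s"]
    return []


if __name__ == "__main__":
    # Constructed responses: one correct, one served over plain HTTP.
    ok = {"Strict-Transport-Security": "max-age=3600"}
    print(hsts_findings("https", ok), hsts_findings("http", ok))
```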

Note:

By default HSTS is disabled in Paragon Active Assurance since the Speedtest page uses HTTP for performance reasons. Uncomment the line below to enable HSTS if you are not using Speedtest.

Another way to allow enabling of HSTS in Control Center is to host Speedtest on a separate web server, as explained in the document Creating a Custom Speedtest Web Page.