signalfx-agent

set proxy for windows

Open xp-1000 opened this issue 4 years ago • 5 comments

Currently signalfx supports a proxy only from an env var; there is no explicit option in its configuration.

This works fine for Linux, since it is easy to configure this env var for the signalfx service only.

Sadly, on Windows it is much more difficult to do:

  • setting this env var globally will affect every other service
  • setting it for the default user local_system will also affect a lot of users which also use this user

The only possible workaround to our knowledge is to create a new user dedicated to signalfx and set this env var for it.

I think there are two ways to address this issue properly:

  • add this mechanism (adding specific user with env var set) as reference (in doc, ansible role ..)
  • add explicit internal configuration option to set a proxy like datadog https://docs.datadoghq.com/agent/proxy/?tab=agentv6v7#using-a-web-proxy-as-proxy

The first one seems acceptable, but if you choose it, could you please advise on the Windows permissions required by the signalfx user?

The second one seems to be the best way because it is not OS-specific anymore and will work in every case, but it will probably require more work on the agent side.

xp-1000 avatar Oct 23 '20 11:10 xp-1000

The first one seems best from an overall security standpoint since currently we run the agent as the administrator user which gives it I think the equivalent of Unix root user.

It is going to need permissions to read the list of processes, network ports/sockets, disks, cpu usage, memory usage, and probably a few other minor things. I have no idea if Windows even has these permissions broken out in such a granular manner or if they even require special permission to access (much of this stuff is open to any users on Linux).

keitwb avatar Oct 23 '20 14:10 keitwb

Thanks for the answer. I don't know Windows either. Indeed, using a dedicated user is a good security practice, but I confess it is not the goal of this issue, which focuses on configuring a proxy for the signalfx agent service.

At first we will make a PR on the ansible role to handle the user/service creation and try to find the required permissions (if they exist). I will also try to update the relevant documentation to give users a guideline if others need this (or want to add the equivalent to puppet, chef ..).

That said, is it possible to plan the implementation of an internal proxy configuration?

Honestly, I would not say it is useful on *nix platforms, but this will provide an independent and system-agnostic way to configure a proxy, available for every platform and constraint. This will promote the homogeneity of config no matter the env and will mostly address the lack of ability to configure a proxy on Windows.

xp-1000 avatar Oct 23 '20 17:10 xp-1000

We have resolved this issue an alternate way within our environment. We set the proxy as a service specific env var during the install process, upgrades/reinstalls remove this setting so we baked it into the chocolatey install process.

        reg add hklm\system\currentcontrolset\services\signalfx-agent /v Environment /t REG_MULTI_SZ /d 'HTTP_PROXY=%your proxy%'

mcmiv413 avatar Jan 08 '21 19:01 mcmiv413

> We have resolved this issue an alternate way within our environment. We set the proxy as a service specific env var during the install process, upgrades/reinstalls remove this setting so we baked it into the chocolatey install process.
>
> reg add hklm\system\currentcontrolset\services\signalfx-agent /v Environment /t REG_MULTI_SZ /d 'HTTP_PROXY=%your proxy%'

Thank you for the good suggestion! Sadly we do not use chocolatey to install the signalfx agent but this: https://docs.signalfx.com/en/latest/integrations/agent/quick-install.html#install-the-smart-agent-on-windows

xp-1000 avatar Jan 11 '21 12:01 xp-1000

Was just looking through here again, this is the specific code we use to set the proxy for windows if it helps you.

We set this env var $env:signalfxproxy separately, but you could replace that for your needs.

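        # Registry key that holds the signalfx-agent service configuration
        $regpath = "HKLM:\system\currentcontrolset\services"
        $regkey = "signalfx-agent"
        $sfxregpath = "$regpath\$regkey"
        $name = "Environment"
        # Read the service's current Environment value, if the key exists
        $currentregvalue = $null
        if (Test-Path $sfxregpath) { $currentregvalue = (Get-ItemProperty -Path $sfxregpath).Environment }
        $value = "HTTP_PROXY=$env:signalfxproxy"
        # Only write and restart when the stored value differs from the wanted one
        if ($currentregvalue -ne $value)
        {
            if (-not (Test-Path $sfxregpath))
            {
                New-Item -Path $regpath -Name $regkey -Force
            }
            # -Force replaces the whole Environment value (REG_MULTI_SZ) with this single entry
            New-ItemProperty -Path $sfxregpath -Name $name -Value $value -PropertyType MultiString -Force | Out-Null
            # Restart so the service picks up the new environment
            if (Get-Service signalfx-agent -ErrorAction SilentlyContinue) { Restart-Service signalfx-agent }
        }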

mcmiv413 avatar Feb 22 '21 19:02 mcmiv413
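
A variant of the registry approach from the comments above, as an added example that is not part of the original thread or of the signalfx-agent project: it merges one variable into the service's Environment value instead of replacing the whole value, so other per-service variables survive. The function name Set-ServiceEnvVar and the proxy URL are hypothetical, and it must run from an elevated session.

```powershell
# Added example. Set-ServiceEnvVar and the proxy URL below are hypothetical.
function Set-ServiceEnvVar {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Value
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) {
        throw "Service key not found: $key (install the service first)"
    }

    # Current REG_MULTI_SZ entries; a missing value yields an empty list.
    $current = @((Get-ItemProperty -Path $key -Name Environment -ErrorAction SilentlyContinue).Environment |
        Where-Object { $_ })

    # Keep every entry except an existing one for this variable
    # (variable names are case-insensitive on Windows), then append the new pair.
    $prefix = "$Name="
    $kept = @($current | Where-Object {
        -not $_.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
    })
    [string[]] $updated = @($kept) + "$Name=$Value"

    # Nothing to do when the stored list already matches: no write, no restart.
    if (($current -join "`n") -ceq ($updated -join "`n")) { return $false }

    New-ItemProperty -Path $key -Name Environment -Value $updated `
        -PropertyType MultiString -Force | Out-Null
    return $true
}

# Apply the setting and restart only when the registry value changed.
$changed = Set-ServiceEnvVar -ServiceName 'signalfx-agent' -Name 'HTTP_PROXY' `
    -Value 'http://proxy.example.internal:3128'
if ($changed -and (Get-Service 'signalfx-agent' -ErrorAction SilentlyContinue)) {
    Restart-Service -Name 'signalfx-agent'
}

# Show the environment the service will start with.
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\signalfx-agent').Environment
```

With default permissions the Services key is readable by standard users, so a proxy URL stored this way should not embed credentials.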

Closing this issue as inactive. Please reopen if this issue is still occurring.

atoulme avatar Sep 22 '22 04:09 atoulme