Set up proxies

This page describes how to set up HTTP communication proxies and how to use HTTP tunneling when communication must pass through complex proxy or firewall chains.

Overview

AppMon endpoints such as the AppMon Client, AppMon Collector, and AppMon Server can communicate through HTTP proxies, which keeps them compatible with the wide variety of web and intranet setups. AppMon also supports HTTP tunneling, which wraps all traffic between components in HTTP requests.

HTTP tunneling

Use HTTP tunneling when you want to communicate through complex proxy or firewall chains. The AppMon HTTP tunneling approach uses standard HTTP POST messages to transmit all data necessary for communication between the AppMon endpoints. This makes AppMon fully compatible with HTTP reverse proxies. Use the HTTP tunneling feature whenever reverse proxies are involved in connecting two AppMon endpoints. However, due to the technical limitations of the HTTP protocol, this tunneling approach increases traffic and affects throughput and performance.

Default ports

If HTTP tunneling is enabled, the AppMon Server listens on the default HTTP tunnel port, 8023, for both the Collector and the Client. Change this port in the Services pane of the Dynatrace Server Settings dialog box.

AppMon Server

You can configure all other related settings in the AppMon Client in the Services pane of the Dynatrace Server Settings dialog box, as shown below.

Services pane of the server settings dialog box

AppMon Client

To connect the AppMon Client to the AppMon Server using an HTTP tunnel, the Server's HTTP tunnel port has to be configured in the AppMon Client. All options are available in the Connectivity pane of the Dynatrace Server Settings dialog box for the AppMon Server.

Connectivity pane of the server settings dialog box

AppMon Collector

While the AppMon Client and AppMon Server connectivity settings are configured in the UI, the AppMon Collector's setup is stored in <DT_HOME>/collector/conf/collector.config.xml on the machine where the AppMon Collector is installed.

This table lists the related XML attributes, values, and defaults:

| XML attribute | Description | Value type | Default |
| --- | --- | --- | --- |
| usetunnel | Whether to use HTTP tunneling for this collector's connections. | true, false | false |
| tunnel | Server tunnel address. Change hostname or port on demand. | String | http://localhost:8023/tunnel |

Connect using forward proxies

HTTP CONNECT is used for forward proxies. The active component initiating the connection must tell the proxy which endpoint it wants to be connected to, using the CONNECT request. As soon as the connection is established, all communication is made without HTTP requests, so communication has less overhead and performance is better.

Connect the AppMon Client

Use the Via Proxy setting in the Connectivity pane of the Server Settings dialog box to connect an AppMon Client and the AppMon Server using a forward proxy.

Enter the proxy's address and port, and optionally enter user credentials if authentication is required. Preemptive authentication is used by default. Preemptive authentication can only be turned off by editing the Client's <DT_HOME>/client/conf/client.config.xml file and setting the usepreemtiveproxyauth attribute to false.
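The CONNECT exchange and the preemptive authentication described above, as an added example that is not part of the original page or of AppMon's own code. It builds the request the connecting component sends, interprets the proxy's reply, and shows what a preemptively sent credential exposes on the path to the proxy; the Basic scheme and the constructed proxy replies are assumptions, and the host, port and credentials are the page's sample values.

```python
import base64

def build_connect(host, port, user=None, password=None):
    """Bytes the connecting component sends to the forward proxy."""
    authority = f"{host}:{port}"
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    if user is not None:
        # Preemptive: credentials ride on the first request, before any 407.
        # Assumption: Basic scheme (the page does not name the scheme).
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_reply(raw):
    """Return (status_code, headers) parsed from the proxy's reply head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def next_step(raw_reply, sent_credentials):
    """Decide what the connecting component does after the proxy answers."""
    status, _ = parse_reply(raw_reply)
    if 200 <= status < 300:
        return "tunnel-open"  # bytes after this point are not HTTP requests
    if status == 407:
        return "credentials-rejected" if sent_credentials else "retry-with-credentials"
    return "refused"

def visible_credentials(request):
    """Credentials readable on the client-to-proxy path (Basic is only base64)."""
    for line in request.decode("ascii").split("\r\n"):
        if line.lower().startswith("proxy-authorization: basic "):
            return base64.b64decode(line.split(" ", 2)[2]).decode()
    return None

# Constructed proxy replies for the demonstration.
OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
CHALLENGE = b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic\r\n\r\n"

if __name__ == "__main__":
    req = build_connect("dynatrace", 6699, "myusername", "mypass")
    print(req.decode(), next_step(OK, True), visible_credentials(req))
```

Because the credential is recoverable from the first request, the hop between the connecting component and the forward proxy should stay on a trusted network segment.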

Connect the AppMon Collector

To configure an AppMon Collector, open the <DT_HOME>/collector/conf/collector.config.xml file and set the following XML attributes to your environment:

<dynatrace>
  <collectorconfig serveraddress="dynatrace" serverport="6699"
    useproxy="true" proxyhost="companyproxy" proxyport="8080"
    useproxyauthentication="true" proxyusername="myusername" proxypassword="mypass"
    compress="true">
  </collectorconfig>
</dynatrace>

Note

You must set the useproxy and optionally the useproxyauthentication attribute to true. Otherwise, the AppMon Collector ignores your proxy settings.

Use a proxy password

To avoid saving any clear-text passwords in configuration files, the password to authenticate at the proxy server is transferred to a password-protected KeyStore.

AppMon Collector

There are two ways to configure the proxy password for the Collector; both have the same effect. At the first startup, the password is transferred to the KeyStore and deleted from the corresponding configuration file, together with the identifier of the option. To update the proxy password, add the identifier and the password again to one of the two configuration files; this replaces the existing password. Similarly, to delete the password, provide an empty string as the password.

In <DT_HOME>/collector/conf/collector.config.xml using "proxypassword=":

<dynatrace>
  <collectorconfig serveraddress="dynatrace" serverport="6699"
    useproxy="true" proxyhost="companyproxy" proxyport="8080"
    useproxyauthentication="true" proxyusername="myusername" proxypassword="mypass"
    compress="true">
  </collectorconfig>
</dynatrace>

In <DT_HOME>/dtcollector.ini:

-Dtransfer.to.keystore.collector.proxypassword=mypass
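
The Note on useproxy and the KeyStore transfer described in this section can both be checked from the files themselves. The following added example (not part of the original page or of AppMon's tooling) audits the text of collector.config.xml and dtcollector.ini; treating an absent useproxy or useproxyauthentication attribute as false is an assumption, and the sample inputs are constructed from the page's snippet.

```python
import xml.etree.ElementTree as ET

INI_KEY = "-Dtransfer.to.keystore.collector.proxypassword="

def audit_collector(config_xml, ini_text=""):
    """Return a list of findings for collector.config.xml and dtcollector.ini text."""
    cfg = ET.fromstring(config_xml).find("collectorconfig")
    if cfg is None:
        return ["no <collectorconfig> element found"]
    attrs = cfg.attrib
    findings = []

    def enabled(name):
        # Assumption: an absent switch counts as false.
        return attrs.get(name, "false").strip().lower() == "true"

    # The Collector ignores proxy settings unless useproxy="true".
    if (attrs.get("proxyhost") or attrs.get("proxyport")) and not enabled("useproxy"):
        findings.append("proxy host/port set but useproxy is not true")
    if attrs.get("proxyusername") and not enabled("useproxyauthentication"):
        findings.append("proxyusername set but useproxyauthentication is not true")
    # A non-empty value means no startup has moved it to the KeyStore yet;
    # an empty value is the page's "delete the password" request, so it is not flagged.
    if attrs.get("proxypassword"):
        findings.append("clear-text proxypassword in collector.config.xml")
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith(INI_KEY) and line[len(INI_KEY):]:
            findings.append("clear-text proxypassword in dtcollector.ini")
    return findings

# Constructed samples based on the page's configuration snippet.
PENDING = """<dynatrace>
  <collectorconfig serveraddress="dynatrace" serverport="6699"
    useproxy="true" proxyhost="companyproxy" proxyport="8080"
    useproxyauthentication="true" proxyusername="myusername" proxypassword="mypass"
    compress="true">
  </collectorconfig>
</dynatrace>"""
IGNORED = """<dynatrace>
  <collectorconfig serveraddress="dynatrace" serverport="6699"
    proxyhost="companyproxy" proxyport="8080" proxyusername="myusername"/>
</dynatrace>"""

if __name__ == "__main__":
    for name, text in (("PENDING", PENDING), ("IGNORED", IGNORED)):
        print(name, audit_collector(text, INI_KEY + "mypass"))
```

A finding for a clear-text password after the Collector has been started at least once indicates that the transfer to the KeyStore did not take place for that file.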

Example reverse proxy configuration (using apache2 on ubuntu)

Reverse proxy configuration is made through the /etc/apache2/httpd.conf file.

After changing the configuration, restart the apache2 daemon with the command: /usr/sbin/apache2ctl restart.

Log files can be found at /var/log/apache2.

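The following example sets up a proxy chain consisting of three proxies running on one host using httpd.conf. Ports 9002 and 9003 run with ProxyRequests On while the <Proxy *> block allows all clients, so on any host reachable from untrusted networks, restrict access to those ports (for example, to localhost).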

ServerName proxychain
LogLevel INFO

<Proxy *>
  Order deny,allow
  Allow from all
</Proxy>

Listen 9005
NameVirtualHost *:9005
<VirtualHost *:9005>
  ProxyRequests Off
  Header set Host "proxydemo.anywhere.com:8023"
  ProxyPass /anyurl http://proxydemo.anywhere.com:8023/tunnel
  ProxyPassReverse /anyurl http://proxydemo.anywhere.com:8023/tunnel
  ProxyRemote * http://localhost:9002/
</VirtualHost>

Listen 9002
NameVirtualHost *:9002
<VirtualHost *:9002>
  ProxyRequests On
  ProxyRemote * http://localhost:9003/
</VirtualHost>

Listen 9003
NameVirtualHost *:9003
<VirtualHost *:9003>
  ProxyRequests On
</VirtualHost>

Set up reverse proxy to support SSL

Load SSL modules at Apache startup

Set links to SSL library and proxy SSL support in /etc/apache2/mods-enabled:

ln -s ../mods-available/ssl.load ssl.load
ln -s ../mods-available/ssl.conf ssl.conf
ln -s ../mods-available/proxy_connect.load proxy_connect.load

Retrieve a certificate/key file

Use an existing certificate, or create a self-signed one (for testing purposes only; it should not be used in production). See: http://www.debuntu.org/how-to-create-a-self-signed-certificate

See also: http://www.debuntu.org/ssh-key-based-authentication

Enable SSL for the reverse proxy

...

Listen 9005
NameVirtualHost *:9005
<VirtualHost *:9005>

  SSLEngine on
  SSLOptions +StrictRequire
  SSLCertificateFile /path/to/server.crt
  SSLCertificateKeyFile /path/to/server.key

  ProxyRequests Off
  Header set Host "proxydemo.anywhere.com:8023"
  ProxyPass /anyurl http://proxydemo.anywhere.com:8023/tunnel
  ProxyPassReverse /anyurl http://proxydemo.anywhere.com:8023/tunnel
  ProxyRemote * http://localhost:9002/
</VirtualHost>
...