The Tealeaf Packet Forwarder can be configured through the configuration files that are stored in the installation directory.
The typical scenario of a Cloud website would include an elastic load balancer (ELB) to distribute web traffic to a dynamically provisioned web server tier that consists of multiple web-server instances. Each web-server instance would have a Packet Forwarder installed to forward the captured web traffic to a centralized CX PCA. The CX PCA runs on a virtual machine instance and processes the web traffic. After the web-server instance is properly configured, an Amazon machine instance (AMI) is created for the instance. The AMI is then dynamically provisioned to provide as many instances as needed.
Configuring a Packet Forwarder to communicate with the CX PCA
To process web traffic in a cloud-based environment, a packet forwarder must be configured to transmit data to a central CX PCA that is operating on a virtual machine.
The following prerequisites must be completed before you configure the packet forwarder software.
- All installation and configuration operations must be completed using the root user account. Using the sudo command may not provide sufficient permissions to allow system parameter modifications and might cause an incomplete or incorrect installation.
- Install the packet forwarder software.
Use the following steps to configure the packet forwarder and CX PCA for communication in your cloud-based environment.
- Locate /usr/local/ctccap/etc/fwdr-conf.xml on the reverse proxy server or on the virtual web server that is hosting the packet forwarder transmitter.
- Back up the existing configuration file by copying /usr/local/ctccap/etc/fwdr-conf.xml to a backup directory.
  If your configuration file becomes corrupted or invalid, you can restore from your backup or create a new configuration file from fwdr-conf-defaults.xml, which contains the default configuration settings for the packet forwarder.
- Edit /usr/local/ctccap/etc/fwdr-conf.xml.
  You can use the vi editor or another text editor to edit the configuration file.
- Locate the <PrimaryInterface> tag and edit the virtual NIC device name for the packet forwarder. The packet forwarder captures the traffic from the web server on this device. For most installations, eth0 is used as the device name.
- Edit the port numbers to reflect the traffic ports that are used for your server.
  The default capture traffic filter rule is defined to listen to port 80 and 443 traffic.
  Example port settings:
    <ListenTos>
      <ListenTo>
        <Port>80</Port>
        <Port>443</Port>
      </ListenTo>
    </ListenTos>
- Locate the Delivery tag and edit the delivery network connection for the packet forwarder. This connects the packet forwarder to the centralized CX PCA VM instance.
  Example delivery network connection settings:
    <Peers>
      <Peer>
        <Address>127.0.0.1</Address>
        <Port>1888</Port>
      </Peer>
    </Peers>
- Locate and edit the <Address> and <Port> tags to match the assigned internal IP address and port of the CX PCA that is installed on the virtual machine.
  Example setting for the CX PCA VM internal IP address:
    <Peers>
      <Peer>
        <Address>127.0.0.1</Address>
        <Port>1888</Port>
      </Peer>
    </Peers>
  Note: The <Port> tag defines the port number of the base network connection. This base port number defines the start of the block of port numbers that are used by the web server instances that can be provisioned. For example, if you know that there will be a maximum of five web-server instances that can be dynamically provisioned, and the block of ports starts with 1888, then port numbers 1888 - 1892 would be used for the five instances.
- Locate and edit the <MaxRotatePeers> tag to define the maximum number of web server instances that can be dynamically provisioned. The default is set to 1, for a single web-server instance where no other instances of the packet forwarder are used in the web server tier.
  Note: If you are statically assigning a fixed number of web server instances with associated packet forwarders, then <MaxRotatePeers> remains set to the default value of 1. Each packet forwarder has to be configured with a unique port number to identify a unique network connection to the centralized CX PCA VM instance. The port numbers must be assigned in sequential order; this is required by the socket receiver of the CX PCA when it is configured for the packet forwarders' network connections. If you start with port number 1888 for the first packet forwarder, then five of them would use ports 1888 through 1892.
- Save your changes to the configuration file.
- You must configure a packet forwarder receiver instance for each Packet Forwarder transmitter instance that you have deployed.
Once the packet forwarder is running, you can also perform the following actions:
- Check the status of a packet forwarder by running service pktfwdr status.
- Stop a packet forwarder by running service pktfwdr stop.
- View the statistics for a packet forwarder by running ctcstats -p.
Configuring a Packet Forwarder receiver and the CX PCA to receive forwarded packets
To process web traffic in a cloud-based environment, Packet Forwarder receiver instances must be deployed to the central cloud-based CX PCA that is operating on a virtual machine.
For each packet forwarder transmitter instance that is deployed, you must also deploy a Packet Forwarder receiver instance on the CX PCA server.
Complete the following steps to configure the settings for a packet receiver.
- Log in to CX PCA web console.
- Change the number of pipelined instances in the Pipeline tab as desired.
  Depending on whether CX PCA privacy rules have been applied, the default number of CX PCA pipelined processes is set to one. This might be insufficient and can be increased to handle the processing load, provided that the VM instance has sufficient resources, such as enough processor cores, to support the increase.
- Save the changes to the CX PCA but do not restart the CX PCA at this time.
- Edit the CX PCA configuration file ctc-conf.xml.
- Locate the Capture tag section in the configuration file and change the content of this section to:
    <ListenerSocketEnabled>true</ListenerSocketEnabled>
    <TransparentLoadBalancingEnabled>false</TransparentLoadBalancingEnabled>
    <SslSessionInfoOnMemcachedServer>false</SslSessionInfoOnMemcachedServer>
  Note: If the CX PCA is configured to decrypt SSL traffic from the packet forwarder, then set <SslSessionInfoOnMemcachedServer> to true.
- Locate the socket receiver settings and edit the settings for your network environment.
  The following example displays the default socket receiver settings:
    <Listener>
      <Module>pktr</Module>
      <Logfile>/var/log/tealeaf/listener.log</Logfile>
      <BasePort>1888</BasePort>
      <Instances>1</Instances>
      <Options>
        <Option>
          <Value>-p</Value>
        </Option>
      </Options>
    </Listener>
  The BasePort tag defines the base port number that is used by the packet forwarders. The CX PCA must use the same base port number to correctly capture traffic from the packet forwarder or forwarders. The default setting is to use a base port of 1888 and to receive from only one packet forwarder. The Instances tag defines the maximum number of packet forwarders that the CX PCA will connect to. Set this value to the total or maximum number of deployed packet forwarders.
- Save your changes to ctc-conf.xml.
- Start the CX PCA.
- After the CX PCA has restarted, you can start your web server tier and any deployed packet forwarder. Run service pktfwdr start to start the packet forwarder daemon.
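As an added example (not part of the Tealeaf documentation or the product), the following Python check reads a forwarder's fwdr-conf.xml and the CX PCA's ctc-conf.xml and verifies the port-block rules from the two procedures above: the forwarder's delivery <Port> must equal the receiver's <BasePort>, the receiver's <Instances> must cover every port the forwarders can rotate to (BasePort through BasePort + MaxRotatePeers - 1), <ListenerSocketEnabled> must be true, and the peer <Address> should be the PCA VM's internal address rather than a loopback or public one. The sample files and their <Config>/<Delivery> wrappers are constructed here, so the lookups search the whole tree instead of assuming the real nesting.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples modelled on the page's examples; the <Config>/<Delivery> wrappers are assumptions, so lookups below search the whole tree (.//).
FWDR_CONF = """<Config>
  <Delivery>
    <Peers><Peer><Address>10.0.1.20</Address><Port>1888</Port></Peer></Peers>
    <MaxRotatePeers>5</MaxRotatePeers>
  </Delivery>
</Config>"""

CTC_CONF = """<Config>
  <Capture>
    <ListenerSocketEnabled>true</ListenerSocketEnabled>
    <Listener><Module>pktr</Module><BasePort>1888</BasePort><Instances>5</Instances></Listener>
  </Capture>
</Config>"""

def forwarder_port_block(fwdr_xml):
    """(peer address, first port, last port) a forwarder may deliver to."""
    root = ET.fromstring(fwdr_xml)
    peer = root.find(".//Peers/Peer")
    base = int(peer.findtext("Port"))
    rotate = int(root.findtext(".//MaxRotatePeers") or 1)  # page default is 1
    return peer.findtext("Address"), base, base + rotate - 1

def receiver_port_block(ctc_xml):
    """(listener enabled, first port, last port) the CX PCA listens on."""
    root = ET.fromstring(ctc_xml)
    listener = root.find(".//Listener")
    base = int(listener.findtext("BasePort"))
    instances = int(listener.findtext("Instances"))
    enabled = (root.findtext(".//ListenerSocketEnabled") or "").strip() == "true"
    return enabled, base, base + instances - 1

def check_pair(fwdr_xml, ctc_xml):
    """List mismatches between a forwarder's delivery settings and the receiver."""
    problems = []
    addr, f_first, f_last = forwarder_port_block(fwdr_xml)
    enabled, r_first, r_last = receiver_port_block(ctc_xml)
    if not enabled:
        problems.append("ListenerSocketEnabled is not true on the CX PCA")
    if f_first != r_first:
        problems.append(f"base port mismatch: forwarder {f_first}, receiver {r_first}")
    if f_last > r_last:
        problems.append(f"forwarders may use ports up to {f_last}, receiver stops at {r_last}")
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or not ip.is_private:
        problems.append(f"peer address {addr} is not an internal address of the CX PCA VM")
    return problems
```

Run it against the real /usr/local/ctccap/etc/fwdr-conf.xml and ctc-conf.xml contents before starting the web server tier; an empty list means the two sides agree on the port block.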
Once the packet forwarder receiver is running, you can also perform the following actions:
- Check the status of a packet forwarder by running service pktfwdr status.
- Stop a packet forwarder by running service pktfwdr stop.
- View the statistics for a packet forwarder by running ctcstats -p.
Automatically configuring multiple packet forwarders from a PCA
Use this task to configure multiple packet forwarders at once, instead of one at a time.
You need to modify the initconn script on the packet forwarder to include the IP address of the PCA. After you modify the script, you restart the initconn service manually on the command line or by restarting your web server.
- Create public and private RSA key pairs on the PCA machine.
- On each packet forwarder, add the public RSA key to the authorized_keys file under root: cat <public key> >> ~/.ssh/authorized_keys.
- On the packet forwarder:
  - Modify the initconn script in the sbin directory. Add the IP address of the PCAs in your configuration to the file.
  - Restart the initconn service, either by restarting your web server or by entering service initconn restart.
  - Create a new image or save this image to create additional packet forwarders. For AWS, this means creating a new AMI image.
  - Use the image you created in Step 3c to create additional packet forwarder instances that you want to be automatically configured. How you do this depends on the cloud platform. For AWS, this can be done by creating new instances from an AMI image.
- On the PCA machine:
  - Modify the pfconf-conf.xml file in the <installdir> directory and enter the IP address and maximum number of peers for the PCAs in your solution.
  - Enter ./pfconf -s to configure the rest of the packet forwarders associated with the PCA machine. If you want the pserv process to listen on a port other than the default 1880 port, enter ./pfconf -s <port number>.
  - Optional: Manually modify the packet forwarder configuration locally on the master PCA. If you want to set the configuration for just one of the packet forwarders, edit the fwdr-conf.xml file for that packet forwarder. Each packet forwarder has a configuration file in <installdir>/etc/pf-confs/<ipaddress>/fwdr-conf.xml. Any changes you make to this file are picked up by the pfconf script when it runs. The script sends the edited configuration to the packet forwarder and restarts the service to use the new configuration.