Web Access Advanced Configuration
Web Access Bastion
Cluster Name
clusterName: defaultCluster
Each Bastion is uniquely identified by combining the Privilege Access ID Authentication Method and the Cluster Name.
It means that changing the Privilege Access ID or the Cluster Name of your Bastion instance will create an entirely new Bastion instance.
It is recommended to set a meaningful Cluster Name for your Bastion cluster from the very beginning. By default, your cluster name is defaultCluster.
To do that, you can set the clusterName="meaningful-cluster-name"
field as part of the Bastion deployment.
Proxy
To configure your proxy settings, you can set several parameters, including proxy settings for HTTP traffic, HTTPS traffic, and Ignore Hosts, using the no_proxy
field, to prevent local traffic from going through your proxy server.
# Linux system HTTP Proxy
httpProxySettings:
http_proxy: ""
https_proxy: ""
no_proxy: ""
Log Forwarding
To enable log forwarding to an existing log management system, please find a list of available target systems and configurations on this page.
logForward: |
target_log_type="splunk"
target_splunk_sourcetype=""
target_splunk_source=""
target_splunk_index=""
target_splunk_token=""
target_splunk_url=""
WebWorker
This section enables global settings of the internal dedicated remote browsers your users will use. You can customize the settings to provide a more flexible experience for your users.
Default policies
sections aimed to provide the most secure work mode. By default, all URLs
are blocked hence users will not be able to navigate inside the remote browser to different sites. If needed, set the relevant URLs
in the Exceptions
list.
webWorker:
config:
displayWidth: 2560
displayHeight: 1200
policies: |
{
"policies": {
"BlockAboutConfig": true,
"BlockAboutAddons": true,
"BlockAboutProfiles": true,
"BlockAboutSupport": true,
"DisableDeveloperTools": true,
"DisableFirefoxAccounts": true,
"DisablePasswordReveal": true,
"DisablePrivateBrowsing": true,
"DisableProfileImport": true,
"DisableSafeMode": true,
"OfferToSaveLogins": false,
"OfferToSaveLoginsDefault": false,
"PasswordManagerEnabled": false,
"Proxy": {
"Mode": "none",
"Locked": true
},
"Preferences": {},
"Certificates": {
# "Install": ["/etc/ssl/certs/yourOrgRootCA.crt"]
},
"WebsiteFilter": {
"Block": [
"<all_urls>"
],
"Exceptions": [
"https://*.akeyless.io/*"
]
}
}
}
Notice: If your organization uses private certificate authorities (CAs) to issue certificates for your internal web apps, and you either wish to access those websites through the web-access-bastion, or if your apiGatewayURL is pointing to a Gateway that uses such a certificate, you must configure the WebWorkers as follows:
- Mount your organization's Root CA certificate to the pods. For the Gateway specifically, in the helm-chart, you can specify an existing k8s-secret for the gateway tls certificate under apiGatewayCert.tlsCertsSecretName (see ztwa/values.yaml)
- In the
policies.json
above, uncomment the Certificates.Install line and set it to the relevant certificates' paths inside the pod
DLP
To work with Data Leak Protection (DLP) tools, you can explicitly set the target settings of your DLP server, as well as with dedicated audit logs forwarding.
dlp:
enabled: false
config:
hostAddress: ""
# host/{pathPrefix}
pathPrefix: ""
# FORCING or LEARNING
mode: ""
logLevel: "INFO"
audit: |
target_log_type="splunk"
target_splunk_sourcetype=""
target_splunk_source=""
target_splunk_index=""
target_splunk_token=""
target_splunk_url=""
Redirect to Bastion URLs
To ensure only validated redirects are accepted, you can harden your bastion using the allowedBastionUrls
variable with a list of URLs that will be considered valid for redirection from the Akeyless Zero Trust Portal back to the relevant web-dispatcher-bastion:
dispatcher:
config:
# List of URLs that will be considered valid for redirection from the Portal back to the bastion
allowedBastionUrls: []
Disable Fullscreen Mode
When set to true
, this option disables the default fullscreen mode for Web Access sessions and also shows the internal browser address bar. To use this feature, the following should be added in the webWorker
section under env
:
webWorker:
env:
- name: DISABLE_FULLSCREEN
value: "true"
Updated 13 days ago