For teams that use a Link Agent configuration file, Link Agent v2.13.0 offers two new features that give you more control over how your Link Agent runs:
- Connection filters: restrict outbound connections from the Link Agent
- Auto-reload: immediately apply configuration changes to certain settings without restarting the Link Agent
Connection filters
In some cases, you may want to restrict the hosts your Link Agent is allowed to connect to. Previously, it was necessary to use a firewall to restrict outbound Link Agent connections. In v2.13.0, you can now use connection filters to provide more granular connection control. Connection filters can only be specified from the Link Agent configuration file.
Using connection filters to block connections may result in errors in the application under test if connections to dependent resources are blocked. Connection filters are only recommended when absolutely necessary, such as for satisfying mandatory security or compliance requirements.
Connection filters require two settings: mode and destinations. The following examples show the same filter as it could be added to a JSON or a YAML Link Agent configuration file:

```json
"connectionFilter": {
  "mode": "deny",
  "destinations": [
    "example.com",
    "10.0.0.0/8:22",
    "127.0.0.1",
    ":80"
  ]
}
```

```yaml
connectionFilter:
  mode: deny
  destinations:
    - example.com
    - 10.0.0.0/8:22
    - 127.0.0.1
    - :80
```
Modes
Connection filters can be configured in one of three modes:
- allow: The Link Agent is allowed to connect only to targets matching the filter
- deny: The Link Agent is allowed to connect to any target except those matching the filter
- disabled: The connection filter is disabled. This option is mainly for debugging purposes to allow turning on/off the filter without removing the configuration
Destinations
Destinations represent the target for the connection filter. They may be specified using a host expression, a port, or both using one of the following forms:
- Host only: [host-expression]
- Port only: :[port]
- Host and port: [host-expression]:[port]
A host can be specified using a single IP address, CIDR block, or FQDN suffix. The following table lists examples of supported host expressions:
| Expression | Matching examples | Non-matching examples |
|---|---|---|
| Single IP address | 10.1.2.3 | 10.1.2.4, 10.0.0.1 |
| CIDR block | 10.1.2.3, 10.24.36.200 | 11.1.2.3, 192.168.1.1 |
| FQDN suffix (domain) | example.co, www.example.co | example.com, example.co.uk |
| Specific FQDN | www.example.com, 1.www.example.com | www1.example.com, api.example.com |
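The modes and destination forms described above, modeled as an added example (not Link Agent's own code) that pre-checks a filter against the hosts an application under test depends on, so blocked dependencies show up before the agent is started. It assumes IPv4 only, no DNS resolution before IP or CIDR matching, and FQDN suffix matching on label boundaries as the table shows; `DEPS` and all function names are constructed for illustration.

```python
import ipaddress

# Filter from the page's sample configuration.
PAGE_FILTER = {"mode": "deny",
               "destinations": ["example.com", "10.0.0.0/8:22", "127.0.0.1", ":80"]}
# Constructed dependency list for the application under test (hypothetical).
DEPS = [("api.example.com", 443), ("10.2.3.4", 22), ("10.2.3.4", 5432),
        ("127.0.0.1", 8080), ("staging.internal.test", 80), ("notexample.com", 443)]

def parse_destination(dest):
    """Return (host_expression or None, port or None). Assumes no IPv6 literals."""
    host, sep, port = dest.rpartition(":")
    if not sep:  # no colon: host only
        return dest, None
    return (host or None), int(port)

def host_matches(expr, host):
    """Single IP, CIDR block, or FQDN suffix on a label boundary; no DNS lookups."""
    try:
        net = ipaddress.ip_network(expr, strict=False)
    except ValueError:  # not an IP or CIDR: treat the expression as an FQDN suffix
        host, expr = host.lower().rstrip("."), expr.lower().rstrip(".")
        return host == expr or host.endswith("." + expr)
    try:
        return ipaddress.ip_address(host) in net
    except ValueError:
        return False  # IP/CIDR expression, but the target is a name

def destination_matches(dest, host, port):
    expr, want_port = parse_destination(dest)
    if want_port is not None and want_port != port:
        return False
    return expr is None or host_matches(expr, host)

def is_allowed(conn_filter, host, port):
    """Apply the three documented modes to one outbound connection."""
    mode = conn_filter["mode"]
    if mode not in ("allow", "deny", "disabled"):
        raise ValueError(f"unknown mode: {mode!r}")
    if mode == "disabled":
        return True
    hit = any(destination_matches(d, host, port) for d in conn_filter["destinations"])
    return hit if mode == "allow" else not hit

def blocked_dependencies(conn_filter, deps):
    return [(h, p) for h, p in deps if not is_allowed(conn_filter, h, p)]

if __name__ == "__main__":
    print(blocked_dependencies(PAGE_FILTER, DEPS))
```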
Auto-reload
In addition to connection filters, Link Agent v2.13.0 also supports auto-reload. Previously, if you wanted to update settings in the Link Agent configuration file, you had to restart the Agent to apply the changes. Auto-reload eliminates the need to restart and ensures the Link Tunnel remains active during updates.
To enable auto-reload, pass the -R or --config-reload command-line option when starting the Link Agent. When the auto-reload setting is used in conjunction with a Link Agent configuration file, the Agent automatically monitors that file for changes and applies them when detected:
```
bin/link-agent --config /path/to/config.json -R
# Or:
bin/link-agent -c /path/to/config.yaml --config-reload
```

Currently, the following configuration properties support auto-reload:
- connectionFilter
- httpProxy
- logLevel
- proxyAuth
- proxyAutoConfiguration
- proxyExclusions
- proxyMode