This feature is available as part of the Honeycomb Enterprise plan.
The Honeycomb team will provide you with either a system package, such as a DEB or RPM, or a .tar.gz containing the elements required to run the Secure Proxy.
If we provide a full package, you may not need to create some of the files or directories mentioned here manually, but rather edit their values.
If you choose to install elsewhere, you must specify the location of the configuration file as a command line argument (-hnyconfig flag) to the binary.
mkdir -p /srv/hny
cd /srv/hny
<place file from above step in this directory>
tar --strip-components 1 -xjf <provided_tarball>
Your authentication token is sensitive information and should not be shared outside of the operator(s) of the Secure Proxy.
Run this command to generate a long random hexadecimal token:
head -c64 /dev/urandom | openssl dgst -sha256 -hex | sed -e 's/^.*= //'
If you use a secret management tool, such as Vault, and wish to keep this secret there, use a # to comment out the auth_token line in the configuration file below, and instead set the HONEYCOMB_AUTH_TOKEN environment variable to the correct value when the proxy is started.
Environment variables override the values from the configuration file, so if both are set, the values from the environment will be used.
Add the token from the step above to
The value must be in quotes.
/srv/hny/config/honeycomb.yml is also the file used for other configuration values, like GRPC and HSTS.
# ---- auth_token -----
#
# This token is sent to Honeycomb with each ingest API request. if it doesn't match the value on the
# ingest side (configurable in your team settings on https://ui.honeycomb.io/)
# the request will be rejected.
auth_token: ... # CHANGE ME (hex string, max 255 characters, e.g. "0123456789abcdef0123456789abcdef")
#
# ---- Proxy Metrics setup (optional, but recommended ----
#
# See documentation for info on finding this parameter.
libhoney_writekey: ... # CHANGE ME <copy parameter from team API key, per doc>
#
# ---- GRPC (optional) -----
#
# Address for honeycomb to ingest grpc data. If GRPC is used, this value is required,
# including the port.
# api_grpc_base_url: https://api.honeycomb.io:443
#
# Address on which the proxy should listen for grpc requests.
# Defaults to all interfaces
# grpc_listen_addr: :8081
#
# ---- HSTS (optional) -----
#
# Enable HTTP Strict Transport Security (HSTS)
# (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
# http_strict_transport_security_enabled: false
#
# The maximum time (in seconds) that client browsers should cache the HSTS configuration.
# Must be an integer greater than 0.
# http_strict_transport_security_max_age: 600
#
# ---- Use behind proxies (optional) -----
#
# CORS: normally, the Honeycomb client expects to be talking to the honeycomb UI at
# https://ui.honeycomb.io
#
# This can be overridden in the case of a proxy by uncommenting the line below and
# changing the destination URL:
# ui_base_url: https://ui.honeycomb.io
#
# Client requests must pass CORS. The default behavior is to return the
# "Access-Control-Allow-Origin" header with the value from ui_base_url above.
# If your client requests don't appear to originate from that address,
# you can specify one or more allowed_origins by uncommenting the lines below.
# One of these must exactly match the Origin header to be returned; wildcards
# are not supported.
# allowed_origins:
#   - https://proxy1.myserver.com
#   - https://proxy2.myserver.com
#
# Some browser requests to the Secure Tenancy service are returned with a redirect
# which is normally directed to the ui_base_url. However, if the proxy used by
# the ST service is not the same as the proxy used by the browser, this redirect
# might fail, so you can specify a different address by uncommenting below.
# redirect_url: https://browserproxy.mysite.com
#
# ---- Hashing (optional) ----
#
# Uncomment this line to use hashing instead of encryption. Note that doing so will
# significantly increase the minimum required size and performance of your SQL database.
# See docs for more info.
# transformer: sha256hmac
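The override rule and token format described above can be checked before the proxy is started. This is an added example, not Honeycomb's code: the function names are hypothetical, and it assumes auth_token sits on a single line with a double-quoted value.

```shell
#!/bin/sh
# Added example (not part of the Secure Proxy distribution).
# Resolves the auth token as the page describes: HONEYCOMB_AUTH_TOKEN from the
# environment overrides auth_token in honeycomb.yml. Function names are hypothetical.

# Print the double-quoted auth_token value from a config file.
# Commented-out lines and the unquoted "..." placeholder produce no output.
file_auth_token() {
    sed -n 's/^[[:space:]]*auth_token:[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# check_auth_token <config-file>
# Prints where the effective token came from ("env" or "file"), never the token.
# Returns 0 only if the token is a hex string of at most 255 characters.
check_auth_token() {
    cfg=$1
    if [ -n "${HONEYCOMB_AUTH_TOKEN:-}" ]; then
        token=$HONEYCOMB_AUTH_TOKEN; src=env
    else
        token=$(file_auth_token "$cfg"); src=file
    fi
    if [ -z "$token" ]; then
        echo "no token: set HONEYCOMB_AUTH_TOKEN or a quoted auth_token in $cfg" >&2
        return 1
    fi
    case $token in
        *[!0-9a-fA-F]*)
            echo "token from $src is not a hex string" >&2
            return 1 ;;
    esac
    if [ "${#token}" -gt 255 ]; then
        echo "token from $src is longer than 255 characters" >&2
        return 1
    fi
    echo "$src"
}
```

Run it as `check_auth_token /srv/hny/config/honeycomb.yml` in the same environment the service will start with.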
After installing MySQL on the database server, create or edit /srv/hny/config/mysql.yml to include the following fields, so it is able to connect to the MySQL instance:
user: root
password: ""
host: localhost:3306
database: honeycomb_secure_proxy
maxopenconns: 100
Use this command to create the MySQL database:
mysql -u root -e 'create database honeycomb_secure_proxy;'
Run the database migrations to populate the database schemas:
cd /srv/hny && \
bin/migrate -url "mysql://<user>:<password>@tcp(<host>:<port>)/honeycomb_secure_proxy" -path ./migrate up
If Secure Proxy is connecting to MySQL over TLS, set the
The following values are supported:
false: disables TLS (default)
true: enables TLS, uses the hostname portion of
skip-verify: enables TLS, doesn’t verify ServerName matches the cert
To specify a non-default location for the MySQL configuration file, use the
Do a pre-flight check to ensure that the Secure Proxy installation and the MySQL database are not accessible from outside the private network(s) they are installed in. The MySQL database contains the keys used to encrypt and decrypt information sent to Honeycomb. Be sure to secure the database from untrusted access.
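One way to begin this pre-flight check on the hosts themselves, as an added example that is not part of Honeycomb's tooling: list the listeners bound beyond loopback, since those are the ones whose firewall or security-group rules need verifying. The function names and sample output are constructed; ports 3306 and 8081 are taken from the sample configuration on this page, and the proxy's own HTTP port should be added to the list.

```shell
#!/bin/sh
# Added example (not part of the Secure Proxy distribution).
# Ports are assumptions taken from this page's sample configs:
# 3306 (mysql.yml host) and 8081 (grpc_listen_addr, which defaults to all interfaces).

# Constructed sample of `ss -ltn` output, for trying the parser offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      151    127.0.0.1:3306     0.0.0.0:*
LISTEN 0      4096   *:8081             *:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::1]:3306         [::]:*'

# non_loopback_listeners <port>...
# Reads `ss -ltn` output on stdin and prints "<address>:<port>" for every
# LISTEN socket on one of the given ports that is not bound to loopback.
non_loopback_listeners() {
    awk -v ports=" $* " '
        $1 != "LISTEN" { next }                  # also skips the header line
        {
            n = split($4, parts, ":")            # $4 is Local Address:Port
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (index(ports, " " port " ") == 0) next
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr ":" port
        }'
}

# preflight <port>...
# Runs the check against the live host; returns 1 and names what it found.
preflight() {
    found=$(ss -ltn | non_loopback_listeners "$@")
    [ -z "$found" ] && return 0
    echo "verify firewall rules for:" $found >&2
    return 1
}
```

A clean result only shows that nothing listens beyond loopback on that host; a listener on a private interface still needs its network rules confirmed from outside the private network.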
This step is optional, but recommended.
You can help Honeycomb ensure the quality of our service by sending usage and debugging information from the Secure Proxy to Honeycomb. This data does not contain any sensitive information, and is available to access in your own Honeycomb account.
To enable sending proxy metrics, you must create a new team that is not in high security mode. Log into Honeycomb and go to the Teams page. On that page, use Create Team with a new name for the team.
After creating this new team, set the libhoney_writekey parameter in /srv/hny/config/honeycomb.yml with the team’s API key, which is found on the Account page.
Then, let your Honeycomb representative know about the team name. This team for telemetry information is still under your control, and you can delete the dataset at any time you choose.
systemd, create the following file:
Edit the file to include the following:
[Unit]
Description=Honeycomb Secure Proxy
After=network.target

[Service]
ExecStart=/srv/hny/bin/honeycomb_secure_proxy
KillMode=process
Restart=on-failure

[Install]
# WantedBy is what lets "systemctl enable" start the service at boot.
WantedBy=multi-user.target
Alias=honeycomb_secure_proxy honeycomb_secure_proxy.service
sudo systemctl daemon-reload
Start the system service:
sudo systemctl start honeycomb_secure_proxy
Enable the service to start on boot:
sudo systemctl enable honeycomb_secure_proxy
By default, the Secure Proxy will run on port
When you have deployed the Secure Proxy, configure TLS termination on the load balancer that fronts the proxy instances. If HTTP/HTTPS content is mixed, the Honeycomb browser UI will not load.
Now continue your setup.