Grusher Proxy Service

Available starting with build_352

The new proxy module for Grusher is now in active development, and it marks another important step toward a truly flexible and scalable infrastructure.

Core Operating Principle

When Grusher needs to retrieve data via SNMP, it does not directly contact the network equipment. Instead, it sends an encrypted request to the Grusher Proxy. The proxy performs the SNMP operation on the server side and returns an encrypted response.

The proxy module will bring several key capabilities:

  • Proxying SNMP (get/walk/set) and Ping requests to remote subnets
  • Isolation of system components
  • Improved scalability and the ability to balance load
  • Simplified integration with external services
  • Support for request caching, logging, and access control

Essentially, it adds an extra layer of abstraction that makes Grusher significantly more powerful.

Installing the Service with systemd

To run the Grusher Proxy Service reliably in the background as a systemd service on Linux, follow these steps:

1. Create the service file

sudo nano /etc/systemd/system/grusher-proxy-service.service

2. Insert the following content:
[Unit]
Description=Grusher SNMP and Ping proxy Service
After=network.target

[Service]
# Path to the binary and working directory (where grusher_proxy_config.json is located)
# No User= is set here, so systemd runs the service as root
ExecStart=/opt/grusher_proxy/grusher-proxy-service
WorkingDirectory=/opt/grusher_proxy/

# Automatic restart on failure
Restart=always
RestartSec=3

# Logging (the log/ directory must already exist; systemd creates the files, not the directory)
StandardOutput=append:/opt/grusher_proxy/log/snmp-service.log
StandardError=append:/opt/grusher_proxy/log/snmp-service.err

[Install]
WantedBy=multi-user.target
3. Manage the service
sudo systemctl daemon-reload                  # Reload systemd configuration
sudo systemctl enable grusher-proxy-service   # Enable autostart on boot
sudo systemctl start grusher-proxy-service    # Start the service
sudo systemctl stop grusher-proxy-service     # Stop the service
sudo systemctl restart grusher-proxy-service  # Restart the service
sudo systemctl status grusher-proxy-service   # Check service status
4. Set up the proxy in Grusher

Go to http://GRUSHER_IP/system/proxies and set up the proxy like this:

[screenshot]

Set the proxy in the device card:

[screenshot]

Set your X_API_KEY

5. Configure the proxy service

Default proxy config

{
  "listen": ":8080",
  "x_api_key": "secret123",
  "shared_encryption_key": "a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0",
  "max_request_age": 60,
  "allowed_ips": [
    "127.0.0.1",
    "::1",
    "192.168.1.0/24"
  ],
  "rate_limit_rps": 1000,
  "burst": 20,
  "workers": 10,
  "queue_size": 1000,
  "cache_ttl": 10,
  "default_timeout": 5,
  "default_retries": 2,
  "log_file": "app.log"
}

Description

| Parameter | Type | Description | Recommended Value | Note |
|---|---|---|---|---|
| listen | string | Address and port on which the server listens (HTTP). | ":8080" | Usually :8080 or :443 (for HTTPS) |
| x_api_key | string | API key for request authorization. Passed in the X-API-Key header. | "secret123" | Better to rename to api_key in config |
| shared_encryption_key | string | 32-byte key (64 hex characters) for AES-256-GCM encryption of requests and responses. | 64 hex characters | Very important. Do not commit |
| max_request_age | integer | Maximum request age in seconds (protection against replay attacks). Requests older than this are rejected. | 60 | Recommended range: 30–120 seconds |
| allowed_ips | array | List of allowed IP addresses or subnets (supports CIDR notation). | ["127.0.0.1", "192.168.1.0/24"] | Very important for security |
| rate_limit_rps | integer | Maximum number of requests per second (Rate Limit). | 30–100 | Increase for heavy polling |
| burst | integer | Maximum number of requests that can be made in a short burst. | 50–100 | Usually 1.5–2x higher than rate_limit_rps |
| workers | integer | Number of concurrent workers (goroutines) processing requests. | 10–30 | Higher = better throughput |
| queue_size | integer | Size of the job queue (if all workers are busy, new requests wait here). | 500–2000 | Larger value reduces rejection risk |
| cache_ttl | integer | Cache lifetime for responses in seconds (0 = cache disabled). | 5–30 | Useful for snmp_get, less for walks |
| default_timeout | integer | Default timeout for a single SNMP request (in seconds). | 5–15 | For walks, better to set 10–20 |
| default_retries | integer | Default number of retries if an SNMP request fails. | 2–3 | Usually 2 is enough |
| log_file | string | Path to the log file. If empty, logs go to the console. | "app.log" | Recommended to specify |

For heavy polling (many ports), increase rate_limit_rps, burst, workers, and queue_size.
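
The security-relevant parameters in the table (x_api_key, shared_encryption_key, max_request_age, allowed_ips) can be checked before the service is started. The following is an added example, not part of the Grusher code base: it lints a grusher_proxy_config.json for the documented sample secrets, a malformed key, a replay window outside the recommended range, and allowlist entries that fail to parse or admit every address. AuditConfig, its finding strings, and the constructed sampleConfig input are hypothetical names introduced for this example.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net"
)

// Sample secrets printed in the documentation, and a constructed config that still uses them.
const docAPIKey = "secret123"
const docSharedKey = "a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0"
const sampleConfig = `{"x_api_key":"secret123","shared_encryption_key":"` + docSharedKey + `","max_request_age":60,"allowed_ips":["127.0.0.1","0.0.0.0/0"]}`

// AuditConfig (hypothetical helper) returns one finding per risky setting in the proxy config.
func AuditConfig(raw []byte) ([]string, error) {
	var c struct {
		APIKey     string   `json:"x_api_key"`
		SharedKey  string   `json:"shared_encryption_key"`
		MaxAge     int      `json:"max_request_age"`
		AllowedIPs []string `json:"allowed_ips"`
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	var f []string
	if c.APIKey == "" || c.APIKey == docAPIKey {
		f = append(f, "x_api_key: empty or the documented sample value")
	}
	if k, err := hex.DecodeString(c.SharedKey); err != nil || len(k) != 32 || c.SharedKey == docSharedKey {
		f = append(f, "shared_encryption_key: not 32 hex-encoded bytes, or the documented sample")
	}
	if c.MaxAge < 30 || c.MaxAge > 120 {
		f = append(f, "max_request_age: outside the recommended 30-120 s")
	}
	for _, e := range c.AllowedIPs {
		if _, n, err := net.ParseCIDR(e); err == nil {
			if ones, _ := n.Mask.Size(); ones == 0 {
				f = append(f, "allowed_ips: "+e+" admits every address")
			}
		} else if net.ParseIP(e) == nil {
			f = append(f, "allowed_ips: cannot parse "+e)
		}
	}
	return f, nil
}

func main() {
	fmt.Println(AuditConfig([]byte(sampleConfig)))
}
```

Run it against the deployed config file before enabling the unit; the config holds both secrets in clear text, so its file permissions deserve the same attention as its contents.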

Download proxy

  • v0.2 - Added AES-256-GCM encryption support + replay-attack fix (Download)
  • v0.1 - first release

Test run

Unpack to /opt/grusher_proxy/

cd /opt/grusher_proxy/
chmod +x grusher-proxy-service 
./grusher-proxy-service 

This setup ensures the proxy service starts automatically after system boot, restarts in case of failure, and keeps logs in the designated directory.

The new proxy module represents a major enhancement to the Grusher ecosystem, paving the way for more robust, secure, and scalable network monitoring and management.