Attention : support for WAPT 2.0 ended on June the 30th 2022.

Please upgrade to the latest supported version

Configuring the WAPT agent with advanced options

The configuration file wapt-get.ini defines the behavior of the WAPT agent.

Location of wapt-get.ini by system

System

Location

Windows

C:\Program Files(x86)\wapt\wapt-get.ini

Linux

/opt/wapt/

Mac OS

/opt/wapt/

The [global] section is required.

[global]

After standard installation, the default configuration is:

[global]
waptupdate_task_period=120
wapt_server=https://srvwapt.mydomain.lan
repo_url=https://srvwapt.mydomain.lan/wapt/
use_hostpackages=1

All parameters are not available on agent generation. It is possible to make changes in wapt-get.ini manually or by deploying a WAPT package with the new configuration settings.

An example package is available from the Tranquil IT repository:

https://store.wapt.fr/store/tis-wapt-conf-policy

# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []

def install():

  print('Modify max_gpo_script_wait')
  inifile_writestring(WAPT.config_filename,'global','max_gpo_script_wait',180)

  print('Modify Preshutdowntimeout')
  inifile_writestring(WAPT.config_filename,'global','pre_shutdown_timeout',180)

  print('Disable Hyberboot')
  inifile_writestring(WAPT.config_filename,'global','hiberboot_enabled',0)

  print('Disable Notify User')
  inifile_writestring(WAPT.config_filename,'global','notify_user',0)

  print('Reload WAPT configuration')
  WAPT.reload_config_if_updated()

The function inifile_writestring definition is:

inifile_writestring(inifilename,section,key,value)

Description of available sections

Description of available sections for the WAPT agent

Section

Description

[global]

Global WAPT agent options.

[wapt]

Main repository options.

[wapt-template]

External remote repository options.

[wapt-host]

Repository for host packages options.

[waptwua]

WUA agent options.

[repo-sync]

For synching multiple repositories.

All sections are detailed below.

Description of available options by section

[global]

General settings

Description of available options for the WAPT agent in the [global] section

Options / Default value

Description

Example

WAPT Enterprise feature only allow_remote_reboot = False

Allows rebooting hosts remotely from the WAPT console (default False).

allow_remote_reboot = True

WAPT Enterprise feature only allow_remote_shutdown = False

Allows shutting down the host remotely from the WAPT console (default False).

allow_remote_reboot = True

check_certificates_validity = False

Forces the package certificate’s date and CRL to be verified.

check_certificates_validity = True

dbpath = WAPT root dir)\wapt\db\waptdb.sqlite

Path to the local database file.

dbpath = C:\Program Files(x86\db\waptdb.sqlite

download_after_update_with_waptupdate_task_period = True

Defines whether a download of pending packages should be started after an update with waptupdate_task_period.

download_after_update_with_waptupdate_task_period = False

WAPT Enterprise feature only host_organizational_unit_dn = None

Allows to force an Organizational Unit on the WAPT agent (convenient for assigning a fake OU for out-of-domain PC).

Make sure it respects a consistent case (do not mix “dc”s and “DC”s, for example), which you can find in the console (in the DN/computer_ad_dn fields for each host)

host_organizational_unit_dn = OU=TOTO,OU=TEST,DC=MYDOMAIN,DC=LAN

WAPT Enterprise feature only host_profiles = not defined

Allows to define a WAPT package list that the WAPT agent must install.

host_profiles = tis-firefox,tis-java

language = default locale on client

Forces the default language for the GUI (not for package filtering)

language = en

locales = default locale on client

Allows to set the list of WAPT agent languages to pre-filter the list of packages visible by the WAPT agent (for package filtering). The parameter accepts multiple entries ordered by preference (eg. locales=fr,en).

locales = en

log_to_windows_events = False

Sends the WAPT logs in the Window event log.

log_to_windows_events = True

loglevel = warning

Log level of the WAPT agent. Possible values are: debug, info, warning, critical.

loglevel = critical

maturities = PROD

List of package maturities than can be viewed and installed by WAPT Agent. Default value is PROD.

Only DEV, PREPROD and PROD values are used by Tranquil IT, however any value can be used to suit your internal processes.

maturities = PROD,PREPROD

repo_url = your WAPT repo address

Address of the main WAPT repository.

repo_url = https://srvwapt.mydomain.lan/wapt

repositories = None

List of enabled repositories, separated by a comma. Each value defines a section of the wapt-get.ini file. More info here.

repositories = repo1, repo2

send_usage_report = True

Allows the WAPT console to send anonymous statistics to Tranquil IT. Set to 0 to disable telemetry.

send_usage_report = True

service_auth_type = system

Sets how the self service authentication works. Possible values are: system, waptserver-ldap or waptagent-ldap

service_auth_type = waptserver-ldap

WAPT Enterprise feature only uninstall_allowed = True

Defines whether or not it is possible for the user to uninstall applications via the self-service.

uninstall_allowed = False

WAPT Enterprise feature only use_ad_groups = False

For using group packages (default False).

use_ad_groups = True

use_fqdn_as_uuid = False

Allows to use the FQDN rather than the BIOS UUID as the unique machine identifier in WAPT (default False).

use_fqdn_as_uuid = True

use_hostpackages = False

Defines whether host packages are to be used (default False).

use_hostpackages = True

WAPT Enterprise feature only use_repo_rules = False

Defines whether repositories are replicated (default False).

use_repo_rules = True

waptaudit_task_period = None

Defines the frequency at which audits are triggered.

waptaudit_task_period = 120

wapt_server = None

Defines the WAPT Server URL. If the attribute is not present, no WAPT Server will be contacted.

wapt_server = https://srvwapt.mydomain.lan

waptservice_port = 8088

WAPT agent loopback port. The port is not accessible from the network.

waptservice_port = 8080

waptupdate_task_period = 120m

Defines the update frequency (120 minutes by default).

waptupdate_task_period = 24h

waptupgrade_task_period = None

Defines the upgrade frequency

waptupgrade_task_period = 360

Note

  • If there is no repo_url attribute in the [global] section, then a repository in the [wapt] section will have to be explicitly defined. It will have to be enabled by adding it to the repositories attribute.

  • If there is no wapt_server attribute in the [global] section, then no WAPT Server will be used.

Server settings

These options will set the WAPT agent behavior when connecting to the WAPT Server.

Description of available options for the WAPT agent in the [global] section for server configuration

Options / Default value

Description

Example

public_certs_dir = None

Folder of certificates authorized to verify the signature of WAPT packages.

public_certs_dir = C:\Program Files (x86)\wapt\ssl (on Windows) public_certs_dir = /opt/wapt/ssl/ (on Linux and MacOS)

use_kerberos = False

Use kerberos authentication for initial registration on the WAPT Server (default False).

use_kerberos = True

verify_cert = False

See the documentation on activating the verification of HTTPS certificates

verify_cert = True

wapt_server = None

WAPT Server URL. If the attribute is not present, no WAPT Server will be contacted.

wapt_server = https://srvwapt.mydomain.lan

wapt_server_timeout = 30

WAPT Server HTTPS connection timeout in seconds

wapt_server_timeout = 10

waptexit settings

Description of available options for the WAPT agent in the [global] section for waptexit

Options / Default value

Description

Example

allow_cancel_upgrade = True (default True)

Prevents users from canceling package upgrades on computer shutdown. If disabled, users will not be able to cancel an upgrade on computer shutdown.

allow_cancel_upgrade = True

hiberboot_enabled = True (default None)

Disables Hiberboot on Windows 10 to make waptexit work correctly.

hiberboot_enabled = True

max_gpo_script_wait = None (default None)

Timeout for GPO execution at computer shutdown.

max_gpo_script_wait = 180 (default None)

pre_shutdown_timeout = None

Timeout for scripts at computer shutdown.

pre_shutdown_timeout = 180

WAPT Self-Service and Waptservice Authentification settings

Description of available options for the WAPT agent in the [global] section for the WAPT Self-Service and Waptservice Authentification

Options / Default value

Description

Example

ldap_auth_base_dn = None

Useful with waptagent-ldap, defines the base dn for the LDAP request.

ldap_auth_base_dn = dc=domain,dc=lan

ldap_auth_ssl_enabled = False

Useful with waptagent-ldap, defines whether the LDAP request must be encrypted.

ldap_auth_ssl_enabled = True

ldap_auth_server = None

Useful with waptagent-ldap, defines the LDAP server to contact.

ldap_auth_server = srvads.domain.lan

service_auth_type = system

Defines the authentication system of the WAPT service, available value are system, waptserver-ldap, waptagent-ldap.

service_auth_type = waptagent-ldap

verify_cert_ldap = False

Useful with waptagent-ldap, define whether the certificate should be verified.

verify_cert_ldap = True

waptservice_admin_filter = False

Apply selfservice package view filtering for Local Administrators.

waptservice_admin_filter = True

waptservice_password = None

sha256 hashed password when waptservice_user is used (the value NOPASSWORD disables the requirement for a password).

waptservice_password = 5e884898da

waptservice_user = None

Forces a user to authenticate on the WAPT service.

waptservice_user = admin

wapttray settings

Description of available options for the WAPT agent in the [global] section for the wapttray

Options / Default value

Description

Example

notify_user = False

Prevents wapttray from sending notifications (popup).

notify_user = True

Proxy settings

Description of available options for the WAPT agent in the [global] section for the proxy

Options / Default value

Description

Example

http_proxy = ‘’

HTTP proxy address

http_proxy = http://user:pwd@host_fqdn:port

use_http_proxy_for_repo = False

Use the proxy to access the repositories.

use_http_proxy_for_repo = True

use_http_proxy_for_server = False

Use a proxy to access the WAPT Server.

use_http_proxy_for_server = True

Creating packages settings

Description of available options for the WAPT agent in the [global] section for creating WAPT packages

Options / Default value

Description

Example

default_package_prefix = tis

Default prefix for new or imported packages.

default_package_prefix = doc

default_sources_root = C:\waptdev (Windows) or ~/waptdev (Linux)

Directory for storing packages in development.

default_sources_root = C:\waptdev

default_sources_suffix = wapt

Default prefix for new or imported packages.

default_sources_suffix = doc

personal_certificate_path = ‘’

Path to the Administrator’s private key.

personal_certificate_path = None

[wapt-wua]

Refer to configuring WAPTWUA on the WAPT agent.

Several repository settings

Comprehensive list of repositories usable on wapt-get.ini, another [section] can be added.

Note

Active repositories are listed in the repositories attribute of the [global] section.

Attention

This parameter can be configured both in the WAPT agent configuration and in the WAPT console configuration file C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini.

For information on configuring the WAPT console, please refer to this documentation.

[wapt]

Hint

If this section does not exist, parameters are read from the [global] section.

[wapt-templates]

External remote repositories that will be used in the WAPT console for importing new or updated packages. The Tranquil IT repository is set by default.

[wapt-host]

Repository for host packages. If this section does not exist, default locations will be used on the main repository.

More information on that usage can be found in this article on working with multiple public or private repositories.

Configuring the WAPT console

Hint

the WAPT console configuration is stored in 2 locations:

  • C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini.

  • C:\Users\%username%\AppData\Roaming\waptconsole\waptconsole.ini.

These files are automatically generated when the waptconsole is first launched and it is generated from the wapt-get.ini file configured on the Administrator’s workstation;

Description of available sections

Description of available sections for the WAPT agent

Section

Description

[global]

global console options

[sections]

external repository options. [wapt-template] has Tranquil IT default repositories

[waptwua]

WUA options

All sections are detailed below.

Others sections present on C:\Users\%username%\AppData\Roaming\waptconsole\waptconsole.ini are not editable manually, therefore they are not detailed.

Attention

For parameters both present in wapt-get.ini and waptconsole.ini, values are set in wapt-get.ini and copied to waptconsole.ini. Do not edit manually these parameters.

Description of available options by section

[global]

Several options are available in the [global] section of the waptconsole.ini file.

Description of available options in AppData\Local

Options / Default value

Description

Example

advanced_mode = False

Launches the console in debug mode.

advanced_mode = True

WAPT Enterprise feature only allow_remote_reboot = False

Allows rebooting hosts remotely from the WAPT console (default False).

allow_remote_reboot = True

WAPT Enterprise feature only allow_remote_shutdown = False

Allows shutting down the host remotely from the WAPT console (default False).

allow_remote_shutdown = True

client_certificate = None

If remote repository is using Client Side SSL Authentification

client_certificate = C:\private\org-coder.crt

client_private_key = None

If remote repository is using Client Side SSL Authentification

client_private_key = C:\private\org-coder.pem

check_certificates_validity = False

Forces the package certificate’s date and CRL to be verified.

check_certificates_validity = True

default_maturity = ‘’

Default upload maturity for WAPT packages.

default_maturity = PROD

default_package_prefix = tis

Prefix used for naming WAPT packages.

default_package_prefix = doc

default_sources_root = C:\waptdev (Windows) or ~/waptdev (Linux)

WAPT base package development folder.

default_sources_root = C:\waptdev

grid_hosts_plugins = W10=

External plugins for the WAPT console. Default is W10= because [] in base64.

grid_hosts_plugins = W3siZXhlY3V0YWJsZSI6ImV4cGxd

host_profiles = None

Allows to define a WAPT package list that the WAPT agent must install.

host_profiles = tis-firefox,tis-java

hiberboot_enabled = False

Disables Hiberboot on Windows 10 to make waptexit

hiberboot_enabled = True

http_proxy = None

Address of the proxy server in the WAPT console.

http_proxy = https://proxy.domain.lan

last_usage_report = ‘’

Date when the WAPT console was last used.

last_usage_report = 12/05/2021 18:45:51

lastwaptserveruser = ‘’

Last user logged on this WAPT console.

lastwaptserveruser = admin

max_gpo_script_wait = 180

Timeout for GPO execution at computer shutdown.

max_gpo_script_wait = 360

personal_certificate_path = ‘’

Path to the certificate associated with the Administrator’s private key.

personal_certificate_path = C:\private\mykey.crt

pre_shutdown_timeout = 180

Timeout for scripts at computer shutdown.

pre_shutdown_timeout = 360

repo_url = your WAPT repo address

Address of the main WAPT repository.

repo_url = https://srvwapt.mydomain.lan/wapt

send_usage_report = True

Allows the WAPT console to send anonymous statistics to Tranquil IT. Set to False to disable telemetry.

send_usage_report = True

sign_digests = sha256

List of allowed signature algorithms for the WAPT packages.

sign_digests = sha1

WAPT Enterprise feature only use_ad_groups = False

For using unit packages.

use_ad_groups = True

use_fqdn_as_uuid = False

Allows to use the FQDN rather than the BIOS UUID as the unique machine identifier in WAPT.

use_fqdn_as_uuid = True

use_kerberos = False

Use kerberos authentication for initial registration on the WAPT Server.

use_kerberos = True

use_hostpackages = False

Use host packages.

use_hostpackages = True

use_http_proxy_for_repo = False

Use a proxy to connect to the main WAPT repository from the console.

use_http_proxy_for_repo = True

use_http_proxy_for_server = False

Use a proxy to connect to the WAPT Server from the console.

use_http_proxy_for_server = True

WAPT Enterprise feature only use_repo_rules = False

For replicating repository.

use_repo_rules = True

verify_cert = False

For verifying SSL / TLS certificate.

verify_cert = True

wapt_server = ‘’

Address of the WAPT Server.

wapt_server = https://srvwapt.mydomain.lan

Description of available options on AppData\Roaming

Options / Default value

Description

Example

advanced_mode = False

Launches the console in debug mode.

advanced_mode = True

enable_external_tools = False

Displays the actions that call external applications (RDP, Windows tools etc…).

enable_external_tools = True

enable_management_features = False

Displays the button to create self-signed certificates or to create the WAPT agent’s installer.

enable_management_features = True

hide_unavailable_actions = False

Hides actions that are not available for the WAPT agent

hide_unavailable_actions = True

HostsLimit = 2000

Limit of hosts displayed in the WAPT console.

HostsLimit = 300

language = default locale on client

Force default langage for GUI (not for package filtering)

language = en

lastappinifilename = ‘’

Ini file was actually used by console.

lastappinifilename = C:\Users\%username%\AppData\Roaming\waptconsole\waptconsole.ini

show_host_audit_data_tab = False

Display Audit data tab on host inventory.

show_host_audit_data_tab = True

WAPT Enterprise feature only use_ad_groups = False

For using unit packages (default False).

use_ad_groups = True

use_fqdn_as_uuid = False

Allows you to use the fqdn name rather than the uuid BIOS as the unique machine identifier in wapt (default False).

use_fqdn_as_uuid = True

waptconsole.version = ‘’

Version of console

waptconsole.version = 2.0.0.9424

waptwua_enabled = False

For displaying Windows Update tab on console

waptwua_enabled = True

[sections]

You may add several external repositories by adding [sections] in C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini.

Attention

This parameter can be configured both in the WAPT agent configuration and in the WAPT console configuration C:\Users\%username%\AppData\Local\waptconsole\waptconsole.ini.

For information on configuring the WAPT agent, please refer to this point.

See available parameters and configurations by visiting this documentation on setting up multiple repositories.

Configuring the WAPT Server

The WAPT Server configuration file on GNU/ Linux and macOS systems is found in /opt/wapt/conf/waptserver.ini or in /opt/wapt/waptserver/waptserver.ini.

The WAPT Server configuration file on Windows is found in C:\wapt\conf\waptserver.ini.

Attention

Modification of these files is reserved for advanced users!!

Section [option] of waptserver.ini

Several options can be defined in the [option] section.

[options]
Available parameters for the [option] section of waptserver.ini

Options / Default value

Description

Example

allow_unauthenticated_connect = None

Defines whether websocket connections should be authenticated. If use_kerberos = True, then allow_unauthenticated_connect MUST BE set to False or it will take precedence.

allow_unauthenticated_connect = True

allow_unauthenticated_registration = False

Allows the initial registration of the WAPT agent using a login and password.

allow_unauthenticated_registration = True

allow_unsigned_status_data = False

Debug only - Allows unsigned status data from agent.

allow_unsigned_status_data = True

application_root = ‘’

Defines a custom WAPT server application root path.

application_root = wapt

auto_create_ldap_users = True

Related to user ACLs

auto_create_ldap_users = False

client_certificate_lifetime = 3650

Defines the host certificate lifetime (in days).

client_certificate_lifetime = 500

clients_read_timeout = 5

Defines the websocket client timeout.

clients_read_timeout = 10

clients_signing_certificate = None

Defines the host certificate signing cert path.

clients_signing_certificate = C:\private\org-coder.crt

clients_signing_crl_days = 30

Defines the host certificate signing CRL periodicity (in days).

clients_signing_crl_days = 15

clients_signing_crl = None

Defines the host certificate signing CRL path.

clients_signing_crl = C:\private\org-coder.crt

clients_signing_crl_url = None

Defines the host certificate signing CRL URL.

clients_signing_crl_url = https://srvwapt.mydomain.lan/crl

clients_signing_key = None

Defines the host certificate signing key path.

clients_signing_key = C:\private\org-coder.crt

client_tasks_timeout = 5

Defines the maximum allowed delay before WAPT agent requests timeout.

client_tasks_timeout = True

db_connect_timeout = 3

Defines the maximum allowed delay before PostgreSQL queries timeout.

db_connect_timeout = 10

db_host = None

Defines the url of the PostgreSQL server (by default WAPT use a local Unix Socket).

db_host = https://sql.mydomain.lan

db_max_connections = 90

Defines the maximum simultaneous connections to the PostgreSQL database.

db_max_connections = 100

db_name = wapt

Defines the PostgreSQL database that the WAPT Server will connect to.

db_name = doc

db_password = None

Defines the password for authenticating the user on the PostgreSQL database (by default WAPT use a local UNIX socket).

db_password = WAPT-DB

db_port = 5432

Defines the port of the PostgreSQL server.

db_port = 1365

db_stale_timeout = 300

Defines the database stale timeout.

db_stale_timeout = 500

db_user = wapt

Defines the PostgreSQL user connecting to the database.

db_user = doc

WAPT Enterprise feature only enable_store = False

Enables WAPT Store Webui.

enable_store = False

encrypt_host_packages = False

Encrypts host package with client certificate.

encrypt_host_packages = True

htpasswd_path = None

Adds basic authentication to WAPT Server.

htpasswd_path = True

http_proxy = None

Defines the proxy server to allow the WAPT server to recover its CRL.

http_proxy = http://srvproxy.mydomain.lan:3128

known_certificates_folder = default WAPT /ssl/ folder

Adds additional known CA to verify certificates.

known_certificates_folder = /opt/wapt/ssl/

ldap_auth_base_dn = None

Defines the LDAP authentication base DN.

ldap_auth_base_dn = dc=mydomain,dc=lan

ldap_auth_server = None

Defines the LDAP authentication server.

ldap_auth_server = srvads.mydomain.lan

ldap_auth_ssl_enabled = True

Sets SSL authentication on LDAP connections.

ldap_auth_ssl_enabled = False

loglevel = warning

Defines the log level. Possible values are: debug, info, warning, critical.

loglevel = debug

max_clients = 4096

Sets the maximum simultaneous WAPT clients connection.

max_clients = 2048

min_password_length = 10

Sets the minimum admin password length.

min_password_length = 15

nginx_http = 80

Defines the Nginx web server HTTP port (Windows only).

nginx_http = 8080

nginx_https = 443

Defines the Nginx web server HTTPS port (Windows only).

nginx_https = 44380

remote_repo_support = False

Enables remote repositories functionality from the WAPT Server.

remote_repo_support = True

remote_repo_websockets = True

Enables websocket communication with agents configured as remote repositories.

remote_repo_websockets = False

secret_key = None

Defines the random string for initializing the Python Flask application server. It is generated when first installing the WAPT Server and is unique for every WAPT Server.

secret_key = FKjfzjfkF687fjrkeznfkj7678jknk78687

server_uuid = None

Defines the WAPT Server UUID (this anonymous id is used for WAPT statistics).

server_uuid = 76efezfa6-b309-1fez5-92cd-8ea48fc122dc

signature_clockskew = 300

Defines the maximum allowed time difference for the websockets (in seconds).

signature_clockskew = 72000

token_lifetime = 12*60*60

Defines the authentication token lifetime (in seconds).

token_lifetime = 43200

trusted_signers_certificates_folder = None

Defines the path to the trusted signers certificate directory.

trusted_signers_certificates_folder = C:\private\org-coder.crt

trusted_users_certificates_folder = None

Defines the path to trusted users CA certificate directory.

trusted_users_certificates_folder = C:\private\org-coder.crt

use_kerberos = False

Enables a WAPT agent to register using its kerberos account. If use_kerberos = True, then allow_unauthenticated_connect MUST BE set to False or it will take precedence.

use_kerberos = True

use_ssl_client_auth = False

Enables client certification authentication.

use_ssl_client_auth = True

wapt_admin_group_dn = []

LDAP DN of Active Directory User Group allowed to connect to the WAPT console.

wapt_admin_group_dn = CN=waptadmins,OU=groups,DC=ad,DC=mydomain,DC=lan

wapt_folder = /var/www/wapt or /var/www/html/wapt or WAPT root_dir/waptserver/repository/wapt

Defines the directory path of the WAPT repository.

wapt_folder = /var/www/wapt

wapt_huey_db = None

Defines the path to database that handles tasks.

wapt_huey_db = C:\Program Files(x86)\wapt\db\waptservertasks.sqlite

wapt_password = None

Defines the SuperAdmin password for connecting to the WAPT console.

wapt_password = 46642dd2b1dfezfezgfezgadf0ezgeezgezf53d

waptserver_port = 8080

Defines the WAPT Server python service port, default is 8080.

waptserver_port = 1313

wapt_user = admin

Defines the SuperAdmin username in the WAPT console.

wapt_user = wapt_admin

waptwua_folder = wapt_folder + ‘wua’

Defines the location of WAPT WUA folder.

waptwua_folder = /var/www/waptwua

wol_port = 9

Defines the list of WakeOnLAN UDP ports to send magic packets to.

wol_port = 9,123,4000

wapt_bind_interface = 127.0.0.1

Defines how to listen to the waptserver service.

wapt_bind_interface = 192.168.0.50

Configuring Nginx

The default Nginx configuration is as follows:

server {
  listen                      80;
  listen                      443 ssl;
  server_name                 _;
  ssl_certificate             "/opt/wapt/waptserver/ssl/cert.pem";
  ssl_certificate_key         "/opt/wapt/waptserver/ssl/key.pem";
  ssl_protocols               TLSv1.2;
  ssl_dhparam                 /etc/ssl/certs/dhparam.pem;
  ssl_prefer_server_ciphers   on;
  ssl_ciphers                 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  ssl_stapling                on;
  ssl_stapling_verify         on;
  ssl_session_cache           none;
  ssl_session_tickets         off;
  index index.html;

  location ~ ^/wapt.* {
    proxy_set_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
    proxy_set_header Pragma "no-cache";
    proxy_set_header Expires "Sun, 19 Nov 1978 05:00:00 GMT";
    root "/var/www";
    }

  location / {
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

  location  ~ ^/(api/v3/upload_packages|api/v3/upload_hosts/|upload_waptsetup)  {
    proxy_pass http://127.0.0.1:8080;
    client_max_body_size 4096m;
    client_body_timeout 1800;
    }

  location /wapt-host/Packages {
    return 403;
    }

  location /wapt-host/add_host_kerberos {
    return 403;
    }

  location / {
    proxy_pass http://127.0.0.1:8080;
    }

  location /socket.io {
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_pass http://127.0.0.1:8080/socket.io;
    }
  }
}

Configuring WAPT Server for large deployments

The default operating system, Nginx and Postgresql settings are adapted for around 400 WAPT agents. If you have more than 400 clients it is necessary to modify a few system level parameters along with PostgreSQL database, Nginx web and WAPT Server python server.

In the future the postconf.sh script might take charge of this configuration depending on the expected number of client computers.

With the following parameters, one WAPT Server should scale up to around 5000 concurrent active clients. You may have more clients in the database if they are not all running at the same time. If you have more than 5000 clients it is recommended to have more than one WAPT Server.

The limit in the number of end point clients is due to the bottleneck in the python code and the PostgreSQL backend. WAPT performance gets better with time and in the future WAPT Server might support a large base on a single server. However the Nginx part scales very well and it can takes full advantage of a 10Gbps connection for high load package deployments.

Note

The parameters to be modified below are linked together and should be modified globally and not individually.

Configuring Nginx

In the /etc/nginx/nginx.conf file (for Windows C:\wapt\waptserver\nginx\conf\nginx.conf), modify worker_connections parameter. The value should be around 2.5 times the number of WAPT clients (n connections for websockets and n connections for package downloads and inventory upload + some margin).

events {
    worker_connections 4096;
}

Then upgrade the number of filedescriptors in the /etc/nginx/nginx.conf file (for Windows C:\wapt\waptserver\nginx\conf\nginx.conf):

worker_rlimit_nofile 32768;

Depending on the partitioning of your WAPT server you might have to be careful with the Nginx temporary file upload directory. Nginx acts as a reverse proxy for the WAPTServer Python engine and its does a caching of packages uploaded when uploading a new package from the console.

The packages are stored in the /var/lib/nginx/proxy directory. You have to make sure that the partition hosting this directory is large enough. You may change this directory location using the following Nginx configuration parameter.

$client_body_temp_path

Configuring the Linux System

Increase the number of filedescriptors. The system unit file asks for an increase in the allowed number of filedescriptors (LimitNOFILE=32768). We should have the same thing for Nginx. There are a few limits to modify.

First we modify system wide the number of filedescriptors allowed for Nginx and WAPT.

  • Create the /etc/security/limits.d/wapt.conf.

    cat > /etc/security/limits.d/wapt.conf <<EOF
    wapt         hard    nofile      32768
    wapt         soft    nofile      32768
    www-data     hard    nofile      32768
    www-data     soft    nofile      32768
    EOF
    

Nginx serves as a reverse proxy and makes quite a lot of connections. Each WAPT client keeps a websocket connection up all the time in order to respond to actions from the WAPT Server.

The Linux kernel has a protection against having too many TCP connections opened at the same time and one may get the SYN flooding on port message in the Nginx log. In order to avoid these messages, it is necessary to modify the two following parameters. It must around 1.5 times the number of WAPT clients.

cat > /etc/sysctl.d/wapt.conf <<EOF
net.ipv4.tcp_max_syn_backlog=4096
net.core.somaxconn=4096
EOF

sysctl --system

Configuring the PostgreSQL database

A higher number of clients need a higher number of connections to the PostgreSQL database. In the postgresql.conf file (file:/etc/postgresql/{version}/main/postgresql.conf on debian 10 for example or for Windows C:\wapt\waptserver\pgsqlversion_data\postgresql.conf), you need to increase the following parameter to approximately 1/4 the number of active WAPT agents.

max_connections = 1000

In /opt/wapt/conf/waptserver.ini file (for Windows C:\wapt\conf\waptserver.ini, db_max_connections should be equal to PostgreSQL max_connections minus 10 (PostgreSQL needs to keep some connections for its housekeeping stuff). The max_clients parameter should be set around 1.2 times the number of WAPT agents:

[options]
...
max_clients = 4096
db_max_connections =  990