In this guide, I will be highlighting the basic steps needed to set up IBM Aspera Proxy in front of an HSTS (High-Speed Transfer Server) running in CP4I (Cloud Pak for Integration) on OpenShift.
Setting up a proxy becomes important when the HSTS cannot be given an external IP address that is reachable from outside the OpenShift cluster.
Full details of installing and setting up the Proxy are in the IBM documentation (Install and Set Up Proxy); refer to that document to install the Proxy itself. This guide covers what to configure once it is installed.
There are 3 sections in setting up the proxy:
- Setting up the HSTS specifically for the reverse proxy
- Setting up the NGINX reverse proxy for the Node API (HTTPS) connection
- Setting up the Aspera reverse proxy for file transfers
Setting up HSTS
1. Add an SSH public key to the HSTS CR. The proxy uses the matching private key to connect to the HSTS. A public/private key pair is provided during the proxy install; you can use /opt/aspera/proxy/var/aspera_rproxy_id_rsa.pub on the Proxy server. Copy the contents of the public key into the HSTS Custom Resource:
publickeys:
  keys: >-
    ssh-rsa PASTE THE SSH PUBLIC KEY HERE
services:
2. Set the server name in the HSTS CR to the address of the proxy, so that the HSTS points clients at the proxy rather than at an address they cannot reach:
configurations:
  serverName: <IP Address or URL of Proxy>
publickeys:
Setting up NGINX reverse proxy
This setup proxies Node API (HTTPS) requests arriving on port 8443 of the proxy to the HSTS. Start with the provided template:
cp /opt/aspera/nginx/conf/nginx.conf.example /opt/aspera/nginx/conf/nginx.conf
Edit nginx.conf and use this for the http section. Change the proxy_pass setting to point to the http-proxy URL of your HSTS. Offer only TLS 1.2 (and TLS 1.3 where the bundled nginx and OpenSSL support it) with modern ciphers on the listener; TLS 1.0/1.1 and RC4 are deprecated and should not be enabled.
http {
    server {
        # "ssl on;" is deprecated in nginx; enable TLS on the listen directive instead
        listen 8443 ssl;
        # TLS 1.2 only; add TLSv1.3 if the bundled nginx/OpenSSL support it
        ssl_protocols TLSv1.2;
        # ECDHE (the original had a typo, ECDME) with AES-256; RC4 removed
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH;
        ssl_prefer_server_ciphers on;
        ssl_certificate /opt/aspera/proxy/etc/aspera_server_cert.pem;
        ssl_certificate_key /opt/aspera/proxy/etc/aspera_server_key.pem;
        ssl_verify_client off;
        client_max_body_size 0;
        max_ranges 1;
        location / {
            # http-proxy URL of the HSTS (OpenShift route or service)
            proxy_pass https://URL-HTTP-PROXY;
            proxy_set_header Connection "";
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_ssl_server_name on;
        }
    }
}
Note that nginx does not verify the HSTS certificate on the proxy_pass leg by default (proxy_ssl_verify is off). If the HSTS route presents a certificate you can trust, add proxy_ssl_verify on and proxy_ssl_trusted_certificate pointing at its CA so that the proxy is not silently forwarding credentials to an unverified endpoint.
Restart nginx:
systemctl restart asperanginx
Setting up Aspera Reverse Proxy
1. Add a transfer user on the Proxy and set it up for SSH key authentication. The key placed in authorized_keys is the standard Aspera client public key, /opt/aspera/var/aspera_id_dsa.pub, which you can copy from any other HSTS. Because every Aspera client carries the matching private key, anyone with a client can authenticate as xfer; what limits that account is the restricted shell and the narrow sudoers grant configured in the later steps.
useradd -m xfer
mkdir /home/xfer/.ssh/
chmod 700 /home/xfer/.ssh/
# Add the standard public key /opt/aspera/var/aspera_id_dsa.pub (from some other HSTS) to /home/xfer/.ssh/authorized_keys on the proxy
chown xfer:xfer /home/xfer/.ssh/authorized_keys
chmod 600 /home/xfer/.ssh/authorized_keys
2. Add the SSH private key the proxy uses to connect to the HSTS (its public half is the key added to the HSTS CR in CP4I earlier). The key must be owned by xfer and readable only by that user.
cp /opt/aspera/proxy/var/aspera_rproxy_id_rsa /home/xfer/.ssh/id_rsa
chown -R xfer:xfer /home/xfer/.ssh/
chmod 700 /home/xfer/.ssh/
chmod 600 /home/xfer/.ssh/id_rsa
3. Open port 33001 in /etc/ssh/sshd_config (add a Port 33001 line; keep or remove Port 22 according to your policy) and restart sshd. On SELinux-enforcing hosts also allow the port with semanage port -a -t ssh_port_t -p tcp 33001, and open it in the host firewall.
4. Create a file /etc/sudoers.d/aspera_rproxy with the following content and check it with visudo -cf /etc/sudoers.d/aspera_rproxy. The grant is limited to iptables-restore, which the proxy needs to manage its forwarding rules; do not widen it to ALL, as that would give the shared xfer account root.
Defaults:xfer !requiretty
Defaults:xfer secure_path = /sbin:/bin:/usr/sbin:/usr/bin
xfer ALL = NOPASSWD: /sbin/iptables-restore
5. Change the login shell of the xfer user on the proxy to the restricted aspshell, so that the account can run transfers but not an interactive shell:
chsh -s /bin/aspshell xfer
6. Configure the Aspera proxy. Edit /opt/aspera/proxy/etc/aspera.conf and paste this. Change the <host> and <bind_source_address> values (the ones below are the author's test addresses).
<host> is the tcp-proxy host:port of the HSTS.
<bind_source_address> is the IP of the proxy that will connect to the HSTS.
<?xml version='1.0' encoding='UTF-8'?>
<CONF version="2">
  <central_server>
    <port>40001</port>
    <address>127.0.0.1</address>
  </central_server>
  <default />
  <aaa />
  <server>
    <rproxy>
      <enabled>true</enabled>
      <log_level>2</log_level>
      <rules>
        <rule>
          <balancing>round_robin</balancing>
          <hosts>
            <host>168.1.196.67:30508</host>
          </hosts>
          <squash_user>xfer</squash_user>
          <keyfile>/home/xfer/.ssh/id_rsa</keyfile>
          <udp_port_reuse>true</udp_port_reuse>
          <src_port_filtering>false</src_port_filtering>
          <bind_udp_port>33001</bind_udp_port>
          <bind_source_address>168.1.62.212</bind_source_address>
        </rule>
      </rules>
    </rproxy>
  </server>
</CONF>
Restart Aspera Proxy.
systemctl restart asperaproxy
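Before moving on to transfers, it is worth checking that the proxy host really ended up in the state steps 1 to 6 describe: key file permissions, the extra sshd port, the scope of the sudoers grant, the rproxy rules, and the restricted shell. The script below is an added example and is not part of the original guide or of the Aspera product. Each check takes the file to inspect as an argument so it can be exercised on copies; run_live applies them to the paths used above. The script and function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the guide or the Aspera product): post-setup checks
# for the reverse-proxy host. Paths in run_live are the ones the guide uses.

# has_mode PATH OCTAL -> 0 if PATH's permission bits are exactly OCTAL (e.g. 600)
has_mode() {
  [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# check_key_perms SSH_DIR -> 0 if the directory is 700 and id_rsa / authorized_keys are 600.
# sshd rejects authorized_keys that others can write to, and the rproxy private key
# must not be readable by anyone but xfer.
check_key_perms() {
  local dir="$1" f
  has_mode "$dir" 700 || { echo "FAIL: $dir must be mode 700" >&2; return 1; }
  for f in "$dir/id_rsa" "$dir/authorized_keys"; do
    [ -f "$f" ] || continue
    has_mode "$f" 600 || { echo "FAIL: $f must be mode 600" >&2; return 1; }
  done
}

# check_sshd_port SSHD_CONFIG PORT -> 0 if an uncommented "Port PORT" line exists (step 3)
check_sshd_port() {
  grep -Eq "^[[:space:]]*Port[[:space:]]+$2([[:space:]]|$)" "$1"
}

# check_sudoers FILE -> 0 if the only NOPASSWD command granted to xfer is iptables-restore (step 4).
# Anything broader, e.g. "NOPASSWD: ALL", turns the shared transfer account into root.
check_sudoers() {
  local cmds
  cmds=$(grep -E '^xfer[[:space:]]' "$1" | sed -E 's/.*NOPASSWD:[[:space:]]*//')
  [ "$cmds" = "/sbin/iptables-restore" ]
}

# rproxy_hosts ASPERA_CONF -> prints each <host> entry of the rproxy rules, one per line
rproxy_hosts() {
  grep -o '<host>[^<]*</host>' "$1" | sed -e 's/<host>//' -e 's#</host>##'
}

# check_conf ASPERA_CONF -> 0 if rproxy is enabled and every <host> has host:port form (step 6)
check_conf() {
  local h
  grep -q '<enabled>true</enabled>' "$1" || { echo "FAIL: rproxy not enabled in $1" >&2; return 1; }
  for h in $(rproxy_hosts "$1"); do
    case "$h" in
      *:[0-9]*) ;;
      *) echo "FAIL: <host>$h</host> has no port" >&2; return 1 ;;
    esac
  done
}

# check_shell USER SHELL -> 0 if USER's login shell is SHELL (step 5)
check_shell() {
  [ "$(getent passwd "$1" | cut -d: -f7)" = "$2" ]
}

# run_live: check the real proxy host with the guide's paths; stops at the first failure.
run_live() {
  check_key_perms /home/xfer/.ssh &&
  check_sshd_port /etc/ssh/sshd_config 33001 &&
  check_sudoers /etc/sudoers.d/aspera_rproxy &&
  check_conf /opt/aspera/proxy/etc/aspera.conf &&
  check_shell xfer /bin/aspshell &&
  echo "OK: reverse-proxy host checks passed"
}

# Only touch the live system when asked:  bash rproxy_check.sh --live
if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as root on the proxy with --live after the restart; a FAIL line names the step to revisit. The sudoers check is deliberately strict: it accepts exactly one command, so a later "helpful" widening of the grant shows up as a failure.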
Start Testing Transfer
With that, the reverse proxy setup is done and we can start testing file transfers. We will use the ascli command line to test.
1. Download and install aspera-cli: Aspera CLI (OpenSource)
2. Get the NodeAPI user and password from the HSTS.
In the OpenShift console, go to Workloads -> Secrets -> [deployment-name]-asperanoded-admin.
Take note of the username and password. They are referred to below as NodeUser and NodePassword.
3. Create an access key and secret through the proxy.
curl -ki -u NodeUser:NodePassword https://REVERSE-PROXY:8443/access_keys -d '{"storage":{"type":"local", "path":"/data/"}}'
Replace NodeUser, NodePassword and REVERSE-PROXY. Take note of the id (ACCESS-ID) and secret in the response. The -k flag skips verification of the proxy's TLS certificate; it is fine for a first smoke test against a self-signed certificate, but for anything beyond that point curl at the proxy certificate (or its CA) instead.
4. Use ascli to browse folder.
ascli node access_key do self browse / --url=https://REVERSE-PROXY:8443 --username=ACCESS-ID --password=SECRET --insecure=yes
5. Use ascli to upload file
ascli node access_key do self upload --url=https://REVERSE-PROXY:8443/ --username=ACCESS-ID --password=SECRET SOURCE-FILE --insecure=yes
E.g. (the address, access ID and secret below are the author's test values):
ascli node access_key do self upload --url=https://9.30.218.96:8443/ --username=vDChUCg --password=TN6CyMtr8 ./10MB.1 --insecure=yes
6. Use ascli to download file
ascli node access_key do self download --url=https://REVERSE-PROXY:8443/ --username=ACCESS-ID --password=SECRET FILE-TO-DOWNLOAD --insecure=yes
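The access-key step above (step 3) can be done with the proxy's certificate verified rather than skipped with -k. The following is an added example and is not part of the original guide or of the Aspera tooling. It assumes the proxy's server certificate (aspera_server_cert.pem from the nginx configuration), or the CA that issued it, has been copied to the client as CA_FILE and that its name matches the host name you connect to; json_field and the other function names are this example's own, and the small JSON extraction is only meant for the flat id/secret fields of the access-key response.

```shell
#!/usr/bin/env bash
# Added example (not from the guide or the Aspera product): create a Node API
# access key through the reverse proxy with TLS verification instead of "curl -k".

# json_field BODY NAME -> prints the string value of the first "NAME": "..." pair,
# returns 1 if absent. Handles the flat fields of the access-key reply, not nested JSON.
json_field() {
  local val
  val=$(printf '%s' "$1" \
        | grep -o "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
        | head -n 1 \
        | sed 's/.*:[[:space:]]*"\([^"]*\)"$/\1/')
  [ -n "$val" ] && printf '%s\n' "$val"
}

# access_key_fields BODY -> prints "ACCESS-ID SECRET" from the POST /access_keys response,
# or fails (e.g. on an error body) so a bad reply is never mistaken for credentials.
access_key_fields() {
  local id secret
  id=$(json_field "$1" id) || { echo "no id in response" >&2; return 1; }
  secret=$(json_field "$1" secret) || { echo "no secret in response" >&2; return 1; }
  printf '%s %s\n' "$id" "$secret"
}

# create_access_key PROXY_HOST CA_FILE NODE_USER NODE_PASS STORAGE_PATH -> prints "ACCESS-ID SECRET"
# The Node API credentials go to curl through a config file on stdin (-K -) rather than
# on the command line, so they are not visible in `ps`. Assumes STORAGE_PATH, NODE_USER
# and NODE_PASS contain no double quotes.
create_access_key() {
  local host="$1" ca="$2" user="$3" pass="$4" path="$5" resp
  resp=$(printf 'user = "%s:%s"\n' "$user" "$pass" \
         | curl -sS -K - --cacert "$ca" \
             -H 'Content-Type: application/json' \
             -d "{\"storage\":{\"type\":\"local\",\"path\":\"$path\"}}" \
             "https://$host:8443/access_keys") || { echo "request to $host failed" >&2; return 1; }
  access_key_fields "$resp" || { echo "unexpected response: $resp" >&2; return 1; }
}

# Live usage (not run here):
#   create_access_key REVERSE-PROXY ./aspera_server_cert.pem "$NodeUser" "$NodePassword" /data/
```

If curl reports a certificate error here, the proxy certificate's subject or SAN does not match the name you used for REVERSE-PROXY; fix the certificate rather than reaching for -k, because the same mismatch is what --insecure=yes hides in the ascli steps.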
Continue Testing Transfer With Desktop Client
- Download and install the Desktop Client.
- Create a Connection in the Desktop Client. Use the following information:
- Double-click on the newly created connection and test upload / download files.