Setting up a Reverse Proxy for HSTS (in Virtual Machine)

By RAJAN N C KRISHNAN posted Fri December 08, 2023 11:17 AM


In this guide, I will highlight the basic steps needed to set up IBM Aspera Proxy in front of an HSTS running in a virtual machine.

Full details of installing and setting up the Proxy are available in the IBM documentation, Install and Set Up Proxy. Refer to that document for the Proxy installation itself.

This guide also covers setting up an NGINX reverse proxy (assuming you have Shares installed).

There are 3 sections to setting up the proxy.

  1. Setting up the HSTS specifically for Reverse Proxy
  2. Setting up NGINX reverse proxy for NodeAPI (https) connection to Shares.
  3. Setting up Aspera reverse proxy for file transfers.

Setting up HSTS

You should have completed the installation of HSTS and set up NodeAPI for integration with Shares.

  1. Add an SSH public key on the HSTS. This will be used by the proxy to connect to the HSTS. A public/private key pair is provided during the proxy install; you can use /opt/aspera/proxy/var/aspera_rproxy_id_rsa.pub from the Proxy server. Copy the contents of the public key into the HSTS transfer user's home folder, in the file /home/<Transfer-User>/.ssh/authorized_keys.
  2. Configure the HSTS so that it gives the Proxy address and Proxy SSH port (not the HSTS address) to clients that connect:

asconfigurator -F "set_server_data;server_name,<PROXY IP ADDRESS>;ssh_port,<PORT>"

Example:

asconfigurator -F "set_server_data;server_name,67.228.82.52;ssh_port,33001"

  3. Restart the asperanoded service.

Setting up NGINX reverse proxy

This setup is needed to proxy NodeAPI / Shares requests. Start with the provided template.

cp /opt/aspera/nginx/conf/nginx.conf.example /opt/aspera/nginx/conf/nginx.conf

Edit nginx.conf and paste this as the http section. Change the proxy_pass setting to point to your Shares URL or the NodeAPI URL on the HSTS.

http {
  server {
    # TLSv1 and TLSv1.1, and the RC4 cipher family, are deprecated; restrict
    # this to TLSv1.2 and drop RC4 where your clients allow it.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:RC4:!MD5:!aNULL:!EDH:!AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_certificate /opt/aspera/proxy/etc/aspera_server_cert.pem;
    ssl_certificate_key /opt/aspera/proxy/etc/aspera_server_key.pem;
    ssl on;
    ssl_verify_client   off;
    listen 8443;
    client_max_body_size 0;
    max_ranges 1;
    location / {
        # Point this at your Shares URL (or the NodeAPI URL on the HSTS)
        proxy_pass https://URL-SHARES;
        proxy_set_header            Connection        "";
        proxy_set_header            X-Forwarded-Proto $scheme;
        proxy_set_header            X-Real-IP         $remote_addr;
        proxy_set_header            X-Forwarded-Host  $host:$server_port;
        proxy_set_header            X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_ssl_server_name on;
    }
  }
}

Restart nginx

systemctl restart asperanginx

Setting up Aspera Reverse Proxy

1. Add a transfer user on the Proxy and set up the user for SSH key authentication. Use the same transfer user as created on the HSTS. In this example, the transfer user is assumed to be xfer.

useradd xfer
mkdir /home/xfer/.ssh/
chmod 700 /home/xfer/.ssh/

Add the standard public key /opt/aspera/var/aspera_id_dsa.pub (from the HSTS) to /home/xfer/.ssh/authorized_keys on the proxy, then fix its ownership and permissions:

chown xfer:xfer /home/xfer/.ssh/authorized_keys
chmod 600 /home/xfer/.ssh/authorized_keys

2. Add the SSH private key to be used to connect to the HSTS. (We added the matching public key to the transfer user's authorized_keys on the HSTS earlier.)

cp /opt/aspera/proxy/var/aspera_rproxy_id_rsa /home/xfer/.ssh/id_rsa
chown -R xfer:xfer /home/xfer/.ssh/
chmod 700 /home/xfer/.ssh/
chmod 600 /home/xfer/.ssh/id_rsa

3. Open port 33001 in /etc/ssh/sshd_config on the proxy (add a Port 33001 line) and restart sshd.

4. Create a file /etc/sudoers.d/aspera_rproxy and paste this.

Defaults:xfer !requiretty
Defaults:xfer secure_path = /sbin:/bin:/usr/sbin:/usr/bin
xfer ALL = NOPASSWD: /sbin/iptables-restore

5. Change the shell of the xfer user on the proxy.
chsh -s /bin/aspshell xfer

6. Configure the Aspera proxy. Edit /opt/aspera/proxy/etc/aspera.conf and paste this, changing <host> and <bind_source_address> to match your environment.

<host> is the IP address and SSH port of the HSTS.

<bind_source_address> is the IP address of the proxy that will connect to the HSTS.

<?xml version='1.0' encoding='UTF-8'?>
<CONF version="2">
    <central_server>
        <port>40001</port>
        <address>127.0.0.1</address>
    </central_server>
    <default />
    <aaa />
    <server>
        <rproxy>
            <enabled>true</enabled>
            <log_level>2</log_level>
            <rules>
                <rule>
                    <balancing>round_robin</balancing>
                    <hosts>
                        <host>168.1.196.67:33001</host>
                    </hosts>
                    <squash_user>xfer</squash_user>
                    <keyfile>/home/xfer/.ssh/id_rsa</keyfile>
                    <udp_port_reuse>true</udp_port_reuse>
                    <src_port_filtering>false</src_port_filtering>
                    <bind_udp_port>33001</bind_udp_port>
                    <bind_source_address>168.1.62.212</bind_source_address>
                </rule>
            </rules>
        </rproxy>
    </server>
</CONF>

Restart Aspera Proxy.

systemctl restart asperaproxy
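A mistyped <host> (no port, or a hostname where an IP is expected), a wrong squash_user or an empty keyfile are the usual reasons the proxy fails to reach the HSTS after the restart above. The following is an added example, not part of this guide or of the Aspera product, that reads an aspera.conf and reports those problems before you restart; the sample configuration and its addresses are constructed placeholders.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the rproxy rule from this guide, with
# documentation-range placeholder addresses (not a real deployment).
SAMPLE_CONF = """<?xml version='1.0' encoding='UTF-8'?>
<CONF version="2">
  <server><rproxy>
    <enabled>true</enabled>
    <rules><rule>
      <balancing>round_robin</balancing>
      <hosts><host>192.0.2.10:33001</host></hosts>
      <squash_user>xfer</squash_user>
      <keyfile>/home/xfer/.ssh/id_rsa</keyfile>
      <bind_udp_port>33001</bind_udp_port>
      <bind_source_address>192.0.2.20</bind_source_address>
    </rule></rules>
  </rproxy></server>
</CONF>
"""

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def check_rproxy(conf_xml, expected_user="xfer"):
    """Return a list of problems in the <rproxy> rules (empty list means OK)."""
    problems = []
    rproxy = ET.fromstring(conf_xml).find("./server/rproxy")
    if rproxy is None or (rproxy.findtext("enabled") or "").strip() != "true":
        return ["rproxy section missing or not enabled"]
    for i, rule in enumerate(rproxy.findall("./rules/rule")):
        hosts = [h.text.strip() for h in rule.findall("./hosts/host") if h.text]
        if not hosts:
            problems.append(f"rule {i}: no <host> entries")
        for h in hosts:  # each host must be IP:PORT, the HSTS address and SSH port
            addr, sep, port = h.rpartition(":")
            if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
                problems.append(f"rule {i}: host '{h}' is not IP:PORT")
            elif not _is_ip(addr):
                problems.append(f"rule {i}: host address '{addr}' is not an IP")
        if (rule.findtext("squash_user") or "").strip() != expected_user:
            problems.append(f"rule {i}: squash_user is not {expected_user}")
        if not (rule.findtext("keyfile") or "").strip():
            problems.append(f"rule {i}: keyfile is empty")
        if not _is_ip((rule.findtext("bind_source_address") or "").strip()):
            problems.append(f"rule {i}: bind_source_address is not an IP")
    return problems
```

Run it against the real file with check_rproxy(open("/opt/aspera/proxy/etc/aspera.conf").read()) before restarting asperaproxy.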

Testing Transfer With Browser Plugin

  1. Open the Proxy URL in a browser. That should forward you to the Shares web interface. 
  2. Login using the Shares username / password. 
  3. Install the browser extension/plugin if instructed to do so. 
  4. Test transfers.

Testing Transfer With Desktop Client

  1. Download and install the Desktop Client.
  2. Create a connection in the Desktop Client. Use the following information.
  3. For username / password, use the Shares username and password.
  4. Double-click the newly created connection and test uploading / downloading files.
