Have you ever struggled to give your end users access to the PowerVC UI, but don't want to give them real access to the PowerVC host? For example, I've seen a few scenarios recently where we want to make PowerVC UI
publicly available, but still need PowerVC itself sitting on an internal private network with connections to the private management infrastructure. There are a number of ways you can go about doing this with port forwarding, iptables rules, etc. But perhaps the easiest way to do this is to set up a very simple light-weight HTTP proxy with NGINX.
Scenario:
User ---> NGINX Proxy Server
Public IP X.X.X.9
Private IP 10.0.0.9 --> PowerVC Server
Private IP 10.0.0.10
- ONLY http/s traffic is forwarded. The user cannot access the Private IP of PowerVC directly.
- This supports both the Web UI as well as PowerVC/Openstack APIs
- PowerVC behaves as if traffic was coming directly from the proxy server, and not from the end user (although that information is included in the headers for logging).
Instructions:
- Install nginx. On Ubuntu/Debian, simply run:
sudo apt install nginx. On Redhat, run: sudo yum install nginx
- nginx should start automatically. If not, run:
sudo systemctl start nginx
- Remove the default config file:
sudo rm /etc/nginx/sites-enabled/default
- Install ssl-cert. This will allow automatic generation of self-signed ssl certificates:
sudo apt install ssl-cert or sudo yum install ssl-cert.
- Add the following configuration file, modifying the 10.0.0.10 IP address to match that of your PowerVC server (paste this entire entry into a bash shell):
sudo cat > /etc/nginx/sites-enabled/pvc << EOM
include snippets/snakeoil.conf;
server { # http
server_name nginx-1-vm;
listen *:80;
location / {
return 302 https://$host$request_uri;
}
}
server { # https
server_name nginx-1-vm;
listen *:443 ssl; # Web UI
listen *:5000 ssl; # API - keystone
listen *:8041 ssl; # API - gnocchi
listen *:8428 ssl; # API - validator
listen *:8774 ssl; # API - nova
listen *:8778 ssl; # API - panko
listen *:9000 ssl; # API - cinder
listen *:9292 ssl; # API - glance
listen *:9696 ssl; # API - neutron
listen *:35357 ssl; # API - keystone
location / {
proxy_pass $scheme://10.0.0.10:$server_port;
proxy_request_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Origin $scheme://$host;
proxy_set_header Accept-Encoding "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 330;
}
}
EOM
Finally, restart nginx (
sudo systemctl restart nginx), and point your web browser to http://
X.X.X.9 and you should see the PowerVC GUI.
Now for some explanation...
SSL Certificates: We're letting the system autogenerate self-signed certificates. These are the certificates for the nginx web server. You can create your own (just look at the content of snippits/snakeoil.conf for info.)
HTTP: You'll notice that we are listening on port 80. Every inbound request on port 80 gets a 302 response (redirect) to https (443) with the same URL. This just makes it easy to forward any http requests to https. You can turn this off if you don't want http->https redirect.
HTTPS:
- All traffic will get forwarded to the proxy_pass address. Make sure you modify this address to match the address of your PowerVC server.
- The server listens on multiple ports - 443 provides web UI access, and the others provide API access. If you do not want API access, just remove the
listen clauses for the API ports.
- The upgrade items are there to ensure the browser can 'upgrade' the connection from https to wss (websockets). Websockets are used by PowerVC to provide the console for the user. Note that wss is still going over port 443. It's just a different protocol.
- The proxy_read_timeout is set high because PowerVC queries for event changes and waits up to 5 minutes for a response, so we don't want the proxy server timing out.
- The other items all allow PowerVC to not have to worry that the client is remote.
You can find lots more information about these settings in the NGINX documentation:
http://nginx.org/en/docs/http/ngx_http_proxy_module.htmlEnjoy providing your users access to the PowerVC UI without giving them access to the management network!
#privatecloud#security