Search…
Set network accessibility of TrilioVault GUI
By default is the TrilioVault GUI available on all NICs on port 443.
To limit this to only one IP the following steps need to be applied.

Network Setup

The TrilioVault Appliance provides by default the possibility of 4 VIPs.
  • A general VIP which can be used for everything
  • A public VIP for the public endpoint
  • An internal VIP for the internal endpoint
  • An admin VIP for the admin endpoint
Should an additional VIP be required to restrict the access of the TrilioVault Dashboard to this VIP the new VIP needs to be created as a new resource inside the PCS cluster.
1
pcs resource create dashboard_ip ocf:heartbeat:IPaddr2 ip=<new_vip> cidr_netmask=24 nic=<new_nw_interface> op monitor interval=30s
2
pcs constraint colocation add dashboard_ip virtual_ip
Copied!

Nginx setup

When the new dashboard_ip has been created or decided, then the next step is to set up the proxy forwarding inside Nginx, which will make the TrilioVault GUI available through port 8000
  1. 1.
    Create new conf file at /etc/nginx/conf.d/tvault-dashboard.conf. Replace variables dashboard_ip and virtual_ip as configured or decided.
    1
    [[email protected] ~]# cat /etc/nginx/conf.d/tvault-dashboard.conf
    2
    server {
    3
    listen <dashboard_ip>:8000 ssl ;
    4
    ssl_certificate "/opt/stack/data/cert/workloadmgr.cert";
    5
    ssl_certificate_key "/opt/stack/data/cert/workloadmgr.key";
    6
    keepalive_timeout 65;
    7
    proxy_read_timeout 1800;
    8
    access_log on;
    9
    location / {
    10
    proxy_set_header Host $host:$server_port;
    11
    proxy_set_header X-Real-IP $remote_addr;
    12
    proxy_pass https://<virtual_ip>:443;
    13
    }
    14
    }
    Copied!
  2. 2.
    edit /etc/nginx/nginx.conf and uncomment line #include /etc/nginx/conf.d/*.conf;
  3. 3.
    check nginx syntax: nginx -t
  4. 4.
    reload nginx conf: nginx -s reload
  5. 5.
    Verify the availability of the TrilioVault dashboard on the dashboard_ip on port 8000 or through the pcs resource command

Limit the access of the Dashboard

The configured dashboard_ip will always end on the nginx service on port 8000 and will then be forwarded to the local dashboard service on port 443.
This configuration limits the required access to the local dashboard service to the TrilioVault appliance cluster itself. All other connections on port 443 can be dropped.
The following commands will set the required iptable rules.
1
iptables -A INPUT -p tcp -s tvm1,tvm2,tvm3 --dport 80 -j ACCEPT
2
iptables -A INPUT -p tcp -s tvm1,tvm2,tvm3 --dport 443 -j ACCEPT
3
iptables -A INPUT -p tcp --dport 80 -j DROP
4
iptables -A INPUT -p tcp --dport 443 -j DROP
Copied!

Verify the accessibility as required

At this point is the TrilioVault GUI only reachable on the dashboard_ip on port 8000. Accessing the TrilioVault GUI through any other IP or on port 443 is not allowed.
Last modified 28d ago