Set network accessibility of TrilioVault GUI

​
By default is the TrilioVault GUI available on all NICs on port 443.
To limit this to only one IP the following steps need to be applied.
Network Setup
The TrilioVault Appliance provides by default the possibility of 4 VIPs.
A general VIP which can be used for everything
A public VIP for the public endpoint
An internal VIP for the internal endpoint
An admin VIP for the admin endpoint
Should an additional VIP be required to restrict the access of the TrilioVault Dashboard to this VIP the new VIP needs to be created as a new resource inside the  PCS cluster.
1
pcs resource create dashboard_ip ocf:heartbeat:IPaddr2 ip=<new_vip> cidr_netmask=<netmask> nic=<new_nw_interface> op monitor interval=30s
2
pcs constraint colocation add dashboard_ip virtual_ip
Copied!
Nginx setup
When the new dashboard_ip has been created or decided, then the next step is to set up the proxy forwarding inside Nginx, which will make the TrilioVault GUI available through port 8000.
All of the following steps need to be done all TrilioVault appliances of the cluster.
1.Create new conf file at /etc/nginx/conf.d/tvault-dashboard.conf. Replace variables dashboard_ip and virtual_ip as configured or decided.
1
server {
2
    listen <dashboard_ip>:8000 ssl ;
3
    ssl_certificate "/opt/stack/data/cert/workloadmgr.cert";
4
    ssl_certificate_key "/opt/stack/data/cert/workloadmgr.key";
5
    keepalive_timeout 65;
6
    proxy_read_timeout 1800;
7
    access_log on;
8
    location / {
9
        proxy_set_header Host $host:$server_port;
10
        proxy_set_header X-Real-IP $remote_addr;
11
        proxy_pass https://<virtual_ip>:443;
12
    }
13
}
14
server {
15
    listen <dashboard_ip>:3001 ssl ;
16
    ssl_certificate "/opt/stack/data/cert/workloadmgr.cert";
17
    ssl_certificate_key "/opt/stack/data/cert/workloadmgr.key";
18
    keepalive_timeout 65;
19
    proxy_read_timeout 1800;
20
    access_log on;
21
    location / {
22
        proxy_set_header Host $host:$server_port;
23
        proxy_set_header X-Real-IP $remote_addr;
24
        proxy_pass https://<virtual_ip>:3001;
25
    }
26
}
27
​
Copied!
2.edit /etc/nginx/nginx.conf and uncomment line
#include /etc/nginx/conf.d/*.conf;
3.check nginx syntax: nginx -t
4.reload nginx conf: nginx -s reload
5.Verify if the new cluster resource is visible or not using pcs resource command and
by accessing the dashboard_ip.
Limit the access of the Dashboard
The configured dashboard_ip will always end on the nginx service on port 8000 and will then be forwarded to the local dashboard service on port 443.
This configuration limits the required access to the local dashboard service to the TrilioVault appliance cluster itself. All other connections on port 443 can be dropped.
The following commands will set the required iptable rules.
1
iptables -A INPUT -p tcp -s tvm1,tvm2,tvm3 --dport 80 -j ACCEPT
2
iptables -A INPUT -p tcp -s tvm1,tvm2,tvm3 --dport 443 -j ACCEPT
3
iptables -A INPUT -p tcp --dport 80 -j DROP
4
iptables -A INPUT -p tcp --dport 443 -j DROP
Copied!
Verify the accessibility as required
At this point is the TrilioVault GUI only reachable on the dashboard_ip on port 8000. 
Accessing the TrilioVault GUI through any other IP or on port 443 is not allowed.
1
https://<dashboard_ip>:8000
Copied!

TrilioVault Appliance Administration Guide - Previous

TrilioVault Appliance Dashboard

Next - TrilioVault Appliance Administration Guide

Reconfigure the TrilioVault Cluster

Last modified 3mo ago

Export as PDF

Copy link

Contents

Network Setup

Nginx setup

Limit the access of the Dashboard

Verify the accessibility as required