Search…
TVO-4.1
About TrilioVault for OpenStack
TrilioVault for OpenStack Architecture
TrilioVault 4.1 Release Notes
Deployment Guide
Support Matrix
Requirements
TrilioVault network considerations
Preparing the installation
Spinning up the TrilioVault VM
Installing TrilioVault Components
Configuring TrilioVault
Apply the TrilioVault license
Post Installation Health-Check
Uninstall TrilioVault
Upgrade TrilioVault
Install workloadmgr CLI client
Switch Backup Target on Kolla-ansible
Switch NFS Backing file
TrilioVault Appliance Administration Guide
Set TrilioVault GUI login banner
TrilioVault Appliance Dashboard
Set network accessibility of TrilioVault GUI
Reconfigure the TrilioVault Cluster
Change the TrilioVault GUI password
Reset the TrilioVault GUI password
Reinitialize TrilioVault
Download TrilioVault logs
Change Certificates used by TrilioVault
Restart TrilioVault Services
Shutdown/Restart the TrilioVault cluster
User Guide
Workloads
Snapshots
Restores
File Search
Snapshot Mount
Schedulers
E-Mail Notifications
Admin Guide
Backups-Admin Area
Workload Policies
Workload Quotas
Managing Trusts
Workload Import & Migration
Disaster Recovery
Troubleshooting
General Troubleshooting Tips
Using the workloadmgr CLI tool on the Triliovault Appliance
Healthcheck of TrilioVault
Important log files
API GUIDE
Workloads
Snapshots
Restores
File Search
Snapshot Mount
Schedulers
E-Mail Notification Settings
Workload Policies
Workload Quotas
Managing Trusts
Workload Import and Migration
Powered By GitBook
Set network accessibility of TrilioVault GUI
By default is the TrilioVault GUI available on all NICs on port 443.
To limit this to only one IP the following steps need to be applied.

Network Setup

The TrilioVault Appliance provides by default the possibility of 4 VIPs.
  • A general VIP which can be used for everything
  • A public VIP for the public endpoint
  • An internal VIP for the internal endpoint
  • An admin VIP for the admin endpoint
Should an additional VIP be required to restrict the access of the TrilioVault Dashboard to this VIP the new VIP needs to be created as a new resource inside the PCS cluster.
1
pcs resource create dashboard_ip ocf:heartbeat:IPaddr2 ip=<new_vip> cidr_netmask=24 nic=<new_nw_interface> op monitor interval=30s
2
pcs constraint colocation add dashboard_ip virtual_ip
Copied!

Nginx setup

When the new dashboard_ip has been created or decided, then the next step is to set up the proxy forwarding inside Nginx, which will make the TrilioVault GUI available through port 8000
  1. 1.
    Create new conf file at /etc/nginx/conf.d/tvault-dashboard.conf. Replace variables dashboard_ip and virtual_ip as configured or decided.
    1
    [[email protected] ~]# cat /etc/nginx/conf.d/tvault-dashboard.conf
    2
    server {
    3
    listen <dashboard_ip>:8000 ssl ;
    4
    ssl_certificate "/opt/stack/data/cert/workloadmgr.cert";
    5
    ssl_certificate_key "/opt/stack/data/cert/workloadmgr.key";
    6
    keepalive_timeout 65;
    7
    proxy_read_timeout 1800;
    8
    access_log on;
    9
    location / {
    10
    proxy_set_header Host $host:$server_port;
    11
    proxy_set_header X-Real-IP $remote_addr;
    12
    proxy_pass https://<virtual_ip>:443;
    13
    }
    14
    }
    Copied!
  2. 2.
    edit /etc/nginx/nginx.conf and uncomment line #include /etc/nginx/conf.d/*.conf;
  3. 3.
    check nginx syntax: nginx -t
  4. 4.
    reload nginx conf: nginx -s reload
  5. 5.
    Verify the availability of the TrilioVault dashboard on the dashboard_ip on port 8000 or through the pcs resource command

Limit the access of the Dashboard

The configured dashboard_ip will always end on the nginx service on port 8000 and will then be forwarded to the local dashboard service on port 443.
This configuration limits the required access to the local dashboard service to the TrilioVault appliance cluster itself. All other connections on port 443 can be dropped.
The following commands will set the required iptable rules.
1
iptables -A INPUT -p tcp -s tvm1,tvm2,tvm3 --dport 80 -j ACCEPT
2
iptables -A INPUT -p tcp -s tvm1,tvm2,tvm3 --dport 443 -j ACCEPT
3
iptables -A INPUT -p tcp --dport 80 -j DROP
4
iptables -A INPUT -p tcp --dport 443 -j DROP
Copied!

Verify the accessibility as required

At this point is the TrilioVault GUI only reachable on the dashboard_ip on port 8000. Accessing the TrilioVault GUI through any other IP or on port 443 is not allowed.
TrilioVault Appliance Administration Guide - Previous
TrilioVault Appliance Dashboard
Next - TrilioVault Appliance Administration Guide
Reconfigure the TrilioVault Cluster
Last modified 28d ago
Export as PDF
Copy link
Contents
Network Setup
Nginx setup
Limit the access of the Dashboard
Verify the accessibility as required