TVO-4.2
Set network accessibility of TrilioVault GUI
By default, the TrilioVault GUI is available on all NICs on port 443.
To limit it to a single IP, apply the following steps.

Network Setup

By default, the TrilioVault Appliance supports 4 VIPs:
  • A general VIP which can be used for everything
  • A public VIP for the public endpoint
  • An internal VIP for the internal endpoint
  • An admin VIP for the admin endpoint
If an additional VIP is required to restrict access to the TrilioVault Dashboard, that VIP must be created as a new resource inside the PCS cluster:
pcs resource create dashboard_ip ocf:heartbeat:IPaddr2 ip=<new_vip> cidr_netmask=<netmask> nic=<new_nw_interface> op monitor interval=30s
pcs constraint colocation add dashboard_ip virtual_ip

Nginx setup

Once the new dashboard_ip has been created (or chosen), the next step is to set up the proxy forwarding inside Nginx, which makes the TrilioVault GUI available on that IP through port 8000.
All of the following steps need to be done on every TrilioVault appliance of the cluster.
  1. Create a new conf file at /etc/nginx/conf.d/tvault-dashboard.conf. Replace the variables dashboard_ip and virtual_ip with the values configured or chosen above.
    server {
        listen <dashboard_ip>:8000 ssl;
        ssl_certificate "/opt/stack/data/cert/workloadmgr.cert";
        ssl_certificate_key "/opt/stack/data/cert/workloadmgr.key";
        keepalive_timeout 65;
        proxy_read_timeout 1800;
        access_log on;
        location / {
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass https://<virtual_ip>:443;
        }
    }
    server {
        listen <dashboard_ip>:3001 ssl;
        ssl_certificate "/opt/stack/data/cert/workloadmgr.cert";
        ssl_certificate_key "/opt/stack/data/cert/workloadmgr.key";
        keepalive_timeout 65;
        proxy_read_timeout 1800;
        access_log on;
        location / {
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass https://<virtual_ip>:3001;
        }
    }
  2. Edit /etc/nginx/nginx.conf and uncomment the line #include /etc/nginx/conf.d/*.conf;
  3. Check the nginx syntax: nginx -t
  4. Reload the nginx configuration: nginx -s reload
  5. Verify that the new cluster resource is visible with the pcs resource command and that the GUI can be reached on the dashboard_ip.

Limit the access of the Dashboard

Connections to the configured dashboard_ip always terminate at the nginx service on port 8000 and are then forwarded to the local dashboard service on port 443.
With this configuration, the only clients that still need access to the local dashboard service on port 443 are the TrilioVault appliances of the cluster themselves. All other connections on port 443 can be dropped.
The following commands set the required iptables rules (tvm1, tvm2 and tvm3 are the addresses of the cluster appliances):
iptables -A INPUT -p tcp -s tvm1,tvm2,tvm3 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s tvm1,tvm2,tvm3 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
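An added check, not part of the TrilioVault documentation, that audits an iptables -S INPUT listing for the rule set above: the INPUT chain is evaluated top-down and -A appends at the end, so an ACCEPT for port 80 or 443 that was already in the chain and is open to any source would sit above the new DROP and leave the dashboard reachable on that port. The member addresses and both listings are constructed; on an appliance, feed it the output of iptables -S INPUT instead.

```shell
# Added example (not TrilioVault code): audit an `iptables -S INPUT` listing
# for the dashboard rule set. Because INPUT is evaluated top-down and `-A`
# appends, an earlier ACCEPT for 80/443 that is open to any source would
# shadow the new DROP. Addresses below are constructed stand-ins for tvm1..tvm3.

# audit_dashboard_rules <rules-file> <comma-separated member IPs>
# Succeeds if, for ports 80 and 443, every member has an ACCEPT, a DROP
# exists, and no ACCEPT above that DROP comes from a non-member source.
audit_dashboard_rules() {
    rules="$1"
    members=$(printf '%s' "$2" | tr ',' ' ')
    pat=$(printf '%s' "$2" | sed 's/\./\\./g; s/,/|/g')   # ERE alternation of members
    for port in 80 443; do
        for m in $members; do
            grep -qF -- "-s $m/32 -p tcp -m tcp --dport $port -j ACCEPT" "$rules" ||
                { echo "port $port: no ACCEPT for cluster member $m"; return 1; }
        done
        drop_line=$(grep -nF -- "-A INPUT -p tcp -m tcp --dport $port -j DROP" "$rules" |
                    head -n1 | cut -d: -f1)
        [ -n "$drop_line" ] || { echo "port $port: no DROP rule"; return 1; }
        # Any ACCEPT for this port above the DROP must name a member as source.
        stray=$(head -n "$drop_line" "$rules" | grep -F -- "--dport $port -j ACCEPT" |
                grep -Ev -- "-s ($pat)/32 " || true)
        [ -z "$stray" ] ||
            { echo "port $port: ACCEPT above the DROP shadows it: $stray"; return 1; }
    done
    echo "dashboard rule set OK"
}

SAMPLES=$(mktemp -d)
MEMBERS="10.10.0.11,10.10.0.12,10.10.0.13"   # constructed tvm1..tvm3 addresses
# Constructed listing of a clean INPUT chain after the four commands above
# (iptables expands the comma-separated -s list into one rule per address).
cat > "$SAMPLES/good.rules" <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 10.10.0.11/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.10.0.12/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.10.0.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.10.0.11/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.10.0.12/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.10.0.13/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j DROP
EOF
# Same chain, but an ACCEPT for 443 from anywhere was already present.
{ echo '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'; cat "$SAMPLES/good.rules"; } \
    > "$SAMPLES/bad.rules"
audit_dashboard_rules "$SAMPLES/good.rules" "$MEMBERS" || true   # dashboard rule set OK
audit_dashboard_rules "$SAMPLES/bad.rules" "$MEMBERS" || true    # reports the shadowing ACCEPT
```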

Verify the accessibility as required

At this point the TrilioVault GUI is reachable only on the dashboard_ip on port 8000. Accessing the TrilioVault GUI through any other IP, or on port 443, is no longer possible:
https://<dashboard_ip>:8000