Set network accessibility of Trilio GUI

By default is the Trilio GUI available on all NICs on port 443.

To limit this to only one IP the following steps need to be applied.

Network Setup

The Trilio Appliance provides by default the possibility of 4 VIPs.

A general VIP which can be used for everything
A public VIP for the public endpoint
An internal VIP for the internal endpoint
An admin VIP for the admin endpoint

Should an additional VIP be required to restrict the access of the Trilio Dashboard to this VIP the new VIP needs to be created as a new resource inside the PCS cluster.

pcs resource create dashboard_ip ocf:heartbeat:IPaddr2 ip=<new_vip> cidr_netmask=<netmask> nic=<new_nw_interface> op monitor interval=30s
pcs constraint colocation add dashboard_ip virtual_ip

Nginx setup

When the new dashboard_ip has been created or decided, then the next step is to set up the proxy forwarding inside Nginx, which will make the Trilio GUI available through port 8000.

All of the following steps need to be done all Trilio appliances of the cluster.

Create new conf file at /etc/nginx/conf.d/tvault-dashboard.conf. Replace variables dashboard_ip and virtual_ip as configured or decided.

server {
    listen <dashboard_ip>:8000 ssl ;
    ssl_certificate "/opt/stack/data/cert/workloadmgr.cert";
    ssl_certificate_key "/opt/stack/data/cert/workloadmgr.key";
    keepalive_timeout 65;
    proxy_read_timeout 1800;
    access_log on;
    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass https://<virtual_ip>:443;
    }
}
server {
    listen <dashboard_ip>:3001 ssl ;
    ssl_certificate "/opt/stack/data/cert/workloadmgr.cert";
    ssl_certificate_key "/opt/stack/data/cert/workloadmgr.key";
    keepalive_timeout 65;
    proxy_read_timeout 1800;
    access_log on;
    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass https://<virtual_ip>:3001;
    }
}

edit /etc/nginx/nginx.conf and uncomment line #include /etc/nginx/conf.d/*.conf;
check nginx syntax: nginx -t
reload nginx conf: nginx -s reload
Verify if the new cluster resource is visible or not using pcs resource command and by accessing the dashboard_ip.

Limit the access of the Dashboard

The configured dashboard_ip will always end on the nginx service on port 8000 and will then be forwarded to the local dashboard service on port 443.

This configuration limits the required access to the local dashboard service to the Trilio appliance cluster itself. All other connections on port 443 can be dropped.

The following commands will set the required iptable rules.

iptables -A INPUT -p tcp -s tvm1,tvm2,tvm3 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s tvm1,tvm2,tvm3 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Verify the accessibility as required

At this point is the Trilio GUI only reachable on the dashboard_ip on port 8000. Accessing the Trilio GUI through any other IP or on port 443 is not allowed.

https://<dashboard_ip>:8000

PreviousTrilio Appliance Dashboard NextReconfigure the Trilio Cluster

Last updated 1 year ago