Configuring the proxy server for reverse proxy

Reverse proxy is used to route incoming transfers from the proxy server to the internal server destination. To do so, user accounts must be set up on the proxy server and rules that dictate how transfers are routed must be configured. The following instructions describe the steps to set up user accounts, grant them sudo access, and configure settings and logging.

Creating and authorizing users on the Proxy Server

Proxy user accounts can be set up in two ways:

  • Squashed user account: Multiple users make transfers to a single “squashed” user account on the internal server. No individual accounts are required on the destination server, but individual accounts are still required on the proxy server. The squash-user account is required only on the destination server, not on the proxy server. At the destination, the transferred files are owned by the squash-user. The squash-user approach is generally considered the best choice for IBM® Aspera® Faspex.

  • Individual user accounts: Each user makes transfers to their own account on the destination server. The individual user accounts must exist at the destination, as well as on the proxy server. When transferred files arrive at the destination, they are still owned by the user who is specified when the transfer was initiated.

Proxy supports a mix of these two approaches. The following steps cover the setup of both squashed and individual accounts:

  1. Log in to the Proxy server as root and create an account for each user.

    You do not need to set up a squashed user account on the Proxy server, but you do need individual accounts for each user that will use the squashed account.

    1. Generate an SSH key pair for each user on the proxy server:
      $ su - username -c ssh-keygen
      Note: You can specify the key type with -t key_type. The appropriate key type depends on your configuration and workload, so this guide does not recommend a specific type.

      ssh-keygen writes the private key and the public key to the .ssh directory in the user's home directory, typically /home/username/.ssh.

      If you are using a squashed user account on the Proxy server, generate an SSH key pair on the Proxy server by using the same command.

  2. Add the public keys for individual or squashed user accounts to the appropriate server.

    For each user, create the file authorized_keys in /home/username/.ssh on the Proxy server. Copy and paste the text of each user's public key into their corresponding authorized_keys file.

    For a squashed user account, create the file /home/squash_username/.ssh/authorized_keys on the internal servers and copy and paste the text of the squashed user's public key into their authorized_keys file.

    If you created the .ssh directories and authorized_keys files as root, be sure to change the ownership from root to the transfer user.

  3. On the Proxy server, set the default shell to /bin/aspshell for each user by running the following command:
    # chsh -s /bin/aspshell username
    For example,
    # chsh -s /bin/aspshell bear
    Changing shell for bear.
    Warning: "/bin/aspshell" is not listed in /etc/shells.  
    Shell changed.

    The warning message can be safely ignored.
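Steps 1 and 2 above create each user's .ssh directory and authorized_keys file by hand. The following added Python example (not part of the Aspera documentation or product) does the same installation for one public key and adds the checks an administrator usually wants: it rejects lines that are not OpenSSH public keys, forces the directory to mode 0700 and the file to 0600 (sshd's default StrictModes refuses to read an authorized_keys file that is writable by others), skips a key that is already present, and, when run as root with an owner named, hands ownership to the transfer user as the note about files created as root requires. The home directory, user name bear and key material in the demo are constructed for illustration.

```python
import os
import pwd
import re
import tempfile
from pathlib import Path
from typing import Optional

# An OpenSSH public key line: key type, base64 key material, optional comment.
_PUBKEY_RE = re.compile(
    r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))\s+[A-Za-z0-9+/]+={0,3}(\s+\S.*)?$"
)


def install_authorized_key(home: Path, pubkey_line: str, owner: Optional[str] = None) -> Path:
    """Append one public key to <home>/.ssh/authorized_keys.

    The .ssh directory is forced to mode 0700 and the file to 0600, which
    sshd requires under its default StrictModes. A key whose type and key
    material are already present is not added again. When run as root with
    an owner given, ownership of both paths is handed to that account.
    Returns the path of the authorized_keys file.
    """
    key = pubkey_line.strip()
    if not _PUBKEY_RE.match(key):
        raise ValueError("not an OpenSSH public key line")
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir() honours the umask, so set the mode explicitly
    auth = ssh_dir / "authorized_keys"
    existing = auth.read_text().splitlines() if auth.exists() else []
    key_id = " ".join(key.split()[:2])  # type + material; the comment may differ
    if key_id not in {" ".join(l.split()[:2]) for l in existing if l.strip()}:
        with auth.open("a") as fh:
            fh.write(key + "\n")
    os.chmod(auth, 0o600)
    if owner is not None and os.geteuid() == 0:
        pw = pwd.getpwnam(owner)
        for path in (ssh_dir, auth):
            os.chown(path, pw.pw_uid, pw.pw_gid)
    return auth


# Constructed key line for the demo; the key material is not a real key.
DEMO_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialForTheDemo bear@proxy"


def demo() -> dict:
    """Install the same key twice into a temporary home directory and report
    the resulting modes and line count, so the behaviour can be checked."""
    home = Path(tempfile.mkdtemp()) / "bear"
    auth = install_authorized_key(home, DEMO_KEY)
    # Same type and material, different comment: must not be appended again.
    install_authorized_key(home, DEMO_KEY + " (same key, different comment)")
    return {
        "dir_mode": oct(auth.parent.stat().st_mode & 0o777),
        "file_mode": oct(auth.stat().st_mode & 0o777),
        "lines": len(auth.read_text().splitlines()),
    }


if __name__ == "__main__":
    print(demo())
```

On a real proxy server you would call install_authorized_key(Path("/home/bear"), key_line, owner="bear") as root for each user, and for the squashed account run the same call on the internal server with the squash user's key.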

Creating a group of proxy users (optional)

Managing permissions for Proxy users is often easier if they are part of a system group.

  1. Create a group for Proxy users.
    # groupadd groupname
  2. Confirm that the group was created.
    # cat /etc/group

    The new group appears at the end of the list.

  3. To add users to the group, run the following command:
    # usermod -a -G groupname username

Granting sudo access to proxy users or groups

To use reverse proxy, the transfer user must be able to run the /sbin/iptables-restore command as root by using sudo and without a terminal (TTY).

In a default Linux® configuration, as root, create a file in /etc/sudoers.d/ (for example, aspera_rproxy) containing the following three lines for each user:
Defaults:username !requiretty
Defaults:username secure_path = /sbin:/bin:/usr/sbin:/usr/bin
username ALL = NOPASSWD: /sbin/iptables-restore

You can specify multiple users in the same file or in different files. To specify a group instead of individual users, replace username in the previous example with %groupname.

Notes on sudo:
  • The configuration file is /etc/sudoers.
  • Groups must be specified with a leading %.
  • By default, the last entry in the sudoers file is usually #includedir /etc/sudoers.d. This evaluates all files in the sudoers.d folder in lexical order.
  • Configuration stanzas are evaluated in order, and the last evaluation takes precedence.
For more information, see the man page for sudo.

Based on these notes, it is also possible to edit the main sudoers file by using the visudo command. In this case, make sure that the stanzas shown above are placed after the corresponding generic default stanzas, so that they are evaluated later and take precedence:

Defaults requiretty

%wheel ALL=(ALL) ALL or %sudo ALL=(ALL) ALL (depending on your system configuration).

Configure reverse proxy settings

The following configuration steps require setting values in the proxy server's aspera.conf file, which is found in the following location:

/opt/aspera/proxy/etc/aspera.conf

You can edit the file manually, or by using the asconfigurator utility. The following steps describe both methods.

The asconfigurator command is located in /opt/aspera/proxy/bin. The following examples assume that the command is already on the path. You can either add that directory to root's path or prefix the command with its full path each time you run it.

For more information about the aspera.conf settings and corresponding asconfigurator settings, see Reverse Proxy configuration options.

  1. Enable reverse proxy:
    # asconfigurator -x "set_server_data;rproxy_enabled,true"

    This command adds the following to the <server> section of /opt/aspera/proxy/etc/aspera.conf:

    <server>
        <rproxy>
             <enabled>true</enabled>
        </rproxy>
    </server>
  2. Create forwarding rules.
    Single Rule: If you are setting only one rule, you can use asconfigurator commands. Rules must specify a host, which is the IP address of the internal server. You can also specify the port to use, rather than the default 22. To set a rule and specify the file to use for SSH authentication, run the following commands:
    # asconfigurator -x "set_server_data;rproxy_rules_rule_host,host_ip_address[:port]"
    # asconfigurator -x "set_server_data;rproxy_rules_rule_keyfile,filepath"

    Multiple Rules: You can specify different rules that are keyed by the IP address or hostname that is used for connecting to the Proxy server. For example, by using multiple rules you can set one rule block for transfers to faspex.asperasoft.com and set another for transfers to shares.asperasoft.com.

    Authentication: Each rule requires a <keyfile> setting, which specifies the location of the SSH private key file used to authenticate to the internal server (for example, /home/$(user)/.ssh/id_ed25519, where $(user) is replaced with the proxy user's name). If no <squash_user> is specified, the proxy server uses the proxy user's account to authenticate with the internal server.

    For example, to set a rule such that transfers destined for Proxy host 7.7.7.7 are forwarded to internal server 10.0.0.10, add the following:

    <server>
       <rproxy>
           <enabled>true</enabled>
           <rules>
               <rule host_ip="7.7.7.7">
                   <host>10.0.0.10:22</host>
                   <keyfile>/home/$(user)/.ssh/id_ed25519</keyfile>
               </rule>
           </rules>
       </rproxy>
    </server>

    To set an additional rule such that transfers destined for 7.7.7.8 must be forwarded to the squashed user account xfer on internal server 10.0.0.30, add the following:

    <server>
       <rproxy>
           <enabled>true</enabled>
           <rules>
               <!-- Incoming SSH connections to 7.7.7.7 -->
               <rule host_ip="7.7.7.7">
                   <host>10.0.0.10:22</host>
                   <keyfile>/home/$(user)/.ssh/id_ed25519</keyfile>
               </rule>

               <!-- Incoming SSH connections to 7.7.7.8 -->
               <rule host_ip="7.7.7.8">
                   <host>10.0.0.30:22</host>
                   <squash_user>xfer</squash_user>
                   <keyfile>/opt/aspera/proxy/etc/ssh_keys/id_ed25519</keyfile>
               </rule>
           </rules>
       </rproxy>
    </server>
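A mistake in a forwarding rule (a missing <keyfile>, a duplicated host_ip, a relative key path) only shows up when a transfer fails to authenticate against the internal server. The following added Python example (not part of the Aspera documentation or product) reads the <rproxy> section of an aspera.conf and reports rules that do not satisfy the requirements stated in step 2: reverse proxy enabled, one <host> of the form ip[:port] with 22 as the default port, an absolute <keyfile> in every rule, a unique host_ip per rule, and a plausible <squash_user> where one is given. The sample configuration is constructed for the demo; the page does not show the file's root element, so the checker looks for <rproxy> anywhere in the document and the <CONF> wrapper in the sample is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

DEFAULT_SSH_PORT = 22  # used when <host> carries no :port, as the page describes
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def parse_host(text: str) -> Tuple[str, int]:
    """Split a <host> value of the form ip[:port] into (ip, port)."""
    host, sep, port = text.strip().partition(":")
    if not host:
        raise ValueError("empty <host>")
    if not sep:
        return host, DEFAULT_SSH_PORT
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port {port!r}")
    return host, int(port)


def check_rproxy_config(xml_text: str) -> List[str]:
    """Return one finding per problem in the <rproxy> section; empty means clean."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    rproxy = next(root.iter("rproxy"), None)  # root element name is not assumed
    if rproxy is None:
        return ["no <rproxy> section found"]
    enabled = rproxy.findtext("enabled", default="").strip()
    if enabled != "true":
        findings.append(f"<enabled> is {enabled!r}, expected 'true'")
    rules = rproxy.findall("rules/rule")
    if not rules:
        findings.append("no <rule> elements under <rules>")
    seen = set()
    for idx, rule in enumerate(rules):
        host_ip = rule.get("host_ip")
        label = f"rule {host_ip or '#' + str(idx)}"
        if host_ip is None:
            findings.append(f"{label}: missing host_ip attribute")
        elif host_ip in seen:
            findings.append(f"{label}: duplicate host_ip")
        else:
            seen.add(host_ip)
        host = rule.findtext("host")
        if host is None or not host.strip():
            findings.append(f"{label}: missing <host>")
        else:
            try:
                parse_host(host)
            except ValueError as exc:
                findings.append(f"{label}: bad <host>: {exc}")
        keyfile = rule.findtext("keyfile")
        if keyfile is None or not keyfile.strip():
            findings.append(f"{label}: missing <keyfile>")
        elif not keyfile.strip().startswith("/"):
            findings.append(f"{label}: <keyfile> is not an absolute path")
        squash = rule.findtext("squash_user")
        if squash is not None and not _USERNAME_RE.match(squash.strip()):
            findings.append(f"{label}: <squash_user> {squash!r} is not a valid user name")
    return findings


# Constructed sample: the second rule reproduces a common omission, no <keyfile>.
SAMPLE_CONF = """<CONF>
  <server>
    <rproxy>
      <enabled>true</enabled>
      <rules>
        <rule host_ip="7.7.7.7">
          <host>10.0.0.10:22</host>
          <keyfile>/home/$(user)/.ssh/id_ed25519</keyfile>
        </rule>
        <rule host_ip="7.7.7.8">
          <host>10.0.0.30</host>
          <squash_user>xfer</squash_user>
        </rule>
      </rules>
    </rproxy>
  </server>
</CONF>"""

if __name__ == "__main__":
    for finding in check_rproxy_config(SAMPLE_CONF):
        print(finding)
```

To check the live file, pass the contents of /opt/aspera/proxy/etc/aspera.conf to check_rproxy_config; a rule that is reported as missing its <keyfile> will fall back to whatever the proxy does by default rather than the key you intended.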
  3. Set up logging for reverse proxy.
    1. In /etc/rsyslog.d, create the file aspera.conf. Enter the following in the file:
      local2.*     -/var/log/aspera.log
      & stop

      The previous example is for CentOS 7. On other Linux platforms the equivalent rsyslog configuration is similar.

    2. Restart the logger:
      # systemctl restart rsyslog
    3. Create the file /etc/logrotate.d/aspera containing the following:
      /var/log/aspera.log {
          daily
          rotate 15
          copytruncate
          postrotate
              chmod 644 /var/log/aspera.log || true
          endscript
          compress
      }