Using Aspera Proxy with HSTS
If your environment provides public IP addresses for worker nodes, you do not need to install Aspera Proxy. In all other cases, Aspera Proxy must be used to allow transfers from clients to the HSTS instance. External traffic must be routed to the reverse proxy instance, which then routes it to the appropriate HSTS services within the Kubernetes cluster (which is exposed by using NodePort).
Overview of workflow
- Install an Aspera Proxy Server.
- Configure cloud-based servers for Aspera Proxy.
- Configure Aspera Proxy for use as a reverse proxy.
- Configure HSTS for use with Aspera Proxy.
These steps are explained as follows.
Install and configure Aspera Proxy
Note: You must install Aspera Proxy outside of the cluster in which your HSTS instance is created. However, Aspera Proxy must be on the same network as that cluster.
These instructions provide a streamlined workflow for installation. For more detailed instructions, see IBM Aspera Proxy Admin Guide.
- Download Aspera Proxy to the host from IBM Aspera downloads.
- As root, install Aspera Proxy. For example:
  rpm -ivh ibm-aspera-proxy-1.4.4.174906-linux-64.rpm
- Copy the contents of your Aspera Proxy license file into /opt/aspera/proxy/etc/aspera-license.
- Create a transfer user named xfer. You must use the string "xfer" for the username:
  adduser xfer
- As the user xfer, run the following command:
  cat /opt/aspera/proxy/var/aspera_tokenauth_id_rsa.pub >> /home/xfer/.ssh/authorized_keys
- Go to the file /home/xfer/.ssh/authorized_keys and confirm that the file belongs to the user xfer.
- Add Port 33001 to /etc/ssh/sshd_config.
- Restart SSHD:
  systemctl restart sshd
- Change the xfer user's shell to the secure aspshell:
  chsh -s /bin/aspshell xfer
- Create the file /etc/sudoers.d/aspera_rproxy with the following content:
  Defaults:xfer !requiretty
  Defaults:xfer secure_path = /sbin:/bin:/usr/sbin:/usr/bin
  xfer ALL = NOPASSWD: /sbin/iptables-restore
- Create the directory /opt/aspera/proxy/etc/ssh_keys.
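To confirm that a proxy host actually ends up in the state the steps above describe (SSH on 33001, xfer confined to aspshell, sudo limited to iptables-restore, the token-auth key authorized), here is an added audit script; it is not part of the original page or of IBM's tooling. It takes file contents as strings so it can be run on copies, and the key and passwd lines in it are constructed samples.

```python
import re
# State the install steps above establish: sshd listens on 33001, xfer's login
# shell is aspshell, and xfer may sudo only iptables-restore without a password.
SSH_PORT = "33001"
XFER_SHELL = "/bin/aspshell"
SUDOERS_EXPECTED = {
    "Defaults:xfer !requiretty",
    "Defaults:xfer secure_path = /sbin:/bin:/usr/sbin:/usr/bin",
    "xfer ALL = NOPASSWD: /sbin/iptables-restore",
}

def _directives(text):
    # Non-comment, non-empty lines with whitespace normalised.
    return {" ".join(l.split()) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def audit_proxy_host(sshd_config, passwd, sudoers, authorized_keys, token_pubkey):
    """Return a list of findings (empty means all checks passed).

    Arguments are the contents of /etc/ssh/sshd_config, /etc/passwd,
    /etc/sudoers.d/aspera_rproxy, /home/xfer/.ssh/authorized_keys and
    /opt/aspera/proxy/var/aspera_tokenauth_id_rsa.pub, read as root.
    """
    findings = []
    if SSH_PORT not in re.findall(r"^\s*Port\s+(\d+)", sshd_config, re.M):
        findings.append(f"sshd_config: Port {SSH_PORT} is not configured")
    entry = next((l.split(":") for l in passwd.splitlines()
                  if l.startswith("xfer:")), None)
    if entry is None:
        findings.append("passwd: user xfer does not exist")
    elif entry[6] != XFER_SHELL:
        findings.append(f"passwd: xfer shell is {entry[6]}, expected {XFER_SHELL}")
    present = _directives(sudoers)
    # Any line beyond the three expected ones widens what xfer can run as root.
    for extra in sorted(present - SUDOERS_EXPECTED):
        findings.append(f"sudoers: unexpected directive: {extra}")
    for missing in sorted(SUDOERS_EXPECTED - present):
        findings.append(f"sudoers: missing directive: {missing}")
    if " ".join(token_pubkey.split()) not in _directives(authorized_keys):
        findings.append("authorized_keys: proxy token-auth public key is absent")
    return findings

# Constructed sample inputs (not a real key or host) for a quick self-check.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2E-constructed-sample-key aspera_tokenauth\n"
GOOD = dict(
    sshd_config="# constructed\nPort 22\nPort 33001\nPermitRootLogin no\n",
    passwd="root:x:0:0:root:/root:/bin/bash\nxfer:x:1001:1001::/home/xfer:/bin/aspshell\n",
    sudoers="\n".join(SUDOERS_EXPECTED) + "\n",
    authorized_keys=SAMPLE_PUBKEY, token_pubkey=SAMPLE_PUBKEY)
```

Running audit_proxy_host(**GOOD) returns an empty list; feed it the real files to get a list of deviations to fix.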
Configure cloud-based servers for Aspera Proxy
- Create an instance in your OpenShift VPC’s Public network subnet.
- Create a security group that allows inbound TCP 33001 and UDP 33001 - 33100.
- Locate OpenShift and Aspera Proxy on the same network subnet.
- Create a public IP address and attach it to your instance.
Configure Aspera Proxy for use as a reverse proxy
- Get the private IP and port for the Aspera reverse proxy to connect with HSTS. Use this syntax for an OpenShift deployment of the proxy, where cr.name identifies the name of your OpenShift project for the proxy:
  oc get svc -l cr.name=my_cr_name,name=tcp-proxy
  For example:
  $ oc get svc -l cr.name=my-test,name=tcp-proxy
  NAME                TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)           AGE
  my-test-tcp-proxy   LoadBalancer   172.30.91.229   10.24.33.3    33001:30027/TCP   4d2h
  In the output, CLUSTER-IP identifies the IP address (172.30.91.229), and the first element of PORT(S) identifies the port (33001).
- Update the <server> section of the /opt/aspera/proxy/etc/aspera.conf file to identify the node user, public key, IP address, and port.
  - <squash_user>: Specifies the node user. Must be set to xfer.
  - <keyfile>: Specifies the location of the SSH private key file.
  - <host>: Specifies the IP address and port.
  - <bind_source_address>: Specifies the private IP address of the Aspera Proxy server instance. It is needed when there are both private and public interfaces, which is the case for AWS. You can use the ip addr command to get this address, or the Instances screen of the AWS console.
  (For a description of all the <server> elements, see IBM Aspera Proxy Admin Guide.)
  For example:
  <?xml version="1.0" encoding="UTF-8"?>
  <CONF version="2">
    <server>
      <rproxy>
        <enabled>true</enabled>
        <rules>
          <rule>
            <udp_port_reuse>false</udp_port_reuse>
            <squash_user>xfer</squash_user>
            <keyfile>/opt/aspera/proxy/etc/ssh_keys/id_rsa</keyfile>
            <host>172.30.91.229:33001</host>
            <bind_source_address>10.24.33.3</bind_source_address>
          </rule>
        </rules>
      </rproxy>
    </server>
  </CONF>
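As an added example (not from the page or from IBM's tooling), the following Python turns a saved copy of that oc get svc listing into the <server> section above, so CLUSTER-IP and the service port are extracted rather than retyped. OC_OUTPUT is a constructed copy of the listing, and the keyfile path and bind address are the values assumed from the example; it also goes beyond the page's case by accepting a ClusterIP listing whose PORT(S) has no NodePort suffix.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed copy of the `oc get svc` output shown above (no live cluster needed).
OC_OUTPUT = """\
NAME                TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)           AGE
my-test-tcp-proxy   LoadBalancer   172.30.91.229   10.24.33.3    33001:30027/TCP   4d2h
"""

def parse_tcp_proxy_svc(output):
    """Return (cluster_ip, port) from the tcp-proxy service listing.

    The port is the first element of PORT(S): the service port that the
    aspera.conf <host> element must name, not the NodePort after the colon.
    """
    rows = [l.split() for l in output.splitlines() if l.strip()]
    header, data = rows[0], rows[1:]
    if len(data) != 1:
        raise ValueError(f"expected one tcp-proxy service, got {len(data)}")
    ip_col, port_col = header.index("CLUSTER-IP"), header.index("PORT(S)")
    cluster_ip = str(ipaddress.ip_address(data[0][ip_col]))  # rejects garbage
    m = re.fullmatch(r"(\d+)(?::\d+)?/TCP", data[0][port_col])
    if not m:
        raise ValueError(f"unexpected PORT(S) value: {data[0][port_col]}")
    return cluster_ip, int(m.group(1))

def build_rproxy_conf(cluster_ip, port, keyfile, bind_source_address):
    """Render the aspera.conf <server> section as XML text."""
    ipaddress.ip_address(bind_source_address)  # fail early on a typo
    conf = ET.Element("CONF", version="2")
    rproxy = ET.SubElement(ET.SubElement(conf, "server"), "rproxy")
    ET.SubElement(rproxy, "enabled").text = "true"
    rule = ET.SubElement(ET.SubElement(rproxy, "rules"), "rule")
    for tag, value in (("udp_port_reuse", "false"), ("squash_user", "xfer"),
                       ("keyfile", keyfile), ("host", f"{cluster_ip}:{port}"),
                       ("bind_source_address", bind_source_address)):
        ET.SubElement(rule, tag).text = value
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(conf)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(conf, encoding="unicode")

if __name__ == "__main__":
    ip, port = parse_tcp_proxy_svc(OC_OUTPUT)
    print(build_rproxy_conf(ip, port, "/opt/aspera/proxy/etc/ssh_keys/id_rsa", "10.24.33.3"))
```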
- If you want to use a public SSH key that is created as part of the Aspera reverse proxy installation to validate communication with the HSTS instance, make a copy of the key for later use. For more information, see IBM Aspera Proxy Admin Guide.
- Restart the Aspera Proxy server:
  systemctl restart asperaproxy
Configure HSTS for use with Aspera Proxy
- Access your HSTS YAML configuration file.
- Add the following template content. The configurations key must be indented two spaces.
    configurations:
      serverName: "<hostname_or_public_ip_of_aspera_rproxy>"
      services:
        httpProxy:
          type: ClusterIP
        tcpProxy:
          type: LoadBalancer
          metadata:
            annotations:
              # Delete the annotations not needed for your provider
              service.beta.kubernetes.io/aws-load-balancer-internal: "true"
              service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private"
              service.kubernetes.io/ibm-load-balancer-cloud-provider-zone: "<zone>"
              service.kubernetes.io/ibm-load-balancer-cloud-provider-vlan: "<vlan_id>"
- Replace the <hostname_or_public_ip_of_aspera_rproxy> value with the IP address of your Aspera Proxy Server.
- Replace the <zone> value with the zone name.
- Replace the <vlan_id> value with the VLAN ID.
- Optionally, you can use the public SSH key that is created as part of the Aspera reverse proxy installation. To do so, at the same level as the services key (that is, with two spaces of indentation), create an authorizedKeys key and set the value to the public key of the proxy server.
- Delete the annotations values that are not relevant to your deployment.