Using Nginx to enable Data Server Manager to bypass a firewall

In a production environment, a database is usually behind a firewall, where users cannot reach it from their desktops. However, IBM® Data Server Manager (DSM) must be set up behind the firewall in order to monitor the production environment. This article examines how users can access DSM from their local browser.

About this task

In this article, we outline how to use Nginx, a web server that can also be used as a reverse proxy, load balancer and HTTP cache, to bypass the firewall while complying with security requirements, as shown below.

The Nginx server is at 9.30.33.144 and listens on port 8080. The DSM server is at 9.30.33.125 and uses port 11080 for HTTP.

Shown below is a sample nginx.conf file.
...

    upstream dsm215 {
        server 9.30.33.125:11080;
    }

    server {
        #listen       80 default_server;
        #listen       [::]:80 default_server;
        listen  8080;
        #server_name  9.30.33.144;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        # Everything not matched by a more specific location goes to DSM.
        location / {
            proxy_pass http://dsm215;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location /console/adm {
            proxy_redirect off;
            # proxy_pass_header Server;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://dsm215/console/adm;
        }

        location /console/ots {
            proxy_redirect off;
            # proxy_pass_header Server;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://dsm215/console/ots;
        }

        # WebSocket channel: the Upgrade handshake needs HTTP/1.1 to the upstream.
        location ^~ /console/channel/ {
            proxy_pass http://dsm215;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        # Only needed for CMz users
        location ^~ /cmx/controller {
            rewrite ^/cmx/controller(.*)$ /console/cmx/controller$1 break;
            proxy_pass http://dsm215;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

...
Follow the steps outlined below to configure your desktop to use Nginx.

Procedure

  1. Add the remote DSM server host and port
    #gzip  on;
    upstream dsm215 {
        server 9.30.122.103:11080;
    }
    
  2. Update the Proxy server and port, then define $context_path
    server {
        listen       8080;
        server_name  localhost;
        set $context_path /console;
    
  3. Configure the root location
    location / {
        proxy_pass http://dsm215;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    
  4. (Optional) If you are using IBM Configuration Manager for Db2 for z/OS (CMz) to monitor clients, configure the following:
    location ^~ /cmx/controller {
        rewrite ^/cmx/controller(.*)$ $context_path/cmx/controller$1 break;
        proxy_pass http://dsm215;
    }
  5. Update the iptables rules on the server where DSM is installed. These rules are required for DSM v2.1.3 and later.
    sudo iptables -t nat -I OUTPUT --source 0/0 --destination 0/0 -p tcp --dport 8080 -j REDIRECT --to-ports 11080
    sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

Results

Users can access DSM through the Nginx server, 9.30.33.144.
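
To check which DSM URL a given browser request ends up on, the following added example (not IBM's code and not part of the original article) models how the sample nginx.conf above selects a location and builds the upstream request. The function names and the request paths in `SAMPLE_PATHS` are constructed for illustration; query strings and the error-page locations are left out.

```python
import re

UPSTREAM = "9.30.33.125:11080"   # upstream "dsm215" in the sample nginx.conf
CONTEXT_PATH = "/console"        # $context_path as set in step 2

# (location prefix, URI part of proxy_pass or None, rewrite rule or None)
LOCATIONS = [
    ("/", None, None),
    ("/console/adm", "/console/adm", None),
    ("/console/ots", "/console/ots", None),
    ("/console/channel/", None, None),
    ("/cmx/controller", None,
     (r"^/cmx/controller(.*)$", CONTEXT_PATH + r"/cmx/controller\1")),
]

def select_location(path):
    """With no regex locations defined, nginx uses the longest matching prefix."""
    matches = [loc for loc in LOCATIONS if path.startswith(loc[0])]
    return max(matches, key=lambda loc: len(loc[0]))

def upstream_url(path):
    """Return the URL nginx requests from DSM for a client request path."""
    prefix, pass_uri, rewrite = select_location(path)
    if rewrite:
        # rewrite ... break: the changed URI is passed to the upstream as is
        path = re.sub(rewrite[0], rewrite[1], path)
    elif pass_uri is not None:
        # proxy_pass with a URI part: the matched prefix is replaced by it
        path = pass_uri + path[len(prefix):]
    # proxy_pass without a URI part: the request path is passed unchanged
    return "http://" + UPSTREAM + path

def route_table(paths):
    """Map each client path to (matched location, upstream URL)."""
    return [(p, select_location(p)[0], upstream_url(p)) for p in paths]

# Constructed sample requests, as a browser would send them to 9.30.33.144:8080
SAMPLE_PATHS = ["/console/adm/jobs", "/console/channel/ws",
                "/cmx/controller/status", "/any/other/path"]

if __name__ == "__main__":
    for path, location, url in route_table(SAMPLE_PATHS):
        print(f"{path:26} location {location:20} -> {url}")
```

Because `location /` matches every path, any URL served on the DSM HTTP port is reachable through the proxy, not only those under `/console`.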