In a production environment the database normally sits behind a firewall, and users cannot reach it from their desktops. Data Server Manager has to be set up inside the firewall to monitor the production environment, so how can users access Data Server Manager from the customer's local browser?
In this article we share a best practice: use nginx as a reverse proxy to pass through the firewall while following the security process.
Problem:

An example of the solution architecture:

An example nginx configuration: the nginx server is at 9.30.33.144 and is set up on port 8080, and Data Server Manager is on the 9.30.33.125 server and uses port 11080 for HTTP. Below is a sample nginx.conf file:
```nginx
...
#setup support for websocket,required after 2.1.3
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream dsm213 {
    server 9.30.33.125:11080;
}

server {
    #listen 80 default_server;
    #listen [::]:80 default_server;
    listen 8080;
    #server_name 9.30.33.144;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        root html;
        index index.php index.html index.htm;
    }

    location /console/ {
        proxy_pass http://dsm213/console/;
        #proxy_redirect off;
        # proxy_redirect http://9.30.33.144:11080/console http://9.30.33.144/console;
        # proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_bind 9.30.33.144;
    }

    location /adm {
        proxy_redirect off;
        # proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://dsm213/console/adm;
    }

    location /ots {
        proxy_redirect off;
        # proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://dsm213/console/ots;
    }

    #Required after 2.1.3
    location /message-service/ {
        proxy_pass http://dsm213/message-service/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
...
```
Besides that, you also need to update iptables on the server where Data Server Manager is installed. This is required after 2.1.3.
```
sudo iptables -t nat -I OUTPUT --source 0/0 --destination 0/0 -p tcp --dport 8080 -j REDIRECT --to-ports 11080
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
```
Users can now access Data Server Manager through 9.30.33.144, which is the nginx server.
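The sample nginx.conf listens on plain HTTP, yet its `/message-service/` block tells Data Server Manager the request arrived over `https`. The server block below is an added example, not part of the original article or IBM's configuration: it terminates TLS on nginx so that header is true and console logins are encrypted, and it limits which clients may connect. Port 8443, the certificate paths and the client range are assumptions to replace with your own values.

```nginx
# Added example (not from the original article). Use in place of the
# "listen 8080" server block; it reuses the article's `map` and
# `upstream dsm213` definitions, which must stay in the http context.
server {
    listen 8443 ssl;                                   # assumed port

    ssl_certificate     /etc/nginx/tls/dsm-proxy.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/dsm-proxy.key;  # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;  # drop TLSv1.3 on nginx older than 1.13

    # Only the networks that are meant to reach the console get through.
    allow 10.0.0.0/8;                     # placeholder: administrators' network
    deny  all;

    location /console/ {
        proxy_pass http://dsm213/console/;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;    # evaluates to "https" here
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }

    # WebSocket endpoint, required after 2.1.3 as in the article's sample.
    location /message-service/ {
        proxy_pass http://dsm213/message-service/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }

    # Carry over the article's /adm and /ots locations unchanged.
}
```

Run `nginx -t` after editing to validate the configuration before reloading.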
