Reverse Proxy Configuration Options

Single rule: If you are configuring a single rule, you can use asconfigurator to set most options, using the syntax:

# asconfigurator -x "set_server_data;parameter,value"

Multiple rules: If you are configuring multiple rules or setting options that do not have asconfigurator parameters, you must manually edit the Proxy configuration file found in:

/opt/aspera/proxy/etc/aspera.conf 

To display a list of all reverse-proxy configuration options in well-formed XML, run:

# /opt/aspera/proxy/bin/asuserdata -s

Configuration options and default values for the reverse proxy server are contained in the <rproxy> subsection of the <server> section. The following table describes these options. For an example of an aspera.conf file that incorporates these options, see the example below.

Reverse Proxy Configuration Options

Each entry below gives the aspera.conf option, its asconfigurator parameter (where one exists), a description, and the default value.

<enabled>
  asconfigurator parameter: rproxy_enabled
  Turn reverse proxy on/off (true/false).
  Default: false

<log_level>
  asconfigurator parameter: rproxy_log_level
  Set the logging level. 0 - Log connection status. 1 - Log only debug message level 1. 2 - Log only debug message level 2.
  Default: 0

<rule>
  Rule with no conditional attributes.
  Default: N/A

<rule host_domain="hostname:port">
  (no asconfigurator option)
  Set a rule for requests directed to the specified host name (and optionally the SSH port) of the proxy server. This setting can be used to set different rules for different hosts and different ports. Requires an ascp client version 3.1 or later.
  Default: (none)

<rule host_ip="ipaddr">
  (no asconfigurator option)
  Set a rule for requests directed to the specified IP address of the proxy server.
  Default: (none)

<rule host_domain="hostname:port" host_ip="ipaddr">
  (no asconfigurator option)
  Combined version of the two attributes above: the rule applies only to requests matching both the host name (and port) and the IP address.
  Default: (none)

<host>
  asconfigurator parameter: rproxy_rules_rule_host
  IP address and optional SSH port of the internal destination, with the syntax ip_address[:port]. The default port (if unspecified) is 22.
  Default: blank (null)

<hosts>
  (no asconfigurator option)
  Specifies a list of hosts for load balancing and SSH port reuse. Each host is listed as ip_address:port. See Load Balancing and UDP Port Reuse.
  Default: (none)

<proxy_port>
  asconfigurator parameter: rproxy_rules_rule_proxy_port
  Proxy server port that receives UDP traffic.
  Default: 33001

<bind_source_address>
  asconfigurator parameter: rproxy_rules_rule_bind_source_address
  Bind the outgoing TCP/UDP channel to a specified IP address. By default (no value set), outgoing TCP traffic uses a system-assigned IP address and UDP traffic uses the source IP address.
  Important: For Proxy servers with more than one NIC, <bind_source_address> must be specified to identify the interface used for the connection with Enterprise Server.
  Default: blank (null)

<balancing>
  (no asconfigurator option)
  Enables load balancing and specifies the method for distributing transfers across a list of multiple destinations. Round-robin selection is currently the only supported method. For details, see Load Balancing.
  Default: round_robin

<squash_user>
  asconfigurator parameter: rproxy_rules_rule_squash_user
  Squash account name used for authenticating with the internal server.
  Default: blank (null)

<keyfile>
  asconfigurator parameter: rproxy_rules_rule_keyfile
  Path and file name of the SSH private key used for authenticating with the internal server.
  Default: blank (null)

<src_port_filtering>
  asconfigurator parameter: rproxy_rules_rule_src_port_filtering
  Turn reverse proxy source-port filtering on or off (true/false). CAUTION: Setting this option to false reduces reverse proxy security and should be used only when necessary. For details, see Source-Port Filtering.
  Default: false

<udp_port_reuse>
  asconfigurator parameter: rproxy_rules_rule_udp_port_reuse
  Setting this option to false causes the reverse proxy to create iptables rules that increment the UDP port number to which clients send each concurrent transfer, and the internal server's UDP port to which the transfer is routed. For details, see UDP Port Reuse. Note: Must be set to false for Windows destinations.
  Default: true

Sample aspera.conf for Reverse Proxy

The sample below includes three example rules.

  1. Minimal rule. Incoming transfers are forwarded to the specified internal host (10.0.0.10:22) if they have been sent by users with valid SSH key authentication. Other configuration options take default values and load balancing is not enabled.
  2. Load balancing rule. Incoming transfers are forwarded to the specified internal hosts (10.20.103.133-135:33001). As in rule 1, only transfers sent by users with valid SSH key authentication are allowed through the reverse proxy. Since three hosts have been specified and the default UDP port is 33001, the three incremental ports UDP/33001-33003 must be open on the external firewall.
  3. UDP port reuse and squash user account rule. Incoming transfers to the proxy server with the IP address of 10.20.101.151 that are destined to an internal Windows server are received and forwarded on incremental UDP ports beginning with 5555. Transfers are forwarded as the squash user once the clients have been authenticated on the proxy server. The incremental UDP ports beginning with 5555 and up to the number of concurrent UDP transfers allowed must be open on the external firewall. For example, if 10 concurrent UDP streams are allowed, UDP ports 5555-5565 must be open.
<server>
...
<rproxy>
  <enabled>true</enabled>
  <log_level>0</log_level>
  <rules>
    <rule>                                             <!-- rule 1 -->
      <host>10.0.0.10:22</host>
      <keyfile>/home/$(user)/.ssh/id_rsa</keyfile>
    </rule>
    <rule>                                             <!-- rule 2 -->
      <hosts>
        <host>10.20.103.133:33001</host>
        <host>10.20.103.134:33001</host>
        <host>10.20.103.135:33001</host>
      </hosts>
      <keyfile>/home/$(user)/.ssh/id_rsa</keyfile>
      <udp_port_reuse>true</udp_port_reuse>
      <balancing>round_robin</balancing>
    </rule>
    <rule host_ip="10.20.101.151">                     <!-- rule 3 -->
      <proxy_port>5555</proxy_port>
      <squash_user>sender</squash_user>
      <keyfile>/opt/aspera/proxy/etc/ssh_keys/id_rsa</keyfile>
      <udp_port_reuse>false</udp_port_reuse>
    </rule>
  </rules>
</rproxy>
...
</server>
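The following script is an added example, not Aspera code or part of the product documentation. It reads the <server><rproxy> section described in the options table, applies that table's default values, and reports for each rule what a reviewer checks before deploying the proxy: whether the rule names a destination, whether a keyfile is configured, whether source-port filtering is effectively off, whether bind_source_address is set, and which UDP ports the external firewall must allow. The port arithmetic is an assumption derived from the two worked examples above: with udp_port_reuse=true, one port per balanced destination starting at proxy_port; with udp_port_reuse=false, one port per permitted concurrent transfer. The embedded SAMPLE_CONF is constructed from the page's own sample with the XML comments made well-formed and rule 3 closed so that a parser accepts it.

```python
"""Audit the <rproxy> rules in an Aspera Proxy aspera.conf (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Defaults copied from the options table on this page.
DEFAULT_SSH_PORT = 22
DEFAULT_PROXY_PORT = 33001
DEFAULT_UDP_PORT_REUSE = True
DEFAULT_SRC_PORT_FILTERING = False

# Constructed input: the page's sample <server> block, comments well-formed, rule 3 closed.
SAMPLE_CONF = """<server>
<rproxy>
  <enabled>true</enabled>
  <log_level>0</log_level>
  <rules>
    <rule>
      <host>10.0.0.10:22</host>
      <keyfile>/home/$(user)/.ssh/id_rsa</keyfile>
    </rule>
    <rule>
      <hosts>
        <host>10.20.103.133:33001</host>
        <host>10.20.103.134:33001</host>
        <host>10.20.103.135:33001</host>
      </hosts>
      <keyfile>/home/$(user)/.ssh/id_rsa</keyfile>
      <udp_port_reuse>true</udp_port_reuse>
      <balancing>round_robin</balancing>
    </rule>
    <rule host_ip="10.20.101.151">
      <proxy_port>5555</proxy_port>
      <squash_user>sender</squash_user>
      <keyfile>/opt/aspera/proxy/etc/ssh_keys/id_rsa</keyfile>
      <udp_port_reuse>false</udp_port_reuse>
    </rule>
  </rules>
</rproxy>
</server>
"""


@dataclass
class Rule:
    selector: Dict[str, str]              # host_domain / host_ip attributes on <rule>
    destinations: List[Tuple[str, int]]   # (ip, ssh_port) from <host> or <hosts>
    keyfile: Optional[str]
    proxy_port: int
    udp_port_reuse: bool
    src_port_filtering: bool
    bind_source_address: Optional[str]
    squash_user: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_dest(text: str) -> Tuple[str, int]:
    """Parse ip_address[:port]; the SSH port defaults to 22 (IPv4 only)."""
    ip, sep, port = text.strip().partition(":")
    return ip, int(port) if sep else DEFAULT_SSH_PORT


def _text(node: ET.Element, tag: str) -> Optional[str]:
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else None


def _flag(node: ET.Element, tag: str, default: bool) -> bool:
    value = _text(node, tag)
    return default if value is None else value.lower() == "true"


def parse_rule(node: ET.Element) -> Rule:
    dests = [parse_dest(h.text) for h in node.findall("host") + node.findall("hosts/host")]
    port = _text(node, "proxy_port")
    return Rule(
        selector=dict(node.attrib), destinations=dests, keyfile=_text(node, "keyfile"),
        proxy_port=int(port) if port else DEFAULT_PROXY_PORT,
        udp_port_reuse=_flag(node, "udp_port_reuse", DEFAULT_UDP_PORT_REUSE),
        src_port_filtering=_flag(node, "src_port_filtering", DEFAULT_SRC_PORT_FILTERING),
        bind_source_address=_text(node, "bind_source_address"),
        squash_user=_text(node, "squash_user"),
    )


def udp_ports(rule: Rule, max_concurrent: int) -> List[int]:
    """UDP ports the external firewall must allow for this rule (assumption: see lead-in)."""
    count = max(1, len(rule.destinations)) if rule.udp_port_reuse else max(1, max_concurrent)
    return list(range(rule.proxy_port, rule.proxy_port + count))


def check_rule(rule: Rule, max_concurrent: int) -> List[str]:
    f = []
    if not rule.destinations:
        f.append("no destination: rule has neither <host> nor <hosts>")
    if rule.keyfile is None:
        f.append("no <keyfile>: the proxy cannot authenticate to the internal server")
    if not rule.src_port_filtering:
        f.append("source-port filtering is off (reduces reverse proxy security)")
    if rule.bind_source_address is None:
        f.append("no <bind_source_address>: required on a proxy with more than one NIC")
    p = udp_ports(rule, max_concurrent)
    mode = "" if rule.udp_port_reuse else " (udp_port_reuse=false: iptables increments per transfer)"
    f.append(f"open UDP {p[0]}-{p[-1]} on the external firewall{mode}")
    return f


def audit(conf_xml: str, max_concurrent: int = 10) -> Tuple[bool, List[Rule]]:
    """Return (rproxy enabled?, rules with findings) for one aspera.conf <server> block."""
    rproxy = ET.fromstring(conf_xml).find("rproxy")
    if rproxy is None:
        return False, []
    enabled = (_text(rproxy, "enabled") or "false").lower() == "true"
    rules = [parse_rule(n) for n in rproxy.findall("rules/rule")]
    for r in rules:
        r.findings = check_rule(r, max_concurrent)
    return enabled, rules


if __name__ == "__main__":
    on, rules = audit(SAMPLE_CONF)
    print("rproxy enabled:", on)
    for i, r in enumerate(rules, 1):
        print(f"rule {i} {r.selector or '(no match attributes)'} -> {r.destinations}")
        for line in r.findings:
            print("   -", line)
```

Run against the page's sample, the script reports that rule 3 as printed names no <host> or <hosts>, that none of the three rules sets <bind_source_address> or turns on <src_port_filtering>, and that the firewall needs UDP/33001 for rule 1, UDP/33001-33003 for rule 2, and ten consecutive ports from 5555 for rule 3 when ten concurrent transfers are allowed.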