Configuring the Proxy Server for Reverse Proxy

Reverse proxy is used to route incoming transfers from the proxy server to the internal destination. In order to do so, user accounts must be set up on the proxy server and rules that dictate how transfers are routed must be configured. The instructions below describe the steps to set up user accounts, grant them sudo access, and configure settings and logging.

Creating and Authorizing Users on the Proxy Server

Proxy user accounts can be set up in two ways:
  • Squashed user account: Multiple users make transfers to a single “squashed” user account on the internal destination server. No individual accounts are required on the destination server, but individual accounts are still required on the proxy server. The squash-user account is required only on the destination server, not on the proxy server. At the destination, the transferred files are owned by the squash-user. The squashed approach is generally considered the best choice for IBM Aspera Faspex.

  • Individual user accounts: Each user makes transfers to their own account on the destination server. The individual user accounts must exist at the destination, as well as on the proxy server. When transferred files arrive at the destination, they are still owned by the user who initiated the transfer. The individual-account approach is generally considered the better choice for transfers initiated from IBM Aspera transfer servers (a.k.a. IBM Aspera Connect Server and IBM Aspera Enterprise Server).

Proxy supports a mix of these two approaches. The following steps cover the setup of both squashed and individual accounts:

  1. Log into the Proxy server as root and create an account for each user.
    You do not need to set up a squashed user account on the Proxy server, but you do need individual accounts for each user who will use the squashed account.
  2. For each user, set the default shell to /bin/aspshell by running the following command:
    $ chsh -s /bin/aspshell username

    For example:

    $ chsh -s /bin/aspshell bear
    Changing shell for bear.
    Warning: "/bin/aspshell" is not listed in /etc/shells.
    Shell changed.

    The warning message can be safely ignored.

  3. Generate an SSH key pair for each user on the proxy server:
    $ su - username -c ssh-keygen

    By default, ssh-keygen generates and copies the private key (usually id_rsa) and public key (usually id_rsa.pub) to the .ssh directory in the user’s home directory, typically /home/username/.ssh.

    If you are using a squashed user account on the Proxy server, generate an SSH key pair on the Proxy server using the same command.

  4. Add the public keys for individual or squashed user accounts to the appropriate server.
    For each user, create the file authorized_keys in /home/username/.ssh on the Proxy server. Copy and paste the text of each user's public key into their corresponding authorized_keys file.

    For a squashed user account, create the file /home/squash_username/.ssh/authorized_keys on the internal server(s) and copy and paste the text of the squashed user's public key into their authorized_keys file.

Creating a Group of Proxy Users (Optional)

Managing permissions for Proxy users is often easier if they are part of a system group.
  1. Create a group for Proxy users.
    # groupadd group_name
  2. Confirm the group was created.
    # cat /etc/group

    The new group should appear at the end of the list.

  3. To add users to the group, run the following command:
    # usermod -a -G group_name username

Granting sudo Access to Proxy Users Individually or as a Group

You can grant sudo access to users individually or as a group.
  1. Edit the /etc/sudoers file by running the following command:
    # visudo
  2. Under the line Defaults requiretty, add the following line for the user or group that will use the Proxy server:
    Defaults:username !requiretty
    Defaults:%group_name !requiretty
  3. Grant sudo access to users or groups.
    For users, add the following line under the root ALL=(ALL) ALL line:
    username ALL=(ALL) NOPASSWD: /sbin/iptables-restore

    For a group, add the following line under the line %wheel ALL=(ALL) ALL or %sudo ALL=(ALL) ALL (depending on your operating system):

    %group_name ALL=(ALL) NOPASSWD: /sbin/iptables-restore
  4. Save your changes and exit.
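The two properties the sudoers steps above establish (a NOPASSWD grant limited to /sbin/iptables-restore, and a matching !requiretty line for every principal that receives it) can be checked mechanically. The following audit script is an added example, not part of the original page or the product; the sudoers fragment it reads is constructed, and the ops entry is deliberately over-broad to show what the check flags.

```python
import re

# Constructed sudoers fragment modelled on the page's example (not a real file).
# The "ops" line is intentionally too broad so the audit has something to report.
SAMPLE_SUDOERS = """\
Defaults requiretty
Defaults:bear !requiretty
Defaults:%proxyusers !requiretty
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
bear ALL=(ALL) NOPASSWD: /sbin/iptables-restore
%proxyusers ALL=(ALL) NOPASSWD: /sbin/iptables-restore
ops ALL=(ALL) NOPASSWD: ALL
"""

ALLOWED = "/sbin/iptables-restore"   # the only command the page grants passwordless

NOPASSWD_RE = re.compile(r"^(\S+)\s+ALL=\(ALL\)\s+NOPASSWD:\s*(.+)$")
NOTTY_RE = re.compile(r"^Defaults:(\S+)\s+!requiretty$")

def audit_sudoers(text):
    """Return a list of findings (strings) for a sudoers fragment.

    Two checks, both taken from the page's procedure:
    1. every NOPASSWD grant is limited to /sbin/iptables-restore;
    2. every principal with such a grant also has a !requiretty line,
       otherwise sudo refuses to run from the non-interactive proxy shell.
    """
    findings = []
    no_tty = set()      # principals (user or %group) that have !requiretty
    grants = {}         # principal -> list of NOPASSWD commands
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = NOTTY_RE.match(line)
        if m:
            no_tty.add(m.group(1))
            continue
        m = NOPASSWD_RE.match(line)
        if m:
            grants[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    for who, cmds in grants.items():
        extra = [c for c in cmds if c != ALLOWED]
        if extra:
            findings.append(f"{who}: NOPASSWD allows {', '.join(extra)}; restrict to {ALLOWED}")
        if who not in no_tty:
            findings.append(f"{who}: missing 'Defaults:{who} !requiretty'")
    return findings
```

Run it against the output of `visudo -c` or the file itself after editing; an empty list means both properties hold for every NOPASSWD principal.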

Configure Reverse Proxy Settings

The configuration steps below require setting values in the proxy server's aspera.conf file, which is found in the following location:

/opt/aspera/proxy/etc/aspera.conf

You can edit the file manually, or by using the asconfigurator utility. Both methods are described below.

The asconfigurator command is located in /opt/aspera/proxy/bin. The examples below assume that the command is already on the path. You can either add it to root's path or prepend the path to the command each time you execute it.

For more information about the aspera.conf settings and corresponding asconfigurator settings, see Reverse Proxy Configuration Options.
  1. Enable reverse proxy:
    # asconfigurator -x "set_server_data;rproxy_enabled,true"

    This adds the following to the <server> section of /opt/aspera/proxy/etc/aspera.conf:

    <server>
         <rproxy>
              <enabled>true</enabled>
         </rproxy>
    </server>
  2. Create forwarding rules.
    Single Rule: If you are only setting one rule, you can use asconfigurator commands. Rules must specify a host, which is the IP address of the internal destination. You can also specify the port to use, rather than the default 22. To set a rule and specify the file to use for SSH authentication, run the following commands:
    # asconfigurator -x "set_server_data;rproxy_rules_rule_host,host_ip_address[:port]"
    # asconfigurator -x "set_server_data;rproxy_rules_rule_keyfile,filepath"

    Multiple Rules: You can specify different rules keyed by the IP address or host name used for connecting to the Proxy server. For example, using multiple rules allows you to set one rule block for transfers to faspex.asperasoft.com and set another for transfers to shares.asperasoft.com.

    Authentication: Each rule requires a <keyfile> setting of $(user)/.ssh/id_rsa, which specifies the location of the SSH private keyfile. If no <squash_user> is specified, the proxy server uses the proxy user’s account to authenticate with the internal server.

    For example, to set a rule such that transfers destined for Proxy host 7.7.7.7 are forwarded to internal server 10.0.0.10, add the following:

    <server>
        <rproxy>
            <enabled>true</enabled>
            <rules>
                <rule host_ip="7.7.7.7">
                    <host>10.0.0.10:22</host>
                    <keyfile>/home/$(user)/.ssh/id_rsa</keyfile>
                </rule>
            </rules>
        </rproxy>
    </server>

    To set an additional rule such that transfers destined for 7.7.7.8 should be forwarded to the squashed user account xfer on internal server 10.0.0.30, add the following:

    <server>
        <rproxy>
            <enabled>true</enabled>
            <rules>
                <!-- Incoming SSH connections to 7.7.7.7 -->
                <rule host_ip="7.7.7.7">
                    <host>10.0.0.10:22</host>
                    <keyfile>/home/$(user)/.ssh/id_rsa</keyfile>
                </rule>

                <!-- Incoming SSH connections to 7.7.7.8 -->
                <rule host_ip="7.7.7.8">
                    <host>10.0.0.30:22</host>
                    <squash_user>xfer</squash_user>
                    <keyfile>/opt/aspera/proxy/etc/ssh_keys/id_rsa</keyfile>
                </rule>
            </rules>
        </rproxy>
    </server>
  3. Set up logging for reverse proxy.
    1. In /etc/rsyslog.d, create the file aspera.conf. Enter the following in the file:
      local2.*     -/var/log/aspera.log
      & stop

      (The above example is for CentOS 7. On other Linux platforms, the equivalent configuration is similar.)

    2. Restart the logger:
      # systemctl restart rsyslog
    3. Create the file /etc/logrotate.d/aspera containing the following:
      /var/log/aspera.log {
          daily
          rotate 15
          copytruncate
          postrotate
              chmod 644 /var/log/aspera.log || true
          endscript
          compress
      }
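The forwarding rules written in step 2 above are easy to get subtly wrong: reverse proxy left disabled, a host without a valid port, or a rule that lacks the <keyfile> the page says every rule requires. The checker below is an added example (not part of the page or the product) that parses the <rproxy> section of an aspera.conf excerpt and reports those problems. The excerpt it reads is constructed from the page's examples, with the 7.7.7.7 rule deliberately missing its <keyfile>.

```python
import re
import xml.etree.ElementTree as ET

# Constructed aspera.conf excerpt modelled on the page's examples (not a real file).
# The 7.7.7.7 rule intentionally omits <keyfile> so the checker reports it.
SAMPLE_CONF = """\
<server>
  <rproxy>
    <enabled>true</enabled>
    <rules>
      <rule host_ip="7.7.7.7">
        <host>10.0.0.10:22</host>
      </rule>
      <rule host_ip="7.7.7.8">
        <host>10.0.0.30:22</host>
        <squash_user>xfer</squash_user>
        <keyfile>/opt/aspera/proxy/etc/ssh_keys/id_rsa</keyfile>
      </rule>
    </rules>
  </rproxy>
</server>
"""

# host or IP, optionally followed by :port (port range is checked separately)
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(?::(\d{1,5}))?$")

def check_rproxy(xml_text):
    """Validate the <rproxy> block of an aspera.conf; return a list of problems."""
    problems = []
    root = ET.fromstring(xml_text)
    # search from wherever the excerpt starts, so a full file or a <server> excerpt both work
    rproxy = root if root.tag == "rproxy" else root.find(".//rproxy")
    if rproxy is None:
        return ["no <rproxy> section found"]
    if (rproxy.findtext("enabled") or "").strip() != "true":
        problems.append("rproxy/enabled is not 'true'")
    rules = rproxy.findall("./rules/rule")
    if not rules:
        problems.append("no <rule> entries")
    for rule in rules:
        label = rule.get("host_ip", "<unkeyed>")
        host = (rule.findtext("host") or "").strip()
        m = HOST_RE.match(host)
        if not m:
            problems.append(f"rule {label}: missing or malformed <host> '{host}'")
        elif m.group(1) and not 1 <= int(m.group(1)) <= 65535:
            problems.append(f"rule {label}: port {m.group(1)} out of range")
        if not (rule.findtext("keyfile") or "").strip():
            problems.append(f"rule {label}: missing <keyfile> (required for SSH auth)")
    return problems
```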