Configuring Reverse Proxy for Use with Faspex and Shares

To use IBM Aspera Faspex and IBM Aspera Shares from behind a reverse proxy, you must configure two things: the transfer nodes (Connect Server, Enterprise Server, or Point-to-Point) that Faspex and Shares use and that run behind the reverse proxy, and the proxy server itself.

Configuring the Transfer Nodes

  1. Set the transfer user's default shell to aspshell.
    The transfer user's username is typically faspex for Faspex and asp1 or shares for Shares. The method to set the default shell to aspshell varies by operating system:
    • Windows: Set the transfer user's docroot in the GUI to automatically set up the user with the Aspera shell.
    • Linux and Mac OS X: Change the transfer user's default shell by running the following command as root (this example uses faspex as the transfer user):
      # chsh -s /bin/aspshell faspex

      If a warning message appears saying /bin/aspshell is not listed in /etc/shells, it can be safely ignored.

    • Mac OS X: You can also change the transfer user's default shell from the GUI. In System Preferences, click Accounts or Users & Groups (depending on your version). Click the lock icon (labeled "Click the lock to make changes") and enter admin credentials. Right-click the transfer-user account name and click Advanced Options. In the Login shell field, replace the default value /bin/bash with /bin/aspshell.

    For further information about aspshell, see the guide for your Aspera server product (Connect Server, Enterprise Server, or Point-to-Point).

  2. Configure token authentication for the transfer user.
    Token authentication can be set in the GUI or using the asconfigurator command.
    Note: If the transfer nodes are in a cluster, use the same token encryption key on all nodes in the cluster.

    From the GUI:

    • Click the Configuration button to open the Server Configuration dialog.
    • Click the Users tab and click the transfer user. In the righthand pane, click the Authorization tab.
    • For Incoming Transfers and Outgoing Transfers, select Override and select token from the dropdown menu.
    • For Token Encryption Key, select Override and set the value to your encryption key.

    Using asconfigurator:

    • For Linux and Mac OS X, open a Terminal window as root. For Windows, launch Command Prompt as an administrator (click Start, right-click Command Prompt, and click Run as administrator).
    • To require a valid token for transfers to this computer, run the following command:
      # asconfigurator -x "set_user_data;user_name,transfer_username;authorization_transfer_in_value,token"
    • To require a valid token for transfers from this computer, run the following command:
      # asconfigurator -x "set_user_data;user_name,transfer_username;authorization_transfer_out_value,token"
    • To specify the token encryption key, run the following command. Use a long, randomly generated value and protect it like a password: anyone who holds this key can mint tokens that the node will accept.
      # asconfigurator -x "set_user_data;user_name,transfer_username;token_encryption_key,my_secret_key"
  3. Authorize a public SSH key for use by the transfer user.
    Log in as the transfer user so that the user owns any files that are created. Create the directory .ssh in the transfer user's home directory, and in it create the file authorized_keys (with no .txt extension):
    Windows C:\Users\faspex\.ssh\authorized_keys
    Linux /home/faspex/.ssh/authorized_keys
    Mac OS X /Users/faspex/.ssh/authorized_keys

    Aspera provides a public key in the file aspera_tokenauth_id_rsa.pub stored in the following locations:

    Windows C:\Program Files[ (x86)]\Aspera\Enterprise Server\var\aspera_tokenauth_id_rsa.pub
    Linux /opt/aspera/var/aspera_tokenauth_id_rsa.pub
    Mac OS X /Library/Aspera/var/aspera_tokenauth_id_rsa.pub

    Copy and paste the public key into the transfer user's authorized_keys file. Save the file and confirm that .ssh and authorized_keys are owned by the user.

    Note: On Linux and Mac OS X, permissions on these files must be set as specified in the admin guide for your server product. See Configuring for Faspex or Configuring for Shares.

Configuring the Proxy Server

  1. Create the faspex or shares transfer user on the proxy server.
    For instructions on creating the transfer user, see Configuring the Server for Reverse Proxy. Set the default shell to aspshell, as described above in Configuring the Transfer Nodes.
  2. Confirm the transfer user is using the correct SSH private key.
    For Faspex (transfer user faspex), set ownership and permissions as follows; do the same for the Shares transfer user. The private key itself must also be owned by the transfer user and must not be readable by any other account:
    # cd /home/faspex
    # chown faspex:faspex .ssh
    # chmod 700 .ssh
    # chmod 600 .ssh/id_rsa
  3. Authorize the public SSH key for use by the transfer user.
    Copy and paste the public key text from /opt/aspera/var/aspera_tokenauth_id_rsa.pub into the file /home/transfer_username/.ssh/authorized_keys, as described in step 3 of the previous section.
    Note: Instead of the key pair provided by Aspera, you may use a newly generated SSH key pair for authenticating the transfer sessions that the reverse proxy opens to the transfer node. The Aspera-provided pair is installed with every Aspera server product, so authorizing its public key on the transfer node lets any Aspera client that holds that private key open a direct session as the transfer user. Authorizing only a key pair generated on the proxy ensures that no FASP transfer session can be established with the transfer node without going through the reverse proxy.
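
The following shell script is an added example, not Aspera's code, and covers the key-authorization steps in both sections above (step 3 for the transfer node, and steps 2 and 3 for the proxy server). It installs a public key into a transfer user's authorized_keys exactly once, enforces the 700/600 modes shown in the proxy steps, reports whether the vendor-shipped aspera_tokenauth key is still authorized (which would let a client reach the node without the proxy), and can generate a fresh key pair for the proxy-to-node hop. The home directory and key files are passed as arguments so it can be run against a scratch directory; the function names, the demo() paths, the placeholder key strings and the choice of a 4096-bit RSA key are assumptions made for this example, and the key strings are not real key material.

```shell
#!/bin/sh
# Added example (not Aspera's code): authorized_keys installation and
# permission/key audit for an Aspera transfer user. Home directory and key
# files are explicit arguments so the functions can be exercised on a scratch
# directory; nothing here is tied to a real account or real key material.

# Print a file's octal mode on GNU (stat -c) or BSD/macOS (stat -f) systems;
# prints nothing if the path does not exist.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# install_authorized_key USER HOME PUBKEY_FILE
# Appends the key once (re-running is a no-op), then applies the 700/600
# modes from the proxy steps and, when run as root for an existing account,
# the ownership from the chown step.
install_authorized_key() {
    user=$1; home=$2; pub=$3
    [ -f "$pub" ] || { echo "public key not found: $pub" >&2; return 1; }
    key=$(cat "$pub")
    mkdir -p "$home/.ssh"
    [ -f "$home/.ssh/authorized_keys" ] || : > "$home/.ssh/authorized_keys"
    grep -qxF -- "$key" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$user" "$home/.ssh"
    fi
}

# check_ssh_perms HOME
# Returns 0 only if .ssh is 700 and authorized_keys / id_rsa (when present) are 600.
check_ssh_perms() {
    home=$1; rc=0
    [ "$(file_mode "$home/.ssh")" = 700 ] || { echo ".ssh is not 0700" >&2; rc=1; }
    for f in authorized_keys id_rsa; do
        [ -e "$home/.ssh/$f" ] || continue
        [ "$(file_mode "$home/.ssh/$f")" = 600 ] || { echo "$f is not 0600" >&2; rc=1; }
    done
    return $rc
}

# vendor_key_authorized HOME VENDOR_PUB
# Returns 0 if the key in VENDOR_PUB (the pair shipped with every Aspera
# install) is in authorized_keys, meaning a client holding that private key
# could open a session as the transfer user without traversing the proxy.
vendor_key_authorized() {
    home=$1; vendor=$2
    [ -f "$home/.ssh/authorized_keys" ] || return 1
    grep -qxF -- "$(cat "$vendor")" "$home/.ssh/authorized_keys"
}

# generate_proxy_keypair HOME COMMENT
# Creates a fresh pair at HOME/.ssh/id_rsa for the proxy-to-node hop, the
# alternative described in the note above. Requires ssh-keygen; RSA 4096 is an
# assumption, use whatever key type your node's sshd accepts.
generate_proxy_keypair() {
    home=$1; comment=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    ssh-keygen -q -t rsa -b 4096 -N '' -C "$comment" -f "$home/.ssh/id_rsa" \
        && chmod 600 "$home/.ssh/id_rsa"
}

# Demonstration on a scratch directory with constructed placeholder keys
# (not real key material).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERvendor aspera_tokenauth\n' > "$tmp/aspera_tokenauth_id_rsa.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERproxy proxy-to-node\n' > "$tmp/proxy_id_rsa.pub"
    install_authorized_key faspex "$tmp/faspex" "$tmp/proxy_id_rsa.pub"
    install_authorized_key faspex "$tmp/faspex" "$tmp/proxy_id_rsa.pub"   # second run adds nothing
    check_ssh_perms "$tmp/faspex" && echo "permissions OK"
    if vendor_key_authorized "$tmp/faspex" "$tmp/aspera_tokenauth_id_rsa.pub"; then
        echo "WARNING: vendor key still authorized; direct sessions bypass the proxy"
    else
        echo "only the proxy's key is authorized"
    fi
    rm -rf "$tmp"
}

demo
```

On a real node, run it as root with the transfer user's actual home directory (for example install_authorized_key faspex /home/faspex /home/faspex/.ssh/proxy_id_rsa.pub) and then run vendor_key_authorized against /opt/aspera/var/aspera_tokenauth_id_rsa.pub; a zero exit status there means the node still accepts the key pair that every Aspera installation carries.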