Bastion+ / WebSocket / Dedicated URL
Overview of a typical Bastion+ deployment in WebSocket mode, which provides a protocol break and access to a work environment.
Prerequisites
Retrieve the following Ansible roles:
reemo-infra
reemo-infra-images
reemo-provision
reemo-relayws
Architecture

Flow matrix
DESCRIPTION | TRANSPORT | SOURCE IP | SOURCE PORT | DESTINATION IP | DESTINATION PORT | SERVICES
---|---|---|---|---|---|---
INFRA -> PROVISION | TCP | 10.1.1.1 | 1024:65535 | 10.4.1.1 | 8443 | HTTPS
INFRA -> RELAY | TCP | 10.1.1.1 | 1024:65535 | 10.2.1.1 | 443,8443 | HTTPS
Admin -> INFRA | TCP | 10.6.1.0/24 | 1024:65535 | 10.1.1.1 | 8444 | HTTPS
PROVISION -> INFRA | TCP | 10.4.1.0/24 | 1024:65535 | 10.1.1.1 | 8443 | HTTPS
PROVISION -> RELAY | TCP | 10.4.1.0/24 | 1024:65535 | 10.2.1.1 | 443 | HTTPS
INTERNET -> RELAY | TCP | WAN | 1024:65535 | 10.2.1.1 | 443 | HTTPS
INTERNET -> INFRA | TCP | WAN | 1024:65535 | 10.1.1.1 | 443 | HTTPS
Ansible inventory file
```yaml
all:
  vars:
    API_LICENSE: "ewogICAg ... Uw5NXhGVDF0NFU2TkxOdjQvZU53PT0iCiAgICC9Cn0="
infra_manager:
  vars:
    INIT_TYPE: "bastion"
    PORTAL_URL: "url.domain.tld"
    PORTALADMIN_URL: "admin.domain.local"
    PORTALADMIN_URL_PORT: "8444"
    RELAYS_URL: "relay.domain.tld"
    TRAEFIK_SSL_CERTS:
      - cert_file: "/localpath/to/cert_domain.tld.crt"
        key_file: "/localpath/to/key_domain.tld.key"
      - cert_file: "/localpath/to/cert_domain.local.crt"
        key_file: "/localpath/to/key_domain.local.key"
    PROVISION_SIGNAL_IP:
      - ip: "10.1.1.1"
    PROVISION_IP:
      - ip: "10.4.1.1"
    RELAYS_IP:
      - ip: "10.2.1.1"
  hosts:
    infra_manager1:
      ansible_host: "10.1.1.1"
provision:
  children:
    provision_manager:
      hosts:
        provision_manager1:
          ansible_host: "10.4.1.1"
relayws_manager:
  vars:
    TRAEFIK_SSL_CERTS:
      - cert_file: "/localpath/to/cert_domain.tld.crt"
        key_file: "/localpath/to/key_domain.tld.key"
  hosts:
    relayws_manager1:
      ansible_host: "10.2.1.1"
```
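As a pre-deployment sanity check, added here and not part of the Reemo roles, the following script cross-checks the flow matrix against the inventory: every destination must be a declared ansible_host, the admin portal port (PORTALADMIN_URL_PORT, 8444) must only be reachable from the admin subnet, and only port 443 may be opened from the WAN. The flow list and host map are transcribed from this page; the admin-subnet and WAN-port policy are assumptions.

```python
"""Check that the Bastion+ flow matrix is consistent with the inventory
and with a least-privilege policy.  Flow and host data are transcribed
from the documentation page; policy values below are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    src: str        # single IP, CIDR, or the literal "WAN"
    dst: str        # destination IP
    ports: tuple    # destination TCP ports


# Flow matrix from the page (source port ranges are ephemeral, omitted)
FLOWS = [
    Flow("INFRA -> PROVISION", "10.1.1.1", "10.4.1.1", (8443,)),
    Flow("INFRA -> RELAY", "10.1.1.1", "10.2.1.1", (443, 8443)),
    Flow("Admin -> INFRA", "10.6.1.0/24", "10.1.1.1", (8444,)),
    Flow("PROVISION -> INFRA", "10.4.1.0/24", "10.1.1.1", (8443,)),
    Flow("PROVISION -> RELAY", "10.4.1.0/24", "10.2.1.1", (443,)),
    Flow("INTERNET -> RELAY", "WAN", "10.2.1.1", (443,)),
    Flow("INTERNET -> INFRA", "WAN", "10.1.1.1", (443,)),
]

# ansible_host values declared in the inventory
INVENTORY_HOSTS = {
    "infra_manager1": "10.1.1.1",
    "provision_manager1": "10.4.1.1",
    "relayws_manager1": "10.2.1.1",
}
ADMIN_NET = ipaddress.ip_network("10.6.1.0/24")  # assumed admin subnet
ADMIN_PORT = 8444          # PORTALADMIN_URL_PORT from the inventory
WAN_ALLOWED_PORTS = {443}  # assumed: only public HTTPS entry points


def check_flows(flows, hosts, admin_net=ADMIN_NET,
                admin_port=ADMIN_PORT, wan_ports=WAN_ALLOWED_PORTS):
    """Return a list of findings; an empty list means the matrix is consistent."""
    findings = []
    known = set(hosts.values())
    for f in flows:
        if f.dst not in known:
            findings.append(f"{f.name}: destination {f.dst} is not an inventory host")
        if f.src == "WAN":
            bad = set(f.ports) - wan_ports
            if bad:
                findings.append(f"{f.name}: WAN may reach non-public port(s) {sorted(bad)}")
            continue
        if admin_port in f.ports:
            src_net = ipaddress.ip_network(f.src, strict=False)
            if not src_net.subnet_of(admin_net):
                findings.append(f"{f.name}: admin port {admin_port} reachable from {f.src}, outside {admin_net}")
    return findings
```

Run it before applying the playbooks; any finding means either the firewall matrix or the inventory was edited inconsistently.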
Installation
Prerequisites
Have the following Ansible roles:
reemo-infra-images
reemo-infra
reemo-provision
reemo-relayws
Have the following playbooks:
reemo-infra-images.yml
```yaml
- name: Load Reemo Docker Image
  hosts: infra_manager,api_manager,portal_manager,relayws_manager
  gather_facts: yes
  roles:
    - role: reemo-infra-images
      become: yes
```
reemo-infra.yml
```yaml
- name: Installation Reemo Infra Server
  hosts: infra_manager,portal_manager,api_manager
  gather_facts: yes
  roles:
    - role: reemo-infra
      become: yes
```
reemo-provision.yml
```yaml
- name: Deploy Provision Reemo environment in swarm cluster
  hosts: provision,provision_manager
  gather_facts: yes
  roles:
    - role: reemo-provision
      become: yes
```
reemo-relayws.yml
```yaml
- name: Installation Reemo Relay WebSocket
  hosts: relayws_manager
  gather_facts: yes
  roles:
    - role: reemo-relayws
      become: yes
```
With Internet access
If the machines have Internet access, the Ansible roles can install and initialise Docker Swarm automatically:
```bash
ansible-playbook -i inventory.yml playbooks/reemo-infra-images.yml --extra-vars "INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --extra-vars "INIT_DB=true" --extra-vars "INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true"
```
Without Internet access
If the machines do not have Internet access, Docker Swarm must be installed and initialised before running the Ansible roles:
```bash
ansible-playbook -i inventory.yml playbooks/reemo-infra-images.yml
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --extra-vars "INIT_DB=true"
ansible-playbook -i inventory.yml playbooks/reemo-provision.yml
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml
```
You can continue with the next page of the documentation: Getting started guide