# Bastion+ with Dedicated Portal
Overview of a Bastion+ WebSocket setup providing a protocol break and access to a work environment.
## Prerequisites

Retrieve the following Ansible roles:

- reemo-infra
- reemo-provision
- reemo-relayws

Have a license key.
## Architecture

### Overview of the infrastructure for a Bastion+ installation with a dedicated Portal
### Flow Matrix

| DESCRIPTION | TRANSPORT | SOURCE IP | SOURCE PORT | DESTINATION IP | DESTINATION PORT | SERVICES |
|---|---|---|---|---|---|---|
| Portal -> API | TCP | 10.1.1.1 | 1024:65535 | 10.3.1.1 | 443 | HTTPS |
| API -> PROVISION | TCP | 10.3.1.1 | 1024:65535 | 10.4.1.1 | 8443 | HTTPS |
| API -> RELAY | TCP | 10.3.1.1 | 1024:65535 | 10.2.1.1 | 443,8443 | HTTPS |
| Portal Admin -> API | TCP | 10.5.1.1 | 1024:65535 | 10.3.1.1 | 443 | HTTPS |
| Admin -> Portal Admin | TCP | 10.6.1.0/24 | 1024:65535 | 10.5.1.1 | 443 | HTTPS |
| PROVISION -> Internet Portal | TCP | 10.4.1.0/24 | 1024:65535 | 10.1.1.1 | 8443 | HTTPS |
| PROVISION -> RELAY | TCP | 10.4.1.0/24 | 1024:65535 | 10.2.1.1 | 443 | HTTPS |
| INTERNET -> RELAY | TCP | WAN | 1024:65535 | 10.2.1.1 | 443 | HTTPS |
| INTERNET -> INFRA | TCP | WAN | 1024:65535 | 10.1.1.1 | 443 | HTTPS |
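The flow matrix doubles as a least-privilege host firewall policy: each destination should accept only the listed source/port pairs (for example, the Relay exposes 8443 to the API host only, while 443 is reachable from the WAN). The Python script below is an added example, not part of the Reemo documentation; it transcribes the matrix above and renders an nftables input chain for one destination, treating the `WAN` source as "any address".

```python
"""Render per-host nftables rules from the Bastion+ flow matrix (added
example, not part of the Reemo documentation; WAN means 'any source')."""
from collections import defaultdict

# (source, destination, destination ports) -- every row is TCP/HTTPS and
# uses ephemeral source ports 1024:65535, so only dport is filtered.
FLOW_MATRIX = [
    ("10.1.1.1",    "10.3.1.1", "443"),       # Portal -> API
    ("10.3.1.1",    "10.4.1.1", "8443"),      # API -> PROVISION
    ("10.3.1.1",    "10.2.1.1", "443,8443"),  # API -> RELAY
    ("10.5.1.1",    "10.3.1.1", "443"),       # Portal Admin -> API
    ("10.6.1.0/24", "10.5.1.1", "443"),       # Admin -> Portal Admin
    ("10.4.1.0/24", "10.1.1.1", "8443"),      # PROVISION -> Internet Portal
    ("10.4.1.0/24", "10.2.1.1", "443"),       # PROVISION -> RELAY
    ("WAN",         "10.2.1.1", "443"),       # INTERNET -> RELAY
    ("WAN",         "10.1.1.1", "443"),       # INTERNET -> INFRA
]


def allowed_flows(dest_ip):
    """Return {dport: sorted allowed sources} for one destination host."""
    allowed = defaultdict(set)
    for src, dst, ports in FLOW_MATRIX:
        if dst == dest_ip:
            for port in ports.split(","):
                allowed[int(port)].add(src)
    return {port: sorted(srcs) for port, srcs in sorted(allowed.items())}


def nft_rules(dest_ip):
    """Input chain with policy drop that accepts only the listed flows."""
    lines = [
        "table inet reemo_filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for port, srcs in allowed_flows(dest_ip).items():
        for src in srcs:
            # A WAN row is reachable from anywhere, so no saddr match.
            saddr = "" if src == "WAN" else f"ip saddr {src} "
            lines.append(f"    {saddr}tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_rules("10.2.1.1"))  # the Relay host
```

Running it for 10.2.1.1 shows the two-port asymmetry on the Relay: 443 accepted from the API, the Provision subnet and any WAN source, 8443 from the API host alone.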
## Initialization

On all three environments, run the following command to initialize Docker Swarm:

```
docker swarm init
```

In multi-node environments, join nodes with the corresponding `docker swarm join` commands.

- Infra Environment: Swarm Manager
- Provision Environment: Swarm Manager + Worker
- Relay Environment: Swarm Manager
## Ansible Inventory File

```yaml
all:
  vars:
    ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
    INIT_TYPE: "bastion"
    DOCKER_VERSION: preprod
    API_LICENSE: "ewogICAg ... Uw5NXhGVDF0NFU2TkxOdjQvZU53PT0iCiAgICC9Cn0="
    HMACSECRET: "Taikohshugh8tahb2m"   # sample value; use your own secret
  children:   # in a YAML inventory, groups must be listed under all.children
    portal_manager:
      children:
        portaluser_manager:
          vars:
            PORTAL_URL: "url.domain.tld"
            PORTAL_TYPE: "user"
            TRAEFIK_SSL_CERTS:
              - cert_file: "/localpath/to/cert_domain.tld.crt"
                key_file: "/localpath/to/key_domain.tld.key"
            API_IP:
              - ip: "10.3.1.1"
          hosts:
            portaluser1:
              ansible_host: "10.1.1.1"
        portaladmin_manager:
          vars:
            PORTAL_URL: "admin.domain.local"
            PORTAL_TYPE: "admin"
            TRAEFIK_SSL_CERTS:
              - cert_file: "/localpath/to/cert_domain.local.crt"
                key_file: "/localpath/to/key_domain.local.key"
            API_IP:
              - ip: "10.3.1.1"
          hosts:
            portaladmin1:
              ansible_host: "10.5.1.1"
    api_manager:
      vars:
        RELAYS_URL: "relay.domain.tld"
        PROVISION_SIGNAL_IP:
          - ip: "10.1.1.1"
        PROVISION_IP:
          - ip: "10.4.1.1"
        RELAYS_IP:
          - ip: "10.2.1.1"
      hosts:
        api1:
          ansible_host: "10.3.1.1"
    provision:
      vars:
        PROVISION_SWARM_ADVERTISE_ADDR: "10.4.1.1"
      children:
        provision_manager:
          hosts:
            provision_manager1:
              ansible_host: "10.4.1.1"
        provision_worker:
          hosts:
            provision_worker1:
              ansible_host: "10.4.1.2"
    relayws_manager:
      vars:
        TRAEFIK_SSL_CERTS:
          - cert_file: "/localpath/to/cert_domain.tld.crt"
            key_file: "/localpath/to/key_domain.tld.key"
      hosts:
        relayws_manager1:
          ansible_host: "10.2.1.1"
```
## Installation

### Prerequisites

Have the following Ansible roles:

- reemo-infra
- reemo-provision
- reemo-relayws

Have the following playbooks:

`reemo-infra.yml`

```yaml
- name: Reemo Infra Server Installation
  hosts: infra_manager,portal_manager,api_manager
  gather_facts: yes
  roles:
    - role: reemo-infra
      become: yes
```

`reemo-provision.yml`

```yaml
- name: Deploy Reemo Provision environment in swarm cluster
  hosts: provision,provision_manager
  gather_facts: yes
  roles:
    - role: reemo-provision
      become: yes
```

`reemo-relayws.yml`

```yaml
- name: Reemo Relay WebSocket Installation
  hosts: relayws_manager
  gather_facts: yes
  roles:
    - role: reemo-relayws
      become: yes
```
### With Internet

If hosts have Internet access and you want to automate Docker installation and Swarm initialization, use:

```
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit api_manager --extra-vars "INIT_DB=true" --extra-vars "INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit portaladmin_manager --extra-vars "INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit portaluser_manager --extra-vars "INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true"
```
### Without Internet

If there is no Internet access, install Docker on all hosts and initialize Docker Swarm before running the roles. Generate the Docker image tarball first (`TARBALL_GENERATE=true` with the `tarball_generate` tag), then load the images from `TARBALL_PATH` on each host with `LOAD_IMAGE=true`:

```
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --extra-vars "TARBALL_GENERATE=true" --extra-vars "TARBALL_PATH=/opt/reemo/images" --tags tarball_generate
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit api_manager --extra-vars "INIT_DB=true" --extra-vars "TARBALL_PATH=/opt/reemo/images" --extra-vars "LOAD_IMAGE=true"
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit portaladmin_manager --extra-vars "TARBALL_PATH=/opt/reemo/images" --extra-vars "LOAD_IMAGE=true"
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit portaluser_manager --extra-vars "TARBALL_PATH=/opt/reemo/images" --extra-vars "LOAD_IMAGE=true"
ansible-playbook -i inventory.yml playbooks/reemo-provision.yml
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "TARBALL_PATH=/opt/reemo/images" --extra-vars "LOAD_IMAGE=true"
```