...

  1. Edit /etc/firewalld/zones/public.xml (or swarm-site.xml, whichever has the other port rules) and add a rule to allow port 8090 requests. The remainder of the instructions assume port 8090 is used. The result resembles:

    <?xml version="1.0" encoding="utf-8"?>
    <zone>
      <short>Public</short>
      <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
      <service name="ssh"/>
      <service name="dhcpv6-client"/>
      <port protocol="tcp" port="8009"/>
      <port protocol="tcp" port="8080"/>
      <port protocol="tcp" port="8081"/>
      <port protocol="udp" port="123"/>
      <port protocol="udp" port="514"/>
      <port protocol="tcp" port="514"/>
      <port protocol="tcp" port="8090"/>
      <masquerade/>
    </zone>
  2. Reload the firewall rules:

    firewall-cmd --reload
  3. Create a directory for the port90 configuration files:

    mkdir -p /opt/datacore/swarm-port90-console/
  4. Create a configuration file for the port90 container (/opt/datacore/swarm-port90-console/disable_http1.0.conf) that disables HTTP/1.0, removes headers that might expose internal IP addresses, and sets access control:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Block HTTP/1.0 requests
        RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
        RewriteRule .* - [F,L]
    </IfModule>
    
    <IfModule mod_headers.c>
        # Remove any headers that might contain internal IP addresses
        Header unset X-Forwarded-For
        Header unset X-Real-IP
        Header unset X-Client-IP
        Header unset Via
        Header unset X-Forwarded-Host
    
        # Anonymize the internal IP address
        RequestHeader edit X-Forwarded-For "192\.168\.\d+\.\d+" "anonymized"
    </IfModule>
    
    # Set proxy settings in the main configuration or a VirtualHost
    # For instance, you can place this in your main httpd.conf or a VirtualHost config:
    ProxyRequests Off
    ProxyVia Off
    ProxyPreserveHost On
    
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 192.168.1.0/24
        Allow from 10.0.0.0/16
        Allow from 127.0.0.1
    </Proxy>
  5. Download the container scs-container-port90-console.tar.gz here and transfer it to the SCS server. Load the container:

    podman load < scs-container-port90-console.tar.gz
  6. Collect the IP address of any Swarm node and substitute it for [Swarm node IP] in the following command. Install the container:

    podman run -d --name swarm-port90-console --security-opt=seccomp=unconfined -p 8090:8090 -e SCSP_HOST=[Swarm node IP] -v /opt/datacore/swarm-port90-console/disable_http1.0.conf:/etc/httpd/conf.d/block_http1.0.conf:Z docker-repo.tx.caringo.com/caringo-syslog:stable
  7. Now port 8090 on the SCS server can be used to access Swarm’s port90 console: http://[SCS-IP]:8090

  8. No further actions are required. However, the container does not run when the SCS server is restarted. Continue with the instructions below to configure the container to auto-start.
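
A way to confirm that the configuration from step 4 is in effect once the container is running, as an added example that is not part of the original instructions. The function name `audit_response`, the sample response and the curl invocations in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a raw HTTP response head for what disable_http1.0.conf enforces.
# Assumed live usage (the function reads the response on stdin):
#   curl -s -i --http1.0 "http://[SCS-IP]:8090/" | audit_response 1.0
#   curl -s -i --http1.1 "http://[SCS-IP]:8090/" | audit_response 1.1

# Response headers that the mod_headers section unsets.
LEAKY_HEADERS='x-forwarded-for|x-real-ip|x-client-ip|via|x-forwarded-host'
# RFC 1918 ranges, to spot an internal address in any remaining header value.
PRIVATE_IP='(^|[^0-9.])(10\.[0-9]+|192\.168|172\.(1[6-9]|2[0-9]|3[01]))\.[0-9]+\.[0-9]+'

# audit_response PROTO: prints findings, returns 1 if any FAIL was found.
audit_response() {
    proto=$1
    hdrs=$(tr -d '\r' | sed '/^$/q')   # status line and headers only, body dropped
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    rc=0
    # The RewriteRule [F] must answer an HTTP/1.0 request with 403.
    if [ "$proto" = "1.0" ] && [ "$status" != "403" ]; then
        echo "FAIL: HTTP/1.0 request got status ${status:-none}, expected 403"
        rc=1
    fi
    # None of the unset headers may be present in the response.
    leaked=$(printf '%s\n' "$hdrs" | sed '1d' | grep -iE "^($LEAKY_HEADERS):" || true)
    if [ -n "$leaked" ]; then
        printf '%s\n' "$leaked" | sed 's/^/FAIL: header present: /'
        rc=1
    fi
    # Informational only: a private address can be legitimate (e.g. in Location).
    priv=$(printf '%s\n' "$hdrs" | sed '1d' | grep -E "$PRIVATE_IP" || true)
    if [ -n "$priv" ]; then
        printf '%s\n' "$priv" | sed 's/^/WARN: private address in: /'
    fi
    return $rc
}

# Constructed sample: a response from a server where the configuration is NOT applied.
sample_leaky_response() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nVia: 1.1 192.168.1.20\r\nContent-Length: 0\r\n\r\n'
}

# Demo on the constructed sample, checked as if it answered an HTTP/1.0 request.
sample_leaky_response | audit_response 1.0 || true
```

No output and a zero exit status for both the HTTP/1.0 and HTTP/1.1 requests means the response matches what the configuration file is meant to produce.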

...