...
Panel |
---|
# Proxy Configuration
[proxy]
# Port, default "5000"
port = "5000"
# Network interface, default "0.0.0.0"
inet = "127.0.0.1"
# Enable recover on panic, default true, should be true for production environment
recover = true
# Enable Cross-Origin Resource Sharing (CORS), should be true for production environment
cors = true
# Enable Request Track ID, default true
tracker = true
# Enable Request Logger, default true
logger = true
# Rate Limit IP Request over 1 second, default 0 (unlimited)
limit = 0
# Enable the Prometheus Metric Endpoint '/metric', default false
metrics = false
# Service 'local' with direct authentication on the waarp gateway
[service.local]
# MFT Waarp Gateway Listen Protocol
protocol = "http"
[[service.local.targets]]
# MFT Waarp Gateway Hostname or IP
hostname = "localhost"
# MFT Waarp Gateway Port
port = "18080"
|
- Install the binary under /usr/local/bin:
...
Configuration for LDAP Authentication
The UDMG Authentication Proxy can use an LDAP service to authenticate users for the UDMG Admin UI:
Panel |
---|
# vi /etc/mft/auth_proxy/config.toml
|
Panel |
---|
# Proxy Configuration
[proxy]
# Port, default "5000"
port = "5000"
# Network interface, default "0.0.0.0"
inet = "127.0.0.1"
# Enable recover on panic, default true, should be true for production environment
recover = true
# Enable Cross-Origin Resource Sharing (CORS), should be true for production environment
cors = true
# Enable Request Track ID, default true
tracker = true
# Enable Request Logger, default true
logger = true
# Rate Limit IP Request over 1 second, default 0 (unlimited)
limit = 0
# Enable the Prometheus Metric Endpoint '/metric', default false
metrics = false
# Service 'mft' with LDAP Authentication
[service.mft]
# MFT Waarp Gateway connection protocol (http or https)
protocol = "http"
# This is a break-glass option for admins:
# the users in the admins list are authenticated directly on the MFT service, not with LDAP
admins = ["admin"]
[[service.mft.targets]]
# MFT Waarp Gateway Hostname or IP
hostname = "localhost"
# MFT Waarp Gateway Port
port = "18080"
# Credentials for the synchronisation from LDAP to MFT service
# user must have permission to create/update waarp gateway users
[service.mft.credential]
username = "ldap_sync"
password = "ldap_password"
# LDAP Configuration
[service.mft.auth.ldap]
# LDAP Server DC with OU
dn = "ou=users,dc=stonebranch,dc=com"
# LDAP Server FQDN or IP
hostname = "myldap.server.fqdn.com"
# LDAP Server Port
port = "1389"
|
...
Panel |
---|
[agent]
# MFT Agent Proxy Hostname or IP, and port
hostname = "0.0.0.0"
port = "2222"
# path to the SSH private key file
ssh_key = "agent"
# path to the SSH public key file
ssh_key_pub = "agent.pub"
# Agent Service User and password
username = "mft"
password = "61ee8b5601a84d5154387578466c8998848ba089"
|
The password key will be used for the client authentication.
Client Configuration
Create a configuration file as /etc/mft/agent_proxy/client.toml:
...
Panel |
---|
[client]
# Target MFT Agent Proxy Hostname or IP, and port
hostname = "localhost"
port = "2222"
# path to the SSH private key file
ssh_key = "/etc/mft/agent_proxy/client"
# path to the SSH public key file
ssh_key_pub = "/etc/mft/agent_proxy/client.pub"
# Agent Service User and password
username = "mft"
password = "61ee8b5601a84d5154387578466c8998848ba089"
# Default TTL to Connection Retry
ttl="5s"
[client.api]
# Administrative API port
port="2280"
[gateway]
# MFT Waarp Gateway Hostname or IP, and port
hostname = "localhost"
port = "18080"
# MFT Waarp Gateway Username/Password
username = "admin"
password = "admin_password"
|
The password key will be used for the client authentication.
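A check for the files that hold these credentials, as an added example that is not part of the original page or the UDMG distribution: it lists configuration files containing a `password` key, and the private keys named by their `ssh_key` entries, that group or other users can access. The function names are hypothetical, and resolving a relative `ssh_key` path against the configuration file's directory is an assumption.

```shell
#!/bin/sh
# Added example, not part of the UDMG distribution.

# secret_files DIR: print TOML files under DIR that contain a password key,
# plus the private key files named by their ssh_key entries.
secret_files() {
    dir=$1
    find "$dir" -type f -name '*.toml' | while IFS= read -r f; do
        if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$f"; then
            printf '%s\n' "$f"
        fi
        # Matches ssh_key = "path" but not ssh_key_pub = "path".
        sed -n 's/^[[:space:]]*ssh_key[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$f" |
        while IFS= read -r key; do
            case $key in
                /*) ;;                              # absolute path, use as is
                *) key=$(dirname "$f")/$key ;;      # assumption: relative to the config file
            esac
            if [ -f "$key" ]; then
                printf '%s\n' "$key"
            fi
        done
    done
}

# loose_secret_files DIR: the subset of secret_files that has any
# group or other permission bit set (anything beyond mode 0700).
loose_secret_files() {
    secret_files "$1" | sort -u | while IFS= read -r p; do
        find "$p" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

# Stand-alone use: sh audit.sh /etc/mft
if [ "$#" -gt 0 ]; then
    loose_secret_files "$1"
fi
```

Every path it prints can be tightened with `chmod 600` once the file is owned by the account that runs the service.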
Setup the Systemd Services
UDMG Server
Create a new service definition:
Panel |
---|
# vi /etc/systemd/system/mft_waarp_gateway.service
|
...
Panel |
---|
# systemctl start mft_waarp_gateway
# systemctl status mft_waarp_gateway
● mft_waarp_gateway.service - MFT Waarp Gateway server
Loaded: loaded (/etc/systemd/system/mft_waarp_gateway.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-06-07 16:43:16 -03; 10s ago
Main PID: 24888 (waarp-gatewayd)
Tasks: 6 (limit: 3509)
CPU: 11ms
CGroup: /system.slice/mft_waarp_gateway.service
└─24888 /usr/local/bin/waarp-gatewayd server -c /etc/mft/waarp_gateway/server.ini
|
Be sure that the listen port and network interface are reachable by the UDMG Authentication Proxy and the UDMG Agent Client.
UDMG Authentication Proxy
...
Panel |
---|
# systemctl start mft_auth_proxy
# systemctl status mft_auth_proxy
● mft_auth_proxy.service - MFT Auth Proxy server
Loaded: loaded (/etc/systemd/system/mft_auth_proxy.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-06-07 16:58:48 -03; 21s ago
Main PID: 25008 (mft_auth_proxy_)
Tasks: 3 (limit: 3509)
CPU: 4ms
CGroup: /system.slice/mft_auth_proxy.service
└─25008 /usr/local/bin/mft_auth_proxy_server
|
Be sure that the listen port and network interface are reachable by the NGINX server.
UDMG Agent Proxy
Agent Proxy Server Service
...
Panel |
---|
# systemctl start mft_agent_proxy_server
# systemctl status mft_agent_proxy_server
● mft_agent_proxy_server.service - MFT Agent Proxy Server
Loaded: loaded (/etc/systemd/system/mft_agent_proxy_server.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-06-07 16:26:53 -03; 2s ago
Main PID: 25444 (mft_agent_proxy)
Tasks: 5 (limit: 3509)
CPU: 5ms
CGroup: /system.slice/mft_agent_proxy_server.service
└─25444 /usr/local/bin/mft_agent_proxy_server
Jun 07 16:26:53 localhost.localdomain systemd[1]: Started MFT Agent Proxy Server.
Jun 07 16:26:53 localhost.localdomain sh[25444]: level=info TS=2022-06-07T19:26:53.624296821Z HostKey=Ok Path=/data/agent
|
Be sure that the listen port and network interface are reachable by the UDMG Agent Client.
Agent Proxy Client Service
...
Panel |
---|
# systemctl start mft_agent_proxy_client
# systemctl status mft_agent_proxy_client
● mft_agent_proxy_client.service - MFT Agent Proxy Client
Loaded: loaded (/etc/systemd/system/mft_agent_proxy_client.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-06-07 17:26:53 -03; 2s ago
Main PID: 25445 (mft_agent_proxy)
Tasks: 5 (limit: 3509)
CPU: 6ms
CGroup: /system.slice/mft_agent_proxy_client.service
└─25445 /usr/local/bin/mft_agent_proxy_client
Jun 07 17:26:53 localhost.localdomain systemd[1]: Started MFT Agent Proxy Server.
Jun 07 17:26:53 localhost.localdomain sh[25445]: level=info TS=2022-06-07T20:26:53.624296821Z Servers=[]
|
Component Ports
Make sure that all the required ports are open in your firewall configuration.
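To see which ports those are, the address and port pairs can be read out of the configuration files themselves. The following is an added example, not part of the original page or the product: `config_endpoints` is a hypothetical helper that handles only the flat `key = "value"` TOML used in these files and marks `0.0.0.0` entries as wildcard binds.

```shell
#!/bin/sh
# Added example, not part of the UDMG distribution.
# config_endpoints FILE... prints one line per section that sets a port:
#   file section address port note
# address is "-" when the section has no hostname/inet key; note is
# "wildcard" for 0.0.0.0 (all interfaces), otherwise "-".
config_endpoints() {
    awk '
    function val(line) {   # text after "=", with quotes and padding removed
        sub(/^[^=]*=/, "", line); gsub(/[" \t]/, "", line); return line
    }
    function flush() {     # emit the section collected so far, then reset
        if (port != "")
            print file, section, (addr == "" ? "-" : addr), port, (addr == "0.0.0.0" ? "wildcard" : "-")
        addr = port = ""
    }
    FNR == 1 { flush(); section = "(top)"; file = FILENAME }
    /^[ \t]*\[/ {          # [section] or [[array.of.tables]] header
        flush(); section = $0
        gsub(/[ \t]/, "", section); gsub(/\[|\]/, "", section); next
    }
    /^[ \t]*(hostname|inet)[ \t]*=/ { addr = val($0) }
    /^[ \t]*port[ \t]*=/            { port = val($0) }
    END { flush() }
    ' "$@"
}

# Stand-alone use: sh endpoints.sh /etc/mft/*/*.toml
if [ "$#" -gt 0 ]; then
    config_endpoints "$@"
fi
```

Lines marked `wildcard` are listeners reachable on every interface; the remaining lines include outbound targets as well as local listeners, so each one still has to be matched to the firewall rule on the host that owns the port.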
Using UDMG with SELinux
- Modify the file label so that NGINX (as a process labeled with the httpd_t context) can access the configuration file
...
Panel |
---|
# setsebool -P httpd_can_network_connect 1
|