We'll kick this post off by saying it's an addendum to this post describing one way to host an Ignition Gateway publicly. In that post we discuss how to limit access to the root gateway url to increase security for the gateway configuration page, the designer, and vision client access. This post assumes you've gone through that and you have an Ignition gateway running in an LXD container on a virtual private server.
In that post we discuss how to limit access to the root gateway url to increase security for the gateway configuration page, the designer, and vision client access. Here we will show you how to increase security even more by demonstrating how to completely deny gateway root url access in NGINX and use a SOCKS proxy to provide an encrypted, RSA keyed tunnel to access gateway development features. This is much more secure than just using IP address filtering in NGINX plus, anecdotally, I've been having reliability issues when trying to access the gateway through an NGINX HTTPS reverse proxy anyway.
We'll show you how to do this from an Ubuntu client machine, but you can also do this from Windows using Putty (ignoring all the LXD steps). This guide has some relevant instructions for configuring Putty. This Windows 7 proxy guide also has some information about where to configure Windows proxies. You could also run Ubuntu desktop in a virtual machine and follow along.
If you're doing Ignition development from a linux computer. The best way to get a secure connection over SSH with SOCKS that you don't have to initialize every time is to create a development environment in LXD. In this environment we'll set up a permanent SOCKS proxy and configure it so all http(s) connections use it.
If you want to know how to initialize an LXD environment you can view my previous post. Or there is also some great info on Digital Ocean.
LXD containers by default are headless, so we need to add a profile
allowing lxd to launch GUI (graphical user interface) applications. To
do that, create a text file with the following content called
lxdguiprofile.txt:
config:
environment.DISPLAY: :0
raw.idmap: both 1000 1000
user.user-data: |
#cloud-config
runcmd:
- 'sed -i "s/; enable-shm = yes/enable-shm = no/g" /etc/pulse/client.conf'
- 'echo export PULSE_SERVER=unix:/tmp/.pulse-native | tee --append /home/ubuntu/.profile'
packages:
- x11-apps
- mesa-utils
- pulseaudio
description: GUI LXD profile
devices:
PASocket:
path: /tmp/.pulse-native
source: /run/user/1000/pulse/native
type: disk
X0:
path: /tmp/.X11-unix/X0
source: /tmp/.X11-unix/X0
type: disk
mygpu:
type: gpu
name: gui
used_by:
Then create the gui profile and insert the configuration:
lxc profile create gui
cat lxdguiprofile.txt | lxc profile edit gui
Now we'll be able to create our ignition-client container:
lxc launch --profile default --profile gui ubuntu:18.04 ignition-client #use any container name you prefer
Then start a shell for you container:
lxc exec ignition-client -- su --login ubuntu
You can test the ability to launch GUI applications from your new
container by typing the command glxgears. If it's
successful, you'll see some animated gears that look like this:
Now we'll create a permanent SOCKS connection that starts and stops with the container. To do this we create a systemd service file:
sudo vim /etc/systemd/system/socks-proxy.service
Edit the file to look like this:
[Unit]
Description=Socks proxy via SSH
ConditionPathExists=|/usr/bin
After=network.target
[Service]
User=ubuntu
ExecStart=/usr/bin/ssh -D 1080 -NTC -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no user@ignition.jarautomation.io #Use your username and domain
# Restart every >2 seconds to avoid StartLimitInterval failure
RestartSec=5
Restart=always
[Install]
WantedBy=multi-user.target
Then use the following to start the service:
sudo systemctl start socks-proxy.service
You can check the service with:
sudo systemctl status socks-proxy.service
If everything is working well you can enable the socks-proxy.service to start and stop swith the system:
sudo systemctl enable socks-proxy.service
If you ever need to make changes to the service file, you can make the changes and then reload systemd with:
sudo systemctl daemon-reload
Now lets install the chromium browser so we can test the SOCKS proxy, plus the Perspective module in the Ignition Designer will require all of the dependencies that are installed with the chromium browser.
sudo apt update
sudo apt install chromium-browser
We'll also have to update some environment variables to tell chrome to
use our reverse proxy for all http(s) requests. To make these permanent
we'll put the environment variable assignments in our
/etc/environment file. Add the following to the bottom of it:
SOCKS_SERVER=localhost:1080
SOCKS_VERSION=5
Then exit your container and run the following to restart
it.
lxc restart ignition-client
Then start the shell for the ignition client again:
lxc exec ignition-client -- su --login ubuntu
Now start chromium by typing chromium-browser. You'll need
the lxd IP address of the remote Ignition server container, not to be
confused with your local Ignition client container. You can get this by
running lxc list on the server (I describe this more in
this previous post. Type that ip address and make sure to include the port in the url
(the default is 8088 for Ignition). You'll see something
like the below image if your Gateway is successfully running and the
proxy is working.
Congratulations! You successfully, securely accessed your gateway through an encrypted SSH tunnel!
While you're at the gateway home page, go ahead and download the
designer. Chromium will put it in /home/ubuntu/Downloads.
Unpack the directory:
tar xvzf Downloads/designerlauncher.tar.gz
Now we need to edit the designer launcher configuration file to make it
use our socks proxy. The network properties configuration file will be
located at
/home/ubuntu/designerlauncher/runtime/conf/net.properties.
Add the following line to the configuration file. I like to add it just
below the commented section titled: HTTP Proxy Settings.
socksProxyHost=localhost
We don't need to specify the port if using 1080. If you use a different
port then you need to add another line to specify
socksProxyPort.
I also like to add an alias so I can just type designer to
launch the designerlauncher. To do that we create a
.bash_aliases file in our home directory, if one doesn't
exist already, and the default .bashrc file will create the
alias upon starting the container terminal shell. Add the following to
.bash_aliases:
alias designer=/home/ubuntu/designerlauncher/app/designerlauncher.sh
Then tell your current terminal to use the new settings:
source .bashrc
Now type designer and the designer launcher window will
open like shown below:
Click Add Designer, then Manually Add Gateway and enter the IP address and port number for the Ignition server container (again, not to be confused with your Ignition client contaner):
We need to tell the designer launcher to launch designer applications that use our new SOCKS proxy. To do this, click on the three vertical dots in the upper right hand corner of the card for the gateway you just added. Select Manage from the drop down menu.
Enter -DsocksProxyHost=localhost in the JVM Arguments entry
like shown below. To reiterate, since we're using the default port
1080 we don't need to add a
-DsocksProxyPort argument here, but if you want to use a
different port you'll have to add it.
Save the changes and select Launch on the card for your Ignition gateway. Enter your login information and select the project you want to work with.
There you have it! Persistent, secure SOCKS tunnel access to the gateway web page and designer without exposing it to the public!