The servers of an enterprise may be deployed on Alibaba Cloud, in data centers, across virtual private clouds (VPCs), or on other cloud platforms. The enterprise wants to manage and maintain these servers in a centralized manner. To meet the enterprise requirements, Bastionhost supports O&M based on leased lines, O&M based on public IP addresses, and centralized O&M based on the proxy modes of the network domain feature. This topic describes centralized O&M based on the proxy modes of the network domain feature.

Background information

In most cases, the servers of an enterprise are deployed in different regions and may not be able to communicate with a bastion host directly. Enterprises that have not purchased leased lines, or for which the O&M costs of leased lines are high, use public IP addresses for O&M. However, exposing public IP addresses poses security risks. In this case, we recommend that you use the proxy modes of the network domain feature to maintain the servers that reside on different networks, such as a data center, a heterogeneous cloud, and different VPCs, in a centralized manner. The proxy modes are supported by Bastionhost HA Edition.

Centralized O&M based on the proxy modes of the network domain feature

To use the proxy modes of the network domain feature for centralized O&M, configure a proxy server in each network domain. Then, connect the proxy server to the servers that need to be maintained over the internal network of that domain, and connect the proxy server to your bastion host. This way, you can use your bastion host to maintain servers that reside on different networks. A LAN or a VPC is a network domain.

  1. Configure proxy servers in different network domains.
    In this topic, an Alibaba Cloud Elastic Compute Service (ECS) instance that runs CentOS 8.3 is used to describe how to configure a server as an HTTP or SOCKS5 proxy server.
    Note
    • Before you configure a proxy server, make sure that the network between your bastion host and the proxy server is connected.
    • If you use a Linux server, you do not need to configure an SSH proxy server.
    1. Log on to the proxy server.
    2. Run the yum install 3proxy command to install 3proxy.
    3. Run the vim /etc/3proxy.cfg command to modify the configuration file.
      • Configure the host account and password of the proxy server.
      • Configure the access control parameters.
      • Enable the HTTP and SOCKS5 proxies, and specify the listening port and the source IP address that is allowed to access the proxy server.
    4. Run the systemctl start 3proxy.service command to start the proxies.
    5. Run the iptables -F command to clear the firewall rules of the server so that the server can be accessed.
    6. Add a security group rule for the server. For more information, see Add security group rules.
      Note When you configure a security group rule, set Port Range to the listening port specified in Step 3 (the 3proxy configuration file) and Authorization Object to the egress IP address of your bastion host. To obtain the egress IP address, find your bastion host on the Instances page of the Bastionhost console and click Egress IP.
  2. Create a network domain in the Bastionhost console and connect the network domain to the proxy server.
    1. Log on to the Bastionhost console.
    2. In the left-side navigation pane, choose Assets > Network Domain.
    3. On the Network Domain page, click Create Network Domain.
    4. Configure the parameters. After the network domain is created, the system displays a message, indicating that the creation succeeded.
    5. Click Associate Host below the message to add the required hosts to the newly created network domain.

    For more information, see Use the network domain feature.

  3. Authorize hosts.
    1. Log on to the Bastionhost console.
    2. In the left-side navigation pane, choose Users > Users.
    3. On the Users page, find the required user and click Authorize Hosts or Authorize Host Groups in the Actions column. Then, select the required hosts or host groups for authorization.
  4. Use the host O&M feature provided by Bastionhost to maintain the hosts in the network domain.
    1. Log on to the Bastionhost console.
    2. In the left-side navigation pane, choose O&M > Host O&M.
    3. On the Host O&M page, find the required host and click the Logon icon in the Log On column to go to the web page for O&M.

    For more information, see Use the host O&M feature.
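The following /etc/3proxy.cfg shows how the three settings from Step 1 (proxy account and password, access control, HTTP and SOCKS5 listeners) fit together; it is an added example, not a file from the Bastionhost documentation or the 3proxy project. The IP addresses are constructed: 10.0.0.5 is the proxy server's internal address, 10.0.0.0/16 is the network of the maintained servers, and 203.0.113.10 stands for the bastion host's egress IP.

```conf
# /etc/3proxy.cfg -- constructed example for the proxy server in Step 1.
# Assumed values (replace with your own):
#   10.0.0.5        internal IP of the proxy server (ECS instance)
#   10.0.0.0/16     internal network of the servers to be maintained
#   203.0.113.10    egress IP of the bastion host (Instances page > Egress IP)
daemon
nscache 65536
timeouts 1 5 30 60 180 1800 15 60
maxconn 200
log /var/log/3proxy.log D
rotate 30

# Host account and password that the bastion host presents to the proxy.
# CL = cleartext; CR:<hash> (produced with 3proxy's mycrypt tool) keeps the
# secret hashed in the file.
users bastion:CL:REPLACE_WITH_STRONG_PASSWORD

# Access control: every connection must authenticate AND match an allow rule.
auth strong
# Only the bastion egress IP may connect, and only to the internal network
# on the O&M ports (SSH, RDP). Everything else is denied.
allow bastion 203.0.113.10 10.0.0.0/16 22,3389
deny *

# HTTP proxy on port 3128, bound to the internal interface.
# -n disables NTLM authentication, -a suppresses Via/X-Forwarded-For headers.
proxy -n -a -p3128 -i10.0.0.5 -e10.0.0.5

# SOCKS5 proxy on port 1080, same account and same ACL (no flush in between).
socks -p1080 -i10.0.0.5 -e10.0.0.5

flush
```

The listening ports 3128 and 1080 are the values to enter as Port Range in the security group rule from Step 6, and 203.0.113.10 is the value to enter as Authorization Object.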