
Bastionhost: FAQ related to scenarios

Last Updated: Jan 24, 2025

This topic provides answers to some frequently asked questions about Bastionhost scenarios.

How do I manage third-party hosts in the Bastionhost console?

  • If you want to import hosts from a third party or a data center and the hosts can communicate with your bastion host, you can add the hosts to your bastion host by importing them. Then, you can perform O&M operations on the hosts over the Internet. For more information, see Add hosts.

  • If you want to manage hosts that belong to different virtual private clouds (VPCs) or accounts and the networks are not connected by using Express Connect, you can use the network domain feature of Bastionhost. For more information, see Best practices of hybrid O&M.

Am I able to perform O&M operations on assets across VPCs and accounts in Bastionhost?

Yes, you can perform O&M operations on assets across VPCs and accounts in Bastionhost. If a bastion host and a server belong to different VPCs or accounts, you can perform O&M operations on the server over the Internet. You can connect the bastion host and the server by using Express Connect to perform O&M operations on the server over an internal network.

Note

If you want to manage servers over an internal network but cannot connect the bastion host and the server, you can use the network domain feature of Bastionhost. For more information, see Best practices of hybrid O&M.

How do I perform O&M operations on assets located in a classic network?

To perform O&M operations on Alibaba Cloud Elastic Compute Service (ECS) instances that are deployed in the classic network, you must connect the classic network to the VPC of the bastion host by using ClassicLink. For more information about the ClassicLink feature, see Overview.

How do I configure a server as an HTTP or SOCKS5 proxy server?

To configure a server as an HTTP or SOCKS5 proxy server, see the following example. An ECS instance that runs CentOS 8.3 is used in the example.

  1. Log on to the ECS instance.

  2. Run the yum install 3proxy command to install 3proxy.

  3. Run the vim /etc/3proxy.cfg command to modify the configuration file.

    • Configure the username and password of the proxy server.

    • Configure access control parameters.

    • Enable HTTP and SOCKS5 proxies and specify the listening port and the source IP address that is used to access the proxy server.

  4. Run the systemctl start 3proxy.service command to enable the proxies.

  5. Run the iptables -F command to disable the firewall of the server to ensure that the server can be accessed.

  6. Create a security group rule for the server. For more information, see Add a security group rule.

    Important

    When you create a security group rule, set Port Range to the listening port that is specified in Step 3 and Authorization Object to the egress IP addresses of your bastion host. To obtain the egress IP addresses, find your bastion host on the Instances page of the Bastionhost console and click Egress IP.

    After you create the security group rule for the server, the proxy server is configured.
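To show what the three edits in Step 3 look like in a real /etc/3proxy.cfg, the following shell function is an added example (not from the original page): it prints a minimal configuration that enables both proxies and restricts access to the bastion host's egress IP addresses, which is what makes the proxy safe to expose. The port numbers, the account, and the 203.0.113.10 egress address are constructed placeholders.

```shell
# Added example (not from the original page): emit a minimal 3proxy.cfg.
# Usage: gen_3proxy_cfg HTTP_PORT SOCKS_PORT USER PASSWORD BASTION_EGRESS_IPS
# BASTION_EGRESS_IPS is a comma-separated list copied from the Bastionhost
# console (Instances page, Egress IP).
gen_3proxy_cfg() {
    http_port=$1; socks_port=$2; user=$3; pass=$4; egress=$5
    cat <<EOF
# DNS cache and connection timeouts (3proxy defaults are reasonable).
nscache 65536
timeouts 1 5 30 60 180 1800 15 60
log /var/log/3proxy.log D

# Step 3a: user name and password (CL = cleartext password in this file).
users $user:CL:$pass

# Step 3b: access control. "auth strong" requires a valid user on every
# request; only $user connecting from the bastion host egress IPs is
# allowed, every other source is denied. First matching rule wins.
auth strong
flush
allow $user $egress
deny *

# Step 3c: HTTP proxy and SOCKS5 proxy with their listening ports.
# Both services inherit the ACL defined above.
proxy -p$http_port
socks -p$socks_port
EOF
}

# Write the file in place on the ECS instance (run as root), then start 3proxy:
# gen_3proxy_cfg 3128 1080 admin 'S3cret!' 203.0.113.10 > /etc/3proxy.cfg
```

The `allow` line and the security group rule from Step 6 should list the same bastion host egress IP addresses, so that a misconfigured security group alone does not expose the proxy.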

How do I configure a server as an HTTPS proxy server?

In this section, GOST is used to describe how to configure an ECS instance that runs CentOS 8.3 as an HTTPS proxy server.

  1. Prepare a server certificate, a private key for the server certificate, and a certificate authority (CA) root certificate. The server certificate is saved in a file named server.crt. The private key is saved in a file named server.key. The CA root certificate is saved in a file named ca.crt. The following items describe two methods that you can use to obtain a certificate.

    • Use tools such as OpenSSL to create a self-signed certificate.

    • Use an individual test certificate (free of charge) provided by Alibaba Cloud or purchase an official certificate. For more information, see Select an SSL certificate.

  2. Install GOST on your ECS instance. For more information, see Install GOST.

  3. Upload the certificate file to the GOST installation directory and configure and start the GOST proxy server.

    • CLI mode: Start GOST after you modify the parameters.

      gost -L="https://admin:123456@:8443?cert=./server.crt&key=./server.key"

      • admin:123456: the custom GOST username and password, which correspond to the host account and password in the HTTPS proxy of the network domain feature of Bastionhost.

      • 8443: the custom proxy port, which corresponds to the server port in the HTTPS proxy of the network domain feature of Bastionhost.

        You must create an inbound rule for the security group to which the ECS instance belongs to open the custom proxy port. When you create the rule, you must set the Port Range parameter to 8443 and the Authorization Object parameter to the egress IP address of your bastion host. To obtain the egress IP address, find your bastion host on the Instances page of the Bastionhost console and click Egress IP. For more information, see Add a security group rule.

      • ./server.crt: the file that contains the server certificate.

      • ./server.key: the file that contains the private key of the server certificate.

    • JSON file mode: Start GOST after you modify the parameters.

      • If a JSON configuration file does not exist, create one by yourself. In this example, the gost.json file is used.

        {
          "ServeNodes": [
            "https://admin:123456@:8443?cert=./server.crt&key=./server.key"
          ]
        }

        • admin:123456: the custom GOST username and password, which correspond to the host account and password in the HTTPS proxy of the network domain feature of Bastionhost.

        • 8443: the custom proxy port, which corresponds to the server port in the HTTPS proxy of the network domain feature of Bastionhost.

          You must create an inbound rule for the security group to which the ECS instance belongs to open the custom proxy port. When you create the rule, you must set the Port Range parameter to 8443 and the Authorization Object parameter to the egress IP address of your bastion host. To obtain the egress IP address, find your bastion host on the Instances page of the Bastionhost console and click Egress IP. For more information, see Add a security group rule.

        • ./server.crt: the file that contains the server certificate.

        • ./server.key: the file that contains the private key of the server certificate.

      • Start GOST.

        gost -C gost.json
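Step 1 above leaves the OpenSSL part to the reader. The following shell functions are an added example (not from the original page or the GOST project) that produce the ca.crt, server.crt and server.key files named in Step 1 from a private CA, so the bastion host can be given ca.crt to validate the proxy certificate, and then check that the chain verifies. The directory, the proxy address 203.0.113.20 and the curl command at the end are constructed placeholders.

```shell
# Added example (not from the original page): create the ca.crt, server.crt
# and server.key files that Step 1 asks for, using a private CA.
# Usage: make_proxy_certs OUTPUT_DIR PROXY_HOSTNAME_OR_IP
make_proxy_certs() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # The SAN must match what the bastion host connects to (IP or DNS name).
    case "$cn" in
        *[!0-9.]*) san="DNS:$cn" ;;
        *)         san="IP:$cn" ;;
    esac
    # 1. Private CA: self-signed root; ca.key never leaves this machine.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=proxy-test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and certificate signing request for the proxy.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the CSR with the CA and attach the SAN via an extension file
    #    (works with OpenSSL 1.1 and 3.x alike).
    printf 'subjectAltName=%s\n' "$san" > "$dir/san.ext"
    openssl x509 -req -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
    # Private keys are readable only by the account running GOST.
    chmod 600 "$dir/server.key" "$dir/ca.key"
}

# Returns 0 when server.crt chains to ca.crt, i.e. what a client that trusts
# ca.crt (the bastion host) will accept.
verify_proxy_certs() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Manual end-to-end check from a host allowed by the security group rule,
# using the credentials and port from the GOST command above:
# curl -x https://203.0.113.20:8443 --proxy-user admin:123456 \
#      --proxy-cacert ca.crt https://example.com/
```

If the curl check fails with a certificate error, the SAN does not match the address the client used, which is the same failure the bastion host will report.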

Am I able to perform O&M operations on databases in Bastionhost?

Yes, if you use Bastionhost Enterprise Edition, you can perform O&M operations on databases in Bastionhost. Bastionhost Enterprise Edition allows you to perform O&M operations on database assets in a secure manner. The assets include ApsaraDB RDS for MySQL instances, ApsaraDB RDS for SQL Server instances, ApsaraDB RDS for PostgreSQL instances, and self-managed databases. For more information, see Best practices for database O&M.

Important

Only Bastionhost V3.2 supports the Enterprise Edition.

Which assets am I able to perform O&M operations on?

You can perform O&M operations on Linux hosts, Windows hosts, ApsaraDB RDS for MySQL instances, ApsaraDB RDS for SQL Server instances, and ApsaraDB RDS for PostgreSQL instances. You can import ECS and ApsaraDB RDS instances, and batch import hosts deployed in a data center or on a heterogeneous cloud. For more information, see O&M overview.

Is data that is transmitted and stored in Bastionhost encrypted?

Yes, data that is transmitted and stored in Bastionhost is encrypted. Mainstream encrypted protocols such as HTTPS (TLS), RDP, and SSH are supported for data transmission. This protects the data during transmission and storage.

Does Bastionhost support servers that are accessed over privately used public IP addresses?

Yes, Bastionhost supports servers that are accessed over privately used public IP addresses. If you deployed privately used public IP addresses in your network, you can configure the IP addresses in the Bastionhost console. For more information, see Configure privately used public IP addresses.