Bind services to localhost
Argus services can all be deployed on the same machine.
The only service that must be exposed outside the machine is the PEP service. To avoid exposing the PAP and PDP services, these daemons can be configured to listen on the loopback interface only.
To achieve this kind of deployment, change the configuration as described below.
Warning: To bind the services on the loopback interface, ensure that the host certificate includes localhost and 127.0.0.1 in the Subject Alternative Name.
PAP
The Argus PAP service listens on all interfaces by design, so it cannot be bound only to the loopback interface.
PDP
Edit /etc/argus/pdp/pdp.ini, specifying localhost as the hostname:
hostname = localhost
port = 8152
Update the paps option with the endpoint of the local PAP:
[POLICY]
paps = https://localhost:8150/pap/services/ProvisioningService
PEP
Edit /etc/argus/pepd/pepd.ini with the local PDP endpoint:
[PDP]
pdps = https://localhost:8152/authz
Validation
Restart the services; on EL7 platforms:
$ systemctl restart argus-pap argus-pdp argus-pepd
On EL6 platforms:
$ for svc in pap pdp pepd; do service argus-$svc restart; done
Check the listening ports; only 8150 (PAP) and 8154 (PEP) should be bound to a non-loopback address, while the PDP ports and the admin ports stay on 127.0.0.1:
$ ss -tnpl sport ge :8150 and sport le :8155 | column -t
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 :::8150 :::* users:(("java",pid=8030,fd=63))
LISTEN 0 50 ::ffff:127.0.0.1:8151 :::* users:(("java",pid=8030,fd=58))
LISTEN 0 50 ::ffff:127.0.0.1:8152 :::* users:(("java",pid=7963,fd=67))
LISTEN 0 50 ::ffff:127.0.0.1:8153 :::* users:(("java",pid=7963,fd=62))
LISTEN 0 50 ::ffff:10.0.0.173:8154 :::* users:(("java",pid=7979,fd=66))
LISTEN 0 50 ::ffff:127.0.0.1:8155 :::* users:(("java",pid=7979,fd=60))
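To turn the manual inspection above into a repeatable check, here is an added POSIX shell function (not part of the Argus documentation) that reads `ss -tnpl` output and flags any Argus port other than the PAP (8150) and PEP (8154) service ports that is bound to something other than the loopback address. The sample input is the ss output shown above; the list of loopback-only ports is taken from that output.

```shell
#!/bin/sh
# Added example, not part of the Argus documentation.
# Verifies from `ss -tnpl` output that every Argus port except the PAP (8150)
# and PEP (8154) service ports is bound to the loopback interface only.

# Constructed sample: the ss output from the documentation above.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 :::8150 :::* users:(("java",pid=8030,fd=63))
LISTEN 0 50 ::ffff:127.0.0.1:8151 :::* users:(("java",pid=8030,fd=58))
LISTEN 0 50 ::ffff:127.0.0.1:8152 :::* users:(("java",pid=7963,fd=67))
LISTEN 0 50 ::ffff:127.0.0.1:8153 :::* users:(("java",pid=7963,fd=62))
LISTEN 0 50 ::ffff:10.0.0.173:8154 :::* users:(("java",pid=7979,fd=66))
LISTEN 0 50 ::ffff:127.0.0.1:8155 :::* users:(("java",pid=7979,fd=60))'

# Ports that must not be reachable from outside the machine (assumed from the
# ss output above: everything except 8150 and 8154).
LOOPBACK_ONLY_PORTS="8151 8152 8153 8155"

# check_bindings: reads ss -tnpl lines on stdin, prints one line per
# violation ("port 8152 bound to ::") and returns 1 if any was found.
check_bindings() {
    violations=0
    while read -r state recvq sendq local peer rest; do
        [ "$state" = "LISTEN" ] || continue     # skip the header line
        port=${local##*:}                       # text after the last ':'
        addr=${local%:*}                        # text before the last ':'
        for p in $LOOPBACK_ONLY_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                127.0.0.1|::1|::ffff:127.0.0.1) ;;          # loopback: fine
                *) echo "port $port bound to $addr"
                   violations=$((violations + 1)) ;;
            esac
        done
    done
    [ "$violations" -eq 0 ]
}

# check_live: run the same check against the running system.
check_live() {
    ss -tnpl | check_bindings
}
```

Run `check_live` on the Argus host after restarting the services; a non-zero exit status means a PDP or admin port is listening on a non-loopback address.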
From another host, scan the Argus ports to confirm that only 8150 and 8154 are reachable:
$ nmap -p8150-8155 argus.cnaf.test
Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-04 15:07 CET
Nmap scan report for argus.cnaf.test (10.0.0.173)
Host is up (0.00015s latency).
rDNS record for 10.0.0.173: argus
PORT STATE SERVICE
8150/tcp open unknown
8151/tcp closed unknown
8152/tcp closed unknown
8153/tcp closed quantastor
8154/tcp open unknown
8155/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds