OpenSim running as a grid with Robust is not secured by default; securing access is not its role. Adding third-party tools also brings complexity in how the various parts of the grid (web site, administration area, the grid itself) are accessed. There is a well-known solution to all of these issues: put a frontend in front of your whole network.
Micro-services architecture
The solution is well known because it is heavily used nowadays for micro-service based web applications. A micro-service is a small server program that provides a simple, yet powerful, service, usually over HTTP. Of course, a micro-service is rarely used alone; it is usually part of a bigger conglomerate of micro-services. That is where the frontend comes in handy, in the form of a reverse proxy:
In short, the reverse proxy accepts all requests and dispatches them to the right servers running in the background.
Web servers to the rescue
The good news is that pretty much all current HTTP servers provide this functionality. The most widely used one is Nginx, because it is fast, light on resources and scalable. But traditional web servers can do the same; the most famous one is Apache HTTPD.
Combined with virtual host configuration and TLS certificates, you can model your grid exactly as you want and protect it against man-in-the-middle attacks.
To reuse the diagram above, let's say we have a domain name mygrid.net. We want to provide an HG accessible grid run by Robust, as well as a web frontend. Usually, without special configuration, you would have your web site on mygrid.net, and Robust on mygrid.net:8002 or grid.mygrid.net:8002.
Apache can handle all requests (except simulator-to-simulator and viewer-to-simulator communication, which still goes directly to the simulators) and forward grid requests to Robust transparently:
That way you can:
- Protect all your web and grid requests with HTTPS (the secured protocol)
- Define the address and port on which your grid will be available: you can choose a subdomain, or the same domain on another port
- Use the power of Apache to control who is allowed to make requests, limit bandwidth, and use any other Apache feature you know
How to do it?
Domain name
First, I assume you own a domain name (mygrid.net in my example). If you don't, you can get free subdomains from various providers like NoIP.com or Afraid. If you cannot have a fixed IP address, you can use a dynamic DNS service like Dyn.com (the two providers above also offer free dynamic DNS).
Web server
Then you need Apache HTTPD (or another web server, but this guide is written for Apache). Ensure you have it up and running before trying to insert Robust into the chain.
Secure your HTTP server with a free certificate (from Let's Encrypt) if you don't already have one. Be sure the certificate covers the subdomains as well: either a wildcard certificate (which Let's Encrypt only issues through the DNS-01 challenge) or a single certificate listing every name you use (mygrid.net and grid.mygrid.net in this example).
I won't detail all the configuration for a basic setup here. The web is already full of tutorials and guides to get it running.
Grid
Then you also need a running grid. For the sake of security, be sure your grid address (mygrid.net:8002 by default) is not reachable from the public Internet: port 8002 should not be forwarded by your router for incoming requests, and ideally it is also blocked by the host firewall, so that Apache is the only way in.
If you point your viewer to your grid from the machine hosting the grid, it should work, but Hypergrid will not work (as the Hypergrid gateway is not reachable from outside).
Configure a virtual host
Let's say we want our grid to be reached from grid.mygrid.net. First you must ensure on your DNS configuration that both mygrid.net and grid.mygrid.net point to your machine.
Define a new virtual host in Apache to forward requests made for your grid (mod_proxy and mod_proxy_http must be enabled):
<VirtualHost *:80>
ServerName grid.mygrid.net
ServerAdmin your@email.address
# it is good to separate virtual host logs from others
ErrorLog "/path/to/logs/error_log"
CustomLog "/path/to/logs/access_log" common
# magic of reverse proxying: everything sent to grid.mygrid.net goes to Robust
ProxyPass "/" "http://localhost:8002/"
ProxyPassReverse "/" "http://localhost:8002/"
# if your Robust runs on another computer of your internal network,
# just replace localhost with the internal network hostname of your grid server
</VirtualHost>
That is the simplest possible setup, without SSL (so not secured yet), but access to your grid is now managed by Apache.
However, Robust does not only listen on 8002: it also tells viewers, through its grid info, that the grid is reachable at http://mygrid.net:8002. So what do we do? Modify Robust.ini to change the information it hands out, with a constant in the [Const] section and the grid info entries in the [GridInfoService] section (other settings that carry the public address, for example ExternalName in the [GatekeeperService] and [UserAgentService] sections, should reference it too):
[Const]
WebURI = http://grid.mygrid.net:80
[GridInfoService]
login = ${Const|WebURI}
gatekeeper = ${Const|WebURI}
uas = ${Const|WebURI}
; any other grid info needing the public URL...
As you can see, we don't touch how Robust runs (it still listens on 8002); we only change the grid information that is provided to the viewer.
Now, if you point your viewer to grid.mygrid.net:80 (or simply http://grid.mygrid.net), it should work.
Bonus: making it all secured
Using TLS for every web server is the standard nowadays, so why not secure our network too? Doing it takes two steps:
- Make a new virtual host in Apache to handle TLS requests (port 443)
- Redirect all non-secured requests to the TLS virtual host
This can also be done globally for the whole Apache server; I will only show the configuration for the grid forward:
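Here is what those two virtual hosts look like, as an added example written for this guide (not the original post's own configuration, which is not reproduced here). It assumes Robust still listens on localhost:8002, that mod_ssl, mod_proxy and mod_proxy_http are enabled, and that the certificate lives in the default certbot directory for mygrid.net; adjust the paths to your own setup.

```apache
# Plain-HTTP virtual host: its only job is to send everyone to HTTPS.
<VirtualHost *:80>
    ServerName grid.mygrid.net
    # Permanent (301) redirect to the TLS virtual host below.
    Redirect permanent "/" "https://grid.mygrid.net/"
</VirtualHost>

# TLS virtual host: terminates HTTPS, then forwards plain HTTP to Robust,
# which is only reachable on the internal network.
<VirtualHost *:443>
    ServerName grid.mygrid.net
    ServerAdmin your@email.address

    # Keep the TLS logs apart from the rest, as for the HTTP vhost.
    ErrorLog "/path/to/logs/grid_ssl_error_log"
    CustomLog "/path/to/logs/grid_ssl_access_log" common

    SSLEngine on
    # Assumed certbot layout; fullchain.pem must cover grid.mygrid.net
    # (wildcard or a certificate that lists the name explicitly).
    SSLCertificateFile "/etc/letsencrypt/live/mygrid.net/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/mygrid.net/privkey.pem"
    # Refuse the protocol versions with known weaknesses.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Same reverse proxying as the HTTP vhost: Robust keeps speaking plain
    # HTTP on 8002, only Apache is exposed to the outside.
    ProxyPass "/" "http://localhost:8002/"
    ProxyPassReverse "/" "http://localhost:8002/"
</VirtualHost>
```

The redirect is mostly there for browsers: the viewer logs in with an XML-RPC POST, and an HTTP client is allowed to turn a redirected POST into a GET, so point the viewer at https://grid.mygrid.net directly (which is what the updated grid info in Robust.ini advertises) rather than relying on the redirect. On Debian or Ubuntu the required modules are enabled with a2enmod ssl proxy proxy_http; check the result with apachectl configtest before reloading.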
With a more modular configuration, you can make it prettier and easier to maintain (using includes), but for this guide, this is enough :)
Then you also need to update your grid info in Robust.ini :
WebURI = https://grid.mygrid.net:443
That was a real quick tutorial. The goal is only to give you the idea and the building blocks to start your own secured environment.