
Network Configuration: Public Network and Reverse Proxy Access

1. Access Scenario Description

  • Internal Network Access Only: If your business is limited to the internal network environment, you can directly use the internal IP of the Master Management Node for access. In this scenario, this chapter's configuration can be skipped.

    • System Console (accessed on port 443):
      • https://master_node_internal_IP
      • https://master_node_internal_IP/admin
      • https://master_node_internal_IP:443
      • https://master_node_internal_IP:443/admin
    • Tenant Console (accessed on port 443 or 44331):
      • https://master_node_internal_IP/tenant
      • https://master_node_internal_IP:443/tenant
      • https://master_node_internal_IP:44331
    • xSpace Client: Configure the cloud platform address as https://master_node_internal_IP, port number 44301.
  • Public Network / Cross-Network Access:

    • If clients need to access via the public network, port 44301 must be mapped.
    • If only tenant administrators need to access from the public network, port 44331 must be mapped.
    • If system administrators need to access from the public network, port 443 must be mapped.

2. Modify Configuration to Support Public Network Access

2.1 Port Mapping Consistency Adjustment

It is strongly recommended that the ports mapped on the public network be the same as the internal network ports. If they must differ, the Nginx configuration has to be adjusted so that the internal listening port matches the public port.

All kubectl related commands below need to be executed on the Master Management Node.

1. View Current Listening Ports:

[xspace@host151 ~]# sudo kubectl describe configmap/nginx-conf -n nginx | grep -w 44301
    listen [::]:44301 ssl;
    listen 44301  ssl;
[xspace@host151 ~]#
[xspace@host151 ~]# sudo kubectl describe configmap/nginx-conf -n nginx | grep -w 44331
    listen [::]:44331 ssl;
    listen 44331  ssl;

2. Edit Configuration:

Run the following command to open the ConfigMap in an editor, and change 44301 or 44331 to the port actually used after public network mapping.

[xspace@host151 ~]# sudo kubectl edit configmap/nginx-conf -n nginx

2.2 System Console (Port 443) Special Security Configuration

Exposing the system console to the public network is generally not recommended. If it must be enabled, public network access usually has to be moved to a non-standard port (e.g., 8443), because policy and security supervision requirements restrict the use of port 443.

Step A: Adjust Listening Port

Adjust ConfigMap, change 443 to the mapped port (e.g., 8443).

Before Adjustment:

[xspace@host151 ~]# sudo kubectl describe configmap/nginx-conf -n nginx | grep -w 443
    listen [::]:443 ssl;
    listen 443  ssl;

After Adjustment:

[xspace@host151 ~]# sudo kubectl describe configmap/nginx-conf -n nginx | grep -w 8443
    listen [::]:8443 ssl;
    listen 8443  ssl;

Step B: Configure Access Whitelist (is_allowed)

The system console strictly intercepts public network access. Even after the port is mapped, the public network address must be added manually to the is_allowed list; otherwise the console returns 403 Forbidden.

Note: Ports 44301 and 44331 do not have this whitelist requirement.

View Current Allowed List:

[xspace@host151 ~]# sudo kubectl describe configmap/nginx-conf -n nginx | grep -w ^map -A 6
map $http_host $is_allowed {
  default 0;
  xspace.local 1;
  192.222.8.151 1;
  192.222.8.152 1;
  192.222.8.153 1;
}

Edit ConfigMap:

Run the following command to open the ConfigMap in an editor:

sudo kubectl edit configmap/nginx-conf -n nginx

Add Matching Rules (Configuration Example):

Add according to the actual access address, ensuring it includes the mapped port.

map $http_host $is_allowed {
  default 0;
  xspace.local 1;
  192.222.8.151 1;       # Allow Internal IP
  192.222.8.152 1;
  192.222.8.153 1;
  202.1.1.1:8443 1;      # Allow Web access address after public network mapping
}

🔴 Important Redline:

  • Do not modify the variable name: the map must use $http_host; changing it to $host is strictly forbidden. $http_host is the Host header exactly as the browser sent it, including the port, whereas $host has the port stripped, so with $host the IP:port entries required below would never match.

  • Exact Match: the entry must include the port number (e.g., IP:8443); the system does not accept or match an IP entry that lacks the port number.
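The two redlines above come down to how nginx's map matches the Host header. The following added example (not part of this documentation or the xSpace product) emulates that decision so you can predict a 200 or 403 before editing the ConfigMap. It assumes the console returns 403 whenever $is_allowed resolves to 0, that browsers omit the port from the Host header only when it is the scheme default (443 for https), and that nginx matches plain map keys case-insensitively; the allow list is a constructed copy of the example above.

```python
"""Emulate the `map $http_host $is_allowed` decision of the nginx ConfigMap above.

Added example, not the project's own code. Assumptions: a 403 is returned when
$is_allowed is 0; browsers drop the port from the Host header only for the
default port (443 for https); nginx matches plain map keys case-insensitively.
IPv6 literals are not handled.
"""
from urllib.parse import urlsplit

# Constructed copy of the allow list from the ConfigMap example above.
IS_ALLOWED = {
    "xspace.local": 1,
    "192.222.8.151": 1,
    "192.222.8.152": 1,
    "192.222.8.153": 1,
    "202.1.1.1:8443": 1,   # public address after mapping, port included
}
DEFAULT = 0                # the `default 0;` line of the map block


def host_header(url: str) -> str:
    """Host header a browser sends for `url`: host[:port], port omitted when default."""
    parts = urlsplit(url)
    if parts.port is None or parts.port == 443:
        return parts.hostname
    return f"{parts.hostname}:{parts.port}"


def nginx_host(http_host: str) -> str:
    """Value of nginx's $host for a given Host header: lowercased, port removed."""
    return http_host.rsplit(":", 1)[0].lower() if ":" in http_host else http_host.lower()


def lookup(key: str) -> int:
    """nginx map semantics for plain keys: case-insensitive exact match, else default."""
    for entry, value in IS_ALLOWED.items():
        if entry.lower() == key.lower():
            return value
    return DEFAULT


def console_response(url: str, variable: str = "$http_host") -> int:
    """HTTP status the system console would return if the map were keyed on `variable`."""
    header = host_header(url)
    key = header if variable == "$http_host" else nginx_host(header)
    return 200 if lookup(key) == 1 else 403


if __name__ == "__main__":
    for url in ("https://192.222.8.151/admin",
                "https://202.1.1.1:8443/admin",
                "https://202.1.1.1/admin"):
        print(f"{url:34} $http_host -> {console_response(url)}  "
              f"$host -> {console_response(url, '$host')}")
```

Running it shows the internal IP passing on the default port, the public IP:8443 passing only while the map is keyed on $http_host (keying on $host strips the port and yields 403), and the public IP without a port failing because no bare entry exists for it. The same emulation explains the troubleshooting note in section 4: the browser's IP:port and the ConfigMap entry must match character for character.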


3. Apply Configuration

After modifying and saving the ConfigMap (enter :wq in vi editor), you must restart the Nginx service on the Master Management Node to load the configuration:

[xspace@host151 ~]# sudo kubectl rollout restart daemonset/nginx -n nginx
daemonset.apps/nginx restarted

4. Maintenance Reminder

  • 403 Error Troubleshooting: If a 403 error still occurs after configuration, please check if the IP:port in the browser address bar is character-for-character identical to the string in the ConfigMap list.
  • Version Upgrade: When the system is upgraded, custom configmaps will be reset and need to be reconfigured.