You can add servers in a data center to Security Center to protect the servers against security risks. If the servers are accessible over the Internet, you can add the server to Security Center by installing the Security Center agent on the servers. If the servers are inaccessible over the Internet, you can add the servers to Security Center by using a proxy cluster. This topic describes how to add servers in a data center to Security Center by using a proxy cluster.
Scenarios
If all servers in a data center are accessible over the Internet, you do not need to build a proxy cluster. To protect the servers, you can manually install the Security Center agent on the servers. For more information, see Manually install the Security Center agent.
If all or specific servers in a data center are inaccessible over the Internet, you must build a proxy cluster in the data center and then install the Security Center agent.
Procedure
To add servers in a data center to Security Center by using a proxy cluster, perform the following operations:
Build a proxy cluster in the data center to enable connections between the servers and the Internet.
Modify the hosts file or configure Domain Name System (DNS) settings of the servers in the data center to enable connections between the proxy cluster and the servers.
Install the Security Center agent on the servers for protection.
Step 1: Build a proxy cluster
The Security Center agent reaches Security Center through two kinds of proxy servers in the cluster: a persistent connection proxy, which forwards traffic for the jsrv.aegis.aliyun.com endpoint, and an HTTP proxy, which forwards traffic for the update.aegis.aliyun.com endpoint. The persistent connection proxy and the HTTP proxy must be deployed on different servers. Therefore, you must specify at least two servers to build a proxy cluster.
1. Preparations
You can decide how many servers to use for persistent connection proxies and how many for HTTP proxies based on the number of servers in the data center. If a large number of servers reside in the data center, we recommend that you deploy each proxy type on multiple servers to ensure load balancing and high availability.
Specify at least one server to deploy a persistent connection proxy. Make sure that GNU Compiler Collection (GCC) and zlib-devel are installed on the server.
Specify at least one server to deploy an HTTP proxy.
Download a version of NGINX that supports reverse proxies. The commands in this topic use nginx-1.9.0 as an example.
2. Configure a server to deploy a persistent connection proxy
TCP persistent connections use Layer 4 proxies. After you download NGINX, run the following commands to compile and install it. The configure command must include the --with-stream parameter, which builds the stream module that the Layer 4 proxy requires:
tar -xvf nginx-1.9.0.tar.gz
cd nginx-1.9.0
sudo ./configure --without-http_rewrite_module --with-stream
sudo make
sudo make install
Go to the directory of the nginx.conf configuration file and modify the file based on the following code:
#user nobody;
worker_processes auto;

error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    use epoll;
    worker_connections 60000;
}

# Layer 4 (TCP) proxy for the persistent connection endpoint
stream {
    server {
        listen 80;
        proxy_timeout 20m;             # idle timeout for the persistent connection
        proxy_connect_timeout 60s;     # timeout for connecting to the upstream
        proxy_pass app;
    }
    upstream app {
        server jsrv.aegis.aliyun.com:80;
    }
}
After you modify the nginx.conf file, restart NGINX.
3. Configure a server to deploy an HTTP proxy
HTTP connections use Layer 4 proxies. After you download NGINX, run the following commands to compile and install it. The configure command must include the --with-stream parameter, which builds the stream module that the Layer 4 proxy requires:
tar -xvf nginx-1.9.0.tar.gz
cd nginx-1.9.0
sudo ./configure --without-http_rewrite_module --with-stream
sudo make
sudo make install
Go to the directory of the nginx.conf configuration file and modify the file based on the following code:
#user nobody;
worker_processes auto;

error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    use epoll;
    worker_connections 60000;
}

# Layer 4 (TCP) proxy for the update endpoint; TLS is passed through untouched
stream {
    upstream updatessl {
        server update.aegis.aliyun.com:443;
    }
    server {
        listen 443;
        proxy_connect_timeout 60s;
        proxy_pass updatessl;
    }

    upstream updatehttp {
        server update.aegis.aliyun.com:80;
    }
    server {
        listen 80;
        proxy_connect_timeout 60s;
        proxy_pass updatehttp;
    }
}
After you modify the nginx.conf file, restart NGINX.
Step 2: Connect the proxy cluster to the servers in the data center
Select one of the following methods to connect the proxy cluster to the servers in the data center.
Modify the hosts file of each server
Modify the hosts file of each server so that requests from the server to the Security Center endpoints are sent to the proxy cluster instead of to the Internet. To do this, bind the Security Center endpoints to the IP addresses of the proxy cluster in the hosts file. In the following example, replace xx.xx.xx.xx with the IP addresses of the proxy servers that you built.
Bind the endpoints that contain jsrv to the IP addresses of the servers on which persistent connection proxies are deployed. Bind the endpoints that contain alicdn and update to the IP addresses of servers on which HTTP proxies are deployed.
xx.xx.xx.xx jsrv.aegis.aliyun.com
xx.xx.xx.xx jsrv2.aegis.aliyun.com
xx.xx.xx.xx jsrv3.aegis.aliyun.com
xx.xx.xx.xx jsrv4.aegis.aliyun.com
xx.xx.xx.xx jsrv5.aegis.aliyun.com
xx.xx.xx.xx aegis.alicdn.com
xx.xx.xx.xx update.aegis.aliyun.com
xx.xx.xx.xx update2.aegis.aliyun.com
xx.xx.xx.xx update3.aegis.aliyun.com
xx.xx.xx.xx update4.aegis.aliyun.com
xx.xx.xx.xx update5.aegis.aliyun.com
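A mistake that is easy to make here is to bind an update or alicdn endpoint to a persistent connection proxy (or a jsrv endpoint to an HTTP proxy), which leaves the agent unable to reach Security Center through the cluster. The following POSIX shell script is an added example, not part of the Security Center documentation: it reads a hosts file and checks that every endpoint listed above is present and points at a proxy of the right role. The proxy IP addresses in PERSISTENT_PROXIES and HTTP_PROXIES are constructed placeholders; replace them with the addresses of the servers you built in Step 1.

```shell
#!/bin/sh
# Added example (not from the Security Center documentation): verify that a
# hosts file maps each Security Center endpoint to a proxy of the right role.
# The proxy addresses below are constructed placeholders for this example.
PERSISTENT_PROXIES="10.0.0.11 10.0.0.12"   # servers running the persistent connection proxy
HTTP_PROXIES="10.0.0.21"                   # servers running the HTTP proxy

# Endpoints the agent uses, as listed in the hosts-file example above.
ENDPOINTS="jsrv.aegis.aliyun.com jsrv2.aegis.aliyun.com jsrv3.aegis.aliyun.com \
jsrv4.aegis.aliyun.com jsrv5.aegis.aliyun.com aegis.alicdn.com \
update.aegis.aliyun.com update2.aegis.aliyun.com update3.aegis.aliyun.com \
update4.aegis.aliyun.com update5.aegis.aliyun.com"

# in_list WORD LIST: returns 0 if WORD is one of the whitespace-separated items in LIST.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# expected_role ENDPOINT: prints which proxy type the endpoint must be bound to.
# jsrv* endpoints belong to the persistent connection proxy; alicdn and update*
# endpoints belong to the HTTP proxy.
expected_role() {
    case "$1" in
        jsrv*)            echo persistent ;;
        *alicdn*|update*) echo http ;;
        *)                echo unknown ;;
    esac
}

# check_hosts FILE: returns 0 if every endpoint resolves, via FILE, to a proxy of
# the expected role; otherwise prints one line per problem and returns 1.
check_hosts() {
    file=$1
    rc=0
    for ep in $ENDPOINTS; do
        # first non-comment line whose name fields contain the endpoint; print its IP
        ip=$(awk -v h="$ep" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$file")
        if [ -z "$ip" ]; then
            echo "MISSING  $ep has no hosts entry"
            rc=1
            continue
        fi
        case "$(expected_role "$ep")" in
            persistent)
                in_list "$ip" "$PERSISTENT_PROXIES" || { echo "WRONG    $ep -> $ip is not a persistent connection proxy"; rc=1; } ;;
            http)
                in_list "$ip" "$HTTP_PROXIES" || { echo "WRONG    $ep -> $ip is not an HTTP proxy"; rc=1; } ;;
        esac
    done
    return $rc
}

# Usage on a data center server: check_hosts /etc/hosts
```

Run the script on each server after editing the hosts file; a clean run prints nothing and exits 0, so it can be dropped into a configuration-management post-check. The awk lookup takes the first matching entry, which is also how the resolver treats duplicate names, so a stale earlier entry is reported rather than masked.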
Modify the DNS settings of servers in the data center
Modify the DNS settings of the servers in the data center so that the jsrv.aegis.aliyun.com and update.aegis.aliyun.com endpoints resolve to the IP addresses of the proxy cluster: jsrv endpoints to the persistent connection proxies, and update endpoints to the HTTP proxies.
Step 3: Install the Security Center agent on the servers in the data center
Security Center can protect the servers in the data center only after you install the Security Center agent on the servers. To install the Security Center agent on Windows servers, download the installation package of the Security Center agent. To install the Security Center agent on Linux servers, run commands. For more information, see Manually install the Security Center agent.
References
The features supported by Security Center vary based on the edition. For more information, see Functions and features.
After you add servers in a data center to Security Center, you can use the features of Security Center to protect the servers. The features include alert notifications, virus detection and removal, webshell detection, client protection, and container image scan. For more information, see Configure common features (simplified).