Need Suggestion

sreekumarpg

Hello All,

I have a requirement to use a proxy server which support web service and Web socket.

The details are , we are having an application which sends data to the server. We need to test this feature in a proxy environment. The requirement is that if the application machine use the proxy address then only it can reach the server, if the proxy is not configured in the client application then it should not reach the server.

Kindly let me know which proxy server I can use here which support web service and Web socket. Our Web application is in ASP and hosted in IIS.

JaredBusch

@sreekumarpg said in Need Suggestion:

Hello All,

I have a requirement to use a proxy server which support web service and Web socket.

The details are , we are having an application which sends data to the server. We need to test this feature in a proxy environment. The requirement is that if the application machine use the proxy address then only it can reach the server, if the proxy is not configured in the client application then it should not reach the server.

Kindly let me know which proxy server I can use here which support web service and Web socket. Our Web application is in ASP and hosted in IIS.

Everything on my servers in the colo are running behind a Nginx proxy.

• NodeBB x2 (Uses websockets), 2 different linux servers
• WordPress x4 all on one linux server
• ScreenConnect (uses asp and mono) on a linux server
• ScreenConnect (ASP and IIS) on a windows server
• ownCloud on a linux server
• NextCloud on a linux server

The Nginx proxy runs certbot for all the SSL. None of the boxes behind the proxy have their own SSL.

JaredBusch

See: https://mangolassi.it/topic/6905/setting-up-nginx-on-centos-7-as-a-reverse-proxy

thwr

Nginx, all day long.

If you need something like NTLM auth through the proxy or SSL termination for example:
Kemp Loadmaster is doing a pretty good job in front of SharePoint 2010 for me. There's a free version available which runs as a VM and could be used for eval purposes.

scottalanmiller

We use Nginx as well. Easy to use and very powerful.

sreekumarpg

@scottalanmiller , @JaredBusch @thwr
Thanks for the support. I will be testing the Ngnix.

Proposed requirement diagram

thwr

@sreekumarpg said in Need Suggestion:

@scottalanmiller , @JaredBusch @thwr
Thanks for the support. I will be testing the Ngnix.

Proposed requirement diagram

There are multiple possible approaches, for example:

• Address based: Block every access using a local firewall on your webserver that does not come from your proxy
• Header based: Insert a special header field on your proxy and check that header on your webserver. Reject access in case the header does not exist

PS: Upvote for providing sufficient information AND a diagram. Makes helping you so much easier.

scottalanmiller

What is your goal in that diagram?

JaredBusch

@scottalanmiller said in Need Suggestion:

What is your goal in that diagram?

Showing that it is a LAN device that he wants to use the proxy.

JaredBusch

@thwr said in Need Suggestion:

PS: Upvote for providing sufficient information AND a diagram. Makes helping you so much easier.

I am so not used to clear questions

Dashrender

@JaredBusch said in Need Suggestion:

@scottalanmiller said in Need Suggestion:

What is your goal in that diagram?

Showing that it is a LAN device that he wants to use the proxy.

So are DMZs just not a thing anymore?

I'm curious what the proxy provides in this case?

JaredBusch

@sreekumarpg said in Need Suggestion:

@scottalanmiller , @JaredBusch @thwr
Thanks for the support. I will be testing the Ngnix.

Proposed requirement diagram

You will have to make sure that your DNS in house gets updated so that

app.domain.com points to the proxy server instead of app server.

One would assume the following:
Web Server: 10.1.1.2
App URL: app1.domain.com
Internal DNS result for URL returns 10.1.1.2
Firewall port forward is to 10.1.1.2
External DNS resolves app1.domain.com to your WAN IP.

You will implement the proxy and give it 10.1.1.3
Update your internal DNS for app1.domain.com to point to 10.1.1.3
Change your firewall to port forward to 10.1.13
Do not change your External DNS.

JaredBusch

@Dashrender said in Need Suggestion:

@JaredBusch said in Need Suggestion:

@scottalanmiller said in Need Suggestion:

What is your goal in that diagram?

Showing that it is a LAN device that he wants to use the proxy.

So are DMZs just not a thing anymore?

I'm curious what the proxy provides in this case?

DMZ is a lazy answer, and should never be used.

Dashrender

@JaredBusch said in Need Suggestion:

@Dashrender said in Need Suggestion:

@JaredBusch said in Need Suggestion:

@scottalanmiller said in Need Suggestion:

What is your goal in that diagram?

Showing that it is a LAN device that he wants to use the proxy.

So are DMZs just not a thing anymore?

I'm curious what the proxy provides in this case?

DMZ is a lazy answer, and should never be used.

huh - more explanation on that would be great.

But just having the DMZ doesn't mean that @thwr's suggestion of blocking access via a firewall on the webserver shouldn't be used.

JaredBusch

@Dashrender said in Need Suggestion:

@JaredBusch said in Need Suggestion:

@Dashrender said in Need Suggestion:

@JaredBusch said in Need Suggestion:

@scottalanmiller said in Need Suggestion:

What is your goal in that diagram?

Showing that it is a LAN device that he wants to use the proxy.

So are DMZs just not a thing anymore?

I'm curious what the proxy provides in this case?

DMZ is a lazy answer, and should never be used.

huh - more explanation on that would be great.

But just having the DMZ doesn't mean that @thwr's suggestion of blocking access via a firewall on the webserver shouldn't be used.

A DMZ is just dumping everything to a system/subnet. Using a proxy lets you selectively forward on what you want. A proxy gives you a single place to defend and manage, instead of every system on the DMZ subnet.

JaredBusch

split the DMZ stuff to a new thread.

JaredBusch

@scottalanmiller said in Need Suggestion:

@sreekumarpg said in Need Suggestion:

The development team requirement is that if they want to connect to the web server then they need the proxy setting in the client machine.

If the client machine is not configured with proxy setting , then they can browse all other site expect the web server. if they configure the proxy setting in client machine they should reach the server. This is their exact requirement to test their application is working fine if a proxy is configure.

That's totally different to what you are doing here.

Yeah, this is totally different. This is an inline proxy/webfilter design.

art_of_shred

Temporarily locking this topic in order to split the thread.

art_of_shred

Topic unlocked. To continue discussing DMZ, please go to:

https://mangolassi.it/topic/12427/proper-dmz-configuration-and-use

sreekumarpg

Thanks All

I will be installing Nginx and will do as per @Dashrender suggestion