Need Suggestion

JaredBusch

See: https://mangolassi.it/topic/6905/setting-up-nginx-on-centos-7-as-a-reverse-proxy

thwr

Nginx, all day long.

If you need something like NTLM auth through the proxy or SSL termination for example:
Kemp Loadmaster is doing a pretty good job in front of SharePoint 2010 for me. There's a free version available which runs as a VM and could be used for eval purposes.

scottalanmiller

We use Nginx as well. Easy to use and very powerful.

sreekumarpg

@scottalanmiller , @JaredBusch @thwr
Thanks for the support. I will be testing the Ngnix.

Proposed requirement diagram

thwr

@sreekumarpg said in Need Suggestion:

@scottalanmiller , @JaredBusch @thwr
Thanks for the support. I will be testing the Ngnix.

Proposed requirement diagram

There are multiple possible approaches, for example:

• Address based: Block every access using a local firewall on your webserver that does not come from your proxy
• Header based: Insert a special header field on your proxy and check that header on your webserver. Reject access in case the header does not exist

PS: Upvote for providing sufficient information AND a diagram. Makes helping you so much easier.

scottalanmiller

What is your goal in that diagram?

JaredBusch

@scottalanmiller said in Need Suggestion:

What is your goal in that diagram?

Showing that it is a LAN device that he wants to use the proxy.

JaredBusch

@thwr said in Need Suggestion:

PS: Upvote for providing sufficient information AND a diagram. Makes helping you so much easier.

I am so not used to clear questions

Dashrender

@JaredBusch said in Need Suggestion:

@scottalanmiller said in Need Suggestion:

What is your goal in that diagram?

Showing that it is a LAN device that he wants to use the proxy.

So are DMZs just not a thing anymore?

I'm curious what the proxy provides in this case?

JaredBusch

@sreekumarpg said in Need Suggestion:

@scottalanmiller , @JaredBusch @thwr
Thanks for the support. I will be testing the Ngnix.

Proposed requirement diagram

You will have to make sure that your DNS in house gets updated so that

app.domain.com points to the proxy server instead of app server.

One would assume the following:
Web Server: 10.1.1.2
App URL: app1.domain.com
Internal DNS result for URL returns 10.1.1.2
Firewall port forward is to 10.1.1.2
External DNS resolves app1.domain.com to your WAN IP.

You will implement the proxy and give it 10.1.1.3
Update your internal DNS for app1.domain.com to point to 10.1.1.3
Change your firewall to port forward to 10.1.13
Do not change your External DNS.

JaredBusch

@Dashrender said in Need Suggestion:

@JaredBusch said in Need Suggestion:

@scottalanmiller said in Need Suggestion:

What is your goal in that diagram?

Showing that it is a LAN device that he wants to use the proxy.

So are DMZs just not a thing anymore?

I'm curious what the proxy provides in this case?

DMZ is a lazy answer, and should never be used.

Dashrender

@JaredBusch said in Need Suggestion:

@Dashrender said in Need Suggestion:

@JaredBusch said in Need Suggestion:

@scottalanmiller said in Need Suggestion:

What is your goal in that diagram?

Showing that it is a LAN device that he wants to use the proxy.

So are DMZs just not a thing anymore?

I'm curious what the proxy provides in this case?

DMZ is a lazy answer, and should never be used.

huh - more explanation on that would be great.

But just having the DMZ doesn't mean that @thwr's suggestion of blocking access via a firewall on the webserver shouldn't be used.

JaredBusch

@Dashrender said in Need Suggestion:

@JaredBusch said in Need Suggestion:

@Dashrender said in Need Suggestion:

@JaredBusch said in Need Suggestion:

@scottalanmiller said in Need Suggestion:

What is your goal in that diagram?

Showing that it is a LAN device that he wants to use the proxy.

So are DMZs just not a thing anymore?

I'm curious what the proxy provides in this case?

DMZ is a lazy answer, and should never be used.

huh - more explanation on that would be great.

But just having the DMZ doesn't mean that @thwr's suggestion of blocking access via a firewall on the webserver shouldn't be used.

A DMZ is just dumping everything to a system/subnet. Using a proxy lets you selectively forward on what you want. A proxy gives you a single place to defend and manage, instead of every system on the DMZ subnet.

JaredBusch

split the DMZ stuff to a new thread.

JaredBusch

@scottalanmiller said in Need Suggestion:

@sreekumarpg said in Need Suggestion:

The development team requirement is that if they want to connect to the web server then they need the proxy setting in the client machine.

If the client machine is not configured with proxy setting , then they can browse all other site expect the web server. if they configure the proxy setting in client machine they should reach the server. This is their exact requirement to test their application is working fine if a proxy is configure.

That's totally different to what you are doing here.

Yeah, this is totally different. This is an inline proxy/webfilter design.

art_of_shred

Temporarily locking this topic in order to split the thread.

art_of_shred

Topic unlocked. To continue discussing DMZ, please go to:

https://mangolassi.it/topic/12427/proper-dmz-configuration-and-use

sreekumarpg

Thanks All

I will be installing Nginx and will do as per @Dashrender suggestion