Reverse Proxy?
-
@jimmy9008 said in Reverse Proxy?:
By setting this proxy.reverse proxy thing up, students can point to our proxy, which is set as the 2nd type of access, from anywhere...
If you don't authenticate access to that proxy (meaning they type us/pass - or it's saved in some app) you've just nullified the whole point of the IP authentication.
Let me put this another way, what keeps a hacker in China from using that proxy and bypassing username/password requirement?
My company has a similar situation. Our IPs are registered with a local hospital - while my users attempt to use the hospital systems from our registered IPs, they don't require 2FA, leave our location, 2FA is required. Solution - those who must access while not onsite have been issued a security token, authentication of user remains more secure.
-
@bigbear said in Reverse Proxy?:
So you are restricting traffic to ip ranges as a method of adding additional security?
I'm guessing they offer a paid service that the university pays for. Unlimited access to anyone on campus, but limited for those off campus.
-
@jimmy9008 said in Reverse Proxy?:
Is it possible to have Squid proxy app.justis.com, but tell the client to go via its non proxy route for all other?
Not sure this is how proxies work. If you make their machines all use your proxy, then all traffic from those machines will go through your proxy. I can't speak for those users, but I sure in the heck wouldn't want all of my traffic flowing through your proxy server.
Additionally, this could (and I think would) put a huge amount of traffic through that proxy.
Assuming I'm thinking about this correctly (ready to be blasted by @JaredBusch if I'm wrong), you'd need to set this proxy as the default in the browser/phone/computer whatever. Then regardless of where the user is (on campus or off) all traffic would go to you for anything they do.
-
@dashrender said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
Is it possible to have Squid proxy app.justis.com, but tell the client to go via its non proxy route for all other?
Not sure this is how proxies work. If you make their machines all use your proxy, then all traffic from those machines will go through your proxy. I can't speak for those users, but I sure in the heck wouldn't want all of my traffic flowing through your proxy server.
Additionally, this could (and I think would) put a huge amount of traffic through that proxy.
Assuming I'm thinking about this correctly (ready to be blasted by @JaredBusch if I'm wrong), you'd need to set this proxy as the default in the browser/phone/computer whatever. Then regardless of where the user is (on campus or off) all traffic would go to you for anything they do.
A proxy would require this. A reverse proxy I don't believe would. I still think this kind of defeats the purpose of what @Jimmy9008's company is trying to do though.
-
@coliver said in Reverse Proxy?:
@dashrender said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
Is it possible to have Squid proxy app.justis.com, but tell the client to go via its non proxy route for all other?
Not sure this is how proxies work. If you make their machines all use your proxy, then all traffic from those machines will go through your proxy. I can't speak for those users, but I sure in the heck wouldn't want all of my traffic flowing through your proxy server.
Additionally, this could (and I think would) put a huge amount of traffic through that proxy.
Assuming I'm thinking about this correctly (ready to be blasted by @JaredBusch if I'm wrong), you'd need to set this proxy as the default in the browser/phone/computer whatever. Then regardless of where the user is (on campus or off) all traffic would go to you for anything they do.
A proxy would require this. A reverse proxy I don't believe would. I still think this kind of defeats the purpose of what @Jimmy9008's company is trying to do though.
Wouldn't a reverse proxy kill it for everyone on the internet? i.e. as we've both already said - defeating the purpose of IP authentication?
I'm guessing the proxy could be limited to only proxy abc IPs, but is that really useful since @Jimmy9008 can't reasonably know what IPs would be used by the students.
-
@dashrender said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@dashrender said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
Is it possible to have Squid proxy app.justis.com, but tell the client to go via its non proxy route for all other?
Not sure this is how proxies work. If you make their machines all use your proxy, then all traffic from those machines will go through your proxy. I can't speak for those users, but I sure in the heck wouldn't want all of my traffic flowing through your proxy server.
Additionally, this could (and I think would) put a huge amount of traffic through that proxy.
Assuming I'm thinking about this correctly (ready to be blasted by @JaredBusch if I'm wrong), you'd need to set this proxy as the default in the browser/phone/computer whatever. Then regardless of where the user is (on campus or off) all traffic would go to you for anything they do.
A proxy would require this. A reverse proxy I don't believe would. I still think this kind of defeats the purpose of what @Jimmy9008's company is trying to do though.
Wouldn't a reverse proxy kill it for everyone on the internet? i.e. as we've both already said - defeating the purpose of IP authentication?
I'm guessing the proxy could be limited to only proxy abc IPs, but is that really useful since @Jimmy9008 can't reasonably know what IPs would be used by the students.
Right, that's what I'm saying. It's useless in the context of what @Jimmy9008's company is trying to do. It could/would be better if they did some type of SSO arrangement with the universities so students could login with their campus credentials and all @Jimmy9008 would get would be a token confirming they are who they say they are.
That being said @Jimmy9008 have you looked at something like EZProxy? I'm not sure if it would fit your needs entirely though.
-
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. It's additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
-
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. It's additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
-
@dafyre said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
You're using IP authentication? That's odd.
@JaredBusch has an nginx proxy guide on here somewhere.
We have a few different things going on here.
1) You go to our site, aren't IP recognised as you are not subscribed to that, and get the default login page. UN/PW using an SQL backend.
2) You go to our site, are IP recognised as your public IP is on the list, and get access to 90% of the site without having to type your UN/PW. (For Universities etc this is helpful as any students on their LAN can just go to our site, and use it without needing a UN/PW).
For the case of 2, a lot of places expect it to work when at Starbucks etc... and it won't as they are coming from a different public IP.
By setting this proxy.reverse proxy thing up, students can point to our proxy, which is set as the 2nd type of access, from anywhere...
See what I'm trying to do here?
Why not just stick with doing #1 for Sites / IPs that aren't recognized?
Because the user expects number 2 to work, even outside of the office.
-
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. It's additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
They will subscribe to the service with IP recognition, so that users that do not login (although all have creds), can still access 90% of functionality.
What I'm trying to solve is that we get a lot of helpdesk calls from users outside of their physical office, saying that they are unable to login (many don't bother to remember their passwords), because the IP recognition isn't working getting them to the point they usually work...
-
@jimmy9008 said in Reverse Proxy?:
@dafyre said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
You're using IP authentication? That's odd.
@JaredBusch has an nginx proxy guide on here somewhere.
We have a few different things going on here.
1) You go to our site, aren't IP recognised as you are not subscribed to that, and get the default login page. UN/PW using an SQL backend.
2) You go to our site, are IP recognised as your public IP is on the list, and get access to 90% of the site without having to type your UN/PW. (For Universities etc this is helpful as any students on their LAN can just go to our site, and use it without needing a UN/PW).
For the case of 2, a lot of places expect it to work when at Starbucks etc... and it won't as they are coming from a different public IP.
By setting this proxy.reverse proxy thing up, students can point to our proxy, which is set as the 2nd type of access, from anywhere...
See what I'm trying to do here?
Why not just stick with doing #1 for Sites / IPs that aren't recognized?
Because the user expects number 2 to work, even outside of the office.
Too bad. Nothing you are doing here is a good idea.
You cannot have ip security from the public internet.
A reverse proxy makes the entire thing open to anyone who finds the reverse proxy, and this sounds like what you are trying to do.
A proxy requires settings on every single computer to be manually set and removed. When a lawyer is no longer allowed access how do you forcibly remove their proxy settings from their browser?
-
I have been thinking about this over lunch and as mentioned in another post, all traffic would go to us - likely something most places would not want. So we will have to ditch this idea.
-
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. It's additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
They will subscribe to the service with IP recognition, so that users that do not login (although all have creds), can still access 90% of functionality.
What I'm trying to solve is that we get a lot of helpdesk calls from users outside of their physical office, saying that they are unable to login (many don't bother to remember their passwords), because the IP recognition isn't working getting them to the point they usually work...
Tell them too bad? The schools pay for one thing and you're trying to provide something above and beyond that. If they want that type of access then you need to build out a system to support that.
-
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. It's additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
They will subscribe to the service with IP recognition, so that users that do not login (although all have creds), can still access 90% of functionality.
What I'm trying to solve is that we get a lot of helpdesk calls from users outside of their physical office, saying that they are unable to login (many don't bother to remember their passwords), because the IP recognition isn't working getting them to the point they usually work...
Tell them too bad? The schools pay for one thing and you're trying to provide something above and beyond that. If they want that type of access then you need to build out a system to support that.
It is not a school. It is a research platform for law.
-
@jimmy9008 said in Reverse Proxy?:
because the IP recognition isn't working getting
The IP recognition is 100% working. It's doing exactly what it was, presumably, designed to do.
-
@jaredbusch said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. It's additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
They will subscribe to the service with IP recognition, so that users that do not login (although all have creds), can still access 90% of functionality.
What I'm trying to solve is that we get a lot of helpdesk calls from users outside of their physical office, saying that they are unable to login (many don't bother to remember their passwords), because the IP recognition isn't working getting them to the point they usually work...
Tell them too bad? The schools pay for one thing and you're trying to provide something above and beyond that. If they want that type of access then you need to build out a system to support that.
It is not a school. It is a research platform for law.
He said Universities. I assumed they would be either Law Schools or something similar.
-
@coliver said in Reverse Proxy?:
@jaredbusch said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. It's additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
They will subscribe to the service with IP recognition, so that users that do not login (although all have creds), can still access 90% of functionality.
What I'm trying to solve is that we get a lot of helpdesk calls from users outside of their physical office, saying that they are unable to login (many don't bother to remember their passwords), because the IP recognition isn't working getting them to the point they usually work...
Tell them too bad? The schools pay for one thing and you're trying to provide something above and beyond that. If they want that type of access then you need to build out a system to support that.
It is not a school. It is a research platform for law.
He said Universities. I assumed they would be either Law Schools or something similar.
They are an example of client. We have many different clients.
We're providing the ability to allow them to get access to a certain point in the service, based on their IP.
For users, when they are out of their own office, as far as they care they expect to still get to that same point - even though they are outside of the office.
My thought was by setting up a proxy server, they can connect to that from anywhere, and get to the site and where they want.
-
@jimmy9008 said in Reverse Proxy?:
even though they are outside of the office.
But that's not what they are paying for, at least from how you described it here.
-
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
because the IP recognition isn't working getting
The IP recognition is 100% working. It's doing exactly what it was, presumably, designed to do.
Yes. It does work. Folks on premise at their respective org using the service can get where they need to go. It's when those folk want to use the service from home, from Starbucks, from a hotel, from wherever... that's the issue. Despite easy ways to reset your own password, they open calls to our helpdesk as they can't login (as since they are off their main site, they will require the UN/PW as they cannot be IP rec'd)
-
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
because the IP recognition isn't working getting
The IP recognition is 100% working. It's doing exactly what it was, presumably, designed to do.
Yes. It does work. Folks on premise at their respective org using the service can get where they need to go. It's when those folk want to use the service from home, from Starbucks, from a hotel, from wherever... that's the issue. Despite easy ways to reset your own password, they open calls to our helpdesk as they can't login (as since they are off their main site, they will require the UN/PW as they cannot be IP rec'd)
I understand how the software works, you've done a wonderful job explaining it. It just seems like you're searching for a solution to a problem that doesn't actually exist, at least to me. The customer (I was mistaken that it was just Universities) pays for their public IP address to be white-listed with the service and now wants access from anywhere with the same rights.
Here is a product idea. Implement a SAML-esque (or just SAML) login tool and push the authentication off to the businesses that purchase from you. Your company could up sell it calling it "login from anywhere" and charge for it similar as to how you're doing IP white-listing.
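-
Added example, not part of the original thread or any poster's code: a Python sketch of the access decision discussed above, showing why an unauthenticated reverse proxy inside the allow-listed range defeats IP recognition, and how a short-lived signed token covers off-site users instead. The token is an HMAC stand-in for the SAML assertion suggested in the last post; the addresses, key, and function names are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed sample data: documentation address ranges, not real customers.
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]  # subscriber's office egress
PROXY_IP = "198.51.100.10"  # hypothetical reverse proxy placed on the allow-list
SSO_KEY = b"constructed-demo-key"  # stand-in for the identity provider's signing key


def origin_allows(source_ip):
    """IP recognition: the origin only ever sees the TCP peer address."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ALLOWLIST)


def open_reverse_proxy(client_ip):
    """Unauthenticated reverse proxy: client_ip is never consulted, because
    the origin sees PROXY_IP as the peer for every request it forwards."""
    return origin_allows(PROXY_IP)


def issue_token(user, org, now, ttl=300):
    """Assumed IdP step: sign user|org|expiry so the service needs no password."""
    msg = f"{user}|{org}|{int(now) + ttl}"
    sig = hmac.new(SSO_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{sig}"


def verify_token(token, now):
    """Return the identity if the signature is valid and unexpired, else None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, org, expiry, sig = parts
    msg = f"{user}|{org}|{expiry}"
    expected = hmac.new(SSO_KEY, msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not expiry.isdigit() or int(expiry) < now:
        return None  # expiry is what removes access without touching the client
    return {"user": user, "org": org}


def access_decision(source_ip, token=None, now=None):
    """On-site users keep IP recognition; off-site users need a valid token."""
    now = time.time() if now is None else now
    if origin_allows(source_ip):
        return "ip-recognised"
    if token and verify_token(token, now):
        return "token"
    return "login-required"


if __name__ == "__main__":
    outsider = "203.0.113.77"  # constructed off-site address
    print("via open proxy:", open_reverse_proxy(outsider))
    print("direct, no token:", access_decision(outsider, now=1000))
    tok = issue_token("alice", "example-org", now=1000)
    print("direct, with token:", access_decision(outsider, tok, now=1100))
```

A real SAML deployment uses the identity provider's asymmetric signature rather than a shared HMAC key; the decision logic is the same.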