Reverse Proxy?
-
Hi folks,
With our service, we take the IP address of customers and store it in a database. Upon accessing the service, if their traffic is from a documented IP, they get a special login. That works well.
The problem... users. They don't understand that when they go to, say, a coffee shop, or wherever with a laptop, the IP recognition will not work as their gateway IP is different. They are not technical, and are not interested in why it doesn't work - only that 'it doesn't work'.
We would like to set up some sort of reverse proxy to sort this out where they can set their laptops etc. to point to our proxy, which is added to our database as an IP, so that they always get the special page. No matter where they login from, they would go through us and get where they need...
What can I use for that? It will need to point their traffic to a different public IP/site, not an internal IP.
Not sure exactly here, so any ideas or thoughts welcome... Any ideas,
Jim
-
You're using IP authentication? That's odd.
@JaredBusch has an nginx proxy guide on here somewhere.
-
Perhaps this is just standard proxy?
Client sends request for XYZ... that goes to my proxy at A, which sends their traffic to XYZ. From XYZ, it appears to have come from A. Not the original client. That's what I am trying to do.
Would be great to have the proxy work by a username and password.
-
@coliver said in Reverse Proxy?:
You're using IP authentication? That's odd.
@JaredBusch has an nginx proxy guide on here somewhere.
We have a few different things going on here.
- You go to our site, aren't IP recognised as you are not subscribed to that, and get the default login page. UN/PW using an SQL backend.
- You go to our site, are IP recognised as your public IP is on the list, and get access to 90% of the site without having to type your UN/PW. (For Universities etc this is helpful as any students on their LAN can just go to our site, and use it without needing a UN/PW).
For the case of 2, a lot of places expect it to work when at Starbucks etc... and it won't as they are coming from a different public IP.
By setting this proxy/reverse proxy thing up, students can point to our proxy, which is set as the 2nd type of access, from anywhere...
See what I'm trying to do here?
-
What is the website/service offering?
-
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
-
Looks like I can do what I want with CentOS and Squid. See any issues?
Is it possible to have Squid proxy app.justis.com, but tell the client to go via its non-proxy route for all other?
-
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to IP ranges as a method of adding additional security?
-
Not sure if it's relevant, but I used this on a recent project/experiment.
-
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
You're using IP authentication? That's odd.
@JaredBusch has an nginx proxy guide on here somewhere.
We have a few different things going on here.
1) You go to our site, aren't IP recognised as you are not subscribed to that, and get the default login page. UN/PW using an SQL backend.
2) You go to our site, are IP recognised as your public IP is on the list, and get access to 90% of the site without having to type your UN/PW. (For Universities etc this is helpful as any students on their LAN can just go to our site, and use it without needing a UN/PW.) For the case of 2, a lot of places expect it to work when at Starbucks etc... and it won't as they are coming from a different public IP.
By setting this proxy/reverse proxy thing up, students can point to our proxy, which is set as the 2nd type of access, from anywhere...
See what I'm trying to do here?
Why not just stick with doing #1 for Sites / IPs that aren't recognized?
-
@jimmy9008 said in Reverse Proxy?:
By setting this proxy/reverse proxy thing up, students can point to our proxy, which is set as the 2nd type of access, from anywhere...
If you don't authenticate access to that proxy (meaning they type us/pass - or it's saved in some app) you've just nullified the whole point of the IP authentication.
Let me put this another way, what keeps a hacker in China from using that proxy and bypassing the username/password requirement? My company has a similar situation. Our IPs are registered with a local hospital - while my users attempt to use the hospital systems from our registered IPs, they don't require 2FA; leave our location, 2FA is required. Solution - those who must access while not onsite have been issued a security token, so authentication of the user remains more secure.
-
@bigbear said in Reverse Proxy?:
So you are restricting traffic to IP ranges as a method of adding additional security?
I'm guessing they offer a paid service that the university pays for. Unlimited access to anyone on campus, but limited for those off campus.
-
@jimmy9008 said in Reverse Proxy?:
Is it possible to have Squid proxy app.justis.com, but tell the client to go via its non-proxy route for all other?
Not sure this is how proxies work. If you make their machines all use your proxy, then all traffic from those machines will go through your proxy. I can't speak for those users, but I sure in the heck wouldn't want all of my traffic flowing through your proxy server.
Additionally, this could (and I think would) put a huge amount of traffic through that proxy. Assuming I'm thinking about this correctly (ready to be blasted by @JaredBusch if I'm wrong), you'd need to set this proxy as the default in the browser/phone/computer whatever. Then regardless of where the user is (on campus or off) all traffic would go to you for anything they do.
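On the routing side, @jimmy9008's earlier question (proxy only app.justis.com, everything else direct) is exactly what a proxy auto-config (PAC) file does, which also answers the "all my traffic through your proxy" concern above. This is an added example, not code from anyone in the thread; the proxy address is a placeholder, and the set of proxied hosts is an assumption. It only decides routing: the proxy itself must still require credentials, as @Dashrender notes, or it becomes an open door into the IP-recognised tier.

```javascript
// Proxy auto-config (PAC) for the scenario in this thread: only the
// subscribed service host is sent through the subscriber proxy; every other
// request goes DIRECT, so the proxy never sees the user's unrelated browsing.
// Assumed/placeholder values (not from the thread): proxy host and port, and
// the list of hosts that must arrive from the proxy's recognised IP.

var PROXIED_HOSTS = ["app.justis.com"];          // hosts that need the recognised IP
var SUBSCRIBER_PROXY = "PROXY proxy.example.com:3128"; // placeholder address

// Stand-in for the PAC built-in dnsDomainIs(), so the file can also be run
// under Node for testing. Matches the host itself and any sub-host of it,
// but not look-alikes such as "notapp.justis.com".
function hostMatches(host, pattern) {
  host = String(host).toLowerCase();
  pattern = pattern.toLowerCase();
  return host === pattern || host.endsWith("." + pattern);
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  for (var i = 0; i < PROXIED_HOSTS.length; i++) {
    if (hostMatches(host, PROXIED_HOSTS[i])) {
      // No "; DIRECT" fallback on purpose: if the proxy is unreachable the
      // request fails visibly instead of silently reaching the site from the
      // coffee-shop IP and landing the user on the credential login page.
      return SUBSCRIBER_PROXY;
    }
  }
  // Everything else bypasses the proxy entirely.
  return "DIRECT";
}
```

Browsers and OS proxy settings accept this as a PAC URL, so the laptop is configured once and keeps working off campus.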
-
@dashrender said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
Is it possible to have Squid proxy app.justis.com, but tell the client to go via its non-proxy route for all other?
Not sure this is how proxies work. If you make their machines all use your proxy, then all traffic from those machines will go through your proxy. I can't speak for those users, but I sure in the heck wouldn't want all of my traffic flowing through your proxy server.
Additionally, this could (and I think would) put a huge amount of traffic through that proxy. Assuming I'm thinking about this correctly (ready to be blasted by @JaredBusch if I'm wrong), you'd need to set this proxy as the default in the browser/phone/computer whatever. Then regardless of where the user is (on campus or off) all traffic would go to you for anything they do.
A proxy would require this. A reverse proxy I don't believe would. I still think this kind of defeats the purpose of what @Jimmy9008's company is trying to do though.
-
@coliver said in Reverse Proxy?:
@dashrender said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
Is it possible to have Squid proxy app.justis.com, but tell the client to go via its non-proxy route for all other?
Not sure this is how proxies work. If you make their machines all use your proxy, then all traffic from those machines will go through your proxy. I can't speak for those users, but I sure in the heck wouldn't want all of my traffic flowing through your proxy server.
Additionally, this could (and I think would) put a huge amount of traffic through that proxy. Assuming I'm thinking about this correctly (ready to be blasted by @JaredBusch if I'm wrong), you'd need to set this proxy as the default in the browser/phone/computer whatever. Then regardless of where the user is (on campus or off) all traffic would go to you for anything they do.
A proxy would require this. A reverse proxy I don't believe would. I still think this kind of defeats the purpose of what @Jimmy9008's company is trying to do though.
Wouldn't a reverse proxy kill it for everyone on the internet? i.e. as we've both already said - defeating the purpose of IP authentication?
I'm guessing the proxy could be limited to only proxy abc IPs, but is that really useful since @Jimmy9008 can't reasonably know what IPs would be used by the students.
-
@dashrender said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@dashrender said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
Is it possible to have Squid proxy app.justis.com, but tell the client to go via its non-proxy route for all other?
Not sure this is how proxies work. If you make their machines all use your proxy, then all traffic from those machines will go through your proxy. I can't speak for those users, but I sure in the heck wouldn't want all of my traffic flowing through your proxy server.
Additionally, this could (and I think would) put a huge amount of traffic through that proxy. Assuming I'm thinking about this correctly (ready to be blasted by @JaredBusch if I'm wrong), you'd need to set this proxy as the default in the browser/phone/computer whatever. Then regardless of where the user is (on campus or off) all traffic would go to you for anything they do.
A proxy would require this. A reverse proxy I don't believe would. I still think this kind of defeats the purpose of what @Jimmy9008's company is trying to do though.
Wouldn't a reverse proxy kill it for everyone on the internet? i.e. as we've both already said - defeating the purpose of IP authentication?
I'm guessing the proxy could be limited to only proxy abc IPs, but is that really useful since @Jimmy9008 can't reasonably know what IPs would be used by the students.
Right, that's what I'm saying. It's useless in the context of what @Jimmy9008's company is trying to do. It could/would be better if they did some type of SSO arrangement with the universities so students could login with their campus credentials and all @Jimmy9008 would get would be a token confirming they are who they say they are.
That being said @Jimmy9008 have you looked at something like EZProxy? I'm not sure if it would fit your needs entirely though.
-
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to IP ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. It's additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/IP) have access to the site without needing a UN/PW.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
-
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to IP ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. It's additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/IP) have access to the site without needing a UN/PW.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
-
@dafyre said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
You're using IP authentication? That's odd.
@JaredBusch has an nginx proxy guide on here somewhere.
We have a few different things going on here.
1) You go to our site, aren't IP recognised as you are not subscribed to that, and get the default login page. UN/PW using an SQL backend.
2) You go to our site, are IP recognised as your public IP is on the list, and get access to 90% of the site without having to type your UN/PW. (For Universities etc this is helpful as any students on their LAN can just go to our site, and use it without needing a UN/PW.) For the case of 2, a lot of places expect it to work when at Starbucks etc... and it won't as they are coming from a different public IP.
By setting this proxy/reverse proxy thing up, students can point to our proxy, which is set as the 2nd type of access, from anywhere...
See what I'm trying to do here?
Why not just stick with doing #1 for Sites / IPs that aren't recognized?
Because the user expects number 2 to work, even outside of the office.
-
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
We're a research platform for law. This doesn't affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to IP ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. It's additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/IP) have access to the site without needing a UN/PW.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
They will subscribe to the service with IP recognition, so that users that do not login (although all have creds), can still access 90% of functionality.
What I'm trying to solve is that we get a lot of helpdesk calls from users outside of their physical office, saying that they are unable to login (many don't bother to remember their passwords), because the IP recognition isn't working getting them to the point they usually work...