Reverse Proxy?
-
@jimmy9008 said in Reverse Proxy?:
@dafyre said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
You're using IP authentication? That's odd.
@JaredBusch has an nginx proxy guide on here somewhere.
We have a few different things going on here.
1) You go to our site, aernt IP recognised as you are not subscribed to that, and get the default login page. UN/PW using an SQL backend.
2) You go to our site, are IP recognised as your public IP is on the list, and get access to 90% of the site without having to type your UN/PW. (For Universities etc this is helpful as any students on their LAN can just go to our site, and use it without needing a UN/PW).For the case of 2, a lot of places expect it to work when at Starbucks etc... and it wont as they are coming from a different public IP.
By setting this proxy.reverse proxy thing up, students can point to our proxy, which is set as the 2nd type of access, from anywhere...
See what i'm trying to do here?
Why not just stick with doing #1 for Sites / IPs that aren't recognized?
Because the user expects number 2 to work, even outside of the office.
Too bad. Nothing you are doing here is a good idea.
You cannot have ip security from the public internet.
A reverse proxy makes the entire thing open to anywho who finds the reverse proxy, and this sounds like what you are trying to do.
A proxy, requires settings on every single computer be manually set and removed. When a lawyer is no longer allowed access how do you forcibly remove their proxy settings from their browser?
-
I have been thinking about this over lunch and as mentioned in another post, all traffic would go to us - likley something most places would not want. So we will have to ditch this idea.
-
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
Were a research platform for law. This doesnt affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. Its additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
They will subscribe to the service with IP recognition, so that users that do not login (although all have creds), can still access 90% of functionality.
What im trying to solve is that we get a lot of helpdesk calls from users outside of their physical office, saying that they are unable to login (many dont bother to remember their passwords), because the IP recognition isnt working getting them to the point they usually work...
Tell them too bad? The schools pay for one thing and you're trying to provide something above and beyond that. If they want that type of access then you need to build out a system to support that.
-
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
Were a research platform for law. This doesnt affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. Its additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
They will subscribe to the service with IP recognition, so that users that do not login (although all have creds), can still access 90% of functionality.
What im trying to solve is that we get a lot of helpdesk calls from users outside of their physical office, saying that they are unable to login (many dont bother to remember their passwords), because the IP recognition isnt working getting them to the point they usually work...
Tell them too bad? The schools pay for one thing and you're trying to provide something above and beyond that. If they want that type of access then you need to build out a system to support that.
It is not a school. it is a research platform for law.
-
@jimmy9008 said in Reverse Proxy?:
because the IP recognition isnt working getting
The IP recognition is 100% working. It's doing exactly what it was, presumably, designed to do.
-
@jaredbusch said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
Were a research platform for law. This doesnt affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. Its additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
They will subscribe to the service with IP recognition, so that users that do not login (although all have creds), can still access 90% of functionality.
What im trying to solve is that we get a lot of helpdesk calls from users outside of their physical office, saying that they are unable to login (many dont bother to remember their passwords), because the IP recognition isnt working getting them to the point they usually work...
Tell them too bad? The schools pay for one thing and you're trying to provide something above and beyond that. If they want that type of access then you need to build out a system to support that.
It is not a school. it is a research platform for law.
He said Universities. I assumed they would be either Law Schools or something similar.
-
@coliver said in Reverse Proxy?:
@jaredbusch said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
Were a research platform for law. This doesnt affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. Its additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
They will subscribe to the service with IP recognition, so that users that do not login (although all have creds), can still access 90% of functionality.
What im trying to solve is that we get a lot of helpdesk calls from users outside of their physical office, saying that they are unable to login (many dont bother to remember their passwords), because the IP recognition isnt working getting them to the point they usually work...
Tell them too bad? The schools pay for one thing and you're trying to provide something above and beyond that. If they want that type of access then you need to build out a system to support that.
It is not a school. it is a research platform for law.
He said Universities. I assumed they would be either Law Schools or something similar.
They are an example of client. We have many different clients.
Were providing the ability to allow them to get access to a certain point in the service, based on their IP.
For users, when they are out of their own office, as far as they care they expect to still get to that same point - even though they are outside of the office.
My thought was by setting up a proxy server, they can connect to that from anywhere, and get to the site and where they want.
-
@jimmy9008 said in Reverse Proxy?:
even though they are outside of the office.
But that's not what they are paying for, at least from how you described it here.
-
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
because the IP recognition isnt working getting
The IP recognition is 100% working. It's doing exactly what it was, presumably, designed to do.
Yes. It does work. Folks on premise at their respective org using the service can get where they need to go. Its when those folk want to use the service from home, from starbucks, from a hotel, from whererver... thats the issue. Despite easy ways to reset your own password, they open calls to our helpdesk as they cant login (as since they are off their main site, they will require the UN/PW as they cannot be IP rec'd)
-
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
because the IP recognition isnt working getting
The IP recognition is 100% working. It's doing exactly what it was, presumably, designed to do.
Yes. It does work. Folks on premise at their respective org using the service can get where they need to go. Its when those folk want to use the service from home, from starbucks, from a hotel, from whererver... thats the issue. Despite easy ways to reset your own password, they open calls to our helpdesk as they cant login (as since they are off their main site, they will require the UN/PW as they cannot be IP rec'd)
I understand how the software works, you've done a wonderful job explaining it. It just seems like you're searching for a solution to a problem that doesn't actually exist, at least to me. The customer (I was mistaken that it was just Universities) pays for their public IP address to be white-listed with the service and now wants access from anywhere with the same rights.
Here is a product idea. Implement a SAML-esque (or just SAML) login tool and push the authentication off to the businesses that purchase from you. Your company could up sell it calling it "login from anywhere" and charge for it similar as to how you're doing IP white-listing.
-
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
even though they are outside of the office.
But that's not what they are paying for, at least from how you described it here.
I'd like to find a way where we are able to accomplish that for them when working outside of the office. It will give them the same level of servcie and the site will work in the same way; and for us, we will lose a lot of helpdesk tickets for UN/PW where the folks do not remember what it is.
-
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
even though they are outside of the office.
But that's not what they are paying for, at least from how you described it here.
I'd like to find a way where we are able to accomplish that for them when working outside of the office. It will give them the same level of servcie and the site will work in the same way; and for us, we will lose a lot of helpdesk tickets for UN/PW where the folks do not remember what it is.
Sure but how much does that solution cost as opposed to the tickets in the system? You've said that users can reset their own password. Just forwarding them the link to that tool and closing the ticket would be faster and cheaper then trying to figure out how to do this with the current authentication method.
-
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
because the IP recognition isnt working getting
The IP recognition is 100% working. It's doing exactly what it was, presumably, designed to do.
Yes. It does work. Folks on premise at their respective org using the service can get where they need to go. Its when those folk want to use the service from home, from starbucks, from a hotel, from whererver... thats the issue. Despite easy ways to reset your own password, they open calls to our helpdesk as they cant login (as since they are off their main site, they will require the UN/PW as they cannot be IP rec'd)
I understand how the software works, you've done a wonderful job explaining it. It just seems like you're searching for a solution to a problem that doesn't actually exist, at least to me. The customer (I was mistaken that it was just Universities) pays for their public IP address to be white-listed with the service and now wants access from anywhere with the same rights.
Here is a product idea. Implement a SAML-esque (or just SAML) login tool and push the authentication off to the businesses that purchase from you. Your company could up sell it calling it "login from anywhere" and charge for it similar as to how you're doing IP white-listing.
That sounds like an idea worth looking at, as the proxy will not work. We would not want all of their traffic hitting us.
Any pointers? -
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
because the IP recognition isnt working getting
The IP recognition is 100% working. It's doing exactly what it was, presumably, designed to do.
Yes. It does work. Folks on premise at their respective org using the service can get where they need to go. Its when those folk want to use the service from home, from starbucks, from a hotel, from whererver... thats the issue. Despite easy ways to reset your own password, they open calls to our helpdesk as they cant login (as since they are off their main site, they will require the UN/PW as they cannot be IP rec'd)
I understand how the software works, you've done a wonderful job explaining it. It just seems like you're searching for a solution to a problem that doesn't actually exist, at least to me. The customer (I was mistaken that it was just Universities) pays for their public IP address to be white-listed with the service and now wants access from anywhere with the same rights.
Here is a product idea. Implement a SAML-esque (or just SAML) login tool and push the authentication off to the businesses that purchase from you. Your company could up sell it calling it "login from anywhere" and charge for it similar as to how you're doing IP white-listing.
That sounds like an idea worth looking at, as the proxy will not work. We would not want all of their traffic hitting us.
Any pointers?It really depends on how your app is written.... as well as how your customer's implement authentication/authorization. I like SAML and SSO but it doesn't fit with a lot of businesses in a lot of places.
-
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
even though they are outside of the office.
But that's not what they are paying for, at least from how you described it here.
I'd like to find a way where we are able to accomplish that for them when working outside of the office. It will give them the same level of servcie and the site will work in the same way; and for us, we will lose a lot of helpdesk tickets for UN/PW where the folks do not remember what it is.
Sure but how much does that solution cost as opposed to the tickets in the system? You've said that users can reset their own password. Just forwarding them the link to that tool and closing the ticket would be faster and cheaper then trying to figure out how to do this with the current authentication method.
Having users open a call as they cannot access a service they thought they had access to (via IP rec), is pretty bad. They dont understand that outside of the office = not IP rec. However, as it happens, if those users feedback that they cannot login repeatedly, we could lose the subscription in following years. By having a way (I guess non IP based) to allow them easy access in and out of the office, they are getting what they expect, and no complaints = resubscribe.
-
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
because the IP recognition isnt working getting
The IP recognition is 100% working. It's doing exactly what it was, presumably, designed to do.
Yes. It does work. Folks on premise at their respective org using the service can get where they need to go. Its when those folk want to use the service from home, from starbucks, from a hotel, from whererver... thats the issue. Despite easy ways to reset your own password, they open calls to our helpdesk as they cant login (as since they are off their main site, they will require the UN/PW as they cannot be IP rec'd)
I understand how the software works, you've done a wonderful job explaining it. It just seems like you're searching for a solution to a problem that doesn't actually exist, at least to me. The customer (I was mistaken that it was just Universities) pays for their public IP address to be white-listed with the service and now wants access from anywhere with the same rights.
Here is a product idea. Implement a SAML-esque (or just SAML) login tool and push the authentication off to the businesses that purchase from you. Your company could up sell it calling it "login from anywhere" and charge for it similar as to how you're doing IP white-listing.
That sounds like an idea worth looking at, as the proxy will not work. We would not want all of their traffic hitting us.
Any pointers?It really depends on how your app is written.... as well as how your customer's implement authentication/authorization. I like SAML and SSO but it doesn't fit with a lot of businesses in a lot of places.
This is a bit outside of my knowledge, but are we able to provide them with a certificate they deploy? When they visit the site, the page can check for the certificate and display to the level they expect?
-
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
even though they are outside of the office.
But that's not what they are paying for, at least from how you described it here.
I'd like to find a way where we are able to accomplish that for them when working outside of the office. It will give them the same level of servcie and the site will work in the same way; and for us, we will lose a lot of helpdesk tickets for UN/PW where the folks do not remember what it is.
Sure but how much does that solution cost as opposed to the tickets in the system? You've said that users can reset their own password. Just forwarding them the link to that tool and closing the ticket would be faster and cheaper then trying to figure out how to do this with the current authentication method.
Having users open a call as they cannot access a service they thought they had access to (via IP rec), is pretty bad. They dont understand that outside of the office = not IP rec. However, as it happens, if those users feedback that they cannot login repeatedly, we could lose the subscription in following years. By having a way (I guess non IP based) to allow them easy access in and out of the office, they are getting what they expect, and no complaints = resubscribe.
No this is not bad. THis is poorly educated users. Users do not buy your systems. Universities do. The University is the one with the problem. You update your education to the University. They have to be responsible for updating their users.
-
@jaredbusch said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
even though they are outside of the office.
But that's not what they are paying for, at least from how you described it here.
I'd like to find a way where we are able to accomplish that for them when working outside of the office. It will give them the same level of servcie and the site will work in the same way; and for us, we will lose a lot of helpdesk tickets for UN/PW where the folks do not remember what it is.
Sure but how much does that solution cost as opposed to the tickets in the system? You've said that users can reset their own password. Just forwarding them the link to that tool and closing the ticket would be faster and cheaper then trying to figure out how to do this with the current authentication method.
Having users open a call as they cannot access a service they thought they had access to (via IP rec), is pretty bad. They dont understand that outside of the office = not IP rec. However, as it happens, if those users feedback that they cannot login repeatedly, we could lose the subscription in following years. By having a way (I guess non IP based) to allow them easy access in and out of the office, they are getting what they expect, and no complaints = resubscribe.
No this is not bad. THis is poorly educated users. Users do not buy your systems. Universities do. The University is the one with the problem. You update your education to the University. They have to be responsible for updating their users.
I do see your point. The reset password feature is more than easy to use. Its standard reset password link as with other sites... I get what you are saying above too.
-
Pretty simple, User must access from your web app from customer wan address range initially, place a session cookie without expiration for 30/60/90 days and just keep them logged in that way.
It’s definitely something you can resolve within your web server and app without tunnels or proxies.
Anything else you are referring to would require IT planning from the university side.
-
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@coliver said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
@jimmy9008 said in Reverse Proxy?:
@bigbear said in Reverse Proxy?:
What is the website/service offering?
Were a research platform for law. This doesnt affect the content at all. This regards users accessing the service...
Gotcha, similar to a Lexis Nexis?
So you are restricting traffic to ip ranges as a method of adding additional security?
Yes. Similar indeed. No, not for additional security. Its additional functionality. For organisations that sign up for that service, all users of their LAN (as they all have the same gateway/ip) have access to the site without needing a un/pw.
Problem is, when off of the LAN, they still expect to have access but cannot. By having a proxy, they can.
So they pay for people on their LAN to have access. Is it defined that way in the agreement? If it is then your job is done.
They will subscribe to the service with IP recognition, so that users that do not login (although all have creds), can still access 90% of functionality.
What im trying to solve is that we get a lot of helpdesk calls from users outside of their physical office, saying that they are unable to login (many dont bother to remember their passwords), because the IP recognition isnt working getting them to the point they usually work...
Tell them too bad? The schools pay for one thing and you're trying to provide something above and beyond that. If they want that type of access then you need to build out a system to support that.
They already have, it's called a username/password when not on campus.
