
On 03/09/16 16:05, Giles Orr via talk wrote:
> I'm running application servers that have to make queries to servers behind a firewall. The firewall (not in my control) has to be configured to admit IP addresses. Getting addresses added to the firewall can be slow. So it seems to me the best way to do this would be to set up a couple of proxy servers with fixed/known IPs so that the application servers (fluctuating headcount and IPs) could make their requests through the proxy servers, which are known to the firewall.
HAProxy is perfect for this. You can set ACLs on it to only allow traffic from the app servers (you'll still have to update the HAProxy ACLs, but you control that, so it is quick and easy, right?). Then HAProxy just proxies to the server(s) behind the firewall. You can weight traffic to whichever you choose, or direct traffic to different backends depending on many different criteria. You can have multiple HAProxies with DNS A records, or I've set it up with VRRP and made it fail over when sharing a single IP.
> This makes sense in my head so far. But here's the problem: I'd like to send all network traffic from the application servers through the proxy servers, regardless of content, port, destination, anything. But in saying that, it begins to sound more like "routing" than "proxying", and enforcing this seems like it might be tricky on the open internet. And authentication of some sort would seem to be needed to prevent bad actors using the proxy to access stuff behind the firewall.
If it were just stuff like HTTP/HTTPS I'd suggest Squid for this, but it sounds like you likely need something like what you've mentioned below.
> A VPN is a possibility, but not one I'm enthusiastic about: I tackled OpenVPN a few months back, and after a day and a half and very little progress my brains started to slide out my ears. But if that's what I need to do, I'll get back on it.
OpenVPN isn't so bad once you have the CA set up and use easy-rsa to issue certs. Then you just set the VPN as the default route for your traffic and enable forwarding on the proxy server (which also hosts your HAProxy). You could also use IPsec for a quick and dirty VPN. If you weren't going over the open internet I'd suggest plain GRE, but it sounds like you need to encrypt the traffic before it reaches your egress.

Cheers,
Jamon
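As an added example (not part of Giles's or Jamon's messages), here is a minimal HAProxy configuration of the shape Jamon describes: a fixed, firewall-known address on the proxy, a source-address ACL that only admits the app servers, weighted backends behind the firewall, and one frontend that steers TLS connections by SNI without terminating TLS. All addresses, ports and hostnames are made up for illustration.

```haproxy
# Added example: HAProxy as a fixed-IP egress point for app servers
# whose addresses change. Addresses below are placeholders (RFC 5737 /
# RFC 1918 ranges), not anything from the thread.
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    tcp                 # plain TCP: the protocol behind the firewall does not matter
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# The only addresses allowed to use the proxy. This is the list you edit
# when app servers come and go, instead of waiting on the remote firewall.
frontend db_in
    bind 203.0.113.10:5432      # fixed address the remote firewall has whitelisted
    acl from_appservers src 198.51.100.0/24 198.51.100.200
    tcp-request connection reject if !from_appservers
    default_backend db_behind_fw

backend db_behind_fw
    balance roundrobin
    # Ensure outbound connections carry the whitelisted address if the
    # host has more than one (e.g. a VRRP-managed shared IP).
    source 203.0.113.10
    # Weighted: db1 receives twice the connections of db2.
    server db1 10.10.0.11:5432 check weight 20
    server db2 10.10.0.12:5432 check weight 10

# HTTPS passthrough: pick a backend from the TLS SNI without decrypting,
# so the proxy never holds the app servers' plaintext.
frontend tls_in
    bind 203.0.113.10:443
    acl from_appservers src 198.51.100.0/24 198.51.100.200
    tcp-request connection reject if !from_appservers
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend api_behind_fw if { req.ssl_sni -i api.example.internal }
    default_backend web_behind_fw

backend api_behind_fw
    source 203.0.113.10
    server api1 10.10.0.21:443 check

backend web_behind_fw
    source 203.0.113.10
    server web1 10.10.0.31:443 check
    server web2 10.10.0.32:443 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. The `tcp-request connection reject` rule runs at accept time, so a non-whitelisted source is dropped before any bytes are read; this covers Giles's "bad actors using the proxy" concern for the listed ports, but note that it authenticates by source address only, which is exactly what the VPN option would replace with per-client certificates.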