
I think I'm having trouble finding an answer to my questions largely because I don't fully know how to express them, so I'm going to try to do so here and see if another member of this list can take my English language fuzzy logic and turn it into question(s) that can more easily be answered ...

I'm running application servers that have to make queries to servers behind a firewall. The firewall (not in my control) has to be configured to admit IP addresses. Getting addresses added to the firewall can be slow. So it seems to me the best way to do this would be to set up a couple of proxy servers with fixed/known IPs so that the application servers (fluctuating headcount and IPs) could make their requests through the proxy servers - which are known to the firewall.

This makes sense in my head so far. But here's the problem: I'd like to send all network traffic from the application servers through the proxy servers, regardless of content, port, destination, anything. But in saying that, it begins to sound more like "routing" than "proxying", and enforcing this seems like it might be tricky on the open internet. And authentication of some sort would seem to be needed to prevent bad actors using the proxy to access stuff behind the firewall.

A VPN is a possibility, but not one I'm enthusiastic about: I tackled OpenVPN a few months back, and after a day and a half and very little progress my brains started to slide out my ears. But if that's what I need to do, I'll get back on it.

Thanks!

--
Giles
http://www.gilesorr.com/
gilesorr@gmail.com

I don't understand all the parameters of your problem.

If the application servers are all on a secure LAN, and the "proxy" machine is on that LAN, and it also has access to the internet, then it sounds like NAPTing ("masquerading" is the old Linux name) would do what you want. The "proxy" would then be the LAN's gateway (in a routing sense).

If the application servers are not on a LAN, it isn't clear what you want. In particular, why would you want *all their traffic* to go through the "proxy"? Or do you mean *all their traffic that reaches the proxy* to go through the proxy?

If the application servers are not on a LAN, how would the traffic be authenticated by the "proxy"? Without authentication, you are just destroying the (admittedly weak) security mechanism of the firewall and the servers behind it.

BTW, VPNs and routing are not opposites. FreeS/WAN IPSec actually used Linux routing to select packets for VPN processing. It turned out to be a reasonable choice.

Note: NAPTing is generally limited to protocols with ports: UDP and TCP essentially. It doesn't really handle "all traffic". You probably only care about those protocols.

Hi Giles:

Do the computers you maintain need to accept arbitrary inbound connections from the external system? Or other systems? If not, then in this scenario they're really clients to the external system's server(s). In this case you can use a NAT router, where all outbound connections come from the same IP address. Any external servers they connect to can exchange data.

If your application servers do need to accept arbitrary inbound connections, are there inbound port duplicates? i.e. Are there multiple computers that need to accept HTTP traffic on port 80? Or FTP? Or SSH? If not, then you can still use a NAT router, but you'll need to set up inbound port forwarding.

For both these scenarios a consumer-level router has the smarts to accomplish your task, although I'd recommend something a bit more robust like pfSense.

If you do need to accept arbitrary inbound requests on duplicate port numbers for different servers then I don't see an easy way to do that on one IP address... (needs an application-level router that can determine what hostname is being addressed, what used to be called a "bastion server").

--Bob.

On 2016-09-03 11:05 AM, Giles Orr via talk wrote:
I think I'm having trouble finding an answer to my questions largely because I don't fully know how to express them, so I'm going to try to do so here and see if another member of this list can take my English language fuzzy logic and turn it into question(s) that can more easily be answered ...
I'm running application servers that have to make queries to servers behind a firewall. The firewall (not in my control) has to be configured to admit IP addresses. Getting addresses added to the firewall can be slow. So it seems to me the best way to do this would be to set up a couple of proxy servers with fixed/known IPs so that the application servers (fluctuating headcount and IPs) could make their requests through the proxy servers - which are known to the firewall.
This makes sense in my head so far. But here's the problem: I'd like to send all network traffic from the application servers through the proxy servers, regardless of content, port, destination, anything. But in saying that, it begins to sound more like "routing" than "proxying", and enforcing this seems like it might be tricky on the open internet. And authentication of some sort would seem to be needed to prevent bad actors using the proxy to access stuff behind the firewall.
A VPN is a possibility, but not one I'm enthusiastic about: I tackled OpenVPN a few months back, and after a day and a half and very little progress my brains started to slide out my ears. But if that's what I need to do, I'll get back on it.
Thanks!
--
Bob Jonkman <bjonkman@sobac.com>
Phone: +1-519-635-9413
SOBAC Microcomputer Services
http://sobac.com/sobac/
Software --- Office & Business Automation --- Consulting
GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
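As an added example (not code from the thread or from any of its posters), here is the NAPT gateway Hugh describes and the NAT-router-with-inbound-port-forward Bob describes, rendered as an nftables ruleset by a POSIX shell script. The values 10.20.0.0/24 (app-server LAN), eth0 (WAN interface), 10.20.0.1 (gateway LAN address) and 10.20.0.5:80 (an internal server for the port forward) are constructed placeholders. The script only writes the files to a temporary directory and, where nft is installed, syntax-checks them; it does not change the running system.

```shell
#!/bin/sh
# Added example, not from the thread. Renders a Linux NAPT ("masquerade")
# gateway for a fleet of app servers (Hugh's LAN case) with an optional
# inbound port forward (Bob's "one external port, one internal server").
# Constructed placeholders: 10.20.0.0/24 (app-server LAN), eth0 (WAN
# interface), 10.20.0.1 (gateway LAN address), 10.20.0.5:80 (internal
# server behind the port forward). Nothing is applied to the kernel.

# Print an nftables ruleset. Forwarding is default-deny: only the app
# subnet may go out, and only a DNATed service (if any) may come in, so
# the gateway cannot be used as a relay by other sources.
#   $1 app subnet   $2 WAN interface
#   $3 external TCP port (optional)   $4 internal host:port (optional)
render_nft_ruleset() {
    app_net="$1"; wan_if="$2"; ext_port="${3:-}"; target="${4:-}"
    in_host="${target%:*}"; in_port="${target##*:}"
    cat <<EOF
table inet gateway {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ip saddr $app_net oifname "$wan_if" accept
EOF
    if [ -n "$ext_port" ]; then
        printf '        iifname "%s" ip daddr %s tcp dport %s accept\n' \
            "$wan_if" "$in_host" "$in_port"
    fi
    cat <<EOF
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $app_net oifname "$wan_if" masquerade
    }
EOF
    if [ -n "$ext_port" ]; then
        cat <<EOF
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$wan_if" tcp dport $ext_port dnat to $target
    }
EOF
    fi
    printf '}\n'
}

# The kernel must forward packets for either direction to work.
render_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# On each app server the gateway's LAN address becomes the default route,
# so every outbound flow leaves via the gateway's fixed public address.
#   $1 gateway LAN address
app_server_route_cmd() {
    printf 'ip route replace default via %s\n' "$1"
}

main() {
    out=$(mktemp -d)
    render_nft_ruleset 10.20.0.0/24 eth0 8080 10.20.0.5:80 > "$out/gateway.nft"
    render_sysctl > "$out/99-forward.conf"
    app_server_route_cmd 10.20.0.1 > "$out/app-server-route.sh"
    echo "rendered into $out:"
    ls "$out"
    # Syntax check only; nft -c does not apply anything.
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out/gateway.nft" && echo "nft: syntax OK" \
            || echo "nft -c could not validate (may need netlink access)"
    fi
}

main "$@"
```

The forward chain is where Hugh's authentication concern is answered for the LAN case: the only thing that identifies a permitted client is its source address on the gateway's inside interface, so the gateway must not be reachable on that interface from anything but the app servers. As Hugh notes, masquerading only rewrites TCP and UDP (and ICMP echo); other IP protocols are not carried by this ruleset.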

If it's more port forwarding you want, then "ssh -D". Not sure about routing, though VPN is the first thing that comes to mind.

--
William

On Sat, Sep 03, 2016 at 11:05:40AM -0400, Giles Orr via talk wrote:
I think I'm having trouble finding an answer to my questions largely because I don't fully know how to express them, so I'm going to try to do so here and see if another member of this list can take my English language fuzzy logic and turn it into question(s) that can more easily be answered ...
I'm running application servers that have to make queries to servers behind a firewall. The firewall (not in my control) has to be configured to admit IP addresses. Getting addresses added to the firewall can be slow. So it seems to me the best way to do this would be to set up a couple of proxy servers with fixed/known IPs so that the application servers (fluctuating headcount and IPs) could make their requests through the proxy servers - which are known to the firewall.
This makes sense in my head so far. But here's the problem: I'd like to send all network traffic from the application servers through the proxy servers, regardless of content, port, destination, anything. But in saying that, it begins to sound more like "routing" than "proxying", and enforcing this seems like it might be tricky on the open internet. And authentication of some sort would seem to be needed to prevent bad actors using the proxy to access stuff behind the firewall.
A VPN is a possibility, but not one I'm enthusiastic about: I tackled OpenVPN a few months back, and after a day and a half and very little progress my brains started to slide out my ears. But if that's what I need to do, I'll get back on it.
Thanks!
--
Giles
http://www.gilesorr.com/
gilesorr@gmail.com

---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk
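As an added example (not code from the thread or from William), this is the "ssh -D" arrangement in practice: each app server opens a SOCKS tunnel to the fixed-IP proxy, and the proxy's authorized_keys options pin that tunnel to the allow-listed destinations so a copied app-server key cannot reach anything else. The host proxy.example, the account appproxy, the key blob, and the destinations 192.0.2.10:443 and 192.0.2.11:5432 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Shows "ssh -D" (dynamic/SOCKS
# forwarding) as the proxy William mentions, with the proxy side limited
# by authorized_keys options. Constructed placeholders: proxy.example
# (fixed-IP proxy), appproxy (its unprivileged account), the key blob,
# 192.0.2.10:443 and 192.0.2.11:5432 (servers behind the remote firewall).

# Build one authorized_keys line for the proxy's "appproxy" account.
#   "restrict" turns off pty, agent/X11 forwarding and user-rc;
#   "port-forwarding" turns forwarding back on; each "permitopen" limits
#   direct-tcpip channels (what both -L and -D open) to one host:port.
#   $1 key type  $2 key blob  $3 comment  $4.. allowed host:port entries
render_authorized_key() {
    key_type="$1"; key_blob="$2"; comment="$3"; shift 3
    opts="restrict,port-forwarding"
    for dest in "$@"; do
        opts="$opts,permitopen=\"$dest\""
    done
    printf '%s %s %s %s\n' "$opts" "$key_type" "$key_blob" "$comment"
}

# Reject destinations that are not host:port with a sane port, so a typo
# never ends up as an entry broader than intended.
valid_dest() {
    case "$1" in
        *:*) port="${1##*:}"
             case "$port" in
                 ''|*[!0-9]*) return 1 ;;
             esac
             [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ;;
        *) return 1 ;;
    esac
}

# sshd_config drop-in for the account: local forwarding only, no shell use.
# With -N the client never requests a command, so ForceCommand is moot
# for normal use and just closes the door on anyone who tries one.
render_sshd_match() {
    cat <<'EOF'
Match User appproxy
    AllowTcpForwarding local
    GatewayPorts no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Client side: the app server opens a local SOCKS5 listener on 1080.
#   $1 proxy host
client_command() {
    printf 'ssh -N -D 127.0.0.1:1080 -i /etc/appproxy/id_ed25519 appproxy@%s\n' "$1"
}

main() {
    for d in 192.0.2.10:443 192.0.2.11:5432; do
        valid_dest "$d" || { echo "bad destination: $d" >&2; exit 1; }
    done
    echo "# authorized_keys entry on the proxy (key blob is a placeholder):"
    render_authorized_key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly appserver01 \
        192.0.2.10:443 192.0.2.11:5432
    echo "# sshd_config drop-in on the proxy:"
    render_sshd_match
    echo "# on each app server:"
    client_command proxy.example
}

main "$@"
```

The application on the app server has to speak SOCKS5 to 127.0.0.1:1080 (curl does with --socks5-hostname, for instance), which is the practical limit of this approach compared with routing: it covers TCP connections the software is willing to send through a proxy, not "all traffic".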

On 03/09/16 16:05, Giles Orr via talk wrote:
I'm running application servers that have to make queries to servers behind a firewall. The firewall (not in my control) has to be configured to admit IP addresses. Getting addresses added to the firewall can be slow. So it seems to me the best way to do this would be to set up a couple of proxy servers with fixed/known IPs so that the application servers (fluctuating headcount and IPs) could make their requests through the proxy servers - which are known to the firewall.
HAproxy is perfect for this. You can set ACLs on it to only allow traffic from the app servers (you'll still have to update the HAproxy ACLs, but you control that so it is quick and easy right?) Then HAproxy just proxies to the server(s) behind the firewall. You can weight traffic to whichever you choose, or direct traffic to different backends depending on many different criteria. You can have multiple HAproxies with DNS A records, or I've set it up with VRRP and made it failover when sharing a single IP.
This makes sense in my head so far. But here's the problem: I'd like to send all network traffic from the application servers through the proxy servers, regardless of content, port, destination, anything. But in saying that, it begins to sound more like "routing" than "proxying", and enforcing this seems like it might be tricky on the open internet. And authentication of some sort would seem to be needed to prevent bad actors using the proxy to access stuff behind the firewall.
If it was just stuff like HTTP/HTTPS I'd suggest squid for this, but it sounds like you likely need something like what you've mentioned below.
A VPN is a possibility, but not one I'm enthusiastic about: I tackled OpenVPN a few months back, and after a day and a half and very little progress my brains started to slide out my ears. But if that's what I need to do, I'll get back on it.
OpenVPN isn't so bad once you have the CA set and you use easy-rsa to issue certs. Then you just set the VPN to the default route for your traffic, and enable forwarding on the proxy server (which also hosts your HAproxy). You could also use IPSec for a quick and dirty VPN. If you weren't going over the open internet I'd suggest plain GRE, but it sounds like you need to encrypt the traffic before it reaches your egress.

Cheers, Jamon
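As an added example (not code from the thread, from Jamon, or from the HAProxy project), here is the HAProxy part of his suggestion rendered by a shell script: a TCP-mode frontend on the fixed-IP proxy that accepts connections only from an ACL of app-server addresses and relays them, weighted, to the servers behind the remote firewall. The addresses 203.0.113.10 and 203.0.113.11 (app servers), 192.0.2.10 and 192.0.2.11 (protected servers) and port 8443 are constructed placeholders. The script writes a temporary haproxy.cfg and syntax-checks it with "haproxy -c" when haproxy is installed; it starts nothing.

```shell
#!/bin/sh
# Added example, not from the thread or the HAProxy project. Renders the
# haproxy.cfg Jamon sketches: source-address ACL on the frontend, weighted
# backends behind it. Constructed placeholders: 203.0.113.10/11 (app
# servers), 192.0.2.10/11 (protected servers), port 8443.

# $1 listen port
# $2 space-separated allowed source addresses or CIDRs
# $3 space-separated backend entries "name:host:port:weight"
render_haproxy_cfg() {
    port="$1"; sources="$2"; backends="$3"
    cat <<EOF
global
    maxconn 2000

defaults
    mode tcp
    timeout connect 5s
    timeout client 60s
    timeout server 60s

frontend app_ingress
    bind *:$port
    # Only the app servers you control may use the relay; everyone else
    # is rejected at connection time, before any bytes are forwarded.
    acl trusted_src src $sources
    tcp-request connection reject if !trusted_src
    default_backend protected_api

backend protected_api
    balance roundrobin
EOF
    for b in $backends; do
        name="${b%%:*}"; rest="${b#*:}"
        weight="${rest##*:}"; hostport="${rest%:*}"
        printf '    server %s %s check weight %s\n' "$name" "$hostport" "$weight"
    done
}

main() {
    out=$(mktemp -d)
    render_haproxy_cfg 8443 "203.0.113.10 203.0.113.11" \
        "api1:192.0.2.10:443:100 api2:192.0.2.11:443:50" > "$out/haproxy.cfg"
    echo "rendered $out/haproxy.cfg"
    # -c only validates the file; nothing listens.
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$out/haproxy.cfg" && echo "haproxy: config OK" \
            || echo "haproxy -c reported a problem"
    fi
}

main "$@"
```

Updating the ACL is the "quick and easy" step Jamon refers to: edit the acl line and reload. In TCP mode HAProxy never sees inside a TLS session, so the protected servers still terminate their own TLS and the proxy adds no decryption point; if you later need path-based decisions, that is the mode: http case Jamon reserves for squid or HAProxy's own HTTP frontends.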

On 03/09/16 11:05 AM, Giles Orr via talk wrote:
I think I'm having trouble finding an answer to my questions largely because I don't fully know how to express them, so I'm going to try to do so here and see if another member of this list can take my English language fuzzy logic and turn it into question(s) that can more easily be answered ...
I'm running application servers that have to make queries to servers behind a firewall. The firewall (not in my control) has to be configured to admit IP addresses. Getting addresses added to the firewall can be slow. So it seems to me the best way to do this would be to set up a couple of proxy servers with fixed/known IPs so that the application servers (fluctuating headcount and IPs) could make their requests through the proxy servers - which are known to the firewall.
This makes sense in my head so far. But here's the problem: I'd like to send all network traffic from the application servers through the proxy servers, regardless of content, port, destination, anything. But in saying that, it begins to sound more like "routing" than "proxying", and enforcing this seems like it might be tricky on the open internet. And authentication of some sort would seem to be needed to prevent bad actors using the proxy to access stuff behind the firewall.
A VPN is a possibility, but not one I'm enthusiastic about: I tackled OpenVPN a few months back, and after a day and a half and very little progress my brains started to slide out my ears. But if that's what I need to do, I'll get back on it.
Thanks!
That sounds like what my Smarter Colleagues are calling an "API Gateway", where the people on the outside talk to the web server (e.g., nginx) which proxies the back end calls into a purpose-built AGW, rather like the one described at https://www.nginx.com/blog/building-microservices-using-an-api-gateway/

Programs on the back end call into it, instead of being hard-coded to go to particular components.

A simple outside-only AGW can be done directly in the nginx config, proxying /foo/bar to localhost:9999 and /foo/zot to localhost:76329

--dave

--
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb@spamcop.net           |                     -- Mark Twain
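As an added example (not code from the thread, from Dave, or from the linked nginx article), this renders the "outside-only" gateway he describes: an nginx server block that maps URL prefixes to local backends and refuses callers outside an allow-list. The mapping /foo/bar to 127.0.0.1:9001 and /foo/zot to 127.0.0.1:9002, and the caller range 203.0.113.0/24, are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the nginx project. Renders an nginx
# server block for a path-based API gateway. Constructed placeholders:
# /foo/bar -> 127.0.0.1:9001, /foo/zot -> 127.0.0.1:9002, 203.0.113.0/24.

# $1 listen port; $2 allowed caller address or CIDR; $3.. "prefix=host:port"
render_gateway_conf() {
    port="$1"; allowed="$2"; shift 2
    cat <<EOF
server {
    listen $port;

    # Only the expected callers; everyone else gets 403 before any proxying.
    allow $allowed;
    deny all;

    # Unknown paths are not forwarded anywhere.
    location / { return 404; }
EOF
    for pair in "$@"; do
        prefix="${pair%%=*}"; upstream="${pair#*=}"
        # Trailing slashes on both sides strip the prefix, so the backend
        # sees /x for a request to $prefix/x.
        cat <<EOF

    location $prefix/ {
        proxy_pass http://$upstream/;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
    }
EOF
    done
    printf '}\n'
}

main() {
    out=$(mktemp -d)
    render_gateway_conf 80 203.0.113.0/24 \
        /foo/bar=127.0.0.1:9001 /foo/zot=127.0.0.1:9002 > "$out/gateway.conf"
    echo "rendered $out/gateway.conf (include it from an http {} block and run nginx -t)"
    cat "$out/gateway.conf"
}

main "$@"
```

The allow/deny pair is the only thing standing between the open internet and the backends, so as with the other approaches in this thread it is source-address authentication; for callers on changing addresses it has to be paired with a VPN or with client certificates at the nginx front end.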

If you and the other end have full IPv6 access, then you can get a nice IPv6 block and the firewall can accept that block. As long as the block is yours only, and you're not worried about someone being able to spoof at or close to your dest. point, this would solve it without the addition of an extra layer of OpenVPN, or IPsec issues with Openswan and "maybe" compatible routers (10-18 years ago this drove me nuts, but maybe it's better now).

You could also buy a movable IPv4 class, but if you were coming from a few POPs, best to get a few IPv6 classes, give them to the peer point FW, and have them config it once and be done with it. But if you set up at an additional POP, then you're waiting for another admin FW request to occur on their time frame. In this latter case, Openswan is probably the only easy solution, provided the peering FW is dead-on reliable with Openswan road warrior configs, say with 509 certs, etc.

-tl

On Sat, Sep 3, 2016 at 11:05 AM, Giles Orr via talk <talk@gtalug.org> wrote:
I think I'm having trouble finding an answer to my questions largely because I don't fully know how to express them, so I'm going to try to do so here and see if another member of this list can take my English language fuzzy logic and turn it into question(s) that can more easily be answered ...
I'm running application servers that have to make queries to servers behind a firewall. The firewall (not in my control) has to be configured to admit IP addresses. Getting addresses added to the firewall can be slow. So it seems to me the best way to do this would be to set up a couple of proxy servers with fixed/known IPs so that the application servers (fluctuating headcount and IPs) could make their requests through the proxy servers - which are known to the firewall.
This makes sense in my head so far. But here's the problem: I'd like to send all network traffic from the application servers through the proxy servers, regardless of content, port, destination, anything. But in saying that, it begins to sound more like "routing" than "proxying", and enforcing this seems like it might be tricky on the open internet. And authentication of some sort would seem to be needed to prevent bad actors using the proxy to access stuff behind the firewall.
A VPN is a possibility, but not one I'm enthusiastic about: I tackled OpenVPN a few months back, and after a day and a half and very little progress my brains started to slide out my ears. But if that's what I need to do, I'll get back on it.
Thanks!
--
Giles
http://www.gilesorr.com/
gilesorr@gmail.com

| From: ted leslie via talk <talk@gtalug.org>

| In this latter case, Openswan is probably the only
| easy solution

The Openswan project forked a few years ago and the resulting Libreswan project is where almost all development (including bug fixes) happens.
participants (7): Bob Jonkman, D. Hugh Redelmeier, David Collier-Brown, Giles Orr, Jamon Camisso, ted leslie, William Park