Traffic Server as Forward Proxy


Traffic Server as Forward Proxy

jameshdx80


I have an application (C# software) that has been running on several clients. This application accesses a webservice from another company (ABC, for instance). However, in order to ensure protection, ABC company is now forcing us to use a single IP to use its webservice. Therefore, all my C# applications (in several different clients) need to access it using the same IP.

I have installed Apache Traffic Server as forward proxy and everything is working fine. The problem is that it is working as an open proxy and I know this is very risky. 

How can I keep this solution with Traffic Server and add some security?

1. Is it possible to use some form of authenticated requests in Traffic Server?
2. Is it possible to force the proxy to redirect all access to the webservice.abc-company.com domain? Therefore, it would not be an open proxy.

Regards,
Jameshdx80

Re: Traffic Server as Forward Proxy

gksalil
Hi James 

Yes, Traffic Server has different mechanisms to do authentication. The most secure way is to make the port an SSL port:

CONFIG proxy.config.http.server_ports STRING 8445:ssl


Take a look at the following parameter on how to control client access:

CONFIG proxy.config.ssl.client.certification_level INT 2


Origin server access can be controlled by writing/modifying a plugin. For authentication you may consider the auth plugin.

Thanks
~S




On 19 June 2017 at 16:02, James P <[hidden email]> wrote:


I have an application (C# software) that has been running on several clients. This application accesses a webservice from another company (ABC, for instance). However, in order to ensure protection, ABC company is now forcing us to use a single IP to use its webservice. Therefore, all my C# applications (in several different clients) need to access it using the same IP.

I have installed Apache Traffic Server as forward proxy and everything is working fine. The problem is that it is working as an open proxy and I know this is very risky. 

How can I keep this solution with Traffic Server and add some security?

1. Is it possible to use some form of authenticated requests in Traffic Server?
2. Is it possible to force the proxy to redirect all access to the webservice.abc-company.com domain? Therefore, it would not be an open proxy.

Regards,
Jameshdx80


Re: Traffic Server as Forward Proxy

Leif Hedstrom
Why can't you run this as a reverse proxy? Have all your service names in DNS point to the same IP running the proxy server, and add appropriate map rules for each one to the respective service IP (which are 1918 ranges I assume). You then want to require remap in the config, which disables ATS as an open forward proxy.

In this scenario you likely want to enable the pristine host header configuration as well.

-- Leif 

On Jun 19, 2017, at 5:24 AM, salil GK <[hidden email]> wrote:

Hi James 

Yes, Traffic Server has different mechanisms to do authentication. The most secure way is to make the port an SSL port:

CONFIG proxy.config.http.server_ports STRING 8445:ssl


Take a look at the following parameter on how to control client access:

CONFIG proxy.config.ssl.client.certification_level INT 2


Origin server access can be controlled by writing/modifying a plugin. For authentication you may consider the auth plugin.

Thanks
~S





Re: Traffic Server as Forward Proxy

Alan Carroll
ip_allow.config would also work to allow inbound connections only from specific (client) IP addresses. Note that remap works for forward proxy; therefore a remap.config could force all requests to the target. Alternatively, since ip_allow.config now supports outbound controls, that could be set to allow outbound connections to only that specific IP address.



On Monday, June 19, 2017, 8:36:22 AM CDT, Leif Hedstrom <[hidden email]> wrote:


Why can't you run this as a reverse proxy? Have all your service names in DNS point to the same IP running the proxy server, and add appropriate map rules for each one to the respective service IP (which are 1918 ranges I assume). You then want to require remap in the config, which disables ATS as an open forward proxy.

In this scenario you likely want to enable the pristine host header configuration as well.

-- Leif 


Re: Traffic Server as Forward Proxy

jameshdx80
Hi all,

Before asking in this mailing list I could not figure out any solution. I think any of the three proposed will solve the problem. I've already tried the remap.config solution and it worked. Now, I will try reverse-proxy and proxy with SSL.
My thanks to Salil GK, Leif Hedstrom, and Alan Carroll. You have saved me days of work.

James



On Mon, Jun 19, 2017 at 11:33 AM, Alan Carroll <[hidden email]> wrote:
ip_allow.config would also work to allow inbound connections only from specific (client) IP addresses. Note that remap works for forward proxy; therefore a remap.config could force all requests to the target. Alternatively, since ip_allow.config now supports outbound controls, that could be set to allow outbound connections to only that specific IP address.



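Added example, not part of the thread and not code from the Traffic Server project: a small Python audit that reads the text of records.config, remap.config and ip_allow.config and reports the open-proxy signs that the replies above address (required remap, an SSL port with required client certificates, map targets limited to the one web service, no allow-all client rule). The sample config text, the 203.0.113.x client range, and the choice to check all three controls together are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample configs; the client address range is a placeholder.
OPEN = {
    "records": "CONFIG proxy.config.http.server_ports STRING 8080\n"
               "CONFIG proxy.config.url_remap.remap_required INT 0\n",
    "remap": "",
    "ip_allow": "src_ip=0.0.0.0-255.255.255.255 action=ip_allow method=ALL\n",
}
LOCKED = {
    "records": "CONFIG proxy.config.http.server_ports STRING 8445:ssl\n"
               "CONFIG proxy.config.url_remap.remap_required INT 1\n"
               "CONFIG proxy.config.ssl.client.certification_level INT 2\n",
    "remap": "map http://webservice.abc-company.com/ http://webservice.abc-company.com/\n",
    "ip_allow": "src_ip=203.0.113.10-203.0.113.20 action=ip_allow method=ALL\n"
                "src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=ALL\n",
}
ALLOWED_HOSTS = {"webservice.abc-company.com"}

def parse_records(text):
    """Return {name: value} for each 'CONFIG name TYPE value' line."""
    fields = (line.split(None, 3) for line in text.splitlines())
    return {f[1]: f[3].strip() for f in fields if len(f) == 4 and f[0] == "CONFIG"}

def audit(cfg, allowed_hosts=ALLOWED_HOSTS):
    """Return open-proxy findings for one set of config texts (empty list = none)."""
    rec, findings = parse_records(cfg["records"]), []
    if rec.get("proxy.config.url_remap.remap_required") != "1":
        findings.append("remap_required is not 1: unmapped requests may be proxied")
    ports = rec.get("proxy.config.http.server_ports", "").split()
    if not any("ssl" in p.split(":")[1:] for p in ports):
        findings.append("no ssl port in server_ports")
    if rec.get("proxy.config.ssl.client.certification_level") != "2":
        findings.append("client certificates are not required")
    for line in cfg["remap"].splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "map":  # comment lines and other rule types are skipped
            host = urlsplit(f[2]).hostname
            if host not in allowed_hosts:
                findings.append(f"map rule targets unapproved host {host}")
    for line in cfg["ip_allow"].splitlines():
        kv = dict(p.split("=", 1) for p in line.split() if "=" in p)
        if kv.get("action") == "ip_allow" and kv.get("src_ip") == "0.0.0.0-255.255.255.255":
            findings.append("ip_allow.config admits every IPv4 client")
    return findings

if __name__ == "__main__":
    for name, cfg in (("open", OPEN), ("locked", LOCKED)):
        print(name, audit(cfg) or "no findings")
```

The ip_allow check only recognises the full-range form shown in the sample, so an allow-all rule written another way would need its own comparison.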