Discussion:
Traffic Server as Forward Proxy
James P
2017-06-19 10:32:10 UTC
I have an application (C# software) that has been running on several
clients. This application accesses a webservice from another company (ABC,
for instance). However, in order to ensure protection, ABC company is now
forcing us to use a single IP to use its webservice. Therefore, all my C#
applications (in several different clients) need to access it using the same IP.

I have installed Apache Traffic Server as forward proxy and everything is
working fine. The problem is that it is working as an open proxy and I know
this is very risky.

How can I keep this solution with Traffic Server and add some security?

1. Is it possible to use some form of authenticated requests in Traffic
Server?
2. Is it possible to force the proxy to redirect all access to the
webservice.abc-company.com domain? Therefore, it would not be an open proxy.

Regards,
Jameshdx80
salil GK
2017-06-19 11:24:22 UTC
Hi James

Yes, Traffic Server has different mechanisms to do authentication. The most
secure way is to make the port an SSL port:

CONFIG proxy.config.http.server_ports STRING 8445:ssl

Take a look at the following parameter on how to control client access:

CONFIG proxy.config.ssl.client.certification_level INT 2

Origin server access can be controlled by writing/modifying a plugin. For
authentication you may consider the auth plugin.

Thanks
~S
Leif Hedstrom
2017-06-19 13:36:15 UTC
Why can't you run this as a reverse proxy? Have all your service names in DNS point to the same IP running the proxy server, and add appropriate map rules for each one to the respective service IP (which are 1918 ranges I assume). You then want to require remap in the config file, which disables ATS as an open forward proxy.

In this scenario you likely want to enable the pristine host header configuration as well.

-- Leif
Alan Carroll
2017-06-19 14:33:21 UTC
ip_allow.config would also work to allow inbound connections only from specific (client) IP addresses. Note that remap works for forward proxy, therefore a remap.config could force all requests to the target. Alternatively, since ip_allow.config now supports outbound controls, that could be set to allow outbound connections to only that specific IP address.



James P
2017-06-20 19:25:39 UTC
Hi all,

Before asking on this mailing list I could not figure out any solution. I
think any of the three proposed will solve the problem. I've already tried
the remap.config solution and it worked. Now I will try reverse proxy and
proxy with SSL.
My thanks to Salil GK, Leif Hedstrom, and Alan Carroll. You have saved me
days of work.

James
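
Added example (not part of the thread and not Apache Traffic Server project code): a small Python check that reads records.config and ip_allow.config text and flags the open-proxy conditions the replies address. The sample files, addresses and the `audit` function are constructed for illustration; `proxy.config.url_remap.remap_required` is assumed to be the "require remap" setting mentioned above.

```python
import re

# Constructed sample configs (not from the thread); 203.0.113.10 is a documentation address.
RECORDS_OPEN = """\
CONFIG proxy.config.http.server_ports STRING 8080
CONFIG proxy.config.url_remap.remap_required INT 0
"""
RECORDS_LOCKED = """\
CONFIG proxy.config.http.server_ports STRING 8445:ssl
CONFIG proxy.config.url_remap.remap_required INT 1
CONFIG proxy.config.ssl.client.certification_level INT 2
"""
IP_ALLOW_OPEN = "src_ip=0.0.0.0-255.255.255.255 action=ip_allow method=ALL\n"
IP_ALLOW_LOCKED = """\
src_ip=203.0.113.10 action=ip_allow method=ALL
src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=ALL
"""

def parse_records(text):
    """Return {name: value} for CONFIG lines; comments and blanks are skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*CONFIG\s+(\S+)\s+\S+\s+(.*\S)", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def audit(records_text, ip_allow_text):
    """List settings that leave the proxy usable by anyone, for any destination."""
    rec, findings = parse_records(records_text), []
    # A missing line is treated as the ATS default of 1 (remap required).
    if rec.get("proxy.config.url_remap.remap_required", "1") != "1":
        findings.append("remap_required is off: unmapped hosts are proxied")
    ports = rec.get("proxy.config.http.server_ports", "").split()
    if not any("ssl" in p.split(":") for p in ports):
        findings.append("no ssl port: clients cannot be asked for a certificate")
    elif rec.get("proxy.config.ssl.client.certification_level", "0") != "2":
        findings.append("client certificate is not required")
    for line in ip_allow_text.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split("#")[0].split() if "=" in kv)
        if f.get("src_ip") == "0.0.0.0-255.255.255.255":
            # A deny limited to some methods still admits every other method.
            partial = f.get("action") == "ip_deny" and f.get("method", "ALL") != "ALL"
            if f.get("action") == "ip_allow" or partial:
                findings.append("ip_allow.config admits every source address")
            break  # first matching rule wins; later catch-alls are never reached
    return findings
```

Only the IPv4 catch-all rule is examined; outbound (`dest_ip`) rules and remap.config contents are outside what this check covers.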


