[GTALUG] Routing and/or Proxying

Jamon Camisso jamon.camisso at utoronto.ca
Mon Sep 5 16:27:03 EDT 2016


On 03/09/16 16:05, Giles Orr via talk wrote:
> I'm running application servers that have to make queries to servers
> behind a firewall.  The firewall (not in my control) has to be
> configured to admit IP addresses.  Getting addresses added to the
> firewall can be slow.  So it seems to me the best way to do this would
> be to set up a couple of proxy servers with fixed/known IPs so that
> the application servers (fluctuating headcount and IPs) could make
> their requests through the proxy servers - which are known to the
> firewall.

HAProxy is perfect for this. You can set ACLs on it to only allow 
traffic from the app servers (you'll still have to update the HAProxy 
ACLs, but you control that, so it is quick and easy, right?)

Then HAProxy just proxies to the server(s) behind the firewall. You can 
weight traffic to whichever you choose, or direct traffic to different 
backends depending on many different criteria.

You can have multiple HAProxies with DNS A records, or I've set it up 
with VRRP and made it fail over when sharing a single IP.

> This makes sense in my head so far.  But here's the problem: I'd like
> to send all network traffic from the application servers through the
> proxy servers, regardless of content, port, destination, anything.
> But in saying that, it begins to sound more like "routing" than
> "proxying", and enforcing this seems like it might be tricky on the
> open internet.  And authentication of some sort would seem to be
> needed to prevent bad actors using the proxy to access stuff behind
> the firewall.

If it were just stuff like HTTP/HTTPS I'd suggest squid for this, but it 
sounds like you likely need something like what you've mentioned below.

> A VPN is a possibility, but not one I'm enthusiastic about: I tackled
> OpenVPN a few months back, and after a day and a half and very little
> progress my brains started to slide out my ears.  But if that's what I
> need to do, I'll get back on it.

OpenVPN isn't so bad once you have the CA set up and you use easy-rsa to 
issue certs. Then you just set the VPN as the default route for your 
traffic, and enable forwarding on the proxy server (which also hosts 
your HAProxy).

You could also use IPsec for a quick and dirty VPN. If you weren't going 
over the open internet I'd suggest plain GRE, but it sounds like you 
need to encrypt the traffic before it reaches your egress.

Cheers, Jamon


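The HAProxy setup Jamon describes (a source-address ACL for the app servers, then weighted proxying to the hosts behind the third-party firewall) looks roughly like the configuration below. This is an added example for readers of the archive, not a file from the original thread; every address, port and server name in it is a constructed placeholder for illustration.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Allow-list of application-server source addresses (constructed
# placeholders). Only this list needs editing when the app-server pool
# changes; the third-party firewall never has to see those addresses,
# because it admits only this proxy's fixed egress IP.
frontend app_ingress
    bind 0.0.0.0:8443
    acl trusted_apps src 203.0.113.0/24 198.51.100.10
    tcp-request connection reject if !trusted_apps
    default_backend firewalled_servers

backend firewalled_servers
    balance roundrobin
    # Hosts behind the firewall (placeholder addresses). Weights steer
    # three quarters of new connections to db1; 'check' drops a backend
    # out of rotation when its health check fails.
    server db1 10.0.0.11:5432 weight 3 check
    server db2 10.0.0.12:5432 weight 1 check
```

Two points worth keeping in mind when adapting this: the ACL only filters on source address, so it does not by itself address the "bad actors using the proxy" concern on the open internet unless the app-server to proxy hop is carried inside the VPN discussed later in the message (or the frontend binds with TLS and client certificates); and `mode tcp` forwards bytes unchanged, so whatever the application speaks to the backend is what crosses the egress link. Validate any edit with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.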