[GTALUG] Routing and/or Proxying

David Collier-Brown davec-b at rogers.com
Tue Sep 6 08:33:08 EDT 2016


On 03/09/16 11:05 AM, Giles Orr via talk wrote:
> I think I'm having trouble finding an answer to my questions largely
> because I don't fully know how to express them, so I'm going to try to
> do so here and see if another member of this list can take my English
> language fuzzy logic and turn it into question(s) that can more easily
> be answered ...
>
> I'm running application servers that have to make queries to servers
> behind a firewall.  The firewall (not in my control) has to be
> configured to admit IP addresses.  Getting addresses added to the
> firewall can be slow.  So it seems to me the best way to do this would
> be to set up a couple of proxy servers with fixed/known IPs so that
> the application servers (fluctuating headcount and IPs) could make
> their requests through the proxy servers - which are known to the
> firewall.
>
> This makes sense in my head so far.  But here's the problem: I'd like
> to send all network traffic from the application servers through the
> proxy servers, regardless of content, port, destination, anything.
> But in saying that, it begins to sound more like "routing" than
> "proxying", and enforcing this seems like it might be tricky on the
> open internet.  And authentication of some sort would seem to be
> needed to prevent bad actors using the proxy to access stuff behind
> the firewall.
>
> A VPN is a possibility, but not one I'm enthusiastic about: I tackled
> OpenVPN a few months back, and after a day and a half and very little
> progress my brains started to slide out my ears.  But if that's what I
> need to do, I'll get back on it.
>
> Thanks!
>
That sounds like what my Smarter Colleagues are calling an "API
Gateway", where the people on the outside talk to the web server (e.g.,
nginx) which proxies the back end calls into a purpose-built AGW, rather
like the one described at
https://www.nginx.com/blog/building-microservices-using-an-api-gateway/
Programs on the back end call into it, instead of being hard-coded to go
to particular components.

A simple outside-only AGW can be done directly in the nginx config,
proxying /foo/bar to localhost:9999 and /foo/zot to localhost:76329.

--dave


-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net           |                      -- Mark Twain
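
An nginx configuration along the lines suggested in the reply above, as an added example that is not part of the original message. The hostname, certificate paths and the 9998 backend port are placeholders (9998 stands in for the second backend, because a TCP port cannot exceed 65535), and the client-certificate check is one assumed way to meet the authentication concern raised in the question.

```nginx
# Added example: path-based gateway that only admits clients holding a
# certificate from a private CA. Names and paths are placeholders.
events {}

http {
    server {
        listen 443 ssl;
        server_name agw.example.org;                    # placeholder

        ssl_certificate        /etc/nginx/tls/agw.crt;  # placeholder
        ssl_certificate_key    /etc/nginx/tls/agw.key;  # placeholder

        # Only application servers with a certificate signed by this CA
        # get past the TLS handshake; everyone else is rejected.
        ssl_client_certificate /etc/nginx/tls/app-ca.crt;  # placeholder
        ssl_verify_client      on;

        # /foo/bar goes to the first local backend.
        location /foo/bar {
            proxy_pass http://127.0.0.1:9999;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # /foo/zot goes to the second local backend (stand-in port).
        location /foo/zot {
            proxy_pass http://127.0.0.1:9998;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Anything not explicitly routed is refused, so the gateway
        # cannot be used to reach other services behind it.
        location / {
            return 404;
        }
    }
}
```

Running `nginx -t` against the file checks the syntax before a reload.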
