440 votes
HTTP Reverse Proxy
Add a reverse proxy to ASG, which is mainly requested for securing OWA, as customers do not want to put it directly onto the internet. - some customers ask for authentication prior to allowing access - other customers want SSL offloading - a third group wants website security by preventing cross-site scripting...
Status:
completed
This feature is included as part of ASG Version 8 which will be Generally Available at the end of June.
Watch http://up2date.astaro.com for the official announcement.

Ribeiro Da Cunha Abilio
Hi, sorry in advance for my poor English.
I'm using a reverse proxy with Apache 2 to secure OWA or any web app in my organisation.
For example, I use these directives for authentication to access my webmail.
If Astaro can do this, using an Astaro certificate etc., that would be great.
SSLProxyEngine on
SecRuleInheritance Off
ServerName webmail.mairie-lognes.fr
ProxyPass / https://internal-mail-ip/
ProxyPassReverse / https://internal-mail-ip/
SSLEngine on
SSLCertificateFile /etc/ssl/apache/webmail.internal.fr-cert.pem
SSLCertificateKeyFile /etc/ssl/apache/webmail.internal.fr-key.pem
SSLVerifyClient require
SSLCACertificatePath /etc/ssl/apache
SSLCACertificateFile /etc/ssl/apache/cacert.crt
If Astaro can use this example for SSL certificate authentication in reverse proxy mode, as I do with Apache 2, that would be great.
Sascha Paris
@Heiko Bickenbach: Word! I totally agree with the URL rewriting feature! A must-have feature...
Brandon
And I would KILL for Heiko Bickenbach's use of the url-based redirection... This is crucial for our business.
Mustafa Nasser
One of the main strengths of Astaro is providing a rich set of proxies, however, lacking a reverse proxy for OWA is a weakness as I have to forward the traffic directly to the server without scanning content, or I have to use a front end server in the DMZ. Adding this feature will minimize risk and reduce costs.
nils
A single sign-on feature like the ISA SSO would be necessary.
Brandon
This could/should be implemented in a reverse proxy feature set as well:
Vote for http://feature.astaro.com/pages/17359-astaro-gateway-feature-requests/suggestions/178298-http-reverse-proxy?ref=title
Brandon
I have tried using DNS-host-based NATting, but have not had any success. My supposition is that this feature is not intended for this purpose.
Phugh
I agree with this feature. We will win more deals with this.
Paolo
Also, if you are using Astaro as DNS, you can set static DNS entries.
Paolo
On the DNAT rule, use this:
traffic source = internal network
service = http
traffic destination = pick DNS host as a type then input the hostname
NAT mode = DNAT
destination = 192.168.0.1
Brandon
I'm not familiar with ipt_REDIRECT... to confirm or deny, do you have any documentation?
Paolo
I think he is referring to the ipt_REDIRECT module in netfilter.
Frank Lichtenheld
I guess that would belong to the HTTP reverse proxy features
gnujuba
If you are thinking about securing OWA, SharePoint and all other MS stuff with the reverse proxy feature, please consider implementing Kerberos constrained delegation as in MS IAG/ISA or Juniper SA, plus support for OTP, so that the domain credentials never traverse the network between client and proxy.
Heiko Bickenbach
The reverse proxy could be useful to share ONE external TCP address:port combination between different servers in the DMZ, depending on the requested URL.
Sample:
You have one external IP address on your DSL PPPoE interface, but you have multiple web servers/web services in your DMZ.
http://extern-ip/exchange -> http://intern-ip-01/exchange
http://extern-ip/webservice1 -> http://intern-ip-02/webservice1
http://extern-ip/webservice2 -> http://intern-ip-02/webservice2
http://extern-ip/otherservice -> http://intern-ip-03/otherservice
We already had web services which did address rewriting with links in their responses, so using different external ports and DNAT caused broken links. With the above solution even this wouldn't be a problem.
HTTPS should be supported and maybe load balancing too.
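Added example (not part of the thread and not Astaro code): a sketch of the URL-based mapping described in the comment above, with whole-segment prefix matching and rewriting of backend redirect headers so internal addresses do not reach the client. The host names are the comment's placeholders; the function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed routing table mirroring the mapping in the comment above.
# "extern-ip" and "intern-ip-NN" are the comment's placeholders, not real hosts.
EXTERNAL_BASE = "http://extern-ip"
ROUTES = {
    "/exchange": "http://intern-ip-01",
    "/webservice1": "http://intern-ip-02",
    "/webservice2": "http://intern-ip-02",
    "/otherservice": "http://intern-ip-03",
}


def pick_backend(path):
    """Return the backend base URL for a request path, or None if unmapped."""
    # Match on whole path segments so "/exchange-admin" is not routed to "/exchange".
    for prefix in sorted(ROUTES, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return ROUTES[prefix]
    return None


def upstream_url(request_target):
    """Map an external request target (path plus optional query) to the backend URL."""
    parts = urlsplit(request_target)
    backend = pick_backend(parts.path)
    if backend is None:
        return None  # caller should answer 404 rather than forward anywhere
    b = urlsplit(backend)
    return urlunsplit((b.scheme, b.netloc, parts.path, parts.query, ""))


def rewrite_location(location):
    """Rewrite a backend Location header so redirects point at the external address."""
    parts = urlsplit(location)
    if not parts.netloc:
        return location  # relative redirect: already correct for the client
    origin = f"{parts.scheme}://{parts.netloc}"
    # Only rewrite when the origin is the backend that this path is mapped to.
    if pick_backend(parts.path) == origin:
        ext = urlsplit(EXTERNAL_BASE)
        return urlunsplit((ext.scheme, ext.netloc, parts.path, parts.query, parts.fragment))
    return location  # unknown origin: leave untouched
```

Unmapped paths return None instead of falling through to a default backend, so only the listed services are reachable from outside.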
William Warren
This is redundant, as OWA already uses SSL, just on a different port.
BrucekConvergent
I vote for this as well; it would be nice to be able to route SSL website traffic through the IPS to have the traffic scrutinized; right now, all a website attacker has to do to circumvent the IPS is to use SSL...
Bob Alfson
There's already load-balancing available for web servers, and Astaro's already said they plan to do a reverse HTTP proxy, so wouldn't that address your concern about OWA/OMA being exposed to the Internet?
david haman
It would ease the total load on my web servers; the Astaro reverse proxy could actually distribute the requests and hide the mail server/web server, etc.
Bob Alfson
David, what do you mean by this? What things would a reverse SMTP proxy provide?