Reverse Proxy Server Recommendations?

[johnnyt]

Would like to setup a reverse proxy server to share one inbound TCP port 443 (https) between three web servers on my LAN: my router admin, Homeseer and ISY. The main reason for it is that the corporate firewall at my work does not allow one to use anything other than port 443 with https. That means before I leave the house I have to chose one server (only) to expose. Secondary reasons are convenience and security (at least I think it's more secure and improves client side convenience).

 

Am wondering if:

 

1) ISY with network module can act as a reverse proxy server? (doesn't look like it to me but want to confirm)

 

2) there are any recommendations (and some how to's) for setting up a Windows XP compatible reverse proxy server with SSL that would allow me to use my target web server by simply appending something like "/ISY", "/HS", "/router" to the url?

 

Any advice would be appreciated.

[bbconvert]

I use a SonicWall SSL VPN appliance for that very purpose.

[johnnyt]

I can't install any client s/w on my work machine. In fact it won't even let me install the active X app that my SSL VPN router pushes out for it to provide that path into my home network (I bought the router in part hoping to use the SSL VPN functionality for this). I also cannot change the browser settings to allow any active X app to run. Things are locked down pretty tight.

[bbconvert]

A SonicWall TZ 200 is a router with SSL VPN capabilities and it will allow you only to "extend" your home network by providing your work PC with a second IP address on your home network. To do that, you do need to install SW on your work PC. Even if that were allowed by your work IT group, I would not recommend (you dont want to take the risk of commingling your home and work networks).

 

A SonicWall SRA appliance like the SonicWall SRA 1200 offers several different SSL VPN services, including reverse proxy. In reverse proxy mode, there is absolutely nothing that needs to be installed on the client (your work PC) side. It behaves 100% like a normal website.

 

Cisco has similar offerings but I am not familiar with them.

[johnnyt]

While the SonicWall SRA 1200 sounds like it might do what I'm looking for, it's well outside my budget for this... even if I hadn't already invested in my other router (at about a quarter of the price)

[MWareman]

I do this for exactly the reason - accessing multiple interfaces from work where only 80 and 443 is allowed out. There is also a forced proxy - and I wanted to securely access various hosts within my home network.

 

I have an internal Apache host setup (Ubuntu) with a wildcard certificate for *.domain.com (in this example) from http://www.cacert.org/. Get Apache working with the cert first and then NAT in port 443.

 

I have a dynamic DNS setup for my external IP. I then use CNAME records in my external DNS (so - if my dynamic dns is 'xyz.no-ip.org' my cnames would be 'router CNAME xyz.no-ip.org' 'isy CNAME xyz.no-ip.org' etc.. If you have a static IP - you could setup a wildcard 'a' record for the IP.

 

So - I can now access my Apache install from the outside with the unique URLs all resolving tot he same IP 'https://router.domain.com' and 'https://isy.domain.com' and I get a valid certificate each time (assuming your remove machine trusts CACert as a root authority).

 

Now - I create a config file for each internal site I wish to publish (/etc/apache2/sites-enabled/isy in this case) like the following:

 

       ServerAdmin webmaster@domain.com
       ServerName isy.domain.com

       ProxyRequests Off
       ProxyPreserveHost On
       ProxyVia On

               Order deny,allow
               Allow from all

       ProxyPass / http://1.2.3.5:80/
       ProxyPassReverse / http://1.2.3.5:80/
       CustomLog ${APACHE_LOG_DIR}/access_proxy.log combined
       ErrorLog ${APACHE_LOG_DIR}/error_proxy.log
       SSLEngine on
       SSLCertificateFile    /etc/ssl/certs/cert.pem
       SSLCertificateKeyFile /etc/ssl/private/cert.key

 

Be sure to set the certificate key paths correctly. Also - change 1.2.3.5:80 to the internal IP and port to the service to be published. You also need to set the 'ServerName' to match the external CNAME record you setup.

 

A quick reload of Apache - and it should work.

 

I use this to publish several security cameras, a mythtv system, my ISY and my router. Generally works fairly well - but there can be issues with some web services that embed absolute links in the HTML. There is no rewriting of URLs within the HTML going on - so each published service may involve some work.

 

Michael.