Proxiserver

1. Introduction

Proxiserver is the combination of webservers and gateways, and it plays a fundamental role in the system.
The webservers have no direct access to networks and services. To expose applications on the internet or on other external networks, the webservers must go through the gateways.

2. Architecture and Networking

The webservers and gateways communicate over a dedicated private network that only they can access. This choice is driven by certificate management, which is covered in the next chapter.

3. Example of Routing Configuration

prometheus:
  gateway:
    mode: http
    address: "*"
    port: 9090
    destination:
      addresses:
        - name: supervisor-1
          address: 192.168.1.6
          port: 9090
      balance: roundrobin
    options:
      - httplog
  webserver:
    - location: /prometheus/
      params:
        proxy_pass:
          values: "http://{{ gateway_external_vip }}:9090/prometheus/"

grafana:
  gateway:
    mode: http
    address: "*"
    port: 3000
    destination:
      addresses:
        - name: supervisor-1
          address: 192.168.1.6
          port: 3000
      balance: roundrobin
    options:
      - httplog

[Figure: HAProxy configuration generated by the Protobox framework]

4. Certificates

4.1. Encryption Patterns

4.1.1. EDGE Pattern

This mode is suitable for connections within a highly secure internal network: the reverse proxy maintains a secure connection (HTTP over TLS) with the clients while communicating with the application over HTTP without TLS. Because TLS is handled at the reverse proxy, a set of applications can share a common TLS setup.

4.1.2. PASSTHROUGH Pattern

This mode is suitable for applications configured to provide their own certificates. To avoid encrypting the communication twice, which would cost performance, the reverse proxy uses HTTP communication to perform a BYPASS.

4.1.3. RE-ENCRYPT Pattern

This mode significantly enhances security by encrypting the communication twice, once on each side of the reverse proxy. For this, two certificates are installed:

  • A front certificate is installed on the reverse proxy to encrypt communication with the client.
  • A back certificate establishes a TLS connection between the reverse proxy and the application.
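
Added example (not Protobox output and not part of the original page): how the EDGE and RE-ENCRYPT patterns differ in a hand-written HAProxy configuration. Section names, certificate paths and ports 443, 8443 and 3443 are assumptions; 192.168.1.6 and supervisor-1 are the sample host from the routing configuration above.

```haproxy
# Constructed example. All paths and section names are placeholders.

# EDGE: TLS ends at the gateway; the hop to the application is plain HTTP.
frontend fe_edge
    mode http
    # Front certificate presented to clients (placeholder path).
    bind *:443 ssl crt /etc/haproxy/certs/front.pem
    option httplog
    default_backend be_edge

backend be_edge
    mode http
    balance roundrobin
    # No "ssl" keyword: traffic is cleartext on the private network,
    # so anyone able to capture on that network can read it.
    server supervisor-1 192.168.1.6:3000

# RE-ENCRYPT: same front leg, but the gateway opens a second TLS session
# to the application, which presents the back certificate.
frontend fe_reencrypt
    mode http
    bind *:8443 ssl crt /etc/haproxy/certs/front.pem
    option httplog
    default_backend be_reencrypt

backend be_reencrypt
    mode http
    balance roundrobin
    # "verify required" with "ca-file" makes the gateway refuse a backend
    # whose certificate does not chain to the internal CA. "verify none"
    # would encrypt the hop without authenticating the application.
    server supervisor-1 192.168.1.6:3443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem
```

The file can be syntax-checked with haproxy -c -f <file> before reload; adding verifyhost to the server line also pins the name expected in the back certificate.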

5. Pattern Choice for Proxiserver

5.1. HTTP/HTTPS Communication

5.2. Network Interfacing