The goal of this tutorial is to access an internal web server via the reverse proxy.

Last adaptation to the version: 14.0.1 (01.2025)

New:
  • Warning for sites without a dst_dom*-ACL

This article refers to a Resellerpreview
Access: Applications Reverse-Proxy

  • With v12.7.0, nginx can be selected as the reverse proxy engine
  • Changing the engine will most likely require adjusting the configuration, as each engine supports different features.
  • Unsupported settings are marked after the changeover


Intended use

With a reverse proxy, access from the Internet to the "internal" web servers can be controlled. In contrast to port forwarding, dedicated filter rules can be created via the reverse proxy. In addition, several internal web servers can be addressed with only one public IP address, distinguished by domain.

Load balancing is another highlight: servers can be combined into groups, to which the requests are then distributed using the selected algorithm (e.g. round-robin).


Requirements

The following values are assumed for the example configuration:

  • Web server with the private IP: 10.1.0.150
  • Domain: www.ttt-point.de


Preparations

  • Attention:
    If the web server is also to be accessed via https, the port of the Userinterface must be changed first.


  • For https, the reverse proxy needs a certificate to accept the encrypted connection.
  • For this, a certificate from Authentication Certificates is used.
  • If a locally self-created certificate is used, external users must confirm a certificate warning when they first call up the site.
  • It is better to import a publicly issued, purchased certificate or to create an ACME certificate.

  • Important: the name of the certificate must match the domain.
    In this example, a wildcard certificate *.ttt-point.de is used.

  • Packet filter rule

    For the reverse proxy to be reachable, the following packet filter rule must be in place. This can be checked under Firewall Port filter. If it is not present, Add rule will add this rule.

    # | Source   | Destination        | Service | NAT | Logging | Action | Active
      | internet | external-interface | https   |     | 3/Min   | Accept | On

    If necessary, this packet filter rule must also be created for the http service.


    Configuration

    Wizard

    Step 1 - Internal

    Under Application Reverse-Proxy, the button Reverse-Proxy assistant in the header opens the wizard.

    Step 1 - Internal: Target server already exists as a network object
    (Screenshot: Reverse Proxy Wizard, step 1 - target server already exists as a network object)

    Caption | Value | Description
    Target Server: | www.ttt-point.de | If the host has already been created as a network object, it can be selected directly in the drop-down menu.
    Add network object | | If no network object has been created yet, a network object can be created using this button.
    Port: | 443 | The web server should be accessed via an encrypted connection.
    Use SSL: | On | Determines whether SSL can be used

    [ - ] Advanced settings

    These TLS settings apply to the connection between this appliance and the (local) server.
    For TLS settings between the clients and this appliance, the settings in the Authentication Encryption, area Reverse-Proxy dialog apply.

    Use default TLS settings: | Yes | Allows connections with TLS 1.2 or 1.3 only
    Minimal TLS version: | Use default value | The outdated TLS versions 1.1 and 1.0 can also be selected.
    Cipher-Suite: | Use default value | To use an OpenSSL security level directly, the notation @SECLEVEL=N can be appended to the cipher string, where N is the selected level from 0 to 5.
  • Security level 0 can be used for servers that only offer outdated and insecure algorithms. This is strongly discouraged; the server should be updated instead.
  • A specific cipher or DEFAULT must still be specified.
    • Examples:
      • DEFAULT@SECLEVEL=0
      • ECDHE-RSA-AES256-SHA@SECLEVEL=0

    Next

    Step 2 - External

    Define incoming connection
    (Screenshot: Reverse Proxy Wizard, step 2 - configuring external access so that the reverse proxy responds to requests)

    External domain name: | www.ttt-point.de | Here you enter how the server behind the UTM is addressed.
  • The public IP address that the client calls up from the Internet can also be entered here. However, it is then not possible to distinguish further individual servers via additional subdomains.

    Next

    Step 3 - External (Global)
    (Screenshot: Reverse Proxy Wizard, step 3)

    Mode | HTTP + HTTPS | Mode to be used
    Proxy-Port: | 80 | Port for the proxy of the corresponding server
    SSL-Proxy Port: | 443 | Port for the SSL proxy of the corresponding server
    SSL certificate: | *.ttt-point.de | The certificate that was selected in the step Preparations is selected here.

    Next

    Step 4 - Authentication
    (Screenshot: Reverse Proxy Wizard, step 4)

    Forward authentication: | Provide login data | The proxy should not perform authentication. No authentication!
    | Forward access data (client) | Forwards the client's authentication headers to the remote station. Login data received from the UTM is sent to the reverse proxy. Authentication is not required for this option.
    | Forward access data (client & proxy) | Proxy and authentication headers are forwarded unchanged. Sends the login data received from the client to the reverse proxy. Both proxy and WWW authorisation headers are forwarded to the remote peer without modification.
    Login name | |
    Password | |

    Finish

    Server groups

    The arrangement in server groups makes it possible to map different relationships in the reverse proxy:
    • 1:1 - One domain/IP : One server
    • 1:N - One domain/IP : Multiple servers (load balancing)
    • N:1 - Multiple domains/IPs : One server
    • N:M - Multiple domains/IPs : Multiple servers (load balancing)
  • A port forwarding only allows a 1:1 relationship: the connection is forwarded to one server.
  • Add server group: Adds a new server group.
    The wizard automatically creates a server group.
    (Screenshot: Reverse-Proxy, automatically created server group)

    Caption | Value | Description
    Name | server-www.ttt-point.de | Name
    Server | www.ttt-point.de (10.1.0.150) | List of network objects that belong to the server group (IP address, port, SSL). Hovering with the mouse shows further details about the network object.
    Edit | | Opens the dialog for editing a server group (add or delete server)
    Delete | | Deletes the server group (confirmation required)
    Edit server group - nginx

    General
    (Screenshot: Edit server group, example with different TLS versions and cipher suites using the nginx engine)

    Name | server-www.ttt-point.de | Name of the server group (not editable)
    Use SSL | Yes | Determines whether SSL can be used

    Authentication
  • Authentication is only configured centrally for the entire group when using the nginx engine. When using the squid engine, this is done individually for each server.
    Forward authentication: | Provide login data | The proxy should not perform authentication
    | Forward access data (client) | Forwards the client's authentication headers to the remote station. Login data received from the UTM is sent to the reverse proxy. Authentication is not required for this option.
    | Forward access data (client & proxy) | Proxy and authentication headers are forwarded unchanged. Sends the login data received from the client to the reverse proxy. Both proxy and WWW authorisation headers are forwarded to the remote peer without modification.
    Login name: | | Only for Provide login data
    Password: | | Only for Provide login data
    Forward connection-oriented Microsoft authentication: | off | Enables support for NTLM, Negotiate and Kerberos (new as of v12.7.1)

    Server
        Search field for the servers
    Network | www.ttt-point.de | Name
    IP address | 10.1.0.150 | IP address of the web server
    Port | 443 | Port via which the server is to be addressed
    TLS | Default @Sec Level=4 | TLS settings for this server
    Delete | | Deletes the server from the reverse proxy server group
    Edit / Add server (new as of v12.7.0)
    (Screenshot: Add server, nginx engine)

    General
    Network | Name | Opens the dialogue for adding a network object
    Port | 443 | Port via which the server is to be addressed

    Advanced settings

    These TLS settings apply to the connection between this appliance and the (local) server.
    For TLS settings between the clients and this appliance, the settings in the Authentication Encryption, area Reverse-Proxy dialog apply.

    Use default TLS settings: | Yes | Allows connections with TLS 1.2 or 1.3 only
    Minimal TLS version: | Use default value | The outdated TLS versions 1.1 and 1.0 can also be selected.
    Cipher-Suite: | Use default value | To use an OpenSSL security level directly, the notation @SECLEVEL=N can be appended to the cipher string, where N is the selected level from 0 to 5.
  • Security level 0 can be used for servers that only offer outdated and insecure algorithms. This is strongly discouraged; the server should be updated instead.
  • A specific cipher or DEFAULT must still be specified.
    • Examples:
      • DEFAULT@SECLEVEL=0
      • ECDHE-RSA-AES256-SHA@SECLEVEL=0
    Edit server group - squid

    General
    (Screenshot: Edit server group, example with different TLS versions and cipher suites using the squid engine)

    Name | server-www.ttt-point.de | Name of the server group (not editable)

    Server
        Search field for the servers
    Network | www.ttt-point.de | Name
    IP address | 10.1.0.150 | IP address of the web server
    Port | 443 | Port via which the server is to be addressed
    SSL | Yes | Shows whether SSL is activated for the server
    Type | Provide login data | Authentication type used by the server
    Login name | |
    MS-Auth | off | Status for connection-oriented Microsoft authentication (support for NTLM, Negotiate and Kerberos)
    TLS | Default @Sec Level=4 | TLS settings for this server
    Delete | | Deletes the server from the reverse proxy server group
    Edit / Add server (new as of v12.7.0)
    (Screenshot: Add server, squid engine)

    General
    Network | Name | Opens the dialogue for adding a network object
    Port | 443 | Port via which the server is to be addressed
    Use SSL: | Yes | Determines whether SSL can be used

    Authentication
    Forward authentication: | Provide login data | The proxy should not perform authentication
    | Forward access data (client) | Forwards the client's authentication headers to the remote station. Login data received from the UTM is sent to the reverse proxy. Authentication is not required for this option.
    | Forward access data (client & proxy) | Proxy and authentication headers are forwarded unchanged. Sends the login data received from the client to the reverse proxy. Both proxy and WWW authorisation headers are forwarded to the remote peer without modification.
    Login name | | Only for Provide login data
    Password | | Only for Provide login data
    Forward connection-oriented Microsoft authentication: | off | Enables support for NTLM, Negotiate and Kerberos (caption updated)

    Advanced settings

    These TLS settings apply to the connection between this appliance and the (local) server.
    For TLS settings between the clients and this appliance, the settings in the Authentication Encryption, area Reverse-Proxy dialog apply.

    Use default TLS settings: | Yes | Allows connections with TLS 1.2 or 1.3 only
    Minimal TLS version: | Use default value | The outdated TLS versions 1.1 and 1.0 can also be selected.
    Cipher-Suite: | Use default value | To use an OpenSSL security level directly, the notation @SECLEVEL=N can be appended to the cipher string, where N is the selected level from 0 to 5.
  • Security level 0 can be used for servers that only offer outdated and insecure algorithms. This is strongly discouraged; the server should be updated instead.
  • A specific cipher or DEFAULT must still be specified.
    • Examples:
      • DEFAULT@SECLEVEL=0
      • ECDHE-RSA-AES256-SHA@SECLEVEL=0
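    The cipher-suite rules above (a cipher or DEFAULT must precede @SECLEVEL=N, N lies in 0..5, and level 0 is discouraged) appear three times in this article: in the wizard and in both server-group dialogs. The following checker, added here as an example and not code from the appliance or from OpenSSL, applies those rules to a cipher string before it is pasted into the dialog. The level-to-minimum-bits table is taken from the OpenSSL documentation for security levels; the tokenizer (which accepts both DEFAULT@SECLEVEL=2 and DEFAULT:@SECLEVEL=2, as OpenSSL does) and the result type are assumptions of this example.

```python
"""Sanity-check an OpenSSL cipher string with an @SECLEVEL=N suffix.

Added example for this article; not the appliance's or OpenSSL's own code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Minimum security strength each OpenSSL security level enforces (OpenSSL docs:
# level 1 = 80 bits, 2 = 112, 3 = 128, 4 = 192, 5 = 256; level 0 enforces nothing).
SECLEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

_SECLEVEL_RE = re.compile(r"^@SECLEVEL=(\d+)$", re.IGNORECASE)


@dataclass
class CipherStringCheck:
    cipher_spec: str                 # the cipher words, without directives
    seclevel: Optional[int] = None   # None when no @SECLEVEL directive is given
    min_bits: Optional[int] = None   # strength implied by the level
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def _tokenize(value: str) -> List[str]:
    """Split on ':' (and ',' or blanks) and detach '@' directives from cipher words,
    so 'DEFAULT@SECLEVEL=0' yields ['DEFAULT', '@SECLEVEL=0'] (assumed tokenizer)."""
    tokens: List[str] = []
    for chunk in re.split(r"[:,\s]+", value.strip()):
        if not chunk:
            continue
        head, *directives = chunk.split("@")
        if head:
            tokens.append(head)
        tokens.extend("@" + d for d in directives)
    return tokens


def check_cipher_string(value: str) -> CipherStringCheck:
    tokens = _tokenize(value)
    ciphers = [t for t in tokens if not t.startswith("@")]
    directives = [t for t in tokens if t.startswith("@")]
    result = CipherStringCheck(cipher_spec=":".join(ciphers))

    levels: List[int] = []
    for d in directives:
        m = _SECLEVEL_RE.match(d)
        if m:
            levels.append(int(m.group(1)))
        elif d.upper().startswith("@SECLEVEL"):
            result.errors.append(f"malformed security level directive: {d!r}")
        # other '@' directives (e.g. @STRENGTH) are left to OpenSSL itself

    if len(levels) > 1:
        result.errors.append("more than one @SECLEVEL directive")
    if levels:
        lvl = levels[0]
        if lvl not in SECLEVEL_MIN_BITS:
            result.errors.append(f"@SECLEVEL={lvl} is outside the valid range 0..5")
        else:
            result.seclevel = lvl
            result.min_bits = SECLEVEL_MIN_BITS[lvl]
            if lvl == 0:
                result.warnings.append(
                    "@SECLEVEL=0 re-enables outdated and insecure algorithms; "
                    "update the server instead")
    # The article's rule: a bare "@SECLEVEL=N" selects no cipher at all.
    if not ciphers:
        result.errors.append("no cipher or DEFAULT specified before @SECLEVEL")
    return result


if __name__ == "__main__":
    for s in ("DEFAULT@SECLEVEL=4", "ECDHE-RSA-AES256-SHA@SECLEVEL=0", "@SECLEVEL=0"):
        r = check_cipher_string(s)
        print(f"{s!r}: ok={r.ok} level={r.seclevel} min_bits={r.min_bits} "
              f"errors={r.errors} warnings={r.warnings}")
```

    The checker only validates the structure the article describes; whether a given cipher word is actually available on the appliance is decided by its OpenSSL build when the setting is saved.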

    Sites

    Applications Reverse-Proxy, area Sites
    Here the site entries can be viewed, edited and deleted.

    If invalid configurations are present, they are marked with a warning. Hovering over this warning also shows a short description of the problem.

    All sites must have an active dst_dom*-ACL, otherwise they are ignored. (New as of v14.0.1)

    (Screenshot: Sites overview when using the nginx engine)

    (Screenshot: Sites overview when using the squid engine)

    Sites - nginx
    (Screenshot: Edit site when using the nginx engine)

    Domain name: | www.ttt-point.de | This is where you enter how the server behind the UTM is addressed.
    Server group: | servergroup-www.ttt-point.de | The associated server group is selected here
    Client bandwidth: | 0 kbit/s | Maximum bandwidth that should be available to a client
    Load distribution: | round-robin | The connections are processed one after the other.
    | userhash | A user's connections (hash on the user name) are always routed to the same server.
    | sourcehash | Connections from the same source (IP address) are always routed to the same server.
    Redirect HTTP: | No | When activated, HTTP requests are redirected to the HTTPS port (only with mode: HTTP + HTTPS)
    Websockets: | off | Activates Websockets connections for the site
    Site-specific proxy port: | On, 80 (default: off) | Enables a specific port for HTTP connections in this site
    Site-specific SSL proxy port: | On, 8443 (default: off) | Enables a specific port for connections to this site via the SSL proxy
    Site-specific SSL certificate: | off | A site-specific server certificate can be selected
    ACL Sets | TTT-Point Login (allow) | Selection of an ACL set to be added
    Add | | Adds the selected ACL set
    Pos. | | The order of the ACL sets can be customised using drag and drop.
  • The allowed ACL sets should generally come before the forbidden ones.
    ACL Set | aclset-www.ttt-point.de | Name
    Action | | Configuration of whether the ACL set should be permitted or prohibited
    Status | On | Activation or deactivation of the configuration for the ACL set
    Delete | | Deletes the entry for the ACL set
    Sites - squid
    (Screenshot: Edit site when using the squid engine)

    Domain name: | www.ttt-point.de | This is where you enter how the server behind the UTM is addressed.
    Server group: | servergroup-www.ttt-point.de | The associated server group is selected here
    Site bandwidth: | 0 kbit/s | Maximum bandwidth that should be available to a site
    Client bandwidth: | 0 kbit/s | Maximum bandwidth that should be available to a client
    Load distribution: | round-robin | The connections are processed one after the other.
    | userhash | A user's connections (hash on the user name) are always routed to the same server.
    | sourcehash | Connections from the same source (IP address) are always routed to the same server.
    | weighted-round-robin | Connections are processed one after the other, but weightings determine how often the same server is served in succession.
    ACL Sets | TTT-Point Login (allow) | Selection of an ACL set to be added
    Add | | Adds the selected ACL set
    Pos. | | The order of the ACL sets can be customised using drag and drop.
  • The allowed ACL sets should generally come before the forbidden ones.
    ACL Set | aclset-www.ttt-point.de | Name
    Action | | Configuration of whether the ACL set should be permitted or prohibited
    Status | On | Activation or deactivation of the configuration for the ACL set
    Delete | | Deletes the entry for the ACL set
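    The load distribution modes listed for both engines (round-robin, userhash, sourcehash and, for squid, weighted-round-robin) differ in whether a client keeps landing on the same backend. The following selector, added here as an example and not the appliance's, squid's or nginx's own code, implements each mode over a constructed three-server group so the stickiness of the hash modes and the skew of the weighted mode can be observed. Weighted-round-robin is implemented as classic weighted round-robin (a server is picked weight-many times per cycle), which is an assumption of this example, as are the server addresses other than 10.1.0.150 and the weights.

```python
"""Backend selection for the reverse proxy's load distribution modes.

Added example for this article; not the appliance's, squid's or nginx's code.
"""
import hashlib
import itertools
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed server group for the example: only 10.1.0.150 is from the article.
SERVERS = ["10.1.0.150", "10.1.0.151", "10.1.0.152"]
WEIGHTS = {"10.1.0.150": 3, "10.1.0.151": 1, "10.1.0.152": 1}   # assumed weights


class Balancer:
    def __init__(self, servers: List[str], weights: Optional[Dict[str, int]] = None):
        if not servers:
            raise ValueError("server group must not be empty")
        self.servers = list(servers)
        self.weights = dict(weights or {})
        self._rr = itertools.cycle(self.servers)
        # weighted-round-robin: a server with weight w appears w times per cycle
        expanded = [s for s in self.servers
                    for _ in range(max(1, self.weights.get(s, 1)))]
        self._wrr = itertools.cycle(expanded)

    def round_robin(self) -> str:
        """Connections are handed to the servers one after the other."""
        return next(self._rr)

    def weighted_round_robin(self) -> str:
        """Like round-robin, but a heavier server is served more often in succession."""
        return next(self._wrr)

    def _hash_pick(self, key: str) -> str:
        # A stable digest keeps the mapping identical across restarts; Python's
        # built-in hash() is randomised per process and would not.
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        return self.servers[int.from_bytes(digest[:8], "big") % len(self.servers)]

    def sourcehash(self, client_ip: str) -> str:
        """Connections from the same source IP always reach the same server."""
        return self._hash_pick("src:" + client_ip)

    def userhash(self, username: str) -> str:
        """A user's connections (hash on the user name) always reach the same server."""
        return self._hash_pick("user:" + username.lower())


def simulate(mode: str, requests: Iterable[Tuple[str, str]]) -> List[str]:
    """Pick a backend for each (client_ip, username) pair with the given mode."""
    balancer = Balancer(SERVERS, WEIGHTS)
    pick = {
        "round-robin": lambda ip, user: balancer.round_robin(),
        "weighted-round-robin": lambda ip, user: balancer.weighted_round_robin(),
        "sourcehash": lambda ip, user: balancer.sourcehash(ip),
        "userhash": lambda ip, user: balancer.userhash(user),
    }[mode]
    return [pick(ip, user) for ip, user in requests]


if __name__ == "__main__":
    # Constructed traffic: two clients, each sending three requests.
    traffic = [("198.51.100.7", "alice"), ("203.0.113.9", "bob")] * 3
    for mode in ("round-robin", "weighted-round-robin", "sourcehash", "userhash"):
        print(f"{mode:22s} {simulate(mode, traffic)}")
```

    Note that userhash can only be sticky when the proxy knows the user name, i.e. when it performs authentication itself; with the forward-only authentication options the user name is not available to the hash, so sourcehash is the mode that gives session affinity in that case.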
    Combination example

    By combining different ACL sets with the corresponding actions, it is possible, for example, to ensure that the login page of a server can only be accessed from a specific (e.g. your own) public IP address.


    ACL Sets

    Under Applications Reverse Proxy, area ACLSets, button Add ACL.
    Access rights can be assigned via ACLs.
    (Screenshot: Add ACL)

    Type | Description | Example
    dstdom_regex | Regex on the target domain | .*\ttt-point\.(de|com)
    dstdomain | Specifies the domain/IP of the destination server | www.ttt-point.de or IP address
    proto | Protocol | http, https
    req_header | Filter on the header of the client; the browser, for example, can be determined this way | 
    src | Specifies the source IP of the client | 87.139.55.127/255.255.255.255
    srcdom_regex (only for squid engine) | Regex on the sender's domain | anyideas
    srcdomain (only for squid engine) | Specifies the domain of the sender | anyideas.de
    time | Time specification | M T W H F 9:00-17:00
    urlpath_regex | Regex for paths | ttt-point.de/login
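    The combination example in the Sites section (login page reachable only from one public IP) and the ACL types in the table above can be tried out with the following evaluator. It is added here as an example and is not the appliance's, squid's or nginx's code. It models dstdomain, dstdom_regex, proto, req_header, src, time and urlpath_regex, evaluates a site's ACL sets in position order with the first matching set deciding (which is why the article puts allow sets before deny sets), and flags a site that has no active dst_dom*-ACL, as required from v14.0.1. Assumptions of this example: a site whose sets all fail to match is denied; the req_header value is written as "Header-Name regex"; srcdomain/srcdom_regex (squid only) are left out; the IP addresses, paths and regexes other than www.ttt-point.de are constructed.

```python
"""Ordered ACL-set evaluation for one reverse-proxy site.

Added example for this article; not the appliance's, squid's or nginx's code.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# squid-style day letters used by the article's time example: M T W H F A S
_DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}


@dataclass
class Request:
    proto: str                      # "http" or "https"
    dst_domain: str                 # the site the client addressed
    path: str                       # URL path
    src_ip: str                     # client address
    headers: Dict[str, str] = field(default_factory=dict)
    when: datetime = field(default_factory=datetime.now)


@dataclass
class AclSet:
    name: str
    entries: List[Tuple[str, str]]  # (acl type, value); all entries must match
    action: str                     # "allow" or "deny"
    active: bool = True


def _match_time(spec: str, when: datetime) -> bool:
    """'M T W H F 9:00-17:00': optional day letters, then one hh:mm-hh:mm range."""
    parts = spec.split()
    hours = parts[-1] if parts and "-" in parts[-1] else None
    days = parts[:-1] if hours else parts
    if days and when.weekday() not in {_DAY_LETTERS[d] for d in days}:
        return False
    if hours is None:
        return True
    start, end = hours.split("-")
    to_min = lambda hm: int(hm.split(":")[0]) * 60 + int(hm.split(":")[1])
    now = when.hour * 60 + when.minute
    return to_min(start) <= now <= to_min(end)


def time_acl_matches(spec: str, iso_timestamp: str) -> bool:
    return _match_time(spec, datetime.fromisoformat(iso_timestamp))


def _match_header(spec: str, r: Request) -> bool:
    """'User-Agent ^Mozilla': header name, then a regex (assumed value format)."""
    name, _, pattern = spec.partition(" ")
    headers = {k.lower(): v for k, v in r.headers.items()}
    return re.search(pattern, headers.get(name.lower(), "")) is not None


_MATCHERS = {
    "dstdomain": lambda v, r: r.dst_domain.lower() == v.lower(),
    "dstdom_regex": lambda v, r: re.search(v, r.dst_domain, re.IGNORECASE) is not None,
    "proto": lambda v, r: r.proto.lower() in re.split(r"[,\s]+", v.lower().strip()),
    "urlpath_regex": lambda v, r: re.search(v, r.path) is not None,
    "req_header": _match_header,
    # ipaddress accepts the netmask notation of the article's src example
    "src": lambda v, r: ipaddress.ip_address(r.src_ip) in ipaddress.ip_network(v, strict=False),
    "time": lambda v, r: _match_time(v, r.when),
}


def acl_set_matches(acl: AclSet, r: Request) -> bool:
    return all(_MATCHERS[t](v, r) for t, v in acl.entries)


def evaluate(site_acls: List[AclSet], r: Request) -> Tuple[str, Optional[str]]:
    """First active matching set decides; a request matching no set is denied (assumed)."""
    for acl in site_acls:
        if acl.active and acl_set_matches(acl, r):
            return acl.action, acl.name
    return "deny", None


def has_dst_dom_acl(site_acls: List[AclSet]) -> bool:
    """v14.0.1 rule: a site without an active dst_dom*-ACL is ignored."""
    return any(a.active and any(t.startswith("dstdom") for t, _ in a.entries)
               for a in site_acls)


# Constructed site: the login page only from one public IP, everything else open.
OWN_PUBLIC_IP = "203.0.113.10/255.255.255.255"   # constructed, not the article's value
SITE_ACLS = [
    AclSet("login-from-own-ip", [("dstdomain", "www.ttt-point.de"),
                                 ("urlpath_regex", r"^/login"),
                                 ("src", OWN_PUBLIC_IP)], "allow"),
    AclSet("login-from-anywhere", [("dstdomain", "www.ttt-point.de"),
                                   ("urlpath_regex", r"^/login")], "deny"),
    AclSet("public-site", [("dstdom_regex", r"^www\.ttt-point\.(de|com)$"),
                           ("proto", "http, https")], "allow"),
]

if __name__ == "__main__":
    print("site has dst_dom*-ACL:", has_dst_dom_acl(SITE_ACLS))
    for ip, path in (("203.0.113.10", "/login"), ("198.51.100.7", "/login"),
                     ("198.51.100.7", "/index.html")):
        print(ip, path, evaluate(SITE_ACLS, Request("https", "www.ttt-point.de", path, ip)))
```

    Swapping the first two sets makes "login-from-anywhere" win for the owner's IP as well, which is the ordering mistake the article warns about: an allow set placed after a broader deny set never gets a chance to match.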

    Options

    (Screenshot: Reverse-Proxy settings when using the nginx engine)

    Caption | Value | Description
    Engine: | nginx | Selection of the engine to be used: nginx (new as of v12.7.0) or squid
  • A change of engine will most likely require adjusting the configuration, as each engine supports different features. After the changeover, unsupported settings are marked.
  • An engine change only takes effect with Save.
    Mode: | HTTP + HTTPS | Mode to be used
    Proxy-Port: | 80 | Port for the proxy of the corresponding server
    SSL-Proxy Port: | 8443 | Port for the SSL proxy of the corresponding server
    SSL certificate: | *.ttt-point.de | Certificate for the corresponding server
    Websocket Timeout: | 60 | Defines the time for a websocket timeout (new as of v12.7.0)
    Activate certificate-based authentication | |
    SSL-CA: | CA ttt-point.de | Certificate for certificate-based authentication
  • Can be activated for non-public (web) servers

  • Import of personal certificates

    In order for the Enable certificate-based authentication function to be used correctly, the personal certificate must be available in the browser used.