The goal of this tutorial is to access an internal web server via the reverse proxy
Last adaptation to the version: 12.3.6 (03.2023)
Last updated: 05.2023
This article refers to a reseller preview.

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
→ Applications →Reverse-Proxy


Intended use

With a reverse proxy, access from the Internet to "internal" web servers can be controlled. In contrast to a port forwarding, dedicated filter rules (ACLs) can be defined on the reverse proxy. In addition, several internal web servers can be addressed through a single public IP address, selected by the requested domain name.

The reverse proxy also offers load balancing: servers can be combined into groups, and requests are distributed across the servers of a group using the selected algorithm (e.g. round robin).


Requirements

The following values are assumed for the example configuration:

  • Web server with the private IP: 10.1.0.150
  • Domain: www.ttt-point.de


Preparations

  • Attention:
    If the web server is also to be reached via https, the port of the UTM's user interface must be changed first.
    In the factory setting, port 443 (https) is already occupied by the UTM's own user web interface, so that port must be moved to another one.
    The setting is under → Network →Appliance Settings, tab Appliance Settings, section Webserver.
  • If necessary, port filter rules that allow access to the user web interface must be adjusted to the new port.
  • Save

  • Certificate
    • For https, the reverse proxy needs a certificate with which it accepts the encrypted client connection.
    • The certificate is taken from → Authentication →Certificates.
    • If a locally self-created (self-signed) certificate is used, external users must confirm a certificate warning on their first visit.
    • It is better to import a publicly issued, purchased certificate or to create an ACME certificate.
    • Important: the name on the certificate must match the domain that clients request. In this example, a wildcard certificate *.ttt-point.de is used.
  • Port filter rule

    For the reverse proxy to be reachable, the following port filter rule must be in place. This can be checked under → Firewall →Port filter. If it is not present, Add rule creates it.

    #   Source     Destination          Service   NAT   Action   Active
    3   internet   external-interface   https           Accept   On

    If http access is also required, the same port filter rule must also be created for the http service.
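The two preparation points that are easiest to get wrong are the certificate name and the client-facing TLS settings. The following added example (not the UTM's code and not part of the original article) checks both from the outside, the way an external visitor would see them. The name matching follows the usual wildcard rule (a leading * stands for exactly one label), so it also shows the caveat that *.ttt-point.de covers www.ttt-point.de but not the bare ttt-point.de. The host name www.ttt-point.de and the certificate name *.ttt-point.de are taken from the tutorial; the function names are this example's own.

```python
"""Added example: check that the certificate the reverse proxy presents
covers the external domain, and that the client-facing leg negotiates
TLS 1.2 or 1.3. Not the UTM's own code."""
import socket
import ssl
import sys

EXTERNAL_DOMAIN = "www.ttt-point.de"     # external domain name from the tutorial
CERT_NAMES = ["*.ttt-point.de"]          # the wildcard certificate used in the tutorial


def name_covers(cert_name, hostname):
    """Wildcard match as browsers do it (RFC 6125 style): '*' is only honoured
    as the complete leftmost label and matches exactly one label."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    first, _, rest = cert_name.partition(".")
    if first != "*" or "*" in rest or not rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def certificate_fits(cert_names, hostname):
    """True if any name on the certificate covers the requested host name."""
    return any(name_covers(n, hostname) for n in cert_names)


def san_dns_names(peercert):
    """DNS entries of an ssl getpeercert() dict, falling back to the subject CN
    for old certificates without a subjectAltName extension."""
    names = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in peercert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def probe(host, port=443):
    """Connect like an external client: TLS 1.2+ only, chain and name verified.
    Returns (negotiated protocol, peer certificate dict). Needs network access."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else EXTERNAL_DOMAIN
    version, cert = probe(host)
    names = san_dns_names(cert)
    print(version, names, "covers host:", certificate_fits(names, host))
```

Run it with the external domain as argument once the port filter rule and the wizard configuration are in place. If the handshake fails with a verification error, the certificate selected in step 2 of the wizard does not match the external domain name or its chain is not complete. The offline part (name matching) is deliberately separate so it can be checked before anything is exposed.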


    Configuration

    Wizard

    Step 1 - Internal

    → Applications →Reverse-Proxy, tab Server groups, button Reverse-Proxy Assistant

    The settings for the reverse proxy are located in the menu → Applications →Reverse-Proxy.
    Clicking the button Reverse-Proxy wizard opens the wizard.

    Target server already exists as a network object

    Target Server: www.ttt-point.de    If the host has already been created as a network object, it can be selected directly in the drop-down menu.
    Port: 443    The web server should be accessed via an encrypted connection.
    Use SSL: On    SSL should definitely be activated.

    Target server does not yet exist as a network object

    Target Server: Create server    If the web server does not yet exist as a network object, it can be created via the selection point Create server in the wizard.
    Server name: www.ttt-point.de    Name of the network object.
        The name of a new network object can be chosen freely, but must not already be in use by another object. A meaningful naming convention should be chosen and kept to. Since the connection to the web server hosting the homepage is configured here, and the target is to be reachable later as "www.ttt-point.de", this designation is also used for the network object.
    IP address: 10.1.0.150    IP address of the web server.
    Zone: dmz1    Zone of the network object. The zone is entered automatically if the IP range is known to the UTM.
      • It is recommended to place the server in its own network with its own zone.
    Port: 443    The web server should be accessed via an encrypted connection.
    Use SSL: Yes (default: off)    SSL should definitely be activated.

    Advanced settings
    New configuration options as of v12.3.6

    These TLS settings apply to the connection between this appliance and the (local) server.
    For the TLS settings between the clients and this appliance, the settings in the → Authentication →Encryption, tab Reverse-Proxy dialog apply.

    Use default TLS settings: Yes    Allows connections with TLS 1.2 or 1.3 only.
    Minimal TLS version: Use default value    The outdated TLS versions 1.1 and 1.0 can be selected here.
    Cipher suite: Use default value    An OpenSSL cipher string. To select an OpenSSL security level directly, the notation @SECLEVEL=N can be used in the cipher string, where N is the chosen level from 0 to 5.
      • Security level 0 also admits servers that only offer outdated and insecure algorithms. This is strongly discouraged; the server should be updated instead.
      • A specific cipher or DEFAULT must still be specified in front of the level.
      • Examples:
        • DEFAULT@SECLEVEL=0
        • ECDHE-RSA-AES256-SHA@SECLEVEL=0
    Next
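To see what the advanced TLS options above actually change on the proxy-to-backend leg, here is an added example (not the UTM's code) that expresses them as Python ssl contexts: the default (TLS 1.2/1.3 only) beside the legacy setting of minimal version 1.0 with DEFAULT@SECLEVEL=0, and a helper that lists which cipher suites OpenSSL enables for a given cipher string such as ECDHE-RSA-AES256-SHA@SECLEVEL=0. The option names and the function names are assumptions of this example, not the appliance's API.

```python
"""Added example: the wizard's TLS settings for the proxy -> backend leg as
ssl contexts, so the effect of the minimum version and of an @SECLEVEL
cipher string can be inspected offline. Not the UTM's own code."""
import ssl

# Wizard values -> ssl.TLSVersion (the value strings are this example's assumption).
_MIN_VERSION = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def backend_context(min_version="1.2", cipher_string=None):
    """Client context for connecting to the internal web server.
    The defaults mirror 'Use default TLS settings: Yes' (TLS 1.2/1.3 only,
    OpenSSL's default cipher selection); chain and name verification stay on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = _MIN_VERSION[min_version]
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)      # e.g. "DEFAULT@SECLEVEL=0"
    return ctx


def legacy_backend_context():
    """What 'Minimal TLS version: 1.0' plus 'DEFAULT@SECLEVEL=0' amounts to:
    TLS 1.0 and suites the default security level rejects are accepted.
    Only for a backend that really cannot be updated."""
    return backend_context("1.0", "DEFAULT@SECLEVEL=0")


def cipher_names(cipher_string):
    """Cipher suites OpenSSL actually enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def describe(ctx):
    """Minimum protocol version and enabled suites of a context, for comparison."""
    return {
        "min_version": ctx.minimum_version.name,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


if __name__ == "__main__":
    for label, ctx in (("default", backend_context()), ("legacy", legacy_backend_context())):
        d = describe(ctx)
        print(f"{label}: min {d['min_version']}, {len(d['ciphers'])} cipher suites")
    print("ECDHE-RSA-AES256-SHA@SECLEVEL=0 ->", cipher_names("ECDHE-RSA-AES256-SHA@SECLEVEL=0"))
```

The cipher list returned for a string is what OpenSSL would offer in the ClientHello; comparing `cipher_names("DEFAULT@SECLEVEL=2")` with `cipher_names("DEFAULT@SECLEVEL=0")` on the appliance's OpenSSL version shows exactly which legacy suites a level-0 setting reintroduces, which is the information to weigh before lowering the level for a backend.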
    Step 2 - External

    Define incoming connection

    External domain name: www.ttt-point.de    Enter here the name under which the server behind the UTM is addressed from the Internet.
      • The public IP address that clients call from the Internet can also be entered here. It is then, however, not possible to distinguish further individual servers via additional (sub)domains.

    Configuring external access so that the reverse proxy responds to requests

    Mode: HTTPS    Access shall be exclusively encrypted via https.
    SSL proxy port: 443    The proxy port is 443 as well.
    SSL certificate: *.ttt-point.de    The certificate selected in the step Preparations.
    Next
    Step 3 - Authentication

    Forward authentication: Provide login data    With this option the proxy does not authenticate the user itself; the login data entered below (if any) is passed on to the backend. In this example no login data is entered, i.e. no authentication.
    The string can include URL escapes (e.g. %20 for spaces). Consequently, a literal % must be written as %%.

    Other options for Forward authentication:
    Forward credentials (Client)    Forwards the client's authentication headers to the remote server. Credentials received by the UTM are passed on via the reverse proxy; the user's proxy password thereby becomes visible to the remote server. No authentication on the UTM is required with this option.
    Forward credentials (Client & Proxy)    Proxy and authentication headers are forwarded unchanged. The credentials received from the client are sent on by the reverse proxy; both the Proxy-Authorization and the (WWW-)Authorization header are passed to the remote server without modification.
    Login name: blank
    Password: blank
    Authentication: off    Authentication is not useful for a web server that hosts the public homepage.
    Finish

    Server groups

    • A server group is created automatically by the wizard.
    • New server groups can be added.
    • Existing server groups can be extended with additional servers.
    • A port forwarding only allows a 1:1 relationship: the connection is forwarded to exactly one server. With a reverse proxy, the following relationships are possible:
      • 1:1 - one domain/IP : one server
      • 1:N - one domain/IP : multiple servers (load balancing)
      • N:1 - multiple domains/IPs : one server
      • N:M - multiple domains/IPs : multiple servers (load balancing)
      This is why the servers are organised in groups. A group may, but need not, contain several servers.
    • The edit button can be used to edit a server group (here: the automatically created one).
    • The Add Server button expands the server group with another server; each server in the group can have its own TLS version and cipher suite settings.

    ACL Sets

    ACLs - Access rights
    Access rights are assigned via ACLs. The following ACL types are available:

    req_header     Filter on a request header of the client (e.g. to match a particular browser via the User-Agent header).
    src            Source IP of the client (e.g. 87.139.55.127/255.255.255.255 for a single host).
    dstdomain      Domain/IP of the destination server (www.ttt-point.de or an IP address).
    dstdom_regex   Regex on the target domain (e.g. .*\.ttt-point\.(de|com)).
    srcdomain      Domain of the sender (e.g. anyideas.com).
    srcdom_regex   Regex on the sender's domain (e.g. anyideas).
    urlpath_regex  Regex on the URL path.
    proto          Protocol (http, https).
    time           Time specification: day letters followed by a time range (e.g. M T W H F 9:00-17:00).
                   S - Sunday
                   M - Monday
                   T - Tuesday
                   W - Wednesday
                   H - Thursday
                   F - Friday
                   A - Saturday
                   D - all weekdays

    Sites

    Here the ACLs are assigned to a site, together with the action (Allow/Deny), their order, the distribution algorithm and the bandwidth for the server.
    The ACLs are processed in order; each entry either allows ("Allow") or denies ("Deny") access.
    • In the order, the ACLs of type "Deny" should come before the ACLs of type "Allow"; otherwise an earlier, broader "Allow" takes precedence over a more specific "Deny".
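The ACL types listed under ACL Sets and the ordered Allow/Deny processing described under Sites are easiest to understand when run against a concrete request. The following is an added example (not the UTM's implementation) that evaluates those ACL types against a request and walks a site's rule list in order, including the day-letter time syntax (M T W H F 9:00-17:00). First-match semantics, the request dict, the "Header-Name regex" syntax for req_header and the default action (deny) are assumptions of this example; the source address 87.139.55.127/255.255.255.255 and the domain www.ttt-point.de come from the tutorial.

```python
"""Added example: a small evaluator for the reverse proxy's ACL types and
for a site's ordered Allow/Deny list. Not the UTM's own code; rule
semantics, request format and default action are assumptions."""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Day letters of the 'time' ACL, mapped to datetime.weekday() (Monday = 0).
_DAY_LETTERS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


def parse_time_spec(spec):
    """'M T W H F 9:00-17:00' -> ({0, 1, 2, 3, 4}, (540, 1020)); 'D' = Mon-Fri."""
    days, window = set(), None
    for tok in spec.split():
        if ":" in tok:                                   # the HH:MM-HH:MM range
            start, end = tok.split("-")
            h1, m1 = map(int, start.split(":"))
            h2, m2 = map(int, end.split(":"))
            window = (h1 * 60 + m1, h2 * 60 + m2)
        elif tok == "D":
            days.update(range(5))
        else:                                            # one or more day letters
            days.update(_DAY_LETTERS[ch] for ch in tok)
    return days, window


def acl_matches(acl, req):
    """Evaluate one (type, argument) ACL entry against a request dict."""
    kind, arg = acl
    if kind == "src":                        # IP or IP/netmask, e.g. x.x.x.x/255.255.255.255
        return ip_address(req["src_ip"]) in ip_network(arg, strict=False)
    if kind == "dstdomain":
        return req["host"].lower() == arg.lower()
    if kind == "dstdom_regex":
        return re.search(arg, req["host"], re.I) is not None
    if kind == "srcdomain":                  # reverse-resolved name of the client
        return req.get("src_domain", "").lower() == arg.lower()
    if kind == "srcdom_regex":
        return re.search(arg, req.get("src_domain", ""), re.I) is not None
    if kind == "urlpath_regex":
        return re.search(arg, req["path"]) is not None
    if kind == "proto":
        return req["proto"] == arg
    if kind == "req_header":                 # "Header-Name regex" (assumed syntax)
        name, pattern = arg.split(" ", 1)
        return re.search(pattern, req["headers"].get(name, "")) is not None
    if kind == "time":
        days, (start, end) = parse_time_spec(arg)
        t = req["time"]
        return t.weekday() in days and start <= t.hour * 60 + t.minute < end
    raise ValueError(f"unknown ACL type: {kind}")


def evaluate_site(rules, req):
    """Walk the site's rules in order; the first rule whose ACLs all match wins.
    Assumption: a request that matches no rule is denied."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny"


# --- constructed sample data (values from the tutorial where they exist) ---
OFFICE = ("src", "87.139.55.127/255.255.255.255")
ADMIN_PATH = ("urlpath_regex", r"^/admin/")
BUSINESS_HOURS = ("time", "M T W H F 9:00-17:00")
PUBLIC_SITE = [("dstdomain", "www.ttt-point.de"), ("proto", "https")]

REQUEST = {                                  # an Internet visitor, Monday 10:00
    "src_ip": "203.0.113.9", "host": "www.ttt-point.de", "path": "/admin/login",
    "proto": "https", "headers": {"User-Agent": "Mozilla/5.0"},
    "time": datetime(2023, 5, 8, 10, 0),
}
OFFICE_REQUEST = dict(REQUEST, src_ip="87.139.55.127")
SUNDAY_REQUEST = dict(REQUEST, time=datetime(2023, 5, 7, 10, 0))

# Deny /admin/ for everyone except the office address, then allow the public site.
GOOD_ORDER = [("allow", [ADMIN_PATH, OFFICE]), ("deny", [ADMIN_PATH]), ("allow", PUBLIC_SITE)]
# The same rules with the broad allow first: the deny is never reached.
BAD_ORDER = [("allow", PUBLIC_SITE), ("deny", [ADMIN_PATH])]

if __name__ == "__main__":
    print("good order:", evaluate_site(GOOD_ORDER, REQUEST))   # deny
    print("bad order: ", evaluate_site(BAD_ORDER, REQUEST))    # allow
```

The two rule lists show the ordering point: with the broad "Allow" for the public site placed first, the "Deny" for /admin/ never gets a chance. The narrow exception for the office address has to sit in front of the deny it relaxes; the broad allow goes last.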

    Options

    Here you can specify whether HTTP, HTTPS or both should be used, as well as the ports and the certificate for the corresponding server.