
Creating a forward proxy



I would like to create a web proxy which will allow HTTPS requests from a webclient browser to be forwarded to a webserver with a different IP (and maybe port), and upon a response from the webserver, have the response forwarded back to the webclient browser.


This is considered a forward proxy and not a reverse proxy, right?

Any recommendations on where to start?

Will I need to install a webserver such as nginx on the proxy machine, or are there other options?


Thanks


This is considered a forward proxy and not a reverse proxy, right?


If the client explicitly connects to the proxy for the sake of reaching another server, then it's a forward proxy.


Will I need to install a webserver such as nginx on the proxy machine, or are there other options?


You will need a forward proxy. nginx isn't one, and Apache needs additional modules. Consider using a dedicated proxy like squid.


Before committing to squid, let me provide some more information.


Content transferred will be very limited, and will only be small json strings.  As such, caching is not required.

No filtering or restricting access is required, and the firewall is configured to only allow outgoing access from the machine in question to the single desired ip.

I would like to keep cpu/memory requirements to a minimum.


I've also looked at tinyproxy, but wonder if it too is overkill.


Apparently there's confusion about the terms.


If you just want to rewrite the destination of packets, then we're talking about NAT (network address translation). If you want to route packets, that's routing. None of this has anything to do with a forward proxy.


I'm reading between the lines. Notion mentions a proxy but so far the only requirement has been a device that is able to carry HTTP(S) transactions between two networks, and "proxy" is a popular term for the general purpose of ferrying packets even though the word has a more technical definition.


Now, if there needed to be HTTPS->HTTP forwarding then a true proxy would be necessary rather than dumb forwarding.


Sure, I'm simply saying that using a specific term like "forward proxy" (as opposed to the generic "proxy") when you want something entirely different is not very clever, especially in a programming community where words actually have meanings.


But I agree this sounds more like a case for forwarding.


Sorry for the ambiguity.


No need for HTTPS->HTTP.


Firewall/gateway is configured to allow outgoing access for IP 10.1.1.100:443 to 55.55.55.55:443

Webbrowser with IP 10.1.1.200 makes a request to 10.1.1.100:443.

Pseudoproxy with IP 10.1.1.100 changes request from 10.1.1.100:443 to 55.55.55.55:443

Webserver with IP 55.55.55.55 receives the request, and responds to 10.1.1.100:443 which in turn responds to 10.1.1.200:443 


Hi,


Is the verdict that all I need is dumb forwarding?  And will the response magically be forwarded back to the originator?  Is this a sysctl or iptables thing?


PS.  Note that I am not attempting to circumvent some organization's IT policy. When I stated that the firewall is configured to allow outgoing access from a given ip/port to another, it is because I asked them to configure it so and not that I discovered some vulnerability.  I actually need two conduits to this external ip, and thought it would be easier for them to manage a single ip with two ports.

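For the concrete scenario posted above (browser 10.1.1.200 talks to the pseudoproxy 10.1.1.100:443, which hands the connection to 55.55.55.55:443) and the "is this a sysctl or iptables thing?" question in this post, here is what the kernel-level "dumb forwarding" answer looks like. This is an added example, not code from anyone in the thread. The addresses and port are the ones given in the thread; the `APPLY` variable, the function names and the dry-run behaviour are my own conventions. The rules are only emitted as text unless `APPLY=yes` is set, so the script can be reviewed (and tested) without root.

```shell
#!/bin/sh
# Added example: kernel-level forwarding (NAT) for the thread's scenario.
# Addresses and port come from the thread; everything else is an assumption.
PROXY_IP="10.1.1.100"     # the "pseudoproxy" box on the school LAN
TARGET_IP="55.55.55.55"   # the public web server the firewall allows
PORT="443"

# Emit the sysctl and iptables commands as text.  Nothing is executed here,
# which lets an admin read (or diff) the rule set before touching the box.
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -d ${PROXY_IP} -p tcp --dport ${PORT} -j DNAT --to-destination ${TARGET_IP}:${PORT}
iptables -t nat -A POSTROUTING -d ${TARGET_IP} -p tcp --dport ${PORT} -j SNAT --to-source ${PROXY_IP}
iptables -A FORWARD -d ${TARGET_IP} -p tcp --dport ${PORT} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s ${TARGET_IP} -p tcp --sport ${PORT} -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Sanity check helper: how many "-A <chain>" rules does the set contain?
# Useful when auditing that only the intended chain was touched.
count_rules_for() {
    build_rules | grep -c -- "-A $1 "
}

# Dry run by default; APPLY=yes (as root) actually executes the commands.
apply_rules() {
    if [ "${APPLY:-no}" = "yes" ]; then
        build_rules | sh -e
    else
        build_rules
    fi
}

apply_rules
```

Why each piece is there: `ip_forward=1` lets the pseudoproxy pass packets between hosts at all; the PREROUTING DNAT rewrites the destination from 10.1.1.100:443 to 55.55.55.55:443; the POSTROUTING SNAT makes the packet leave with source 10.1.1.100, which is the only source the firewall permits. The "magic" return path is conntrack: the kernel records both translations for the connection and undoes them on the reply, so 55.55.55.55 answers 10.1.1.100 and the browser at 10.1.1.200 receives the reply from 10.1.1.100:443 as it expects. The FORWARD chain defaults to DROP and accepts only this one destination and port, which keeps the box from becoming a general-purpose router. Two caveats: the rules are not persistent across reboots (use your distribution's iptables-persistent or nftables equivalent), and because nothing terminates TLS, the browser sees 55.55.55.55's certificate unchanged and will validate it against whatever hostname it typed, so the client has to reach the pseudoproxy under the server's real hostname rather than by raw IP.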

Dumb forwarding from a LAN to a WAN is a bit unusual to do but probably still possible. However, personally I would care more about the nature of the setup rather than technical feasibility.


What's this 10 and 55 network like? Are they at all related to each other? Controlled by the same organization, or administered separately? Is the 55 machine publicly accessible, possibly with its own hostname (be that a domain- or subdomain-level name)?


Forwarding and proxying "feel" different. Forwarding is more about the (in)convenience of a network setup and is a software solution to a hardware problem, while proxying is like providing a workaround to a sensible situation that is yet disadvantageous to your needs and unable to be altered. Forwarding is about getting into somewhere while proxying is about getting out of somewhere. Or something like that. One of those two should "feel" more appropriate for this situation.


The 10 network is an elementary school managed by the school's IT department.

The 55 network is just being used to indicate a public server with a host name on the Internet.


There are really two things going on.


Getting data

udp_servers >------> udp_client_to_http_client >-----firewall-----> http_rest_server >-----> database

Retrieving data

web_client >------> web_server_with_http_client >-----firewall-----> http_rest_server >-----> database
           <------<                             <------------------<                  <-----<


Given the above architecture, the firewall needs to be configured to allow both the udp_client_to_http_client and the web_server_with_http_client to have outgoing access to the http_rest_server.


As an alternative solution, my thoughts are to configure the udp_client_to_http_client to also act as a proxy/forwarder/whatever as shown below.


Retrieving data

web_client >------> web_server_with_http_client >------> repurposed_udp_client_to_http_client >-----firewall-----> http_rest_server >-----> database
           <------<                             <------<                                      <------------------<                  <-----<


Does this smell like dumb forwarding or a proxy?  Any concerns?  Thank you!


The 10 network is an elementary school managed by the school's IT department.

The 55 network is just being used to indicate a public server with a host name on the Internet.

That makes me lean towards a proxy.


I take it this proxy server thing would be in a DMZ? I'd actually expect the school to have something capable of this proxying/forwarding business already - are you sure you have to set up something new? There really aren't any existing mechanisms they have in place for this kind of job? The fact that they have a DMZ (I assume) implies they're actively using it, and your use case fits right into that.


Archived

This topic is now archived and is closed to further replies.
