Jump to content

Creating a forward proxy


Go to solution Solved by Jacques1,

Recommended Posts

I would like to create a web proxy which will allow HTTPS requests from a webclient browser to be forwarded to a webserver with a different IP (and maybe port), and upon a response from the webserver, have the response forwarded back to the webclient browser.

 

This is considered a forward proxy and not a reverse proxy, right?

Any recommendations on where to start?

Will I need to install a webserver such as ngnix on the proxy machine, or are their other options?

 

Thanks

Link to comment
Share on other sites

  • Solution

This is considered a forward proxy and not a reverse proxy, right?

 

If the client explicitly connects to the proxy for the sake of reaching another server, then it's a forward proxy.

 

 

 

Will I need to install a webserver such as ngnix on the proxy machine, or are their other options?

 

You will need a forward proxy. nginx isn't one, and Apache needs additional modules. Consider using a dedicated proxy like squid.

Link to comment
Share on other sites

Before committing to squid, let me provide some more information.

 

Content transferred will be very limited, and will only be small json strings.  As such, caching is not required.

No filtering or restricting access is required, and the firewall is configured to only allow outgoing access from the machine in question to the single desired ip.

I would like to keep cpu/memory requirements to a minimum.

 

I've also looked at tinyproxy, but wonder if it too is overkill.

Link to comment
Share on other sites

Appearently there's confusion about the terms.

 

If you just want to rewrite the destination of packets, then we're talking about NAT (network address translation). If you want to route packets, that's routing. None of this has anything to do with a forward proxy.

Link to comment
Share on other sites

I'm reading between the lines. Notion mentions a proxy but so far the only requirement has been a device that is able to carry HTTP(S) transactions between two networks, and "proxy" is a popular term for the general purpose of ferrying packets even though the word has a more technical definition.

 

Now, if there needed to be HTTPS->HTTP forwarding then a true proxy would be necessary rather than dumb forwarding.

Link to comment
Share on other sites

Sure, I'm simply saying that using a specific term like "forward proxy" (as opposed to the generic "proxy") when you want something entirely different is not very clever, especially in a programming community where words actually have meanings.

 

But I agree this sounds more like a case for forwarding.

Link to comment
Share on other sites

Sorry for the ambiguity.

 

No need for HTTPS->HTTP.

 

Firewall/gatway is configured to allow outgoing access for IP 10.1.1.100:443 to 55.55.55.55:443

Webbrowser with IP 10.1.1.200 makes a request to 10.1.1.100:443.

Pseudoproxy with IP 10.1.1.100 changes request from 10.1.1.100:443 to 55.55.55.55:443

Webserver with IP 55.55.55.55 receives the request, and responds to 10.1.1.100:443 which in turn responds to 10.1.1.200:443 

 

Edited by NotionCommotion
Link to comment
Share on other sites

Hi,

 

Is the verdict that all I need is dumb forwarding?  And will the response magically be forwarded back to the originator?  Is this a sysctl or iptables thing?

 

PS.  Note that I am not attempting to circumvent some organization's IT policy. When I stated that the firewall is configured to allow outgoing access from a given ip/port to another, it is because I asked them to configure it so and not that I discovered some vulnerability.  I actually need to conduits to this external ip, and thought it would be easier for them to manage a single ip with two ports.

Link to comment
Share on other sites

Dumb forwarding from a LAN to a WAN is a bit unusual to do but probably still possible. However personally I would care more about the nature of the setup rather than technical feasibility.

 

What's this 10 and 55 network like? Are they at all related to each other? Controlled by the same organization, or administered separately? Is the 55 machine publicly accessible, possibly with its own hostname (be that a domain- or subdomain-level name)?

 

Forwarding and proxying "feel" different. Forwarding is more about the (in)convenience of a network setup and is a software solution to a hardware problem, while proxying is like providing a workaround to a sensible situation that is yet disadvantageous to your needs and unable to be altered. Forwarding is about getting into somewhere while proxying is about getting out of somewhere. Or something like that. One of those two should "feel" more appropriate for this situation.

Link to comment
Share on other sites

The 10 network is an elementary school managed by the school's IT department.

The 55 network is just being used to indicate a public server with a host name on the Internet.

 

There are really two things going on.

 

Getting data

 udp_servers >------> udp_client_to_http_client >-----firewall-----> http_rest_server >-----> database

 

Retrieving data

web_client >------> web_server_with_http_client >-----firewall-----> http_rest_server >-----> database

                   <------<                                                    <--------------------<                             <------<

 

Given the above architecture, the firewall needs to be configured to allow both the udp_client_to_http_client and the web_server_with_http_client to have outgoing access to the http_rest_server.

 

As an alternative solution, my thoughts are to configure the udp_client_to_http_client to also act as a proxy/forwarder/whatever as shown below.

 

Retrieving data

web_client >------> web_server_with_http_client >------> repurposed_udp_client_to_http_client >-----firewall-----> http_rest_server >-----> database

                   <------<                                                    <------<                                                                    <--------------------<                               <-----<

 

Does this smell like dumb forwarding or a proxy?  Any concerns?  Thank you!

 
Link to comment
Share on other sites

The 10 network is an elementary school managed by the school's IT department.

The 55 network is just being used to indicate a public server with a host name on the Internet.

That makes me lean towards a proxy.

 

I take it this proxy server thing would be in a DMZ? I'd actually expect the school to have something capable of this proxying/forwarding business already - are you sure you have to set up something new? There really aren't any existing mechanisms they have in place for this kind of job? The fact that they have a DMZ (I assume) implies they're actively using it, and your use case fits right into that.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.