
HTTP proxy in back-end network

OLD: Affects version(s): 
6.0 and newer
5.0 and newer
4.2 all versions

For integration work or debugging it may be useful to use an HTTP proxy server behind Airlock. This is an easy way to look inside back-end HTTPS traffic, or to see a summary of all back-end requests.

Preparation

First, there must be an HTTP proxy server somewhere in the back-end network. Choose your preferred proxy server and install it there.

Free HTTP proxy servers:

After installing the proxy server, test it by using a browser with the proxy server configured. Once you are happy with the test, you can use the proxy server with Airlock.

Limitations

  • The HTTP proxy server needs to be able to resolve the back-end host names.
  • If the back-end uses TLS/SSL, the proxy server needs to be able to establish a tunnel to the back-end using the HTTP method "CONNECT".
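Both limitations can be checked before Airlock is pointed at the proxy. The following is an added example, not part of the original article or of Airlock: it sends a CONNECT request for a back-end to the proxy and classifies the reply. The function names and the mapping of status codes to causes (typical proxy behaviour) are assumptions; the back-end name is a placeholder.

```python
import socket

def classify_connect_reply(head: bytes):
    """Map the proxy's reply to a CONNECT request onto (ok, status, meaning)."""
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return (False, 0, "no valid HTTP reply from the proxy")
    status = int(parts[1])
    if 200 <= status < 300:  # any 2xx reply means the tunnel is open
        return (True, status, "tunnel established")
    if status in (403, 405):
        return (False, status, "proxy refuses CONNECT to this host or port")
    if status == 407:
        return (False, status, "proxy requires authentication")
    if status in (502, 503, 504):
        return (False, status, "proxy cannot resolve or reach the back-end")
    return (False, status, "unexpected reply to CONNECT")

def check_connect(proxy_host, proxy_port, backend_host, backend_port=443, timeout=5.0):
    """Ask the proxy for a tunnel to backend_host:backend_port.

    The back-end is sent by name, so the proxy (not this host) resolves it.
    """
    target = f"{backend_host}:{backend_port}"
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        head = b""
        # Read only the response header; a tunnel would carry TLS after it.
        while b"\r\n\r\n" not in head and len(head) < 8192:
            chunk = sock.recv(1024)
            if not chunk:
                break
            head += chunk
    return classify_connect_reply(head)

if __name__ == "__main__":
    # Proxy address as in this page's examples; the back-end name is a placeholder.
    try:
        print(check_connect("10.0.0.17", 3128, "webapp.example.com", 443))
    except OSError as exc:
        print("proxy not reachable:", exc)
```

A result other than "tunnel established" for a TLS back-end means Airlock will not reach that back-end through the proxy either.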

How to use the proxy server

Airlock 5.1

Proxy server support is now available as a Security Gate Expert Setting. A proxy server can be configured globally or per back-end group.

Example configuration (global scope):

SecurityGateway * BackendProxy.Proxy             "10.0.0.17:3128"
SecurityGateway * BackendProxy.NoProxyFor        "127.0.0.1,localhost,localauth"
SecurityGateway * BackendProxy.Tunnel            "TRUE"

Airlock 5.0

Unfortunately, HTTP proxy support is broken in Airlock 5.0.

Airlock 4.2

The proxy is used automatically if the variable all_proxy is set in the shell environment of the gatekeeper/security_gate.

# all_proxy=http://10.0.0.17:3128/
# export all_proxy
# /etc/init.d/slt.sg stop
Stopping Security Gateway
# /etc/init.d/slt.sg start
Starting Security Gateway

By restarting security_gateway all user sessions will be terminated.

The proxy settings are not persistent - after the next reboot or license change the settings will be lost.

To deactivate the HTTP proxy, reset the variable to empty and restart again, or just reboot the whole system.

Supported proxy variables:

Variable      Example                          Description
all_proxy     http://proxy.example.com:888/    Proxy to be used for HTTP and HTTPS back-end requests
http_proxy    http://proxy.example.com:888/    Proxy to be used for HTTP back-end requests
https_proxy   http://proxy.example.com:888/    Proxy to be used for HTTPS back-end requests
no_proxy      webapp.example.com,localauth     Comma-separated list of back-end servers which shouldn't be proxied. This is useful for applications that run on Airlock itself (such as the authentication service "localauth").
