You are here

HTTP proxy in back-end network

Affects version(s): 
6.0 and newer
5.0 and newer
4.2 all versions

For integration work or debugging it may be useful to use a HTTP proxy server behind Airlock. This is an easy way to look inside backend HTTPS-traffic or it can be used to see all backend requests as a summary.

Preparation

First there must be a HTTP proxy server somewhere in the backend network. Choose your preferred proxy server and install it in the backend network.

Free HTTP proxy servers:

After having installed the proxy server - test it by using a browser with the proxy server configured. Once you are happy with the test you can use the proxy server with Airlock.

Limitations

  • The HTTP proxy server needs to be able to resolve the back-end host names.
  • If the back-end uses TLS/SSL, the proxy server needs to be able to establish a tunnel to the back-end using the HTTP method "CONNECT".

How to use the proxy server

Airlock 5.1

Proxy server support is now available as a Security Gate Expert Setting. A proxy server can be configured globally or per back-end group.

Example configuration (global scope):

SecurityGateway * BackendProxy.Proxy             "10.0.0.17:3128"
SecurityGateway * BackendProxy.NoProxyFor        "127.0.0.1,localhost,localauth"
SecurityGateway * BackendProxy.Tunnel            "TRUE"

Airlock 5.0

Unfortunately, HTTP proxy support is broken in Airlock 5.0.Airlock 4.2

The proxy is automatically used, if the variable all_proxy is set in the shell-environment of the gatekeeper/security_gate.

# all_proxy=http://10.0.0.17:3128/
# export all_proxy
# /etc/init.d/slt.sg stop
Stopping Security Gateway
# /etc/init.d/slt.sg start
Starting Security Gateway

By restarting security_gateway all user sessions will be terminated.

The proxy settings are not persistent - after the next reboot or license change the settings will be lost.

To deactivate the HTTP proxy reset the variable to empty and restart again or just reboot the whole system.

Supported proxy variables:

Variable Example
Description

all_proxy

http://proxy.example.com:888/

Proxy to be used for HTTP and HTTPS back-end requests

http_proxy

http://proxy.example.com:888/

Proxy to be used for HTTP back-end requests

https_proxy

http://proxy.example.com:888/

Proxy to be used for HTTPS back-end requests

no_proxy

webapp.example.com,localauth

comma-separated list of back-end servers which shoudn't be proxied

This is useful for applications that run on Airlock itself (such as authentication service- "localauth")

Knowledge Base Categories: