Hi, I am not sure if this is the right category or the right website, but I’m stuck on a problem to do with basic networking, and as this is my first foray into HTTPS, TLS, SSL etc. I’m looking for some help.
How it currently works:
The client currently sends an HTTPS (POST) request with a bunch of JSON data to an external domain and receives information based on the domain, which is also a bunch of JSON data.
How I want it to work:
The client sends an HTTPS (POST) request with a bunch of JSON data to an internal domain/IP; the internal domain/IP then verifies that the client is allowed to send this HTTPS request based on some data in a database and, if they are authenticated, forwards all the HTTPS POST request information to the external domain, receives the response and forwards it to the client.
I cannot tell if I want a forward proxy or a reverse proxy. I think I want a reverse proxy because I want the client to send the POST request to a new domain and not the external domain. I’ve looked at Traefik and Nginx as reverse proxies, and Traefik seems good. They have BasicAuth as a middleware, so it seemed like the correct solution. However, after trying it out, it seems like I cannot forward the client to an external domain whilst capturing their entire POST request. I then looked at Nginx forward and reverse proxies; with the forward proxy I was able to forward my POST request on but wasn’t able to authenticate the users at all, and the reverse proxy ended in the same result as Traefik.
Edit: The redirection worked, but only with TCP, not HTTP! Forgot to mention.
On top of all of this I would also like to maintain HTTPS and secure all the traffic to both the internal and the external domain.
Do you know of any software that works alongside Traefik or Nginx that would work in this case? Or if you have a better solution than using either Traefik or Nginx, that would be great. Any help appreciated.
I’ve still got some questions regarding your diagram:
How is the client authenticated on the internal domain?
How does the internal domain authenticate itself to the external domain?
You could use basic HTTP authentication for both cases, which would work fine.
You could use a single basic HTTP authentication user per internal domain to authenticate internal domain → external domain. This way, external domain maintains a list of allowed internal domains.
Your users would be registered and verified only at the internal domain. Because the external domain trusts the internal domain, this could achieve what you’re trying to do.
The internal domain simply acts as an authenticated reverse proxy to the external domain, with separate users for client → internal domain and internal domain → external domain.
Of course, both external domain and internal domain need to reject unauthenticated users.
I think regular nginx can do what I’ve described here just fine.
I’ve never used Traefik.
Yes. Users are only registered and verified at the internal domain. No user data is held at the external domain and it’s considered secure via SSL encryption. I’m planning to authenticate users at the internal domain by generating a JWT but I’m not concerned about this point yet.
The external domain does presume a certain level of trust in the internal domain, yes. And the external domain does no verification that a user is who they say they are.
OK, I am currently looking at an nginx reverse proxy with proxy_pass + Authelia for authentication. Thanks for the response!
Reverse. … as in, you don’t want clients to change what protocol they speak just because they’re speaking to a proxy, you want the proxy to be a lightweight frontend to some other https service.
If using nginx to do some auth for a domain, it’s doable, but I’m not sure OTOH if arbitrary database queries are supported or if you’ll have to fire a subrequest, in nginx parlance.
Since there’s mention of jwt … you may want to also consider authelia and caddy with authp.
You’ll want nginx or caddy or traefik to serve https://int.example.com … and forward requests received to https://ext.service.com (upstream in nginx speak) … and then, for every request that nginx/caddy/traefik receives, you’ll want to do some checking (some kind of auth)
… and also, you’ll need certs for https for int.example.com and ext.service.com … although that one probably has it already.
What isn’t clear in any Nginx guides I’ve read is: if it’s behind a reverse proxy, do I need to forward the correct IP? As in, where do I set https://int.example.com/ in the Nginx conf?
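An added example, not posted by anyone in this thread, of the nginx setup the reply above describes: int.example.com terminates TLS, checks every request with an auth_request subrequest against an auth service, and only then forwards the full POST over TLS to ext.service.com; the server_name and X-Forwarded-For lines are where the hostname and the client IP from the follow-up question are handled. The certificate paths, the auth service on 127.0.0.1:9091 and its /api/verify endpoint, the CA bundle path and the Basic credential placeholder are assumptions.

```nginx
# Added example, not from anyone in the thread. Assumed: cert paths, an auth service on
# 127.0.0.1:9091 whose /api/verify answers 2xx (allow) or 401/403 (deny), and a placeholder
# Basic credential for the proxy -> external-domain hop. Needs ngx_http_auth_request_module.
server {
    listen 443 ssl;
    server_name int.example.com;            # this is where https://int.example.com/ is "set"

    ssl_certificate     /etc/nginx/certs/int.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/int.example.com.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Internal-only location that nginx calls as a subrequest before every client request.
    # Put the database/JWT check behind it (an Authelia-style endpoint is assumed here).
    location = /auth {
        internal;
        proxy_pass http://127.0.0.1:9091/api/verify;
        proxy_pass_request_body off;        # the checker only needs headers, not the JSON body
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL     $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-For    $remote_addr;
    }

    location / {
        auth_request /auth;                 # only a 2xx from /auth lets the request through;
                                            # a 401/403 from /auth is returned to the client

        # Forward the whole request (method, headers, JSON body) to the external domain over TLS.
        proxy_pass https://ext.service.com;
        proxy_set_header Host ext.service.com;
        proxy_ssl_server_name on;           # send SNI so the upstream presents the right cert
        proxy_ssl_verify on;                # and verify that cert against the CA bundle below
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;   # assumed path
        proxy_set_header X-Forwarded-For $remote_addr;   # the client IP, for the upstream's logs

        # Second credential: one Basic-auth user per internal domain, known to the external domain.
        proxy_set_header Authorization "Basic REPLACE_WITH_BASE64_USER_COLON_PASSWORD";

        # The client's own session cookie belongs to the internal domain only; drop it upstream.
        proxy_set_header Cookie "";
    }
}
```

Because proxy_pass points at a hostname rather than a plain TCP stream, the response body from ext.service.com is relayed back to the client over the same HTTPS connection, which is the HTTP-level forwarding the TCP-only attempt above did not give.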