Reference12r1:Concept Reverse Proxy: Difference between revisions

From innovaphone wiki

Revision as of 18:26, 11 February 2016

The Reverse Proxy is a software module, which is available on innovaphone gateways. It is designed to allow safe access to services of the innovaphone PBX from the public internet. To accomplish this the gateway must be accessible from the public internet, either by NAT port forwarding or directly. The reverse proxy forwards traffic to configurable destinations. The access to internal destinations can be limited in several ways, and algorithms to detect attacks are implemented, which are used to put IP addresses into a blacklist. The reverse proxy supports H.323, SIP, HTTP and LDAP over TCP or TLS.

Configuration

The reverse proxy only accepts connections on the supported protocols if the port numbers for these protocols are configured. The well-known port numbers or non-standard port numbers can be used for these protocols.

A timeout may be configured until which an entry in the blacklist is removed automatically.

A threshold of suspicious requests per minute can be used to tune the detection of attacks.

Forwarding to internal destinations is based on the addressed host. For this the received requests are analysed, and for each supported protocol different elements are used to identify the addressed host.

Basic Operation

Connections are accepted on the configured port. The received protocol is analysed to determine the addressed host, and an internal connection is established to this host. If the incoming connection is TCP, TCP is used for the internal connection as well; if the external connection is TLS, TLS is used for the internal connection. If only TCP or only TLS is configured for the internal connection, it is used regardless of whether the incoming connection was TCP or TLS.

If the Check Certificate checkmark is set, TLS is used for the internal connection only if the received certificate matches the user name within the protocol. This way a host receiving a request through the Reverse Proxy using TLS can assume that the connection was authenticated using a valid certificate which matches the user.

H.323

For H.323 registrations, the gatekeeper identifier received in GatekeeperRequest or RegistrationRequest messages is matched to the Name configured for the host. Only H.323 over H.225 (H.450-17) is supported.

For calls without registration a destination in the form <user>@<domain> is expected. <domain> is matched to the Name configured for the host. This can be used for H.323 open federation.

SIP

For SIP registrations the domain part of the From header of a REGISTER message is matched to the Name of the configured host.

HTTP

For HTTP requests the Host header is matched to the Name of the configured host. If within a single TCP/TLS connection requests are sent to different hosts, the outgoing connection is terminated and a new connection is established for the request to the other host.

The path which may be accessed can be restricted by configuring the allowed path. If the path is configured with a trailing '/', no access to folders inside this path is allowed.
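As an added example (not innovaphone code), the host-matching rules from the SIP and HTTP sections above and the allowed-path rule, implemented over constructed messages; the host table, the hostnames and the reading of the trailing-'/' rule are assumptions made for this illustration.

```python
import re

# Constructed configuration (not innovaphone's): host Name -> allowed HTTP path.
HOSTS = {"pbx.example.com": None, "web.example.com": "/admin/"}

def _header(msg, *names):
    """First header value (case-insensitive name) of a SIP/HTTP message, or None."""
    for line in msg.split("\r\n")[1:]:
        if not line:
            break                                  # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() in names:
            return value.strip()
    return None

def sip_register_domain(msg):
    """Domain part of the From header of a SIP REGISTER request, else None."""
    if not msg.startswith("REGISTER "):
        return None
    m = re.search(r"sips?:(?:[^@>\s]*@)?([^;>:\s]+)", _header(msg, "from", "f") or "")
    return m.group(1).lower() if m else None

def http_host_and_path(req):
    """(Host header without port, request path) of an HTTP request, else None."""
    parts = req.split("\r\n", 1)[0].split(" ")
    host = _header(req, "host")
    if len(parts) != 3 or host is None:
        return None
    return host.split(":")[0].lower(), parts[1]

def path_allowed(path, allowed):
    """Allowed-path rule as read from the page (assumed reading): a trailing '/'
    permits files in that folder only, not folders below it; no trailing '/'
    permits everything under the path; None means no restriction."""
    if allowed is None:
        return True
    if allowed.endswith("/"):
        return path.startswith(allowed) and "/" not in path[len(allowed):]
    return path == allowed or path.startswith(allowed + "/")

def route(protocol, data):
    """Name of the internal host the request is forwarded to, or None if rejected."""
    if protocol == "sip":
        name = sip_register_domain(data)
        return name if name in HOSTS else None
    if protocol != "http" or (hp := http_host_and_path(data)) is None:
        return None
    host, path = hp
    return host if host in HOSTS and path_allowed(path, HOSTS[host]) else None
```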