Reference15r1:Services/Reverse-Proxy

From innovaphone wiki

Revision as of 06:30, 17 April 2025

The reverse proxy forwards the H.323, SIP, LDAP, HTTP and SMTP requests it receives to other hosts, based on information such as the gatekeeper name, host name, path or domain. This way it can be controlled which services may be accessed through the reverse proxy: only requests that match a configured host rule are forwarded, everything else is rejected. A reverse proxy may be located at the boundary between a private and a public network, or inside the private network if the respective ports are forwarded to it by the NAT router/firewall. It can even be configured on the same device as the PBX itself. In this case the other services on the device should use non-standard ports, so that the reverse proxy can receive the requests on the standard ports and forward them locally to the non-standard ports.

General Parameters

No IPv4
Turn off IPv4 for the reverse proxy function
No IPv6
Turn off IPv6 for the reverse proxy function
H.323/TCP, H.323/TLS
Ports for incoming H.323 TCP or TLS Connections. Use 1720 and 1300 for the standard ports.
SIP/TCP, SIP/TLS
Ports for incoming SIP TCP or TLS Connections. Use 5060 and 5061 for the standard ports.
LDAP, LDAPs
Ports for incoming LDAP TCP or TLS connections. Use 389 and 636 for the standard ports.
HTTP, HTTPS
Ports for incoming HTTP TCP or TLS connections. Use 80 and 443 for the standard ports.
SMTP, SMTPS
Ports for incoming SMTP TCP or TLS connections. Use 25 and 587 for the standard ports. Note that 587 is the message submission port, on which clients normally start in plain text and upgrade with STARTTLS (see the STARTTLS section below); implicit TLS from the first byte (SMTPS as defined in RFC 8314) uses port 465. Configure the TLS port according to how your external clients actually connect.
Log Forwarded Requests
Activate protocol-dependent logging for successfully forwarded/accepted requests.
Log Rejected Requests
Activate protocol-dependent logging for rejected/non-accepted requests.
Blacklist Expiration
Time in minutes after which an address that was put on the blacklist automatically is removed from it again.
Suspicious Requests/min
Number of suspicious requests per minute from one address at which that address is put on the blacklist automatically.
Public NAT router address
Required for SIP if the RP is behind NAT. External SIP clients receive this value in the Route header of SIP messages. A DNS name or an IP address, together with a port, can be configured here.
If it is not configured, the RP writes its own local IP address and port into the Route header of SIP messages. This only works if the RP has a public local IP address.
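The interplay of Suspicious Requests/min, Blacklist Expiration and the Counter and Addresses pages is easier to see in code. The following Python model is an added example, not innovaphone code. It assumes details the page does not state: a rejected request counts as suspicious, the rate is measured over a sliding 60 second window, and an address is blacklisted as soon as it reaches the threshold. The addresses used are constructed documentation addresses.

```python
"""Model of the reverse proxy's automatic blacklist as described by the
parameters "Suspicious Requests/min", "Blacklist Expiration" and the
Counter / Addresses pages.  Added illustration, not innovaphone code.

Assumptions not stated on the page: a rejected request counts as suspicious,
the per-minute rate is evaluated over a sliding 60 second window, and an
address is blacklisted as soon as it reaches the threshold.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple


class Blacklist:
    def __init__(self, suspicious_per_min: int, expiration_min: int):
        self.threshold = suspicious_per_min
        self.expiration = expiration_min * 60          # seconds
        self.events: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Dict[str, float] = {}            # addr -> expiry time
        self.whitelist: Set[str] = set()               # never blacklisted

    def is_blocked(self, addr: str, now: float) -> bool:
        expiry = self.blocked.get(addr)
        if expiry is None:
            return False
        if now >= expiry:                              # Blacklist Expiration elapsed
            del self.blocked[addr]
            return False
        return True

    def record_rejected(self, addr: str, now: float) -> bool:
        """Count one rejected request; return True if addr got blacklisted now."""
        if addr in self.whitelist:
            return False
        window = self.events[addr]
        window.append(now)
        while window and now - window[0] >= 60:        # drop events older than a minute
            window.popleft()
        if len(window) >= self.threshold:
            self.blocked[addr] = now + self.expiration
            window.clear()
            return True
        return False

    def top(self, n: int = 10) -> List[Tuple[int, str]]:
        """Counter view: addresses with the most suspicious requests in the window."""
        counts = [(len(w), a) for a, w in self.events.items() if w]
        return sorted(counts, reverse=True)[:n]


def demo():
    bl = Blacklist(suspicious_per_min=5, expiration_min=10)
    trusted = "192.0.2.1"                              # constructed whitelisted address
    bl.whitelist.add(trusted)
    t = 1000.0
    attacker, client = "203.0.113.7", "198.51.100.4"   # constructed addresses
    for i in range(5):                                 # five rejects within seconds
        bl.record_rejected(attacker, t + i)
    bl.record_rejected(client, t)                      # a single failure is harmless
    for i in range(20):
        bl.record_rejected(trusted, t + i)             # whitelist wins
    return {
        "attacker_blocked": bl.is_blocked(attacker, t + 10),
        "client_blocked": bl.is_blocked(client, t + 10),
        "trusted_blocked": bl.is_blocked(trusted, t + 10),
        "attacker_after_expiry": bl.is_blocked(attacker, t + 700),
        "top": bl.top(),
    }
```

Note that the blacklist entry starts expiring from the moment the threshold was reached, not from the last request, so a persistent attacker is re-blacklisted as soon as it produces another burst after the expiration.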

Hosts

List of configured hosts. Click on the host name to edit or delete it. Use New to add a new host.

Out
Destination IP address (IPv4 or IPv6) for this rule, followed by the plain-text port.
Alternatively a destination DNS name: it must start with @ and is limited to 15 characters. For longer names you can use a DNS suffix (see DNS Suffixes below).
TLS
Port for encrypted traffic
Check Certificate
If the Check Certificate check-mark is set, TLS is used for the internal connection only if the certificate received from the client matches the user name within the protocol. A host receiving a request through the reverse proxy over TLS can then assume that the connection was authenticated with a valid certificate matching that user.
App Login
Experimental feature that allows access only if a myPBX session has been authenticated beforehand. Not supported for myApps.
Default
This rule is used if only the domain, without a path or file in the URI, was requested. The empty path is then replaced by the path of the specified URL when the request is forwarded (e.g. an entry http://<host>/web/index.htm with the Default check-mark ticked matches requests with no path, and the request is forwarded with the path set to /web/index.htm). Note that an implicit rule is also created that forwards all requests for files in and beneath the folder containing the default document (in the example, requests for all files under http://<host>/web are forwarded).
MTLS
Request mutual TLS (MTLS) on incoming connections. The requesting client has to provide the TLS server name (SNI) on the incoming TLS connection; the server name is used to match the host. If the check-mark is set, a client certificate is requested. If no server name is provided, or no valid client certificate, the connection for this host is rejected. The name of the received and validated certificate is forwarded to the destination in the X-Remote-Cert HTTP header. The destination should trust this header only on connections that come from the reverse proxy, since a client that can reach the destination directly could set the header itself.
Network
addr:network, to restrict a configured protocol to certain source networks
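The Default rule and its implicit folder rule decide which paths reach the internal host, so it is worth seeing the matching in code. The following Python model is an added example, not innovaphone code. The Default semantics (empty path replaced, files beneath the default document's folder forwarded) are taken from the description above; that a rule without Default matches by path prefix, and that paths are normalized before matching, are assumptions of this model. The host names, addresses and rules are constructed.

```python
"""Model of a reverse proxy host rule with the Default check-mark applied to
incoming HTTP requests.  Added illustration, not innovaphone code.

From the page: a Default rule matches a request with no path and forwards it
with the configured path, and an implicit rule forwards every request for a
file in or beneath the folder of the default document.
Assumptions: a rule without Default matches requests whose path starts with
the configured path, and paths are normalized before matching.
"""
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HostRule:
    name: str            # host name the client asks for (Host header / SNI)
    url: str             # configured URL, e.g. "http://10.0.0.5/web/index.htm"
    default: bool = False


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments so they cannot escape a folder rule."""
    if path in ("", "/"):
        return "/"
    return posixpath.normpath("/" + path.lstrip("/"))


def under(path: str, folder: str) -> bool:
    """True if path is the folder itself or a file beneath it."""
    return folder == "/" or path == folder or path.startswith(folder + "/")


def match(rules: List[HostRule], host: str, path: str) -> Optional[Tuple[str, str]]:
    """Return (destination, forwarded path), or None if the request is rejected."""
    path = normalize(path)
    for rule in rules:
        if rule.name.lower() != host.lower():
            continue
        parts = urlsplit(rule.url)
        dest, rule_path = parts.netloc, parts.path or "/"
        if rule.default:
            if path == "/":
                return dest, rule_path                 # empty path replaced
            if under(path, posixpath.dirname(rule_path)):
                return dest, path                      # implicit folder rule
        elif path.startswith(rule_path):
            return dest, path                          # assumed prefix match
    return None


# Constructed configuration for the demonstration.
RULES = [
    HostRule("pbx.example.com", "http://10.0.0.5/web/index.htm", default=True),
    HostRule("pbx.example.com", "http://10.0.0.6/api/"),
]


def demo():
    cases = {
        "no_path": ("pbx.example.com", ""),
        "under_folder": ("pbx.example.com", "/web/css/style.css"),
        "traversal": ("pbx.example.com", "/web/../admin.xml"),
        "other_rule": ("pbx.example.com", "/api/v1/users"),
        "unknown_host": ("other.example.com", ""),
    }
    return {k: match(RULES, *v) for k, v in cases.items()}
```

The traversal case is the check a practitioner should make against any such rule set: the implicit folder rule only stays confined to /web if dot segments are resolved before the folder comparison, and a request for a path outside every configured rule must fall through to rejection.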

SMTP

The host is searched for by different criteria, based on what is seen on the incoming socket.
The criteria are checked in the given order and the first match wins.

TLS
the server name (SNI) sent in the TLS handshake
EHLO
the client host name sent in the client's EHLO SMTP protocol message
AUTH
the username of an AUTH PLAIN login. The whole username is matched and if no match is found, the domain part after an @ sign if present.
RCPT-TO
the recipient mail address. The whole mail address is matched and if no match is found, the domain part.

STARTTLS

  • If the EHLO message already suffices to determine the host, STARTTLS is handled by the server behind the RP; port forwarding must then be done to the non-TLS port.
  • Otherwise the RP itself handles the STARTTLS handshake. It then does not matter whether you forward internally to the non-TLS port or the TLS port, but STARTTLS is not performed towards the server in any case.
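The host selection order and the STARTTLS consequence above can be modelled in a few lines. The following Python code is an added example, not innovaphone code. The criteria order (TLS SNI, EHLO, AUTH, RCPT-TO), the fallback to the domain part for AUTH and RCPT-TO, and the rule that only an EHLO match leaves STARTTLS to the backend are taken from the page; the data structures, host names and addresses are constructed for the demonstration.

```python
"""Model of how the reverse proxy selects the SMTP host for an incoming
connection and who then terminates STARTTLS.  Added illustration, not
innovaphone code.  The selection order (TLS SNI, EHLO, AUTH, RCPT-TO) and the
fallback to the domain part follow the page; everything else is a model.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SmtpHost:
    name: str                       # configured host name
    out: str                        # internal destination, plain-text port
    out_tls: Optional[str] = None   # internal destination, TLS port


def _lookup(hosts: Dict[str, SmtpHost], value: Optional[str]) -> Optional[SmtpHost]:
    return hosts.get(value.lower()) if value else None


def _lookup_with_domain(hosts: Dict[str, SmtpHost], value: Optional[str]) -> Optional[SmtpHost]:
    """Whole value first; if that fails, the domain part after '@' (if any)."""
    host = _lookup(hosts, value)
    if host is None and value and "@" in value:
        host = _lookup(hosts, value.rsplit("@", 1)[1])
    return host


def select_host(hosts, sni=None, ehlo=None, auth_user=None, rcpt_to=None):
    """Return (host, criterion) for the first criterion that matches, or None."""
    candidates = (
        ("TLS", _lookup(hosts, sni)),
        ("EHLO", _lookup(hosts, ehlo)),
        ("AUTH", _lookup_with_domain(hosts, auth_user)),
        ("RCPT-TO", _lookup_with_domain(hosts, rcpt_to)),
    )
    for criterion, host in candidates:
        if host is not None:
            return host, criterion
    return None


def tls_plan(host: SmtpHost, criterion: str) -> Tuple[str, str]:
    """Who handles STARTTLS and which internal port has to be used."""
    if criterion == "EHLO":
        # Host known before STARTTLS: the backend does the handshake, so the
        # proxy must forward to the plain-text port.
        return "backend", host.out
    # Proxy terminates TLS itself (SNI match or STARTTLS needed to read
    # AUTH / RCPT TO); either internal port works, STARTTLS is not relayed.
    return "proxy", host.out_tls or host.out


# Constructed configuration: one host matched by name, one matched by domain.
HOSTS = {
    "mail.example.com": SmtpHost("mail.example.com", "10.0.0.20:25", "10.0.0.20:465"),
    "example.com": SmtpHost("example.com", "10.0.0.21:25"),
}


def demo():
    scenarios = {
        "ehlo_known": dict(ehlo="mail.example.com"),
        "auth_domain": dict(ehlo="laptop", auth_user="alice@example.com"),
        "sni_first": dict(sni="mail.example.com", ehlo="laptop"),
        "no_match": dict(ehlo="laptop", rcpt_to="bob@nowhere.test"),
    }
    out = {}
    for label, kw in scenarios.items():
        sel = select_host(HOSTS, **kw)
        out[label] = None if sel is None else (sel[1], tls_plan(*sel))
    return out
```

The practical consequence for the internal port configuration: if your clients can only be recognised by AUTH user name or recipient, the proxy has to hold the certificate for the STARTTLS handshake, and the backend never sees a STARTTLS command on that connection.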

DNS Suffixes

If you want to forward requests to internal DNS names instead of IP addresses and such a DNS name is longer than 15 characters, you must use a DNS suffix to reference it.

Id
A unique id, used as the reference
Suffix
The suffix that replaces #Id

To use such a suffix in the Out field of a host, write it like this: @host1.#1. This is expanded to host1.example.com if the suffix with Id 1 has the value example.com.
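As an added example (not innovaphone code), the following Python function shows how an Out value is resolved: an IP address is used as is, a name introduced by @ is limited to 15 characters as typed, and a #Id reference is replaced by the configured suffix. The 15 character limit and the @host1.#1 notation are from the page; the port part of Out is left out, and the error handling and the suffix table are assumptions constructed for the demonstration.

```python
"""Expansion of the Out field of a host rule: either an IP address or a DNS
name introduced by '@', which may reference a DNS suffix as '#<Id>'.  Added
illustration, not innovaphone code.  The 15 character limit on the DNS name
and the '@host1.#1' notation come from the page; the port part of Out is left
out and the error handling is an assumption.
"""
import ipaddress
from typing import Dict

MAX_NAME_LEN = 15     # limit on the DNS name as typed into Out


def expand_out(out: str, suffixes: Dict[int, str]) -> str:
    """Return the destination the proxy connects to for a given Out value."""
    if not out.startswith("@"):
        ipaddress.ip_address(out)                # IPv4 or IPv6, else ValueError
        return out
    name = out[1:]
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"{name!r} exceeds {MAX_NAME_LEN} chars; reference a DNS suffix instead")
    if "#" not in name:
        return name
    head, ref = name.rsplit("#", 1)            # "@host1.#1" -> ("host1.", "1")
    if not ref.isdigit() or int(ref) not in suffixes:
        raise ValueError(f"unknown DNS suffix reference #{ref}")
    return head + suffixes[int(ref)]


# Constructed DNS Suffixes table: Id -> Suffix.
SUFFIXES = {1: "example.com", 2: "corp.example.net"}


def demo():
    results = {}
    for out in ("10.0.0.5", "2001:db8::5", "@host1.#1", "@pbx.#2",
                "@pbx.corp.example.net", "@host1.#9"):
        try:
            results[out] = expand_out(out, SUFFIXES)
        except ValueError as e:
            results[out] = f"error: {e}"
    return results
```

The length check runs on the name as typed, so @pbx.corp.example.net is rejected while @pbx.#2 expands to the same 20 character name.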

Counter

The current top ten addresses with suspicious requests

Addresses

Blacklist/Whitelist addresses