Deployment Scenario Handbook
Implementing a Reverse Proxy for Perimeter Security and Other Reasons
- Scenario overview
- Key considerations
- Recommended approach
- Alternative approach
- Project task overview
- Long term enhancements
Acme Inc. has highly sensitive research and design documents. In this scenario, they want to restrict access to these documents by forcing all searches through a proxy. The proxy will enforce authentication with their single sign-on (SSO) system before allowing access to the GSA and also restrict the queries that can be submitted to the GSA.
- Enforce an SSO login before accessing the GSA.
- Restrict queries performed on the GSA to a single specified collection by restricting URL request parameters.
- For this example, the assumption is that we are to use Apache Web Server. Note that other web servers can be used for reverse proxies to the GSA.
- An Apache server is available.
- An Apache plugin for Acme’s SSO is available.
- If using the GSA for secure searches:
  - Proxying HTTPS traffic is required.
  - Calls to the security manager on the GSA must also be proxied.
- If accessing the GSA over HTTPS, SSL traffic must also be proxied.
- The GSA is protected by a firewall and access is restricted to the proxy server.
Google’s recommended approach for implementing a reverse proxy for perimeter security covers the following areas:
- Integrating Apache with an SSO
- Proxying requests to the GSA
- Restricting all traffic through the reverse proxy
To protect the Apache instance with the SSO, Acme Inc. will install the Apache SSO plugin particular to the SSO that is being used. Depending on whether the plugin contains a configuration interface, they may be presented with application protection options as a series of wizards or the configuration may have to be made by setting appropriate resource filters for traffic in Apache.
When the SSO plugin is configured, anytime the Apache host with the appropriate cookie domain scope is accessed, a user will be authenticated with the SSO. If the user doesn’t have a cookie in her session, she should get redirected to the SSO login page to get one. After that is done, she will be allowed to proceed to the GSA.
A virtual host block is the mechanism commonly used for this, but you can do it in the main server configuration as well. To configure a virtual host to handle proxying of traffic:
```apache
<VirtualHost *:80>
    # Forward proxying stays off; only the reverse-proxy mappings below apply
    ProxyRequests Off
    <Proxy *>
        # Access control for the proxied resource (Apache 2.2 syntax);
        # [gsa_ip] is a placeholder to be replaced
        Order Deny,Allow
        Deny from all
        Allow from [gsa_ip]
    </Proxy>
    # Map the proxy root onto the GSA and rewrite the redirects it returns
    ProxyPass / http://gsa32.example.com
    ProxyPassReverse / http://gsa32.example.com
</VirtualHost>
```
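The collection restriction called for in the scenario overview is not shown in the virtual host above. The following is an added example, not part of the handbook: the parameter policy written in Python so it can be checked against sample requests before being ported to a mod_rewrite rule or a filter in front of ProxyPass. The `/search` path and the `site` parameter are the GSA's own; the collection name `research_docs` and the sample URLs are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlsplit

# Collection Acme's proxy permits; the name is a constructed placeholder.
ALLOWED_COLLECTION = "research_docs"


def check_search_request(url, allowed_collection=ALLOWED_COLLECTION):
    """Return (allowed, reason) for a request URL as seen at the proxy.

    Only the GSA search front end (/search) is restricted; other paths,
    such as the security manager calls the proxy must also carry, pass.
    """
    parts = urlsplit(url)
    if parts.path != "/search":
        return True, "not a search request"
    # keep_blank_values so an empty 'site=' is inspected, not dropped
    params = parse_qsl(parts.query, keep_blank_values=True)
    sites = [value for key, value in params if key == "site"]
    # A repeated parameter is ambiguous (which copy would the GSA honour?),
    # so it is rejected along with a missing one.
    if len(sites) != 1:
        return False, "site parameter must appear exactly once"
    # The GSA joins several collections with '|' (site=a|b), and parse_qsl
    # has already decoded %7C, so only an exact match passes.
    if sites[0] != allowed_collection:
        return False, "collection %r is not permitted" % sites[0]
    return True, "ok"


# Constructed sample requests of the kind the proxy would see.
SAMPLE_REQUESTS = [
    "/search?q=budget&site=research_docs&client=default_frontend",
    "/search?q=budget&site=public_site",
    "/search?q=budget",
    "/search?q=budget&site=research_docs&site=public_site",
    "/search?q=budget&site=research_docs%7Cpublic_site",
]


def audit(urls=SAMPLE_REQUESTS):
    """Apply the policy to each URL; returns a list of (url, allowed, reason)."""
    return [(u,) + check_search_request(u) for u in urls]


if __name__ == "__main__":
    for url, allowed, reason in audit():
        print("%-5s %-55s %s" % ("ALLOW" if allowed else "DENY", url, reason))
```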
For configurations where secure search is enabled, the mod_ssl Apache plugin is needed for the proxying of HTTPS traffic. Issuing a certificate for the Apache server would also be needed. That certificate would need to be installed on the GSA, so that the proxied requests will be recognized as signed.
After the reverse proxy is implemented, Acme Inc. will configure a firewall rule to allow traffic to the GSA from the Apache host only. This forces every request for the GSA through the Apache reverse proxy.
Use an alternate web server for implementing the reverse proxy. One example is using IIS to handle filtering of traffic.
As of GSA 6.14, the Perimeter Security feature of the GSA can be used to implement such a mechanism. The requirement would be to configure a security mechanism on the GSA to do authentication only. When this is enabled, public results will not be shown to users unless they are successfully authenticated to the GSA.
The following table lists the project tasks and activities for implementing a reverse proxy for perimeter security.
| Task | Activities |
|---|---|
| Plan Apache integration with SSO | |
| Configure proxying of requests to the GSA by Apache | |
| Configure the firewall to restrict access to the GSA from anywhere but the Apache host | |
- Consider other uses for the reverse proxy: clean URLs, firewall tunneling, caching for performance.
- Using Apache as a cache can greatly improve the response time and serving capacity of the GSA. For example, an in-memory cache configuration (mod_mem_cache) can be added to the virtual host section:

```apache
# mod_mem_cache (Apache 2.2) directives; CacheEnable takes the URL prefix to cache
CacheEnable mem /
# Total cache size in KB
MCacheSize 4096
MCacheMaxObjectCount 1000
# Per-object size limits in bytes
MCacheMinObjectSize 1
MCacheMaxObjectSize 4096
```

This would cache the 1000 most recent GSA responses of 4K or less in memory.