Deployment Scenario Handbook

Implementing a Reverse Proxy for Perimeter Security and Other Reasons

Scenario overview


Acme Inc. has highly sensitive research and design documents. In this scenario, they want to restrict access to these documents by forcing all searches through a proxy. The proxy will enforce authentication with their single sign-on (SSO) system before allowing access to the GSA and also restrict the queries that can be submitted to the GSA.

Requirements


  • Enforce an SSO login before accessing the GSA.
  • Restrict queries performed on the GSA to a single specified collection by restricting URL request parameters.

Assumptions


  • For this example, the assumption is that we are to use Apache Web Server. Note that other web servers can be used for reverse proxies to the GSA.
  • An Apache server is available.
  • An Apache plugin for Acme’s SSO is available.

Key considerations


  • If using the GSA for secure searches:
    • Proxying HTTPS traffic is required.
    • Calls to the security manager on the GSA must be also be proxied.
  • If accessing the GSA over HTTPS, SSL traffic must also be proxied.
  • The GSA is protected by a firewall and access is restricted to the proxy server.

Recommended approach


Google’s recommended approach for implementing a reverse proxy for perimeter security covers the following areas:

Integrating Apache with an SSO

To protect the Apache instance with the SSO, Acme Inc. will install the Apache SSO plugin particular to the SSO that is being used. Depending on whether the plugin contains a configuration interface, they may be presented with application protection options as a series of wizards or the configuration may have to be made by setting appropriate resource filters for traffic in Apache.

When the SSO plugin is configured, anytime the Apache host with the appropriate cookie domain scope is accessed, a user will be authenticated with the SSO. If the user doesn’t have a cookie in her session, she should get redirected to the SSO login page to get one. After that is done, she will be allowed to proceed to the GSA.

Proxying requests to the GSA

A virtual host block is the mechanism commonly used for this, but you can do it in the main server configuration as well. To configure a virtual host to handle proxying of traffic:


<VirtualHost *:80>
  ProxyRequests Off
    <Proxy *>
      Order Deny,Allow
      Deny from all
      Allow from [gsa_ip]
  </Proxy>
 
  ProxyPass / http://gsa32.example.com
  ProxyPassReverse / http://gsa32.example.com
</VirtualHost>

For configurations where secure search is enabled, the mod_ssl Apache plugin is needed for the proxying of HTTPS traffic. Issuing a certificate for the Apache server would also be needed. That certificate would need to be installed on the GSA, so that the proxied requests will be recognized as signed.

Restricting all traffic through the reverse proxy

After the reverse proxy is implemented, Acme Inc. will configure a firewall rule to allow traffic to the GSA from the Apache host only. This will force all requests to go through the Apache reverse proxy when wanting to access the GSA.

Alternative approach


Use an alternate web server for implementing the reverse proxy. One example is using IIS to handle filtering of traffic.

As of GSA 6.14, the Perimeter Security feature of the GSA can be used to implement such a mechanism. The requirement would be to configure a security mechanism on the GSA to do authentication only. When this is enabled, public results will not be shown to users unless they are successfully authenticated to the GSA.

Project task overview


The following table lists the project tasks and activities for implementing a reverse proxy for perimeter security.

Task Activities
Plan Apache integration with SSO
  • Configure Apache to use SSO plugin and set appropriate resource filters to filter traffic to the SSO protected resources
Configure proxying requests to the GSA by Apache
  • If secure search or accessing the GSA over HTTPS is required, mod_ssl will be needed to proxy HTTPS traffic
Configure firewall to restrict access to the GSA from anywhere but the Apache host  

Long term enhancements

  • Consider other uses for the reverse proxy: clean URLs, firewall tunneling, caching for performance.
  • Using Apache as a cache can greatly improve the response time and serving capacity of the GSA. For example, a memcache configuration can be added to the virtual host section:
    CacheEnable mem
    MCacheSize 4096
    MCacheMaxObjectCount 1000
    MCacheMinObjectSize 1
    MCacheMaxObjectSize 4096 

    This would cache the 1000 most recent GSA responses of 4K or less in memory.

Was this helpful?
How can we improve it?