R66 Proxy

In order to support a more secure configuration, we propose a Proxy/Reverse Proxy for the R66 protocol.

This software does not need any database (less risk). Its configuration stores no password and no information on what is proxified, except the addresses, and the log is minimalist.

This module operates under the following constraints:

  • a pair Local Listening address/port/ssl - Remote (Proxified) address/port/ssl is set up
  • each local listening interface is therefore attached to one remote proxified R66 server
  • messages go through the proxy without checking, except for connection attempts
  • a client initiates a request to the listening interface, which is in fact forwarded to the remote interface
  • if the client multiplexes multiple transfers in this connection, they are multiplexed too in the remote one
  • if 2 clients initiate a request to the same listening interface, they will not share the connection to the remote one
  • it can be used in both directions: proxifying one's own R66 servers through a listening interface for each, and proxifying some R66 partners through a listening interface for each

Known limitations:

  • the number of proxified servers is limited by the number of listening interfaces available on the server (roughly 65K)
  • each listening interface sets up some threads and could therefore be a limitation (total number of threads per JVM), but far enough away to suppose it is not an issue
  • no tracking is available in the proxy, it is a passthrough only. Therefore monitoring is minimalist. The real monitoring stays on the R66 servers.

By installing a Proxy R66 server, requests are forwarded in both directions directly to external or internal R66 servers.

The interest is to have a minimalist R66 server in the DMZ, with no configuration that could be a source of attack. The drawback is that no control is made within this Proxy R66 server, meaning that the packets are just transmitted as is to the internal or external R66 partner. However, if attacks such as denial of service are made, this will probably be the first level of catch, thereby enhancing the security level of the R66 solution.

The configuration is made by pairs, meaning that each listening interface (address, port, SSL mode) is linked to one and only one proxified interface (address, port, SSL mode). Therefore, let us say that on the internal side we have an R66 server named A and on the external side an R66 server named B; the configuration will be as follows:

  • Listening B' in the DMZ through an address/port/SSL mode (probably none) accessible from inside, linked to B outside
  • Listening A' in the DMZ through an address/port/SSL mode (probably yes) accessible from outside, linked to A inside

Therefore, in A, the configuration to access B is made through the address/port/SSL mode defined in B', while the remote partner B will access A through the address/port/SSL mode defined in A'.

  • Any server inside can then reach B through B' (B will then check the authentication)
  • Any server outside can then reach A through A' (A will then check the authentication)

So if you want all outside clients to be able to reach one particular server of yours inside, you need to set up only one path (knowing clients could do either SEND or RECV transfers). Conversely, if you want to be able to reach multiple partner servers (say n) from inside, then you will have to define one route for each, so n routes.

The Proxy server is started and stopped like an R66 server (command line is java ... classpath ... java options .... config-proxy.xml).

It contains a specific administrator and a specific configuration file, close to the R66 standard ones, but with fewer functionalities.

In the configuration file, the following elements are specific to the proxy configuration, inside the <network> module:

<serverproxy>
  <serverlistenaddr>aaa</serverlistenaddr>
  <serverlistenport>port1</serverlistenport>
  <serverlistenssl>bool1</serverlistenssl>
  <serverremoteaddr>bbb</serverremoteaddr>
  <serverremoteport>port2</serverremoteport>
  <serverremotessl>bool2</serverremotessl>
</serverproxy>

  • serverlistenaddr: the local address on which the proxy listens for incoming connections that will be proxified to the remote address
  • serverlistenport: the local port, used together with the local address
  • serverlistenssl: whether this connector uses SSL or not
  • serverremoteaddr: the remote address to which the proxy forwards the incoming connections
  • serverremoteport: the remote port, used together with the remote address
  • serverremotessl: whether the remote address uses SSL or not
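As an added example (not code from the R66 project or from this page), a small Python check that parses such a configuration and enforces the pairing rule described above: each listening interface maps to one and only one proxified interface. The sample configuration is constructed for the A'/B' scenario; that several <serverproxy> blocks may be declared under <network> is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample reproducing the A'/B' pairing: B' listens inside (no SSL)
# and forwards to B outside (SSL); A' listens outside (SSL) and forwards to A
# inside (no SSL). Several <serverproxy> blocks under <network> is an assumption.
SAMPLE_CONFIG = """<config><network>
  <serverproxy>
    <serverlistenaddr>10.0.0.5</serverlistenaddr>
    <serverlistenport>6666</serverlistenport>
    <serverlistenssl>False</serverlistenssl>
    <serverremoteaddr>203.0.113.10</serverremoteaddr>
    <serverremoteport>6667</serverremoteport>
    <serverremotessl>True</serverremotessl>
  </serverproxy>
  <serverproxy>
    <serverlistenaddr>198.51.100.5</serverlistenaddr>
    <serverlistenport>6667</serverlistenport>
    <serverlistenssl>True</serverlistenssl>
    <serverremoteaddr>10.0.0.20</serverremoteaddr>
    <serverremoteport>6666</serverremoteport>
    <serverremotessl>False</serverremotessl>
  </serverproxy>
</network></config>"""

def _endpoint(sp, side):
    """Read (address, port, ssl) for side 'listen' or 'remote' of one <serverproxy>."""
    addr, port, ssl = (sp.findtext(f"server{side}{k}") for k in ("addr", "port", "ssl"))
    if None in (addr, port, ssl):
        raise ValueError(f"incomplete {side} definition in <serverproxy>")
    return (addr.strip(), int(port), ssl.strip().lower() in ("true", "1", "yes"))

def parse_routes(xml_text):
    """Return [(listen, remote), ...] for every <serverproxy> under <network>."""
    root = ET.fromstring(xml_text)
    return [(_endpoint(sp, "listen"), _endpoint(sp, "remote"))
            for sp in root.iter("serverproxy")]

def check_routes(routes):
    """Enforce the pairing rule: one listener maps to one and only one remote."""
    problems, seen = [], {}
    for listen, remote in routes:
        key = listen[:2]  # (address, port) identifies a listening interface
        if key in seen and seen[key] != remote:
            problems.append(f"listener {key} mapped to both {seen[key]} and {remote}")
        seen.setdefault(key, remote)
        if key == remote[:2]:
            problems.append(f"listener {key} forwards to itself")
    return problems
```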

Note that the admin2 web site (in src/main/admin2) is a slightly modified version of the native R66 server one.