So I'm making a SOCKS5 proxy for WebSocket connections and some HTTP calls on a few VMs in DO. The idea is that traffic from the K8S cluster would go through the proxies so I could whitelist the IPs on the end service. I'm creating the proxies because DigitalOcean does not yet have CloudNAT or similar features.
I'm also making two proxy servers for redundancy and will use pacemaker + corosync. To achieve this, I'll have to use the DigitalOcean Reserved (floating) IPs feature. Thus, the proxy will always connect to a public IP and I cannot do it in a VPC, where the proxy could only accept connections from a private network.
So my question is - is basic username authentication enough for security? Here's my Dante configuration.
logoutput: syslog
#user.privileged: root
user.unprivileged: nobody
# The listening network interface or address.
internal: 0.0.0.0 port=7171
# The proxying network interface or address.
external: eth0
# socks-rules determine what is proxied through the external interface.
socksmethod: username
# client-rules determine who can connect to the internal interface.
clientmethod: none
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    user: prxuser
}
Also, I'm aware that there are other HTTP solutions that do support WebSocket connections, but I'm limited to using SOCKS at this time.
I'd highly appreciate any assistance!
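
A static check over the rules posted above, as an added example that is not part of the original post: it parses a sockd.conf and lists the settings that leave the proxy reachable and relaying for anyone who holds the credentials. The `parse`, `is_any` and `audit` helpers are hypothetical names, the embedded config is the post's own, trimmed to the audited lines, and the cleartext finding rests on RFC 1929, which sends the SOCKS5 username and password unencrypted.

```python
import ipaddress
import re

# Constructed sample: the audited lines of the configuration in the post above.
SOCKD_CONF = """\
internal: 0.0.0.0 port=7171
socksmethod: username
client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
}
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
user: prxuser
}
"""

def parse(conf):  # -> (global settings, [(rule type, options), ...])
    settings, rules, block = {}, [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        opener = re.fullmatch(r"(client|socks) (pass|block) \{", line)
        if opener:
            block = (" ".join(opener.groups()), {})
        elif line == "}" and block:
            rules.append(block)
            block = None
        else:  # one line may hold several "key: value" pairs (from: ... to: ...)
            (block[1] if block else settings).update(re.findall(r"([\w.]+):\s*(\S+)", line))
    return settings, rules

def is_any(addr):
    try:  # interface names and hostnames are not CIDRs
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False

def audit(conf):
    settings, rules = parse(conf)
    findings = []
    if settings.get("internal") in ("0.0.0.0", "::"):
        findings.append("internal: listens on every interface")
    if settings.get("socksmethod") == "username":
        findings.append("socksmethod username: RFC 1929 sends the password in cleartext")
    for kind, opts in rules:
        if kind.endswith("pass") and is_any(opts.get("from", "")):
            findings.append(f"{kind}: accepts any source address")
        if kind == "socks pass" and is_any(opts.get("to", "")):
            findings.append("socks pass: relays to any destination")
    return findings
```

Calling `audit(SOCKD_CONF)` returns five findings for the posted rules; narrowing a rule's `from:` to a specific network removes that rule's source finding.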