I'm trying to solve an architecture design puzzle: it's about designing an infrastructure that keeps data and servers as secured/hidden as possible. Here are the requirements:

* I want to hide the internal design of my infra (several data servers with public and private hosts)

* I want to access each service using the same IP address, with the query forwarded to the right server based on something (cookie, URI, port or whatever)

* Access to data services must be enforced with SSL/TLS encryption

After studying these requirements carefully, I was thinking about using a reverse proxy and granting access to all data services only through the reverse proxy server. Another pro of a reverse proxy is that access authentication is enforced at once, together with SSL/TLS encryption, with no need to configure each endpoint separately.

My real issue is that I didn't find any reverse proxy that can redirect TCP traffic (for example MySQL requests), and the same goes for static load balancing algorithms, which are supported only for HTTP requests (HAProxy, for instance).

Any idea how to solve this issue?

Thanks to all

adaak
  • "_I didn't find any reverse proxy that supports tcp queries..._" What do you mean by that? There really is no such thing as a TCP query. All TCP does is to set up a connection between peer hosts. Any queries would be above the transport layer, and TCP would be ignorant of what is a request or reply. – Ron Maupin Nov 02 '16 at 16:17
  • I meant forwarding TCP requests and not HTTP; for instance, a MySQL connection is handled via TCP. – adaak Nov 02 '16 at 17:57
  • There is no such thing as a TCP request. That is the point that I'm trying to get across. The request/reply is an application-layer concept, not a TCP concept. – Ron Maupin Nov 02 '16 at 18:00
  • It's OK, let's not call it a TCP request and take the MySQL and MSSQL example: I want to set up a reverse proxy with hostname rproxy.com, so that mysql.rproxy.com (or rproxy.com:port1) redirects the request to mysql_server and mssql.rproxy.com (or rproxy.com:port2) redirects the request to mssql_server, and so on for other sub-domains, which redirect requests to the corresponding data servers (Aurora, PostgreSQL, etc.) – adaak Nov 02 '16 at 19:19

2 Answers


Try using HAProxy. I think that's what you are looking for. You can google it and check out their site, and you could also benefit from watching this

Michael
  • Hi @Michael, thank you for your answer. Indeed, HAProxy is well designed to handle load balancing for web servers, but my need is to build a static load balancer for handling TCP traffic, something like [link](https://www.nginx.com/resources/admin-guide/tcp-load-balancing/) – adaak Nov 02 '16 at 22:26

HAProxy is a proxy and load balancer for HTTP and TCP. It supports routing based on TCP payload, which you'll probably need.

For HTTP traffic you can enforce SSL/TLS.

TCP is application specific. Either the application supports SSL/TLS or you have to tunnel connections.

dario
  • Thank you for your reply. Indeed, I don't want a load balancer but a reverse proxy which redirects TCP requests from server A to server B, so the config would be hiding TCP server B (MySQL for instance) behind the reverse proxy A. Makes sense? – adaak Nov 20 '18 at 10:39
  • Recommendation stands: HAProxy as TCP proxy. Same limitation, you can't encrypt a TCP connection with a reverse proxy. E.g. for MySQL you'd have to enforce encrypted connections between client and server on the MySQL server. – dario Nov 20 '18 at 11:42
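As an added example (not part of either answer), here is an HAProxy configuration doing what dario describes: TCP-mode proxying behind one public address, with the per-port routing from the question's comments (rproxy.com:port1, rproxy.com:port2) and an SNI-routed single-port alternative. The hostname rproxy.com, the ports and the 10.0.1.x backend addresses are assumed.

```haproxy
global
    log /dev/log local0

defaults
    log     global
    mode    tcp              # forward raw TCP, no HTTP parsing
    option  tcplog
    timeout connect 5s
    timeout client  1h       # long-lived database sessions
    timeout server  1h

# Option A: one public address, one port per hidden data service
# (rproxy.com:3306 -> MySQL, rproxy.com:1433 -> MSSQL). Clients only ever
# see the proxy; the backend hosts (constructed 10.0.1.x addresses) stay private.
frontend mysql_in
    bind *:3306
    default_backend mysql_servers

frontend mssql_in
    bind *:1433
    default_backend mssql_servers

# Option B: one public port, routed on the TLS SNI name in the ClientHello
# (this is the "routing on TCP payload" the answer refers to). It only works
# when the client opens the connection with a TLS handshake, e.g. through an
# stunnel tunnel; a plain MySQL client cannot be routed this way because the
# MySQL server speaks first and TLS is negotiated later in the protocol.
frontend sni_in
    bind *:8443
    tcp-request inspect-delay 5s
    # only the two published names are forwarded; anything else is dropped,
    # so an unknown name cannot be used to probe for other backends
    acl known_sni req.ssl_sni -i mysql.rproxy.com mssql.rproxy.com
    tcp-request content reject unless known_sni
    use_backend mysql_servers if { req.ssl_sni -i mysql.rproxy.com }
    use_backend mssql_servers if { req.ssl_sni -i mssql.rproxy.com }

backend mysql_servers
    # TCP-level health check only; in tcp mode HAProxy does not understand
    # the MySQL wire protocol, it just relays bytes
    server mysql1 10.0.1.10:3306 check

backend mssql_servers
    server mssql1 10.0.1.20:1433 check
```

Because HAProxy in tcp mode only relays bytes, the proxy hides the servers but adds no encryption of its own; as dario's comment says, TLS for MySQL must be required on the MySQL server itself (for example with MySQL's require_secure_transport=ON).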