
I started with a new company a few months ago as a software developer. Normally I am doing software-development-related stuff, but because the previous System Admin left the company, I've become the resident "IT Guy".

I'm trying to figure out how our network infrastructure fits together, and I don't understand a specific interaction between our reverse proxy and our backend web servers. I know that if I type in the backend web server URL directly (for instance www.backendServer.com/myApp) the name doesn't resolve. But if I type in the proxy URL (for instance www.proxy.com/myApp), that of course does its job.

How does the backend web server (www.backendserver.com) refuse any sort of connection unless it comes from the proxy?

  • Any number of ways. It might be configured to only work on certain hostnames, it might be firewalled so it only responds to requests from certain IPs (like the proxy), the proxy could be configured to pass some sort of authorization header, etc. – ceejayoz Mar 22 '18 at 19:19
  • Look at the reverse proxy config and see if you can go to the URL that it's proxying to (most likely not www.backendServer.com/myApp). But like @ceejayoz wrote, there are a lot of ways that you can do this. – shinjijai Mar 22 '18 at 19:21
  • @ceejayoz if it were configured to only work on certain hostnames, where would that configuration be if the web server was IIS 6? – PeonProgrammer Mar 22 '18 at 19:31
  • @PeonProgrammer in IIS, look at the site, and look at the site bindings. – shinjijai Mar 22 '18 at 19:34
  • @PeonProgrammer I strongly suggest you look at your Apache configuration on the proxy server, to give you a hint on how this is working. I've been at places where we have a reverse proxy in front of another reverse proxy that finally goes to the app that's listening on a port that's not 80 or 443, etc. – shinjijai Mar 23 '18 at 12:10
  • @shinjijai I have looked closely at the config file on our proxy and know that it's redirecting people to our backend servers and not another proxy. That part is pretty clear to me. What's not clear to me is how the backend servers are refusing connections from outside HTTP requests. There is this implicit trust between our backend servers and this proxy that I can't figure out. – PeonProgrammer Mar 23 '18 at 17:49
  • Are you able to share the Proxy_Pass conf block? If the issue is not with the reverse proxy server, then you'll have to look at the firewall. But like @ceejayoz wrote, there are so many ways that this can be achieved. Because of that, I would suggest figuring out exactly how it works from reverse proxy > backend and what appliances/servers are along the way. From that info you can have a better idea on where to start on answering your own question. – shinjijai Mar 23 '18 at 18:23

1 Answer

If the name doesn't resolve then it's probably not something available in public DNS. The proxy server could be using an internal DNS server your machine doesn't use, it could be defining the hostname in its own hosts file, your assumptions could be incorrect, etc.

On the proxy host, try to ping the domain name you believe is being used for the backend server. If it resolves and responds, then check the proxy host's DNS configuration and determine what those DNS servers are and whether they're somehow private or local to the proxy server.

If the proxy server uses regular public DNS, then investigate its hosts file (this differs in location between Windows, Mac and Linux) and see if there is a custom entry there.

– brent
  • Thanks @brent, I pinged the domain that is our backend server from the proxy host and it resolves and responds. I'm not sure how to check the proxy host's DNS configuration to determine what the DNS servers are. I'm on Windows 2012 and I'm using Apache 2.2 as my reverse proxy. – PeonProgrammer Mar 22 '18 at 21:00
  • When you try to ping the backend host from your local machine, does that work? – brent Mar 23 '18 at 13:38
  • Negative on my local host. Pinging the backend hostname from the proxy machine I get a response, but if I try to ping the backend machine from my workstation, that does not work. I get "result = aborted". – PeonProgrammer Mar 23 '18 at 17:53
  • The answer is likely that the proxy host has a locally relevant DNS config that your workstation does not. Could be separate DNS, a local hosts file, a split-horizon setup on your organization's DNS, or something else. It's not that the backend server is denying your requests, it's that you can't resolve the hostname. That's not to say it wouldn't deny the requests if you were able to resolve it; that could still happen due to firewall rules blocking your direct access, or any number of other things. A specific answer for this situation is beyond the scope of a Server Fault question. – brent Mar 26 '18 at 15:13
  • So I tried to use the IP directly for the backend server and I was able to access it that way. Is that an inherent security issue with a reverse proxy, or did my predecessors just fail to do this properly? – PeonProgrammer Mar 26 '18 at 16:09
  • There could be an exception in a firewall to allow access from the LAN, or it could be wide open. If it's a public IP, you'll need to make that determination if it is sensitive. If the IP is a private address, then it's up to your organization's security policy whether the potential for access from anywhere internal is allowed.

    If the IP is public, I would say it's important to get a handle on just what can directly access it. You could try visiting the IP from your phone over a 3G/LTE network (not WiFi from your office) to see if there's security limiting outside access.

    – brent Mar 26 '18 at 17:46
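The checks brent describes above (resolve the backend name, look at the DNS servers and hosts file on the resolving host, and, per the last comment, see whether the backend's web ports can be reached directly at all) gathered into one script. This is an added example, not code from the question or answer; the backend hostname is the placeholder from the question, and the Windows hosts-file path is assumed because the asker's proxy runs on Windows 2012. Run it on the proxy host and then on your workstation and compare the two outputs.

```powershell
# Added example: compare name resolution and reachability of the backend from this host.
# Run once on the proxy host and once on a workstation; the differences are the answer.
param(
    [string]$BackendHost = 'www.backendServer.com',   # placeholder name from the question
    [int[]]$Ports = @(80, 443)
)

# 1. Does the local hosts file define the name? (Windows path; differs on Mac/Linux.)
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = "\b$([regex]::Escape($BackendHost))\b"
$hostsHits = Get-Content $hostsPath | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
if ($hostsHits) {
    Write-Host ('hosts file entry in {0}:' -f $hostsPath)
    $hostsHits | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host ('no hosts file entry for {0}' -f $BackendHost)
}

# 2. Which DNS servers does this machine query? Private/internal addresses here explain
#    why the name resolves on the proxy host but not on a workstation using public DNS.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    ForEach-Object { Write-Host ('DNS servers on {0}: {1}' -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ')) }

# 3. Resolve with and without the hosts file; a difference means the hosts file supplies the answer.
$withHosts = Resolve-DnsName -Name $BackendHost -ErrorAction SilentlyContinue |
    Where-Object IPAddress | Select-Object -ExpandProperty IPAddress
$dnsOnly   = Resolve-DnsName -Name $BackendHost -NoHostsFile -ErrorAction SilentlyContinue |
    Where-Object IPAddress | Select-Object -ExpandProperty IPAddress
Write-Host ('resolves (hosts file + DNS): {0}' -f ($withHosts -join ', '))
Write-Host ('resolves (DNS only):         {0}' -f ($dnsOnly -join ', '))

# 4. Can this host open a TCP connection to the web ports? TcpClient is used instead of
#    Test-NetConnection so it also works on Server 2012 without R2. A name that resolves
#    but a port that does not connect points at a firewall rule rather than at DNS.
foreach ($port in $Ports) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($BackendHost, $port, $null, $null)
        $ok    = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
        Write-Host ('tcp {0}:{1} -> {2}' -f $BackendHost, $port, $(if ($ok) { 'open' } else { 'blocked or timed out' }))
    } catch {
        Write-Host ('tcp {0}:{1} -> error: {2}' -f $BackendHost, $port, $_.Exception.Message)
    } finally {
        $client.Close()
    }
}
```

If the name resolves only with the hosts file or only through the proxy host's DNS servers, the "refusal" is a resolution difference rather than the backend rejecting you; if it resolves on both machines but the ports connect only from the proxy, a firewall rule is doing the restricting.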