Can Nethserver be used as a reverse proxy for other services?

greavette (Charles) 2017-10-13 21:48:20 UTC #1

Hi Team,

I’m looking for advice/information on if and how I can use Nethserver as a reverse proxy server for other services we run in our office. For example, I’m hoping to use Guacamole through my Nethserver install of the Nextcloud module. I found this article:

https://kmyers.me/blog/tech/short-tutorial-nextcloud-guacamole/

Where I’m hoping to include Guacamole in the ‘External Sites’ module of my Nextcloud. But the article refers to using a reverse proxy. I then looked int reverse proxies and found this one for CentOS:

Now what I’m wondering is if Nethserver can allow me to setup a reverse proxy in my Nethserver so that I may access my Guacamole using my Nethserver SSL certificate?

I hope I’m making sense here. Any advice or pointers would be greatly appreciated. I will of course share my successes (if I have any) with this setup in case others find it useful as well.

Thank you.

mrmarkuz (Markus Neuberger) 2017-10-13 22:16:50 UTC #2

Hi @greavette,

what about the reverse proxy module? Don’t know if it fits your needs…

http://docs.nethserver.org/en/v7/proxy_pass.html#reverse-proxy

https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html

giacomo (Giacomo Sanchietti) 2017-10-14 18:18:37 UTC #3

Even if Apache can do a good job on reverse proxy for small installations, you should consider to use nginx if you have hundreds or more clients.

greavette (Charles) 2017-10-15 18:35:08 UTC #4

Hello @giacomo,

I’m not sure I understand what you are suggesting? Should I install nginx on Nethserver and use that as my reverse proxy?

Thank you @mrmarkuz, I had no idea that Nethserver had a reverse proxy module. I will definitely check this out and try to see if I can get my Guacamole server connected through Nethserver and use my Nethserver SSL cert.

mrmarkuz (Markus Neuberger) 2017-10-15 18:45:10 UTC #5

nginx has a smaller RAM footprint and leads in handling static pages. So when it comes to high load and like @giacomo said if you have many many clients, nginx may be the better solution than apache. See some comparisons:

greavette (Charles) 2017-10-15 21:13:22 UTC #6

Thank you @mrmarkuz for this explanation. Let me see if I understand what you and @giacomo are saying, If I plan to use reverse proxy for many clients it would be best to use nginx. Makes sense. I currently have Nextcloud and WebTop installed on my Production Nethserver. Do they use nginx? When I look in software center I see reverse proxy but it’s only for Apache. Is there a module in Nethserver for reverse proxy for nginx? And if I add nginx and my Nextcloud and Webtop don’t use nginx what problems will I have introducing nginx?

I’d like to keep to using what’s in the software center so I’ll have supported modules during future upgrades.

I’m not sure how many clients (like Guacamole) I’ll have using reverse proxy. How many clients would be considered many passing through Nethserver Apace reverse proxy? Is 2-5 considered many?

Thank you.

mrmarkuz (Markus Neuberger) 2017-10-15 21:24:07 UTC #7

You are welcome.

No, AFAIK there’s no module.

So 2-5 clients is for sure no problem for apache. I’d try with Nethserver apache reverse proxy module, you can still setup nginx if apache does not fit your needs.

greavette (Charles) 2017-10-15 21:32:30 UTC #8

Excellent! Much appreciated @mrmarkuz. I’m sure I’ll be back with more questions.

mrmarkuz (Markus Neuberger) 2017-10-15 21:34:48 UTC #9

Just for info, guacamole and apache reverse proxy configuration:

https://guacamole.incubator.apache.org/doc/gug/proxying-guacamole.html#apache

greavette (Charles) 2017-10-15 21:55:42 UTC #10

Ok @mrmarkuz, here comes a dumb question for you.

I had thought I setup Guacamole on a separate server, then I use my Nethsever reverse proxy to point to my Guacamole server. But the link you provided suggests that I would make changes on my Guacamole server? Perhaps I’m misunderstanding how I do this.

greavette (Charles) 2017-10-15 22:00:04 UTC #11

More information for you…

Nethserver is my small office domain (but is only a domain for a small number of Windows machines…Guacamole is not a member of the domain). controller but Nethserver is not my main firewall, DNS or DHCP server. We have an Untangle router as our gateway to our office. The Untangle Server is our main firewall, DHCP and DNS server. In order to use Nethserver as my reverse proxy for my Guacamole virtual machine does my Guacamole server need to be on the domain and does Nethserver need to be my main firewall server for our office?

mrmarkuz (Markus Neuberger) 2017-10-15 22:17:25 UTC #12

I don’t really know Guacamole, sorry. But there is a thread:

https://community.nethserver.org/t/guacamole-package/2030/27

Haha there are no dumb questions.

I think both will work but you may try it with your existing Guacamole server first. I just found the link when googling about apache and guacamole. I thought you can use it to have the correct parameters when configuring the Nethserver apache reverse proxy module.

Same domain should not be needed. If your Nethserver is behind Untangle, you may port forward www to your Nethserver, which will reverse proxy to Guacamole.
But I do not know Guacamole, so maybe it needs some “special” configuration I don’t know.

giacomo (Giacomo Sanchietti) 2017-10-16 12:13:05 UTC #13

I would consider 1K clients many

You will surely have no problems event with hundreds of client with Apache. We have it in productions on dozens of applications

Jclendineng (Joel Clendineng) 2017-10-17 01:09:41 UTC #14

I use apache proxypass and it works well. I have a writeup on it somewhere on here, but its pretty simple, you do need to use ssh though. I need to learn nginx as I still live in an apache world just make sure apache is looking for the conf files in sites-enables and sites-available and plop the server you want to reverse proxy there, reboot apache service and it works good. Plus of that is you can use the server cert for any proxied sites on the network unless you want to set up certs for each proxy in which case you can do that to. Nethserver reverse proxy doesnt really work for anything but the most basic things so you will need to download winscp and putty and do it manually.

giacomo (Giacomo Sanchietti) 2017-10-17 07:08:51 UTC #15

What can be improved in your opinion?
We use it in many situations without real problems.

Jclendineng (Joel Clendineng) 2017-10-17 12:38:37 UTC #16

Example: I have a freenas server at 192.168.10.10 and a nextcloud server at 192.168.10.6, plex at 1.5, etc. I want to proxy nas.mydomain.com to 192.168.10.10, plex.mydomain.com to 192.168.1.5, cloud.mydomain.com to 192.168.10.6. The built in gui does not let you do any of that, and thats a typical use case I think. I can to a mydomain.com/PROXYPASSURL just cannot do PROXYPASSURL.mydomain.com. Also I host multiple domains on my nethserver, each with its own proxypass sites, there is no way to manage each domain from what I gather its global across all domains.

greavette (Charles) 2017-10-17 14:23:26 UTC #17

Hi All,

I’d like to clarify something. My investigation into using reverse proxy from Nethserver was to find a way to provide an SSL connection to my Guacamole server. I had a lot of trouble and failed getting my domains SSL Cert installed/working on my Guacamole server. So I had thought that using reverse proxy from Nethserver would assist me.

My thought (and perhaps this is my misunderstanding) was that I when I use reverse proxy from Nethserver and point to my Guacamole server. I’m assuming my Guacamole server does not need to have our SSL certificate installed and my Guacamole will instead use my certificate from my Nethserver.

Is this an incorrect assumption? When using reverse proxy do I need to still have an SSL certificate installed on my Guacamole server?

Thanks in advance for any advice you can provide me.

giacomo (Giacomo Sanchietti) 2017-10-17 15:05:06 UTC #18

Yes.

No, unless you want to secure communications between the proxy and Guacamole server

greavette (Charles) 2017-10-17 15:18:50 UTC #19

Thanks very much @giacomo, as always this forum is so very helpful!

This is what I was hoping to hear.

So I’ve installed the reverse proxy module now. Here is what I need to create then:

My Guacamole server address is http://10.101.243.10:8080/guacamole

How do I create a reverse proxy entry in Nethserver that will allow me to use an https connection to my guacamole server? There are two fields on the reverse proxy server screen that I believe is all I would need, Name and Target URL and I would enable the require SSL encrypted connection checkbox. Could someone provide me an example of what I should put into those fields that would allow my connection to guacamole to use the certificate from my Nethserver? It’s unclear to me what I put in here.

Thank you.

edi (Davide) 2017-10-17 17:19:17 UTC #20

Hey @greavette,
have you tried with something similar to this section from the guacamole howto

Setup the reverse proxy
vi /etc/httpd/conf.d/guacamole_reverse.conf

SSLProxyEngine on
# ProxyPass: guacamole
# Description:
ProxyPass       /path/to/guacamole/      http://FQDN:8080/guacamole/ flushpackets=on
ProxyPassReverse        /path/to/guacamole/      http://FQDN:8080/guacamole/

    <Location />
	SSLRequireSSL
</Location>

ProxyPass /path/to/guacamole/ ws://FQDN:8080/guacamole/websocket-tunnel
ProxyPassReverse /path/to/guacamole/ ws://FQDN:8080/guacamole/websocket-tunnel
<Location /websocket-tunnel>

</Location>

then
systemctl restart httpd.service

More info about proxying from guacamole website