Linux – How to ping when behind a proxy?
In most companies, Table Server must communicate with the Internet. Table Server is designed to operate inside a protected internal network. Do not set up Table Server directly on the Internet or in a DMZ. Instead, communication between your network and the Internet must be mediated by proxy servers. Forward proxy servers mediate traffic from inside the network to targets on the Internet. Reverse proxy servers mediate traffic from the Internet to targets inside the network.
This article is intended for IT professionals with experience in general networking and gateway proxy solutions. It describes how and when Table requires Internet access, and how to configure your network and Table to use forward and reverse proxy servers for Internet access. Many third-party proxy solutions are available, so some of the content of this article is necessarily generic.
Before configuring a proxy server, consult Communication with the Internet.
To enable communication from Table Server to the Internet, deploy Table Server behind a forward proxy server. When Table Server needs to access the Internet, it does not send the request directly to the Internet. Instead, it sends the request to the forward proxy, which in turn forwards the request. Forward proxies help administrators manage Internet-bound traffic for tasks such as load balancing, blocking access to sites, etc.
If you use a forward proxy, you must configure the computers that run Table Server inside the network to send traffic to the forward proxy. Table Server does not support pass-through or manual proxy authentication.
If you run OpenID authentication with a forward proxy solution, additional configuration is required. See Configure OpenID to use a forward proxy.
We recommend that you configure Table Server to use your forward proxy solution as part of the installation process. Specifically, configure Table Server when you run ./initialize-tsm, as described in Install and initialize TSM, or as part of the automated installation of Table Server.
The procedure below describes how to create a forward proxy configuration file for Table Server on Linux.
The configuration file is stored in the following directory:
By default, Table Server creates the unprivileged user table, so the default path of the configuration directory is:
~table/.config/systemd/table_server.conf.d
In this section and in the configuration file below, the proxy configuration file is named 20-proxy.conf. You can name this file according to your own convention, but it must use the .conf extension. systemd processes the files stored in the table_server.conf.d directory in lexical order by file name.
Execute the order
Start a session as the unprivileged user. By default, table is the unprivileged user created by Table Server during installation. Execute the following command:
sudo su -l table
Create or open the 20-proxy.conf file in the table_server.conf.d directory. If you configured the forward proxy during setup, the 20-proxy.conf file has already been created.
Create the file. Execute the following command:
touch ~table/.config/systemd/table_server.conf.d/20-proxy.conf
Open the 20-proxy.conf file in a text editor.
Copy the contents of the proxy configuration file into the file. If you are editing an existing file, be careful not to delete the existing configuration. The section Contents of the proxy configuration file includes instructions for forward proxy configurations. After modifying and saving the file, go to step 5.
Exit the table shell. Execute the following command:
Restart TSM business services. Execute the following script:
sudo /opt/table/table_server/packages/scripts.
Restart TSM.
If your company uses a proxy server to connect to the Internet, you must configure the Table Server failure reporting utility to use the proxy. Even if you have already configured Table Server to use a proxy, you must configure the server failure reporting utility separately. To configure the proxy for the server failure reporting utility, see Configure the server failure reporting utility.
A reverse proxy is a server that receives requests from external (Internet) clients and forwards them to Table Server. Why use a reverse proxy? The basic answer is: for security. With a reverse proxy, Table Server is made available to the Internet without exposing the individual IP address of that particular Table Server instance to the Internet. A reverse proxy also acts as an authentication and pass-through device, so that no data is stored where people outside the company could obtain it. This requirement is particularly important for organizations that are subject to various privacy regulations, such as PCI, HIPAA or SOX.
The following diagram shows the communication path when a client sends a request to Table Server that is configured to work with a reverse proxy server.
An external client initiates a connection to Table Server. The client uses the public URL that has been configured for the reverse proxy server, for example https://table.example.com. (The client does not know that it is reaching a reverse proxy.)
The reverse proxy in turn maps that request to a request to Table Server. You can configure the reverse proxy server to authenticate the client (using SSL/TLS) as a precondition for passing the request on to Table Server.
Table Server receives the request and sends its response to the reverse proxy.
The reverse proxy returns the content to the client. As far as the client can tell, it has only interacted with Table Server; it cannot know that the communication was mediated by the reverse proxy.
For optimal security, configure reverse proxy servers to use SSL for all traffic external to your network. This helps ensure confidentiality, content integrity and authentication. Unless you have deployed other security measures to protect traffic between your Internet gateway and Table Server, we also recommend that you configure SSL between the gateway proxy and Table Server. You can use internal or self-signed certificates to encrypt traffic between Table Server instances and other internal computers.
Table Server adds an X header to all HTTP responses for Table Mobile sessions. By default, most proxy solutions preserve X headers. If your proxy solution does not preserve X headers, you will need to configure your proxy server to preserve the following header for all HTTP responses for Mobile client sessions:
X-Table: Server Table.
If you have configured authentication at the gateway proxy server, your proxy server must respond to Table Mobile HTTP requests with an HTTP 302 response. The 302 response must include a redirect to the identity provider's login page. To view a diagram describing the 302 authentication sequence, see Table Mobile authentication sequence in the Table community.
Table Server always authenticates users. This means that even if you authenticate incoming connections at your organization's gateway, Table Server will still authenticate the user.
However, not all clients support user authentication with a reverse proxy:
For supported web browsers, you can use SAML, OpenID Connect, Kerberos, trusted tickets or manual authentication with a reverse proxy. However, we recommend a transparent scenario where user requests do not require authentication at the gateway. This recommendation does not rule out using SSL for client/server system-level authentication at the gateway proxy. In fact, we strongly recommend SSL system-level authentication.
Table Mobile supports SAML or manual authentication with a reverse proxy. The iOS version of Table Mobile also supports Kerberos or manual authentication with a reverse proxy. The same recommendation above applies.
Table Desktop and Table Prep do not support authentication with a reverse proxy. For remote access, use a VPN solution or configure your reverse proxy to route traffic from Table Desktop or Table Prep directly to Table Server for authentication.
If your company authenticates with Active Directory:
- Table Server must be configured for a reverse proxy before you configure Table Server for Kerberos. For more information, see Configure Kerberos.
Before configuring Table Server, you must gather the following information about the configuration of the proxy server. You configure Table Server with the tsm configuration set command; the information you need to collect corresponds to the options you will pass when you run it.
Most of the following tsm options are also used to configure Table Server deployments that operate behind a load balancer. For more information, see Add Load Balancer.
|IP address or |
You can enter an IP address or a CNAME for this option.
The public IP address or addresses of the proxy server. This address must be in IPv4 format, for example
If you cannot provide a static IP, or if you are using cloud proxies or external load balancers, you can specify the CNAME (Canonical Name) DNS value that clients will use to connect to Table Server. This CNAME value must be configured on your reverse proxy solution to communicate with Table Server.
|FQDN||The fully qualified domain name that people use to access Table Server, for example |
|Non-FQDN||Any subdomain name for the proxy server. In the example |
|Alias||Alternative public host name(s) for the proxy server. In most cases, aliases are defined using CNAME values. This would, for example, be a proxy server |
|Ports||Port numbers for client traffic to the reverse proxy server.|
If you are running a distributed installation of Table Server, run the following tsm commands on the initial node of your cluster.
Enter the following command to set the FQDN that clients will use to reach Table Server through the proxy server, where name is the FQDN:
tsm configuration set -k gateway.public.host -v 'name'
For example, if you reach Table Server by entering https://table.example.com in the browser, enter this command:
tsm configuration set -k gateway.public.host -v 'table.example.com'
Enter the following command to set the address or CNAME of the proxy server, where server_ip_address is the IPv4 address or the CNAME value:
tsm configuration set -k gateway.trusted -v 'server_ip_address'
If your organization uses multiple proxy servers, enter multiple IPv4 addresses, separated by a comma. IP ranges are not supported. To improve the start and initialization of Table Server, minimize the number of entries for
Enter the following command to specify alternative names for the proxy server, such as its fully qualified domain name, any names that are not fully qualified, and any aliases. If there is more than one name, separate the names with commas.
tsm configuration set -k gateway.trusted_hosts -v 'name1, name2, name3'
For example:
tsm configuration set -k gateway.trusted_hosts -v 'proxy1.example.com, proxy1, ftp.example.com, www.example.com'
If the proxy server uses SSL to communicate with the Internet, execute the following command, which indicates to Table that the reverse proxy server uses port 443 instead of port 80:
tsm configuration set -k gateway.public.port -v 443
Note: if the proxy server uses SSL to communicate with Table Server, SSL must be configured and activated on Table Server.
Enter the following command to apply the configuration change:
tsm pending-changes apply
If the pending changes require a server restart, the pending-changes apply command displays a prompt to tell you that a restart will take place. This prompt appears even if the server is stopped, but in that case no restart takes place. You can suppress the prompt with the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, they are applied without a prompt. For more information, see tsm pending-changes apply.
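The values in the steps above end up inside single-quoted tsm arguments, and gateway.trusted takes only IPv4 addresses or CNAMEs, not ranges. The following pre-flight script is an added example, not part of the original documentation: the function names are hypothetical, the sample addresses are constructed from documentation ranges, and it prints the tsm commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the product docs): pre-flight checks for the values
# passed to `tsm configuration set`. Function names are hypothetical.

is_ipv4() {   # dotted quad, each octet 0-255
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

is_hostname() {   # FQDN/CNAME; must contain a letter, so "10.0.0.1-10.0.0.9" fails
    case "$1" in ""|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;; esac
    case "$1" in *[A-Za-z]*) return 0 ;; *) return 1 ;; esac
}

check_trusted() {   # comma-separated IPv4 addresses or CNAMEs; ranges are rejected
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=,; set -f; set -- $1; set +f; IFS=$old_ifs
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr -d ' ')
        if ! is_ipv4 "$entry" && ! is_hostname "$entry"; then
            echo "rejected gateway.trusted entry: '$entry'" >&2
            return 1
        fi
    done
    return 0
}

is_port() {   # decimal port number, 1-65535
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

preflight() {   # preflight PUBLIC_HOST TRUSTED_LIST PORT -> prints the commands
    is_hostname "$1" || { echo "bad gateway.public.host: '$1'" >&2; return 1; }
    check_trusted "$2" || return 1
    is_port "$3" || { echo "bad gateway.public.port: '$3'" >&2; return 1; }
    printf "tsm configuration set -k gateway.public.host -v '%s'\n" "$1"
    printf "tsm configuration set -k gateway.trusted -v '%s'\n" "$2"
    printf "tsm configuration set -k gateway.public.port -v %s\n" "$3"
}

# Constructed sample values (documentation address range).
preflight table.example.com '203.0.113.10, 203.0.113.11' 443
```

Because every accepted value is limited to letters, digits, dots, hyphens, commas and spaces, nothing that reaches the printed command line can close the single quotes.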
When a client accesses Table Server through a reverse proxy, specific message headers must be preserved (or added). Specifically, all proxy servers in the message chain must be represented in the gateway.trusted_hosts parameters.
The following graphic shows example headers for a single-hop message chain, where the proxy server communicates directly with Table Server:
The following graphic shows example headers for a multi-hop message chain, where the message passes through two proxy servers before connecting to Table Server:
The following table describes what these headers are and how they relate to the configuration parameters on Table Server:
|Headers||Description||Associated Table Server settings|
|Table Server needs these headers to determine the IP address of the origin of the queries. The header ||The IP address you set in |
|These headers are used to generate absolute links to Table Server when responding to the client. The header ||Host names that are presented in the header |
|This header is required if SSL is enabled for client traffic to the proxy, but not for proxy traffic to Table Server.|
The port configuration on the reverse proxy (incoming client connections and outgoing connections to Table Server) must be specified in the corresponding parameters:
If the proxy server uses SSL to communicate with Table Server, SSL must be configured and activated on Table Server.
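Why every proxy in the message chain has to be listed, shown with the common right-to-left walk over a forwarded chain. This is an added example, not Table Server's own code or documented algorithm: it assumes the hop list is carried in X-Forwarded-For and that the trusted list is a comma-separated set of IPv4 addresses; the function names and addresses are constructed.

```shell
#!/bin/sh
# Added example: resolving the client address from a forwarded chain.
# Assumes the hop list arrives in X-Forwarded-For; names here are hypothetical.

in_list() {   # in_list ITEM "a,b,c"
    case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

client_ip() {   # client_ip XFF_VALUE PEER_ADDR TRUSTED_LIST
    xff=$(printf '%s' "$1" | tr -d ' ')
    peer=$2
    trusted=$(printf '%s' "$3" | tr -d ' ')
    # An untrusted peer cannot vouch for any header it sends.
    in_list "$peer" "$trusted" || { printf '%s\n' "$peer"; return 0; }
    candidate=$peer
    while [ -n "$xff" ]; do
        candidate=${xff##*,}                      # rightmost remaining hop
        case "$xff" in *,*) xff=${xff%,*} ;; *) xff= ;; esac
        in_list "$candidate" "$trusted" || break  # first untrusted hop = client
    done
    printf '%s\n' "$candidate"
}

# Constructed addresses: client 198.51.100.7, proxies 203.0.113.10 and 203.0.113.11.
chain='198.51.100.7, 203.0.113.10'
both='203.0.113.10,203.0.113.11'
echo "both proxies trusted: $(client_ip "$chain" 203.0.113.11 "$both")"
echo "first proxy unlisted: $(client_ip "$chain" 203.0.113.11 '203.0.113.11')"
echo "forged leading entry: $(client_ip "10.0.0.1, $chain" 203.0.113.11 "$both")"
```

With the first proxy missing from the trusted list, the proxy's own address is reported as the client; with both listed, a forged leading entry is ignored because the walk stops at the first untrusted hop.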
To validate the configuration of your reverse proxy, publish workbooks and data sources using Table Server web authoring or Table Desktop. If you log in to Table Server from the Internet with a web browser, check that you are using a recommended browser. Publish and view workbooks that use existing data sources as well as data sources that you have published. Use the links below to familiarize yourself with connecting to Table Server as an end user.