Linux – How to ping when behind a proxy?



In most companies, Table Server must communicate with the Internet. Table Server has been designed to operate within a protected internal network. Do not configure Table Server directly on the Internet or in a DMZ. Instead, communications between your network and the Internet must pass through proxy servers acting as intermediaries. Forward proxy servers mediate traffic from within the network to targets on the Internet. Reverse proxy servers mediate traffic from the Internet to targets within the network.

This article is intended for IT professionals with experience in general networking and gateway proxy solutions. It describes how and when Table requires Internet access, and how to configure your network and Table to use forward and reverse proxy servers for Internet access. Several third-party proxy solutions are available, so part of the content of this article is necessarily generic.

Before configuring a proxy server, consult Communication with the Internet.

To enable communication from Table Server to the Internet, deploy Table Server behind a forward proxy server. When Table Server needs to access the Internet, it does not send the request directly to the Internet. Instead, it sends the request to the forward proxy, which in turn forwards the request. Forward proxies help administrators manage traffic to the Internet for tasks such as load balancing, blocking access to sites, etc.

If you are using a forward proxy, you must configure the computers that run Table Server in the network to send traffic to the forward proxy. Table Server does not support pass-through or manual proxy authentication.

If you use OpenID authentication with a forward proxy solution, additional configuration is required. Consult Configure OpenID to use a forward proxy.

We recommend that you configure Table Server to use your forward proxy solution as part of the installation process. More specifically, configure Table Server when you run ./initialize-tsm, as described in Install and initialize TSM, or as part of the Automated Installation of Table Server.

The procedure below describes how to create a forward proxy configuration file for Table Server on Linux.

The configuration file is stored in the following directory:

    ~/.config/systemd/table_server.conf.d

By default, Table Server creates the unprivileged user table. The default path of the configuration directory is:

    ~table/.config/systemd/table_server.conf.d

The proxy configuration file is called 20-proxy.conf in this section and in the configuration file below. You can name this file according to your own conventions, but it must use the .conf extension. systemd processes the files stored in the table_server.conf.d directory in lexical order according to the file name.

  1. Run the tsm stop command.

  2. Start a session as the unprivileged user. By default, table is the unprivileged user created by Table Server during installation. Run the following command:

    sudo su -l table

  3. Create or open the file 20-proxy.conf in the table_server.conf.d directory. If you configured the forward proxy during setup, the file 20-proxy.conf has already been created.

    • Create the file. Run the following command:

      touch ~table/.config/systemd/table_server.conf.d/20-proxy.conf

    • Open the file 20-proxy.conf in a text editor.

  4. Copy the contents of the proxy configuration file into the file. If you are editing an existing file, be careful not to delete the existing configuration. The contents of the proxy configuration file include instructions for forward proxy configurations. After modifying and saving the file, go to step 5.

  5. Exit the table user's shell. Run the following command:

    exit

  6. Restart the TSM administrative services. Run the following script:

    sudo /opt/table/table_server/packages/scripts.<version>/start-administrative-services

  7. Restart TSM:

    tsm restart

If your company uses a proxy server to connect to the Internet, you must configure the Table Server failure reporting utility to use the proxy. Even if you have already configured Table Server to use a proxy, you must configure the server failure reporting utility separately. To configure the proxy for the server failure reporting utility, see Configure the server failure reporting utility.

A reverse proxy is a server that receives requests from external (Internet) clients and forwards them to Table Server. Why use a reverse proxy? The basic answer is: for security. With a reverse proxy, Table Server is available on the Internet without having to expose the individual IP address of that specific Table Server instance to the Internet. A reverse proxy also acts as an authentication and pass-through device, so that no data is stored where people outside the company could obtain it. This requirement is particularly important for organizations that are subject to various privacy regulations, such as PCI, HIPAA or SOX.

The following diagram shows the communication path when a client sends a request to a Table Server that is configured to operate with a reverse proxy server.

  1. An external client initiates a connection to Table Server. The client uses the public URL that has been configured for the reverse proxy server, for example https://table.example.com. (The client does not know that it is accessing a reverse proxy.)

  2. The reverse proxy maps that request, in turn, to a request to Table Server. You can configure the reverse proxy server so that it authenticates the client (using SSL/TLS) as a prerequisite for passing the request to Table Server.

  3. Table Server receives the request and sends its response to the reverse proxy.

  4. The reverse proxy returns the content to the client. The client, for its part, sees only an interaction with Table Server, and cannot know that the communication was mediated by the reverse proxy.

For optimal security, you should configure reverse proxy servers so that they use SSL for any traffic external to your network. These measures help to ensure confidentiality, content integrity and authentication. Unless you have deployed other security measures to protect traffic between your Internet gateway and Table Server, we also recommend that you configure SSL between the gateway proxy and Table Server. You can use internal or self-signed certificates to encrypt traffic between Table Server instances and other internal computers.

Table Server adds an X header to all HTTP responses for Table Mobile sessions. By default, most proxy solutions preserve X headers. If your proxy solution does not preserve X headers, you will need to configure your proxy server to preserve the following header for all HTTP responses for Mobile client sessions: X-Table: Server Table.

If you have configured authentication at the proxy server gateway, your proxy server must respond to Table Mobile HTTP requests with an HTTP 302 response. The 302 response must include a redirect to the identity provider login page. To view a diagram describing the 302 authentication sequence, see Table Mobile authentication sequence in the Table community.

Table Server always authenticates users. This means that even if you authenticate incoming connections at your organization's gateway, Table Server will still authenticate the user.

However, not all clients support user authentication with a reverse proxy:

  • For supported web browsers, you can use SAML, OpenID Connect, Kerberos, trusted tickets or manual authentication with a reverse proxy. However, we recommend a transparent scenario where user requests do not require authentication at the gateway level. This recommendation does not prohibit the use of SSL for server/client system-level authentication at the gateway proxy. In fact, we strongly recommend SSL system-level authentication.

  • Table Mobile supports SAML or manual authentication with a reverse proxy. The iOS version of Table Mobile also supports Kerberos or manual authentication with a reverse proxy. The same recommendation above applies.

  • Table Desktop and Table Prep do not support authentication with a reverse proxy. For remote access, use a VPN solution or configure your reverse proxy to route traffic from Table Desktop or Table Prep directly to Table Server for authentication.

If your company authenticates with Active Directory:

  • Table Server must be configured for the reverse proxy before you configure Table Server for Kerberos. For more information, see Configure Kerberos.

Before configuring Table Server, you must gather the following information about the proxy server configuration. To configure Table Server, you use the tsm configuration set command. The information you need to collect corresponds to the options you will need when running tsm.

Most of the following tsm options are also used to configure Table Server deployments that operate behind a load balancer. For more information, see Add Load Balancer.

  • IP address or CNAME (gateway.trusted): You can enter an IP address or a CNAME for this option. The public IP address or addresses of the proxy server. An IP address must be in IPv4 format, for example 203.0.113.0, and it must be static. If you cannot provide a static IP address, or if you are using cloud proxies or external load balancers, you can specify the CNAME (Canonical Name) DNS value that clients will use to connect to Table Server. This CNAME value must be configured on your reverse proxy solution to communicate with Table Server.

  • FQDN (gateway.public.host): The fully qualified domain name that people use to access Table Server, for example table.example.com. Table Server does not support context switching for this option. For example, the following URL is not supported: example.com/table.

  • Non-FQDN (gateway.trusted_hosts): Any subdomain name for the proxy server. In the example table.example.com, the subdomain name is table.

  • Alias (gateway.trusted_hosts): Public alternative host name(s) for the proxy server. In most cases, aliases are designated using CNAME values. An example would be a proxy server bigbox.example.com with CNAME entries ftp.example.com and www.example.com.

  • Ports (gateway.public.port): Port numbers for client traffic to the reverse proxy server.

If you are using a distributed installation of Table Server, run the following tsm commands on the initial node of your cluster.

  1. Enter the following command to define the FQDN that clients will use to reach Table Server via the proxy server, where name is the FQDN:

    tsm configuration set -k gateway.public.host -v 'name'

    For example, if you reach Table Server by entering https://table.example.com in the browser, enter this command:

    tsm configuration set -k gateway.public.host -v 'table.example.com'

  2. Enter the following command to define the address or CNAME of the proxy server, where server_ip_address is the IPv4 address or the CNAME value:

    tsm configuration set -k gateway.trusted -v 'server_ip_address'

    If your organization uses multiple proxy servers, enter multiple IPv4 addresses, separated by commas. IP ranges are not supported. To improve the startup and initialization of Table Server, minimize the number of entries for gateway.trusted.

  3. Enter the following command to specify alternative names for the proxy server, for example its fully qualified domain name, any names that are not fully qualified domain names, and aliases. If there is more than one name, separate the names with commas.

    tsm configuration set -k gateway.trusted_hosts -v 'name1, name2, name3'

    For example:

    tsm configuration set -k gateway.trusted_hosts -v 'proxy1.example.com, proxy1, ftp.example.com, www.example.com'

  4. If the proxy server uses SSL to communicate with the Internet, run the following command, which tells Table that the reverse proxy server uses port 443 instead of port 80:

    tsm configuration set -k gateway.public.port -v 443

    Note: if the proxy server uses SSL to communicate with Table Server, SSL must be configured and activated on Table Server.

  5. Enter the following command to apply the configuration change:

    tsm pending-changes apply

    If the pending changes require a restart of the server, the pending-changes apply command will display a prompt to inform you that a restart will take place. This prompt appears even if the server is stopped, but in this case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this will not change the restart behavior. If the changes do not require a restart, they are applied without a prompt. For more information, see tsm pending-changes apply.

When a client accesses Table Server via a reverse proxy, specific message headers must be preserved (or added). More specifically, all proxy servers in the message chain must be represented in the gateway.trusted and gateway.trusted_hosts settings.

The following diagram displays example headers for a single-hop message chain, where the proxy server communicates directly with Table Server:

The following diagram displays example headers for a multi-hop message chain, where the message passes through two proxy servers before connecting to Table Server:

The following table describes what these headers are and how they are associated with the configuration parameters on Table Server :

| Headers | Description | Associated Table Server settings |
|---|---|---|
| REMOTE_ADDR and X-FORWARDED-FOR (XFF) | Table Server needs these headers to determine the IP address of the origin of requests. The X-FORWARDED-FOR header must present the IP address chain to Table Server for connections to take place. | The IP address you set in gateway.trusted must correspond to the IP address presented in REMOTE_ADDR. If you have set several addresses in gateway.trusted, one of them must correspond to the IP address presented in REMOTE_ADDR. |
| HOST and X-FORWARDED-HOST (XFH) | These headers are used to generate absolute links to Table Server when responding to the client. The X-FORWARDED-HOST header must present host names to Table Server for connections to take place. | Host names that are presented in the X-FORWARDED-HOST header should be included in the host names you specify in gateway.trusted_hosts. |
| X-FORWARDED-PROTO (XFP) | This header is required if SSL is activated for client traffic to the proxy, but not for proxy traffic to Table Server. | |

The X-FORWARDED-PROTO headers play an important role in scenarios where HTTP or HTTPS is not maintained at each hop of the message route. For example, if the reverse proxy requires SSL for external requests, but the traffic between the reverse proxy and Table Server is not configured to use SSL, the X-FORWARDED-PROTO headers are required. Some proxy solutions automatically add X-FORWARDED-PROTO headers, while others do not. Ultimately, depending on your proxy solution, you may need to configure port forwarding so that the request is translated from port 443 to port 80.

The port configuration on the reverse proxy (incoming client connections and outgoing connections to Table Server) must be specified in the corresponding parameter: gateway.public.port, which is the port that clients use to connect to the proxy.
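The header rules above can be checked mechanically against a request captured at the server side of the proxy. The following sketch is an added example, not code from the product or its documentation: the function name check_request, its parameters and the sample addresses and host names are assumptions constructed for illustration.

```python
import ipaddress

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def check_request(settings, remote_addr, headers, tls_to_proxy, tls_to_server):
    """Compare one request, as the server sees it, with the gateway.* settings."""
    hdr = {k.lower(): v for k, v in headers.items()}
    trusted = _csv(settings["gateway.trusted"])
    trusted_hosts = {h.lower() for h in _csv(settings["gateway.trusted_hosts"])}
    # gateway.trusted takes single IPv4 addresses or CNAMEs; ranges are not supported.
    findings = [f"gateway.trusted: range not supported: {e}" for e in trusted if "/" in e]
    # REMOTE_ADDR (the last proxy hop) must match one gateway.trusted address.
    # CNAME entries are not resolved here, so the check runs only on all-IPv4 lists.
    if all(_is_ipv4(e) for e in trusted) and remote_addr not in trusted:
        findings.append(f"REMOTE_ADDR {remote_addr} is not in gateway.trusted")
    # X-Forwarded-For must present the address chain.
    if not hdr.get("x-forwarded-for"):
        findings.append("X-Forwarded-For is missing")
    # Each X-Forwarded-Host name (one per hop) must be in gateway.trusted_hosts.
    for host in _csv(hdr.get("x-forwarded-host", "")):
        name = host.split(":")[0].lower()
        if name not in trusted_hosts:
            findings.append(f"X-Forwarded-Host {name} is not in gateway.trusted_hosts")
    # X-Forwarded-Proto is required when SSL is used to the proxy but not to the server.
    if tls_to_proxy and not tls_to_server and not hdr.get("x-forwarded-proto"):
        findings.append("X-Forwarded-Proto is missing")
    return findings

# Constructed sample values (documentation address ranges), not from a real deployment.
SETTINGS = {"gateway.trusted": "203.0.113.10",
            "gateway.trusted_hosts": "table.example.com, table"}
GOOD = {"X-Forwarded-For": "198.51.100.7", "X-Forwarded-Host": "table.example.com",
        "X-Forwarded-Proto": "https"}
BAD = {"X-Forwarded-For": "198.51.100.7", "X-Forwarded-Host": "bigbox.example.com"}

if __name__ == "__main__":
    print(check_request(SETTINGS, "203.0.113.10", GOOD, True, False))
    for finding in check_request(SETTINGS, "203.0.113.99", BAD, True, False):
        print(finding)
```

The second sample models a request arriving from a proxy hop and alias that were never added to gateway.trusted and gateway.trusted_hosts, with SSL ending at the proxy and no X-Forwarded-Proto header.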

If the proxy server uses SSL to communicate with Table Server, SSL must be configured and activated on Table Server.

To validate the configuration of your reverse proxy, publish workbooks and data sources using Table Server web authoring or Table Desktop. If you log in to Table Server with a web browser from the Internet, check that you are using a recommended browser. Publish and view workbooks that use existing data sources as well as data sources that you have published. Use the links below to familiarize yourself with connecting to Table Server as an end user.

