Astaro Firewall and Reverse Proxy

Posted by JoeLemaire on 2012/1/25 15:51:00
Hey All,

It's kind of a shot in the dark, but I thought I would post here to see if anyone has come across this issue before.

We have a customer that has a VPN to us. Our end is a Cisco ASA, their end is an Astaro firewall. Other than this specific issue, the VPN works fine. Over the VPN, they access some web services that we have. The customer hits a reverse proxy to access these web services. Here's the basic config of our reverse proxy:

NameVirtualHost aspwv.vtinfo.com:80
NameVirtualHost aspwv.vtinfo.com:443

<VirtualHost aspwv.vtinfo.com:80>
        RewriteEngine on
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

<VirtualHost aspwv.vtinfo.com:443>
        ServerName aspwv.vtinfo.com

        SSLEngine On
        SSLProxyEngine On
        SSLCertificateFile /etc/httpd/ssl/star_vtinfo.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/star_vtinfo_com.key
        SSLCertificateChainFile /etc/httpd/ssl/Apache_Plesk_Install.txt

        CustomLog /var/log/httpd/aspwv-access.log combined
        ErrorLog /var/log/httpd/aspwv-error.log
        LogLevel info

        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

        ProxyRequests off
        RewriteEngine on
        RewriteLog "/var/log/httpd/aspwv-rewrite.log"
        RewriteLogLevel 3

        Timeout 5400
        ProxyTimeout 5400

        ProxyPassReverseCookieDomain vipwebview.vtinfo.com aspwv.vtinfo.com

        <Location /est1/>
                ProxyPass               http://172.25.24.26:10200/
                ProxyPassReverse        http://172.25.24.26:10200/
                ProxyPassReverseCookiePath / /est1/
        </Location>

        <Location /est2/>
                ProxyPass               http://172.25.24.26:10205/
                ProxyPassReverse        http://172.25.24.26:10205/
                ProxyPassReverseCookiePath / /est2/
        </Location>

        <Location /cst1/>
                ProxyPass               http://172.25.24.26:10210/
                ProxyPassReverse        http://172.25.24.26:10210/
                ProxyPassReverseCookiePath / /cst1/
        </Location>

        <Location /cst2/>
                ProxyPass               http://172.25.24.26:10225/
                ProxyPassReverse        http://172.25.24.26:10225/
                ProxyPassReverseCookiePath / /cst2/
        </Location>

        <Location /mst1/>
                ProxyPass               http://172.25.24.26:10215/
                ProxyPassReverse        http://172.25.24.26:10215/
                ProxyPassReverseCookiePath / /mst1/
        </Location>

        <Location /pst1/>
                ProxyPass               http://172.25.24.26:10220/
                ProxyPassReverse        http://172.25.24.26:10220/
                ProxyPassReverseCookiePath / /pst1/
        </Location>

</VirtualHost>


When they try to hit our reverse proxy, they are getting a 'no route to host' error. I'm assuming this is because their Astaro firewall is in Standard Proxy mode, and it's filtering it out as it doesn't like the rewrites and such that the reverse proxy is doing.

Any thoughts as to how this could be reconfigured so that it doesn't get filtered by their firewall? I've told him that he might want to open up a ticket with Astaro to see if they could assist him with setting up a filtering rule to not inspect traffic destined to us, but I thought I'd attack it from our end as well to see if any changes could/should be made on our end to get around this.

Thanks so much!

~Joe

This Post was from: https://www.centos.org/newbb/viewtopic.php?forum=41&topic_id=35477