How to Redirect URL and Change Source and Destination IP Over HTTPS

iptables, mod-rewrite, nat, reverse-proxy

I have a SaaS service which exposes a URL (let's say https://mylink.foo.com) that is only accessible from some whitelisted IPs. However, we now need the aforementioned URL to be accessed by an audience outside those whitelisted IPs. I have thought of implementing another public cloud server as IaaS that acts as a pivot, changing source and destination IPs and redirecting the request to my SaaS provider (it is different from the IaaS); the only whitelisted IP in this case would be the pivot's public IP address.

Also, as the correct URL would point to the original server which is not accessible from IPs not in the whitelist, I am thinking of publishing an HTTP server from the same pivot which exposes a second URL (https://accesslink.foo.com) that gets rewritten to the original URL for reachability purposes.

As this scenario is proposed, it would include:

  • A Linux pivot acting as a firewall/NAT device rewriting source/destination IP addresses. Iptables would serve this purpose.
  • (perhaps?) another host acting as HTTP reverse proxy rewriting the URL for the requests coming into the server. HTTP server with mod_rewrite or nginx used here.

My concerns and questions are:

  • Is the whole idea about my implementation possible? Is there any other easier, simpler solution to this kind of problem?
  • Is the rewriting possible considering the original URL is exposed through HTTPS and not through HTTP?

If you don't mind sharing other implementation concerns/challenges that might not be addressed in my description, feel free to expose them.

Best Answer

I don't see why you would need iptables over here.

Just install a server as a reverse proxy, have that server's IP in the whitelisted IPs. End-users will connect to that server, which will reverse proxy connections to the final destination.

A reverse proxy opens a connection from its own IP address to the proxied server IP address, so you don't need any extra tricks for IP addresses.
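
A sketch of the setup this answer describes, written as an nginx configuration. It is an added example, not part of the original answer; the hostnames are the ones from the question, and the certificate and CA bundle paths are placeholders that depend on the host.

```nginx
# Added example: TLS-terminating reverse proxy on the pivot host.
# Hostnames are from the question; all file paths are placeholders.
server {
    listen 443 ssl;
    server_name accesslink.foo.com;

    # The proxy ends the client's TLS session, so it needs its own
    # certificate for the public name (not the SaaS certificate).
    ssl_certificate     /etc/nginx/tls/accesslink.foo.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/accesslink.foo.com.key;  # placeholder

    location / {
        # nginx opens a new HTTPS connection from the pivot's own IP,
        # which is the address the SaaS provider has whitelisted.
        proxy_pass https://mylink.foo.com;

        # Send the origin's hostname in the Host header and in TLS SNI,
        # so the SaaS routes the request to the right tenant.
        proxy_set_header Host mylink.foo.com;
        proxy_ssl_server_name on;
        proxy_ssl_name mylink.foo.com;

        # Upstream certificates are not verified by default; turn it on
        # so the hop to the SaaS is authenticated as well as encrypted.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # placeholder

        # Map redirects and cookies issued for the origin name back to
        # the public name, so clients are never sent to mylink.foo.com.
        proxy_redirect https://mylink.foo.com/ https://accesslink.foo.com/;
        proxy_cookie_domain mylink.foo.com accesslink.foo.com;

        # Record the real client address; the SaaS otherwise sees only
        # the pivot's IP on every request.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this in place every request reaches the SaaS from the single whitelisted address, so the provider's IP whitelist no longer distinguishes between clients. Any restriction on who may use the service has to be enforced on the proxy itself.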
