Linux – How to create a HTTPS Proxy

Tags: linux, linux-networking, routing

I have to setup access to a remote API service in which requests are IP-Whitelisted.

The problem I have is that my web-nodes are in the cloud and their IP addresses often change.

Therefore I want to proxy API requests from my web-nodes through a server with a fixed IP address.

The other caveat is that these requests must be made over HTTPS.

So I need some way of receiving HTTPS requests on one domain, decrypting them and then forwarding the request onto the destination domain.

Example:

Web Node request to proxy: https://api.proxy.internal.com
Proxy then makes request to: https://external.api.com

Is this possible? I would like to run this on an Ubuntu 14.04 LTS server.

Could I use something like HaProxy or NGINX as a reverse proxy?

Best Answer

You could use HAProxy, or Nginx, or ATS, or Squid, or Pound or just a set of iptables rules.

But you've not told us very much about the problem you are trying to solve.

If the service requires a nominated IP address, then presumably it has some value which should be protected - anything you put in place should ensure that there is equivalent or better protection. Probably the simplest solution is to use HTTPS to the proxy node authenticated by a client certificate - how you do that depends on what your application stack on AWS looks like. Then on the proxy node, re-encapsulate the traffic for connecting to the API. This can be done with a pair of stunnel or stud instances (one acting as server to your AWS instances, verifying the client cert, connecting the unencrypted stream to a second instance talking to the API).

(note you do need to break the SSL connection in order to authenticate it).

Assuming that there is some merit in keeping your service on AWS and that a fixed IP address is not available from AWS, then you need a fixed IP address elsewhere. While there are plenty of cheap hosting companies out there, if you want to ensure high availability for access to the service you're going to need 2 nodes in different locations and a way of distributing the traffic across them. Personally I'd go for haproxy or pound running on your AWS instances configured to operate on the connection as a simple TCP stream (i.e. ignoring the HTTP thing).
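As an added illustration of the stunnel arrangement described in the answer (not configuration from the question or answer itself), this is a single stunnel configuration for the fixed-IP proxy node with two services: the server side terminates HTTPS from the web nodes and requires a client certificate, and the client side re-encrypts the relayed stream to external.api.com and verifies its certificate. The certificate paths, the loopback port 8443 and the CA files are assumptions; `checkHost` needs stunnel 5.06 or later, so on the stock Ubuntu 14.04 stunnel4 package drop that line and rely on `verify = 2` against a CAfile that contains only the API's issuing CA.

```ini
; /etc/stunnel/api-proxy.conf  (assumed path, added example)
; Global options: drop privileges and keep a pid file for the init script.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/api-proxy.pid

; --- Inbound leg: web nodes -> proxy (api.proxy.internal.com) ---
[api-in]
accept  = 0.0.0.0:443
; Plaintext only ever travels over loopback to the outbound leg.
connect = 127.0.0.1:8443
; Server certificate/key presented to the web nodes (assumed paths).
cert    = /etc/stunnel/proxy.pem
key     = /etc/stunnel/proxy.key
; Require a client certificate and verify it against the private CA
; that issued the web-node certificates. verify = 2 rejects any
; connection that presents no certificate or an untrusted one.
CAfile  = /etc/stunnel/web-node-ca.pem
verify  = 2

; --- Outbound leg: proxy -> external.api.com ---
[api-out]
client  = yes
accept  = 127.0.0.1:8443
connect = external.api.com:443
; Verify the API's certificate chain so the decrypted stream is not
; re-encrypted to an impostor; restrict the trust store to the
; issuing CA rather than the whole system bundle where possible.
CAfile  = /etc/ssl/certs/ca-certificates.crt
verify  = 2
; Hostname check (stunnel >= 5.06); omit on the 14.04 stunnel4 package.
checkHost = external.api.com
```

Because stunnel relays the decrypted bytes unchanged, the HTTP request the web nodes send must already carry the Host header external.api.com expects; if the client library sets Host from the URL (api.proxy.internal.com), override it or the API will see the wrong host. Anything reaching port 8443 on loopback bypasses the client-certificate check, so keep that port bound to 127.0.0.1 and treat local shell access on the proxy node as equivalent to holding a web-node certificate.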