Configuring a Transparent Proxy

Overview

On Linux systems with the TPROXY kernel option enabled, you can configure the Enterprise Gateway as a transparent proxy. This enables the Enterprise Gateway to present itself as having the server's IP address from the point of view of the client, and/or having the client's IP address from the point of view of the server. This can be useful for administrative or network infrastructure purposes (for example, to keep using existing client/server IP addresses, and for load-balancing).

You can configure transparent proxy mode both for inbound and outbound Enterprise Gateway connections:

  • Incoming interfaces can listen on IP addresses that are not assigned to any interface on the local host.
  • Outbound calls can present the originating client's IP address to the destination server.

Both of these options act independently of each other.

Configuring Transparent Proxy Mode for Incoming Interfaces

To enable transparent proxy mode on an incoming interface, perform the following steps:

  1. In the Policy Studio tree view, expand the Listeners -> Oracle Enterprise Gateway nodes.
  2. Right-click your service, and select Add Interface -> HTTP or HTTPS to display the appropriate dialog (for example, Configure HTTP Interface).
  3. Select the checkbox labeled Transparent Proxy (allow bind to foreign address). When selected, the value in the Address field can specify any IP address, and incoming traffic for the configured address/port combinations is handled by the Enterprise Gateway.

For more details on configuring interfaces, see Configuring HTTP Services.

Configuring Transparent Proxy Mode for Outgoing Calls

Transparent proxy mode for outgoing calls must be enabled at the level of a connection filter in a circuit. To enable transparent proxy mode for outbound calls, perform the following steps:

  1. Ensure that your circuit contains a connection filter (for example, Connect to URL or Connection, available from the Routing category in the filter palette).
  2. In your connection filter, select the Advanced tab.
  3. Select the checkbox labeled Transparent Proxy (present client's IP address to server). When selected, the IP address of the original client connection that caused the circuit to be invoked is used as the local address of the TCP connection to the destination server.

For more details on configuring connection filters, see Connection and Connect to URL.

Configuration Example

A typical configuration example of transparent proxy mode is shown as follows:

Figure: Transparent Proxy Example

In this example, the remote client’s address is 172.16.0.99, and it is attempting to connect to the server at 10.0.0.99, port 80. The front-facing firewall is configured to route traffic for 10.0.0.99 through the Enterprise Gateway at address 192.168.0.9. The server is configured to use the Enterprise Gateway at address 10.0.0.1 as its default IP router.

The Enterprise Gateway is multi-homed, and sits on both the 192.168.0.0/24 and 10.0.0.0/24 networks. It is configured with a listening interface at address 10.0.0.99:80, with transparent proxy mode switched on, as shown in the following Configure HTTP Interface dialog:

Figure: Configure HTTP Interface

The Enterprise Gateway accepts the incoming call from the client, and processes it locally. However, there is no communication with the server yet. The Enterprise Gateway can process the call to completion and respond to the client—it is masquerading as the server.

If the Enterprise Gateway invokes a connection filter when processing this call (with transparent proxying enabled), the connection filter consults the originating address of the client, and binds the local address of the new outbound connection to that address before connecting. The server then sees the incoming call on the Enterprise Gateway originating from the client (172.16.0.99), rather than either of the Enterprise Gateway's IP addresses. The following dialog shows the example configuration for the Connect to URL filter:

Figure: Configure Connection

The result is a transparent proxy, where the client sees itself as connecting directly to the server, and the server sees an incoming call directly from the client. The Enterprise Gateway processes two separate TCP connections, one to the client, one to the server, with both masquerading as the other on each connection.

Note: Either side of the transparent proxy is optional. By configuring the appropriate settings for the incoming interface or the connection filter, you can masquerade only to the server, or only to the client.
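The two socket operations behind those checkboxes, as an added Python example that is not Oracle's code: the incoming side binds a foreign address with IP_TRANSPARENT set, and the outgoing side binds the original client's address before connecting. It reuses the addresses from the example above, assumes a Linux host with the TPROXY option and CAP_NET_ADMIN, and the helper names are my own.

```python
import errno
import socket

# Linux IP_TRANSPARENT option value; older Python versions do not export it.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def transparent_listener(addr, port, backlog=128):
    """Listen on addr:port even if addr belongs to no local interface
    (the 'allow bind to foreign address' side). The front-facing firewall
    must still steer packets for addr:port to this host."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind((addr, port))
    s.listen(backlog)
    return s


def connect_as_client(client_ip, server_addr, server_port, timeout=5.0):
    """Open the outbound leg with the client's IP as local address (the
    'present client's IP address to server' side). The server's replies
    must route back through this host or the handshake never completes."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind((client_ip, 0))  # port 0: kernel picks the source port
    s.settimeout(timeout)
    s.connect((server_addr, server_port))
    return s


def explain_failure(exc):
    """Map the errno of a failed setsockopt/bind to its likely cause."""
    if exc.errno == errno.ENOPROTOOPT:
        return "kernel lacks IP_TRANSPARENT (TPROXY option not enabled)"
    if exc.errno == errno.EPERM:
        return "process lacks CAP_NET_ADMIN, required for IP_TRANSPARENT"
    if exc.errno == errno.EADDRNOTAVAIL:
        return "address is not local and IP_TRANSPARENT was not applied"
    return "unexpected error: %s" % exc.strerror


def probe_transparent_bind(addr="10.0.0.99", port=0):
    """Return (ok, detail): can this host bind the foreign address addr?"""
    try:
        transparent_listener(addr, port).close()
        return True, "foreign bind of %s succeeded" % addr
    except OSError as exc:
        return False, explain_failure(exc)
```

Run without CAP_NET_ADMIN, probe_transparent_bind() reports why the foreign bind was refused instead of silently falling back to a local address, which is the first thing to check when the Transparent Proxy checkbox appears to have no effect.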