
I have several app servers in AWS/EC2, where customers may use their LDAP implementations to authenticate to our product.

Some of our customers cannot whitelist us by FQDN.

The app servers will be using iptables/NAT to send that LDAP traffic (port varies by customer) to a 'proxy machine' which should then forward that traffic out to its destination.

```shell
# DNAT locally generated LDAP traffic (dport 389) to the proxy machine on port 3128.
# OUTPUT is the nat chain that locally generated packets traverse.
iptables -t nat -A OUTPUT -p tcp --dport 389 -j DNAT --to-destination x.x.x.x:3128
# Accept the connection towards the proxy. Note that FORWARD only sees packets
# routed through this host; locally generated packets go through the OUTPUT filter chain.
iptables -A FORWARD -p tcp -d x.x.x.x --dport 3128 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
```

As you might have guessed by the port - initially this proxy had Squid installed. I could verify via tcpdump that LDAP traffic was getting to that box on that port, but Squid would never pick up on it or do anything with it.

Failing to find any working examples online, I've moved to HAProxy - largely to a similar result. I also can't find any documentation of HAProxy being used in this manner - with most of it largely being a reverse proxy, or a load balancer.

I've explored setting up an iptables-based router as well, but AWS is preventing public IPs on machines with 2 Ethernet interfaces.

1 Answer

This is extremely straightforward in HAProxy. The thing you're overlooking is that in this configuration, HAProxy is still performing the role of a reverse proxy. The "backend" is the customer's LDAP server, and the frontend is only accessible to you.

```haproxy
listen label_for_the_proxy
    bind 0.0.0.0:389
    mode tcp
    server label_for_the_server 203.0.113.111:389 check rise 1 fall 2 inter 60000 fastinter 5000 downinter 2000 on-error sudden-death
```

This is a combination frontend and backend configuration.

Connect to port 389 on this instance, and you'll find yourself talking to the customer's LDAP server. Note that this example is taken from a working environment similar to what you describe, but this configuration, as shown, must not be assumed to be sufficiently secure.

You don't want to transport LDAP in the clear across the Internet. In the environment where I'm using this, it's very similar to your application, except the HAProxy is in the middle of a couple of IPSec tunnels, which is why there is no TLS. But that has no impact on the principles of the configuration.
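As an added example (not part of the answer above), here is the same listen block with the two points the answer raises applied: the frontend accepts only the app servers' addresses, and the leg that crosses the Internet is wrapped in TLS by pointing the server line at the customer's LDAPS port with certificate verification required. The subnet, bind address, CA file path and hostname are assumed placeholders.

```haproxy
# Added example, not the answer's own config. Assumed: app servers live in
# 10.0.0.0/16, this proxy listens on 10.0.1.10, the customer publishes LDAPS
# on 203.0.113.111:636, and their CA bundle is at /etc/haproxy/customer-ca.pem.
listen ldap_proxy_customer_a
    # App servers speak plain LDAP to this port inside the VPC only,
    # so bind to the private address rather than 0.0.0.0.
    bind 10.0.1.10:389
    mode tcp
    # Reject any source that is not one of our app servers before proxying.
    tcp-request connection reject if !{ src 10.0.0.0/16 }
    # Upstream leg is TLS: HAProxy wraps the plain LDAP in LDAPS and verifies
    # the customer's certificate (chain and hostname) against their CA, so the
    # traffic that crosses the Internet is no longer in the clear.
    server customer_a_ldaps 203.0.113.111:636 check inter 60000 fastinter 5000 downinter 2000 rise 1 fall 2 on-error sudden-death ssl verify required ca-file /etc/haproxy/customer-ca.pem sni str(ldap.customer-a.example) verifyhost ldap.customer-a.example
```

The customer then only needs to whitelist the proxy's public IP, and the `check` keeps the server marked down when the TLS handshake or certificate verification fails rather than silently falling back to cleartext.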
