Configuring a proxy server for the secure client

Establishing a connection between the secure client and the SaaS server might require the use of a proxy server. Unlike the Turbonomic probes, the secure client establishes an mTLS connection over TCP (Mutual Transport Layer Security over Transmission Control Protocol), which imposes additional requirements on how the proxy server is configured.

Note:

The secure client does not support explicitly configured proxies, nor proxy servers that support HTTP only. Transparent proxies (implicit proxies) that support TLS over TCP are supported.

Requirements

  • TLS passthrough:

    The proxy server must not terminate the TLS session originating from the secure client. This is sometimes called TLS passthrough mode, as opposed to re-encrypt mode, in which the proxy terminates the client's TLS session and opens a new one to the server.

    With mTLS passthrough, encrypted traffic from the secure client is passed on to the SaaS server without being decrypted by the proxy server. Because the data is decrypted only on the SaaS server, the proxy never holds the session keys or the plaintext, and the traffic stays protected in transit.

  • Server name indication:

    The proxy server must support server name indication (SNI).

    SNI is an extension of the TLS protocol by which the client sends the domain name of the SaaS server in clear text in the ClientHello message at the start of the TLS handshake. Because the name is visible before any encryption is negotiated, the proxy server can read it and direct the connection to the correct SaaS server without terminating the TLS session.

Determining the proxy server settings

Open the Turbonomic user interface. Navigate to Settings > Secure Client Management, and then click the Server Details tab. The fully qualified domain name (FQDN) and port combinations shown there are the values you need to configure your proxy server.

Figure: Secure Client Management Server Details dialog

If you do not have the URL or login credentials of your SaaS server, contact your Turbonomic representative.

The SaaS server endpoints resemble the following list (acme.com stands in for your own domain):
  1. claims-turbonomic.apps.acme.com
  2. skupper-edge-turbonomic.apps.acme.com
  3. skupper-inter-router-turbonomic.apps.acme.com

Example proxy server configuration

The following sample HAProxy configuration file illustrates both requirements: layer 4 (mode tcp) passthrough, so the proxy never terminates TLS, and routing on the SNI value read from the ClientHello:

# Frontend: accept TLS on port 443 and use the SNI from the ClientHello to pick a backend.
# mode tcp keeps HAProxy at layer 4 (it is also HAProxy's default), so no TLS termination happens here.
frontend public_ssl
  mode tcp
  bind :443
  # Buffer the start of the connection for up to 5s and proceed as soon as a
  # ClientHello (hello type 1) is seen, which is where the SNI name is carried.
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  # Match the SNI name case-insensitively (-i). There is no default_backend,
  # so connections whose SNI matches none of the SaaS endpoints are not forwarded.
  use_backend be_claims if { req.ssl_sni -i claims-turbonomic.apps.acme.com }
  use_backend be_skupper-edge if { req.ssl_sni -i skupper-edge-turbonomic.apps.acme.com }
  use_backend be_skupper-inter-router if { req.ssl_sni -i skupper-inter-router-turbonomic.apps.acme.com }

# TLS passthrough for claims route: the encrypted stream is relayed as-is to port 443.
backend be_claims
  mode tcp
  balance source
  hash-type consistent
  timeout check 5000ms
  server skupper-claims claims-turbonomic.apps.acme.com:443 weight 1 check

# TLS passthrough for skupper-edge route
backend be_skupper-edge
  mode tcp
  balance source
  hash-type consistent
  timeout check 5000ms
  server skupper-router skupper-edge-turbonomic.apps.acme.com:443 weight 1 check

# TLS passthrough for skupper-inter-router route
backend be_skupper-inter-router
  mode tcp
  balance source
  hash-type consistent
  timeout check 5000ms
  server skupper-inter-router skupper-inter-router-turbonomic.apps.acme.com:443 weight 1 check
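To make the SNI requirement concrete, the following Python script (an added example, not part of the Turbonomic documentation or product) builds a minimal TLS ClientHello for a constructed endpoint name, extracts the server_name extension the way a passthrough proxy does (the equivalent of HAProxy's req_ssl_hello_type 1 and req.ssl_sni checks), and selects the same backend names as the configuration above. Records that are not a ClientHello, or that carry no SNI, yield no backend, matching the configuration's lack of a default_backend; the host names are the example values from this page.

```python
import struct

# Backend map mirroring the use_backend rules in the HAProxy sample above.
BACKENDS = {
    "claims-turbonomic.apps.acme.com": "be_claims",
    "skupper-edge-turbonomic.apps.acme.com": "be_skupper-edge",
    "skupper-inter-router-turbonomic.apps.acme.com": "be_skupper-inter-router",
}

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                    # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                   # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 22 = handshake

def extract_sni(record: bytes):
    """Return the clear-text SNI host name a passthrough proxy reads, or None if absent."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                # handshake record, ClientHello
            return None
        pos = 43                                                   # headers + version + 32-byte random
        pos += 1 + record[pos]                                     # skip session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]        # skip cipher suites
        pos += 1 + record[pos]                                     # skip compression methods
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == 0 and record[pos + 2] == 0:                # server_name, host_name entry
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                       # truncated or malformed hello
    return None

def route(record: bytes):
    """Choose the backend like `use_backend ... if { req.ssl_sni -i <fqdn> }` (case-insensitive)."""
    name = extract_sni(record)
    return BACKENDS.get(name.lower()) if name else None
```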