Cloudmersive Private Cloud Reverse Proxy Server Configuration

Overview

Cloudmersive Private Cloud Reverse Proxy Server allows you to apply policies to HTTP traffic with no code changes to your web application. Policies cover key security outcomes such as virus scanning of file uploads, injection and cross-site scripting protection, IP allow/block lists and rate limiting.

General Approach

In general, the Cloudmersive Private Cloud Reverse Proxy Server should be installed on its own infrastructure. It accepts client traffic, forwards it to your underlying target application server(s), and connects to the Cloudmersive Private Cloud Virus Scan API for the policies that need it.

Configure Sites

Each Cloudmersive Private Cloud Reverse Proxy Server can be configured to host (proxy) multiple underlying sites, each with different URLs/domain names.

To configure Cloudmersive Private Cloud Reverse Proxy Server, navigate to the Cloudmersive Management Portal. Click on Private Cloud, and then click on your Reverse Proxy node. From here, click on Configure Node. Scroll to the bottom of the page and click on Add Site. Give the site a descriptive name, and click on Add Site to create the site. You can add multiple Sites to each server node. To edit an existing site, or the site you just created, you can click on Manage.

To delete a site, click on Manage Site and then click on Delete Site and confirm the deletion operation. Note that deletion operations cannot be undone.

Cloudmersive Private Cloud Reverse Proxy Servers check for and apply configuration updates every 30 seconds, so a change saved in the portal can take up to 30 seconds to take effect on each node. Configuration is also cached locally: if network connectivity between the Reverse Proxy Server and the cloud is lost, the last known good configuration from the local cache continues to be used until connectivity is restored.

Configure Endpoints

Configuring Endpoints is optional if you only plan to host a single Site: if no Endpoints are configured, all traffic is routed to that Site. When hosting more than one Site, you need to set up Endpoints, which determine which traffic (by protocol, domain name and port) belongs to a given Site and is routed to that Site's underlying target servers. Note that you will also need to configure Host Bindings in IIS (see below).

To configure Endpoints, you can click on Add Endpoint, and then select the endpoint protocol, domain name (optional), and target port (optional).

Configure Host Bindings and Certificates

Import Certificates

When using HTTPS (TLS) with either public or private certificates, the certificate is installed through Windows Server IIS using its standard interfaces. First, connect to your server using Remote Desktop. Then navigate to Start > Administrative Tools > Internet Information Services (IIS) Manager. Click on the server on the left-hand side, then double-click Server Certificates. Click Import..., select the certificate file (typically a .pfx, which bundles the certificate with its private key), and enter the password if prompted. Once imported, the certificate is stored in the machine's certificate store (the Personal store, or Web Hosting on IIS 8 and later) and can be selected in website host bindings. Because the .pfx contains the private key, protect the file and its password, and delete the file from the server once the import has succeeded.

Set Host Bindings

Now, you can bind a certificate and host name to your server. Click on Sites > Default Web Site. Then click on Bindings... and then click on Add... to add a host binding. You should add a host binding for each host name / protocol / certificate (if applicable) combination. So for example, if you wish to bind to both https://myserver.com and http://myserver.com, you will want to add two bindings.

HTTPS / TLS Host Binding

To add an HTTPS host binding, click on Add..., then under Type choose https. Under Host name, specify the fully-qualified host name, such as myserver.com or www.myserver.com. Under SSL certificate, select a previously-imported certificate (see above). If several host names share one IP address and port 443, also tick Require Server Name Indication (IIS 8 and later) so that IIS can present the matching certificate for each host name; without SNI, only one certificate can be bound per IP address and port.

HTTP Host Binding

To add an HTTP host binding, click on Add..., then under Type choose http. Under Host name, specify the fully-qualified host name, such as myserver.com or www.myserver.com. Only add an HTTP binding if you intend to accept unencrypted traffic for that host name.
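The same import-and-bind procedure can be scripted so it is repeatable across Reverse Proxy nodes. The following PowerShell script is an added example, not code from the original page or from Cloudmersive, and runs in an elevated session on the proxy server itself. The .pfx path, the host name and the use of Default Web Site are assumptions to adjust for your environment; it relies only on the PKI module (Import-PfxCertificate, Windows Server 2012 and later) and the IIS WebAdministration module.

```powershell
# Added example (not Cloudmersive's code): script the certificate import and
# the https/http host bindings from an elevated PowerShell session on the
# Reverse Proxy server. Paths, host name and site name are assumptions.
# Needs the PKI module (Windows Server 2012 and later) and WebAdministration.
Import-Module WebAdministration

$PfxPath  = 'C:\certs\myserver.pfx'   # assumed location of the exported certificate
$HostName = 'www.myserver.com'        # assumed FQDN that clients connect to
$SiteName = 'Default Web Site'        # the site used in the manual steps above

# 1. Import the .pfx (certificate plus private key) into the machine Personal
#    store. Read-Host keeps the password out of the script and shell history.
#    A .pfx may also carry chain certificates, so keep the one with the key.
$PfxPassword = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword |
    Where-Object HasPrivateKey | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key was imported from $PfxPath" }

# 2. Sanity checks before binding: not expired, and the host name is covered
#    by a SAN entry (the -like test also accepts a wildcard such as *.myserver.com).
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
$sans = @($cert.DnsNameList.Unicode)
if (-not ($sans | Where-Object { $HostName -like $_ })) {
    Write-Warning "Certificate names ($($sans -join ', ')) do not cover $HostName"
}

# 3. HTTPS binding. SslFlags 1 = Require Server Name Indication, so other host
#    names can share this IP address and port 443 with their own certificates.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
}
$httpsBinding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName
$httpsBinding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Plain HTTP binding for the same host name; skip this step if the site
#    should only be reachable over HTTPS.
if (-not (Get-WebBinding -Name $SiteName -Protocol http -HostHeader $HostName)) {
    New-WebBinding -Name $SiteName -Protocol http -Port 80 -HostHeader $HostName
}

# 5. Review the bindings that now exist on the site.
Get-WebBinding -Name $SiteName | Format-Table protocol, bindingInformation, sslFlags -AutoSize
```

Run it once per host name you want the node to answer for; the Get-WebBinding guards make it safe to re-run, and step 5 should list one https binding with sslFlags 1 and, if you kept step 4, one http binding for the host name.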

Configure Security Policies

To protect traffic passing through your Reverse Proxy Server, you can apply Policies to your server. Policies process the traffic passing through the server and can allow or block it. Key policies available include:

  • Virus Scan File Uploads (multipart/form-data)
  • Virus Scan JSON Binary Data - Request
  • Virus Scan JSON Binary Data - Response
  • Virus Scan File Uploads (multipart/form-data) - Advanced Scan
  • Virus Scan JSON Binary Data - Advanced Scan
  • SQL Injection Protection
  • XML External Entity (XXE) Protection
  • Cross-Site Scripting (XSS) Protection for Request Parameters
  • IP Blocklist
  • IP Allowlist
  • Rate Limit
  • Block Known Bot Clients
  • Block Known Threat Clients
  • Block Known Tor Clients
  • Open API v2 (Swagger 2.0) Request Validation

Virus Scan File Uploads (multipart/form-data) Policy

Apply this policy to automatically virus scan any file uploads to your Site sent as multipart/form-data (the default content type for form-based file uploads) using the Cloudmersive Private Cloud Virus Scan API, and block the request from reaching the Target server if any uploaded file contains a virus.

You can further configure the Virus Scan Policy. You can set a URL Match Regular Expression to limit the policy to only URLs that match the specified URL regular expression. You can also set a URL for a page to show the user if a virus is found. You can also specify a URL for an error page to show the user if there is an error (e.g. all target servers are down).

Virus Scan JSON Binary Data

Apply this policy to automatically scan base64-encoded binary file data carried in JSON requests. This is useful for API-based applications, in which file contents are commonly base64-encoded inside a JSON document rather than uploaded as form data.

You can further configure the Virus Scan Policy. You can set a URL Match Regular Expression to limit the policy to only URLs that match the specified regular expression. You can also set a URL for a page to show the user if a virus is found, and a URL for an error page to show the user if there is an error (e.g. all target servers are down). You can also restrict scanning to specific JSON fields by specifying a JSON Path; if no JSON Path is specified, all base64-encoded fields will be virus scanned.
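To confirm that both Virus Scan policies actually stop malware before it reaches the target, the following PowerShell script is an added example (not part of the original page and not Cloudmersive's own tooling) that posts the harmless EICAR test string through the proxy once as a multipart/form-data file upload and once as base64 inside JSON, each beside a clean control. The proxy host name, the /upload and /api/files paths, the form field name "file" and the JSON property names are assumptions; replace them with your Site's real endpoints.

```powershell
# Added example (not Cloudmersive's code): post the EICAR test string through
# the proxy as a form file upload and as base64 in JSON, each beside a clean
# control, and report how the proxy answered. Host name, paths and field
# names are assumptions; the target application behind the proxy must accept
# these requests for the clean cases to return 2xx.
$ProxyBase = 'https://www.myserver.com'   # assumed host name bound on the proxy

# EICAR is the industry-standard harmless anti-virus test string. Single quotes
# stop PowerShell from expanding the "$" characters inside it.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$Clean = 'just some harmless text'

function Invoke-ProxyPost {
    # Returns the HTTP status code the proxy answered with. Invoke-WebRequest
    # throws on 4xx/5xx (and on a 3xx once redirects are disabled), so the
    # status is recovered from the exception's response in those cases.
    param([string]$Uri, [string]$ContentType, [string]$Body)
    try {
        $r = Invoke-WebRequest -Uri $Uri -Method Post -ContentType $ContentType `
            -Body $Body -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

function New-MultipartBody {
    # Hand-built multipart/form-data body with a single file part named "file"
    # (works on Windows PowerShell 5.1, which lacks Invoke-WebRequest -Form).
    param([string]$FileName, [string]$Content, [string]$Boundary)
    $LF = "`r`n"
    return (
        "--$Boundary",
        "Content-Disposition: form-data; name=`"file`"; filename=`"$FileName`"",
        "Content-Type: application/octet-stream",
        "",
        $Content,
        "--$Boundary--",
        ""
    ) -join $LF
}

function New-JsonBody {
    # JSON document carrying the file as base64, the shape the JSON policy scans.
    param([string]$FileName, [string]$Content)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($Content))
    return ([ordered]@{ name = $FileName; data = $b64 } | ConvertTo-Json -Compress)
}

$boundary = [guid]::NewGuid().ToString('N')
$cases = @(
    @{ Name = 'multipart clean'; Uri = "$ProxyBase/upload";    Type = "multipart/form-data; boundary=$boundary"; Body = New-MultipartBody 'notes.txt' $Clean $boundary }
    @{ Name = 'multipart EICAR'; Uri = "$ProxyBase/upload";    Type = "multipart/form-data; boundary=$boundary"; Body = New-MultipartBody 'eicar.com' $Eicar $boundary }
    @{ Name = 'json clean';      Uri = "$ProxyBase/api/files"; Type = 'application/json'; Body = New-JsonBody 'notes.txt' $Clean }
    @{ Name = 'json EICAR';      Uri = "$ProxyBase/api/files"; Type = 'application/json'; Body = New-JsonBody 'eicar.com' $Eicar }
)

foreach ($c in $cases) {
    $status = Invoke-ProxyPost -Uri $c.Uri -ContentType $c.Type -Body $c.Body
    # Clean uploads should reach the target (2xx). EICAR uploads should be
    # answered by the proxy's virus page or a redirect to it (assumed non-2xx);
    # if you serve that page with 200, compare the response body instead.
    $expectBlocked = $c.Name -like '*EICAR*'
    $blocked = ($status -lt 200) -or ($status -ge 300)
    $verdict = if ($blocked -eq $expectBlocked) { 'as expected' } else { 'UNEXPECTED' }
    '{0,-16} HTTP {1}  {2}' -f $c.Name, $status, $verdict
}
```

The conclusive check is on the target server rather than on the client: its access log should show the two clean requests and neither EICAR request. If the multipart EICAR case is not blocked while the JSON case is, check the policy's URL Match Regular Expression, since a pattern that does not match the upload path silently disables scanning for it.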

Rate Limit

Configure a Rate Limit Policy to automatically block client IP addresses that exceed the defined rate limit.

Configure the rate limit value, as well as the unit of time (per second or per minute) over which requests from a client are counted. Note that the policy keys on the client IP address as seen by the Reverse Proxy Server: if another proxy, load balancer or CDN sits in front of it, many clients can share one source address and would be counted, and limited, together.

IP Blocklist

This policy will allow you to block access from any IP addresses listed on the blocklist.

IP Allowlist

This policy will allow you to block access from any IP addresses NOT listed on the allowlist (typically only used for internal services/APIs).

Cross-Site Scripting (XSS) Protection for Request Parameters

This policy blocks requests whose parameters contain cross-site scripting (XSS) attack payloads.

Configure Target Servers

Configuring at least one target server is required. The target server is the underlying server (or servers) that serves your application. You can add multiple targets, and the Cloudmersive Reverse Proxy Server will load balance traffic across all of them.

When specifying a target, you can set a name, the target URL (HTTPS or HTTP transport; be sure to specify the protocol) and the target port number.

Configure API Keys and Endpoints

Configuring at least one API key is required for Policies that use the underlying API, such as virus scanning and XSS protection.

Configure your API key and, optionally, the fully-qualified URL of your Private Cloud Server (recommended); alternatively, use Cloudmersive Managed Instances or the Cloudmersive Public Cloud.

If you specify multiple API keys, the Reverse Proxy Server will load balance across the API keys for that site.

API Management

You can also configure API Management for your server:

  • OpenAPI v2 (Swagger 2.0) API Specs

OpenAPI v2 (Swagger 2.0) API Specs

To configure OpenAPI v2 (Swagger 2.0) API Spec validation for requests, click on Add Security Policy and select "Open API v2 (Swagger 2.0) Request Validation". Then, click on Edit next to this policy and upload the OpenAPI spec file (Swagger 2.0 JSON file) and click on Save Changes.
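The page does not show what a request-validation spec looks like, so the following Swagger 2.0 document is an added example (not from the page or from Cloudmersive) of the kind of constraints such a spec can carry: a required integer path parameter, and a JSON body whose properties are required, typed, length-limited and restricted to a safe character set, with unknown properties disallowed. Which schema keywords the proxy enforces is a product question the page does not answer; the host name, paths and field names are assumptions for illustration only.

```json
{
  "swagger": "2.0",
  "info": { "title": "Files API (illustrative spec, not from the page)", "version": "1.0" },
  "host": "www.myserver.com",
  "basePath": "/api",
  "schemes": ["https"],
  "consumes": ["application/json"],
  "paths": {
    "/files/{id}": {
      "get": {
        "parameters": [
          { "name": "id", "in": "path", "required": true, "type": "integer", "minimum": 1 }
        ],
        "responses": { "200": { "description": "File metadata" } }
      }
    },
    "/files": {
      "post": {
        "parameters": [
          {
            "name": "body",
            "in": "body",
            "required": true,
            "schema": {
              "type": "object",
              "required": ["name", "data"],
              "additionalProperties": false,
              "properties": {
                "name": { "type": "string", "maxLength": 128, "pattern": "^[A-Za-z0-9._-]+$" },
                "data": { "type": "string", "format": "byte" }
              }
            }
          }
        ],
        "responses": { "201": { "description": "Created" } }
      }
    }
  }
}
```

Keep the spec in sync with the application: a request the application accepts but the spec does not describe (a new field, a new path) is rejected at the proxy, which is the point of positive validation but also the most common source of unexpected blocks after a deployment.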

Configure Transform Policies

You can configure a range of transform policies to transform the request or response:

  • Transform Redirect
  • Remove Response Header
  • Set Response Header
  • Set Request Header
  • Replace (Conditionally) Request Header
  • Response Content Replace
  • Remove Cookie Domain (Response)
  • Request URL Replace

Configure Logging Policies

You can configure a range of Logging policies to capture and log data from the request or response:

  • AWS CloudWatch Logging
  • Azure Log Analytics
  • Splunk
  • Webhook (JSON)
  • LogRhythm