* [gentoo-user] Proxy questions
From: felix @ 2012-01-24 17:08 UTC
To: gentoo-user

I know, in general, what proxies do -- caching, filtering, and
bypassing firewalls.  I have even written a couple of very special
purpose proxies.  Now I need one for work, and don't really want to
write another custom special purpose when it seems there must be a
canned one which can do the job.

We have some vendors who transact business over special ports with
custom protocols.  We pay for these connections, and we only have two
of them, good enough for QA, but when a developer needs to test code,
they have to drag their machine over to QA and schedule time with one
of these connections.  What we need is a proxy which can take any
number of connections on our side and funnel everything into one or
two vendor connections.  I don't know enough of the proxy jargon to
know how to describe it.  I imagine some kind of NAT.  No filtering or
caching; firewall penetration will be taken care of elsewhere.

Any suggestions, or proxy education hints?

--
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
GPG = E987 4493 C860 246C 3B1E 6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

* Re: [gentoo-user] Proxy questions
From: Mick @ 2012-01-24 18:14 UTC
To: gentoo-user

On Tuesday 24 Jan 2012 17:08:43 felix@crowfix.com wrote:
> I know, in general, what proxies do -- caching, filtering, and
> bypassing firewalls.  I have even written a couple of very special
> purpose proxies.  Now I need one for work, and don't really want to
> write another custom special purpose when it seems there must be a
> canned one which can do the job.
>
> We have some vendors who transact business over special ports with
> custom protocols.  We pay for these connections, and we only have two
> of them, good enough for QA, but when a developer needs to test code,
> they have to drag their machine over to QA and schedule time with one
> of these connections.  What we need is a proxy which can take any
> number of connections on our side and funnel everything into one or
> two vendor connections.  I don't know enough of the proxy jargon to
> know how to describe it.  I imagine some kind of NAT.  No filtering or
> caching; firewall penetration will be taken care of elsewhere.
>
> Any suggestions, or proxy education hints?

I'm not entirely clear of your use case scenarios and the constraints you are
trying to address with a proxy (e.g. why the developer does not connect
directly to the vendor's port(s) to access their service?) but I'll guess that
you probably need a reverse proxy/load balancer arrangement - something like
pound, portfusion, or even nginx?  BTW, did I mention apache mod_proxy?  I am
not sure what authentication arrangements you need to access your vendors'
ports, if you have VPNs or other secure tunnels between your site and the
vendors', but let's say I'd read up on reverse proxies as a start.

This should make the transaction transparent for your devs, they won't
necessarily know which vendor they end up with after they hit your URL, but I
am not sure if it will satisfactorily address the issue of scheduling time for
a connection with your vendors at times of high demand.  Once ports or vendor
service limitations are reached the connections will eventually become
saturated.

--
Regards,
Mick

* Re: [gentoo-user] Proxy questions
From: felix @ 2012-01-25 17:11 UTC
To: gentoo-user

On Tue, Jan 24, 2012 at 06:14:22PM +0000, Mick wrote:
> On Tuesday 24 Jan 2012 17:08:43 felix@crowfix.com wrote:
> > I know, in general, what proxies do -- caching, filtering, and
> > bypassing firewalls.  I have even written a couple of very special
> > purpose proxies.  Now I need one for work, and don't really want to
> > write another custom special purpose when it seems there must be a
> > canned one which can do the job.
> >
> > We have some vendors who transact business over special ports with
> > custom protocols.  We pay for these connections, and we only have two
> > of them, good enough for QA, but when a developer needs to test code,
> > they have to drag their machine over to QA and schedule time with one
> > of these connections.  What we need is a proxy which can take any
> > number of connections on our side and funnel everything into one or
> > two vendor connections.  I don't know enough of the proxy jargon to
> > know how to describe it.  I imagine some kind of NAT.  No filtering or
> > caching; firewall penetration will be taken care of elsewhere.
> >
> > Any suggestions, or proxy education hints?
>
> I'm not entirely clear of your use case scenarios and the constraints you are
> trying to address with a proxy (e.g. why the developer does not connect
> directly to the vendor's port(s) to access their service?) but I'll guess that

Because if the devs connect directly to the vendor, they will take
over the limited connections we are allowed.  Thus they need
throttling and/or some kind of NAT.

> you probably need a reverse proxy/load balancer arrangement - something like
> pound, portfusion, or even nginx?  BTW, did I mention apache mod_proxy?  I am
> not sure what authentication arrangements you need to access your vendors'
> ports, if you have VPNs or other secure tunnels between your site and the
> vendors', but let's say I'd read up on reverse proxies as a start.
>
> This should make the transaction transparent for your devs, they won't
> necessarily know which vendor they end up with after they hit your URL, but I
> am not sure if it will satisfactorily address the issue of scheduling time for
> a connection with your vendors at times of high demand.  Once ports or vendor
> service limitations are reached the connections will eventually become
> saturated.

I don't think saturation is a problem with the kind of dev work we do;
our production systems handle hundreds of thousands of transactions an
hour over a single connection.  The real problem is that if devs grab
that connection, production would stall immediately, so we have a
separate connection for QA which devs will have to share without
hogging; thus some proxy to funnel all requests into the single
channel.  Although there is some possibility of the QA channel turning
into two, that still needs to be shared amongst a dozen devs and QA.

I'll look into all those buzzwords :-)

--
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
GPG = E987 4493 C860 246C 3B1E 6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

* Re: [gentoo-user] Proxy questions
From: Mick @ 2012-01-25 20:49 UTC
To: gentoo-user

On Wednesday 25 Jan 2012 17:11:36 felix@crowfix.com wrote:
> On Tue, Jan 24, 2012 at 06:14:22PM +0000, Mick wrote:
> > On Tuesday 24 Jan 2012 17:08:43 felix@crowfix.com wrote:
> > I'm not entirely clear of your use case scenarios and the constraints you
> > are trying to address with a proxy (e.g. why the developer does not
> > connect directly to the vendor's port(s) to access their service?) but
> > I'll guess that
>
> Because if the devs connect directly to the vendor, they will take
> over the limited connections we are allowed.  Thus they need
> throttling and/or some kind of NAT.

OK, I understand now.  I guess some reverse proxies offer the ability to
throttle throughput and/or you can also apply QoS so that internal connections
to the vendors are always given priority, while external connections coming
from the devs are constrained appropriately.

--
Regards,
Mick
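
The throttling arrangement discussed in this thread, as an added example that is not part of any message above: a minimal TCP relay in Python that accepts any number of developer connections but opens at most `max_upstream` connections to the vendor, making the rest wait their turn. `FunnelProxy`, `demo` and the echo service standing in for the vendor are hypothetical names constructed here; the relay caps concurrent connections and does not multiplex several sessions over one vendor connection, which would need knowledge of the custom protocol.

```python
import asyncio

class FunnelProxy:  # any number of clients, at most max_upstream vendor connections
    def __init__(self, host, port, max_upstream=1):
        self.upstream = (host, port)
        self.slots = asyncio.Semaphore(max_upstream)  # one slot per vendor link

    async def _pipe(self, reader, writer):  # copy one way until EOF, pass on the half-close
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
        if writer.can_write_eof():
            writer.write_eof()

    async def handle(self, c_reader, c_writer):
        try:
            async with self.slots:  # extra clients queue here, not at the vendor
                u_reader, u_writer = await asyncio.open_connection(*self.upstream)
                try:
                    await asyncio.gather(self._pipe(c_reader, u_writer), self._pipe(u_reader, c_writer))
                finally:
                    u_writer.close()
        except OSError:
            pass  # vendor unreachable, or a peer reset the connection
        finally:
            c_writer.close()

async def demo(clients=5, max_upstream=1):
    seen = {"now": 0, "peak": 0}  # the stand-in vendor's own view of concurrency

    async def vendor(reader, writer):  # constructed echo service, not a real vendor protocol
        seen["now"] += 1
        seen["peak"] = max(seen["peak"], seen["now"])
        writer.write(await reader.read())  # echo once the client half-closes
        seen["now"] -= 1
        writer.close()

    back = await asyncio.start_server(vendor, "127.0.0.1", 0)
    proxy = FunnelProxy("127.0.0.1", back.sockets[0].getsockname()[1], max_upstream)
    front = await asyncio.start_server(proxy.handle, "127.0.0.1", 0)

    async def dev(i):  # one developer's test client
        r, w = await asyncio.open_connection("127.0.0.1", front.sockets[0].getsockname()[1])
        w.write(f"txn {i}".encode())
        w.write_eof()
        reply = await r.read()
        w.close()
        return reply.decode()

    replies = await asyncio.gather(*(dev(i) for i in range(clients)))
    front.close()
    back.close()
    return replies, seen["peak"]
```

Calling `asyncio.run(demo())` returns the five echoed replies together with the peak number of simultaneous vendor connections, which stays at 1.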