Imagine a scenario where you have an application instrumented with Loupe running in an environment that can’t directly reach your Loupe Server: how do you get the session files? It seemed far-fetched to me, but it’s come up several times, in two situations:
- Internal Clients without direct Internet access attempting to send data to Loupe Cloud-Hosted Service.
- External Clients attempting to send data to an internal, protected Loupe Self-Hosted Server.
When this has come up before I’ve pushed customers to use a traditional HTTP proxy - since the Loupe Agent uses a straightforward REST API, this works. Unfortunately, customers often can’t deploy a generic proxy for the same reasons the systems are isolated in the first place: security policies that prevent generic network access.
A More Secure Option
Working with one of our banking customers, I talked at length with their security team to understand the root concerns they had. Frankly, I went into the conversation expecting to convince them to just open up a generic proxy and be done with it. But the longer we discussed it, the more I could see what their goals were and how we could help. In their particular situation the Loupe Server is in an internal trusted network and can’t be directly contacted from the Internet. Before they would sign off on any solution they wanted to ensure it satisfied several conditions:
- Validate Each Request: The proxy needed to validate API requests, not just blindly pass them along. Otherwise, it could be used to exploit a security vulnerability on an internal system.
- Terminate All Requests at the Proxy: Even valid requests need to be terminated at the proxy and then re-issued to the Loupe Server. This protects against DDoS attacks spreading internally and other ways requests could be abused.
- Hide Internal Information: Details of the internal network like addresses, user names, Loupe Repository, and server names can’t leak out even if a request generates an error or the internal servers are down or unavailable.
The more I thought about it, the more sense it made for us to make a proxy that could be easily integrated into an application and meet the requirements the client laid out. We know the exact protocol the Agent depends on, so it would be a lot easier for us to make a correct implementation. So, we committed to making a sample app version for our customer to try, and thought it would end there.
Easy to Integrate
Working with our web team, we implemented an ASP.NET Web API module that can be added to any existing site built with ASP.NET MVC / Web API. First, add the Loupe Proxy from NuGet to get the Proxy and its dependencies into your host web application. Then add one line of code to activate the Proxy. It leverages the configuration of the Loupe Agent in the web site to know which server to forward data to, so no additional configuration is required.
Once activated, the Loupe Proxy takes over requests to the path /loupe/hub and responds the same way a Loupe Server would - although it redacts error responses to hide details the Loupe Agent doesn’t care about, in line with the security goals listed above. To use it, just change the server configuration for the client applications to point to your web site instead of directly to the Loupe Server, like this:
<configuration>
  <gibraltar>
    <server enabled="true"
            useSsl="true"
            server="your.application.dns.name"
            applicationBaseDirectory="loupe"
            autoSendSessions="true"
            sendAllApplications="true" />
  </gibraltar>
</configuration>
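As an added illustration (not the Loupe Proxy’s own code, which is ASP.NET), here is a small Python model of the three conditions the security team set and of the error redaction just described. The internal Loupe Server is an injected callable so the example runs offline; the /loupe/hub prefix, the allowed methods and the header allow-lists are assumptions, and the host names and error text in the stand-in server are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable

HUB_PREFIX = "/loupe/hub"            # the only path the proxy answers
HUB_METHODS = {"GET", "POST"}        # methods the agent's REST exchange uses (assumption)
REQUEST_HEADERS_KEPT = {"content-type", "content-length", "accept"}
RESPONSE_HEADERS_KEPT = {"content-type", "content-length"}


@dataclass
class HttpMessage:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: bytes = b""

# The internal Loupe Server is modelled as a callable so the example runs offline.
Upstream = Callable[[str, str, dict, bytes], HttpMessage]


def proxy(method: str, path: str, headers: dict, body: bytes, upstream: Upstream) -> HttpMessage:
    # Rule 1: validate each request. Anything outside the hub path, any method the
    # agent never uses, and any traversal attempt is refused here, never forwarded.
    on_hub = path == HUB_PREFIX or path.startswith(HUB_PREFIX + "/")
    if method not in HUB_METHODS or not on_hub or ".." in path:
        return HttpMessage(404, {"content-type": "text/plain"}, b"Not Found")
    # Rule 2: terminate and re-issue. A fresh request carries only allow-listed headers,
    # so client-supplied hop-by-hop or spoofed headers never reach the internal network.
    clean = {k.lower(): v for k, v in headers.items() if k.lower() in REQUEST_HEADERS_KEPT}
    try:
        upstream_reply = upstream(method, path, clean, body)
    except Exception:
        # Rule 3: an unreachable server yields a generic answer, with no host name or trace.
        return HttpMessage(503, {"content-type": "text/plain"}, b"Service Unavailable")
    if upstream_reply.status >= 400:
        # Rule 3: errors keep the status the agent acts on but lose body and headers.
        return HttpMessage(upstream_reply.status, {"content-type": "text/plain"}, b"")
    kept = {k.lower(): v for k, v in upstream_reply.headers.items() if k.lower() in RESPONSE_HEADERS_KEPT}
    return HttpMessage(upstream_reply.status, kept, upstream_reply.body)


def fake_loupe_server(method: str, path: str, headers: dict, body: bytes) -> HttpMessage:
    """Constructed stand-in for the internal server; host names and messages are invented."""
    if path.endswith("/offline"):
        raise ConnectionError("connect to srv-loupe01.corp.example:443 refused")
    if path.endswith("/crash"):
        return HttpMessage(500, {"server": "Microsoft-IIS/10.0", "x-powered-by": "ASP.NET"},
                           b"NullReferenceException in Repository 'Prod' on srv-loupe01 (10.0.12.7)")
    return HttpMessage(200, {"content-type": "application/json", "server": "Microsoft-IIS/10.0"},
                       b'{"accepted":true}')
```

Calling proxy("GET", "/loupe/hub/crash", {}, b"", fake_loupe_server) returns a bare 500 with an empty body and no server headers, which is the redaction behaviour described above.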
For more examples and details on how to validate the installation, see the Read Me on GitHub.
Complete with Diagnostic Logging and Metrics
As you’d expect from something we’d write, the Loupe Proxy provides solid diagnostic logging of what it is doing and records metrics about its performance to help with troubleshooting and monitoring for suspicious activity. You can verify the proxy is correctly set up by looking for the Proxy Started log message, which looks like this:
If the Loupe Agent configuration for the host web application is insufficient, you’ll see a different log message telling you that the proxy can’t work and guiding you to what you need to fix.
If You Need It, It’s Ready!
We know most users will never need the Loupe Proxy, but if you do we’ve got your back - just add it from NuGet, follow the setup instructions and you’re there! Like our other Open Source agents, it’s free to use and modify but also backed by our exceptional support team. If your security team has any questions or suggestions, they can contact us or review the source code themselves!