Reverse Proxy Server Configuration

A reverse proxy is essentially a web server that sits in front of CAS. Users/apps connect to the reverse proxy, and it passes their requests to the correct internal server, then returns the response, so the user/app never talks directly to CAS. People use reverse proxies to get one public “front door,” handle HTTPS certificates in one place, and route different URLs to different endpoints.

Security-wise, a reverse proxy can make you safer because it hides CAS from the public internet and lets you enforce rules in one place (HTTPS settings, basic access checks, rate limiting). But it also becomes a critical point: if it’s misconfigured or compromised, attackers may gain a path to everything behind it. The most common mistakes are accidentally exposing an internal/admin page through the proxy, or letting the backend trust “forwarded” headers from anyone. The best practice is to allow only what you must, and to lock down CAS so that only the proxy can reach it.
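
The two mistakes named above, shown beside a corrected configuration. This NGINX fragment is an added example, not General Bytes' own configuration; the hostname, certificate paths, `/api/` prefix and backend address are placeholders and do not reflect actual CAS endpoints or ports.

```nginx
# Added example. proxy.example.com, the certificate paths, the /api/ prefix
# and 127.0.0.1:8080 are placeholders, not real CAS values.

# Per-client request budget, enforced once at the proxy.
limit_req_zone $binary_remote_addr zone=front_door:10m rate=10r/s;

server {
    listen 443 ssl;
    server_name proxy.example.com;

    # HTTPS settings are handled in one place.
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Weak pattern (left commented out): forwards every URL, so internal or
    # admin pages become public, and appends the proxy's view of the client
    # to whatever X-Forwarded-For value the client chose to send.
    #   location / {
    #       proxy_pass http://127.0.0.1:8080;
    #       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #   }

    # Corrected: forward only the prefix that must be public.
    location /api/ {
        limit_req zone=front_door burst=20 nodelay;

        proxy_pass http://127.0.0.1:8080;

        # Overwrite the forwarding headers with values the proxy observed
        # itself, so a client-supplied header never reaches the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything not explicitly allowed above is refused.
    location / {
        return 404;
    }
}
```

The proxy configuration alone does not stop direct connections to the backend; that part is enforced on the backend host, for example with a firewall rule or by binding the service to the loopback interface when the proxy runs on the same machine.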

This article describes our recommended approach to these servers. This guidance is not intended to replace an experienced IT professional with networking experience. It’s just a place to start.


https://generalbytes.atlassian.net/wiki/x/AQBlrw

  • NGINX is free and quickly installed on your CAS host.

  • NGINX is widely used as a reverse proxy service.

  • Use Cloudflare or Let’s Encrypt to encrypt the web traffic (HTTPS).

https://generalbytes.atlassian.net/wiki/x/AwB7rw

  • You must have a Cloudflare account (free) and their DNS services (paid) to use this option.

  • No certificates required.

  • Offers simple, long-term endpoint protection with trivial configuration.


Specific Instructions

Copyright © 2020-2026 General Bytes USA LLC