- Document purpose: This guide provides details for implementing a reverse proxy to secure device communications to the Appspace platform with TLS 1.2+.
- Business problem: Many customers are still using devices that support the 20+-year-old TLS 1.0/1.1 security protocols that have become vulnerable and insecure.
- Solution: Customers who would like to continue using impacted devices with the TLS 1.1/1.0 protocols have the option of using a reverse proxy server to secure the device communication to the Appspace platform.
- Conclusion: Appspace recommends that customers host their own proxy server for the highest level of security. Alternatively, Appspace can also host the proxy in a cloud environment for a fee, however, this is less secure as it still transmits insecure data over the internet.
Introduction
Appspace has historically allowed and supported legacy devices connected to our platform that communicate over the older Transport Layer Security (TLS) 1.0 protocol. However, the TLS 1.0/1.1 protocols have become more vulnerable as computing power and attacker capabilities have improved.
During Q2 2022, Appspace will begin phasing out support for the TLS 1.0/1.1 security protocols. After Q3 2022, Appspace will no longer support any connection to the platform, including device connections, that uses the TLS 1.0/1.1 security protocols.
If your organization requires continued usage of impacted devices, you have the option to use a reverse proxy server to secure the device communication to the Appspace platform. The reverse proxy server can be hosted by Appspace or by your organization within your infrastructure. A reverse proxy server is a type of HTTP server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend HTTP server.
A reverse proxy server acts as a gateway for the TLS connection: it terminates the device's TLS 1.0/1.1 session on the internal network and opens a new TLS 1.2 connection to the Appspace platform, so only TLS 1.2 traffic crosses the internet.
Using a reverse proxy for TLS is very similar to Appspace’s recommended approach to on-prem content caching. For additional information regarding the reference implementation of a content caching proxy node, please refer to this article: Implementing a Content Caching Strategy
Implementation Options
Appspace is providing customers with the following two options for implementing a proxy:
- Customers host the proxy in their data center. This is a commonly used solution by many companies and is available at a reasonable cost. Appspace will provide guidance for the configuration of the proxy. The customer needs to provide the server and configure and manage the server accordingly.
- Appspace hosts the proxy in a cloud environment. For a fee, Appspace will be responsible for providing the server and configuring it accordingly.
Proxy Option        | Benefits
Hosted by customer  |
Hosted by Appspace  |
Proxy Server Hosted On-Prem – Customer
Customers can provide a proxy server on their network that accepts WAN TLS 1.0/1.1 traffic and converts it to TLS 1.2 traffic that can be sent to Appspace Cloud.
Proxy Server Hosted – Appspace
Appspace can provide a proxy outside of the Appspace Cloud that will accept WAN TLS 1.0/1.1 traffic and convert it to TLS 1.2 traffic that can be sent to Appspace Cloud.
Requirements & Specifications – Reverse Proxy for TLS Translation
Software Requirements
For simplicity and reliability, Appspace recommends our customers implement and manage a proxy server on their network, based on Apache on Linux.
Apache is a powerful and popular open-source web server software that can be deployed on Linux or Windows. The solution discussed here assumes Linux-based deployments, however, it should work equally well on Windows, if that is preferred.
System Requirements
The reverse proxy should meet the following requirements:
- Be accessible over the local network by hostname.
- [recommended] Support the HTTPS protocol.
- [required for legacy devices] Support TLS 1.0 connections.
- [required for HTTPS] Provide an SSL certificate trusted by endpoint devices.
- Support whitespace (%20) characters in URLs.
- Relay content requests to the external Appspace server hostname.
- Provide access to hostnames in the following domains and their subdomains:
- *.appspace.com
- *.appspaceusercontent.com
- *.appspacestatic.com
- [Optional] Cache responses in local storage.
- Perform cache cleanup to maintain free storage space.
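As an added example (not Appspace's own configuration, and not taken from the original article), the Apache httpd virtual host below implements the requirements listed above on one server: it accepts TLS 1.0/1.1 from legacy devices on the internal network, presents a certificate issued for the proxy's own hostname, keeps percent-encoded characters such as %20 intact, relays requests to the external Appspace hostname over TLS 1.2 only with upstream certificate verification, and optionally caches responses on local disk. The proxy hostname, certificate paths, the upstream tenant hostname, the cache path and the size limit are all assumed placeholders to be replaced with your own values.

```apache
# Added example: Apache httpd reverse proxy for TLS translation.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_cache and mod_cache_disk enabled.
# Port 443 is assumed to be listened on already (e.g. via ports.conf).

<VirtualHost *:443>
    # Local hostname the devices are re-pointed to (assumed value)
    ServerName tls-proxy.example.internal

    SSLEngine on
    # Certificate for the proxy's OWN hostname, trusted by the devices (assumed paths)
    SSLCertificateFile    /etc/ssl/certs/tls-proxy.example.internal.crt
    SSLCertificateKeyFile /etc/ssl/private/tls-proxy.example.internal.key

    # Device-facing side: TLS 1.0/1.1 are enabled deliberately for the legacy
    # devices. This listener must only be reachable from the internal network.
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # Upstream side towards Appspace: TLS 1.2 only, and the Appspace
    # certificate is verified so the relay cannot be redirected elsewhere.
    SSLProxyEngine on
    SSLProxyProtocol -all +TLSv1.2
    SSLProxyVerify require
    SSLProxyVerifyDepth 5
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Relay to the external Appspace hostname. "nocanon" forwards the request
    # path as received, so %20 and other encoded characters are not rewritten.
    # ProxyPreserveHost Off sends the Appspace hostname as the Host header.
    ProxyPreserveHost Off
    AllowEncodedSlashes NoDecode
    ProxyPass        "/" "https://your-tenant.appspace.com/" nocanon
    ProxyPassReverse "/" "https://your-tenant.appspace.com/"

    # Optional: cache responses in local storage (assumed path)
    CacheEnable disk "/"
    CacheRoot "/var/cache/apache2/appspace"
    CacheDirLevels 2
    CacheDirLength 1
    CacheDefaultExpire 3600

    ErrorLog  ${APACHE_LOG_DIR}/tls-proxy-error.log
    CustomLog ${APACHE_LOG_DIR}/tls-proxy-access.log combined
</VirtualHost>

# Cache cleanup to keep free storage: run htcacheclean as a daemon, e.g.
#   htcacheclean -d 30 -n -t -p /var/cache/apache2/appspace -l 200G
# (30-minute interval, low priority, remove empty directories, 200 GB limit;
# the limit is an assumed value sized below the host's storage).
```

Two practical caveats apply. First, recent Linux distributions ship OpenSSL with a system-wide minimum of TLS 1.2 (MinProtocol in openssl.cnf and a security level that rejects older protocols); the device-facing listener will refuse TLS 1.0 handshakes until that system-wide setting is relaxed for this host, which is another reason to keep the proxy on an isolated internal network. Second, after starting Apache, confirm both halves of the translation separately: a TLS 1.0 handshake to the proxy hostname should succeed from the device network, while the proxy's own outbound connections (visible in the access and error logs) should only ever negotiate TLS 1.2 with the Appspace hostname.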
Host Server Specifications
Listed below are the minimal and recommended specifications for a reverse proxy server.
Minimal specifications (approximate 50 devices):
- 2 virtual CPU cores
- 513 GB RAM
- 32 GB storage
Recommended specifications (approximate 250 devices):
- 4 virtual CPU cores
- 4 GB RAM
- 250 GB storage
SSL Considerations
Reverse caching proxies integrate into existing networks and rely on SSL/TLS in both directions: they terminate the devices' SSL/TLS connections, so they can read and cache the request and response data, and then open their own SSL/TLS connections to the upstream server. Because the proxy operates under its own hostname, it needs a separate certificate issued for that hostname and trusted by the endpoint devices.
Appspace Device Configuration
Appspace cloud devices are originally registered to appspace.com domain hostnames, which only accept TLS 1.2 connections.
Please consult Appspace Support after the proxy implementation is complete, for assistance in getting devices rebased to reroute the device traffic to a TLS reverse proxy server.