Reverse Proxy Service Object (Ingress)

Ingress service objects are used in Ingress/Reverse Proxy rules. The object defines a listener port on which the Multicloud Defense Gateway listens for traffic, which it then forwards to the target/backend address. The listener port can be configured with a decryption profile that has a TLS certificate configured. When traffic hits the listener port, the Multicloud Defense Gateway returns the configured TLS certificate. Consider the following configurable options:

  • An SNI can be configured on this port. This enables a single listener port (e.g., 443) to be proxied to multiple backend targets based on the SNI.

  • L7 DoS (L7 Denial of Service) can be configured on the service to set rate limits for a URI and/or HTTP method.

  • Target defines the backend address object and port to forward the traffic. The proxied traffic can be forwarded as HTTP, HTTPS, TCP or TLS.

Use the following procedure to create and add a reverse proxy service object:

Procedure


Step 1

Navigate to Policies > Security Policies > Services.

Step 2

Click Create.

Step 3

Click Reverse Proxy.

Step 4

Provide a Name and Description.

Step 5

Configure proxy parameters as defined below:

Option: Description

Decryption Profile: Assign a decryption profile, which also includes the server certificate, to be used for the proxy service.

Dst Port: Assign a destination port. For most web-based services, the destination port will be 443. This is the port Multicloud Defense Gateway listens on for the incoming traffic.

Protocol: TCP is the default.

SNI: Enter the list of SNIs.

L7 DoS: Enter the Layer 7 DoS profile to assign to this proxy service.

Target Backend Port: Enter the Target/Backend application port number.

Protocol: Select the backend protocol.

Address: Select a backend IP address. The IP address in most cases will be the frontend IP of an internal load balancer.

Note

If the proxy service is required to run on multiple ports, you can add more entries. However, all the ports serve the same certificate and are proxied to the same backend destination address object.