Forum: NGINX Reverse Proxy Data Diode

Hello all,

The below article

https://www.synergistscada.com/building-your-own-d...

uses a fiber optic data diode along with Nginx as a reverse proxy.

The author states:

"TCP/IP client-server reverse proxies on either end of the data diode
can be setup to respond to
the hand shaking requests automatically without the need to actually
send any data back to
the insecure network. The client-server proxies solution should work
in most cases however,
through testing should be completed in a lab environment before
deploying a data diode
solution into an ICS."

And

"Step 5  Configure your Reverse Proxy

Depending on the data you want to replicate you can either configure
an open source reverse
proxy like nginx (engine x) and use your databases web services to
replicate the data.

Step 6  Disconnect one of the fiber optic ST connectors

Once you have your two proxy servers configured and communicating to
each other you can
simply disconnect one of the two fiber ST connectors.  You will likely
need to spend time
properly configuring your reverse proxy servers to relay the
information correctly and you will
need to write some scripts in your database to perform the continuous
data replication."

He however does not provide any working configuration.

We would love to implement this and I greatly appreciate any help.

If someone can at least just point me in the right direction I would
be eternally grateful.

Thank you.

I urge caution using this approach to a data diode.
The question you ask is a very important one: where can I find a working
configuration?
Do not get me wrong, it is possible to make such approaches work, I have
seen them in my companies test lab.
The question you have to consider is reliability and trust.
How reliable does the solution need to be?  My experiece has been making
something work in a test lab is relatively easy.  However, making 
something
work in a deployed environment, thus sustainable 24/7/365 is much 
harder.
Intermittent data losses will happen over time?  How does your 
application
manage these?  How do you implement re-synchronisation (can't be 
triggered
automatically, as there is no feedback loop).

Sorry, I am not answering your question directly, rather rasiing issues 
you
need to consider before building something yourself.

These issues are explored further iat the links below.

Link: http://colinrobbins.me/2013/02/07/diy-data-diode-for-1612/
(reliability question)
Link: http://colinrobbins.me/2013/03/12/can-you-trust-yo...
(trust question)

Posted at Nginx Forum: 
http://forum.nginx.org/read.php?2,237446,237451#msg-237451

On 17 March 2013 10:17, Camayoc <nginx-forum@nginx.us> wrote:

> manage these?  How do you implement re-synchronisation (can't be triggered
> automatically, as there is no feedback loop).

Thank you for your response.

I have read both links before and understand the implications.

I just wanted to see this work and simply cannot believe how expensive
commercial

solutions are.

I'd argue the commercial solutions are value for money, given the
complexities.
By I accept I am biased :-)

Posted at Nginx Forum: 
http://forum.nginx.org/read.php?2,237446,237457#msg-237457

From: "Camayoc" <nginx-forum@nginx.us>

> I'd argue the commercial solutions are value for money, given the
> complexities.

Not to mention most organizations that would need such a device like
having someone to hold accountable (usually via lawsuit) when it fails.



Confidentiality Notice:
This electronic message and any attachments may contain confidential or
privileged information, and is intended only for the individual or 
entity
identified above as the addressee. If you are not the addressee (or the
employee or agent responsible to deliver it to the addressee), or if 
this
message has been addressed to you in error, you are hereby notified that
you may not copy, forward, disclose or use any part of this message or 
any
attachments. Please notify the sender immediately by return e-mail or
telephone and delete this message from your system.