Reverse Proxies and Liberator

Your organisation may have security policies that route incoming network traffic (typically from the Internet) to a server located in a DMZ. Such a “reverse proxy” server typically acts as a firewall, hiding the details of the Web servers from the Internet clients. It may also be used as a load balancer to distribute the incoming traffic across the available web servers. Although it is possible to use a reverse proxy in front of a set of Liberator servers, this is not recommended, for the following reasons:

  • Performance. Liberator is designed to stream fast moving data to a large number of concurrent clients. Reverse proxies are designed for more traditional HTTP requests and do not generally scale well for the kind of traffic Liberator has to deal with.
  • Streaming support. When reverse proxies are used as load balancers they can prevent real time streaming of data. A proxy will usually try to employ some 'sticky' logic to make sure that once a client has initiated communication with a particular web server via the reverse proxy, it continues to communicate only with this server. In a general purpose reverse proxy server this logic is rarely perfect, but when the servers behind the proxy are Liberators, it must be so, to ensure that each Caplin Trader client always receives streaming updates from the Liberator to which it is connected.
  • Security. Liberator is penetration tested so putting a reverse proxy between Liberator and the client does not necessarily enhance security.
Tip: If your security policy stipulates that reverse proxy servers must be used, then it is recommended that you configure your Caplin Platform installation in one of the following ways, to overcome the performance and streaming issues described above.

Configure the reverse proxy server so that it recognises each Liberator as having a different IP address / hostname, rather than treating all Liberators as having the same virtual IP address / hostname. This allows the StreamLink library in the client to address each Liberator separately. See the following diagram, where the two Liberators have virtual IP addresses liberator-a.example.com and liberator-b.example.com respectively:

Alternatively, install a reverse proxy server for each Liberator, as shown in the following diagram. Each proxy server has a different IP address, which is the virtual IP address of the single Liberator behind it.