Proxy servers and Liberator

This page provides guidance on hosting Liberator behind a proxy server and connecting to Liberator from behind a proxy server.

Connecting to Liberator from behind an HTTP proxy server

We recommend that clients behind HTTP proxies use HTTPS to connect to Liberator.

Using HTTPS is important not only for security, but also because it changes how traffic passes through the proxy. In HTTP communication, the proxy acts as an intermediary; in HTTPS transactions, the proxy commonly acts as a tunnel.

Tunnels are the optimum way for clients to establish a streaming connection to Liberator via a proxy. When a proxy acts as a tunnel, it is no longer considered a party in the communication between client and server. The proxy blindly passes traffic between the client and Liberator.

Some proxy servers can be configured to act as an intermediary in HTTPS communication, also known as TLS 'bumping'. If clients behind such a proxy cannot connect to Liberator using HTTPS, connectivity may be achieved if the proxy administrator can configure the proxy to serve CONNECT requests to Liberator by HTTPS tunnel.

Hosting Liberator behind a proxy server

Your organisation may have security policies that route incoming network traffic (typically from the Internet) to a server located in a DMZ. Such a "reverse proxy" server typically acts as a firewall, hiding the details of the Web servers from the Internet clients. It may also be used as a load balancer to distribute the incoming traffic across the available web servers. Although it is possible to use a reverse proxy in front of a set of Liberator servers, this is not recommended, for the following reasons:

  • Performance. Liberator is designed to stream fast moving data to a large number of concurrent clients. Reverse proxies are designed for more traditional HTTP requests and do not generally scale well for the kind of traffic Liberator has to deal with.

  • Streaming support. When reverse proxies are used as load balancers they can prevent real time streaming of data. A proxy will usually try to employ some 'sticky' logic to make sure that once a client has initiated communication with a particular web server via the reverse proxy, it continues to communicate only with this server. In a general purpose reverse proxy server this logic is rarely perfect, but when the servers behind the proxy are Liberators, it must be so, to ensure that each Caplin Trader client always receives streaming updates from the Liberator to which it is connected.

  • Security. Liberator is penetration tested so putting a reverse proxy between Liberator and the client does not necessarily enhance security.

If your security policy stipulates that reverse proxy servers must be used, then it is recommended that you configure your Caplin Platform installation in one of the following ways, to overcome the performance and streaming issues described above.

Configure the reverse proxy server so that it recognises each Liberator as having a different IP address / hostname, rather than treating all Liberators as having the same virtual IP address / hostname. This allows the StreamLink library in the client to address each Liberator separately. See the following diagram, where the two Liberators have virtual IP addresses and respectively:

Reverse Proxy Recognizing Separate Liberator

Alternatively, install a reverse proxy server for each Liberator, as shown in the following diagram. Each proxy server has a different IP address, which is the virtual IP address of the single Liberator behind it.

Reverse Proxy for each Liberator