I am trying to solve a problem that appears to be simple, but I can't find a clean architecture.

The problem: I have a client trying to access Grafana in a local network.

   |Router|------|Client
          |         |
          |------|Grafana

When you are behind the router (and thus the firewall), you can easily access Grafana and use it. I would like the same to happen when outside of the local network.

Client|------|Router|-------|Grafana

Easy solution: The basic solution is port forwarding, simply opening port X on the router. I don't want this solution because I can't open ports (for different, unrelated reasons).

Better idea: I am thinking of setting up the following architecture, where a new server is introduced.

Client|------|Server|-------|Router|-------|Grafana

The idea is that the server will maintain a connection with Grafana. This will prevent any port forwarding, as the Grafana server is making the first move. Then, if the client wants to access Grafana, it will access the server, which will redirect it to Grafana.

After the first call, ideally I would like the client to establish a direct connection with Grafana, without going through the server.

Also, Grafana is just an example/tutorial; any other solution with HTTP communication would be fine.

Questions:

  • Is that possible?
  • It seems that there are tools (CDN, reverse proxy), but they don't exactly fit my needs, or maybe I just don't know how to use them?
  • Which tools should I use on servers A and B (WebSocket, socket.io, Nginx, Apache, ...)? Both servers are running Linux.

Thanks!

Romain
1 Answer

This looks a lot like a question for Super User, not Serverfault.

That said: The router in your picture is a computer that decides how traffic from the Internet can communicate with resources in your network and vice versa. Placing another computer in front of your router effectively makes that computer your router: turtles all the way down.

So yes, in an IPv4 setting with a single available publicly routable IP address, port forwarding, either directly (if presenting a single service) or via a reverse proxy (if presenting multiple ones over the same port) is the way to go.

Additionally you can harden your network by placing publicly available resources in a separate logical network (what’s usually called a DMZ), with strict firewall rules for what traffic is allowed from servers in the DMZ to servers in your server networks (for example communication with the database underlying the service).

Mikael H
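As an added illustration of the answer's reverse-proxy option (not part of the original post or answer), the following Nginx configuration presents Grafana and a second internal HTTP service behind the single forwarded port 443, selecting the backend by hostname. The hostnames, LAN addresses and certificate paths are assumptions for the example.

```nginx
# Added example: one forwarded port (443) on the router points at this host,
# which proxies to internal services by server_name. Addresses are assumed.

# Grafana Live uses WebSockets; map the client's Upgrade header so the
# proxied connection is upgraded only when the client asked for it.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name grafana.example.com;            # assumed public hostname

    ssl_certificate     /etc/ssl/certs/example.crt;      # assumed path
    ssl_certificate_key /etc/ssl/private/example.key;    # assumed path

    location / {
        proxy_pass http://192.168.1.10:3000;    # assumed Grafana LAN address
        proxy_http_version 1.1;

        # Preserve client identity and original scheme for Grafana's own logs/auth
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrades through for Grafana Live
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

server {
    listen 443 ssl;
    server_name other.example.com;              # assumed second service

    ssl_certificate     /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;

    location / {
        proxy_pass http://192.168.1.20:8080;    # assumed second LAN service
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Only the proxy host needs to be reachable from the router's forwarded port; the Grafana and second-service hosts stay on the internal network (or, following the answer's DMZ suggestion, the proxy sits in the DMZ with firewall rules allowing it to reach only those two backend ports).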