Setting up a gateway server

  1. Shotgun Support
  2. Shotgun Admin Guide
  3. General security

This article describes how you can allow access to a hosted Shotgun site while meeting the internet restriction policies in place at your studio.

Scope and assumptions

This document is intended for the System and Shotgun Administrator.

It is assumed that the reader has basic knowledge about proxy, networking, and HTTP protocols.

Using a gateway server to access Shotgun in the cloud

A gateway server allows users to have access to their hosted Shotgun site, without having access to the rest of the internet. It forwards filtered requests to Shotgun end-points, but blocks all the other requests. This means that when a user requests *.shotgunstudio.com, the request will go through. But if a user requests an unauthorized site, the request will not go through.

SGCS_-_Shotgun_Ecosystem___Gateway.png

Why use a gateway server?

We recommend you use a gateway server instead of setting up a proxy server for Shotgun.

With a gateway server:

  • You don’t have to deal with whitelisting complex IP ranges that can change over time,
  • You can still benefit from all the Web Acceleration features included in each Shotgun Hosted Site,
  • You will see better performance with Amazon S3 compared to the S3 proxy solution, and
  • You will see better performance with all playback and all uploads, compared to the S3 proxy solution.

Getting started

There are two steps to put in place a gateway server.

  1. Put in place a split horizon Domain Name System (DNS). For more information about split horizon DNS, see http://jensd.be/160/linux/split-horizon-dns-masterslave-with-bind.
  2. Set up the gateway server using HAProxy.

Split horizon DNS

Split horizon DNS allows for giving a different answer to a query (in this case, URL resolving) depending on the source of the query. Your split horizon DNS would, for people in your studio, resolve your Shotgun URL to an internal IP address (the gateway server) instead of resolving to Shotgun Public IPs.

The gateway server will forward all requests to the Shotgun IPs. The gateway server can have unrestricted access to make requests out to the internet, but all Artists will see is the internal server, limiting access to Shotgun Internet Resources only.

HAProxy

For implementing the gateway server, we suggest you use HAProxy. HAProxy is a reliable, simple and high performance TCP/HTTP load balancer that would allow you to implement the gateway easily. See http://www.haproxy.org for more details. We recommend using at least version 1.6.  You will find in the Appendix an example of an HAProxy configuration file.

Setting up

In order to correctly configure the gateway server, you will need the following information:

  • <your_site_name>.shotgunstudio.com
  • The name of your particular media bucket, which is based on your regional zone to optimize performance. An example is sg-media-usor-01.s3-accelerate.amazonaws.com. Sg-media-usor-01 may be different depending on your location. If you don’t know this information, please contact Shotgun Support.
  • Two internal IP addresses are assigned to the gateway server: one to listen on <your_site_name>.shotgunstudio.com and one to listen on the S3 url. A third IP may be required if you are using Toolkit.

IP access restriction by your Shotgun site

If you set up a gateway server, you probably want your Shotgun site to only accept requests coming from your studio IPs. See "IP Whitelisting" on Shotgun Help Center for more details.

FAQ

Will the gateway server complexify an Artist’s setup?

No, the gateway server will not change an Artist’s internet access. If Artists are currently allowed to browse certain sites in a restricted way, they will still be able to do so. From an Artist’s perspective, the change will be imperceptible.

All URLs will continue to work as before. The same is true for emails, and URLs in Shotgun-generated emails.

Will the gateway server affect the speed of my site?

No, you will see the same speeds as direct access. You may even see faster speeds due to connection caching by the gateway.

Can I monitor what is forwarded?

Yes, you can log all traffic routed through the forwarding agent. It is possible to monitor the activity from an external angle, and track which IPs are using Shotgun, how many requests are made, etc. However, because the traffic is encrypted over HTTPS, the content of the requests will be encrypted.

Will my other tools work with the gateway server?

Yes, all other tools will continue to work. This includes Toolkit, the Shotgun API, RV, etc.

Why does tank.shotgunstudio.com also need to be forwarded?

Tank.shotgunstudio.com is the Toolkit App Store. Toolkit can operate without it, but calls to that site must also be forwarded for Toolkit updates to succeed.

Appendix

Below is a configuration example for haproxy 1.6

global
 maxconn 4096
 pidfile /tmp/haproxy-queue.pid
  
defaults
 log global
 timeout connect 300000
 timeout client 300000
 timeout server 300000

# handle external ip changes
resolvers external_dns
 nameserver dns1 <external_dns_ip>:53
 resolve_retries 3
 timeout retry 1s
 hold valid 10s
 
# in case someone enters SG address without https
listen http_redirect <internal_ip_address_1>:80
 mode http
 redirect scheme https code 301 if !{ ssl_fc }
 
listen shotgun_proxy <internal_ip_address_1>:443
 mode tcp
 server app1 <your_site_name>.shotgunstudio.com:443
 
listen shotgun_s3_proxy <internal_ip_address_2>:443
 mode tcp
 server app1 sg-media-usor-01.s3-accelerate.amazonaws.com:443

listen shotgun_tank_proxy <internal_ip_address_3>:443
 mode tcp
 server appl tank.shotgunstudio.com:443

 

Article Last Updated:
Follow

0 Comments

Please sign in to leave a comment.