A proxy server is a server that acts as an intermediary between clients and an end-server. Proxy servers can be used as an isolation layer between Shotgun users and the Shotgun service, allowing users to reach Shotgun while restricting access to the rest of the Internet.
Though it's possible to use a proxy server with your Shotgun site, we highly recommend the gateway server approach.
This documentation is provided as a guide to our clients, in order to help them set up a proxy server. While we can provide some help, proxy servers are the responsibility of clients and will not be implemented by Shotgun.
Additionally, we’ve linked to external sources in this documentation, so please use your own best judgement when referencing.
Proxy. A server that acts as an intermediary between a client and an end-server. More details about proxies can be found on Wikipedia (see https://en.wikipedia.org/wiki/Proxy_server). There are different kinds of proxies, depending on your needs.
Forward Proxy. A proxy that provides proxy services to a common group of clients. The proxy configuration allows requests to be allowed or denied, which lets you enforce a security policy for the group of clients it serves.
Content-filtering Proxy. A proxy that exerts some control over the content passing through it, using various methods, the most common being URL and IP filtering.
IT. Information Technology.
Shotgun Web App. Refers to the Shotgun Web Application, available through your Internet browser.
Why would I use a proxy?
The main reason is security. Your studio may have strict security requirements that prevent users from having direct access to the Internet. In most cases, isolating Shotgun access behind a proxy will satisfy your security team.
What are the implications?
Behind a proxy, the Shotgun Web App, SG Toolkit, RV, and SG Desktop should work normally. However, Shotgun is a cloud platform that uses a wide range of IP addresses, some of which change over time, so any whitelisting approach represents a challenge.
What kind of proxy should I use?
That will depend on your studio’s infrastructure. There are many types of proxies, and the actual implementation can vary greatly. Depending on the size of your studio, you may already be using such a technology for other purposes. It is a good idea to consult your IT Department, as they may already have part of the solution in place. Many professional products/technologies are available and may already be in use at your studio.
If you are looking to implement your own solution, you could set up a Web proxy server (see https://en.wikipedia.org/wiki/Proxy_server#Web_proxy_servers). To limit Internet access to Shotgun, you probably want a content-filtering proxy (see https://en.wikipedia.org/wiki/Proxy_server#Content-control_software), which lets Shotgun traffic through but blocks the rest. You will also probably want that proxy to be a forward proxy (see http://www.jscape.com/blog/bid/87783/Forward-Proxy-vs-Reverse-Proxy).
Here are some links to get you started.
|Web Proxy||Description||Proxy Examples|
|Apache Httpd (https://httpd.apache.org/)||Probably the best-known web server.||Forward Proxy Example (https://docs.trafficserver.apache.org/en/4.2.x/admin/forward-proxy.en.html). Note that this example documents Apache Traffic Server, a separate Apache proxy project, not httpd itself.|
|Nginx (http://nginx.org/en/)||Widely used web server. Losing some traction now that most development effort goes into Nginx Plus, a paid version.||Forward Proxy Example (https://ef.gy/using-nginx-as-a-proxy-server)(http://plonexp.leocorn.com/leocornus/leocornus.buildout.cfgrepo/xps33)|
|Squid (http://www.squid-cache.org/)||Popular caching proxy, often used to implement web access restrictions; available on most operating systems. A user interface is available on Mac.||HTTP Proxy Example (https://www.linode.com/docs/networking/squid/squid-http-proxy-centos-6-4), Web Filtering Example (https://www.howtoforge.com/web-filtering-on-squid-proxy)|
Alternatives to Proxy
Like we mentioned before, our recommended approach is to use a gateway server.
Access restriction can also be implemented at the router or firewall level. These options may be more appealing to you, depending on your expertise. The following articles explain the alternatives well:
Understand your setup
Before going forward, you will need to figure out whether Web Acceleration is enabled for your site. The rule of thumb is that if you are not in the United States, Web Acceleration is enabled.
You have 2 choices concerning the Web Acceleration service:
- Whitelist all the IP address ranges used by that acceleration service. Contact Shotgun Support to obtain the IP ranges.
- Disable the acceleration service.
Whitelisting is a challenge with the Web Acceleration service: it uses a wide range of IPs that can change over time. We nevertheless recommend keeping the Web Acceleration service enabled, as performance and reliability are greatly improved for clients outside the United States.
Shotgun uses AWS S3 to store your content. As with the Web Acceleration service, you have 2 options regarding AWS S3:
- Whitelist AWS IPs. See http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html for details.
- Use the Shotgun S3 Proxy. This option is available only for clients storing media in the Oregon region.
S3 has a variable IP scheme, meaning that its IP addresses change over time. This makes it hard to whitelist. To overcome that, we offer an S3 Proxy. Even though it is harder to implement, whitelisting AWS IPs is the approach we recommend.
Proxy Server and Firewall Configuration
Because the proxy implementation may vary, we won’t get into the specifics. However, a proxy configured to allow traffic to Shotgun should:
- Allow HTTP and HTTPS traffic to your Shotgun site on the default ports (80, 443) for the following hosts and IP ranges:
- mystudio.shotgunstudio.com (where mystudio is your Shotgun site name)
- tank.shotgunstudio.com (for Toolkit updates)
- 18.104.22.168 (First Shotgun public IP)
- 22.214.171.124 (Second Shotgun public IP)
- Web Acceleration service IP ranges
- AWS IP ranges
- Allow traffic to be forwarded with or without authentication; both should be supported.
Similarly, if your infrastructure is protected by a firewall, you will want to allow traffic for the same hosts and IP ranges.
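The rule set above is easy to get subtly wrong on a real proxy (a suffix match that also accepts lookalike hosts, a port that is left open). The following is an added example, not code from the Shotgun documentation: a small policy checker that encodes the rules listed above so they can be unit-tested before being pushed to a proxy or firewall. "mystudio" is the placeholder site name from the page; the 192.0.2.0/24 and 198.51.100.0/24 ranges are constructed stand-ins for the Web Acceleration and AWS ranges you would obtain from Shotgun Support and from AWS, and the sample requests are constructed.

```python
"""Policy checker mirroring the proxy/firewall rules for Shotgun access.

Added example (not part of the Shotgun documentation). Hostnames and the two
public IPs are taken from the page; the /24 ranges and sample traffic are
constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Hostnames that must be reachable on 80/443. Replace "mystudio" with your
# own Shotgun site name.
ALLOWED_HOSTS = {
    "mystudio.shotgunstudio.com",
    "tank.shotgunstudio.com",
}

# Optional whole zones. Matched on a label boundary so that a naive
# endswith("shotgunstudio.com") test cannot be fooled by a lookalike host
# such as "evil-shotgunstudio.com". Empty by default: the page lists hosts.
ALLOWED_ZONES = set()  # e.g. {"shotgunstudio.com"} if your policy permits it

# Two Shotgun public IPs quoted on the page, plus constructed placeholders for
# the Web Acceleration range and an AWS S3 range (assumption: not real ranges).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("18.104.22.168/32"),
    ipaddress.ip_network("22.214.171.124/32"),
    ipaddress.ip_network("192.0.2.0/24"),     # placeholder: Web Acceleration
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder: AWS S3
]

ALLOWED_PORTS = {80, 443}


@dataclass(frozen=True)
class Request:
    host: str  # hostname or literal IP from the CONNECT target / absolute URL
    port: int


def _as_ip(host):
    """Return an ip_address object if host is a literal IP, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def _host_allowed(host: str) -> bool:
    if host in ALLOWED_HOSTS:
        return True
    return any(host == z or host.endswith("." + z) for z in ALLOWED_ZONES)


def is_allowed(req: Request) -> bool:
    """True if the proxy/firewall should forward this request."""
    if req.port not in ALLOWED_PORTS:
        return False
    host = req.host.rstrip(".").lower()  # normalise trailing dot and case
    addr = _as_ip(host)
    if addr is not None:
        return any(addr in net for net in ALLOWED_NETWORKS)
    return _host_allowed(host)


def evaluate(requests):
    """Map each request to "ALLOW" or "DENY" (handy for reviewing a rule set)."""
    return {r: ("ALLOW" if is_allowed(r) else "DENY") for r in requests}


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [
        Request("mystudio.shotgunstudio.com", 443),
        Request("tank.shotgunstudio.com", 80),
        Request("mystudio.shotgunstudio.com", 8080),  # wrong port
        Request("evil-shotgunstudio.com", 443),       # lookalike host
        Request("18.104.22.168", 443),
        Request("198.51.100.42", 443),                # inside placeholder range
        Request("203.0.113.7", 443),                  # not allowlisted
    ]
    for req, decision in evaluate(sample).items():
        print(f"{decision:5} {req.host}:{req.port}")
```

Feed the checker the same list of hosts and ranges you load into the proxy, and keep the lookalike-host and wrong-port cases in your tests; they are the two mistakes most often found in hand-written allowlists.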
Disabling Web Acceleration and activating the S3 Proxy must be done by Shotgun. To do so, open a ticket with Shotgun Support.
The S3 Proxy is located at the same address as the Shotgun service, so no additional configuration is needed at the proxy or firewall level. Using the S3 Proxy has some implications; see Is there any impact of using the S3 Proxy? below.
Client Workstations Configurations
Each user workstation will have to be configured to use the proxy. In large organizations, this is usually handled when the user's system is set up. There are two main ways to achieve this: at the OS level, or per application.
Some operating systems support proxy configuration at the OS level. When configured this way, most applications will use that proxy by default.
|Platform / Application||Instructions||Notes|
|Mac OS X||https://support.apple.com/kb/PH18553?locale=en_US||Configure both Web and Secure Web Proxies|
|Chrome||https://support.google.com/chrome/answer/106010?hl=en||Must be changed at the OS level for Mac OS X|
|Firefox||http://www.wikihow.com/Enter-Proxy-Settings-in-Firefox||Configure both HTTP and SSL Proxies|
|Safari||https://support.apple.com/kb/PH19223?locale=en_US||Must be changed at the OS level for Mac OS X|
Configuring Toolkit and SG Desktop
SG Toolkit and SG Desktop can be configured to work behind a proxy. See the following Zendesk forum post for more information about how to set it up:
RV can also be configured to work with a proxy. You can set this up via environment variables, described under Proxy Configuration here:
This should allow every Shotgun integration to work, including launching Versions in RV from Shotgun, Screening Room for RV, and Shotgun-aware RVLINKS.
Is there any impact of using the S3 Proxy?
There are some performance impacts. S3 traffic, instead of coming directly from S3, is routed through the Shotgun servers. This means higher latency and lower bandwidth.
Nothing simple. You could try to configure your firewall/proxy dynamically to allow the current S3 IP address ranges, but that may be a big challenge (see http://serverfault.com/questions/551275/how-can-i-whitelist-oubound-from-private-subnet-traffic-to-s3-on-the-nat-instanc).
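If you do go the dynamic route, the raw material is the ip-ranges.json document AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.html (linked above), which lists every prefix with its service and region and carries a syncToken that changes whenever the list does. The following is an added example, not code from the Shotgun documentation or from AWS: it extracts the S3 prefixes for one region (Oregon is us-west-2), collapses overlapping networks, detects list changes via the syncToken, and renders firewall rules. The embedded JSON is a constructed sample in the real file's layout using documentation ranges, so the script runs offline; fetching the live file is left to the caller.

```python
"""Build an S3 allowlist for one region from AWS's ip-ranges.json.

Added example (not from the Shotgun documentation). SAMPLE_IP_RANGES is a
constructed stand-in for the published file: same keys, documentation
prefixes, a handful of entries instead of thousands.
"""
import ipaddress
import json

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-22-13-20",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-west-2",
         "service": "S3", "network_border_group": "us-west-2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2",
         "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "S3", "network_border_group": "us-east-1"},
        # Overlaps the first entry; collapse_addresses() folds it away.
        {"ip_prefix": "192.0.2.0/25", "region": "us-west-2",
         "service": "S3", "network_border_group": "us-west-2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-west-2",
         "service": "S3", "network_border_group": "us-west-2"},
    ],
})


def s3_prefixes(ip_ranges_json: str, region: str):
    """Return the collapsed S3 prefixes (IPv4 then IPv6) for one region."""
    doc = json.loads(ip_ranges_json)
    v4 = [ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
          if p["service"] == "S3" and p["region"] == region]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"]) for p in doc["ipv6_prefixes"]
          if p["service"] == "S3" and p["region"] == region]
    # collapse_addresses merges overlapping and adjacent networks of one
    # address family, keeping the rule set as small as possible.
    return (sorted(str(n) for n in ipaddress.collapse_addresses(v4))
            + sorted(str(n) for n in ipaddress.collapse_addresses(v6)))


def sync_token(ip_ranges_json: str) -> str:
    """The publisher's change counter; persist it between runs."""
    return json.loads(ip_ranges_json)["syncToken"]


def allowlist_changed(previous_token: str, ip_ranges_json: str) -> bool:
    """True when the stored token differs from the freshly fetched one."""
    return sync_token(ip_ranges_json) != previous_token


def iptables_rules(prefixes, ports=(80, 443)):
    """Render OUTPUT-chain ACCEPT rules (iptables/ip6tables syntax)."""
    rules = []
    for prefix in prefixes:
        cmd = "ip6tables" if ":" in prefix else "iptables"
        for port in ports:
            rules.append(
                f"{cmd} -A OUTPUT -p tcp -d {prefix} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Assumption: the previous run stored this token; anything else means the
    # list moved and the rules must be regenerated.
    stored_token = "1699000000"
    if allowlist_changed(stored_token, SAMPLE_IP_RANGES):
        for rule in iptables_rules(s3_prefixes(SAMPLE_IP_RANGES, "us-west-2")):
            print(rule)
        print(f"# new syncToken: {sync_token(SAMPLE_IP_RANGES)}")
```

Two caveats for production use: regenerate and reload the rules atomically (build the full new set, then swap it in) so that a partial update does not cut off S3 mid-transfer, and filter on the AMAZON service too only if you have confirmed that your media URLs resolve into those prefixes, since the AMAZON entries cover far more than S3.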