Setting up a proxy server for Shotgun

Introduction

A proxy server is a server that acts as an intermediary between clients and an end-server. Proxy servers can be used as an isolation layer between Shotgun users and Shotgun Service, allowing users to access Shotgun while restricting access to the rest of the Internet.

Recommendation

Though it's possible to use a proxy server with your Shotgun site, we highly recommend the gateway server approach.

Disclaimer

This documentation is provided as a guide to our clients, in order to help them set up a proxy server. While we can provide some help, proxy servers are the responsibility of clients and will not be implemented by Shotgun.

Additionally, we’ve linked to external sources in this documentation, so please use your own best judgement when referencing.

Glossary

Proxy. A server that acts as an intermediary between a client and an end-server. More details about proxies can be found on Wikipedia (see https://en.wikipedia.org/wiki/Proxy_server). There are different kinds of proxies, depending on your needs.

Forward Proxy. A proxy that provides proxy services to a common group of clients. The proxy configuration allows requests to be allowed or denied, which lets you enforce security policy for the group of clients it serves.

Content-filtering Proxy. A proxy that controls which content clients may retrieve, using one of several matching methods; the most common are matching on URLs and on IP addresses.

IT. Information Technology.

Shotgun Web App. Refers to the Shotgun Web Application, available through your Internet browser.

Getting Started

Why would I use a proxy?

The main reason is security. Your studio may have strict security requirements that prevent users from having direct access to the Internet. In most cases, isolating Shotgun access behind a proxy will satisfy your security team.

[Image: SGCS - Shotgun Ecosystem - Proxy]

What are the implications?

Behind a proxy, the Shotgun Web App, SG Toolkit, RV, and SG Desktop should work normally. However, Shotgun is a cloud platform that uses a wide range of IP addresses, some of which are dynamic, so any whitelisting approach represents a challenge.

What kind of proxy should I use?

That will depend on your studio’s infrastructure. There are many types of proxies, and the actual implementation can vary greatly. Depending on the size of your studio, you may already be using such a technology for other purposes. It is a good idea to consult your IT Department, as they may already have part of the solution in place. Many professional products/technologies are available and may be already in use at your studio.

If you are looking at implementing your own solution, you could set up a Web proxy server (see https://en.wikipedia.org/wiki/Proxy_server#Web_proxy_servers). For limiting Internet access to Shotgun, you probably want to use a content filtering proxy (see https://en.wikipedia.org/wiki/Proxy_server#Content-control_software), which allows Shotgun traffic to go through but blocks the rest. You will also probably want that proxy to be a forward proxy (see http://www.jscape.com/blog/bid/87783/Forward-Proxy-vs-Reverse-Proxy).

Here are some links to get you started.

Web Proxy: Apache Httpd (https://httpd.apache.org/)
Description: Probably the best-known web server.
Proxy example: Forward Proxy Example (https://docs.trafficserver.apache.org/en/4.2.x/admin/forward-proxy.en.html). Note that this page documents Apache Traffic Server, a separate Apache proxy project, rather than httpd's mod_proxy.

Web Proxy: Nginx (http://nginx.org/en/)
Description: Most used web server. Losing traction now that most of their effort goes into Nginx Plus, a paid version. Open-source Nginx has no built-in support for the HTTP CONNECT method, so forwarding HTTPS through it requires a third-party module.
Proxy examples: Forward Proxy Example (https://ef.gy/using-nginx-as-a-proxy-server), (http://plonexp.leocorn.com/leocornus/leocornus.buildout.cfgrepo/xps33)

Web Proxy: Squid (http://www.squid-cache.org/)
Description: Popular caching proxy, often used to implement web access restrictions; runs on most operating systems. A graphical user interface is available on Mac.
Proxy examples: HTTP Proxy Example (https://www.linode.com/docs/networking/squid/squid-http-proxy-centos-6-4), Web Filtering Example (https://www.howtoforge.com/web-filtering-on-squid-proxy)

Alternatives to Proxy

As mentioned above, our recommended approach is to use a gateway server.

Access restriction can also be implemented at the router or firewall level. These options may be more appealing to you, depending on your expertise. The following article explains the alternatives well:

http://www.dslreports.com/faq/14018

Configuration

Understand your setup

Before going forward, you will need to find out whether Web Acceleration is enabled for your site. The rule of thumb is that if your studio is not in the United States, Web Acceleration is enabled.

You have 2 choices concerning the Web Acceleration service:

  1. Whitelist all the IP addresses ranges used by that acceleration service. Please contact Shotgun Support to obtain the IP ranges.
  2. Disable the acceleration service.

Whitelisting is a challenge with the Web Acceleration service: it uses a wide range of IPs that can change over time. We nevertheless recommend keeping the Web Acceleration service enabled, as performance and reliability are greatly improved for clients outside America.

Shotgun uses AWS S3 to store your content. As with the Web Acceleration service, you have 2 options regarding AWS S3:

  1. Whitelist AWS IPs. See http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html for details.
  2. Use the Shotgun S3 Proxy. This option is available only for clients storing media in the Oregon region.

S3 has a variable IP scheme, meaning that its IPs change over time, which makes them hard to whitelist. To overcome that, we offer an S3 Proxy. Although it is harder to implement, whitelisting AWS IPs is the approach we recommend.

[Image: SGCS - Shotgun Ecosystem - S3 Proxy]

Proxy Server and Firewall Configuration

Because the proxy implementation may vary, we won’t get into the specifics. However, a proxy configured to allow traffic to Shotgun should:

  • Allow HTTP and HTTPS traffic to your Shotgun site on the default ports (80, 443) for the following hosts and IP addresses:
    • mystudio.shotgunstudio.com (where mystudio is your Shotgun site name)
    • tank.shotgunstudio.com (for Toolkit updates)
    • 74.50.63.109 (First Shotgun public IP)
    • 74.50.63.111 (Second Shotgun public IP)
    • Web Acceleration service IP ranges
    • AWS IP ranges
  • Forward traffic whether or not clients authenticate to the proxy; both modes should be supported.

Similarly, if your infrastructure is protected by a firewall, you will want to allow traffic to the same hosts and IP addresses.
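Here is the allow/deny decision a content-filtering forward proxy makes for the list above, written out as an added Python example; it is not code from this page, from Shotgun, or from any proxy product. It assumes the page's placeholder site name mystudio.shotgunstudio.com, the two RFC 5737 ranges stand in for the Web Acceleration and AWS ranges you obtain from Shotgun Support and AWS, and the sample requests are constructed. It goes slightly beyond the list by including look-alike hostnames that a loose suffix match would wrongly admit.

```python
"""Allow/deny logic of a content-filtering forward proxy for Shotgun traffic.

Added example, not code from the page, from Shotgun or from any proxy
product.  It applies the rules listed above: ports 80/443 only, the studio
site and tank.shotgunstudio.com by exact hostname, and the listed Shotgun IPs
plus the Web Acceleration / AWS ranges by address.  The RFC 5737 ranges and
the sample requests are constructed stand-ins.
"""
import ipaddress
from urllib.parse import urlsplit

SITE = "mystudio.shotgunstudio.com"  # the page's placeholder site name
ALLOWED_HOSTS = {SITE, "tank.shotgunstudio.com"}
ALLOWED_PORTS = {80, 443}
ALLOWED_NETWORKS = [ipaddress.ip_network(cidr) for cidr in (
    "74.50.63.109/32",   # first Shotgun public IP (from the page)
    "74.50.63.111/32",   # second Shotgun public IP (from the page)
    "203.0.113.0/24",    # constructed stand-in for a Web Acceleration range
    "198.51.100.0/24",   # constructed stand-in for an AWS range
)]


def decide(host, port):
    """True if the proxy should forward a request (or CONNECT) to host:port.

    For HTTPS a proxy that does not intercept TLS only sees the CONNECT
    target, so the decision is made on host and port, never on the URL path.
    """
    if port not in ALLOWED_PORTS:
        return False
    host = host.strip("[]").lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: require an exact match.  A loose suffix test such as
        # host.endswith("shotgunstudio.com") would also admit
        # evilshotgunstudio.com, so do not use one.
        return host in ALLOWED_HOSTS
    # An IP literal: it must fall inside one of the allowed ranges.
    return any(addr in net for net in ALLOWED_NETWORKS)


def decide_url(url):
    """Apply decide() to an absolute URL as a client sends it to the proxy."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port  # None when the URL carries no explicit port
    except ValueError:     # non-numeric or out-of-range port
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return decide(parts.hostname, port)


# Constructed requests: the first four must pass, the rest must be refused.
SAMPLE_REQUESTS = [
    "https://mystudio.shotgunstudio.com/page/1",
    "http://tank.shotgunstudio.com/updates",
    "https://MyStudio.ShotgunStudio.com/",                 # case-insensitive
    "https://203.0.113.7/",                                # inside a range
    "https://mystudio.shotgunstudio.com:8443/",            # wrong port
    "https://74.50.63.110/",                               # between listed IPs
    "https://evilshotgunstudio.com/",                      # suffix look-alike
    "https://shotgunstudio.com.evil.example/",             # prefix look-alike
    "https://example.com/?to=mystudio.shotgunstudio.com",  # host only in query
    "ftp://mystudio.shotgunstudio.com/",                   # unsupported scheme
]


def evaluate(urls=SAMPLE_REQUESTS):
    """Return {url: allowed} so the rule set can be reviewed in one pass."""
    return {u: decide_url(u) for u in urls}


if __name__ == "__main__":
    for url, ok in evaluate().items():
        print("ALLOW" if ok else "DENY ", url)
```

In Squid the same policy is expressed with `acl ... dstdomain` for the hostnames, `acl ... dst` for the IPs and ranges (a quoted file name with one CIDR per line is accepted), `acl ... port 80 443`, one `http_access allow` per ACL, and a final `http_access deny all`; the allow lines must come before that final deny. Because the proxy only sees the CONNECT target for HTTPS, filter on host and port rather than on URL paths.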

Shotgun Web App Configuration

Disabling Web Acceleration and activating the S3 Proxy must be done by Shotgun. To do so, open a ticket on Shotgun Support.

The S3 Proxy is served from the same address as your Shotgun site, so no additional configuration is needed at the proxy or firewall level. Using the S3 Proxy has some implications; see "Is there any impact of using the S3 Proxy?" in the FAQ below.

Client Workstations Configurations

Each user workstation will have to be configured to use the proxy. In large organizations, this is usually handled when the user's system is set up. There are two main ways to achieve this.

OS Configuration

Some operating systems support configuration at the OS level. Once the proxy is set there, most applications use it by default.

Operating System: Mac OS X
Documentation: https://support.apple.com/kb/PH18553?locale=en_US
Comments: Configure both Web and Secure Web Proxies

Operating System: Windows
Comments: Not supported

Browser Configuration

Browser: Chrome
Documentation: https://support.google.com/chrome/answer/106010?hl=en
Comments: Must be changed at the OS level on Mac OS X

Browser: Firefox
Documentation: http://www.wikihow.com/Enter-Proxy-Settings-in-Firefox
Comments: Configure both HTTP and SSL Proxies

Browser: Safari
Documentation: https://support.apple.com/kb/PH19223?locale=en_US
Comments: Must be changed at the OS level on Mac OS X

Configuring Toolkit and SG Desktop

SG Toolkit and SG Desktop can be configured to work behind a proxy. See the following support article for more information about how to set it up:

https://support.shotgunsoftware.com/entries/95442748-Initial-Setup-and-Configuration#Advanced%20Installation%20Topics

Configuring RV

RV can also be configured to work with a proxy. You can set this up via environment variables, described under Proxy Configuration here:

http://www.tweaksoftware.com/static/documentation/rv/rv-6.2.7/html/rv_manual.html#Installation_Overview_Shotgun_Licensing_on_All_Platforms

This should allow any Shotgun integration to work, including launching versions in RV from Shotgun, Screening Room for RV, and Shotgun-aware RVLINKS.

FAQ

Is there any impact of using the S3 Proxy?

There are some performance impacts. S3 traffic, instead of coming directly from S3, will be routed through Shotgun servers. This means higher latency, and lower bandwidth.

Any alternatives to using the S3 Proxy?

Nothing simple. You could try to dynamically configure your firewall/proxy to allow the current S3 IP address ranges, but it may be a big challenge (see http://serverfault.com/questions/551275/how-can-i-whitelist-oubound-from-private-subnet-traffic-to-s3-on-the-nat-instanc).
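The dynamic whitelisting this answer describes, as an added Python example (not code from this page or from Shotgun): it reads AWS's published ip-ranges.json, keeps only the S3 prefixes for us-west-2 (the AWS name for the Oregon region mentioned above), rewrites a one-CIDR-per-line allow-list and reports what was added or removed, so it can run on a schedule and alert you when the proxy or firewall rules need updating. The document URL is AWS's real one (it is documented on the aws-ip-ranges page linked above); SAMPLE_IP_RANGES is a constructed document in the same layout using example address ranges, and the allow-list file format is an assumption.

```python
"""Keep an AWS S3 allow-list current from AWS's published ip-ranges.json.

Added example, not from the page or from Shotgun.  The page's "Oregon region"
is AWS's us-west-2.  This filters the S3 prefixes for one region, rewrites a
one-CIDR-per-line allow-list (the form a Squid "dst" file or most firewalls
accept) and reports what changed.  SAMPLE_IP_RANGES is a constructed document
in the real file's layout, using RFC 5737 / RFC 3849 example ranges.
"""
import ipaddress
import json
import urllib.request

AWS_IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
OREGON = "us-west-2"

SAMPLE_IP_RANGES = json.loads("""
{
  "syncToken": "0000000000",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/24",  "region": "us-west-2", "service": "S3",     "network_border_group": "us-west-2"},
    {"ip_prefix": "203.0.113.0/25",   "region": "us-west-2", "service": "S3",     "network_border_group": "us-west-2"},
    {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "S3",     "network_border_group": "us-east-1"},
    {"ip_prefix": "192.0.2.0/24",     "region": "us-west-2", "service": "EC2",    "network_border_group": "us-west-2"},
    {"ip_prefix": "192.0.2.0/24",     "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2"}
  ]
}
""")


def fetch_ip_ranges(url=AWS_IP_RANGES_URL, timeout=30):
    """Download and parse the live document (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def s3_prefixes(doc, region=OREGON):
    """Set of ip_network objects tagged service S3 in the given region."""
    nets = set()
    for entry in doc.get("prefixes", []):
        if entry.get("service") == "S3" and entry.get("region") == region:
            nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    for entry in doc.get("ipv6_prefixes", []):
        if entry.get("service") == "S3" and entry.get("region") == region:
            nets.add(ipaddress.ip_network(entry["ipv6_prefix"]))
    return nets


def _ordered(nets):
    # IPv4 before IPv6; networks of different versions are not comparable.
    return sorted(nets, key=lambda n: (n.version, n))


def parse_cidr_lines(text):
    """Read an existing allow-list: one CIDR per line, '#' comments allowed."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.add(ipaddress.ip_network(line))
    return nets


def refresh_allowlist(previous_text, doc, region=OREGON):
    """Return (new_text, added, removed) for the allow-list file."""
    previous = parse_cidr_lines(previous_text)
    current = s3_prefixes(doc, region)
    new_text = "".join(f"{n}\n" for n in _ordered(current))
    return new_text, _ordered(current - previous), _ordered(previous - current)


if __name__ == "__main__":
    # Offline demonstration on the constructed document; swap in
    # fetch_ip_ranges() and your real allow-list file for a scheduled job.
    old = "198.51.100.0/24\n192.0.2.0/24  # no longer an S3 range\n"
    text, added, removed = refresh_allowlist(old, SAMPLE_IP_RANGES)
    print(text, end="")
    print("added:", [str(n) for n in added], "removed:", [str(n) for n in removed])
```

Run it unattended only after wiring the added/removed output into a change notification: an unreviewed shrink of the list will cut off media playback, and a filter bug could silently open the proxy to every AWS range. AWS also lists these addresses under the AMAZON service as a superset, so filter on S3 specifically, and compare syncToken between runs to skip work when nothing has changed.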
