Setting up a proxy server



Introduction

A proxy server is a server that acts as an intermediary between clients and an end-server. Proxy servers can be used as an isolation layer between Flow Production Tracking users and Flow Production Tracking services, allowing users to access Flow Production Tracking while restricting access to the rest of the Internet.

Recommendation

If your existing firewall isn't capable of applying network restrictions using FQDN endpoints then we recommend setting up a proxy server to achieve this goal.

Disclaimer

This documentation is provided as a guide to our clients, in order to help them set up a proxy server. While we can provide some assistance, proxy servers are the responsibility of the client and cannot be implemented or supported by Autodesk.

Additionally, we’ve linked to external sources in this documentation, so please use your own best judgement when referencing.

Glossary

Proxy. A server that acts as an intermediary between a client and an end-server. More details about proxies can be found on Wikipedia (see https://en.wikipedia.org/wiki/Proxy_server ). There are different kinds of proxies, depending on your needs.

Forward Proxy. A proxy that provides proxy services to a common group of clients. The proxy configuration lets requests be allowed or denied, which makes it possible to enforce security for the group of clients served.

Content-filtering Proxy. A proxy that has some control over the content used, based on different methods, the most popular being FQDNs and URLs.

IT. Information Technology.

Flow Production Tracking Web App. Refers to the Flow Production Tracking Web Application, available through your Internet browser.

Getting Started

Why would I use a proxy?

The main reason is security. Your studio may have strict security requirements, preventing users from having direct access to the Internet. In most cases, isolating Flow Production Tracking access using a proxy will appease your security experts.

What are the implications?

Behind a proxy, Flow Production Tracking Web App, SG Toolkit, RV, and SG Desktop should work normally. However, Flow Production Tracking is a cloud platform that has a wide range of FQDNs, so any allow list approach represents a challenge.

What kind of proxy should I use?

That will depend on your studio’s infrastructure. There are many types of proxies, and the actual implementation can vary greatly. Depending on the size of your studio, you may already be using such a technology for other purposes. It is a good idea to consult your IT Department, as they may already have part of the solution in place. Many professional products and technologies are available and may already be in use at your studio.

If you are looking at implementing your own solution, you could set up a Web proxy server (see https://en.wikipedia.org/wiki/Proxy_server#Web_proxy_servers ). For limiting Internet access to Flow Production Tracking, you probably want to use a content filtering proxy (see https://en.wikipedia.org/wiki/Proxy_server#Content-control_software ), which allows Flow Production Tracking traffic to pass and blocks the rest. You will also probably want that proxy to be a forward proxy (see http://www.jscape.com/blog/bid/87783/Forward-Proxy-vs-Reverse-Proxy).

Alternatives to Proxy

As mentioned previously, our recommended approach is to use your own network firewall appliance to apply network access restrictions, where possible.

Configuration

Understand Your Setup

Before going forward, you will need to be aware of certain aspects of your existing Flow Production Tracking set up, such as:

The example we provide should be modified based on your needs outlined above.

Proxy Server and Firewall Configuration

Because the proxy implementation may vary, we won’t get into the specifics. However, a proxy configured to allow traffic to Flow Production Tracking should allow HTTPS traffic on port tcp/443 to the following services:

Note:

See Flow Production Tracking Ecosystem - FQDNs for a comprehensive list of endpoints

The proxy should be hosted in a network segment allowing it unimpeded access to Flow Production Tracking services.

Example Setup

Installing Squid software

An example configuration using the well-known Squid proxy is provided to get you started. First you must install Squid on a server within your infrastructure. If you already have a preferred Linux distribution, please consult its documentation on how to install and start the Squid service. If you don't have a Linux distro, you can check out Ubuntu and their guide to setting up Squid.

Squid configuration file

The following squid.conf file contains all necessary rules to allow your users to access Flow Production Tracking services. By default it will listen for connections on http://*:3128 (where * is all interfaces on your Squid server) and tunnel HTTPS connections to upstream services. You will need to modify the FQDN of your Flow Production Tracking site, along with the AWS S3 bucket if you are using a non-US region.

# Port to listen on
http_port 3128

# Tunnel HTTPS connections using the CONNECT method
# Only communicate on tcp/443 (HTTPS)
acl connect method CONNECT
acl https port 443
http_access deny !https
http_access deny connect !https

# Allow access to my Flow Production Tracking site
acl sg_site dstdomain mysite.shotgrid.autodesk.com
http_access allow sg_site

# Allow access to necessary Flow Production Tracking and 3rd party services
acl sg_services dstdomain launchdarkly.shotgrid.autodesk.com shotgrid.autodesk.com tank.shotgunstudio.com sg-software.ems.autodesk.com s3-proxy.shotgrid.autodesk.com s3-proxy.shotgunstudio.com sg-sec.s3-accelerate.amazonaws.com sg-data-retention.s3-accelerate.amazonaws.com api.amplitude.com
http_access allow sg_services

# Allow access to Flow Production Tracking S3 bucket
acl sg_s3 dstdomain sg-media-usor-01.s3.amazonaws.com sg-media-usor-01.s3-accelerate.amazonaws.com
http_access allow sg_s3

## Optional: Deny access to other Flow Production Tracking sites and specified ADSK services
#acl blocked_services dstdomain .shotgrid.autodesk.com .shotgunstudio.com drive.autodesk.com
#http_access deny blocked_services

# Allow access to Autodesk Identity
acl adsk_identity dstdomain .autodesk.com sso.connect.pingidentity.com autodesk-prod.okta.com .oktacdn.com .tiqcdn.com
http_access allow adsk_identity

# Deny access to all other endpoints
http_access deny all

Please note that the above is a bare-bones example; you should consult the Squid Reference and Squid FAQ for information on setting up logging and restricting access to the proxy.
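The order of the http_access lines above decides what the proxy lets through, so it is worth checking how a given hostname resolves before deploying. The following is an added example, not part of the original documentation or of Squid: a small Python model of first-match evaluation over the dstdomain ACLs copied from the squid.conf above. The function names, the optional_deny switch and the sample hosts (othersite.shotgrid.autodesk.com, example.com) are assumptions made for illustration, and the port and method checks are left out.

```python
# Added illustration: models first-match http_access evaluation over the
# dstdomain ACLs of the squid.conf above. Port and method checks are omitted.

ACLS = {  # copied from the example squid.conf
    "sg_site": ["mysite.shotgrid.autodesk.com"],
    "sg_services": [
        "launchdarkly.shotgrid.autodesk.com", "shotgrid.autodesk.com",
        "tank.shotgunstudio.com", "sg-software.ems.autodesk.com",
        "s3-proxy.shotgrid.autodesk.com", "s3-proxy.shotgunstudio.com",
        "sg-sec.s3-accelerate.amazonaws.com",
        "sg-data-retention.s3-accelerate.amazonaws.com", "api.amplitude.com",
    ],
    "sg_s3": ["sg-media-usor-01.s3.amazonaws.com",
              "sg-media-usor-01.s3-accelerate.amazonaws.com"],
    "blocked_services": [".shotgrid.autodesk.com", ".shotgunstudio.com",
                         "drive.autodesk.com"],
    "adsk_identity": [".autodesk.com", "sso.connect.pingidentity.com",
                      "autodesk-prod.okta.com", ".oktacdn.com", ".tiqcdn.com"],
}


def dstdomain_match(host, patterns):
    """'.example.com' matches example.com and its subdomains; 'example.com'
    matches that exact host only."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def decide(host, optional_deny=False):
    """Return (action, acl) for the first http_access line that matches."""
    rules = [("allow", "sg_site"), ("allow", "sg_services"), ("allow", "sg_s3")]
    if optional_deny:  # the commented-out blocked_services rule, enabled
        rules.append(("deny", "blocked_services"))
    rules.append(("allow", "adsk_identity"))
    for action, acl in rules:
        if dstdomain_match(host, ACLS[acl]):
            return action, acl
    return "deny", "all"  # final 'http_access deny all'


if __name__ == "__main__":
    # Constructed sample hosts; 'othersite' is a hypothetical second site.
    for h in ("mysite.shotgrid.autodesk.com", "othersite.shotgrid.autodesk.com",
              "drive.autodesk.com", "example.com"):
        print(h, decide(h), decide(h, optional_deny=True))
```

With the optional rule left commented out, the .autodesk.com entry in adsk_identity also admits other sites under shotgrid.autodesk.com and drive.autodesk.com; enabling the optional deny closes that, and it must stay above the adsk_identity allow to take effect.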

Client Workstation Configuration

Each user station will have to be configured to use the proxy. For large scale organizations, this process is usually handled when the user system is set up.

Note:

An exception for shotgunlocalhost.com to bypass the proxy must be configured in order for Flow Production Tracking Toolkit action menu shortcuts to function correctly. Alternatively, if access to shotgunlocalhost.com can't be granted then Setting up the Flow Production Tracking Desktop App for local installs can be followed to enable this functionality.

OS Configuration

Some operating systems support proxy configuration at the OS level. When it is set there, most applications will use the proxy by default.

Note:

Windows OS proxy settings must be configured in order for SSO authentication prompts in desktop software, such as the Flow Production Tracking Desktop App and RV, to function correctly.

Operating System | Documentation
Mac OS X | https://support.apple.com/en-gb/guide/mac-help/mchlp2591/mac
Windows | https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-proxy-server-settings

Browser Configuration

Browser | Documentation
Chrome | Chrome uses OS settings (see above)
Firefox | https://support.mozilla.org/en-US/kb/connection-settings-firefox
Safari | https://support.apple.com/en-gb/guide/safari/ibrw1053/mac

Configuring Flow Production Tracking Toolkit and Flow Production Tracking Desktop

Flow Production Tracking Toolkit and Flow Production Tracking Desktop can be configured to work behind a proxy. See the Flow Production Tracking Integrations Admin Guide for more information on how to set this up.

Configuring Flow Production Tracking RV

RV can also be configured to work with a proxy. You can set this up via environment variables, described under Proxy Configuration here.

This should allow any Flow Production Tracking integration to work, including launching versions in RV from Flow Production Tracking, Screening Room for RV, and Flow Production Tracking-aware RVLINKS.

Configuring Flow Production Tracking Create

If you are using a proxy server with Flow Production Tracking Create, you'll need to set the following environment variable:

SGC_NETWORK_PROXY host_name

Where host_name is the host name or dotted numerical IP address. A numerical IPv6 address must be written within [brackets]. To specify a port number in this string, append :[port] to the end of the host name. If not specified, Flow Production Tracking Create defaults to using port 1080 for proxies.

Alternatively, you can set the global environment variables http_proxy and https_proxy to your proxy url:port.