Hi all,
are there any particular implications/precautions/problems to consider for using FIX sessions via a reverse proxy?
I am not an expert in networking and am asking for your help and experience.
Thank you all in advance for any help you can give me
Hello Allesandro,
In general there shouldn’t be any reason that you could not use a reverse proxy to handle FIX sessions or application messages. In the simplest case, since all of FIX resides above the transport layer, you could have haproxy, nginx, or something simply pass along the TCP/IP traffic.
The two use-cases I could think of to use a reverse proxy would be:
a.) to terminate a TLS connection, such that information from the outside world to the perimeter of your network is encrypted, while sending the unencrypted data along to your application servers. This could be useful if you’re running some implementation of FIX that doesn’t support FIX over TLS.
b.) load balancing FIX sessions between multiple instances of FIX applications. Since a FIX session is allowed to consist of more than a single connection, this could help resolve scaling or performance issues on a busy network.
With the latter use-case, I would think most problems would arise from how your application is handling session state. If session state is stored within the application server, then load balancing your sessions would quickly break things. However, if your application servers are stateless and store session information in some sort of shared storage, then it wouldn’t be a problem.
I would consider taking a look at NGINX and HAProxy as potential solutions if you do need to put a reverse proxy between your application servers and some other entity. I believe that both have modules that allow for load balancing FIX sessions. If you just need to terminate encryption, most reverse-proxy offerings out there should let you terminate without the need for any special modules.
I hope this information helps!
Thanks,
Patrick
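The session-state point in the reply above, as an added example that is not part of the original thread: a small Python model of one FIX session reconnecting through a proxy that hands each new connection to the next backend. The class and function names and the sample messages are constructed for illustration; only the FIX tags (34 MsgSeqNum, 49 SenderCompID, 56 TargetCompID) are standard.

```python
# Added illustration: constructed FIX messages, hypothetical class and function names.
SOH = "\x01"

def parse_fix(raw):
    """Split a FIX tag=value message into a {tag: value} dict."""
    return dict(field.split("=", 1) for field in raw.strip(SOH).split(SOH))

def make_msg(seq, sender="CLIENT1", target="BROKER"):
    """Constructed heartbeat (35=0); BodyLength and CheckSum omitted for brevity."""
    return SOH.join(["8=FIX.4.4", "35=0", f"34={seq}", f"49={sender}", f"56={target}"]) + SOH

class Acceptor:
    """FIX acceptor that tracks the next expected inbound MsgSeqNum (tag 34)."""
    def __init__(self, store=None):
        # A private dict models in-process state; a dict passed in models shared storage.
        self.expected = store if store is not None else {}

    def receive(self, raw):
        msg = parse_fix(raw)
        session = (msg["49"], msg["56"])  # session key: SenderCompID, TargetCompID
        want = self.expected.get(session, 1)
        got = int(msg["34"])
        if got != want:
            return f"gap: expected {want}, got {got}"
        self.expected[session] = want + 1
        return "ok"

def route_connections(backends, connections):
    """Model a TCP proxy that assigns each new connection to the next backend."""
    results = []
    for i, conn in enumerate(connections):
        backend = backends[i % len(backends)]
        results.append([backend.receive(m) for m in conn])
    return results

def demo():
    # One session: first connection carries seq 1-3, the reconnect carries seq 4-5.
    conns = [[make_msg(n) for n in (1, 2, 3)], [make_msg(n) for n in (4, 5)]]
    local = route_connections([Acceptor(), Acceptor()], conns)
    shared_store = {}
    shared = route_connections([Acceptor(shared_store), Acceptor(shared_store)], conns)
    return local, shared

if __name__ == "__main__":
    for name, result in zip(("local state", "shared state"), demo()):
        print(name, result)
```

With per-instance state the second backend has never seen the session and reports a sequence gap on the reconnect; with the shared store both connections are accepted.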
Patrick, note that many firms use / have used (for a decade+) stunnel for TCP-based FIX connectivity.
Hey Scott,
if you’re using stunnel, that more or less serves the same purpose as one of the other solutions mentioned, as they both serve to “wrap” or “sit in front of” your FIX implementation. If you’ve already got end-to-end encryption achieved with stunnel but still have some requirement to use another reverse proxy, your best bet would be to simply pass through traffic at the TCP/IP level.
ptdel, scott
many thanks for your help.
I will discuss your notes/proposal with my network engineers!
Again, thank you!
Ale