Introduction to RBI Proxy
HTTP/HTTPS Proxy Service for SOFTCAMP SHIELDGate Isolated Browser Integration
📋 Table of Contents
- Overview
- What is RBIProxy?
- Overall Architecture
- Main Components
- Operating Principle
- PAC file configuration
- Security Mechanism
- REST API
- Technology Stack
- Use Cases
Overview
RBIProxy is an intermediate proxy server that automatically routes the user's ordinary browser traffic to the SOFTCAMP SHIELDGate Isolated Browser.
Users browse the web as usual, but all web access is executed in a secure environment (RBI) to protect them safely from security threats.
Core Values
- Transparent Security: Enhancing security without compromising user experience (automatic redirect)
- Centralized Control: Centralized control of all web traffic with a single proxy
- Simple Relay Structure: Perform only URL conversion and SHIELDGate integration (complex policies are handled by SHIELDGate)
What is RBIProxy?
RBI (Remote Browser Isolation)
Remote Browser Isolation (RBI) is a security technology that executes the user's web browsing in a physically isolated remote environment.
```
Traditional web access:
[User PC] ──→ [Internet website]
                     ↑
        Risk of downloading malware
        Exposure to zero-day attacks
        Direct access to phishing sites

After applying RBI:
[User PC] ──→ [Isolated browser] ──→ [Internet website]
                      ↑
        Malware runs only in the isolated environment
        The user PC stays safe
```
Role of RBIProxy
RBIProxy is a relay that converts traffic that has passed PAC filtering into SHIELDGate URLs:
🎯 Filtering Structure
```
┌──────────────────────────────────────────────────────────────┐
│ PAC file (runs on the user PC)                               │
│ "Which sites go through the proxy, and which go direct?"     │
└────────────┬─────────────────────────────┬───────────────────┘
             ↓                             ↓
      [Allowed sites]               [Blocked sites]
      naver.com                     example.com
      microsoft.com                 unknown-site.com
      internal IPs (192.168.x.x)    every other site
             ↓                             ↓
      DIRECT (proxy bypassed)       PROXY 10.14.10.176:9999
             ↓                             ↓
      [Direct access]         ┌─────────────────────────────┐
                              │ RBIProxy server             │
                              │ "URL converter"             │
                              └──────┬──────────────────────┘
                                     ↓
                              URL conversion
                                     ↓
                              https://shieldgate.softcamp.co.kr/
                              gate-proxy?currentTab=true&url=<original URL>
                                     ↓
                              HTML redirect response
                                     ↓
                              ┌────────────────────────┐
                              │ The user's browser     │
                              │ navigates automatically│
                              └──────┬─────────────────┘
                                     ↓
                              ┌────────────────────┐
                              │ SHIELDGate         │
                              │ gate-proxy         │
                              └──────┬─────────────┘
                                     ↓
                              ┌────────────────────┐
                              │ rb-app             │
                              │ (isolated browser) │
                              └──────┬─────────────┘
                                     ↓
                              [Actual website access]
```
Specific Examples
Example 1: Access naver.com (allowed site)
```
[User] types naver.com
   ↓
[PAC file] "naver.com? Oh, you're allowed!"
   ↓
[Decision] "Then you go DIRECT"
   ↓
[Result] direct access to naver.com ✅ (RBIProxy bypassed)
```
Example 2: Access example.com (blocked site)
```
[User] types example.com
   ↓
[PAC file] "example.com? You're not on the allow list"
   ↓
[Decision] "You go to RBIProxy"
   ↓
[RBIProxy] URL conversion
   original:  http://example.com
   →
   converted: https://shieldgate.softcamp.co.kr/gate-proxy?currentTab=true&url=http://example.com
   ↓
[HTML redirect response]
   <meta http-equiv="refresh" content="0;url=<converted URL>"/>
   ↓
[User browser] navigates to the SHIELDGate URL automatically
   ↓
[SHIELDGate] gate-proxy launches rb-app (isolated browser)
   ↓
[rb-app] accesses example.com from the isolated environment
   ↓
[Result] the user browses example.com through the isolated browser ✅
```
Overall Architecture
Simplified Flowchart
```
┌─────────────────────┐
│ User PC             │
│ (ordinary browser)  │
│ Chrome / Edge, etc. │
└──────────┬──────────┘
           │
           │ ① Windows proxy settings (PAC)
           │    - allowed sites → DIRECT
           │    - blocked sites → PROXY 10.14.10.176:9999
           ↓
┌─────────────────────┐
│ RBIProxy server     │
│ (this project)      │
│ - URL conversion only│
└──────────┬──────────┘
           │
           │ ② HTML redirect
           │    shieldgate.softcamp.co.kr/
           │    gate-proxy?currentTab=true&url=<original URL>
           ↓
┌─────────────────────┐
│ SHIELDGate          │
│ (isolated browser)  │
│ - gate-proxy        │
└──────────┬──────────┘
           │
           │ ③ launches rb-app
           ↓
┌─────────────────────┐
│ rb-app              │
│ (isolated browser)  │
└──────────┬──────────┘
           │
           │ ④ actual website access
           ↓
┌─────────────────────┐
│ Internet website    │
│ example.com etc.    │
└─────────────────────┘
```
### Detailed Data Flow
**Important**: the PAC file performs the first-stage filtering!
┌─────────────────────────────────────────────────────────────────┐
│ User PC │
│ │
│ [Chrome/Edge] User Inputs URL │
│ ↓ │
│ ┌─────────────────────────────────────────────┐ │
│ │ PAC file (filtering) │ │
│ │ "Where should I send this site?" │ │
│ └──────────┬──────────────────────────────────┘ │
│ │ │
│ ┌──────┴───────┐ │
│ ↓ ↓ │
│ [Allowed Sites] [Blocked Targets] │
│ naver.com example.com │
│ ↓ ↓ │
│ DIRECT PROXY 10.14.10.176:9999 │
│ │
└──────┼──────────────┼──────────────────────────────────────────┘
│ │
↓ │ Delivered via RBIProxy
[naver.com] ↓
Direct Access ┌─────────────────────────────────────────────────────────────────┐
│ RBIProxy Server │
│ (URL Converter) │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ 1. Request Reception (Port 9999) │ │
│ └──────────────────┬───────────────────────────────────────┘ │
│ │ │
│ ┌──────────────────▼───────────────────────────────────────┐ │
│ │ 2. URL Conversion │ │
│ │ Original:http://example.com │ │
│ │ → │ │
│ │ Conversion:https://shieldgate.softcamp.co.kr/ │ │
│ │ gate-proxy?currentTab=true&url=http://example.com│ │
│ └──────────────────┬───────────────────────────────────────┘ │
│ │ │
│ ┌──────────────────▼───────────────────────────────────────┐ │
│ │ 3. HTML Redirect Response │ │
│ │ │ │
│ └──────────────────┬───────────────────────────────────────┘ │
│ │ │
└─────────────────────┼────────────────────────────────────────────┘
│
↓
┌─────────────────────────────┐
│ User Browser │
│ Automatically move to SHIELDGate │
└─────────────┬───────────────┘
↓
┌─────────────────────┐
│ SHIELDGate │
│ gate-proxy │
└──────────┬──────────┘
│
│ Running rb-app
↓
┌─────────────────────┐
│ rb-app │
│ (Isolated Browser) │
└──────────┬──────────┘
│
│ Direct Internet Access
↓
┌─────────────────────┐
│ Internet Website │
│ example.com │
└─────────────────────┘
***
## Main Components
### 1. Windows PAC (Proxy Auto-Config)
**Location**: Windows proxy settings on the user PC
**Role**: **First-stage filtering - decides per site whether the proxy is used**
**Important**: the PAC file decides first!
- ✅ **Allowed sites** (naver.com, microsoft.com, etc.) → `DIRECT` (proxy bypassed)
- ⚠️ **Ordinary sites** (example.com, etc.) → `PROXY 10.14.10.176:9999` (to RBIProxy)
**Example PAC file** (`pac.js`):
```javascript
function FindProxyForURL(url, host) {
  // 1. SHIELDGate itself is DIRECT (prevents an infinite loop)
  if (dnsDomainIs(host, "shieldgate.softcamp.co.kr") ||
      dnsDomainIs(host, "security365.co.kr")) {
    return "DIRECT";
  }
  // 2. Allow list (exceptions)
  if (dnsDomainIs(host, "naver.com") ||
      dnsDomainIs(host, "microsoft.com") ||
      dnsDomainIs(host, "office365.com")) {
    return "DIRECT"; // ← naver.com? Oh, you're allowed! DIRECT!
  }
  // 3. Internal network is DIRECT
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
      isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
      isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // 4. Default rule: send to RBIProxy
  return "PROXY 10.14.10.176:9999"; // ← example.com? You go to RBIProxy!
}
```
Actual operation:
```
User types naver.com
   ↓
PAC: "naver.com? Oh, you're allowed!"
   ↓
PAC: "Then you go DIRECT"
   ↓
Direct access to naver.com ✅ (RBIProxy not involved)

User types example.com
   ↓
PAC: "example.com? You're not on the allow list"
   ↓
PAC: "You go to RBIProxy" (PROXY 10.14.10.176:9999)
   ↓
Forwarded to RBIProxy → next stage
```
How to apply the PAC file:
1. **Manual application** (individual PC):
   - Windows Settings → Network & Internet → Proxy
   - Enable "Automatic Proxy Configuration"
   - Script address: `http://10.14.10.176:9999/RestAPI/pac.js`
2. **GPO application** (domain-wide bulk deployment):
   Group Policy Editor
   → User Configuration → Preferences → Windows Settings → Registry
   → HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
   → AutoConfigURL = "http://10.14.10.176:9999/RestAPI/pac.js"
3. **Download the PAC file**:
   ```shell
   # PAC file served by RBIProxy
   curl http://10.14.10.176:9999/RestAPI/pac.js -o pac.js
   ```
2. RBIProxy Server
Language: Go (Golang)
Port:
- 9999: Proxy Server (Main Function)
- 80: REST API Server (Management/Monitoring)
Deployment: Kubernetes (Docker container)
Main Role: "URL Converter"
Receives all traffic sent by the PAC and converts it to the SHIELDGate URL format.
```
┌─────────────────────────────────────────────────────────────┐
│ RBIProxy server (URL converter)                             │
│                                                             │
│ ① receive proxy request (port 9999)                         │
│    ↓                                                        │
│ ② URL conversion                                            │
│    original:  http://example.com                            │
│    →                                                        │
│    converted: https://shieldgate.softcamp.co.kr/            │
│               gate-proxy?currentTab=true&url=<original URL> │
│    ↓                                                        │
│ ③ HTML redirect response                                    │
│    <meta http-equiv="refresh"                               │
│          content="0;url=<converted URL>"/>                  │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
Core code (`src/main.go`, lines 317~320):
```go
func redirectUrl(url string) string {
	// SHIELDGate method: pass the URL as a query parameter
	return cfg.RBIProxy.RBI.BaseURL +
		"gate-proxy?currentTab=true&url=" + url
}
```
Actual conversion example:
```
Input:  http://example.com
→
Output: https://shieldgate.softcamp.co.kr/gate-proxy?currentTab=true&url=http://example.com
```
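The `redirectUrl` above concatenates the original URL into the query string as-is. The following is an added JavaScript example (not the project's Go code) that shows what that does to a URL containing `&` or `#`, beside a hardened builder that percent-encodes the parameter, HTML-escapes the meta-refresh target and refuses to wrap a URL that already points at SHIELDGate; `BASE_URL` assumes the page's `RBI_BASEURL` value.

```javascript
// Added example, not RBIProxy code. BASE_URL assumes the page's RBI_BASEURL
// value with the trailing "/" the page says is appended automatically.
const BASE_URL = "https://shieldgate.softcamp.co.kr/";

// Naive conversion, behaving like the page's redirectUrl: raw concatenation.
function redirectUrlNaive(url) {
  return BASE_URL + "gate-proxy?currentTab=true&url=" + url;
}

// Hardened conversion: the original URL becomes one fully encoded query
// parameter, so "&", "?" and "#" inside it cannot split or truncate the query.
function redirectUrlSafe(url) {
  return BASE_URL + "gate-proxy?currentTab=true&url=" + encodeURIComponent(url);
}

// True when the URL already targets the SHIELDGate host, i.e. a URL that must
// never be wrapped again (the same idea as the PAC DIRECT rule for loop prevention).
function isShieldGateUrl(url) {
  try {
    return new URL(url).host === new URL(BASE_URL).host;
  } catch (e) {
    return false; // unparsable input is simply "not SHIELDGate"
  }
}

// Escape the characters that matter inside an HTML attribute value.
function htmlAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build the meta-refresh body the proxy returns. Returns null for URLs that
// already point at SHIELDGate so the caller can pass them through untouched.
function redirectBody(url) {
  if (isShieldGateUrl(url)) return null;
  return '<meta http-equiv="refresh" content="0;url=' + htmlAttr(redirectUrlSafe(url)) + '"/>';
}

// What gate-proxy would see as its "url" parameter for a given redirect URL.
function extractUrlParam(redirect) {
  return new URL(redirect).searchParams.get("url");
}
```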
3. SHIELDGate (Isolation Browser)
URL: https://shieldgate.softcamp.co.kr
Composition:
- gate-proxy: Web Interface (Accepts URL to run rb-app)
- rb-app: Isolated Browser Engine (Accessing and Rendering Real Websites)
role:
- gate-proxy receives URL parameters to run rb-app (isolated browser)
- Rendering a real website in an isolated environment with rb-app
- Streaming only the screen to the user
- Application of Security Policies (Download/Upload/Copy Control, etc.)
URL conventions:
```
https://shieldgate.softcamp.co.kr/gate-proxy?currentTab=true&url=<original URL>
```
How It Works:
```
Request arrives at the gate-proxy URL
   ↓
gate-proxy extracts the url parameter
   ↓
rb-app (isolated browser) is launched
   ↓
rb-app connects directly to the real website
   ↓
The screen is streamed to the user
```
Example:
```
Converted URL: https://shieldgate.softcamp.co.kr/gate-proxy?currentTab=true&url=http://example.com
→ gate-proxy launches rb-app
→ rb-app accesses http://example.com
```
Operating Principle
🌟 Overall Scenario: 2 Paths
When the user accesses a website, the PAC file makes the decision first:
```
User enters a URL
        ↓
┌───────────────────────────────┐
│ PAC file (first-stage filter) │
│ "Where should this site go?"  │
└───────┬───────────────────────┘
        │
   ┌────┴─────┐
   ↓          ↓
[allowed]  [blocked]
   ↓          ↓
 DIRECT     PROXY
   ↓          ↓
 [done]    [RBIProxy]
              ↓
          [SHIELDGate]
```
Scenario A: Allowed Site (naver.com)
Case that ends at the PAC - RBIProxy is not involved
Step-by-Step Flow
```
[Step 1] User types "naver.com" into Chrome
   │
   ↓
[Step 2] PAC file runs (on the user PC)
   function FindProxyForURL(url, "naver.com") {
     if (dnsDomainIs(host, "naver.com")) {
       return "DIRECT"; // ← decided here!
     }
   }
   │
   ↓
[Step 3] PAC decision: "naver.com? Oh, you're allowed!"
   │
   ↓
[Step 4] Decision: "Then you go DIRECT" (no proxy)
   │
   ↓
[Step 5] Direct access to naver.com ✅

Result: neither RBIProxy nor SHIELDGate is involved
```
Scenario B: Blocked Site (example.com)
Case that passes through RBIProxy + SHIELDGate
Step-by-Step Flow
```
[Step 1] User types "example.com" into Chrome
   │
   ↓
[Step 2] PAC file runs (on the user PC)
   function FindProxyForURL(url, "example.com") {
     // not on the allow list
     return "PROXY 10.14.10.176:9999"; // ← decided here!
   }
   │
   ↓
[Step 3] PAC decision: "example.com? You're not on the allow list"
   │
   ↓
[Step 4] Decision: "You go to RBIProxy"
   │
   ↓
[Step 5] RBIProxy receives the request
   → proxy request received (port 9999)
   │
   ↓
[Step 6] URL conversion
   → original:  http://example.com
   → converted: https://shieldgate.softcamp.co.kr/gate-proxy?currentTab=true&url=http://example.com
   │
   ↓
[Step 7] HTML redirect response generated
   → <meta http-equiv="refresh" content="0;url=<converted URL>"/>
   → HTTP 202 Accepted response
   │
   ↓
[Step 8] The user's browser navigates to the SHIELDGate URL automatically
   │
   ↓
[Step 9] SHIELDGate gate-proxy reads the URL parameter
   → extracts url=http://example.com
   │
   ↓
[Step 10] gate-proxy launches rb-app (isolated browser)
   │
   ↓
[Step 11] rb-app connects directly to example.com from the isolated environment
   │
   ↓
[Step 12] The website is rendered and the screen is streamed to the user
   │
   ↓
[Done] The user browses example.com safely through the isolated browser ✅
```
Scenario Comparison
| step | naver.com (Allowed) | example.com (blocked) |
|---|---|---|
| PAC Filter | DIRECT → Direct Access | PROXY → to RBIProxy |
| RBIProxy | No intermediary | URL Conversion → to SHIELDGate |
| Last Access | directly naver.com | via rb-app (Isolated Browser) |
| Security Level | General | Isolation Environment |
| Number of Steps | 5 steps | 12 steps |
PAC file configuration
What is a PAC file?
**PAC (Proxy Auto-Config)** is a file written in JavaScript that dynamically determines which proxy the browser should use.
Creating PAC File for RBIProxy
RBIProxy serves the PAC file through the `/RestAPI/pac.js` endpoint.
Basic PAC File Structure
```javascript
function FindProxyForURL(url, host) {
  // 1. SHIELDGate itself bypasses the proxy (prevents an infinite loop)
  if (dnsDomainIs(host, "shieldgate.softcamp.co.kr") ||
      dnsDomainIs(host, "security365.co.kr") ||
      dnsDomainIs(host, "softcamp.co.kr")) {
    return "DIRECT";
  }
  // 2. Internal network (private IP ranges) bypasses the proxy
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
      isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
      isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // 3. Exceptions for specific domains
  if (dnsDomainIs(host, "microsoft.com") ||
      dnsDomainIs(host, "azure.com") ||
      dnsDomainIs(host, "office365.com")) {
    return "DIRECT"; // Microsoft services bypass the proxy
  }
  // 4. Default rule: proxy through RBIProxy
  return "PROXY 10.14.10.176:9999";
}
```
Main Functions of PAC File
| Function | Description | Example |
|---|---|---|
| `dnsDomainIs(host, domain)` | Domain match check | `dnsDomainIs(host, "example.com")` |
| `shExpMatch(host, pattern)` | Wildcard pattern matching | `shExpMatch(host, "*.google.com")` |
| `isInNet(host, network, mask)` | IP network range check | `isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0")` |
| `isPlainHostName(host)` | Check for a bare hostname (no domain part) | `isPlainHostName("localhost")` |
How to Distribute PAC Files
Method 1: Deploy directly from RBIProxy
RBIProxy serves the PAC file through the `/RestAPI/pac.js` endpoint.
```
# PAC file address
http://10.14.10.176:9999/RestAPI/pac.js
```
Windows Proxy Settings:
- Settings → Network & Internet → Proxy
- "Automatic Search Settings" OFF
- "Use Setup Script" ON
- Script address:
http://10.14.10.176:9999/RestAPI/pac.js
Method 2: Deployment from a Web Server
You can also deploy the PAC file to a separate web server (Apache, Nginx, etc.).
```nginx
# Nginx configuration example
location /proxy.pac {
    alias /var/www/html/pac.js;
    types {
        application/x-ns-proxy-autoconfig pac;
    }
}
```
Method 3: GPO (Group Policy Object) Deployment
Bulk Application in Active Directory Environment:
1. Open the Group Policy Management Console
2. Create a new GPO: "RBIProxy PAC Configuration"
3. Edit → User Configuration → Preferences → Windows Settings → Registry
4. New registry entry:
   - Hive: HKEY_CURRENT_USER
   - Key path: Software\Microsoft\Windows\CurrentVersion\Internet Settings
   - Value name: AutoConfigURL
   - Value type: REG_SZ
   - Value data: http://10.14.10.176:9999/RestAPI/pac.js
PAC File Exception Handling Strategy
1. Performance Optimization: Internal Resources DIRECT
```javascript
// CDNs and static resources are accessed directly
if (dnsDomainIs(host, "cdn.jsdelivr.net") ||
    dnsDomainIs(host, "cdnjs.cloudflare.com")) {
  return "DIRECT";
}
```
2. Compatibility: Bypassing Specific Services
```javascript
// Microsoft 365 services bypass the proxy (avoids authentication problems)
if (dnsDomainIs(host, "office365.com") ||
    dnsDomainIs(host, "sharepoint.com") ||
    dnsDomainIs(host, "teams.microsoft.com")) {
  return "DIRECT";
}
```
3. Security: RBI Bypass Only for Trusted Domains
```javascript
// Internal company systems are DIRECT
if (dnsDomainIs(host, "intranet.company.com") ||
    dnsDomainIs(host, "erp.company.com")) {
  return "DIRECT";
}
```
How to Test PAC Files
```javascript
// Debug output added to a PAC file used for testing
function FindProxyForURL(url, host) {
  var result;
  if (dnsDomainIs(host, "shieldgate.softcamp.co.kr")) {
    result = "DIRECT";
  } else if (isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0")) {
    result = "DIRECT";
  } else {
    result = "PROXY 10.14.10.176:9999";
  }
  // Show the decision in the browser (use only while debugging)
  alert("URL: " + url + "\nHost: " + host + "\nResult: " + result);
  return result;
}
```
Using the Online PAC Tester:
- PacParser: upload the PAC file and test it
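An offline harness for the PAC logic above, as an added example that is not part of RBIProxy: the browser-provided helpers (`dnsDomainIs`, `shExpMatch`, `isInNet`, `isPlainHostName`, `dnsResolve`) are reimplemented with the semantics of the Mozilla reference functions and DNS answers come from a constructed table, so the page's rule set can be checked from Node without `alert()`. It also demonstrates a caveat: the reference `dnsDomainIs` is a plain suffix match, so an allow rule for `naver.com` also sends a host such as `fakenaver.com` (constructed) DIRECT; `dnsDomainIsStrict` is the assumed fix.

```javascript
// Added example, not from the project. Constructed DNS answers so the harness
// runs offline; the IPs are documentation ranges, not real addresses.
const DNS_TABLE = {
  "intranet": "10.14.5.20",
  "printer.local": "192.168.10.7",
  "erp.corp.example": "10.14.5.20",
  "example.com": "93.184.216.34",
  "shieldgate.softcamp.co.kr": "203.0.113.10",
  "naver.com": "203.0.113.20",
  "fakenaver.com": "198.51.100.9",
};

// Reimplementations of the PAC helper functions (Mozilla reference semantics).
function dnsResolve(host) { return DNS_TABLE[host] || null; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, shexp) {
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
// Reference dnsDomainIs: a bare suffix comparison (see the caveat below).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
// Assumed hardened matcher: exact host or a real subdomain ("." + domain).
function dnsDomainIsStrict(host, domain) {
  return host === domain || dnsDomainIs(host, "." + domain);
}
function ipToInt(ip) { return ip.split(".").reduce((n, o) => n * 256 + Number(o), 0); }
function isInNet(ip, network, mask) {
  if (!ip) return false; // unresolvable host: not in any range
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(network) & m) >>> 0);
}

// The page's rule order (SHIELDGate → allow list → private ranges → proxy),
// parameterised by the domain matcher so both variants can be compared.
function makeFindProxy(domainIs) {
  return function FindProxyForURL(url, host) {
    if (domainIs(host, "shieldgate.softcamp.co.kr") ||
        domainIs(host, "security365.co.kr")) return "DIRECT";
    if (domainIs(host, "naver.com") || domainIs(host, "microsoft.com")) return "DIRECT";
    if (isPlainHostName(host) || shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0")) return "DIRECT";
    return "PROXY 10.14.10.176:9999";
  };
}
const findProxyReference = makeFindProxy(dnsDomainIs);
const findProxyStrict = makeFindProxy(dnsDomainIsStrict);

// Evaluate a list of hosts and return {host: decision}.
function evaluate(findProxy, hosts) {
  const out = {};
  for (const h of hosts) out[h] = findProxy("http://" + h + "/", h);
  return out;
}
```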
Security Mechanism
1. TLS MITM (Man-In-The-Middle)
RBIProxy uses the MITM technique to inspect HTTPS traffic.
Operation Process
```
[User browser]
   │
   │ CONNECT example.com:443
   ↓
[RBIProxy]
   │
   │ ① responds HTTP/1.0 200 OK
   │ ② dynamically issues a TLS certificate for example.com
   │ ③ completes the TLS handshake with the user
   │ ④ decrypts the encrypted request
   │ ⑤ inspects the URL: https://example.com/page
   │ ⑥ generates the redirect response
   ↓
[User browser]
   │
   │ navigates to SHIELDGate automatically
   ↓
[SHIELDGate]
```
Installation of Private Certificate Required
For HTTPS MITM to function correctly, the user's PC must trust the CA certificate of RBIProxy.
Certificate Download:
```shell
curl http://10.14.10.176:9999/RestAPI/cert.cer -o rbiproxy_cert.cer
```
Installation Method:
1. **Windows**:
   - Double-click `rbiproxy_cert.cer` → click "Install Certificate"
   - Select "Local Computer"
   - Choose "Store all certificates in the following store" → Trusted Root Certification Authorities
   - Finish the installation
2. **GPO bulk deployment**:
   Group Policy Management → Computer Configuration → Windows Settings → Security Settings
   → Public Key Policies → Trusted Root Certification Authorities
   → add rbiproxy_cert.cer
2. RBI Integration Method
RBIProxy supports two types of RBI integration methods:
A. SHIELDGate Method (Currently in Operation) ⭐
Settings:
```yaml
RBI_LINK_TYPE: SHIELDGate
```
Code location: `src/main.go`, line 320
URL format:
https://shieldgate.softcamp.co.kr/gate-proxy?currentTab=true&url=http://example.com
Processing Method:
- RBIProxy performs a simple URL conversion
- Pass the original URL as a query parameter
- The security policy is handled by SHIELDGate.
Features:
- Simple and intuitive structure
- URL is exposed in plaintext
- RBIProxy only serves as a relay.
- Delegating Policy Management to SHIELDGate
B. DIRECT (JWT) Method (Currently Unused)
Settings:
RBI_LINK_TYPE: DIRECT
Code location: `src/main.go`, lines 323~342
URL format:
https://rbi.custom.co.kr/view?url=<JWT_TOKEN>
JWT token content (hardcoded in lines 329 to 339 of `src/main.go`):
```jsonc
{
  "ver": "1.0",
  "id": "softcamp.co.kr",
  "url": "http://example.com",
  "policy": {
    "screenmark": "OFF", // screen watermark
    "key": "ON",         // allow keyboard input
    "site": "ON",        // allow site access
    "dn": "ON",          // allow download
    "up": "ON",          // allow upload
    "media": "ON",       // allow media playback
    "menu": "ON",        // allow menu use
    "clip": "ON"         // allow clipboard use
  },
  "exp": 1234567890      // expiry time (12 hours later)
}
```
Features:
- URL encrypted with JWT token
- Token expiration time setting (12 hours)
Constraints:
- ⚠️ The policy is hardcoded in the code
- ⚠️ Apply the same policy to all requests
- ⚠️ Cannot apply different policies by user/URL
- ⚠️ Cannot be changed via ConfigMap or configuration file
- Not used in the current operating environment
Summary of Comparison Methods
| item | SHIELDGate Method (In Operation) | DIRECT (JWT) Method (Not Used) |
|---|---|---|
| Settings | RBI_LINK_TYPE: SHIELDGate | RBI_LINK_TYPE: DIRECT |
| URL Conversion | Passing Plain Text as Query Parameters | Encrypting with JWT Token |
| Policy Processing | Processed in SHIELDGate | Included in the JWT token (hardcoded) |
| Policy Flexibility | Flexibly manage in SHIELDGate | impossible (code modification needed) |
| Role of RBIProxy | Simple Repeater | URL + Policy Packaging |
| Current Usage Status | ✅ In Use | ❌ Unused |
Why use the SHIELDGate method?
Analysis of the current operating environment (based on the ConfigMap):
```yaml
# build/kube-deploy.yaml
RBI_LINK_TYPE: SHIELDGate # ← actual production setting
RBI_BASEURL: https://devshieldgate.softcamp.co.kr
```
Reasons for choosing the SHIELDGate method:
- **Simplicity**:
  - RBIProxy only performs the URL transformation (`src/main.go` line 320)
  - Security policy management is delegated entirely to SHIELDGate
  - Policy changes are made in SHIELDGate without modifying code
- **Maintainability**:
  - The JWT-based policy is hardcoded in `src/main.go` lines 329~339; a policy change requires code modification → build → deployment
  - With the SHIELDGate method only the SHIELDGate settings need to change
- **Operational flexibility**:
  - Different policies per user/group are managed in SHIELDGate
  - RBIProxy behaves the same for all users
  - No RBIProxy redeployment is needed for policy changes
Conclusion:
- RBIProxy focuses on the role of a **"smart URL converter"**
- Complex policy management is SHIELDGate's responsibility
- Simple and stable architecture
3. Preventing Infinite Loops
Mechanism to Prevent Infinite Redirects Between RBIProxy and SHIELDGate:
Preventing in PAC file:
```javascript
// The SHIELDGate domain is accessed DIRECT (proxy bypassed)
if (dnsDomainIs(host, "shieldgate.softcamp.co.kr")) {
  return "DIRECT"; // prevents an infinite loop
}
```
Operating principle:
```
User enters example.com
        ↓
PAC: PROXY → to RBIProxy
        ↓
RBIProxy: redirects to shieldgate.softcamp.co.kr/gate-proxy?url=example.com
        ↓
The user's browser tries to reach shieldgate.softcamp.co.kr
        ↓
PAC: "shieldgate.softcamp.co.kr? DIRECT!" ← the loop stops here!
        ↓
Direct access to shieldgate.softcamp.co.kr (RBIProxy bypassed)
        ↓
Infinite loop prevented ✅
```
If the exception is not handled in the PAC:
```
❌ Infinite loop:
example.com → RBIProxy → shieldgate... → RBIProxy → shieldgate... (repeats)
```
REST API
RBIProxy provides a REST API for management and monitoring.
1. Version and Health Check
Endpoint: `GET /` or `GET /ver`
```shell
curl http://10.14.10.176:9999/ver
```
Response:
```json
{
  "code": 0,
  "msg": "안녕, Hi, こんにちは, 你好, Chào...",
  "ver": "1.0.0.5"
}
```
Purpose:
- Service Operation Verification
- Version Information Retrieval
- Kubernetes Liveness/Readiness Probe
2. Active Session Monitoring
endpoint: GET /sessions
Authentication:
- No authentication required when accessing from localhost
- Basic Auth required for external access
```shell
# Using Basic Auth
curl -u admin:password http://10.14.10.176:9999/sessions
```
Response:
```json
{
  "code": 0,
  "msg": "",
  "total": 2,
  "sessions": [
    {
      "client": "192.168.1.100:48068",
      "req": "GET https://example.com",
      "time": "295.508µs"
    },
    {
      "client": "192.168.1.101:37988",
      "req": "CONNECT secure.example.com:443",
      "time": "1.381s"
    }
  ]
}
```
Purpose:
- Real-time Traffic Monitoring
- Performance Analysis (Request Processing Time)
- User Access Tracking
3. PAC File Distribution
endpoint: GET /RestAPI/pac.js
```shell
curl http://10.14.10.176:9999/RestAPI/pac.js
```
Response: JavaScript PAC file
Purpose:
- Automatic Proxy Configuration for User PC
- Managing PAC Files from the Center
4. Private Certificate Distribution
endpoint: GET /RestAPI/cert.cer
```shell
curl http://10.14.10.176:9999/RestAPI/cert.cer -o rbiproxy_cert.cer
```
Response: CA certificate in PEM format
Purpose:
- Distribution of Private Certificates for HTTPS MITM
- Remove certificate warning by installing on user PC
Technology Stack
Language and Framework
| Technology | version | Purpose |
|---|---|---|
| Go (Golang) | 1.23.11 | Main Language |
| Alpine Linux | 3.21.3 | Docker Base Image |
| elazarl/goproxy | - | HTTP/HTTPS Proxy Library |
Main Go Packages
rbiproxy/
├── cert/ # TLS 인증서 동적 발급 (MITM)
├── config/ # 설정 파일 로드 (config.yaml, 환경변수)
├── restapi/ # REST API 서버
│ └── core/ # API 핸들러 (version, sessions)
└── main.go # 프록시 서버 메인 로직
External Dependencies
- github.com/elazarl/goproxy: HTTP/HTTPS Proxy Engine
- github.com/spf13/viper: Configuration File Management
- dev.azure.com/Security365/go-common:
- JWT Token Creation/Validation
- Logger
- Utility
Build and Deployment
Building Docker Images:
docker build -t rbiproxy:latest -f build/Dockerfile .
Version Control:
- `build/version.txt`: Major.Minor.Patch version
- `build/version-patch.txt`: patch number
- Version information is inserted automatically during the build
Use Cases
Case 1: Strengthening Enterprise Web Security
Problem:
- Accessing malicious websites during work by employees
- Ransomware, malware download risks
- Account theft due to access to phishing sites
solution:
```
[All employee PCs]
   ↓ (PAC auto-deployed via GPO)
[RBIProxy]
   ↓ (automatic redirect)
[SHIELDGate isolated browser]
   ↓ (safe access)
[External websites]
```
Result: malware runs only in the isolated environment; employee PCs stay safe
Case 2: Apply RBI Only to Specific Departments
Requirements:
- The development team needs unrestricted internet access (DIRECT)
- General departments secure access through RBI
implementation:
```javascript
// Development team IP range
function FindProxyForURL(url, host) {
  var clientIP = myIpAddress();
  // The development team's IP range is DIRECT
  if (isInNet(clientIP, "10.14.20.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // All other departments use RBIProxy
  if (/* exception conditions */) {
    return "DIRECT";
  }
  return "PROXY 10.14.10.176:9999";
}
```
Case 3: Apply RBI only to High-Risk Categories
Requirements:
- Trusted Sites (Microsoft, Google) are DIRECT
- Apply RBI only to unknown sites
implementation:
```javascript
function FindProxyForURL(url, host) {
  // Trusted domain list
  var trustedDomains = [
    "microsoft.com", "google.com", "github.com",
    "stackoverflow.com", "azure.com"
  ];
  for (var i = 0; i < trustedDomains.length; i++) {
    if (dnsDomainIs(host, trustedDomains[i])) {
      return "DIRECT";
    }
  }
  // All other sites go through RBIProxy
  return "PROXY 10.14.10.176:9999";
}
```
Case 4: Monitoring and Logging
Requirements:
- Real-time Traffic Monitoring
- Tracking which users access which sites
implementation:
```shell
# Real-time monitoring of active sessions
watch -n 2 'curl -s http://10.14.10.176:9999/sessions | jq .'
# Follow the log file in real time (Kubernetes)
kubectl logs -f deployment/rbiproxy -n shieldinfo-dev
# Filter by a specific user IP
kubectl logs deployment/rbiproxy -n shieldinfo-dev | grep "192.168.1.100"
```
Deployment Architecture
Kubernetes Environment
┌────────────────────────────────────────────────────────────┐
│ Kubernetes Cluster │
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Namespace: shieldinfo-dev │ │
│ │ │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ ConfigMap │───→│ Deployment │ │ │
│ │ │ rbiproxy-config │ │ │ │ │
│ │ │ │ │ ┌────────────┐ │ │ │
│ │ │ RBI_BASEURL │ │ │ rbiproxy │ │ │ │
│ │ │ RBI_LINK_TYPE │ │ │ Container │ │ │ │
│ │ │ RBIPROXY_PORT │ │ │ │ │ │ │
│ │ └──────────────────┘ │ │ Port:9999 │ │ │ │
│ │ │ └────────────┘ │ │ │
│ │ └────────┬─────────┘ │ │
│ │ │ │ │
│ │ ┌────────▼─────────┐ │ │
│ │ │ Service │ │ │
│ │ │ rbiproxy │ │ │
│ │ │ │ │ │
│ │ │ Port 80, 9999 │ │ │
│ │ └────────┬─────────┘ │ │
│ └────────────────────────────────────┼────────────────┘ │
│ │ │
│ ┌─────────────────────────────────────▼────────────────┐ │
│ │ Namespace: kube-system │ │
│ │ │ │
│ │ ┌──────────────────────────────────────────────┐ │ │
│ │ │ rke2-ingress-nginx-controller │ │ │
│ │ │ │ │ │
│ │ │ - containerPort.rbiproxy: 9999 │ │ │
│ │ │ - references the tcp-services ConfigMap │ │ │
│ │ └───────────────────┬──────────────────────────┘ │ │
│ │ │ │ │
│ │ ┌───────────────────▼──────────────────────────┐ │ │
│ │ │ Service (NodePort/LoadBalancer) │ │ │
│ │ │ Port 9999 exposed externally │ │ │
│ │ └───────────────────┬──────────────────────────┘ │ │
│ └──────────────────────┼───────────────────────────────┘ │
│ │ │
└─────────────────────────┼─────────────────────────────────────┘
│
│ NodePort or LoadBalancer
↓
┌───────────────┐
│ External access │
│ (user PCs) │
└───────────────┘
High Availability Configuration
Multi-Replica Deployment:
```yaml
spec:
  replicas: 3 # run 3 instances
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1 # at most 1 instance down at a time
      maxSurge: 1       # at most 1 extra instance created
```
HPA (Horizontal Pod Autoscaler):
```shell
# Automatic scaling based on CPU utilisation
kubectl autoscale deployment rbiproxy \
  --cpu-percent=70 \
  --min=2 \
  --max=10 \
  -n shieldinfo-dev
```
Environment Variables
Inject configuration through Kubernetes ConfigMap.
Required Environment Variables
| Environment variable | Example value | Description |
|---|---|---|
| `RBIPROXY_PORT` | 9999 | Proxy service port |
| `RBI_BASEURL` | https://shieldgate.softcamp.co.kr | SHIELDGate server address (a trailing `/` is added automatically) |
| `RBI_LINK_TYPE` | SHIELDGate | Integration method (`SHIELDGate` or `DIRECT`) |
| `TZ` | Asia/Seoul | Time zone (for log timestamps) |
Optional Environment Variables
| Environment variable | Default value | Description |
|---|---|---|
| `LOG_LEVEL` | info | Log level (error, warn, info, debug) |
| `RESTAPI_JWT_SECRET_B64` | Auto-generated | JWT signing secret (Base64) |
Environment Variable Priority
```
1st priority: environment variables (ConfigMap/env)
2nd priority: config.yaml file
3rd priority: command-line flags
```
When deploying Kubernetes, the environment variables from ConfigMap take precedence.
Performance and Resources
Resource Requirements
| Environment | CPU Request | CPU Limit | Memory Request | Memory Limit | Replicas |
|---|---|---|---|---|---|
| Development/Test | 100m | 500m | 200Mi | 512Mi | 1 |
| Small-scale operation | 200m | 700m | 300Mi | 1Gi | 2 |
| Medium-scale operation | 500m | 1000m | 500Mi | 2Gi | 3 |
| Large-scale operation | 1000m | 2000m | 1Gi | 3Gi | 5+ |
Expected Throughput
Per single instance (resources: 700m CPU, 1Gi memory):
- Simultaneous Connections: about 500 to 1,000
- Requests per second: Approximately 100~200 req/s
- Response Time: Average 10~50ms (redirect only)
Actual performance depends on the following factors:
- Network Bandwidth
- SHIELDGate Response Speed
- TLS Handshake Overhead
Bottleneck
- TLS MITM: Each HTTPS request requires a handshake → Increased CPU usage
- Dynamic Certificate Issuance: Domain-specific certificate creation → Increased memory usage
- Logging: Increased I/O load by logging all requests
Optimization Tips:
- Lower the log level to `warn` or `error`
- Spread the load by increasing the number of replicas
- Deploy on the same network as the SHIELDGate server (reduces latency)
Logging and Monitoring
Log Format
```
2026-04-01 15:23:45 [INFO] Local HTTP Request - IP: 192.168.1.100:52341, URL: http://example.com, Method: GET
2026-04-01 15:23:45 [INFO] Local [GET http://example.com] code=200 OK elap=12ms
2026-04-01 15:24:10 [INFO] Local HTTPS CONNECT Request - IP: 192.168.1.100:52342, Host: secure.example.com:443
2026-04-01 15:24:10 [INFO] Local HTTPS Detail - IP: 192.168.1.100:52342, Method: GET, URL: https://secure.example.com/
2026-04-01 15:24:10 [INFO] Local [CONNECT secure.example.com:443] GET https://secure.example.com/ code=200 OK elap=45ms
```
Log Classification
| Log Type | Description | Meaning |
|---|---|---|
| Local HTTP Request | Receiving HTTP Requests from a Regular Browser | User attempts to access HTTP site |
| Local HTTPS CONNECT | HTTPS CONNECT request of a regular browser | User attempts to access HTTPS site |
| Local HTTPS Detail | The actual content of an HTTPS request | URL confirmed after TLS decryption |
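A parser for the log format above, as an added example that is not part of RBIProxy and runs over constructed lines of the same shape: it classifies each line by the three types in the table (plus the completion lines carrying `code=` and `elap=`), extracts the client, URL, status and elapsed time, and redacts URL query strings before a record is kept, since the FAQ notes that query parameters are logged and may contain sensitive data.

```javascript
// Added example, not RBIProxy code. Constructed sample lines in the page's format.
const SAMPLE_LOG = [
  "2026-04-01 15:23:45 [INFO] Local HTTP Request - IP: 192.168.1.100:52341, URL: http://example.com, Method: GET",
  "2026-04-01 15:23:45 [INFO] Local [GET http://example.com] code=200 OK elap=12ms",
  "2026-04-01 15:24:10 [INFO] Local HTTPS CONNECT Request - IP: 192.168.1.100:52342, Host: secure.example.com:443",
  "2026-04-01 15:24:10 [INFO] Local HTTPS Detail - IP: 192.168.1.100:52342, Method: GET, URL: https://secure.example.com/search?q=secret&token=abc",
  "2026-04-01 15:24:10 [INFO] Local [CONNECT secure.example.com:443] GET https://secure.example.com/search?q=secret&token=abc code=200 OK elap=1450ms",
];

const LINE_RE = /^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] Local (.*)$/;

// Drop everything after "?" so query parameters never reach downstream storage.
function redactQuery(url) {
  const i = url.indexOf("?");
  return i === -1 ? url : url.slice(0, i) + "?<redacted>";
}

// Returns a structured record, or null for lines that are not in the log format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const rec = { time: m[1], level: m[2], type: null };
  const body = m[3];
  let r;
  if ((r = /^HTTP Request - IP: (\S+), URL: (\S+), Method: (\w+)$/.exec(body))) {
    Object.assign(rec, { type: "http_request", client: r[1], url: redactQuery(r[2]), method: r[3] });
  } else if ((r = /^HTTPS CONNECT Request - IP: (\S+), Host: (\S+)$/.exec(body))) {
    Object.assign(rec, { type: "https_connect", client: r[1], host: r[2] });
  } else if ((r = /^HTTPS Detail - IP: (\S+), Method: (\w+), URL: (\S+)$/.exec(body))) {
    Object.assign(rec, { type: "https_detail", client: r[1], method: r[2], url: redactQuery(r[3]) });
  } else if ((r = /^\[(.+?)\] (?:(\w+) (\S+) )?code=(\d+) .*elap=(\d+(?:\.\d+)?)(ms|s|µs)$/.exec(body))) {
    // Completion line: normalise elapsed time to milliseconds (the page shows ms, s and µs).
    const v = Number(r[5]), unit = r[6];
    const ms = unit === "s" ? v * 1000 : unit === "µs" ? v / 1000 : v;
    Object.assign(rec, { type: "completed", request: r[1], method: r[2] || null,
                         url: r[3] ? redactQuery(r[3]) : null, status: Number(r[4]), elapsedMs: ms });
  } else {
    Object.assign(rec, { type: "unknown", raw: body });
  }
  return rec;
}

function addHost(perClient, client, host) {
  const ip = client.split(":")[0]; // strip the ephemeral source port
  if (!perClient[ip]) perClient[ip] = new Set();
  perClient[ip].add(host);
}

// Summarise: hosts contacted per client IP, and completions slower than thresholdMs.
function summarize(lines, thresholdMs) {
  const perClient = {}, slow = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    if (rec.type === "https_connect") addHost(perClient, rec.client, rec.host.split(":")[0]);
    else if (rec.type === "http_request") addHost(perClient, rec.client, new URL(rec.url).host);
    else if (rec.type === "completed" && rec.elapsedMs > thresholdMs)
      slow.push({ request: rec.request, elapsedMs: rec.elapsedMs });
  }
  const hosts = {};
  for (const [ip, set] of Object.entries(perClient)) hosts[ip] = [...set].sort();
  return { hosts, slow };
}
```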
Prometheus Metrics (may be added in the future)
```
# number of active sessions
rbiproxy_active_sessions_total
# request processing time (histogram)
rbiproxy_request_duration_seconds
# number of requests
rbiproxy_requests_total
# number of errors
rbiproxy_errors_total{type="tls|redirect|connection"}
```
Security Considerations
1. Private Certificate Management
Risk:
- If the CA certificate of RBIProxy is leaked, MITM attacks are possible.
- Service Suspension Upon Certificate Expiration
Response:
- Store the CA certificate files (`proxy_cert.pem`, `proxy_pkey.pem`) securely
- Manage them with a Kubernetes Secret (instead of a ConfigMap)
- Renew the certificate periodically (e.g., every year)
Certificate Regeneration:
```shell
openssl req -x509 -newkey rsa:4096 \
  -keyout proxy_pkey.pem \
  -out proxy_cert.pem \
  -sha256 -days 3650 -nodes \
  -subj "/C=KR/ST=Seoul/O=Security365/CN=RBIProxy" \
  -addext "subjectAltName=DNS:RBIProxy"
```
2. REST API Access Control
Risk:
- User traffic may be exposed through the `/sessions` API
Response:
- Configure Basic Auth (required)
- Allow unauthenticated access only from localhost and force authentication for external access
- Restricting API Access with Kubernetes NetworkPolicy
Basic Auth Configuration (config.yaml):
```yaml
restapi:
  basicAuth:
    username: admin
    password: strong_password_here
```
3. Preventing Infinite Loops
Risk:
- If SHIELDGate is not processed as DIRECT in the PAC file, an infinite loop occurs.
Response:
```javascript
// Must be included in the PAC file
if (dnsDomainIs(host, "shieldgate.softcamp.co.kr")) {
  return "DIRECT"; // proxy bypass
}
```
4. Internal Network Isolation
Recommended Configuration:
```
DMZ:      [RBIProxy]   ← accessed by user PCs
Internal: [SHIELDGate] ← reachable only from RBIProxy
```
Example of NetworkPolicy:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: rbiproxy-policy
spec:
  podSelector:
    matchLabels:
      app: rbiproxy
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: dmz
    ports:
    - protocol: TCP
      port: 9999
```
Advanced Settings
1. Multi-RBI Server Support
Scenario: Using different RBI servers by department
Implementation Method:
- Deploy multiple RBIProxies (each with a different `RBI_BASEURL` setting)
- Specify a different proxy per IP range in the PAC file
```javascript
function FindProxyForURL(url, host) {
  var clientIP = myIpAddress();
  // Development team (10.14.20.0/24) → RBIProxy-Dev
  if (isInNet(clientIP, "10.14.20.0", "255.255.255.0")) {
    return "PROXY 10.14.10.100:9999";
  }
  // Other departments → RBIProxy-Prod
  return "PROXY 10.14.10.176:9999";
}
```
2. Whitelist Central Management
current: Hardcoding exception domains in PAC files
Improvement Plan:
- Managing the Exception Domain List in Central Management Systems (DB, Redis, etc.)
- RBIProxy is dynamically loaded
- Generate PAC file as a template
3. Regional RBI Server Distribution
Scenario: Use the nearest RBI server by branch
```javascript
function FindProxyForURL(url, host) {
  var clientIP = myIpAddress();
  // Seoul headquarters (10.14.0.0/16)
  if (isInNet(clientIP, "10.14.0.0", "255.255.0.0")) {
    return "PROXY 10.14.10.176:9999"; // Seoul RBIProxy
  }
  // Busan branch (10.20.0.0/16)
  if (isInNet(clientIP, "10.20.0.0", "255.255.0.0")) {
    return "PROXY 10.20.10.50:9999"; // Busan RBIProxy
  }
  return "DIRECT";
}
```
FAQ (Frequently Asked Questions)
Q1: If RBIProxy goes down, will the internet be unavailable?
A: Yes. If the proxy goes down, all web access will be impossible.
Countermeasures:
1. **High availability**: multi-replica deployment (at least 2)
2. **Failover**: specify a backup proxy in the PAC file
   ```javascript
   // Use the backup proxy when the main proxy fails
   return "PROXY 10.14.10.176:9999; PROXY 10.14.10.177:9999; DIRECT";
   ```
   Note that the trailing `DIRECT` makes the rule fail open: when both proxies are unreachable the browser connects directly, outside RBI.
3. **Monitoring**: real-time status monitoring with Prometheus + Grafana
4. **Alerting**: immediate notification via Alertmanager when the service is down
Q2: Can RBI be applied to specific users only?
A: Yes. The PAC file can branch on IP ranges or users.
```javascript
function FindProxyForURL(url, host) {
  var clientIP = myIpAddress();
  // VIPs/executives are allowed DIRECT access
  if (isInNet(clientIP, "10.14.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Ordinary employees go through RBIProxy
  return "PROXY 10.14.10.176:9999";
}
```
Q6: What information can be found in the logs?
A: The following information is logged:
- Client IP address
- Request URL and Method
- Response Time
- HTTP Status Codes
Privacy Protection:
- POST body is not logged
- Cookies and Authorization headers are not logged.
- The query parameters of the URL are logged (may include sensitive information).
Limitations and Known Issues
1. WebSocket Support Limitations
Phenomenon: WebSocket connection may not work properly
Cause: HTTP Upgrade request handling not supported
solution: PAC exception handling for sites using WebSocket
```javascript
// Exceptions for sites that use WebSocket
if (dnsDomainIs(host, "slack.com") ||
    dnsDomainIs(host, "teams.microsoft.com")) {
  return "DIRECT";
}
```
2. Compatibility Issues with Some Authentication Methods
Phenomenon: Unable to access the site based on client certificate
Cause: Client certificate is not transmitted during the MITM process
solution: PAC exception handling for the site
3. HTTP/2 and HTTP/3
Current Status: Fully supports only HTTP/1.1
HTTP/2: limited support due to goproxy library constraints
HTTP/3: Not Supported (QUIC Protocol)
Related Documents
Installation and Operation
- [Deployment Guide](../../Internal Documents/Deployment-Installation-Operation Guide/RBI Proxy/RBIProxy Deployment Guide.md): Complete Procedure for Kubernetes Deployment
- [Environment Variables](../../internal-docs/deployment-installation-operation-guide/RBI Proxy/RBIProxy config.js guide.md): ConfigMap Setting Details
- Analysis of main.go code: Internal Operating Principle
REST API
- version API: Version and Health Check
- sessions API: Active Session Monitoring
Project Information
- README.md: Project Overview and Change History
License and Open Source
Open Source in Use
| Library | License | Purpose |
|---|---|---|
| elazarl/goproxy | BSD-3-Clause | HTTP/HTTPS Proxy Engine |
| spf13/viper | MIT | Configuration File Management |
Change History
RBIProxy was originally based on lqqyt2423/go-mitmproxy and was switched to elazarl/goproxy (v1.0.0.1, 2024-06-11).
Reason for Change:
- Better HTTPS Handling
- Stable MITM Functionality
- Active Community Support
Summary
RBIProxy is:
- A transparent security layer between the user's PC and the internet
- A proxy that is applied automatically through the Windows PAC
- Switches web access to an isolated environment in conjunction with SOFTCAMP SHIELDGate
- Prevents infinite loops through selective filtering in the PAC file
- Easy to deploy and scale on Kubernetes
One-line summary:
"URL transformation proxy that converts traffic that has passed through PAC filtering to SHIELDGate"
Next Step
- Refer to the [Deployment Guide](../../internal-docs/deployment-installation-operation-guide/RBI-Proxy/RBIProxy-Deployment-Guide.md) for deployment.
- Customizing PAC files to fit your environment
- Installing CA Certificate on User PC
- Bulk Deployment of PAC Settings via Windows GPO
- Building a monitoring dashboard (using the `/sessions` API)
Inquiry:
- Technical support: SOFTCAMP
- Project Management: nicejh
Last modified: 2026-04-01