mailing list archives
Re: Securing a webserver through reverse proxy?
From: "theog" <theog () theog org>
Date: Fri, 21 Feb 2003 01:29:56 +0200
mod_proxy is very powerful, but when it comes to security I wouldn't
use it to protect another server as it had some problems in the past.
The whole idea of putting a reverse proxy to protect a web server is that
the proxy server doesn't have anything besides a small engine to fetch the
data from the inside server (if configured right), thus making it less
vulnerable to attacks; in combination with a strict iptables ruleset it is
Another tip: if you intend on using dynamic pages, make sure you set the
cache to 0.
----- Original Message -----
From: "Alejandro Flores" <aflores () ipad com br>
To: "Security" <security () zerouptime ch>
Cc: <security-basics () securityfocus com>
Sent: Wednesday, February 19, 2003 8:53 PM
Subject: Re: Securing a webserver through reverse proxy?
I implemented something like this some time ago, but using
Apache. Apache has a proxy module that makes Apache work as a proxy for
a whole site, or just some directories (this module does much more...). I
mean, you can have an exposed webserver (Apache), and when someone issues
a GET /somedir/, Apache will download http://othersite.../somedir/ and
show it to you.
The httpd.conf will have something like this in your virtualhost:
ProxyPass /somedir/ http://othersite/somedir/
So, you can have an Apache webserver running on the internet,
mapping some directories to your internal IIS or whatever webserver you
Hope you can understand something!
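A worked configuration for the setup Alejandro describes, combined with theog's tip about not caching dynamic pages. This is an added example, not the configuration from either post: the path /app/, the backend address 10.0.0.5 and the hostname www.example.com are assumptions, and the syntax is Apache 2.4 (Require ... instead of the Order/Allow directives of the 2.0 era the thread was written in).

```apache
# Public-facing reverse proxy: the only thing the Internet can reach is
# this virtualhost, and the only path it knows how to serve is /app/.
# Hypothetical hostname and backend address; adjust to your own.
<VirtualHost *:80>
    ServerName www.example.com
    ServerTokens Prod

    # The single most important line: with ProxyRequests On (plus an open
    # <Proxy *> block) this host becomes an open forward proxy that anyone
    # can bounce traffic through. Reverse proxying does NOT need it.
    ProxyRequests Off

    # Pass the original Host header to the backend so virtualhost-based
    # backends and absolute links it generates keep working.
    ProxyPreserveHost On

    # Map only the directory we want exposed; every other URL gets a local
    # 404 from a server that has no content of its own.
    ProxyPass        "/app/" "http://10.0.0.5/app/"
    # Rewrite Location / Content-Location / URI response headers so
    # redirects from the backend point at the proxy, not at 10.0.0.5.
    ProxyPassReverse "/app/" "http://10.0.0.5/app/"

    # Do not hold the connection open forever if the backend hangs.
    ProxyTimeout 30

    # Do not let request bodies grow unbounded on the edge host (1 MiB).
    LimitRequestBody 1048576

    <Location "/app/">
        # Only the methods the application actually uses reach the backend.
        <LimitExcept GET HEAD POST>
            Require all denied
        </LimitExcept>
    </Location>

    # theog's tip: dynamic pages must not be served from the proxy cache,
    # or one user's personalised response can be handed to the next user.
    # (Only relevant if mod_cache is loaded; this switches it off for /app/.)
    CacheDisable "/app/"
</VirtualHost>
```

Two checks worth running after `apachectl configtest`: `curl -x http://www.example.com:80 http://some-other-site.example/` must not return the other site's content (if it does, forward proxying is still on), and a request for a URL outside /app/ must come back as a plain 404 from the proxy rather than anything from the backend.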
I've read about a way to secure webservers, which must not be directly
exposed to the Internet, using a reverse proxy, e.g. MS ISA Server or
Squid on a UNIX box.
Now my question would be: Has anyone experience with that? Is it really
more secure (compared to firewalling and port forwarding)? Is the MS ISA
Server Webpublishing rule (which implies reverse caching) doing
application layer filtering, or does it just do the mentioned caching? Can a
Squid reverse proxy solution fulfill that too?
If not, what are the steps necessary to accomplish this?
Your input is appreciated.
Jonas Nagel <fireball () zerouptime ch>