mailing list archives
Re: Reverse proxy versus shifting webserver to DMZ
From: jean-philippe luiggi <jean-philippe.luiggi () didconcept com>
Date: Mon, 16 Jul 2007 18:39:50 -0400
Beside of just comparing reverse proxy vs hardening web server, i think
the last one is a good choice because as you said, the risk to escalate
privileges is real. You too need to consider reverse proxy because one
with security features may help in protecting applications by
inspecting the requests for malicious requests.
Not saying that using such a tool likes this one may help to
concentrate all the various log in one point.
Last thing, saying a firewall hides the internal addressing is not
allways true. I know plenty of places where the internal network is
full of public IP (university, etc.) and they're protected by a
On 15 Jul 2007 12:54:05 -0000
barcajax () gmail com wrote:
Client=>Reverse proxy (DMZ)=>Webserver (internal)
Is a reverse proxy really that advantageous over hardening a
webserver and shifting it to the DMZ? I read a manual from a vendor
that states the use of a reverse proxy hides the internal addressing.
I disagree with this statement as the firewall does that function.
The way I see it... a reverse proxy (that is built on a different OS
from the webserver) prevents direct attacks on the webserver. However
if the application is vulnerable, attackers can still compromise the
backend by targeting its application flaws. It is possible to
escalate privileges that way. This defeats the purpose of deploying a
reverse proxy wouldn't it?