RE: Securing a webserver through reverse proxy?

2003-02-22 Thread Alisson Leite de Morais Veras
Hi there,

continuing on this thread

That's an implementation I was wondering to do, but interacting with SNORT,
to make changes in the destination address (squid or iptables routing). If
an attack were detected, it would redirect the traffic to another server or
some kind of honeypot.

Anybody know if it's OK? Is it too hard to do?

Thanks
Alisson Leite de Morais Veras
Sao Paulo - Brazil


Re: Securing a webserver through reverse proxy?

2003-02-20 Thread Adam McCarthy

> I've read about a way to secure webservers, which must not be directly
> exposed to the Internet, using a reverse proxy, e.g. MS ISA Server or
> Squid on a UNIX box.


I have yet to use ISA Server for this, but using Squid is an *excellent*
method for keeping the actual HTTP server isolated from public access.

> Now my question would be: Has anyone experience with that? Is it really
> more secure (compared to firewalling and port forwarding)? Is the MS ISA
> Server Webpublishing rule (which implies reverse caching) doing an
> application layer filtering or does it just the mentioned caching? Can a
> Squid reverse proxy solution fulfill that too?


Again, not sure on using ISA, but using Squid has been a very nice option.
Basically in a layout with a lot of Windows boxes running IIS as the actual
content/web servers, with private ip connections to a public Squid server
has been an excellent solution. Of course, this should not be your only
means of securing the network, but since your web services are probably
public, this extra step should help you out tremendously.



> If not, what are the steps necessary to accomplish this?


I don't know the exact meaning of this question...maybe worded wrong. Here
is a link to a good SANS article that covers the general scope and usage of
reverse proxy implementation, and covers a brief overview of how to
implement with Apache...really adjusting the process here is not that
difficult to apply to IIS as the backend web server.

http://www.sans.org/rr/web/reverse_proxy.php

If you need more detailed information or advice, I can be contacted directly
and we can go over a setup more specific to your environment. Personally I
prefer Squid since this is what I have used for this exact type of scenario
and the cost comparison to licensing an ISA server...well Squid is free so
you can't beat that.

Adam McCarthy
[EMAIL PROTECTED]
> Your input is appreciated.




Re: Securing a webserver through reverse proxy?

2003-02-20 Thread Alejandro Flores
Hi,

I have implemented some time ago, something like this, but using
apache. Apache has a proxy module, that makes apache work as a proxy for
a whole site, or just some directories (this module does much more...). I
mean, you can have an exposed webserver (apache), and when someone issues
a GET /somedir/ apache will download http://othersite.../somedir/ and
show it to you.
The httpd.conf will have something like this on your virtualhost
directive:

ProxyPass /somedir/ http://othersite/somedir/

So, you can have an apache webserver running on the internet, and
mapping some directories to your internal IIS or whatever webserver you
have.

Hope you can understand something!

Regards,
Alejandro


> Greetings,
>
> I've read about a way to secure webservers, which must not be directly
> exposed to the Internet, using a reverse proxy, e.g. MS ISA Server or
> Squid on a UNIX box.
>
> Now my question would be: Has anyone experience with that? Is it really
> more secure (compared to firewalling and port forwarding)? Is the MS ISA
> Server Webpublishing rule (which implies reverse caching) doing an
> application layer filtering or does it just the mentioned caching? Can a
> Squid reverse proxy solution fulfill that too?
>
> If not, what are the steps necessary to accomplish this?
>
> Your input is appreciated.
>
> --
> Jonas Nagel [EMAIL PROTECTED]
 
 





Re: Securing a webserver through reverse proxy?

2003-02-20 Thread brian_carpio

Agree,

I use the same things here to proxy hdml apps, IIS servers, Apache
Servers etc...


Apache's reverse proxy implementation is great; you can provide
authentication with htpasswd files or with an LDAP database!

--
Brian Carpio
CSG Systems Inc.
Open Systems Unix System Admin

x3317
--
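
Added example, not part of any message in the thread: a small Python check for the setup described above (Apache ProxyPass in front of an internal server, with htpasswd authentication on the proxied path). The two sample configurations, the host name backend.internal and the htpasswd path are constructed for illustration; the check flags forward proxying left on and ProxyPass mappings that have no matching ProxyPassReverse.

```python
# Constructed sample configs; backend.internal and the file paths are placeholders.
WEAK = """\
<VirtualHost *:80>
    ProxyRequests On
    ProxyPass /somedir/ http://backend.internal/somedir/
</VirtualHost>
"""

HARDENED = """\
<VirtualHost *:80>
    ProxyRequests Off
    ProxyPass        /somedir/ http://backend.internal/somedir/
    ProxyPassReverse /somedir/ http://backend.internal/somedir/
    <Location /somedir/>
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
"""


def audit(conf):
    """Return sorted findings for the mod_proxy directives in an httpd.conf text."""
    findings, passes, reverses = set(), [], set()
    for raw in conf.splitlines():
        parts = raw.strip().split()
        # Skip blank lines, comments and section tags such as <VirtualHost>.
        if not parts or parts[0][0] in "#<":
            continue
        name, args = parts[0].lower(), parts[1:]  # directive names are case-insensitive
        if name == "proxyrequests" and args and args[0].lower() == "on":
            # Forward proxying is enabled in addition to the reverse mapping.
            findings.add("open forward proxy: ProxyRequests On")
        elif name == "proxypass" and len(args) >= 2 and args[1] != "!":
            passes.append(args[0])
        elif name == "proxypassreverse" and args:
            reverses.add(args[0])
    for path in passes:
        if path not in reverses:
            # Backend redirects would reach clients with the internal host name.
            findings.add("no ProxyPassReverse for " + path)
    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf))
```
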


Re: Securing a webserver through reverse proxy?

2003-02-20 Thread theog
mod_proxy is very powerful, but when it comes to security I wouldn't use it
to protect another server as it had some problems in the past.

The whole idea of putting a reverse proxy to protect a web server is that
the proxy server doesn't have anything besides a small engine to fetch the
data from the inside server (if configured right), thus making it less
vulnerable to attacks; in combination with a strict iptables ruleset it is
relatively secure.

Another tip: if you intend on using dynamic pages, make sure you set the
cache to 0.


:)

TheOg