Dear Folks,

We are setting up a data server that contains private information about
our students and courses, and an Apache server running Apache Perl
modules that authenticate the user before serving sensitive information
from the data server. We need to do this securely, and with reasonable
performance. The secure information will be encrypted using mod_ssl.

There are also many static web pages on the server containing teaching and
learning material for our students. The web server needs to be
accessible both inside the firewall and outside, from the Internet. The
Computer Centre has a Checkpoint 1 firewall, and is willing to cooperate
with us. I need to decide on the most appropriate way to handle this.

We have few financial resources, and have Linux experience, so our solutions
will probably be based on Linux.

One suggestion is to use Squid in http-accelerator mode. Squid would
run on a dedicated machine in the DMZ. Lincoln Stein calls this a
"reverse proxy". I have some questions for those with experience:

1. Can Squid redirect the Internet clients to the web server (inside
   the firewall) securely?
2. Will Squid handle use of SSL or plain http successfully?
3. Do we need to rewrite URLs?
4. Can Squid successfully tell the difference between dynamic pages
   (and so not cache them) and static pages? How? Do we need to do
   anything special to mark a page as cachable or not?

Another suggestion is to use Apache with http acceleration turned off,
running in the DMZ, also as a reverse proxy.

1. Is it best to turn off acceleration (caching)?
2. Is Apache a better (more secure/manageable) choice than Squid?

Finally:

1. Does anyone have any other suggestions/ideas?

We need to decide how to do this soon and implement it in the short
summer break, and have it all running before the start of the next
academic year. I will be very grateful for any suggestions/travellers'
tales from those who have travelled this road.

--
Nick Urbanik, Dept. of Electrical & Communications Engineering
Hong Kong Institute of Vocational Education (Tsing Yi)
email: [EMAIL PROTECTED], [EMAIL PROTECTED]
Tel: (852) 2436 8660, (825) 2436 8674 Fax: (852) 2436 8643