On Tue, Jan 25, 2011 at 10:55 PM, Brett Delle Grazie <brett.dellegra...@gmail.com> wrote:

> Personally if the application isn't designed with security in mind I
> wouldn't put it on the Internet or consider paying a developer to review the
> application for just this purpose. Depending upon how the application was
> developed, reviewing it and updating its security can sometimes be extremely
> quick and far less costly than expected.

Agreed but this isn't my app so rewriting isn't an option. I don't have the source code :-)

The supplier is doing their own hardening but that update is not due until the end of the year. In the meantime, I can make a lot of money if I can get this working securely and stably enough to tide me over until the official product is released.

I'm actually planning on using something like stunnel to funnel the whole thing through SSL without the app needing to know about it (I don't think it's SSL aware). From what I've read so far, the SSL part is actually a minor part of the project. Though I admit I may turn out to be mistaken :-)

Thank you for the recommendation to Apache. I like and trust Apache so I'll definitely be giving that one a go. haproxy can then be left to handle the load sharing (since I'll be needing a failover machine).

Thanks!

Sean