On 19 Dec 2009, at 12:18, Lars Nooden wrote:
> Ben Calvert wrote:
>> This is what squid is for.
>>
>> On Dec 18, 2009, at 10:01 AM, James Stocks wrote:
>>
>>> Hello everyone,
>>>
>>> I'm presently using Apache to reverse-proxy HTTP connections through to our
>>> Microsoft IIS servers so that we don't have to expose IIS directly to Internet
>>> hosts. Recently, I've been testing relayd in this role.
>
> The vulnerable machines are still accessible via the proxy, squid.
> Don't fiddle with half measures, move what you have over to Apache.
> Say what you have the machine for and it will be easier to find the
> right software for you.
>
> /Lars
>
The IIS servers have a fair number of ASP.net based applications; to be honest, I don't know what 50% of them do, but they are needed. Nothing would please me more than to get rid of these machines and indeed this is what I advocate whenever my opinion is sought. However, I don't have the authority to tell the software development department what to do, so I'm stuck with it for now.

I know that IIS isn't ideal from a security point of view, but I want to do everything we can to safeguard them from attack. My view is that placing Apache, relayd, squid et al. between the server and the Internet at least helps to strip out some attacks.

Anyway, somebody has replied to me off-list indicating that relayd can't presently handle virtual hosts in the same way Apache does, so I'll stick with this for now.

Thanks to all who advised.

James.