On Tue, 2 Jan 2001, Gunther Birznieks wrote:
> Date: Tue, 02 Jan 2001 23:41:01 +0800
> From: Gunther Birznieks <[EMAIL PROTECTED]>
> To: Matt Sergeant <[EMAIL PROTECTED]>, Oleg Bartunov <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: how to secure backend server ?
>
> At 03:02 PM 1/2/01 +0000, Matt Sergeant wrote:
> >On Tue, 2 Jan 2001, Oleg Bartunov wrote:
> >
> > > Hi,
> > >
> > > I have implement standard fe-be scheme as many times discussed
> > > in this list and described by Stas in his guide. Sorry, if I
> > > don't understand something simple.
> > >
> > > Everything works but I get a problem with securing my
> > > backend server - I want backend accepts requests only from my frontend.
> > > I have in backend's conf file:
> > >
> > > <Directory "/db1/w3/comps/discovery">
> > > Options FollowSymLinks ExecCGI Includes MultiViews
> > > AllowOverride All
> > > Order deny,allow
> > > Deny from all
> > > Allow from MY_PROXY_IP
> > > </Directory>
> >
> >Forget that, add the rule to your firewall. Its a far better place to
> >manage these kinds of rules.
>
> I am not sure, but I suspect it may be possible to distinctly bind to
> 127.0.0.1 and thus disallow any external IP address listening for extra
> measure. The default for apache is to bind to every IP on the system
> promiscuously which you don't want on a BE server.
Well, is it possible to tell apache to bind only one IP which
is explicitly writen in Listen command ?
Interesting, that I see right IP of proxy when I print environment
but when request comes to backend I see wrong IP in
$r->connection->remote_ip !
Also, in my original post I wrote that on my observation
request passes twice access control - the first with proxy IP address
(passes ok by configuration) and the second one with original client's IP
which failes also by configuration. And this cause the problem.
Does this correct behaivour ? In my understanding PerlPostReadRequestHandler
is in the beginning of lifecycle of request.
>
> Of course, you will need the firewall method if the BE server actually is
> on a physically separate machine from the FE server.
>
> Where security is concerned, it's not always the best idea to solely depend
> on firewall rules if you can help it... In case one gets misconfigured at
> least you have a 2nd one.
>
> Anyway, unless your mod_rewrite rules on the FE server are doing something
> other than blindly proxying all requests to the BE server, I am not sure
> whether the BE server is actually any more secure because of the reverse
> proxy.
>
> What attack could be made on the BE server directly that could not be made
> through just tunneling the same request through mod_rewrite on the FE server?
>
> eg Are you filtering for "passwd" in the URL with your rewrite rules?
>
True security is to pull out network cable :-)
Now I have academic interest to understand what I've seen.
regards,
Oleg
>
_____________________________________________________________
Oleg Bartunov, sci.researcher, hostmaster of AstroNet,
Sternberg Astronomical Institute, Moscow University (Russia)
Internet: [EMAIL PROTECTED], http://www.sai.msu.su/~megera/
phone: +007(095)939-16-83, +007(095)939-23-83
