The advantage of the web proxy is not from securing your app - although there are things you can do on the reverse proxy to secure less secure apps
It's main advantage is that it doesn't run a large software stack - and so it makes it harder for people to compromise your front end and then compromise your internal networks, and even then they have to get from that DMZ into your main infrastructure. We go a step further at work. We have a DMZ <- a web zone <- internal zone - so even if you can compromise the DMZ and the web servers you still don't have direct access to the other machines - taking servers + desktop machines - something like 30-50K cores. -----Original Message----- From: Clive Eisen <cl...@hildebrand.co.uk> Sent: 09 February 2021 19:23 To: Rafael Caceres <rcace...@aasa.com.pe> Cc: James Smith <j...@sanger.ac.uk>; Vincent Veyron <vv.li...@wanadoo.fr>; modperl@perl.apache.org Subject: Re: Moving ExecCGI to mod_perl - performance and custom 'modules' [EXT] > On 9 Feb 2021, at 19:16, Rafael Caceres <rcace...@aasa.com.pe> wrote: > > Another thing that can be done is keep the app server + DB inside your LAN > and place a reverse proxy on your DMZ, that adds some level of protection. Not really - the only protection is if all your apis or web pages are secure - the reverse proxy does not help or hinder that. — C -- The Wellcome Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
